nsm chapter 6: command line packet analysis...
TRANSCRIPT
![Page 2: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/2.jpg)
Topics
• SO Tool Categories
• Running Tcpdump
• Using Dumpcap and Tshark
• Running Argus and the Ra Client
2
![Page 3: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/3.jpg)
SO Tool Categories
3
![Page 4: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/4.jpg)
Three Types of Tools
• Data presentation
• Data collection
• Data delivery
4
![Page 5: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/5.jpg)
Data Presentation Tools
• Packet Analysis Tools
– Read traffic from a live interface or from a saved PCAP file
– Command-line: tcpdump, Tshark (with Dumpcap), and Argus Ra Client
– Graphical interface: Wireshark, Xplico, and NetworkMiner (see Ch 7)
5
![Page 6: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/6.jpg)
NSM Consoles
• Gateways to NSM data
• Squil, Squert, and ELSA (see Ch 8)
– Text discusses Snorby but it's abandoned and no longer included in Security Onion
– Links Ch 1e, 1f
6
![Page 7: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/7.jpg)
Data Collection Tools
• These applications collect and generate the NSM data available to the presentation tools
• Argus server, Netsniff-ng, PRADS, Snort, Suricata, and Bro
7
![Page 8: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/8.jpg)
Argus and PRADS
• Argus server and PRADS create and store their own form of session data
• Argus uses a proprietary binary format suited for rapid command-line mining
• PRADS data is best read through an NSM console
8
![Page 9: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/9.jpg)
Netsniff-ng
• Simply writes full-content data to disk in pcap format
9
![Page 10: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/10.jpg)
Snort and Suricata
• Network intrusion detection systems (NIDS)
• Inspect traffic and write alerts
• According to signatures deployed with each tool
10
![Page 11: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/11.jpg)
Bro
• Observes and interprets traffic that has been generted and logged in a variety of NSM datatypes
11
![Page 12: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/12.jpg)
Data Delivery Tools
• Middleware between the data presentation and data collection tools
• PulledPork manages IDS rules
• Barnyard2 manages alert processing
• Capme manages pcap access
12
![Page 13: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/13.jpg)
Squil Agents
• Shuttle data from the collection tools to the presentation software
• pcap_agent and snort_agent
• Apache web server
• MySQL database
• Sphinx index application
13
![Page 14: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/14.jpg)
Integrating Tools
• Integrate host-centric analysis analysis features
• OSSEC host IDS
• Syslog-ng for transport and aggregation of log messages
14
![Page 15: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/15.jpg)
Core SO tools
15
![Page 16: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/16.jpg)
Running Tcpdump
16
![Page 17: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/17.jpg)
Tcpdump
• Protocol analyzer: understands layers of networking
• Included in SO but not running by default
• Often used to analyze pcaps in /nsn/sensor_data/<sensorname>/dailylogs
• Can also collect live data
17
![Page 18: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/18.jpg)
Basic Usage
• Requires sudo
• Specify interface with -i
18
![Page 19: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/19.jpg)
Other Useful Switches
• -n Don't resolve names
• -s # Adjust "snaplength" -- Number of bytes to collect (default is 68 bytes for IPv4)
• -c count Only collect count packets (0 for all data)
• -X Print out packet bytes
• -w filename.pcap Write PCAP file
19
![Page 20: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/20.jpg)
-X
20
![Page 21: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/21.jpg)
DNS Query & Reply
21
![Page 22: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/22.jpg)
TCP Handshake• [S] SYN
• [S.] SYN/ACK
• [.] ACK
22
![Page 23: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/23.jpg)
Capture Filters
• In Berkeley Packet Format (BPF)
• Add filter to the end of the command line
• icmp Only ICMP protocol
• port 53 UDP or TCP port 53
• tcp and port 443 Requires both conditions
• man pcap-filter to see all options
23
![Page 24: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/24.jpg)
Capture Filters
• host 192.168.1.1 traffic to or from this IP
• src host 192.168.1.1 traffic from this IP
• dst host 192.168.1.1 traffic to this IP
• src net 192.168.1.0 traffic from this network
24
![Page 25: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/25.jpg)
Only ICMP Replies
25
![Page 26: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/26.jpg)
Looping Through Files
• For example, Listing 6-14 looks through all fles for traffc involving host 8.8.8.8 and TCP thanks to a for loop and the find command. Note the backticks (on the same key as the tilde symbol) in front of the find and after -type f.
26
![Page 27: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/27.jpg)
27
![Page 28: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/28.jpg)
Using Dumpcap and Tshark
28
![Page 29: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/29.jpg)
Shipped with Wireshark
• Dumpcap is a simple packet collection tool
• Tshark is the command-line version of Wireshark
– Analyzes traffic
– Friendlier than tcpdump
– Uses human-readable syntax
29
![Page 30: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/30.jpg)
Tshark as Root
• Protocol dissectors may contain vulnerabilities
• Recommended: collect with dumpcap, analyze later with tshark and wireshark
30
![Page 31: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/31.jpg)
Running Dumpcap
• When running as root, Dumpcap can't write to the user's home directory, so the output's in /tmp
• Dumpcap captures whole packets by default, unlike tcpdump
31
• Dumpcap uses the same BPF syntax as Tcpdump, as shown in Listing 6-16.
![Page 32: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/32.jpg)
Running Dumpcap without root Privileges
• sudo dpkg-reconfigure wireshark-common
32
![Page 33: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/33.jpg)
Running Dumpcap without root Privileges
• sudo usermod -a -G wireshark so
• sudo reboot
33
![Page 34: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/34.jpg)
Capturing Pings with Dumpcap
34
![Page 35: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/35.jpg)
Absolute Timestamps in Tshark
• tshark -t ad -r icmp.pcap
35
![Page 36: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/36.jpg)
Using Display Filters with Tshark
• Display filters use a different format than BPF
• Display filters don't affect packet capture
• tshark -r icmp.pcap -Y "icmp.type == 0"
36
![Page 37: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/37.jpg)
Full Decode
• -V for verbose protocol decode
• -x for hex and ASCII
37
![Page 38: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/38.jpg)
Ex
38
![Page 39: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/39.jpg)
Ex
39
![Page 40: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/40.jpg)
Ex
40
![Page 41: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/41.jpg)
Tshark Display Filters in Action
• View HTTP Traffic
41
![Page 42: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/42.jpg)
Tshark Display Filters in Action
• Use -Y instead of -R
42
![Page 43: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/43.jpg)
Tshark Display Filters in Action
• Searching for a range of IP addresses
43
![Page 44: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/44.jpg)
Running Argus and the Ra Client
44
![Page 45: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/45.jpg)
Argus
• A session data generation and analysis suite
• Argus server is running by default on Security Onion
• Client is in /nsm/sensor_data/<sensorname>/argus directory
• sudo nsm_sensor_ps-status --only-argus
– Shows Argus status
45
![Page 46: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/46.jpg)
Was Off by Default
• Do this to start argus
• sudo sed –i 's|ARGUS_ENABLED="no"| ARGUS_ENABLED="yes"|g' /etc/nsm/*/ sensor.conf
• sudo service nsm restart
46
![Page 47: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/47.jpg)
Stopping and Starting Argus
• sudo nsm_sensor_ps-stop --only-argus
• sudo nsm_sensor_ps-start --only-argus
47
![Page 48: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/48.jpg)
Argus Data
48
![Page 49: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/49.jpg)
Argus File Format
• Argus stores flows, not complete pcaps
• Much smaller: ex: 48 days of data
49
![Page 50: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/50.jpg)
Examining Argus Data
• -n Don't resolve port numbers to names
• tcp and dst port 21 BPF packet filter
• -s Specify which fields to display
50
![Page 51: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/51.jpg)
Argus Data in SO
51
![Page 52: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/52.jpg)
Ra Help
• - switch to filter
52
![Page 53: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/53.jpg)
Ra Filtered for ICMP
53
![Page 54: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/54.jpg)
Ra for SSH
• Many records for the same conversation
54
![Page 55: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/55.jpg)
Racluster
• Ra can break a long conversation into separate sections
• Racluster combines them into one record
55
![Page 56: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/56.jpg)
Number of Lines
56
![Page 57: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/57.jpg)
Advanced Usage Example
• -m saddr daddr groups records by source and destination IP address
57
![Page 58: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/58.jpg)
Without -m
58
![Page 59: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/59.jpg)
With -m
• Combines many conversations into one record
59
![Page 60: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/60.jpg)
Advanced Usage Example
60
![Page 61: NSM Chapter 6: Command Line Packet Analysis Toolsfit.ptithcm.edu.vn/wp-content/uploads/2018/03/Lecture4... · 2018-03-27 · Data Presentation Tools •Packet Analysis Tools –Read](https://reader033.vdocuments.mx/reader033/viewer/2022053015/5f14c0ab0eaabc6ff90c07a9/html5/thumbnails/61.jpg)
End of Chapter 6
61