Re: How do you use TCPDump?

2011-03-04 Thread Anand Sivaram
Correct, it is wireshark now.  Somehow I still remember that with the name
ethereal :)

On Fri, Mar 4, 2011 at 10:15, Steven Ayre stevea...@gmail.com wrote:

 There's tshark too... (part of wireshark but commandline like tcpdump,
 filters are identical to wireshark itself).

 -Steve


 On 4 Mar 2011, at 03:11, Chris Jones cjns1...@gmail.com wrote:

  On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
 
  Tcpdump and Ethereal are very similar in terms of capture filters.
  They both use libpcap.
 
  I believe they call it ‘wireshark’ these days..
 
  cj
 
 
 






Re: How do you use TCPDump?

2011-03-04 Thread Chris Jones
On Fri, Mar 04, 2011 at 03:30:47AM EST, Anand Sivaram wrote:

 Correct, it is wireshark now.  Somehow I still remember that with the
 name ethereal :)

In ‘lenny’ at least, there's still a dummy ‘ethereal’ package.. That's
how I found the new name.. couldn't remember it. Anyway, I mentioned it
in case the OP needs to google for it.

cj


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110304115801.GA4176@pavo.local



Re: How do you use TCPDump?

2011-03-04 Thread shawn wilson
On Wed, Mar 2, 2011 at 11:00 PM, Jason Hsu jhsu802...@jasonhsu.com wrote:

 I have it installed, and I can look up the parameters in the command.

 What I don't understand is how I use it to investigate intrusions.  Can
 someone shed some light on this?


look at snort. it's pretty much the industry standard when it comes to ids.

also, you can either use the new snort format (which is a pita to convert to
pcap format) or you can have it log 'interesting' things to a flat file and
directly look it with tshark or tcpdump or scapy or whatever else you'd
like.

now, what's cool, is if you see something that starts to make you wonder,
you go into scapy, modify the packets and replay. fun :)

one last thing, learn how to write 'good' rules. just because you've got a
bunch of data doesn't make it good data. in fact, too much data is bad data
because someone has to look through it all, after a while complacency sets
in and your analysis guy becomes useless. in this case, i suppose the
analysis guy would be you :)


Re: How do you use TCPDump?

2011-03-03 Thread Anand Sivaram
On Thu, Mar 3, 2011 at 09:43, Mike Viau vi...@sheridanc.on.ca wrote:


  On Wed, 2 Mar 2011 22:00:41 -0600 jhsu802...@jasonhsu.com wrote:
 
  I have it installed, and I can look up the parameters in the command.
 
  What I don't understand is how I use it to investigate intrusions.  Can
 someone shed some light on this?
 

 What kind of intrusions are you looking for? TCPDump is a packet analyzer, so
 what is analyzed is based on what filters you are looking for. TCPDump uses
 the libpcap library to capture packets. You can receive the packets based on
 the protocol type. You can specify
 one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
 tcp and udp.

 You may also specify a port number to monitor, which is nice if you are
 investigating a particular service. Or an IP address if you are interested
 in a specific host.

 The filters may be used in combination by and'ing / or'ing them together.
 I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n
 'tcp and port 80 and dst 10.0.0.1'

 One tip is to pass the -n switch when running because DNS queries slow down
 captures.

 Hope that helps :)


 -M





Tcpdump and Ethereal are very similar in terms of capture filters.  They
both use libpcap.


Re: How do you use TCPDump?

2011-03-03 Thread Chris Jones
On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:

 Tcpdump and Ethereal are very similar in terms of capture filters.
 They both use libpcap.

I believe they call it ‘wireshark’ these days..

cj


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110304031150.GB4250@pavo.local



Re: How do you use TCPDump?

2011-03-03 Thread Steven Ayre
There's tshark too... (part of wireshark but commandline like tcpdump, filters 
are identical to wireshark itself).

-Steve


On 4 Mar 2011, at 03:11, Chris Jones cjns1...@gmail.com wrote:

 On Thu, Mar 03, 2011 at 09:00:43AM EST, Anand Sivaram wrote:
 
 Tcpdump and Ethereal are very similar in terms of capture filters.
 They both use libpcap.
 
 I believe they call it ‘wireshark’ these days..
 
 cj
 
 
 


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/116381e8-8be5-4583-ad73-effec4f5d...@gmail.com



How do you use TCPDump?

2011-03-02 Thread Jason Hsu
I have it installed, and I can look up the parameters in the command.

What I don't understand is how I use it to investigate intrusions.  Can someone 
shed some light on this?

-- 
Jason Hsu jhsu802...@jasonhsu.com


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110302220041.35071bf9.jhsu802...@jasonhsu.com



RE: How do you use TCPDump?

2011-03-02 Thread Mike Viau

 On Wed, 2 Mar 2011 22:00:41 -0600 jhsu802...@jasonhsu.com wrote:
 
 I have it installed, and I can look up the parameters in the command.
 
 What I don't understand is how I use it to investigate intrusions.  Can 
 someone shed some light on this?
 

What kind of intrusions are you looking for? TCPDump is a packet analyzer, so 
what is analyzed is based on what filters you are looking for. TCPDump uses the 
libpcap library to capture packets. You can receive the packets based on the 
protocol type. You can specify
one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
tcp and udp.

You may also specify a port number to monitor, which is nice if you are 
investigating a particular service. Or an IP address if you are interested in a 
specific host.

The filters may be used in combination by and'ing / or'ing them together. I 
tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n 'tcp 
and port 80 and dst 10.0.0.1'

One tip is to pass the -n switch when running because DNS queries slow down 
captures.

Hope that helps :)


-M


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/bay148-w174ae84d50a7f526d341e4ef...@phx.gbl
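The capture-filter syntax Mike describes above (protocol keywords, `port`, `src`/`dst` host, joined with `and`/`or`), as an added Python example that is not from this thread: a toy evaluator of that filter subset run over a constructed capture, showing that `port 80` matches either end of a connection while `dst 10.0.0.1` pins one direction. The `Packet` type, `CAPTURE` data and `filter_capture` function are assumptions of this example, not tcpdump or libpcap APIs.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Protocol keywords listed in the thread; a bare keyword matches a layer of the packet.
PROTOS = {"fddi", "tr", "wlan", "ip", "ip6", "arp", "rarp", "decnet", "tcp", "udp"}

@dataclass
class Packet:
    """Constructed packet summary (hypothetical; not a libpcap record)."""
    layers: FrozenSet[str]          # e.g. {"ip", "tcp"}
    src: str
    dst: str
    sport: Optional[int] = None     # None for protocols without ports (ARP)
    dport: Optional[int] = None

def _primitive(tok: List[str], pkt: Packet) -> bool:
    """Evaluate one primitive: 'tcp', 'port 80', 'src port 22', 'host A', 'dst A'."""
    if len(tok) == 1:                                  # bare protocol keyword
        if tok[0] not in PROTOS:
            raise ValueError(f"unknown primitive: {tok[0]}")
        return tok[0] in pkt.layers
    direction = None
    if tok[0] in ("src", "dst"):                       # optional direction qualifier
        direction, tok = tok[0], tok[1:]
    if tok[0] == "port":                               # 'port N' matches either end
        wanted = {"src": [pkt.sport], "dst": [pkt.dport]}.get(direction, [pkt.sport, pkt.dport])
        return int(tok[1]) in wanted
    if tok[0] == "host":                               # 'src host A' is the same as 'src A'
        tok = tok[1:]
    wanted = {"src": [pkt.src], "dst": [pkt.dst]}.get(direction, [pkt.src, pkt.dst])
    return tok[0] in wanted

def matches(expr: str, pkt: Packet) -> bool:
    """'and' binds tighter than 'or', as in BPF; parentheses and 'not' are not handled."""
    return any(all(_primitive(p.split(), pkt) for p in clause.split(" and "))
               for clause in expr.strip().strip("'").split(" or "))

def filter_capture(expr: str, packets: List[Packet]) -> List[int]:
    """Return the indices of the packets the filter would let tcpdump print."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]

CAPTURE = [  # constructed sample traffic, not a real capture
    Packet(frozenset({"ip", "tcp"}), "192.0.2.10", "10.0.0.1", 51234, 80),  # request to web host
    Packet(frozenset({"ip", "tcp"}), "10.0.0.1", "192.0.2.10", 80, 51234),  # its reply
    Packet(frozenset({"ip", "udp"}), "192.0.2.10", "10.0.0.1", 40000, 53),  # DNS to the same host
    Packet(frozenset({"ip", "tcp"}), "192.0.2.10", "10.0.0.2", 51235, 80),  # HTTP to another host
    Packet(frozenset({"arp"}), "192.0.2.1", "10.0.0.1"),                     # ARP, no ports
]

if __name__ == "__main__":
    for expr in ("tcp and port 80 and dst 10.0.0.1", "tcp and port 80", "udp or arp"):
        print(f"{expr!r:40} -> {filter_capture(expr, CAPTURE)}")
```

Real tcpdump also accepts `not` and parentheses, which this toy deliberately leaves out; the point is only that the same expression quoted in the thread selects just the request half of the HTTP exchange.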