Intruder Detection with tcpdump

Searching for Packet Information

If you want to search for information in the packet you have to know where to look. Tcpdump starts counting bytes of header information at byte 0; the 13th byte contains the TCP flags shown in Figure 4.

Figure 4: Header bytes 12-15.

Looking at byte 13, if SYN and ACK are set, then your binary value would be 00010010 , which are the same as decimal 18. This command searches for packets with this type of data in byte 13:

# tcpdump -n -r dumpfile.lpc -c 10 'tcp[13] == 18' and host 172.16.183.2

Figure 5 is an example of what this command will return.

Figure 5: Searching byte 13 for packets with SYN and ACK set.

When capturing data with tcpdump, one way to ignore the ARP traffic is to put it in a filter:

# tcpdump -n -s 1515 -c 5 -i eth1 tcp or udp or icmp

This will catch only tcp , udp , or icmp .

Tables 3 and 4 show you what you need to know to find all TCP packets with the SYN ACK or other flags set.

Incident Response

When analyzing network traffic, a tool like tcpdump is critical. I'll share some examples of using tcpdump to view a couple of different dump files as a way to learn more about network problems or possible attack scenarios. The first is a binary dump file of a snort log. You have the following information: The IP address of the Linux system is 192.168.100.45; an attacker got in using a WU-FTPD vulnerability and deployed a backdoor. What can you find out about how the attack happened and what the attacker did?

First, take a look at the file:

# tcpdump -xX -r snort001.log

The log appears long at this point, so you might want to run the file in snort,

# snort -r snort001.log -A full -c /etc/snort/snort.conf

which gives you information like total packets processed, protocol breakdown, alerts, and so on (Figures 6 and 7).

Figure 6: Checking a binary dump file of a snort log.
Figure 7: Running the file in snort.

Next, extract the full snort log file for analysis,

# tcpdump -nxX -s 1515 -r snort001.log > tcpdump-full.dat

which gives you a readable file to parse. After looking through it, you find ip-proto-11 , which is Network Voice Protocol (NVP) traffic. Now you can search through the file looking for ip-proto-11 .

# tcpdump -r snort001.log -w NVP-traffic.log proto 11

This command reads the snort001.log file, looks for log proto 11 , and writes the contents to the NVP-traffic.log file. Next, you need to be able to view the binary file.

# tcpdump -nxX -s 1515 -r NVP-traffic.log > nvp-traffic_log.dat

This file contains both hex and ASCII, which is nice, but you just want the IP address. Try this,

# tcpdump -r NVP-traffic.log > nvp-traffic_log01.dat

which gives you a list of IP addresses that were communicating by Network Voice Protocol (NVP) (Figure 8).

Figure 8: IP addresses communicating via NVP.

Next, I'll show you another snort dump file from a compromised Windows box that was communicating with an IRC server.

With which IRC servers did the server at 172.16.134.191 communicate? To look for TCP connections, try using tcpdump with a filtering expression to capture SYN/ACK packets coming in from outside servers:

# tcpdump -n -nn -r snort_log 'tcp and dst host 172.16.134.191 and tcp[13]==18'

This command produces a long list of connections going from 172.16.134.191 to outside connections (Figure 9).

Figure 9: Some connections going from the server of interest to outside connections.

Because IRC communicates on ports 6666-6669, add that information to the command to narrow down the search:

# tcpdump -n -nn -r snort_log 'tcp and dst host 172.134.16.234 and tcp[13]==18' and portrange 6666-6669

Now the list has been narrowed down to three IPs that were communicating with the server using IRC (Figure 10).

Figure 10: Searching ports 6666-6669.

Related content

  • Wireshark

    Troubleshoot network problems with this popular protocol analyzer.

  • Network Grep

    Ngrep is a pattern-matching tool that sorts the wheat from the chaff and doubles as a lightweight packet sniffer.

  • Visualize Your Network

    Sometimes data that’s five minutes old just isn’t good enough. An abundance of network monitoring tools for SNMP makes a sys admin’s job easier by collecting and displaying a superabundance of constantly changing data.

  • Arp Cache Poisoning and Packet Sniffing

    Intruders rely on arp cache poisoning to conceal their presence on a local network. We'll show you some of the tools an attacker might use to poison the arp cache and gather information on your network.

  • Moving Data Between Virtual Machines
    Network information in virtualized computer landscapes is not easy to access. In this article, we look at a few approaches you can use.
comments powered by Disqus