2016-05-17

tcpdump - standard Unix tool for analyzing network packets

(Up-to-date source of this post.)

despite its name it can do much more than capturing TCP headers
can sniff traffic on many network types (including 802.1Q VLAN)
de facto standard for command line packet analysis in Unix environment

Useful options:

-D -- list available interfaces

-i INTERFACE -- listen on INTERFACE (default: lowest numbered interface)

-w FILE -- write raw packets to FILE

-r FILE -- read packets from FILE

-nn -- turn off host and protocol name resolution (to avoid generating DNS packets)

-s0 -- set snaplength to 0, i.e. read the whole packet not just first 68 bytes (default if version >= 4.0)

-t -- turn off timestamp entries

-c COUNT -- capture COUNT packets and stop

Examples:

tcpdump -nni eth1 -w packets.pcap
tcpdump -nnr packets.pcap

Output format will vary based upon what protocols are in use:

TCP

timestamp L3_protocol sIP.sPort > dIP.dPort: TCP_flags,
TCP_sequence_number, TCP_acknowledgement_number, TCP_windows_size,
data_length

UDP

timestamp L3_protocol sIP.sPort > dIP.dPort: L4_protocol, data_length

use up to -vvv to provide more information on headers
use -x to get entire packets (including data not just headers) in hex format
use -A to get entire packets in hex and ASCII format
use -X to get entire packets in hex and ASCII format

Packet Filtering

utilizes the Berkeley Packet Filter (BPF) format

added to the end of the command (recommended to use single quotes)

tcpdump -nnr packets.pcap 'tcp dst port 8080' -w packets_tcp8080.pcap
tcpdump -nnr packets.pcap -F known_good_hosts.bpf

BPF

           operator
 primitive   |      primitive
     |       |         |
+---------+  | +----------------+
|         |  | |                |
udp port 53 && dst host 192.0.2.2
 |        |
 |        value
qualifier

Qualifiers

host
net - network in CIDR notation
port
src - communication source
dst - communication destination
ip - IP protocol
tcp - TCP protocol
upd - UPP protocol

Logical operators

&& - true when both conditions are true
|| - true when either condition is true
! - true when a condition is NOT met

Examples

host 192.0.2.100 - match traffic to/from 192.0.2.100
dst host 2001:db8:85a3::8a2e:370:7334 - match traffic to the IPv6 address
ether host 00:50:56:98:60:92 - match traffic to the specified MAC address
!port 22 - match any traffic not to/from port 22
icmp - match all ICMP traffic
!ip6 - match everything that is not IPv6

Resources

Applied Network Security Monitoring

2016-05-13

Common Vagrant Tasks

(Up-to-date source of this post.)

Search and add a box (virtual machine image):

vagrant box add https://atlas.hashicorp.com/ubuntu/boxes/trusty64

added box is global to the vagrant install
this is the base box (used to start the VM from the clean state)
base boxes are stored in ~/.vagrant.d/boxes

Initialize vagrant environment:

mkdir ubuntu-trusty64
cd ubuntu-trusty64
vagrant init ubuntu/trusty64

Vagrantfile is created

Start vagrant environment:

vagrant up

vagrant "imports" (copies) the base box to provider specific location (ex. ~/.VirtualBox)

Check box(es) status:

vagrant status

Check box(es) SSH configuration:

vagrant ssh-config

Ssh to a box:

vagrant ssh

Clean up:

# save VM's state; fastest to start again; eats most diskspace (hard disk + saved state of RAM)
vagrant suspend

# graceful shutdown; slower to start again, still eats disk space (hard disk)
vagrant halt

# power down and remove all of the guest hard disks; even slower to
# start again (reimport of the base box and reprovisioning)
vagrant destroy

Show status of all vagrant environments on the host (independent of the directory you're in):

vagrant global-status [--prune]

To share a folder from the host on the guest, add following to Vagrantfile:

config.vm.synced_folder "../../eset-repos", "/shared/eset-repos",
  owner: "jreisinger", group: "jreisinger"

Resources

https://docs.vagrantup.com
https://sysadmincasts.com/episodes/4-vagrant
http://docs-v1.vagrantup.com/v1/docs/