Introduction to tcpdump in Linux

In Linux, the sniffer includes tcpdump, Nmap, linSniffer, LinuxSniffer, hunt, and sniffit. Next we will only introduce the excellent sniffer in Linux ?? Tcpdump. The installation of tcpdump in Linux is very simple. Generally, there are two installation methods. An rpm Package is used for installation. In addition, it is installed in the form of a source program. In this Linux environment, the sniffer has Tcpdump, Nmap, linSniffer, LinuxSniffer, hunt, sniffit, etc. Next we will only introduce the excellent sniffer in Linux ?? Tcpdump. The installation of tcpdump in Linux is very simple. Generally, there are two installation methods. An rpm Package is used for installation. In addition, it is installed in the form of a source program. Here we will discuss how to install the rpm package. This form of installation is the simplest installation method. The rpm Package is compiled and packaged into a binary format. it can be directly installed using the rpm command without any modification.
Use the following command to log on as a super user:
# Rpm-ivh tcpdump-3_4a5.rpm
In this way, tcpdump is successfully installed in Linux.
Tcpdump is a multi-purpose network communication monitor that can capture and display packets and their content. It can be used as a protocol analyzer to provide an optimal channel between systems and network devices to detect communication and/or connectivity issues. Most of the time, network problems are concentrated on network configuration problems and hardware-related faults diagnosis. However, users will often face protocol-related problems and are forced to study the mechanisms of specific protocols to solve the problems. When tcpdump is used, the message to be checked is displayed in long or short format (based on the command line options used. Tcpdump has a powerful filtering mechanism that can be used to find packets that match a specified string or rule.
Tcpdump provides two main capture modes: garbage collection and non-garbage collection. In the pooled mode, each packet transmitted on the network is captured, regardless of whether the packet is sent to the system that executes tcpdump. For example, this mode is used by the RMON detector to monitor network communication. Probe listens on the network and collects protocol information and statistics. Because the LAN protocol (such as Ethernet) is broadcast-based, each transmitted frame can be obtained by any network interface connected to the LAN. Any device can read each transmitted frame, as long as the device chooses this method and configures it to read. When a device or interface reads each frame from the network, it indicates that it is in the garbage collection mode. In practice, the interface must be configured for the pooled operation and used only for special scenarios requiring network diagnosis. For this reason, only the root user can enable the garbage collection mode on an interface. This is the main reason that non-root users are not allowed to call tcpdump. The tcpdump tool provides many command line options to select the capture mode, control the output, specify filtering rules, and specify other operation features. These options are grouped based on their features and include the following types: operation mode, display options, packet filtering options.
The operation mode option controls how tcpdump captures and displays network communication parameters. The meanings of each option are as follows:
-C capture a specified number of packets;
-F use a file as the filter expression source;
-I use optional network interfaces to capture packets;
-P cannot be captured in pooled mode;
-R: reads captured files rather than network interfaces;
-W saves the original packet to the file.
Example:
1. pdumparp captures and displays all IP Address Resolution Protocol (ARP) packets. Capture includes requests and responses.
2. pdump host red and tcp will capture and display all transmission control protocol packets from (Sent to) red host.
3. pdump hos red1 and port23 will capture and display all packets sent to or from red1 using port 23. Used to check the Telnet packets sent from other systems to the system on the network. Port 23 is the Telnet service port for all incoming packets. Hazards of Sniffer
The sniffer can help network administrators find network vulnerabilities and detect network performance. The sniffer is a double-edged sword, which is also very harmful.
Sniffer may cause the following dangers:
1. the sniffer can capture passwords;
2. capture special or confidential information;
3. used to endanger the security of network neighbors, or to obtain higher-level access permissions;
4. analyze the network structure for network penetration.
Sniffer attacks are very common, especially on the Internet. A put sniffer can capture thousands of passwords. One of the largest sniffer attacks was discovered in 1994. This attack is widely considered to be the worst in the record. many host systems that can be accessed via FTP, Telnet, or remote logon are compromised. In this accident (the attacker was in Rahul.net), the sniffer only ran for 18 hours. During this period, several hundred hosts were leaked. Attackers include 268 sites, such as MIT, US Navy and Air Force, Sun Microsystems, IBM, NASA, CERFNet, and machines from universities in Canada, Israel, the Netherlands, and Belgium.
The sniffer can capture all packets on the network. However, an attacker must select packets. The sniffer attack is not as easy as it sounds. it requires attackers to have a certain understanding of the network. Simply setting a sniffer and placing it in any place will not play any role. Because even a network with only five workstations can transmit thousands of packets within one hour. In this way, in a short time, the files used by the sniffer to store captured packets will fill the entire hard disk (if every packet is recorded ).
To cleverly solve this problem, attackers only sniff the first 200 to 300 bytes of each packet. Both the user name and password are included in this part, which is a real concern of all attackers. Of course, if you have enough space for storage and sufficient capacity for processing, you can also sniff all the packets on the given interface, and you will find something terrible.
Defends against sniffing attacks
There are two ways to defend against sniffing attacks:
1. detect and eliminate the sniffer;
2. hide the data so that the sniffer cannot discover it.
For the first method: to detect and eliminate the sniffer, you can use a tool to detect the Nic in the hybrid mode.
Because the sniffer needs to set the network card that has been infiltrated into the network to work in the hybrid mode, Anto-sniff is a good tool to effectively detect the network card in the hybrid mode. The software can be downloaded at http://www.securitysoftwatech.com/antisniff. However, sniffing is very difficult to detect because they are passive programs. A sophisticated hacker can easily conceal information by damaging log files. it does not leave a tail for verification.
The second method is to hide the data so that the sniffer cannot find the key information.
There are generally two defense methods:
1. secure topology;
2. session encryption.
The sniffer can only capture data in the current network segment. This means that the finer the network segment, the less information the sniffer can collect. However, unless your company is an ISP or your resources are relatively unrestricted, such a solution will be costly. Network segments require expensive hardware devices. Three network devices cannot be crossed by the sniffer: switches, routers, and bridges.
We can use these devices flexibly for network segmentation. Readers may use 20 workstations as a group, which is a reasonable number. Then, each segment is manually detected every month (or a specific segment can be randomly detected using MD5 every month ). Network segments are only applicable to small networks. If there is a network of 500 workstations distributed in more than 50 departments, the full segment is not allowed by the price. Even if there are security considerations in the unit budget, it is difficult for the unit supervisor to believe that 50 hardware devices are needed, just to prevent sniffer attacks. In this case, it is a good choice to encrypt sessions. Session encryption provides another solution. Do not worry about data being sniffed, but try to make the sniffer not aware of the data. The advantage of this method is obvious: even if the attacker sniffed the data, the data is useless to him. However, its shortcomings are also very obvious. There are two main problems in encryption: technical problems and human problems.
Technical issues include whether the encryption is powerful enough or simply taking it for granted. For example, 40-bit encryption may not be enough, and not all applications are integrated with encryption support. In addition, cross-platform encryption solutions are rare, which are generally only available in some special applications. In addition, some users may resist using encryption, which they think is too troublesome. Users may agree to use encryption at the beginning, but they rarely stick to it. In short, we must look for a friendly media and it must be user friendly. SecureShell (SSH) has the preceding features. By using SSH, you can encrypt all transmitted data so that the "intermediate server" attack method is impossible and can also prevent DNS and IP spoofing. Another advantage is that the data transmitted is compressed, which can speed up transmission. SSH has many functions. it can replace Telnet and provide a secure "channel" for FTP, POP, and even PPP ". SSH is bound to port 22, and its connections are encrypted using RSA through negotiation. After the authentication is complete, all subsequent traffic is encrypted using IDEA. The SSH (Secure Shell) program can log on to the remote host over the network and execute commands. The SSH encrypted tunnel only protects the security of intermediate transmission, so that any common sniffing tool software cannot obtain the sent content. It provides strong security verification for secure communication in insecure networks, so it is a method to prevent sniffing. Simple use of SSH
Install
1. download the software package www.ssh.com and download the latest software package SSH2. It is best to download the source program package and compile it by yourself.
2. unzip and install:
# Tar-zxvf ssh2-2.4.0.tar.gz
# Cd ssh2-2.4.0
#./Configure
# Make
# Make install
Installation is complete. In this process, the server software package and the client software are installed together, so you do not have to install the client software package again.
Compiled binary packages are stored in the ftp://ftp.ssh.com/pub/ssh/rpmdirectory in rpm format. It is a software package for non-commercial users, named ssh-2.4.0-1.i386.rpm, which contains support for X-Window. Another software package that does not support X-Window is a ssh-2.4.0-1nox.i386.rpm, which can be installed directly after download. The installer installs the SSH2 package under/usr/local/bin and/usr/local/sbin.
Configuration
The SSH configuration file is under/etc/ssh2, including the host public key and private key of sshd2: hostkey and hostkey. pub. These two files are usually automatically generated during SSH installation. You can use the following command to generate them again:
# Rm/etc/ssh2/hostkey *
# Ssh-keygen2? P/etc/ssh2/hostkey
In general, the ssh2_config file does not need to be modified.
Start
In the Uinux/Linux environment, the server program is placed in the/usr/local/sbin Directory. The Startup method is as follows:
# Sshd
# Ps x
We can see that SSHD has been started. If you do not want to manually start SSHD every time you restart the system, you can write a script and place it in init. d Directory. after the system is started, the SSHD service is automatically started. Or directly add/usr/local/sbin/sshd to rc. local.
Use SSH
The client is SSH in the Uinux/Linux system and is stored in the/usr/local/bin directory. There are client tools such as SSH2 and scp. Use SSH to log on to the remote host as follows:
Host. ip. of. remote
The method is similar to Telnet. The difference is that the user must enter an authentication string. If the authentication string passes the authentication, the user logs on to the system directly. if the authentication string fails, the user is required to enter the system password. After successful password authentication, you can also log on to the system. In terms of usage, it is no different from Telnet. With the SSH client software, you do not have to open another FTP window, authenticate the file again, and then upload the file. Using the scp tool provided by the SSH client, you can directly upload files to the remote server. The usage is as follows:
Host1: dir/filenamehost2:/home/abc/filename
Sniffer technology is widely used in network maintenance and management. It works like a passive sonar, silently receiving various information from the network. Through the analysis of the data, the network administrator can gain an in-depth understanding of the current running status of the network to identify vulnerabilities in the network. I do not want to deny the good effect of the sniffer. Today, with increasing attention to network security, we must not only correctly use the sniffer, but also properly prevent the dangers of the sniffer. Sniffer can cause great security hazards, mainly because they are not easily discovered. You can learn how to use the sniffer and how to use the sniffer to defend against the attack. At the same time, we should also see that the best way to defend against the sniffer is to secure the topology structure and session encryption.