How to add ASA Firewall to GNS3

1. Download GNS3. I accept all the defaults (I actually tick the option to install SuperPuTTY, as tabbed console windows can be handy when using GNS3). Launch the program and you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

Setup GNS3

2. Check that the paths to the ‘projects’ and ‘images’ folders are where you want them to be. The defaults are fine, but if you run GNS3 on several machines you might want to choose something like a Dropbox folder > Apply > OK.

GNS3 Images

3. Option 2.

Setup GNS3 Step By Step

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Test GNS3 Settings

Adding Router Images to GNS3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

GNS3 Idle PC

6. Image file > Browse to the image you want to import. Here on GNS3 0.8.6 you can select the filename.bin file directly; with older versions you need to extract that file to a filename.image file yourself.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account and a valid support agreement. DO NOT email me and ask for Cisco IOS images (I will just ignore you!).

GNS3 Router Images

7. As mentioned above, it will offer to convert my filename.bin image to an extracted filename.image file > Yes.

IOS Images for GNS3

8. Set the router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace and test a range of values. If you don’t set an Idle PC value, Dynamips has no way of knowing when the emulated IOS is sitting in its idle loop, and your virtual network devices will eat all your CPU power!

GNS3 IDLE PC calculation

9. When complete click Close > Save > Close.

IDLE PC

10. You can now drag that model of router onto the workspace and use it. Repeat for each model of router you want to add.

Access Router in GNS3

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping or run a traceroute. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcore.

11. Edit > Preferences.

Edit GNS3 Preferences

12. Qemu > Qemu Guest > Give it an identifier name (it can be anything) > Browse to, and select, the image you downloaded.

GNS3 Setup Host

13. Save > OK > Apply.

Linux Microcore Qemu Guest Settings

14. You can now drag a Qemu Guest machine onto the workspace and console into it.

GNS3 Host Cmd Window

Adding a Cisco ASA to GNS3

Yes, you can add a Cisco PIX as well, but there are not many of them left in the wild.

15. Edit > Preferences > Qemu > ASA > Give it an identifier name (it can be anything) > Set the RAM to 1024 > Set the Qemu options to:

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Set the Kernel cmd line option to:

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

GNS3 Add ASA Firewall

16. You need two files to run the ASA: an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source, you are looking for asa842-initrd.gz and asa842-vmlinuz. Again, don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

Add Virtual ASA to GNS3

17. Finally select the vmlinuz file > Open.

GNS3 ASA vmlinuz File

18. Save > OK > Apply.

ASA 8.4 Add to GNS3

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licensed features disabled; to enable them you need to change the ASA’s activation key. An ASA activation key is normally tied to the serial number of the ASA. In this case we don’t have a real serial number (that’s not strictly true: if you check, it’s something like 12345678), so I will publish a working activation key*.

*Disclaimer: this will only work on this virtual ASA, and it is published elsewhere on the Internet; if I receive a request to remove it, I will do so.

Another ‘quirk’ is that every time you add a new ASA to the workspace you need to go through this process again. If you enter the commands below, you can issue a reload and also save the ASA without having to re-enter the activation key.

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

ASA Activation Key

20. When it comes back up (again, it will take a few minutes) you can check your ASA’s licensed features with show version.

ASA Licensed Features in GNS3
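If you want to confirm from the console output that the key took effect, rather than eyeballing the licence table, the following parser does it. It is an added example for this article, not Cisco's code or the article's own; SAMPLE_SHOW_VERSION is constructed to follow the layout of ASA 8.4 show version output, with illustrative values rather than a real device's licence. Paste your own show version text in its place.

```python
"""Parse the licence section of a Cisco ASA 'show version' and report its state.

Added example for this article (not Cisco's code or the article's own).
SAMPLE_SHOW_VERSION is constructed to follow the layout of ASA 8.4 output;
the values are illustrative, not a real device's licence.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.4(2)

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Total VPN Peers                   : 750            perpetual
Botnet Traffic Filter             : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 12345678
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x1
"""


@dataclass(frozen=True)
class LicensedFeature:
    value: str   # "Enabled", "Disabled", a count, or "Unlimited"
    term: str    # "perpetual" or a time-based remainder such as "62 days"


@dataclass
class AsaLicenseInfo:
    serial: str | None = None
    activation_key: tuple[str, ...] = ()
    features: dict[str, LicensedFeature] = field(default_factory=dict)


def parse_feature_line(line: str) -> tuple[str, LicensedFeature] | None:
    """Parse one 'Name : value term' row; None if the line is not a feature row."""
    if ":" not in line:
        return None
    name, rhs = line.split(":", 1)
    tokens = rhs.split()
    if len(tokens) < 2:
        return None
    # time-based licences end in "<n> days" rather than "perpetual"
    if tokens[-1] in ("day", "days") and len(tokens) >= 3 and tokens[-2].isdigit():
        return name.strip(), LicensedFeature(" ".join(tokens[:-2]), " ".join(tokens[-2:]))
    return name.strip(), LicensedFeature(" ".join(tokens[:-1]), tokens[-1])


def parse_show_version(text: str) -> AsaLicenseInfo:
    info = AsaLicenseInfo()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Licensed features for this platform"):
            in_table = True
            continue
        if line.startswith("Serial Number:"):
            info.serial = line.split(":", 1)[1].strip()
            continue
        if line.startswith(("Running Permanent Activation Key:", "Running Activation Key:")):
            info.activation_key = tuple(line.split(":", 1)[1].split())
            continue
        if in_table:
            parsed = parse_feature_line(line)
            if parsed is None:        # "This platform has an ... license." ends the table
                in_table = False
                continue
            name, feature = parsed
            info.features[name] = feature
    return info


def disabled_features(info: AsaLicenseInfo) -> list[str]:
    """Features still 'Disabled'; before the key is applied this is nearly everything."""
    return sorted(n for n, f in info.features.items() if f.value == "Disabled")


def key_matches(info: AsaLicenseInfo, expected: str) -> bool:
    """Compare the running key with the one you typed, ignoring hex case and leading zeros."""
    try:
        got = [int(w, 16) for w in info.activation_key]
        want = [int(w, 16) for w in expected.split()]
    except ValueError:
        return False
    return bool(got) and got == want


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print("serial:", info.serial)
    print("key ok:", key_matches(info, "0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6"))
    print("still disabled:", ", ".join(disabled_features(info)))
```

Anything still listed by disabled_features after the reload is a feature the key does not cover, not a sign that the key failed to save; key_matches is the check for that.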


To allow ICMP (pings) from the inside workstation, which is blocked by default because the ASA does not track ICMP statefully unless ICMP inspection is enabled (so the echo replies coming back in on the outside interface are dropped):

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside

Alternatively, add inspect icmp to the inspection_default class of the existing global_policy, which applies it on every interface.

 

To permanently save the ASA config in GNS3:

copy running-config disk0:/.private/running-config
copy disk0:/.private/running-config disk0:/.private/startup-config
conf t
boot config disk0:/.private/startup-config


Botnets

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.

A quick introduction to botnets – what they are, how they work and the potential consequences of being unwittingly press-ganged into a botnet array.

What is a Botnet?

To understand botnets, we first need to know more about ‘bots’. The term ‘bot’ or ‘robot’ program refers to a program that:

•  Performs repetitive tasks OR
•  Acts as an ‘agent’ or user interface for controlling other programs

Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task, or by simplifying a user’s control over various programs or systems.

Unfortunately, bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine. The ‘bot’ in botnets definitely refers to the second type, as these bots are used by an attacker to ‘hijack’ and control a computer system.

These malicious bots can arrive on a victim machine in many ways. The most common method involves dropping the bot in the payload of a Trojan or a similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments.

Once installed, the bot can take control of the system. A remote attacker can then give commands to the infected computer via the bot and force it to perform malicious actions. In this context, a bot is very similar to a backdoor program, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.

When more than one computer has the same bot installed on it, the multiple infected machines form a network, which is under the direct control of the attacker. This network is a botnet – a network of ‘enslaved’ computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a ‘bot’, a ‘zombie’ or a ‘zombie computer’.

How A Botnet Is Controlled

The attacker giving directions to the botnet is usually referred to as the botherder or controller. Botnets used to be run by individuals, but in recent years, botnets have become more ‘commercialized’, and it is thought that many botnets nowadays are in the hands of criminal syndicates.

To control the botnet, the botherder uses an application known as a client program to issue commands to the bot programs installed on zombies. This is very similar to how a backdoor is controlled and allows the botherder to operate very efficiently, as they can easily give instructions to a single zombie, multiple zombies, or even the entire botnet, all via a single client program.

Using the client, the botherder can direct a single zombie to perform a certain action. For example, it can be ordered to send all the e-mail addresses stored on its hard drive to a remote website, where they can be added to a spammer’s mailing list. Alternatively, all the zombies in the botnet can be commanded to perform the same routine, such as sending requests to a specific website (basically, a Denial of Service or DoS attack).

The relationship between the zombies and the client controlling them is known as a command-and-control (C&C) infrastructure. The zombie, website or server that hosts the client is known as the C&C server. The following image is a simplified view of this infrastructure:

Of course, in real life, a botnet’s organization can be far more complicated. Some botnets will use multiple C&C servers, using the redundancy as a type of protection; others will have only one C&C server, but will continually change the machine the client application is saved on, also for better security.

Botherders put in all these security measures for one simple reason: the C&C server is the nerve center of the entire botnet, and also its Achilles heel.

Botnet Take-Downs

To ‘kill’ a botnet, one of the most effective methods is to find and take down the C&C server. This action will usually be done by legal authorities such as national Computer Emergency Response Teams (CERTs), and effectively prevents the botherders from sending commands to their botnet. The zombies would still be infected, but because no new directions are coming in, they do not actively engage in malicious activities. This also makes it easier for administrators to take control of and disinfect their zombies, and implement more protective measures.

One noteworthy botnet takedown of recent years involved the rogue McColo Internet Service Provider (ISP), a US-based web hosting firm which many security experts believed hosted the C&C servers for a number of botnets (as well as malicious websites and other unsavory offerings). Following the takedown, the level of spam sent globally over the Internet was estimated to have dropped by as much as 60 to 75 percent, depending on the source cited.

As botnets have become more sophisticated however, botherders have developed a number of techniques that made tracking down the C&C server almost impossible, forcing security researchers and CERTs to develop improved or new techniques to deal with the changing botnet threat.

Why are Botnets a Threat?

Botnets are considered a menace for three simple reasons:

•  To build them, attackers have to ‘steal’ a computer from its legitimate user
•  Botnet operations can directly impact large numbers of real-world organizations and individuals
•  Botnets appear to be increasing in size and capability

When a computer is harnessed into a botnet, the effects of the ‘theft’ can be direct, immediate and far-reaching. While ‘in use’ by the botherder, the machine may not perform its normal tasks effectively, or at all. If the compromised computer belongs to a major corporation or a government, military or healthcare organization, a business or critical social service may be affected. Possible consequences may range from the relatively benign to the significant.

For example, some of the machines pulled into the Conficker botnet were personal home computers; others were military resources in the United States, the United Kingdom and France. Many home users noticed no repercussions; others experienced major connection issues. Meanwhile, the various militaries concerned were forced to take significant disinfection actions due to security concerns.

Widespread Repercussions

Once created, a botnet can be used to commit more malicious acts, such as stealing data, sending out spam and launching attacks. Even then, a botnet might be considered only a nuisance if its impact were limited to a few dozen, or even hundreds of infected machines. Unfortunately, botnets can perform actions that directly affect hundreds of thousands, or even millions of people.

For example, one botnet known as Srizbi is thought to be responsible for up to 60 percent of all spam e-mails sent out globally in 2008 (approximately 60 billion messages per day), a major nuisance to the ISPs, businesses and home users who had to deal with the unwanted messages.

Another example involves the Conficker botnet, which some analysts believe has caused a disproportionately large effect on the Internet infrastructure of entire developing countries, in many cases severely impacting businesses and home users in the affected countries.

These examples show the impact botnets can have. These real-life cases involve the botnets of today, which can have zombies numbering in the hundreds of thousands, and even millions. What happens in the future, if the botnet becomes even larger?

With Greater Size Comes Greater Power

Generally, a botnet’s potential threat increases with its size, as the increased resources give the controllers more power or capacity for their activities. For example, a DoS attack from a massive botnet is even harder to defend against than a similar attack from a smaller one, simply because a bigger botnet can generate more attack traffic.

There was a time – even as late as 2006 – when a big botnet comprised hundreds, or at most thousands, of infected machines. Those days are long gone however, as contemporary botnets dwarf their predecessors. The Srizbi botnet is thought to have had about 250,000 infected computers, while the later Conficker botnet is estimated to have anywhere from 9 million to 15 million computers, depending on the source cited.

Unfortunately, current trends show that more and more users are connecting to the Internet, especially from developing countries. This translates to an increasing number of computers vulnerable to infection – and potentially far larger botnets emerging in the near future.

What Attackers Can Do With A Botnet

An attacker who controls a botnet can do a wide range of actions, both TO individual machines in the botnet and WITH the entire resources of the botnet.

Data Harvesting

Most people store highly sensitive personal information on their computers – personal identification, work-related materials, e-mail addresses of all contacts and so on. If all these details are stored on a computer in a botnet, then the bot herder is almost guaranteed access to it. Such information can be sold, often to criminals intent on perpetrating or facilitating fraud.

Botnets also actively harvest information related to banking accounts. For example, during research into the activities of the Torpig botnet in 2009, researchers observed the theft of credentials for thousands of accounts belonging to hundreds of financial institutions – all in a period of 10 days.

Stolen Resources

Rather than purchase all the hardware and bandwidth necessary for their operations, botnet controllers can siphon the physical resources they need (processing power, storage space, bandwidth, etc) from their zombies. These resources can be put to various uses, such as:

  • Cyber attacks
    A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack against a target. The target can be any resource linked to the Internet, be it a major corporate website or a military database.
  • Spam Generators
    Probably the most common way a botnet is used is to send out massive quantities of spam e-mails. Botnets known to perform this activity include Srizbi and Storm. To give an idea of the size of this activity, in 2008 about 153 billion spam messages were sent out every day, an estimated 60 percent of which were botnet-generated.
  • Malware Distributors
    Another “product” being distributed by botnets is malware – trojans, viruses, worms and other things of that ilk. These offerings may be attached to spam e-mails or sent out via vulnerability exploits, or other methods.
  • Storage Space
    Zombies in a botnet may also be used as an illicit warehouse to store all the malicious or objectionable “merchandise” the botnet operators handle. The stored data may be everything from harvested personal details to pornographic images.

Rental

Last but not least, botnet ‘owners’ can rent use of the botnet to other users, almost always for malicious purposes. This is an increasingly lucrative activity for the botnet herders. According to Yuval Ben-Itzhak, Chief Technology Officer of computer security company Finjan, the botnet controllers can “make as much as $190,000 in one day” renting out “their” computers.

 

Proxy Servers / Anonymous Surfing (Hotspot Shield/Tor Browser – DarkNet/Deep Web)

In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies were invented to add structure and encapsulation to distributed systems.[1] Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity.

Types of proxy

A proxy server may reside on the user’s local computer, or at various points between the user’s computer and destination servers on the Internet.

  • A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy.
  • A forward proxy is an Internet-facing proxy used to retrieve content from a wide range of sources (in most cases anywhere on the Internet). A forward proxy that anyone on the Internet can use is an open (public) proxy.
  • A reverse proxy is usually an Internet-facing proxy used as a front end to control and protect access to a server on a private network. A reverse proxy commonly also performs tasks such as load balancing, authentication, decryption or caching.

Figures (captions only): a forward proxy taking requests from an internal network and forwarding them to the Internet; an open proxy forwarding requests from and to anywhere on the Internet; a reverse proxy taking requests from the Internet and forwarding them to servers in an internal network, where those making requests connect to the proxy and may not be aware of the internal network.

Uses of proxy servers

  • Monitoring and filtering: content-control software, filtering of encrypted data, bypassing filters and censorship, logging and eavesdropping
  • Improving performance (caching proxy server)
  • Translation
  • Accessing services anonymously (anonymous proxy server, sometimes called a web proxy)
  • Access control
  • QA geotargeted advertising
  • Security
  • Cross-domain resources

Implementations of proxies

Web proxy servers

Web proxies forward HTTP requests. Some web proxies allow the HTTP CONNECT method[12] to set up forwarding of arbitrary data through the connection; normally this is only allowed to port 443, to allow forwarding of HTTPS traffic. A proxy that permits CONNECT to any port is a general-purpose TCP relay, which is one reason open proxies are so readily abused for spam and intrusion attempts.

Examples of web proxy servers include Apache (with mod_proxy or Traffic Server), IIS configured as proxy (e.g., with Application Request Routing), Squid, and WinGate.
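The CONNECT handling described above, with the port-443 policy made explicit. This is an added example for this page, not code from Squid, Apache, WinGate or the original article; the allowed-port set and the refusal of private address space are policy assumptions for the example.

```python
"""Parse an HTTP CONNECT request and decide whether a forward proxy should tunnel it.

Added example (not the article's own code and not taken from any proxy product).
Policy: tunnel only to port 443, and never back into private/loopback space, so
the proxy cannot be turned into a general TCP relay or a pivot onto the LAN.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ALLOWED_CONNECT_PORTS = frozenset({443})   # assumption: HTTPS only


class ConnectError(ValueError):
    """A CONNECT request the proxy must refuse; carries the HTTP status to return."""

    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


@dataclass(frozen=True)
class ConnectTarget:
    host: str
    port: int


def parse_connect_request(raw: bytes) -> ConnectTarget:
    """Parse 'CONNECT host:port HTTP/1.x' in authority-form (RFC 7230 section 5.3.3)."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise ConnectError(400, "Bad Request")          # header block never ended
    parts = head.split(b"\r\n")[0].split(b" ")
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ConnectError(400, "Bad Request")
    method, authority, _version = parts
    if method != b"CONNECT":
        raise ConnectError(405, "Method Not Allowed")
    try:
        authority_s = authority.decode("ascii")
    except UnicodeDecodeError:
        raise ConnectError(400, "Bad Request") from None

    if authority_s.startswith("["):                      # bracketed IPv6 literal
        host, bracket, rest = authority_s[1:].partition("]")
        if not bracket or not rest.startswith(":"):
            raise ConnectError(400, "Bad Request")
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            raise ConnectError(400, "Bad Request") from None
        port_s = rest[1:]
    else:
        host, colon, port_s = authority_s.rpartition(":")
        if not colon or not host or ":" in host:        # port is mandatory for CONNECT
            raise ConnectError(400, "Bad Request")
    if not port_s.isdigit() or not 0 < int(port_s) < 65536:
        raise ConnectError(400, "Bad Request")
    return ConnectTarget(host, int(port_s))


def authorize_connect(target: ConnectTarget,
                      allowed_ports: frozenset[int] = ALLOWED_CONNECT_PORTS) -> None:
    """Policy: only the allowed ports, and never into private/loopback/link-local space."""
    if target.port not in allowed_ports:
        raise ConnectError(403, "Forbidden")
    try:
        ip = ipaddress.ip_address(target.host)
    except ValueError:
        return   # hostname: the same address check belongs after DNS resolution (not shown)
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        raise ConnectError(403, "Forbidden")


def handle_connect(raw: bytes) -> tuple[int, bytes]:
    """Return (status, response bytes); 200 means the proxy now relays bytes blindly."""
    try:
        target = parse_connect_request(raw)
        authorize_connect(target)
    except ConnectError as err:
        body = f"HTTP/1.1 {err.status} {err.reason}\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
        return err.status, body.encode("ascii")
    return 200, b"HTTP/1.1 200 Connection Established\r\n\r\n"


if __name__ == "__main__":
    # constructed requests: one the proxy tunnels, three a sensible proxy refuses
    for req in (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
                b"CONNECT mail.example.com:25 HTTP/1.1\r\n\r\n",
                b"CONNECT 10.0.0.5:443 HTTP/1.1\r\n\r\n",
                b"GET http://example.com/ HTTP/1.1\r\n\r\n"):
        status, _ = handle_connect(req)
        print(req.split(b"\r\n")[0].decode(), "->", status)
```

Once handle_connect returns 200 the proxy sees only ciphertext, so the port and address decisions here are the last point at which it can apply policy at all.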

Transparent proxy

Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal communication at the network layer without requiring any special client configuration. Clients need not be aware of the existence of the proxy. A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router.

“A ‘transparent proxy’ is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification”.

“A ‘non-transparent proxy’ is a proxy that modifies the request or response in order to provide some added service to the user agent, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering”.

Intercepting proxies are commonly used in businesses to enforce acceptable use policy, and to ease administrative overheads, since no client browser configuration is required. This second reason however is mitigated by features such as Active Directory group policy, or DHCP and automatic proxy detection.

Intercepting proxies are also commonly used by ISPs in some countries to save upstream bandwidth and improve customer response times by caching. This is more common in countries where bandwidth is more limited (e.g. island nations) or must be paid for.

In integrated firewall / proxy servers where the router/firewall is on the same host as the proxy, communicating original destination information can be done by any method, for example Microsoft TMG or WinGate.

Interception can also be performed using Cisco’s WCCP (Web Cache Communication Protocol). This proprietary protocol resides on the router and is configured from the cache, allowing the cache to determine what ports and traffic are sent to it via transparent redirection from the router. This redirection can occur in one of two ways: GRE tunneling (OSI Layer 3) or MAC rewrites (OSI Layer 2).

Once traffic reaches the proxy machine itself interception is commonly performed with NAT (Network Address Translation). Such setups are invisible to the client browser, but leave the proxy visible to the web server and other devices on the internet side of the proxy. Recent Linux and some BSD releases provide TPROXY (transparent proxy) which performs IP-level (OSI Layer 3) transparent interception and spoofing of outbound traffic, hiding the proxy IP address from other network devices.

Anonymous HTTPS proxy

Users wanting to bypass web filtering, and to prevent anyone from monitoring what they are doing, will typically search the Internet for an open and anonymous HTTPS proxy. They then configure their browser to send all requests through the web filter to this anonymous proxy. Those requests are encrypted with HTTPS, so the web filter cannot distinguish these transactions from, say, a legitimate access to a financial website. Thus, content filters are only effective against unsophisticated users.

The use of HTTPS proxies is detectable even without examining the encrypted data, simply by having the firewall monitor destination addresses for frequency of use and bandwidth. If a large amount of data is being directed to an address within an ISP’s residential range, such as Comcast’s, it is likely a home-operated proxy server. Either the single address or the entire ISP address range is then blocked at the firewall to prevent further connections.
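The detection the paragraph above describes, run over sample firewall log lines. This is an added example for this page (not the article's own code or any firewall vendor's): the key=value log format, the "residential" prefix list and the volume thresholds are all assumptions chosen for the example, and the log lines are constructed. In practice you would feed it your own firewall's session export and a netblock list built from WHOIS/ASN data.

```python
"""Flag likely home-run HTTPS proxies from firewall session logs.

Added example for this article (not the article's own code or any vendor's).
Aggregate outbound TLS sessions per destination and flag destinations that sit
in residential ISP space yet carry proxy-like volume. Log format, prefixes and
thresholds are assumptions for the example.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log lines in a simple key=value form, not any vendor's real syslog.
SAMPLE_FIREWALL_LOG = """\
2014-03-02T10:15:01 src=10.1.2.34 dst=93.184.216.34 dport=443 bytes=48210
2014-03-02T10:15:03 src=10.1.2.34 dst=73.12.45.67 dport=443 bytes=5120000
2014-03-02T10:17:40 src=10.1.2.34 dst=73.12.45.67 dport=443 bytes=2300000
2014-03-02T10:18:02 src=10.1.2.51 dst=73.12.45.67 dport=443 bytes=4100000
2014-03-02T10:18:30 src=10.1.2.51 dst=73.12.99.1 dport=443 bytes=20000
2014-03-02T10:19:11 src=10.1.2.51 dst=73.12.99.1 dport=443 bytes=18000
2014-03-02T10:20:00 src=10.1.2.60 dst=203.0.113.10 dport=443 bytes=9000000
2014-03-02T10:20:05 src=10.1.2.60 dst=73.12.45.67 dport=80 bytes=700000
garbage line the parser must skip
"""

# Assumed residential ISP space for the example; build the real list from WHOIS/ASN data.
RESIDENTIAL_RANGES = [ipaddress.ip_network("73.12.0.0/16")]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")


@dataclass
class DestStats:
    sessions: int = 0
    total_bytes: int = 0
    clients: set[str] = field(default_factory=set)


def aggregate_tls_sessions(log_text: str) -> dict[str, DestStats]:
    """Sum sessions and bytes per destination, counting only port-443 flows."""
    stats: dict[str, DestStats] = defaultdict(DestStats)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dport"] != "443":
            continue                      # malformed line or not TLS-looking traffic
        s = stats[m["dst"]]
        s.sessions += 1
        s.total_bytes += int(m["bytes"])
        s.clients.add(m["src"])
    return dict(stats)


def is_residential(dst: str, ranges=RESIDENTIAL_RANGES) -> bool:
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def suspected_proxies(stats: dict[str, DestStats], min_bytes: int = 1_000_000,
                      min_sessions: int = 10) -> list[str]:
    """Residential destinations with proxy-like volume: many bytes or many sessions."""
    return sorted(dst for dst, s in stats.items()
                  if is_residential(dst) and (s.total_bytes >= min_bytes or s.sessions >= min_sessions))


def investigate(stats: dict[str, DestStats], **thresholds) -> dict[str, list[str]]:
    """For each flagged destination, the internal clients that used it (who to follow up with)."""
    return {dst: sorted(stats[dst].clients) for dst in suspected_proxies(stats, **thresholds)}


if __name__ == "__main__":
    stats = aggregate_tls_sessions(SAMPLE_FIREWALL_LOG)
    for dst, clients in investigate(stats).items():
        s = stats[dst]
        print(f"{dst}: {s.sessions} sessions, {s.total_bytes} bytes, used by {', '.join(clients)}")
```

The 203.0.113.10 destination carries more bytes than anything else in the sample but is not flagged, because the heuristic is residential space plus volume, not volume alone; lowering min_bytes pulls in the second residential host and shows how quickly the rule starts producing noise.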

Tor onion proxy software

The Vidalia Tor-network map.

Tor (short for The Onion Router) is a system intended to enable online anonymity.[18] Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user’s location or usage from someone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including “visits to Web sites, online posts, instant messages and other communication forms”, back to the user.[18] It is intended to protect users’ personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.

“Onion routing” refers to the layered nature of the encryption service: the original data are encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a “layer” of encryption before passing the data on to the next relay and ultimately the destination. This reduces the possibility of the original data being unscrambled or understood in transit.[19]

The Tor client is free software, and there are no additional charges to use the network.
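The layering described above, worked through in code. This is an added example for this page and is not Tor's code: Tor negotiates per-hop AES-CTR keys through a handshake and uses fixed-size cells with integrity checks, whereas here a SHA-256 counter-mode keystream stands in for the cipher and the keys are pre-shared so the block runs offline from the standard library. What it shows accurately is the property the paragraph relies on: each relay can strip exactly one layer, learns only the next hop, and the destination is readable only by the exit.

```python
"""Toy onion routing: wrap a message in per-relay layers and let each relay peel one.

Added example for this article, not Tor's code. The cipher is a SHA-256
counter-mode keystream and the keys are pre-shared, both purely so the demo
runs offline; Tor uses AES-CTR keys negotiated per hop plus integrity checks.
"""
from __future__ import annotations

import hashlib
import struct


def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || block counter). Demo cipher only; never reuse a key."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + struct.pack(">Q", block_no)).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def frame(next_hop: str, payload: bytes) -> bytes:
    """Length-prefixed routing header followed by the opaque payload for the next hop."""
    hop = next_hop.encode("ascii")
    return struct.pack(">H", len(hop)) + hop + payload


def unframe(blob: bytes) -> tuple[str, bytes]:
    (n,) = struct.unpack(">H", blob[:2])
    return blob[2:2 + n].decode("ascii"), blob[2 + n:]


def build_onion(path: list[tuple[str, bytes]], destination: str, message: bytes) -> bytes:
    """Client side: encrypt from the exit inwards so relay i can strip exactly one layer.

    path lists (relay_name, key shared with that relay) from entry to exit.
    """
    layer = frame(destination, message)          # only the exit gets to read this
    for i in range(len(path) - 1, -1, -1):
        _name, key = path[i]
        layer = toy_stream_xor(key, layer)
        if i > 0:                                # tell the previous relay where to forward
            layer = frame(path[i][0], layer)
    return layer


def peel(key: bytes, onion: bytes) -> tuple[str, bytes]:
    """Relay side: remove our layer; learn the next hop and the opaque blob to forward."""
    return unframe(toy_stream_xor(key, onion))


def route(path: list[tuple[str, bytes]], onion: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Simulate the circuit; return what each relay saw as next hop, and the exit's payload."""
    seen = []
    blob = onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        seen.append((name, next_hop))
    return seen, blob


def demo_path() -> list[tuple[str, bytes]]:
    # Pre-shared keys derived from names, purely so the example is deterministic.
    return [(name, hashlib.sha256(b"toy-circuit-key:" + name.encode()).digest())
            for name in ("guard", "middle", "exit")]


if __name__ == "__main__":
    path = demo_path()
    onion = build_onion(path, "example.com:443", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    hops, payload = route(path, onion)
    for relay, nxt in hops:
        print(f"{relay:>6} forwards to {nxt}")
    print("exit delivers:", payload)
```

Note what the exit receives: the plaintext request. That is the point the later paragraph on anonymizers makes, that Tor does not provide end-to-end encryption to the public Internet; the inner payload has to be protected (for example by TLS) by the sender and recipient themselves.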

 

Proxy vs. NAT

Most of the time ‘proxy’ refers to a layer-7 application on the OSI reference model. However, another way of proxying is through layer-3 and is known as Network Address Translation (NAT). The difference between these two technologies is the tier in which they operate, and the way of configuring the clients to use them as a proxy.

In client configuration of NAT, configuring the gateway is sufficient. However, for client configuration of a layer-7 proxy, the destination of the packets that the client generates must always be the proxy server (layer-7), then the proxy server reads each packet and finds out the true destination.

Because NAT operates at layer-3, it is less resource-intensive than the layer-7 proxy, but also less flexible. As we compare these two technologies, we might encounter a terminology known as ‘transparent firewall’. Transparent firewall means that the layer-3 proxy uses the layer-7 proxy advantages without the knowledge of the client. The client presumes that the gateway is a NAT in layer-3, and it does not have any idea about the inside of the packet, but through this method the layer-3 packets are sent to the layer-7 proxy for investigation.

DNS proxy

A DNS proxy server takes DNS queries from a (usually local) network and forwards them to an Internet Domain Name Server. It may also cache DNS records.

 

An open proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service.


Advantages

An anonymous open proxy allows users to conceal their IP address and thereby help preserve their anonymity and maintain their security while browsing the web or using other Internet services.

Disadvantages

It is possible for a computer to run as an open proxy server without the computer’s owner knowing it. This can result from misconfiguration of proxy software running on the computer, or from infection with malware (viruses, trojans or worms) designed for this purpose.[1] If it is caused by malware, the infected computer is known as a zombie computer.

Running an open proxy is a high risk for the server operator; providing an anonymous proxy server can cause real legal troubles to the owner. Such services are frequently used to break into foreign computer systems, child pornography is usually consumed through proxies, and illegal content is likely to be spread through such proxies. Also, such a proxy can cause a high bandwidth usage resulting in higher latency to the subnetwork and violation of bandwidth limits. A badly configured open proxy can also allow access to a private subnetwork or DMZ: this is a high security concern for any company or home network because computers that usually are out of risk or firewalled can be directly attacked.

Many open proxies run very slowly, sometimes below 14.4 kbit/s, or even below 300 bit/s, while at other times the speed may change from fast to slow every minute. Some, such as PlanetLab proxies, run faster and were intentionally set up for public use.

Because open proxies are often implicated in abuse, a number of methods have been developed to detect them and to refuse service to them. IRC networks with strict usage policies automatically test client systems for known types of open proxies.[2] Likewise, a mail server may be configured to automatically test mail senders for open proxies, using software such as proxycheck.[3] Increasingly, mail servers are configured out of the box to consult various DNSBL servers in order to block spam; some of those DNSBLs also list open proxies.

An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user’s behalf, protecting personal information by hiding the client computer’s identifying information.

Purposes

There are many reasons for using anonymizers. Anonymizers help minimize risk. They can be used to prevent identity theft, or to protect search histories from public disclosure.

Some countries apply heavy censorship on the internet. Anonymizers can help in allowing free access to all of the internet content, but cannot help against persecution for accessing the Anonymizer website itself. Furthermore, as information itself about Anonymizer websites are banned in these countries,[8] users are wary that they may be falling into a government-set trap.[9]

Anonymizers are also used by people who wish to receive objective information with the growing target marketing on the internet and targeted information. For example, large news outlets such as CNN target the viewers according to region and give different information to different populations. Websites such as YouTube obtain information about the last videos viewed on a computer, and propose “recommended” videos accordingly, and most of the online targeted marketing is done by showing advertisements according to that region. Anonymizers are used for avoiding this kind of targeting and getting a more objective view of information.

Use of anonymizers

Protocol specific anonymizers

Sometimes anonymizers are implemented to work only with one particular protocol. The advantage is that no extra software is needed. The operation occurs in this manner: A connection is made by the user to the anonymizer. Commands to the anonymizer are included inside a typical message. The anonymizer then makes a connection to the resource specified by the inbound command and relays the message with the command stripped out.

An example of a protocol-specific anonymizer is an anonymous remailer for e-mail. Also of note are web proxies, and bouncers for FTP and IRC.

Protocol independent anonymizers

Protocol independence can be achieved by creating a tunnel to an anonymizer. The technology to do so varies. Protocols used by anonymizer services may include SOCKS, PPTP, or OpenVPN.

In this case either the desired application must support the tunneling protocol, or a piece of software must be installed to force all connections through the tunnel. Web browsers, FTP and IRC clients often support SOCKS for example, unlike telnet.

Use of multiple relays

Proxies can be daisy chained. Chaining anonymous proxies can make traffic analysis far more complex and costly by requiring the eavesdropper to be able to monitor different parts of the Internet.[1] An anonymizing remailer can use this concept by relaying a message to another remailer, and eventually to its destination.

Even stronger anonymity can be gained by using Tor. Tor is not merely a proxy chain, but an onion router, which means that routing information (as well as message content) is encrypted in such a way as to prevent linking the origin and destination. Like all anonymity networks, Tor cannot end-to-end encrypt messages destined for the public Internet;[11] that must be arranged between the sender and recipient. Tor’s hidden service protocol does, however, provide end-to-end encryption, along with the ability to anonymize servers to make them more censorship-resistant.

Another anonymity network is the Invisible Internet Project (I2P). Unlike Tor, I2P is a fully internal network. The philosophy behind I2P is that each node routes traffic for others and blends its own traffic in, while its own traffic is relayed by other peers through so-called tunnels made up of various other peers. As you never know whether a given mix logs all connections or not, the only way to be really sure there is no logging is to run your own anonymizing mix node and blend your traffic with that of other users, who in turn need not trust you, as they blend their traffic with yours and other users’ traffic in their own mix nodes. The network is highly dynamic and totally decentralized. It also takes care of letting other nodes learn that your node exists, for without peers using your node there would be no traffic to blend yours with. As all traffic always stays within the I2P network, a routing user’s traffic can remain end-to-end encrypted and will never show up in public websites’ logs.


BYOD security (ISE/Airwatch/Fixmo/LabTech) (MDM/MCM/NAC)

Bring your own device (BYOD) (also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.[1] The term is also used to describe the same practice applied to students using personally owned devices in education settings.[2]

BYOD is making significant inroads in the business world, with about 75% of employees in high growth markets such as Brazil and Russia and 44% in developed markets already using their own technology at work.[3] In most cases, businesses simply can’t block the trend. Some believe that BYOD may help employees be more productive.[4] Others say it increases employee morale and convenience by using their own devices and makes the company look like a flexible and attractive employer.[5] Many feel that BYOD can even be a means to attract new hires, pointing to a survey that indicates 44% of job seekers view an organization more positively if it supports their device.[6]


AirWatch

Support Personal Devices in Your Enterprise Deployment

With the consumerization of mobility, many enterprises are turning to Bring Your Own Device (BYOD) programs, or a hybrid approach including deployed corporate-owned devices and a BYOD program. By enabling a BYOD program, or taking a hybrid approach, enterprises allow employees access to corporate resources from anywhere, increasing productivity and driving employee satisfaction. Securing employee-owned devices and supporting different mobile platforms, however, can create complex issues for IT departments.

AirWatch supports Bring Your Own Device (BYOD) programs by enabling unprecedented device choice and supporting the device ownership models you choose without compromising the security and management of your mobile fleet. AirWatch provides a flexible model for asset management, policy enforcement, and distributing profiles, apps and content, based on device ownership type.

Device Choice

AirWatch supports all major mobile platforms, allowing you to implement a flexible BYOD program. Your employees can choose from the latest makes and models for their smartphones, tablets and laptops. Define devices eligible for enrollment with custom device whitelists and blacklists.

Access to Corporate Resources

AirWatch’s simple enrollment process provides a consistent agent-based flow for major platforms. Once users are authenticated, profiles, applications and content are configured automatically based on the user and device ownership type. AirWatch enables secure access to enterprise resources from employee-owned devices. Provide employees connections to intranet sites and corporate content, apps, Wi-Fi, VPN networks and more from their mobile devices by pushing profiles automatically or on-demand. AirWatch also empowers your employees and reduces the burden on IT with our self-service portal. From the portal, employees can enroll additional devices, view detailed device information and perform remote actions.

Privacy Concerns

AirWatch enables companies to separate corporate and personal data on devices through customizable privacy policies that can be based on device ownership type. Configure policies to prevent data collection from personal email, content or applications on an employee-owned device. GPS location, personal user information and telecom data can also remain private, and employee-owned devices can be protected from a full device wipe or remote control. AirWatch also allows businesses to mitigate risks that are presented when employee-owned devices are accessing corporate resources. With custom Terms of Use (TOU) agreements based on user role, organization group and device platform, users can be informed about data that will be captured and what they are allowed to do with the device.

Security and Compliance

Corporations need to enable BYOD without sacrificing the security needs of IT. With AirWatch Workspace, provide enterprise-grade security for corporate resources and applications that are delivered to a device while preserving the separation of corporate and personal data. Create enrollment restrictions to limit the number of specific device types to ensure uniformity. Compartmentalize and manage enterprise applications and data without having to manage the entire device. AirWatch container solutions are designed to work together to deliver a seamless user experience with single sign on capabilities and cross-container integration. Provide enterprise-grade security for your applications with user authentication, data encryption, app-level policies, compliance monitoring and management.

Removing Corporate Resources

Administrators can remove access to corporate email, Wi-Fi and VPN when an end user un-enrolls or leaves the company. Remove internal apps and corporate content from devices upon end user departure. Finally, perform an enterprise wipe without affecting personal content on the device.


TCPDump Packet Sniffing on Linux Back track 5

tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. 

Tcpdump prints the contents of network packets. It can read packets from a network interface card or from a previously created saved packet file. Tcpdump can write packets to standard output or a file.

It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer. A user with the necessary privileges on a system acting as a router or gateway through which unencrypted traffic such as Telnet or HTTP passes can use tcpdump to view login IDs, passwords, the URLs and content of websites being viewed, or any other unencrypted information.

tcpdump is a powerful and widely used command-line packet sniffer and analyzer, used to capture or filter the TCP/IP packets received or transmitted over a network on a specific interface. It is available on most Linux/Unix based operating systems. tcpdump also gives you the option to save captured packets in a file for later analysis. It saves the file in pcap format, which can be read back with the tcpdump command or with Wireshark, an open source GUI based network protocol analyzer that reads pcap files.

How to Install tcpdump in Linux

Many Linux distributions already ship with tcpdump; if you don’t have it on your system, you can install it using the following yum command.

# yum install tcpdump

Once tcpdump is installed, you can work through the following commands and their example output.

1. Capture Packets from Specific Interface

The output scrolls up the screen until you interrupt the capture. When executed without -i, tcpdump does not restrict the capture to a chosen interface; with the -i switch it captures only from the desired interface.

# tcpdump -i eth0


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:33:31.976358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500440357:3500440553, ack 3652628334, win 18760, length 196

11:33:31.976603 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64487, length 0

11:33:31.977243 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28

11:33:31.977359 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46

11:33:31.977367 IP 172.16.25.126.54807 > tecmint.com: 4240+ PTR? 125.25.16.172.in-addr.arpa. (44)

11:33:31.977599 IP tecmint.com > 172.16.25.126.54807: 4240 NXDomain 0/1/0 (121)

11:33:31.977742 IP 172.16.25.126.44519 > tecmint.com: 40988+ PTR? 126.25.16.172.in-addr.arpa. (44)

11:33:32.028747 IP 172.16.20.33.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.112045 IP 172.16.21.153.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.115606 IP 172.16.21.144.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

11:33:32.156576 ARP, Request who-has 172.16.16.37 tell old-oraclehp1.midcorp.mid-day.com, length 46

11:33:32.348738 IP tecmint.com > 172.16.25.126.44519: 40988 NXDomain 0/1/0 (121)

2. Capture Only N Number of Packets

When you run tcpdump it captures all the packets on the specified interface until you interrupt it (Ctrl+C). With the -c option you can capture a specified number of packets instead. The example below captures only 6 packets.

# tcpdump -c 5 -i eth0


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

11:40:20.281355 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3500447285:3500447481, ack 3652629474, win 18760, length 196

11:40:20.281586 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 65235, length 0

11:40:20.282244 ARP, Request who-has tecmint.com tell 172.16.25.126, length 28

11:40:20.282360 ARP, Reply tecmint.com is-at 00:14:5e:67:26:1d (oui Unknown), length 46

11:40:20.282369 IP 172.16.25.126.53216 > tecmint.com.domain: 49504+ PTR? 125.25.16.172.in-addr.arpa. (44)

11:40:20.332494 IP tecmint.com.netbios-ssn > 172.16.26.17.nimaux: Flags [P.], seq 3058424861:3058424914, ack 693912021, win 64190, length 53 NBT Session Packet: Session Message

6 packets captured

23 packets received by filter

0 packets dropped by kernel

3. Print Captured Packets in ASCII

The tcpdump command below, with option -A, prints the contents of each packet in ASCII in addition to the header summary.

# tcpdump -A -i eth0


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

09:31:31.347508 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3329372346:3329372542, ack 4193416789, win 17688, length 196

M.r0…vUP.E.X…….~.%..>N..oFk………KQ..)Eq.d.,….r^l……m\.oyE….-….g~m..Xy.6..1…..c.O.@…o_..J….i.*…..2f.mQH…Q.c…6….9.v.gb……..;..4.).UiCY]..9..x.)..Z.XF….’|..E……M..u.5…….ul

09:31:31.347760 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64351, length 0

M….vU.r1~P.._……….

^C09:31:31.349560 IP 192.168.0.2.46393 > b.resolvers.Level3.net.domain: 11148+ PTR? 1.0.168.192.in-addr.arpa. (42)

E..F..@.@…………9.5.2.f+…………1.0.168.192.in-addr.arpa…..


3 packets captured

11 packets received by filter

0 packets dropped by kernel

4. Display Available Interfaces

To list the interfaces available for capture on the system, run the following command with the -D option.

# tcpdump -D


1.eth0

2.eth1

3.usbmon1 (USB bus number 1)

4.usbmon2 (USB bus number 2)

5.usbmon3 (USB bus number 3)

6.usbmon4 (USB bus number 4)

7.usbmon5 (USB bus number 5)

8.any (Pseudo-device that captures on all interfaces)

9.lo

5. Display Captured Packets in HEX and ASCII

The following command with option -XX captures each packet and prints its data, including the link-level header, in hex and ASCII.

# tcpdump -XX -i eth0


11:51:18.974360 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509235537:3509235733, ack 3652638190, win 18760, length 196

0x0000:  b8ac 6f2e 57b3 0001 6c99 1468 0800 4510  ..o.W…l..h..E.

0x0010:  00ec 8783 4000 4006 275d ac10 197e ac10  ….@.@.’]…~..

0x0020:  197d 0016 1129 d12a af51 d9b6 d5ee 5018  .}…).*.Q….P.

0x0030:  4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123  IH…….M”.g..#

0x0040:  9013 8f68 aa70 29f3 2efc c512 5660 4fe8  …h.p)…..V`O.

0x0050:  590a d631 f939 dd06 e36a 69ed cac2 95b6  Y..1.9…ji…..

0x0060:  f8ba b42a 344b 8e56 a5c4 b3a2 ed82 c3a1  …*4K.V……..

0x0070:  80c8 7980 11ac 9bd7 5b01 18d5 8180 4536  ..y…..[…..E6

0x0080:  30fd 4f6d 4190 f66f 2e24 e877 ed23 8eb0  0.OmA..o.$.w.#..

0x0090:  5a1d f3ec 4be4 e0fb 8553 7c85 17d9 866f  Z…K….S|….o

0x00a0:  c279 0d9c 8f9d 445b 7b01 81eb 1b63 7f12  .y….D[{….c..

0x00b0:  71b3 1357 52c7 cf00 95c6 c9f6 63b1 ca51  q..WR…….c..Q

0x00c0:  0ac6 456e 0620 38e6 10cb 6139 fb2a a756  ..En..8…a9.*.V

0x00d0:  37d6 c5f3 f5f3 d8e8 3316 d14f d7ab fd93  7…….3..O….

0x00e0:  1137 61c1 6a5c b4d1 ddda 380a f782 d983  .7a.j\….8…..

0x00f0:  62ff a5a9 bb39 4f80 668a                 b….9O.f.

11:51:18.974759 IP 172.16.25.126.60952 > mddc-01.midcorp.mid-day.com.domain: 14620+ PTR? 125.25.16.172.in-addr.arpa. (44)

0x0000:  0014 5e67 261d 0001 6c99 1468 0800 4500  ..^g&…l..h..E.

0x0010:  0048 5a83 4000 4011 5e25 ac10 197e ac10  .HZ.@.@.^%…~..

0x0020:  105e ee18 0035 0034 8242 391c 0100 0001  .^…5.4.B9…..

0x0030:  0000 0000 0000 0331 3235 0232 3502 3136  …….125.25.16

0x0040:  0331 3732 0769 6e2d 6164 6472 0461 7270  .172.in-addr.arp

0x0050:  6100 000c 0001                           a…..
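The first four rows of the hex dump above hold the Ethernet, IPv4 and TCP headers of the packet in the first summary line. The following added example (not from the original article) decodes those bytes with Python's struct module, rebuilds tcpdump's summary line from them, and also verifies the IPv4 header checksum, which the summary does not show; it works on any Ethernet frame carrying an IPv4/TCP segment, not only this one.

```python
"""Decode Ethernet/IPv4/TCP headers from a tcpdump -XX hex dump (added example; see lead-in)."""
import struct

# The first four 16-byte rows (offsets 0x0000-0x0030) of the dump shown above,
# with the offset column and the ASCII gutter removed.
HEXDUMP_ROWS = """
b8ac 6f2e 57b3 0001 6c99 1468 0800 4510
00ec 8783 4000 4006 275d ac10 197e ac10
197d 0016 1129 d12a af51 d9b6 d5ee 5018
4948 8bfa 0000 0e12 ea4d 22d1 67c0 f123
"""

# tcpdump prints TCP flags in this fixed order and shows ACK as '.'.
FLAG_LETTERS = ((0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W"))


def hexdump_to_bytes(text):
    """Join the hex columns of a dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def ipv4_checksum_ok(header):
    """One's-complement sum of the header as 16-bit words; a valid header folds to 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def flag_string(bits):
    return "".join(letter for mask, letter in FLAG_LETTERS if bits & mask)


def decode_frame(frame):
    """Return the header fields that tcpdump prints in its one-line summary of an IPv4/TCP frame."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    return {
        "eth_src": ":".join("%02x" % b for b in eth_src),
        "eth_dst": ":".join("%02x" % b for b in eth_dst),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl, "ip_id": ident, "dont_fragment": bool(frag & 0x4000),
        "ip_checksum_ok": ipv4_checksum_ok(ip[:ihl]),
        "sport": sport, "dport": dport,
        "flags": flag_string(off_flags & 0x1ff),
        "seq": seq, "ack": ack, "win": window,
        # payload length as tcpdump reports it: IP total length minus both headers
        "length": total_len - ihl - data_offset,
    }


def summary_line(fields):
    """Format the decoded fields the way tcpdump's numeric (-n style) summary does."""
    return "IP %s.%d > %s.%d: Flags [%s], seq %d:%d, ack %d, win %d, length %d" % (
        fields["src"], fields["sport"], fields["dst"], fields["dport"], fields["flags"],
        fields["seq"], fields["seq"] + fields["length"], fields["ack"], fields["win"],
        fields["length"])


if __name__ == "__main__":
    decoded = decode_frame(hexdump_to_bytes(HEXDUMP_ROWS))
    print(summary_line(decoded))
    print("IPv4 header checksum valid:", decoded["ip_checksum_ok"])
```

Port 4393 is what tcpdump resolved to the service name apwi-rxspooler in the dump above; the remaining 196 bytes after the TCP header are the SSH payload.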

6. Capture and Save Packets in a File

As mentioned, tcpdump can capture and save packets to a file in .pcap format; to do this, run the command with the -w option.

# tcpdump -w 0001.pcap -i eth0


tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

4 packets captured

4 packets received by filter

0 packets dropped by kernel

7. Read Captured Packets File

To read and analyze the captured packets in the 0001.pcap file, use the command with the -r option, as shown below.

# tcpdump -r 0001.pcap


reading from file 0001.pcap, link-type EN10MB (Ethernet)

09:59:34.839117 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3353041614:3353041746, ack 4193563273, win 18760, length 132

09:59:34.963022 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 132, win 65351, length 0

09:59:36.935309 IP 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)

09:59:37.528731 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [P.], seq 1:53, ack 132, win 65351, length 5

8. Capture IP address Packets

To show the IP addresses and ports of captured packets numerically, without resolving them to host and service names, run the following command with option -n.

# tcpdump -n -i eth0


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

12:07:03.952358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509512873:3509513069, ack 3652639034, win 18760, length 196

12:07:03.952602 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64171, length 0

12:07:03.953311 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308

12:07:03.954288 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164

12:07:03.954502 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 65535, length 0

12:07:03.955298 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276

12:07:03.955425 IP 172.16.23.16.netbios-ns > 172.16.31.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST

12:07:03.956299 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1236, ack 1, win 18760, length 292

12:07:03.956535 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1236, win 64967, length 0

9. Capture only TCP Packets.

To capture only TCP packets, run the following command with the tcp filter expression.

# tcpdump -i eth0 tcp


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

12:10:36.216358 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 3509646029:3509646225, ack 3652640142, win 18760, length 196

12:10:36.216592 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 196, win 64687, length 0

12:10:36.219069 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 196:504, ack 1, win 18760, length 308

12:10:36.220039 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 504:668, ack 1, win 18760, length 164

12:10:36.220260 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 668, win 64215, length 0

12:10:36.222045 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 668:944, ack 1, win 18760, length 276

12:10:36.223036 IP 172.16.25.126.ssh > 172.16.25.125.apwi-rxspooler: Flags [P.], seq 944:1108, ack 1, win 18760, length 164

12:10:36.223252 IP 172.16.25.125.apwi-rxspooler > 172.16.25.126.ssh: Flags [.], ack 1108, win 65535, length 0

^C12:10:36.223461 IP mid-pay.midcorp.mid-day.com.netbios-ssn > 172.16.22.183.recipe: Flags [.], seq 283256512:283256513, ack 550465221, win 65531, length 1[|SMB]

10. Capture Packet from Specific Port

Let’s say you want to capture packets for a specific port, 22 for example; execute the command below, specifying the port number.

# tcpdump -i eth0 port 22


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:37:49.056927 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364204694:3364204890, ack 4193655445, win 20904, length 196

10:37:49.196436 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 4294967244:196, ack 1, win 20904, length 248

10:37:49.196615 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 196, win 64491, length 0

10:37:49.379298 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 196:616, ack 1, win 20904, length 420

10:37:49.381080 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 616:780, ack 1, win 20904, length 164

10:37:49.381322 IP 192.168.0.1.nokia-ann-ch1 > 192.168.0.2.ssh: Flags [.], ack 780, win 65535, length 0

11. Capture Packets from source IP

To capture packets from a specific source IP, say 192.168.0.2, use the command as follows.

# tcpdump -i eth0 src 192.168.0.2


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:49:15.746474 IP 192.168.0.2.ssh > 192.168.0.1.nokia-ann-ch1: Flags [P.], seq 3364578842:3364579038, ack 4193668445, win 20904, length 196

10:49:15.748554 IP 192.168.0.2.56200 > b.resolvers.Level3.net.domain: 11289+ PTR? 1.0.168.192.in-addr.arpa. (42)

10:49:15.912165 IP 192.168.0.2.56234 > b.resolvers.Level3.net.domain: 53106+ PTR? 2.0.168.192.in-addr.arpa. (42)

10:49:16.074720 IP 192.168.0.2.33961 > b.resolvers.Level3.net.domain: 38447+ PTR? 2.2.2.4.in-addr.arpa. (38)

12. Capture Packets from destination IP

To capture packets sent to a specific destination IP, say 50.116.66.139, use the command as follows.

# tcpdump -i eth0 dst 50.116.66.139


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:55:01.798591 IP 192.168.0.2.59896 > 50.116.66.139.http: Flags [.], ack 2480401451, win 318, options [nop,nop,TS val 7955710 ecr 804759402], length 0

10:55:05.527476 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [F.], seq 2521556029, ack 2164168606, win 245, options [nop,nop,TS val 7959439 ecr 804759284], length 0

10:55:05.626027 IP 192.168.0.2.59894 > 50.116.66.139.http: Flags [.], ack 2, win 245, options [nop,nop,TS val 7959537 ecr 804759787], length 0

This article should help you explore the tcpdump command in depth and capture and analyze packets in future.


————————————————————

TCPdump is a very powerful command line interface packet sniffer.

It must be launched as root or with superuser rights, because putting a network device into promiscuous mode and opening a raw capture socket require sufficient privileges.

Wireshark (formerly ethereal) can be used as an alternative to TCPdump but with a GUI interface. Wireshark can be used to read the logs captured by TCPdump too. 

1. TCPDUMP DOWNLOAD:

 To download TCPdump:

#apt-get install tcpdump

 To see the TCPdump dependencies:

#apt-cache depends tcpdump

tcpdump
Depends: libc6
Depends: libpcap0.8
Depends: libssl0.9.8 

 To see the installed TCPdump version:

#apt-cache policy tcpdump

tcpdump:
Installed: 3.9.4-2ubuntu0.1
Candidate: 3.9.4-2ubuntu0.1
Version table:
*** 3.9.4-2ubuntu0.1 0
500 http://security.ubuntu.com dapper-security/main Packages
100 /var/lib/dpkg/status
3.9.4-2 0
500 http://ch.archive.ubuntu.com dapper/main Packages 



2. TCPDUMP SYNTAX

Syntax: Protocol Direction Host(s) Value Logical Operations Other expression
Example: tcp dst 10.1.1.1 80 and tcp dst 10.2.2.2 3128

 Protocol:
Values: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp.
If no protocol is specified, all the protocols are used.

 Direction:
Values: src, dst, src and dst, src or dst
If no source or destination is specified, the “src or dst” keywords are applied.
For example, “host 10.2.2.2” is equivalent to “src or dst host 10.2.2.2”.

 Host(s):
Values: net, port, host, portrange.
If no host(s) is specified, the “host” keyword is used.
For example, “src 10.1.1.1” is equivalent to “src host 10.1.1.1”.

 Logical Operations:
Values: not, and, or.
Negation (“not”) has highest precedence. Alternation (“or”) and concatenation (“and”) have equal precedence and associate left to right.
For example,
“not tcp port 3128 and tcp port 23” is equivalent to “(not tcp port 3128) and tcp port 23”.
“not tcp port 3128 and tcp port 23” is NOT equivalent to “not (tcp port 3128 and tcp port 23)”.
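To make these precedence and default rules concrete, here is an added example (not from the original page or from tcpdump itself) that parses filter expressions with the grammar described above and evaluates them over a few constructed packet records. It assumes numeric ports only, supports the ip, tcp, udp and arp protocol qualifiers, and treats ip as covering tcp and udp.

```python
"""Mini evaluator for tcpdump-style filter expressions (added example; see the lead-in)."""
import ipaddress

# Constructed sample packets, not captured traffic. The ARP record carries no ports.
PACKETS = [
    {"id": "P1", "proto": "tcp", "src": "10.1.1.1", "sport": 40000, "dst": "10.2.2.2", "dport": 3128},
    {"id": "P2", "proto": "tcp", "src": "10.1.1.1", "sport": 40001, "dst": "10.3.3.3", "dport": 23},
    {"id": "P3", "proto": "udp", "src": "10.2.2.2", "sport": 53, "dst": "10.1.1.1", "dport": 51000},
    {"id": "P4", "proto": "arp", "src": "10.1.1.1", "dst": "10.1.1.254"},
    {"id": "P5", "proto": "tcp", "src": "10.5.5.5", "sport": 23, "dst": "10.2.2.2", "dport": 3128},
]

# Protocol qualifiers supported here (assumption: "ip" covers tcp and udp).
PROTO_COVERS = {"ip": {"tcp", "udp"}, "tcp": {"tcp"}, "udp": {"udp"}, "arp": {"arp"}}
TYPES = ("host", "net", "port", "portrange")
OPERATORS = ("and", "or", "&&", "||")
PORT_KEY = {"src": "sport", "dst": "dport"}

def side_matches(pkt, side, kind, value):
    """Test one side (src or dst) of a packet against a host/net/port/portrange value."""
    if kind == "host":
        return pkt[side] == value
    if kind == "net":
        return ipaddress.ip_address(pkt[side]) in ipaddress.ip_network(value, strict=False)
    port = pkt.get(PORT_KEY[side])
    if port is None:  # ARP has no ports, so no port test can match it
        return False
    low, high = (int(x) for x in value.split("-")) if kind == "portrange" else (int(value),) * 2
    return low <= port <= high

def match_primitive(pkt, proto, direction, kind, value):
    """Evaluate one primitive of the form [protocol] [direction] type value."""
    if proto and pkt["proto"] not in PROTO_COVERS[proto]:
        return False
    if kind is None:  # bare protocol qualifier such as "udp"
        return True
    sides = {"src": ["src"], "dst": ["dst"]}.get(direction, ["src", "dst"])
    hits = [side_matches(pkt, s, kind, value) for s in sides]
    return all(hits) if direction == "src and dst" else any(hits)

def combine(op, left, right):
    if op in ("and", "&&"):
        return lambda pkt: left(pkt) and right(pkt)
    return lambda pkt: left(pkt) or right(pkt)

def peek(toks, k=0):
    return toks[k] if len(toks) > k else None

def parse_expr(toks):
    # "and" and "or" share one precedence level and associate left to right.
    left = parse_unary(toks)
    while peek(toks) in OPERATORS:
        left = combine(toks.pop(0), left, parse_unary(toks))
    return left

def parse_unary(toks):
    # "not" has the highest precedence: it applies only to the operand that follows.
    if peek(toks) in ("not", "!"):
        toks.pop(0)
        inner = parse_unary(toks)
        return lambda pkt: not inner(pkt)
    if peek(toks) == "(":
        toks.pop(0)
        inner = parse_expr(toks)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
        return inner
    return parse_primitive(toks)

def parse_primitive(toks):
    proto = toks.pop(0) if peek(toks) in PROTO_COVERS else None
    if proto and peek(toks) in (None, ")") + OPERATORS:  # bare protocol, e.g. "udp"
        return lambda pkt: match_primitive(pkt, proto, None, None, None)
    direction = "src or dst"  # default when no direction is given
    if peek(toks) in ("src", "dst"):
        direction = toks.pop(0)
        # a spelled-out "src or dst" / "src and dst" is part of the qualifier, not an operator
        if peek(toks) in ("or", "and") and peek(toks, 1) in ("src", "dst"):
            direction = "%s %s %s" % (direction, toks.pop(0), toks.pop(0))
    kind = toks.pop(0) if peek(toks) in TYPES else "host"  # default type: host
    if not toks:
        raise ValueError("filter ends before a value")
    value = toks.pop(0)
    return lambda pkt: match_primitive(pkt, proto, direction, kind, value)

def filter_packets(expr, packets=PACKETS):
    """Return the ids of the sample packets selected by a filter expression."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    predicate = parse_expr(toks)
    if toks:
        raise ValueError("unexpected tokens: %r" % toks)
    return [p["id"] for p in packets if predicate(p)]

if __name__ == "__main__":
    for e in ("not tcp port 3128 and tcp port 23", "not (tcp port 3128 and tcp port 23)"):
        print("%-40s -> %s" % (e, filter_packets(e)))
```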



3. TCPDUMP USE

 To display the Standard TCPdump output:

#tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

21:57:29.004426 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:31.228013 arp who-has 192.168.1.2 tell 192.168.1.1
21:57:31.228020 arp reply 192.168.1.2 is-at 00:04:75:22:22:22 (oui Unknown)
21:57:38.035382 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
21:57:38.613206 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36 

 To display the verbose output:

#tcpdump -v

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:00:11.625995 IP (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:20.691903 IP (tos 0x0, ttl 128, id 31026, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:21.230970 IP (tos 0x0, ttl 114, id 4373, offset 0, flags [none], proto: UDP (17), length: 64) valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:00:26.201715 arp who-has 192.168.1.2 tell 192.168.1.1
22:00:26.201726 arp reply 192.168.1.2 is-at 00:04:11:11:11:11 (oui Unknown)
22:00:29.706020 IP (tos 0x0, ttl 128, id 31133, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:00:38.751355 IP (tos 0x0, ttl 128, id 31256, offset 0, flags [none], proto: UDP (17), length: 81) 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 

 Network interfaces available for the capture:

#tcpdump -D

1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo 

 To display numerical addresses rather than symbolic (DNS) addresses:

#tcpdump -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:02:36.111595 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:36.669853 IP 68.142.64.164.27014 > 192.168.1.2.1034: UDP, length 36
22:02:41.702977 arp who-has 192.168.1.2 tell 192.168.1.1
22:02:41.702984 arp reply 192.168.1.2 is-at 00:04:11:11:11:11
22:02:45.106515 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:50.392139 IP 192.168.1.2.138 > 192.168.1.255.138: NBT UDP PACKET(138)
22:02:54.139658 IP 192.168.1.2.1034 > 68.142.64.164.27014: UDP, length 53
22:02:57.866958 IP 125.175.131.58.3608 > 192.168.1.2.9501: S 3275472679:3275472679(0) win 65535 

 To display the quick output:

#tcpdump -q

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:03:55.594839 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:55.698827 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:56.068088 IP a213-22-130-46.cpe.netcabo.pt.3546 > 192.168.1.2.9501: tcp 0
22:03:56.068096 IP 192.168.1.2.9501 > a213-22-130-46.cpe.netcabo.pt.3546: tcp 0
22:03:57.362863 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:03:57.964397 IP valve-68-142-64-164.phx3.llnw.net.27014 > 192.168.1.2.1034: UDP, length 36
22:04:06.406521 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53
22:04:15.393757 IP 192.168.1.2.1034 > valve-68-142-64-164.phx3.llnw.net.27014: UDP, length 53 

 Capture the traffic of a particular interface:

#tcpdump -i eth0

 To capture the UDP traffic:

#tcpdump udp

 To capture the TCP port 80 traffic:

#tcpdump port http

 To capture the traffic from a filter stored in a file:

#tcpdump -F file_name

To create a file where the filter is configured (here the TCP 80 port)

#vim file_name
port 80

 To stop the capture after 20 packets:

#tcpdump -c 20

To send the capture output in a file instead of directly on the screen:

#tcpdump -w capture.log

 To read a capture file:

#tcpdump -r capture.log

reading from file capture.log, link-type EN10MB (Ethernet)

09:33:51.977522 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: P 1548302662:1548303275(613) ack 148796145 win 16527 <nop,nop,timestamp 90351 151123756>
09:33:52.031729 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: . ack 613 win 86 <nop,nop,timestamp 151126015 90351>
09:33:52.034414 IP rr.knams.wikimedia.org.www > 192.168.1.36.40332: P 1:511(510) ack 613 win 86 <nop,nop,timestamp 151126015 90351>
09:33:52.034786 IP 192.168.1.36.40332 > rr.knams.wikimedia.org.www: . ack 511 win 16527 <nop,nop,timestamp 90372 151126015>

The captured data isn’t stored in plain text, so you cannot read it with a text editor; you have to use a tool like TCPdump (see above) or Wireshark (formerly Ethereal), which provides a graphical interface.

The capture.log file is opened with Wireshark.

 To display the packets having “www.openmaniak.com” as their source or destination address:

#tcpdump host www.openmaniak.com

 To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

#tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp


——————————————————————–

See the list of interfaces on which tcpdump can listen:
tcpdump -D

Listen on interface eth0:
tcpdump -i eth0

Listen on any available interface (cannot be done in promiscuous mode. Requires Linux kernel 2.2 or greater):
tcpdump -i any

Be verbose while capturing packets:
tcpdump -v

Be more verbose while capturing packets:
tcpdump -vv

Be very verbose while capturing packets:
tcpdump -vvv

Be less verbose (than the default) while capturing packets:
tcpdump -q

Limit the capture to 100 packets:
tcpdump -c 100

Record the packet capture to a file called capture.cap:
tcpdump -w capture.cap

Record the packet capture to a file called capture.cap but display on-screen how many packets have been captured in real-time:
tcpdump -v -w capture.cap

Display the packets of a file called capture.cap:
tcpdump -r capture.cap

Display the packets using maximum detail of a file called capture.cap:
tcpdump -vvv -r capture.cap

Display IP addresses and port numbers instead of domain and service names when capturing packets:
tcpdump -n

Capture any packets where the destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n dst host 192.168.1.1

Capture any packets where the source host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n src host 192.168.1.1

Capture any packets where the source or destination host is 192.168.1.1. Display IP addresses and port numbers:
tcpdump -n host 192.168.1.1

Capture any packets where the destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n dst net 192.168.1.0/24

Capture any packets where the source network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n src net 192.168.1.0/24

Capture any packets where the source or destination network is 192.168.1.0/24. Display IP addresses and port numbers:
tcpdump -n net 192.168.1.0/24

Capture any packets where the destination port is 23. Display IP addresses and port numbers:
tcpdump -n dst port 23

Capture any packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n dst portrange 1-1023

Capture only TCP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n tcp dst portrange 1-1023

Capture only UDP packets where the destination port is between 1 and 1023 inclusive. Display IP addresses and port numbers:
tcpdump -n udp dst portrange 1-1023

Capture any packets with destination IP 192.168.1.1 and destination port 23. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and dst port 23"

Capture any packets with destination IP 192.168.1.1 and destination port 80 or 443. Display IP addresses and port numbers:
tcpdump -n "dst host 192.168.1.1 and (dst port 80 or dst port 443)"

Capture any ICMP packets:
tcpdump -v icmp

Capture any ARP packets:
tcpdump -v arp

Capture either ICMP or ARP packets:
tcpdump -v "icmp or arp"

Capture any packets that are broadcast or multicast:
tcpdump -n "broadcast or multicast"

Capture 500 bytes of data for each packet rather than the default of 68 bytes:
tcpdump -s 500

Capture all bytes of data within the packet:
tcpdump -s 0

http://www.youtube.com/watch?v=1CaYHeMrCiA