Table of contents

Using tcpdump for Network Traffic Analysis

Agenda

Introduction

Why Use tcpdump?

tcpdump Versions

tcpdump in Action

Sample tcpdump TCP output

Shadow

Beginning Analysis

Different Categories of Traffic

Hostile Fire

Hostile Fire Sample 1

Hostile Fire Sample 2

Hostile Fire Sample 3

Hostile Fire Sample 4

More Hostile Fire

One of Your Hosts Initiated Activity

Your Host Initiated Activity Example

Slide 19

All Activity Examined to/from myhost.com

PowerPoint Presentation

Someone is “Spoofing” Your IPs

Spoofing Example

Spoofing Example

Peer-to-Peer (P2P)

Gnutella

Finding Gnutella Traffic

KaZaA

Denial of Service

WinNuke

Stacheldraht (barbed wire)

Handler/Agent Communication

Detection of Handler/Agent Communication

Using tcpdump Filters

Checking for False Positives

Examining Payload

Crawlers, Agents, and Bots – Oh my!

3DNS Activity

Types of Activity Seen

ICMP Echo Request

DNS Queries to UDP Port 53

Attempted Connection to TCP Port 53

Version of BIND

Opportunistic Reconnaissance/Corruption?

Web Reconnaissance

DNS Reconnaissance

Demon.net’s Explanation

Corruption Analysis

Reflector Attacks

Sample Traffic

Who is the Victim?

Real World Events

You’ve Had a Compromise!!!!

What a “Normal” TCP Connection Session Looks Like

tcpdump Output from the Break-in

NFR SYN Flood Alert

tcpdump Output

tcpdump Output Retries

Truncated UDP Response

Network Configuration

Beginning Analysis Wrap-up

Author: Judy Novak

Homepage: http://www.calug.com/

Further information:
Presentation given 15 May, 2002 at the Columbia Area Linux Users Group meeting