wireshark
http://tombuntu.com/index.php/2007/09/10/analyze-network-protocols-with-wireshark-on-ubuntu/
Wireshark filters
By net1.src > net2.dst ip.src==10.253.0.0/16 and ip.dst==10.254.0.0/16
By TCP Port tcp.port == 135
By IP address ip.addr == 192.168.10.67
IP 1 or IP 2 (ip.addr == 192.168.10.45) or (ip.addr == 192.168.10.67)
IP 1 and IP 2 (ip.addr == 192.168.10.45) && (ip.addr == 192.168.10.67)
By MAC address eth.addr == 00:01:02:68:59:ea
handshake (SYN and SYN-ACK) tcp.flags.syn == 1
SYN-ACK only tcp.flags.syn == 1 && tcp.flags.ack == 1
SYN's only tcp.flags.syn == 1 && tcp.flags.ack == 0
(tcp.flags.syn == 1 or tcp.flags.ack == 1 is not a handshake filter: every segment after the first SYN carries ACK, so it matches nearly all TCP traffic)
ngrep
http://www.brandonhutchinson.com/ngrep.html
http://www.linux.com/articles/46268
To look for a word in a dump file (-w matches whole words, -t prints timestamps, -I reads a pcap file)
ngrep -wt 'word' -I dump_file
Monitor port 80 on all interfaces (-d any)
ngrep -d any port 80
Match the word 'error' in syslog traffic (port 514; the name is resolved through /etc/services)
ngrep -d any 'error' port syslog
Print payloads line by line (-W byline), handy for HTTP
ngrep -d any -W byline port 80
libnids
Libnids is a C library built on top of libnet and libpcap; it reassembles IP fragments and TCP streams so a program sees application data the way the receiving host would.
Install libnet and libpcap from the Ubuntu repositories.
Using it requires C programming, but it is well worth the effort.
http://libnids.sourceforge.net/
http://monkey.org/~jose/presentations/hitb04-tools.d/
tcpdump
Reading a dump file (-nn: don't resolve host names or port numbers; -r reads a file written with -w)
tcpdump -nn -r dump_file
Watch packets with only SYN set (byte 13 of the TCP header is the flags byte: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32; quote the expression so the shell leaves the brackets alone)
tcpdump 'tcp[13] == 2'
Watch packets with SYN set, whatever the other flags (plain SYN, SYN-ACK, or an ECN-capable SYN that also carries ECE and CWR)
tcpdump 'tcp[13] & 2 == 2'
Watch SYN-ACKs (SYN and ACK both set, 2 + 16 = 18; "tcp[13] & 2 == 2" alone does not single them out; newer tcpdump also accepts tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack))
tcpdump 'tcp[13] & 18 == 18'
Different ways of dumping packets: Interface: eth1, host: 192.168.0.1
tcpdump -i eth1 -nne host 192.168.0.1 and port 80
tcpdump -i eth1 -s0 -A -v host 192.168.0.1
tcpdump -i eth1 tcp dst port 80 and src host 192.168.0.1
Save the SYNs from one host to a file (-w writes raw packets, read them back with -r or Wireshark; keep -w before the quoted filter expression)
tcpdump -n -w output_file 'host 192.168.0.1 and tcp[13] == 2'
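To see what the tcpdump byte-offset filters above (and the Wireshark handshake filters earlier on the page) actually select, here is an added example that is not part of the original page: it builds a few TCP headers in memory (constructed, not captured traffic) and re-implements each filter as a test on byte 13, the flags byte. The ECN SYN is included because an exact compare against 2 silently misses it.

```python
# Added example, not from the original page: what tcpdump's tcp[13]
# byte-offset filters select. The TCP segments are constructed here,
# not captured traffic, and the filters are re-implemented in Python
# over the flags byte to show what they match.
import struct

# Bits of the TCP flags byte (offset 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header with the given flags byte."""
    data_offset = 5 << 4                      # header length 5 words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def tcp13(segment):
    """The filter token tcp[13]: byte 13 of the TCP header, the flags byte."""
    return segment[13]


# The page's tcpdump filters, evaluated the way libpcap evaluates them:
# '&' binds tighter than '==', so 'tcp[13] & 2 == 2' is '(tcp[13] & 2) == 2'.
FILTERS = {
    "tcp[13] == 2":       lambda f: f == 2,                           # exactly SYN, nothing else
    "tcp[13] & 2 == 2":   lambda f: (f & SYN) == SYN,                 # SYN set, other flags allowed
    "tcp[13] & 18 == 18": lambda f: (f & (SYN | ACK)) == (SYN | ACK), # SYN-ACK
    "tcp[13] & 16 == 16": lambda f: (f & ACK) == ACK,                 # anything carrying ACK
}

# Constructed segments: a client SYN, the server's SYN-ACK, the final ACK,
# a data segment, and an ECN-setup SYN (RFC 3168), which also sets ECE and CWR.
SEGMENTS = {
    "syn":     tcp_header(40000, 80, SYN),
    "syn-ack": tcp_header(80, 40000, SYN | ACK, seq=1000, ack=1),
    "ack":     tcp_header(40000, 80, ACK, seq=1, ack=1001),
    "psh-ack": tcp_header(40000, 80, PSH | ACK, seq=1, ack=1001),
    "ecn-syn": tcp_header(40000, 80, SYN | ECE | CWR),
}


def matches(filter_expr):
    """Names of the constructed segments the given filter would select."""
    test = FILTERS[filter_expr]
    return [name for name, seg in SEGMENTS.items() if test(tcp13(seg))]


if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:20} -> {matches(expr)}")
```

Only the masked form "tcp[13] & 2 == 2" catches the ECN SYN (flags byte 0xC2), and only the 18 mask isolates SYN-ACKs. The Wireshark expression "tcp.flags.syn == 1 or tcp.flags.ack == 1" is the union of the second and fourth filters and selects every segment in the set, which is why it is not useful as a handshake filter.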
Monitoring with tcpdump
http://www-iepm.slac.stanford.edu/monitoring/passive/tcpdump.html
netcat
http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/
http://www.datastronghold.com/articles/3.html
Port scanning (check if TCP ports 80-90 are open; -z connects without sending data, -v reports each port. TCP is the default, so -t is not needed, and in OpenBSD netcat -t means "answer telnet negotiation")
nc -vz 192.168.0.1 80-90
Banner grabbing (-n skips DNS; once connected, type a request such as HEAD / HTTP/1.0 followed by an empty line and read what the server reveals about itself)
nc -v -n 192.168.0.1 80
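The two netcat commands above do a full TCP connect per port and then read whatever the service volunteers. As an added example that is not from the original page, the same two operations in Python, run against a constructed local listener (port chosen by the kernel, banner text invented) so it works offline; the probe string for HTTP is the request you would otherwise type into nc.

```python
# Added example, not from the original page: a TCP connect scan and a banner
# grab in Python, doing what "nc -vz host 80-90" and "nc -v -n host 80" do.
# The target is a constructed local listener so the example runs offline.
import socket
import threading


def start_target(banner=b"220 constructed-ftp ready\r\n"):
    """Constructed target: a listener on 127.0.0.1 that greets every
    connection with a banner, as an FTP or SSH daemon would. Returns the
    port the kernel picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))                # port 0: any free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            except OSError:                    # a -z style scan may already have hung up
                pass
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def connect_scan(host, first, last, timeout=1.0):
    """Equivalent of nc -vz: complete a full TCP handshake to each port and
    report the ones where connect() succeeded. Closed ports answer with RST
    (immediate refusal); filtered ports show up as a timeout."""
    open_ports = []
    for port in range(first, last + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:    # 0: handshake completed
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, probe=b"", timeout=2.0):
    """Equivalent of nc -v -n host port followed by typing a request:
    connect, send an optional probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n" for a
    web server), and return the first bytes the service sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""                         # silent service: nothing to grab


def demo(banner=b"220 constructed-ftp ready\r\n"):
    """Start the constructed target, scan a small range around it and grab
    its banner; returns the port, the open ports found and the banner."""
    port = start_target(banner)
    found = connect_scan("127.0.0.1", port - 2, port + 2)
    return {"port": port, "open": found, "banner": grab_banner("127.0.0.1", port)}


if __name__ == "__main__":
    result = demo()
    print("open ports:", result["open"])
    print("banner:", result["banner"])
```

A connect scan completes the handshake and is therefore logged by the target like any other connection; nmap's default SYN scan avoids that by never sending the final ACK, which is the packet the tcpdump filters above would show you.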
netstat
netstat -s: summary statistics for each protocol
netstat -ta: all TCP sockets (-t TCP only, -a include listening ones)
tcp statistics
netstat -nc | grep tcp: refresh every second (-c continuous, -n no name resolution)
netstat -np | grep tcp: show the PID/program name owning each socket (other users' processes only as root)
netstat -nl | grep tcp: listening sockets only
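On Linux netstat gets all of the above from /proc/net/tcp, whose addresses are hex words in host byte order. As an added example that is not from the original page, here is a parser for that table with a constructed sample (rows invented in the format a little-endian kernel prints; the inode numbers and addresses are made up) that reproduces the -nl and -nt views.

```python
# Added example, not from the original page: the kernel table netstat reads on
# Linux, /proc/net/tcp, decoded by hand. The sample rows below are constructed
# (not from a real host) in the format a little-endian kernel prints.
import socket
import struct

# Socket states as the kernel numbers them in the "st" column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed /proc/net/tcp: sshd and cups listening, one established HTTPS
# session owned by uid 1000, and a TIME_WAIT leftover no process owns.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18341 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21007 1 0000000000000000 100 0 0 10 0
   2: 4300A8C0:C35A 0100A8C0:01BB 01 00000000:00000000 02:000003E8 00000000  1000        0 33412 1 0000000000000000 20 4 30 10 -1
   3: 4300A8C0:C35B 0100A8C0:01BB 06 00000000:00000000 03:00000F88 00000000     0        0 0 3 0000000000000000
"""


def decode_addr(hexaddr):
    """'0100007F:0277' -> ('127.0.0.1', 631). The kernel prints the IPv4
    address as one 32-bit word in host byte order, so on little-endian
    hosts (x86, arm64) the octets read backwards; the port is plain hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into dicts; this is what netstat -nt works from."""
    entries = []
    for line in text.splitlines()[1:]:        # first row is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),         # 0 for sockets no process owns (TIME_WAIT)
        })
    return entries


def listening(entries):
    """netstat -nl | grep tcp: only sockets in LISTEN."""
    return [e for e in entries if e["state"] == "LISTEN"]


def established(entries):
    """netstat -nt: live connections, with the peer they talk to."""
    return [e for e in entries if e["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    for e in parse_proc_net_tcp(SAMPLE):
        print(f"{e['local'][0]}:{e['local'][1]:<6} {e['remote'][0]}:{e['remote'][1]:<6} "
              f"{e['state']:<12} uid={e['uid']} inode={e['inode']}")
```

The -p column is the inode field matched against the socket:[inode] symlinks under /proc/<pid>/fd, which is why an unprivileged netstat -p only names your own processes: other users' fd directories are not readable.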
Networking
In Linux, always check the man page for further info
Check this guide for Linux Network Administrators
http://www.faqs.org/docs/linux_network/
Top 5 unix network monitoring utilities
http://immike.net/blog/2007/05/01/top-5-unix-network-monitoring-utilities/
netstat prints information about the Linux networking subsystem
netcat reads and writes data across network connections; it can create almost any kind of connection you would need
wireshark is a packet sniffer and protocol analyser used for network troubleshooting, analysis and development
tcpdump dumps the traffic seen on a network interface
libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection
ngrep matches regular expressions against the payloads of packets
tcpflow: TCP flow recorder, which also has filtering capability
How to: wireless security
http://ubuntuforums.org/showthread.php?t=202834&highlight=LEAP
PCAP tutorial
http://yuba.stanford.edu/~casado/pcap/section2.html