TCPDump
An article from Backtrack-fr.
Introduction
TCPDump is a powerful network sniffer that runs from the command line.
Usage & Options
tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ] [ -y datalinktype ] [ -Z user ]
[ expression ]
Examples
To follow these examples you will need to open two consoles: one for TCPDump, the other for the programs used in these tests.
Sending 2 pings to a Freebox V5
Start listening:
bt ~ # tcpdump -vv -c 12 -i eth0
Send the pings:
bt ~ # ping -c 2 -i 0.5 -s 512 -t 64 192.168.0.254
PING 192.168.0.254 (192.168.0.254) 512(540) bytes of data.
520 bytes from 192.168.0.254: icmp_seq=1 ttl=64 time=1.07 ms
520 bytes from 192.168.0.254: icmp_seq=2 ttl=64 time=0.884 ms

--- 192.168.0.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 500ms
rtt min/avg/max/mdev = 0.884/0.979/1.074/0.095 ms
Results:
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
02:14:32.987010 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 540) 192.168.0.1 > 192.168.0.254: ICMP echo request, id 36644, seq 1, length 520
02:14:32.987913 IP (tos 0x0, ttl 64, id 25991, offset 0, flags [none], proto: ICMP (1), length: 540) 192.168.0.254 > 192.168.0.1: ICMP echo reply, id 36644, seq 1, length 520
02:14:33.487283 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 540) 192.168.0.1 > 192.168.0.254: ICMP echo request, id 36644, seq 2, length 520
02:14:33.488164 IP (tos 0x0, ttl 64, id 25992, offset 0, flags [none], proto: ICMP (1), length: 540) 192.168.0.254 > 192.168.0.1: ICMP echo reply, id 36644, seq 2, length 520
02:14:35.541502 arp who-has 192.168.0.4 tell 192.168.0.254
02:14:36.541503 arp who-has 192.168.0.4 tell 192.168.0.254
02:14:37.541538 arp who-has 192.168.0.4 tell 192.168.0.254
02:14:37.981217 arp who-has 192.168.0.1 tell 192.168.0.254
02:14:37.981236 arp reply 192.168.0.1 is-at 00:11:d8:39:4c:00 (oui Unknown)
...
12 packets captured
24 packets received by filter
0 packets dropped by kernel
Nmap service-detection scan on port 25
Start listening:
tcpdump -vv -c 24 -i eth0
Scan and service detection of port 25 with nmap:
bt ~ # nmap -vv -sV -p25 127.0.0.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-03 02:32 CEST
Initiating SYN Stealth Scan at 02:32
Scanning bt.example.net (127.0.0.1) [1 port]
Discovered open port 25/tcp on 127.0.0.1
Completed SYN Stealth Scan at 02:32, 0.01s elapsed (1 total ports)
Initiating Service scan at 02:32
Scanning 1 service on bt.example.net (127.0.0.1)
Completed Service scan at 02:32, 0.00s elapsed (1 service on 1 host)
Host bt.example.net (127.0.0.1) appears to be up ... good.
Interesting ports on bt.example.net (127.0.0.1):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    Sendmail 8.13.8/8.13.8
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 0.086 seconds
           Raw packets sent: 1 (44B) | Rcvd: 2 (88B)
Results:
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
02:01:51.723315 IP (tos 0x0, ttl 58, id 24152, offset 0, flags [none], proto: TCP (6), length: 44) localhost.57736 > localhost.smtp: S, cksum 0x39aa (correct), 2584926405:2584926405(0) win 3072 <mss 1460>
02:01:51.723564 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 44) localhost.smtp > localhost.57736: S, cksum 0xdec3 (correct), 772046432:772046432(0) ack 2584926406 win 32792 <mss 16396>
02:01:51.723585 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) localhost.57736 > localhost.smtp: R, cksum 0x5d63 (correct), 2584926406:2584926406(0) win 0
02:01:51.817021 IP (tos 0x0, ttl 64, id 58919, offset 0, flags [DF], proto: TCP (6), length: 60) localhost.healthd > localhost.smtp: S, cksum 0x5238 (correct), 762270708:762270708(0) win 32792 <mss 16396,sackOK,timestamp 17413587 0,nop,wscale 2>
02:01:51.817044 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) localhost.smtp > localhost.healthd: S, cksum 0x4e9b (correct), 769269485:769269485(0) ack 762270709 win 32768 <mss 16396,sackOK,timestamp 17413587 17413587,nop,wscale 2>
02:01:51.817060 IP (tos 0x0, ttl 64, id 58920, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.healthd > localhost.smtp: ., cksum 0x17b5 (correct), 1:1(0) ack 1 win 8198 <nop,nop,timestamp 17413587 17413587>
02:01:51.820203 IP (tos 0x0, ttl 64, id 43837, offset 0, flags [DF], proto: TCP (6), length: 133) localhost.smtp > localhost.healthd: P 1:82(81) ack 1 win 8192 <nop,nop,timestamp 17413588 17413587>
02:01:51.820223 IP (tos 0x0, ttl 64, id 58921, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.healthd > localhost.smtp: ., cksum 0x1762 (correct), 1:1(0) ack 82 win 8198 <nop,nop,timestamp 17413588 17413588>
02:01:51.821374 IP (tos 0x0, ttl 64, id 58922, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.healthd > localhost.smtp: F, cksum 0x1761 (correct), 1:1(0) ack 82 win 8198 <nop,nop,timestamp 17413588 17413588>
02:01:51.821596 IP (tos 0x0, ttl 64, id 43838, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.smtp > localhost.healthd: F, cksum 0x1766 (correct), 82:82(0) ack 2 win 8192 <nop,nop,timestamp 17413588 17413588>
02:01:51.821606 IP (tos 0x0, ttl 64, id 58923, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.healthd > localhost.smtp: ., cksum 0x1760 (correct), 2:2(0) ack 83 win 8198 <nop,nop,timestamp 17413588 17413588>
...
24 packets captured
48 packets received by filter
0 packets dropped by kernel
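As an added example (not code from the Backtrack-fr page), the following Python parses verbose tcpdump lines like those in the two captures above and labels each TCP flow by how its handshake ended: the -sS probe to port 25 appears as SYN, SYN/ACK, RST (port reported open, no connection made), while the -sV service probe from the healthd port completes the handshake. The sample lines are copied from the captures above, and the old tcpdump flag notation ("S,", "R,", "." with "ack N" in the body) is assumed.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the captures above (one ICMP line from the ping test, then nmap's SYN probe and its service-scan connection to smtp).
SAMPLE = """\
02:14:32.987010 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 540) 192.168.0.1 > 192.168.0.254: ICMP echo request, id 36644, seq 1, length 520
02:01:51.723315 IP (tos 0x0, ttl 58, id 24152, offset 0, flags [none], proto: TCP (6), length: 44) localhost.57736 > localhost.smtp: S, cksum 0x39aa (correct), 2584926405:2584926405(0) win 3072 <mss 1460>
02:01:51.723564 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 44) localhost.smtp > localhost.57736: S, cksum 0xdec3 (correct), 772046432:772046432(0) ack 2584926406 win 32792 <mss 16396>
02:01:51.723585 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) localhost.57736 > localhost.smtp: R, cksum 0x5d63 (correct), 2584926406:2584926406(0) win 0
02:01:51.817021 IP (tos 0x0, ttl 64, id 58919, offset 0, flags [DF], proto: TCP (6), length: 60) localhost.healthd > localhost.smtp: S, cksum 0x5238 (correct), 762270708:762270708(0) win 32792 <mss 16396,sackOK,timestamp 17413587 0,nop,wscale 2>
02:01:51.817044 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) localhost.smtp > localhost.healthd: S, cksum 0x4e9b (correct), 769269485:769269485(0) ack 762270709 win 32768 <mss 16396,sackOK,timestamp 17413587 17413587,nop,wscale 2>
02:01:51.817060 IP (tos 0x0, ttl 64, id 58920, offset 0, flags [DF], proto: TCP (6), length: 52) localhost.healthd > localhost.smtp: ., cksum 0x17b5 (correct), 1:1(0) ack 1 win 8198 <nop,nop,timestamp 17413587 17413587>
02:01:51.820203 IP (tos 0x0, ttl 64, id 43837, offset 0, flags [DF], proto: TCP (6), length: 133) localhost.smtp > localhost.healthd: P 1:82(81) ack 1 win 8192 <nop,nop,timestamp 17413588 17413587>
"""

# Old-style verbose line: "<ts> IP (... proto: TCP (6), length: N) a.port > b.port: <flags>, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?proto: (?P<proto>\w+) .*?\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPF.]+)(?P<rest>.*)$")

def parse_line(line):
    """Return (src, dst, flagset) for a TCP line, None for ICMP/ARP/anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("proto") != "TCP":
        return None
    flags = set(m.group("flags").replace(".", ""))  # "." = no SYN/FIN/RST/PSH set
    if " ack " in m.group("rest"):                   # ACK is printed as "ack N", not as a letter
        flags.add("A")
    return m.group("src"), m.group("dst"), flags

def classify_flows(text):
    """Key each flow by its opening bare SYN (client, server) and label how the handshake ended."""
    flows = defaultdict(list)  # (client, server) -> [(direction, flags), ...]
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, flags = pkt
        if (src, dst) in flows:
            flows[(src, dst)].append(("c2s", flags))
        elif (dst, src) in flows:
            flows[(dst, src)].append(("s2c", flags))
        elif flags == {"S"}:
            flows[(src, dst)].append(("c2s", flags))
    return {k: _label(v) for k, v in flows.items()}

def _label(ev):
    if len(ev) < 2 or ev[1] != ("s2c", {"S", "A"}):
        return "no syn-ack"             # closed/filtered port, or capture cut short
    if len(ev) > 2 and ev[2][0] == "c2s" and "R" in ev[2][1]:
        return "half-open probe"        # SYN, SYN/ACK, RST: the -sS signature
    if len(ev) > 2 and ev[2] == ("c2s", {"A"}):
        return "completed handshake"    # third ACK sent: a real connect (-sV probe)
    return "syn-ack only"
```

Run `classify_flows(SAMPLE)` to get a dict mapping each (client, server) pair to its verdict; feeding it a saved `tcpdump -vv` text file works the same way.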
Reference
- Official site (en)