tcpdump is one of the best network debugging tools available. In its most basic form it prints each packet's source and destination address to the console; more advanced uses include printing the captured payload as ASCII and simple but powerful filtering. Capturing requires root (or the CAP_NET_RAW capability), since tcpdump opens the interface in promiscuous mode.
What we see is:
And this is repeated over and over: every line tcpdump prints travels back to us over the SSH session, which generates more SSH packets, which tcpdump prints in turn. As we are connected via port 22 (SSH), this feedback loop will continue until we exclude port 22 from the capture:
Now we can cleanly monitor traffic. What if we want to view SSH traffic, but not our own session? We exclude our own address rather than the whole port:
We can build this filter up as much as we wish. Let’s start watching HTTP (tcp port 80) traffic only:
Finally, let's set the snaplen to 1500 bytes and print the captured data in ASCII. The snaplen matters: older tcpdump releases default to capturing only the first 68 bytes of each packet, which is enough for the headers but truncates the payload we want to read (current releases default to 262144 bytes):
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.[HIDDEN].com Port 80</address>
</body></html>
From this we can read the HTTP traffic in the clear. It really is that easy to capture and decode plaintext traffic. We can do the same with port 110 (POP3):
20:58:19.346335 IP 217.10.X.X.110 > 78.86.Y.Y.57619: . ack 31 win 5840
E..(b.@.@.._.
..NV|7.n...U...7..P.......
20:58:19.346646 IP 217.10.X.X.110 > 78.86.Y.Y.57619: P 19:43(24) ack 31 win 5840
E..@b.@.@..F.
..NV|7.n...U...7..P.......+OK Password required.
20:58:19.368102 IP 78.86.Y.Y.57619 > 217.10.X.X.110: P 31:44(13) ack 43 win 65493
E..5.d@.x...NV|7.
.....n.7...U..P.......PASS [HIDDEN]
20:58:19.382552 IP 217.10.X.X.110 > 78.86.Y.Y.57619: P 43:59(16) ack 44 win 5840
E..8b.@.@..M.
..NV|7.n...U...7..P...t...+OK logged in.
Lucky that this is a test service only. This is the prime reason you want to be using POP3S, IMAPS and HTTPS: anyone positioned on the path (the same switch or wireless network, a compromised router, the ISP) can read the password exactly as we just did, and the -A noise before the payload is only the IP and TCP headers printed as ASCII. Sniffing and decoding plaintext traffic really is that easy. Hopefully this gives you a quick start to tcpdump, filtering and some basic plaintext sniffing.
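The filters built up above, wrapped as shell functions, together with a small awk parser that pulls POP3 credentials out of `tcpdump -A` output. This is an added example, not code from the original post; the interface (eth0), the addresses (192.0.2.10 and 198.51.100.5), the username and password, and the sample capture are all constructed for illustration, modelled on the POP3 exchange shown above.

```shell
#!/bin/sh
# Added example (not from the original post).  Everything below is assumed:
# the interface, both addresses and the sample capture are made up.
IFACE="${IFACE:-eth0}"          # assumed capture interface
MY_IP="${MY_IP:-192.0.2.10}"    # assumed address of the host we sniff from

# Step 1: kill the feedback loop by dropping every packet of our own SSH session.
filter_no_own_ssh() { printf '%s' "not (tcp port 22 and host $1)"; }

# Step 2: everybody else's SSH, but not ours.  BPF composes with and/or/not.
filter_other_ssh() { printf '%s' "tcp port 22 and not host $1"; }

# Step 3: the plaintext protocols the post decodes (HTTP, POP3) plus IMAP.
filter_plaintext() { printf '%s' 'tcp port 80 or tcp port 110 or tcp port 143'; }

# Full command line.  -nn skips DNS and service-name lookups (those lookups
# are themselves traffic that would show up in the capture), -s 1500 grabs
# whole Ethernet-sized frames instead of just headers, -A prints the payload
# as ASCII.  Running it needs root or CAP_NET_RAW.
capture_cmd() { printf "tcpdump -nn -i %s -s 1500 -A '%s'\n" "$IFACE" "$1"; }

# Parse "tcpdump -A" output from stdin.  -A prints the IP/TCP header bytes as
# ASCII too (the "E..(b.@..." noise in front of the payload), so addresses are
# taken from the packet header line and the payload is located by keyword.
# Output: one line per credential or server verdict, prefixed with src > dst.
pop3_creds() {
    awk '
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / {
        src = $3; dst = $5; sub(/:$/, "", dst); next
    }
    match($0, /(USER|PASS) [^ ]+$/) {
        print src " > " dst " " substr($0, RSTART, RLENGTH); next
    }
    match($0, /([+]OK|-ERR).*$/) {
        print src " > " dst " " substr($0, RSTART, RLENGTH)
    }'
}

# Constructed sample in the shape of the POP3 capture above (not real traffic).
sample_capture() {
    cat <<'EOF'
20:58:19.100001 IP 192.0.2.10.57619 > 198.51.100.5.110: P 19:31(12) ack 19 win 65493
E..4.c@.x...NV|7.....n.7...U..P.......USER alice
20:58:19.346646 IP 198.51.100.5.110 > 192.0.2.10.57619: P 19:43(24) ack 31 win 5840
E..@b.@.@..F....NV|7.n...U...7..P.......+OK Password required.
20:58:19.368102 IP 192.0.2.10.57619 > 198.51.100.5.110: P 31:44(13) ack 43 win 65493
E..5.d@.x...NV|7.....n.7...U..P.......PASS s3cret
20:58:19.382552 IP 198.51.100.5.110 > 192.0.2.10.57619: P 43:59(16) ack 44 win 5840
E..8b.@.@..M....NV|7.n...U...7..P...t...+OK logged in.
EOF
}

# Demonstration on the constructed sample.  Against a live interface you would
# run the printed command as root and pipe its output into pop3_creds.
echo "Would run: $(capture_cmd "$(filter_other_ssh "$MY_IP")")"
sample_capture | pop3_creds
```

The parser keys on the packet header line for addresses because the ASCII dump of a packet can itself span several lines: any 0x0a byte in the IP or TCP header (217.10.x.x, for instance, contains one) is printed as a literal newline, which is why the capture above shows the header noise broken in two. It only catches USER and PASS that arrive whole in one segment; a client that splits a command across segments would need the stream reassembled first.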
Tags: ascii, http, https, IMAP, imaps, POP3, pop3s, sniffing http, tcpdump
Duude! Thank you so much for this.
I wrote this command, `# tcpdump`, on the terminal, but got "command not found". Can you help me? What should I do first before I start using tcpdump?