tcpdump is one of the best network debugging tools available. In its most basic form, it prints network traffic to the console as source and destination addresses; more advanced uses include printing captured payloads as ASCII and simple but powerful filtering.
What we see is:
This repeats over and over: it is a feedback loop. Because we are connected via port 22 (SSH), each line tcpdump prints is itself sent over SSH, captured, and printed again, so the loop will continue until we filter our own session out:
Now we can cleanly monitor traffic. What happens though if we want to view SSH traffic, but not our own?
We can build this filter up as much as we wish. Let’s start watching HTTP (tcp port 80) traffic only:
Finally, let's set the 'snaplen' to 1500 bytes, and print out the captured data in ASCII:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /favicon.ico was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (Debian) PHP/5.2.0-8+etch13 Server at www.[HIDDEN].com Port 80</address>
</body></html>
From this we can see the HTTP traffic in full, including the server's response body. As you can see, it's that easy to capture and decode plaintext traffic. We can do the same on port 110 (POP3):
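The filters described above, collected into one script as an added example (this is not the original post's own command line). It assumes we are logged in over OpenSSH, so that the real `SSH_CONNECTION` variable holds "client_ip client_port server_ip server_port"; the interface variable `IFACE`, the `RUN_CAPTURE` switch and the function names are the example's own. The `flag_pop3_auth` helper covers the POP3 case: it reads the ASCII output and reports a plaintext login without echoing the password into a terminal scrollback or log.

```shell
#!/bin/sh
# Added example, not from the original post: compose tcpdump capture filters
# for the cases described above, run them, and post-process the POP3 case.

SSH_PORT=22   # port of our own administrative session

# Case 1: everything except our SSH session, whose own output would otherwise
# be captured and printed again in a feedback loop.
filter_no_ssh() {
    printf 'not port %s' "$SSH_PORT"
}

# Case 2: SSH traffic, but not the session we are connected through. The peer
# address is the first field of $SSH_CONNECTION (set by OpenSSH); an explicit
# argument overrides it.
filter_other_ssh() {
    peer="${1:-${SSH_CONNECTION%% *}}"
    if [ -z "$peer" ]; then
        echo 'no peer address: pass one or run inside an SSH session' >&2
        return 1
    fi
    printf 'port %s and not host %s' "$SSH_PORT" "$peer"
}

# Case 3: a single plaintext protocol port, e.g. 80 (HTTP) or 110 (POP3).
filter_tcp_port() {
    printf 'tcp port %s' "$1"
}

# Run tcpdump with the chosen filter: 1500 bytes per packet (-s), payload as
# ASCII (-A), no reverse DNS (-n), since lookups would themselves put traffic
# on the wire we are watching. $1 is the interface (assumed name, e.g. eth0).
capture() {
    iface="$1"; shift
    tcpdump -n -i "$iface" -s 1500 -A "$@"
}

# Post-processing for the POP3 case: flag plaintext USER/PASS commands in the
# ASCII output, redacting the password. CRLF line endings are stripped first.
flag_pop3_auth() {
    tr -d '\r' | sed -n -E \
        's/^USER (.+)$/plaintext POP3 login for user: \1/p;
         s/^PASS .+$/plaintext POP3 password observed (redacted)/p'
}

# Usage: only runs when RUN_CAPTURE is set, so sourcing the file is harmless.
#   RUN_CAPTURE=1 IFACE=eth0 sh tcpdump_filters.sh
if [ -n "${RUN_CAPTURE:-}" ]; then
    capture "${IFACE:-eth0}" "$(filter_tcp_port 110)" | flag_pop3_auth
fi
```

Each filter function only builds the BPF expression string, so they can be combined with `and`/`or` the same way the text builds its filters up, and checked before any packet is captured.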