Pcap worksheet: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
(Replaced content with "<poem>1.) OS Stats $ ifconfig eth0; ifconfig -a $ netstat -ni $ netstat -s $ cat /proc/net/dev | columns -t $ awk '{ print $1,$5 }' /proc/net/dev $ watch -n 1 cat /proc/i...")
No edit summary
Line 1: Line 1:
<poem>1.) OS Stats $ ifconfig eth0; ifconfig -a $ netstat -ni $ netstat -s $ cat /proc/net/dev | columns -t $ awk '{ print $1,$5 }' /proc/net/dev $ watch -n 1 cat /proc/interrupts $ watch -n 1 cat /proc/softirqs<code>  
1.) OS Stats
</poem>
$ ifconfig eth0; ifconfig -a $ netstat -ni $ netstat -s$ cat /proc/net/dev | columns -t $ awk '{ print $1,$5 }' /proc/net/dev$ watch -n 1 cat /proc/interrupts $ watch -n 1 cat /proc/softirqs$ vmstat -S m 1$ ifpps --dev eth0
2.) Ethtool - NIC Configuration
Show            ;          Set
$ ethtool -S eth0 // Statistics$ ethtool -S eth0 | egrep '(rx_missed|no_buffer)'    // Drop Values  $ ethtool -g eth0 ; ethtool -G eth0 rx 4096 tx 4096 // FIFO RX Descriptors$ ethtool -k eth0 ; ethtool -K gro on gso on rx on // Offloading$ ethtool -a eth0 ; ethtool -A rx off autoneg off // Pause Frames$ ethtool -c eth0 ; ethtool -C eth0 rx-usecs 100 // Interrupt Coalescence
3.) More OS Configurables
$ cat /proc/net/softnet_stats; printf "%d" 0xffff //Backlog Queue Stats$ echo "1" > /proc/sys/net/core/bpf_jit_enable$ sysctl net.core.netdev_max_backlog; sysctl -w net.core.netdev_max_backlog=3000$ sysctl net.core.wmem_max; sysctl net.core.rmem_max $ sysctl net.core.wmem_default; sysctl net.core.rmem_default $ sysctl net.core.optmem_max$ echo "net.core.netdev_max_backlog=1024" >>  /etc/sysctl.conf
4.) Example NIC Driver Configuration
$ /etc/modprobe.d# cat e1000.confoptions e1000 XsumRX=0,0,0,0,0 TxDescriptors=48,48,48,48,48  RxDescriptors=4096,4096,4096,4096,4096 FlowControl=0,0,0,0,0,1 InterruptThrottleRate=5000,5000,5000,5000,5000 debug=16
$ modinfo -p e1000
*/TxDescriptors:Number of transmit descriptors (array of int)RxDescriptors:Number of receive descriptors (array of int)Speed:Speed setting (array of int)Duplex:Duplex setting (array of int)AutoNeg:Advertised auto-negotiation setting (array of int)FlowControl:Flow Control setting (array of int)XsumRX:Disable or enable Receive Checksum offload (array of int)TxIntDelay:Transmit Interrupt Delay (array of int)TxAbsIntDelay:Transmit Absolute Interrupt Delay (array of int)RxIntDelay:Receive Interrupt Delay (array of int)RxAbsIntDelay:Receive Absolute Interrupt Delay (array of int)InterruptThrottleRate:Interrupt Throttling Rate (array of int)SmartPowerDownEnable:Enable PHY smart power down (array of int)copybreak:Maximum size of packet that is copied to a new buffer on receive (uint)debug:Debug level (0=none,...,16=all) (int)*/
5.) Basic TCPdump Usage
// name resolution off (-n) $ tcpdump -c 10 -s0 -nni eth0 -w file.pcap$ tcpdump -c 10 -eXXvnnr file.pcap
7.) PCAP Header, Redirection, & Reading Multiple Files
$ cat file.pcap | tcpdump -nnr -  $ cat file1.pcap file2.pcap | tcpdump -nnr -  // doesn't work - bogus save file error
// pcap version 2.4 header is 24 bytes
$ dd if=file2.pcap of=new.pcap bs=1 skip=24; cat file1.pcap new.pcap | tcpdump -nnr - $ tail -c +25 file2.pcap > new-cut.pcap; cat file1.pcap file2.pcap | tcpdump -nnr - $ (cat file1.pcap ; ( tail -c +25 file1.pcap | cat )) | tcpdump -nnr -$ (cat file1.pcap ; ( tail -c +25 ; cat ) <file2.pcap) | tcpdump -nnr -$ (cat file1.pcap; (dd bs=24 count=0 skip=1; cat) <file2.pcap) | tcpdump -nnr -$ (cat test.pcap; (dd bs=24 count=0 skip=1 2>/dev/null; cat) <test1.pcap;  \ (dd bs=24 count=0 skip=1 2>/dev/null; cat) <test.pcap ) | tcpdump -nnr -
// Linux cooked PCAP - uses pseudo linux-layer header$ tcpdump -nni any -c 10 -w cooked.pcap$ file cooked.pcap
8.) Mergecap
$ mergecap file1.pcap file2.pcap file3.pcap -w combined.pcap$ mergecap -F // shows formats$ mergecap -F libpcap *.pcap -w combine_all.pcap$ mergecap -a -F libpcap *.pcap -w - | tcpdump -nnr - // don't arrange TS
9.) PCAP Statistical Data
capinfos file.pcaptcpslice -r file.pcaptcpdstat file.pcaptcpprof -S lipn -P 30000 -r file.pcap
9.) BPF (Berkely Packet Filters)
// see print out of  // http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt// http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt // proper shell input with ''
$ tcpdump -nni eth0 '((ip) and ((host 192.168.1.1 or 192.168.1.2) \and not (host 192.168.1.254 and 192.168.1.253)) \and (port 80 or 443 or 53))'
// proper shell input with escapes "\"
$ tcpdump -nni eth0 \(\(ip\) and \(\(host 192.168.1.1 or 192.168.1.2\) \and not \(host 192.168.1.254 and 192.168.1.253\)\) \and \(port 80 or 443 or 53\)\)
10.) Number System Conversions
$ printf "%d" 0x2d$ printf "%x" 45$ printf '\x47\x45\x54\x0a'$ echo "GET" | hexdump -c $ echo "GET" | hexdump -C
11.) Session & Flow Data
iftop -i eth0.pcap // live only, replay for same effect
// use -i instead of -r for interface$ tcpflow -c -e -r file.pcap 'tcp and port (80 or 443)'$ tcpflow -r file.pcap tcp and port \(80 or 443\)$ tcpick -r file.pcap -C -yP -h 'port (25 or 587)'
// [-wRu] write both flows; [-wRC] write client flows only ; [-wRS] write server flows only$ tcpick -r file.pcap -wRu
// Audit Record Generation And Utilization System
$ argus -r file.pcap -w file.argus$ ra -nnr file.argus ; ra -Z b -nnr file.argus$ ra -nnr file.argus - host 192.168.1.1 and port 80$ racluster -M rmon -m saddr -r file.argus$ ra -nnr file.argus -w - - port 22 | racluster -M rmon -m saddr -r - | rasort -m bytes -r -$ racluster -M rmon -m proto -r file.argus -w - | rasort -m pkts -r - $ racluster -M rmon -m proto sport -r file.argus$ ragraph bytes -M 30s -r file.argus -w bytes.png$ ragraph pkts -M 30s -r file.argus -w pkts.png$ ra -nnr file2.argus -s saddr,daddr,loss | sort -nr -k 3 | head -20$ ragraph dbytes sbytes -M 30s -r file.argus - dst port 80 and dst port 443$ ragraph dbytes sbytes dport sport -fill -M 30s -r file.argus
12.) Network Forensics - File Extraction
$ tcpdump -nni eth0 -w image.pcap port 80 &$ wget http://upload.wikimedia.org/wikipedia/en/5/55/Bsd_daemon.jpg$ jobs$ kill %1$ tcpflow -r image.pcap$ foremost -v 192.168.001.002.36130-208.080.152.211.00080 \208.080.152.211.00080-192.168.001.006.36130$ cd output/jpg; ls *.jpg; gqview *.jpg
$ tcpxtract -f file.pcap -o xtract/
13.) Visualizations and Statistical Data
// Statistics w/ RRDtool graphs$ ntop -f file.pcap -w 80 -W 443
$ /usr/sbin/ntop -w 80 -W 443 -4 -d -u ntop \-t 0 -X --use-syslog=local7 -b -C \--output-packet-path=/var/log/ntop --create-other-packets \--create-suspicious-packets --local-subnets \192.168.1.0/24,192.168.2.0/24 \-o -p /etc/ntop/protocol.list -f file.pcap
13.) Replay
tcpreplay -M10 -i eth0 file.pcapnetsniff-ng --in file.pcap --out eth0netsniff-ng --in eth0.pcap --out eth1.pcaptrafgen --dev eth0 --conf trafgen.txf --bind-cpu 0
14.) IDS - Offline Analysis
snort -r file.pcap --pcap-filter='ip and tcp' -c /etc/snort/snort.conf -l .u2spewfoo snort.unified2.* > alert.txtbro -r file.pcap -f ipbro-cut service proto id.resp_p id.resp_h < conn.log | head  // print out fieldsbro-cut service < conn.log | sort | uniq -c | sort -n        // most used servicebro-cut user_agent < http.log | sort -u                    // list unique of user agent stringsbro-cut mime_type < http.log | sort -u                    // list unique MIME typesbro-cut service id.resp_p id.resp_h < conn.log \    | awk '$1 == "http" && ! ($2 == 80 || $2 == 8080) { print $3 }' \    | sort -u // find web traffic not on port 80 or 8080
15.) Editing PCAPs
# change MAC's tcprewrite --enet-dmac=00:44:66:FC:29:AF,00:55:22:AF:C6:37--enet-smac=00:66:AA:D1:32:C2,00:22:55:AC:DE:AC --infile=in.pcap--outfile=out.pcap
# randomize IP'stcprewrite --seed=423 --infile=in.pcap --outfile=out.pcap
# randomize IP's in argus filesranonymize -r in.argus -w out.argus

Revision as of 17:34, 12 November 2013

1.) OS Stats $ ifconfig eth0; ifconfig -a $ netstat -ni $ netstat -s$ cat /proc/net/dev | columns -t $ awk '{ print $1,$5 }' /proc/net/dev$ watch -n 1 cat /proc/interrupts $ watch -n 1 cat /proc/softirqs$ vmstat -S m 1$ ifpps --dev eth0 2.) Ethtool - NIC Configuration Show  ; Set $ ethtool -S eth0 // Statistics$ ethtool -S eth0 | egrep '(rx_missed|no_buffer)' // Drop Values $ ethtool -g eth0 ; ethtool -G eth0 rx 4096 tx 4096 // FIFO RX Descriptors$ ethtool -k eth0 ; ethtool -K gro on gso on rx on // Offloading$ ethtool -a eth0 ; ethtool -A rx off autoneg off // Pause Frames$ ethtool -c eth0 ; ethtool -C eth0 rx-usecs 100 // Interrupt Coalescence 3.) More OS Configurables $ cat /proc/net/softnet_stats; printf "%d" 0xffff //Backlog Queue Stats$ echo "1" > /proc/sys/net/core/bpf_jit_enable$ sysctl net.core.netdev_max_backlog; sysctl -w net.core.netdev_max_backlog=3000$ sysctl net.core.wmem_max; sysctl net.core.rmem_max $ sysctl net.core.wmem_default; sysctl net.core.rmem_default $ sysctl net.core.optmem_max$ echo "net.core.netdev_max_backlog=1024" >> /etc/sysctl.conf 4.) Example NIC Driver Configuration $ /etc/modprobe.d# cat e1000.confoptions e1000 XsumRX=0,0,0,0,0 TxDescriptors=48,48,48,48,48 RxDescriptors=4096,4096,4096,4096,4096 FlowControl=0,0,0,0,0,1 InterruptThrottleRate=5000,5000,5000,5000,5000 debug=16 $ modinfo -p e1000

  • /TxDescriptors:Number of transmit descriptors (array of int)RxDescriptors:Number of receive descriptors (array of int)Speed:Speed setting (array of int)Duplex:Duplex setting (array of int)AutoNeg:Advertised auto-negotiation setting (array of int)FlowControl:Flow Control setting (array of int)XsumRX:Disable or enable Receive Checksum offload (array of int)TxIntDelay:Transmit Interrupt Delay (array of int)TxAbsIntDelay:Transmit Absolute Interrupt Delay (array of int)RxIntDelay:Receive Interrupt Delay (array of int)RxAbsIntDelay:Receive Absolute Interrupt Delay (array of int)InterruptThrottleRate:Interrupt Throttling Rate (array of int)SmartPowerDownEnable:Enable PHY smart power down (array of int)copybreak:Maximum size of packet that is copied to a new buffer on receive (uint)debug:Debug level (0=none,...,16=all) (int)*/

5.) Basic TCPdump Usage // name resolution off (-n) $ tcpdump -c 10 -s0 -nni eth0 -w file.pcap$ tcpdump -c 10 -eXXvnnr file.pcap 7.) PCAP Header, Redirection, & Reading Multiple Files $ cat file.pcap | tcpdump -nnr - $ cat file1.pcap file2.pcap | tcpdump -nnr - // doesn't work - bogus save file error // pcap version 2.4 header is 24 bytes $ dd if=file2.pcap of=new.pcap bs=1 skip=24; cat file1.pcap new.pcap | tcpdump -nnr - $ tail -c +25 file2.pcap > new-cut.pcap; cat file1.pcap file2.pcap | tcpdump -nnr - $ (cat file1.pcap ; ( tail -c +25 file1.pcap | cat )) | tcpdump -nnr -$ (cat file1.pcap ; ( tail -c +25 ; cat ) <file2.pcap) | tcpdump -nnr -$ (cat file1.pcap; (dd bs=24 count=0 skip=1; cat) <file2.pcap) | tcpdump -nnr -$ (cat test.pcap; (dd bs=24 count=0 skip=1 2>/dev/null; cat) <test1.pcap; \ (dd bs=24 count=0 skip=1 2>/dev/null; cat) <test.pcap ) | tcpdump -nnr - // Linux cooked PCAP - uses pseudo linux-layer header$ tcpdump -nni any -c 10 -w cooked.pcap$ file cooked.pcap 8.) Mergecap $ mergecap file1.pcap file2.pcap file3.pcap -w combined.pcap$ mergecap -F // shows formats$ mergecap -F libpcap *.pcap -w combine_all.pcap$ mergecap -a -F libpcap *.pcap -w - | tcpdump -nnr - // don't arrange TS 9.) PCAP Statistical Data capinfos file.pcaptcpslice -r file.pcaptcpdstat file.pcaptcpprof -S lipn -P 30000 -r file.pcap 9.) BPF (Berkely Packet Filters) // see print out of // http://staff.washington.edu/dittrich/talks/core02/tools/tcpdump-filters.txt// http://www.wains.be/pub/networking/tcpdump_advanced_filters.txt // proper shell input with $ tcpdump -nni eth0 '((ip) and ((host 192.168.1.1 or 192.168.1.2) \and not (host 192.168.1.254 and 192.168.1.253)) \and (port 80 or 443 or 53))' // proper shell input with escapes "\" $ tcpdump -nni eth0 \(\(ip\) and \(\(host 192.168.1.1 or 192.168.1.2\) \and not \(host 192.168.1.254 and 192.168.1.253\)\) \and \(port 80 or 443 or 53\)\) 10.) Number System Conversions $ printf "%d" 0x2d$ printf "%x" 45$ printf '\x47\x45\x54\x0a'$ echo "GET" | hexdump -c $ echo "GET" | hexdump -C 11.) Session & Flow Data iftop -i eth0.pcap // live only, replay for same effect // use -i instead of -r for interface$ tcpflow -c -e -r file.pcap 'tcp and port (80 or 443)'$ tcpflow -r file.pcap tcp and port \(80 or 443\)$ tcpick -r file.pcap -C -yP -h 'port (25 or 587)' // [-wRu] write both flows; [-wRC] write client flows only ; [-wRS] write server flows only$ tcpick -r file.pcap -wRu // Audit Record Generation And Utilization System $ argus -r file.pcap -w file.argus$ ra -nnr file.argus ; ra -Z b -nnr file.argus$ ra -nnr file.argus - host 192.168.1.1 and port 80$ racluster -M rmon -m saddr -r file.argus$ ra -nnr file.argus -w - - port 22 | racluster -M rmon -m saddr -r - | rasort -m bytes -r -$ racluster -M rmon -m proto -r file.argus -w - | rasort -m pkts -r - $ racluster -M rmon -m proto sport -r file.argus$ ragraph bytes -M 30s -r file.argus -w bytes.png$ ragraph pkts -M 30s -r file.argus -w pkts.png$ ra -nnr file2.argus -s saddr,daddr,loss | sort -nr -k 3 | head -20$ ragraph dbytes sbytes -M 30s -r file.argus - dst port 80 and dst port 443$ ragraph dbytes sbytes dport sport -fill -M 30s -r file.argus 12.) Network Forensics - File Extraction $ tcpdump -nni eth0 -w image.pcap port 80 &$ wget http://upload.wikimedia.org/wikipedia/en/5/55/Bsd_daemon.jpg$ jobs$ kill %1$ tcpflow -r image.pcap$ foremost -v 192.168.001.002.36130-208.080.152.211.00080 \208.080.152.211.00080-192.168.001.006.36130$ cd output/jpg; ls *.jpg; gqview *.jpg $ tcpxtract -f file.pcap -o xtract/ 13.) Visualizations and Statistical Data // Statistics w/ RRDtool graphs$ ntop -f file.pcap -w 80 -W 443 $ /usr/sbin/ntop -w 80 -W 443 -4 -d -u ntop \-t 0 -X --use-syslog=local7 -b -C \--output-packet-path=/var/log/ntop --create-other-packets \--create-suspicious-packets --local-subnets \192.168.1.0/24,192.168.2.0/24 \-o -p /etc/ntop/protocol.list -f file.pcap 13.) Replay tcpreplay -M10 -i eth0 file.pcapnetsniff-ng --in file.pcap --out eth0netsniff-ng --in eth0.pcap --out eth1.pcaptrafgen --dev eth0 --conf trafgen.txf --bind-cpu 0 14.) IDS - Offline Analysis snort -r file.pcap --pcap-filter='ip and tcp' -c /etc/snort/snort.conf -l .u2spewfoo snort.unified2.* > alert.txtbro -r file.pcap -f ipbro-cut service proto id.resp_p id.resp_h < conn.log | head // print out fieldsbro-cut service < conn.log | sort | uniq -c | sort -n // most used servicebro-cut user_agent < http.log | sort -u // list unique of user agent stringsbro-cut mime_type < http.log | sort -u // list unique MIME typesbro-cut service id.resp_p id.resp_h < conn.log \ | awk '$1 == "http" && ! ($2 == 80 || $2 == 8080) { print $3 }' \ | sort -u // find web traffic not on port 80 or 8080 15.) Editing PCAPs

  1. change MAC's tcprewrite --enet-dmac=00:44:66:FC:29:AF,00:55:22:AF:C6:37--enet-smac=00:66:AA:D1:32:C2,00:22:55:AC:DE:AC --infile=in.pcap--outfile=out.pcap
  2. randomize IP'stcprewrite --seed=423 --infile=in.pcap --outfile=out.pcap
  3. randomize IP's in argus filesranonymize -r in.argus -w out.argus