Tutorial in a text file
-----------------------

-- Libpcap, its architecture and building up a basic sniffer [tcpdump + Wireshark]
-- Nmap, a little bit on how to snoop around in networks
-- Sniffing FTP, DNS and some more TCP stuff
-- Insights into the working of TCP
-- Assignment discussion

Standard tcpdump commands
-----------------------------------------

tcpdump [-i iface] [-w/-r file] [-F filterfile] [-s snaplen] [-n]

tcpdump -i 13 tcp                   // listen to only TCP packets
tcpdump -i 13 -F filter.txt         // read the filter expression from a file
tcpdump -i 13 -s 65536              // snapshot length: how many bytes of each packet to capture
tcpdump -i 13 -n -F filter.txt      // no hostname resolution

The tcpdump default snapshot is 68 bytes. Basically that is the headers: you get the frame
header (14 bytes), the IP header (20 bytes), the TCP header (20 bytes), and 14 bytes of TCP
data; basically the entire Ethernet header plus the start of the data.

Inside a TCP packet
------------------------
win, seq numbers, timestamp ?? in the TCP packet

TCP flags (three way handshake)
S   -- SYN
Ack -- ACK
F   -- FIN
R   -- RESET  -- sender's immediate request to disconnect
P   -- PUSH   -- push data
URG -- URGENT -- takes priority over everything
.   -- placeholder -- printed if the TCP packet does not have S, R, F, ack or P set

Get length of tcp payload ??

Architecture of libpcap
------------------------
This library is responsible for Ethereal/Wireshark and tcpdump. It lays the framework to
filter packets and then capture them. It is efficient and uses operating-system concepts
to get the necessary improvement.

Flow of a pcap code
--------------------
** Determine an interface you want to work on, say p3p1, eth0, wlan, localhost.
** Now, after we have chosen an interface (one or multiple), we create a file handle for
   each of those sessions. (Everything is a file in unix.)
** In case we want to address particular packets, like tcp, we have to address them on
   port 23. [This is called a rule]
   -- Now, in this process, we need to compile these rules, so that pcap can understand them.
   -- pcap enters its primary execution loop. In this state, pcap waits until it has received
      however many packets we want. Every time it gets a new packet in, it calls another
      function that we have already defined. The function that it calls can do anything we
      want; it can dissect the packet and print it to the user, it can save it in a file,
      or it can do nothing at all.
   -- Another important lesson from the chapters of unix: close your files, and hence close
      your sessions.

Design issues
------------------
Filtering model: (high level filter description) --> (low level filter description)
-- kernel module BPF (Berkeley Packet Filter) -- filters packets before the stack

        tcpdump                                      user mode
   ---------------------------------------------------------------
        tcpstack      bpf      nic      filesystem   kernel mode
   ---------------------------------------------------------------
                            ethernet    disk

Questions
------------
Why is there a need for a low level description of filters, and why does it sit below the
tcp stack ??

Function calls
-----------------
-- pcap_findalldevs
-- pcap_lookupdev
-- pcap_open_live
-- pcap_compile / pcap_setfilter
-- pcap_loop / pcap_dispatch / pcap_next
-- pcap_dump_open / pcap_dump   (write captured packets to a savefile)

Concepts: Promiscuous / non-promiscuous mode ?? Difference

Some interesting ports
TCP/Telnet -- 23
DNS (UDP)  -- 52
FTP        -- 21

Some more properties of a sniffing code
-- Callback functions

Network snooping
-----------------------
Nmap -- basically a port scanner, can do many nifty tricks: scan all active IPs that are in
your network, scan all ports, OS detection, TCP based scans, non-TCP based scans, ping probes.

Some commands
-T1-5   from paranoid to insane
-O      operating system detection
-PN     don't ping before scan
-PE     ICMP ping

-------------------------------------------------------------------------------
The following tutorial is free, and you are free to redistribute it. And if you want to edit
it, then mail me @ rarchk 8 gmail d0t com, so that I can also know better.
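As an added example (not part of the original notes), here is the body of the callback that the "Flow of a pcap code" section says pcap hands each packet to: it walks the Ethernet, IPv4 and TCP headers, builds the S/F/R/P/U/"." flag string from the "TCP flags" list, and answers the "get length of tcp payload" question from the IP total length rather than the captured length, so a 68-byte snaplen does not skew it. The frame bytes are constructed for the example and no libpcap is needed to run it; in a real sniffer, pcap_loop() would supply the bytes and caplen instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Parsed view of one Ethernet/IPv4/TCP frame: the fields the notes above ask about. */
struct tcp_summary {
    int valid;            /* 1 when the capture held complete IPv4 and TCP headers */
    uint16_t sport, dport, win; uint32_t seq, ack;
    char flags[8];        /* S/F/R/P/U as tcpdump prints them, "." as the placeholder */
    size_t payload_len;   /* IP total length - IP header - TCP header */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* What a pcap_loop() callback does with the bytes pcap hands it. caplen is the captured length
 * (bounded by -s); payload length comes from the IP header, so a short snaplen does not skew it. */
struct tcp_summary parse_frame(const uint8_t *pkt, size_t caplen) {
    struct tcp_summary s;
    memset(&s, 0, sizeof s);
    if (caplen < 34 || rd16(pkt + 12) != 0x0800) return s;      /* Ethernet + IPv4 header */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return s;  /* IPv4, sane IHL, proto TCP */
    size_t ip_total = rd16(ip + 2);
    if (caplen < 14 + ihl + 20) return s;                        /* fixed TCP header present? */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ip_total < ihl + doff) return s;            /* lengths must be consistent */
    s.sport = rd16(tcp); s.dport = rd16(tcp + 2); s.win = rd16(tcp + 14);
    s.seq = rd32(tcp + 4); s.ack = rd32(tcp + 8);
    const char names[] = "SFRPU"; const uint8_t bits[] = {0x02, 0x01, 0x04, 0x08, 0x20};
    size_t n = 0;                                                /* build the flag string */
    for (size_t i = 0; i < 5; i++) if (tcp[13] & bits[i]) s.flags[n++] = names[i];
    if (n == 0) s.flags[n++] = '.';                              /* none of S,F,R,P,U set */
    s.flags[n] = '\0';
    s.payload_len = ip_total - ihl - doff;                       /* the "length of tcp payload" */
    s.valid = 1;
    return s;
}
/* Constructed sample frame: 10.0.0.1:40000 -> 10.0.0.2:23 (telnet), PSH+ACK, 5 data bytes. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x2d, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, len 45 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,                                  /* src, dst */
    0x9c,0x40,0x00,0x17, 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0xc8,             /* TCP ports, seq, ack */
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00, 'h','e','l','l','o' };           /* doff 5, PSH+ACK, data */
int main(void) {
    struct tcp_summary s = parse_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME);
    printf("%u > %u: %s seq %u ack %u win %u, %zu byte(s) of payload\n", (unsigned)s.sport,
           (unsigned)s.dport, s.flags, (unsigned)s.seq, (unsigned)s.ack, (unsigned)s.win, s.payload_len);
    return 0;
}
```

Calling parse_frame with caplen 54 (headers only, as a small -s would give) still reports 5 payload bytes, because the figure comes from the IP header and not from how much was captured.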