Network Traffic Analysis Using tcpdump Reference Material

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:13

Thêm vào BST

Báo xấu

187
lượt xem 17
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

Reference Material W. Richard Stevens, TCP/IP Illustrated, Volume 1 The Protocols, Addison-Wesley Eric A. Hall, Internet Core Protocols, O’Reilly Craig H. Rowland, “Covert Channels in the TCP/IP Protocol Suite”, www.psionic.com/papers/covert/covert.tcp.txt Ofir Arkin, “ICMP Usage in Scanning”, www.sys-security.com Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting” www.insecure.org/nmap/nmap-fingerprinting-article Thomas Ptacek, Timothy Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, www.robertgraham.com/ mirror/Ptacek-Newsham-Evasion-98.html Rain Forest Puppy, “A look at whisker’s anti-IDS tactics”, www.wiretrip.net/rfp...

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Network Traffic Analysis Using tcpdump Reference Material

Network Traffic Analysis Using tcpdump Reference Material Judy Novak Johns Hopkins University Applied Physics Laboratory jhnovak@ix.netcom.com 1 All material Copyright  Novak, 2000, 2001. All rights reserved. 1
References 2 This page intentionally left blank. 2
Reference Material W. Richard Stevens, TCP/IP Illustrated, Volume 1 The Protocols, Addison-Wesley Eric A. Hall, Internet Core Protocols, O’Reilly Craig H. Rowland, “Covert Channels in the TCP/IP Protocol Suite”, www.psionic.com/papers/covert/covert.tcp.txt Ofir Arkin, “ICMP Usage in Scanning”, www.sys-security.com Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting” www.insecure.org/nmap/nmap-fingerprinting-article Thomas Ptacek, Timothy Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, www.robertgraham.com/ mirror/Ptacek-Newsham-Evasion-98.html Rain Forest Puppy, “A look at whisker’s anti-IDS tactics”, www.wiretrip.net/rfp 3 This page intentionally left blank. 3
Referenced Links • www.nswc.navy.mil/ISSEC/CID Site to obtain Shadow software • www.map2.ethz.ch/ftp-probleme.htm Site for list of initial TTL’s by operating system and protocol • www.phrack.com Site to find out more about the loki exploit • ftp.su.se/pub/security/security/tools/net/tcpshow Site to download source code for tcpshow • www.cisco.com/warp/public/770/nifrag.shtml Site to read about a particular denial of service using fragmentation against Cisco routers 4 This page intentionally left blank. 4
Referenced Links • www.cert.org/advisories Site to read about CERT advisory concerning an inverse query exploit, ToolTalk exploit • ftp.isi.edu/in-notes/iana/ assignments/ Information about protocols, reserved address spaces • ftp.ee.lbl.gov/tcpdump.tar.Z ftp.ee.lbl.gov/libpcap.tar.Z netgroup-serv.polito.it/windump netgroup-serv.polito.it/winpcap www.tcpdump.org Sites for tcpdump and support software • www.whitefang.com/rin Site for article on “Raw IP Networking FAQ” 5 This page intentionally left blank. 5
Referenced Links • www.packetfactory.net Site to obtain libnet software • www.insecure.org Site to obtain nmap software • packetstorm.securify.com Site to obtain hping2-beta54.tar.gz Site to obtain isic-0.05.tar.gz • www.sans.org/y2k/gnutella.htm Site for write-up on Gnutella • www.napster.com www.f11.org/david.weekly.org/ opennap.sourceforge.net/napster.txt Sites for write-up about napster 6 This page intentionally left blank. 6
Referenced Links • www.computerworld.com/cwi/story/0,1199,NAV47_STO4680 2,00.html sites for write-up on wrapster • www.sans.org/topten.htm Site for write-up from SANS of top ten security threats • www.wiretrip.net/rfp/pages.whitepapers/whiskerids.html Site to read about whisker NID evasion tool 7 This page intentionally left blank. 7
Common Services and Ports ftp-data 20/tcp ftp 21/tcp telnet 23/tcp smtp 25/tcp sendmail domain 53/udp DNS domain 53/tcp DNS bootps 67/udp tftp 69/udp finger 79/tcp pop-3 110/tcp sunrpc 111/udp rpcbind sunrpc 111/tcp rpcbind imap 143/tcp snmp 161/udp X-Server 6000/tcp 8 To find more well-known server ports, go to: http://www.isi.edu/in-notes/iana/assignments/port-numbers. 8
IP Header 0 15 16 31 4-bit 4-bit IP 8-bit TOS 16-bit total length (in bytes) version header length 16-bit IP identification number 3-bit 13-bit fragment offset flags 8-bit time to live 8-bit protocol 16-bit header checksum (TTL) 20 bytes 32-bit source IP address 32-bit destination IP address options (if any) data 9 This page intentionally left blank. 9
TCP Header 0 15 16 31 16-bit source port number 16-bit destination port number 32-bit sequence number 32-bit acknowledgement number 20 4-bit U A P R S F bytes reserved 16-bit window size header (6-bits) R C S S Y I length G K H T N N 16-bit checksum 16-bit urgent pointer options (if any) data (if any) 10 . This page intentionally left blank. 10
UDP Header 0 15 16 31 16-bit source port number 16-bit destination port number 16-bit UDP length 16-bit UDP checksum data (if any) 11 This page intentionally left blank. 11
ICMP Header 0 15 16 31 8-bit message 8-bit message 16-bit checksum type code (contents depends on type and code) Type Code Message 0 0 Echo Reply 8 0 Echo Request 12 0 Time exceeded in-transit 12 1 Reassembly time exceeded 12 This page intentionally left blank. 12
Course Revision History 13 v1.0 – 10 February 2001 13