
Tools of the Trade: Part 2

by Carl Constantine
06/29/2001

Welcome back to our continuing discussion of the various tools of the Linux trade.

This article is the second of a three-part series that takes a look at some of the common tools you can use on your own systems to spot holes, look for potential problems, and then take steps to tighten your grip on the system.

Last time, I took you through a brief introduction to "honey pots," Ethereal, and the venerable nmap. This time, we'll take a look at a few more common tools, namely tcpdump and Tripwire.

tcpdump

Tcpdump is a network traffic analysis tool originally created by the Network Research Group at Lawrence Berkeley National Laboratory. As the name implies, tcpdump allows you to "dump" TCP traffic to the screen or to a file for later analysis. Tcpdump also serves as a back end to many other network analysis tools, such as Snort and Shadow. The underlying traffic capture library, libpcap, is also used by other tools such as Ethereal (which we discussed last time), tcptrace, and many others. You can find more details on these tools at the tcpdump web site. Tcpdump comes with most Linux distributions by default, so you don't have to grab it yourself.

Like many other tools, tcpdump can only be used by the root user. There are many other tools, including some commercial tools, that provide slightly different or more elegant output than tcpdump. However, tcpdump is a good raw tool that can help you understand other tools and your network.

By default, tcpdump reads all the traffic from the default network interface (usually eth0) and writes all of its output to the console. On a busy network the data scrolls up the screen at an uncontrollable rate, so this is probably not the behavior you want or need. Thus, tcpdump includes many command-line options to change the behavior into something more manageable.

Let's take a look at a typical packet you might capture using tcpdump. This output was captured without any command-line options given to tcpdump.

13:37:11.950966 Mallard.36872 > archive.progeny.com.www: . ack 1259760 win 37648 <nop,nop,timestamp 249582195 600468459,nop,nop,sack sack 1 {1261208:1280032} > (DF)

This packet is from a download session with a web server. How do I know that? Well, a little experience, for one thing, and I set it up that way. But let me break down the packet in more detail for you.

[Diagram: breakdown of the captured packet into its fields (image not included)]

Notice that the destination port on archive.progeny.com is www, port 80. Therefore, this is a web session. Notice also that the source and destination addresses have been resolved to names: "Mallard" is the name of my machine. You can have tcpdump print IP addresses and port numbers instead of resolved names (use the -n option), or you can suppress some fields, such as the time stamp (use the -t option).

TCP flags

There are several TCP flags you might encounter when using tcpdump. They are s, ack, f, r, p, urg, and . (period). I'll describe them briefly here.

TCP flag     In tcpdump   Meaning
SYN          s            SYN packet, a session establishment request. The first part of any TCP connection.
ACK          ack          ACK packet, used to acknowledge the receipt of data from the sender. May appear in conjunction with other flags.
FIN          f            Finish flag, used to indicate the sender's intention to terminate the connection to the receiving host.
RESET        r            Indicates the sender's intention to immediately abort the existing connection.
PUSH         p            Signals the immediate push of data from the sending host to the receiving host. For interactive applications such as telnet, the main issue is the quickest response time, which this "push" flag signals.
URGENT       urg          Urgent data should take precedence over other data; for example, a Ctrl-C to terminate an FTP download.
Placeholder  .            If the packet does not have a SYN, finish, reset, or push flag set, this placeholder flag will be found after the destination port. Note that it also appears in conjunction with the ack flag.

Understanding the information provided by tcpdump takes a bit of time and practice. It does help to have a good TCP reference book such as TCP/IP Illustrated, Volume 1 by Dr. Richard Stevens.
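To make the packet breakdown and the flag table concrete, here is an added example (not code from the article or from the tcpdump project) that parses lines in the classic tcpdump output layout shown above into their fields and expands the flag letters to their TCP names. The regular expression, the field names, and the second (SYN) sample line are my own constructions; the first sample is the article's packet with its wrapped lines re-joined.

```python
import re

# Constructed sample lines in the classic tcpdump output format the article shows;
# the first is the article's packet re-joined, the second is an invented SYN packet.
SAMPLE_LINES = [
    "13:37:11.950966 Mallard.36872 > archive.progeny.com.www: . ack 1259760 win 37648 "
    "<nop,nop,timestamp 249582195 600468459,nop,nop,sack sack 1 {1261208:1280032} > (DF)",
    "13:37:12.104211 Mallard.36873 > archive.progeny.com.www: S "
    "1820035118:1820035118(0) win 5840 <mss 1460> (DF)",
]

# Flag letters printed after the destination port (see the table above)
FLAG_MEANING = {"S": "SYN", "F": "FIN", "R": "RST", "P": "PSH", ".": "no SYN/FIN/RST/PSH"}

# Layout: time src.port > dst.port: flags [seq] [ack N] [win N] [urg N] [<opts>] [(DF)]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+:\d+\(\d+\)))?(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?(?: <(?P<opts>[^>]*)>)?"
    r"(?: \((?P<df>DF)\))?\s*$"
)

def parse_tcpdump_line(line):
    """Split one tcpdump TCP line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    flags = [FLAG_MEANING[c] for c in f["flags"]]
    if f["ack"] is not None:   # "ack N" in the output means the ACK bit is set
        flags.append("ACK")
    if f["urg"] is not None:   # likewise "urg N" for the URG bit
        flags.append("URG")
    return {
        "time": f["ts"],
        "src": (f["src"], f["sport"]),
        "dst": (f["dst"], f["dport"]),
        "flags": flags,
        "seq": f["seq"],
        "ack": int(f["ack"]) if f["ack"] else None,
        "win": int(f["win"]) if f["win"] else None,
        "options": [o.strip() for o in f["opts"].split(",")] if f["opts"] else [],
        "dont_fragment": f["df"] is not None,
    }

def is_web_session(packet):
    """The article's rule of thumb: destination port www (80) means a web session."""
    return packet["dst"][1] in ("www", "http", "80")
```

Run parse_tcpdump_line over SAMPLE_LINES (or over lines saved from tcpdump run without -n) to see each field the article walks through; with -n the host and port fields come back as numbers instead of names.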
