As a network administrator, you've got to cultivate a certain amount of professional paranoia. tcpdump indulges your need to know and tells you exactly what's going on over your networks.
I confess, I'm an outlaw at heart. I like using packet sniffers like tcpdump because it satisfies my base snooping impulses. Packet-sniffing is wiretapping after all, only it's applied to TCP/IP packets, not voice transmissions. Sure, they're my packets on my systems, but still the idea is appealing. Even more appealing is knowing I have the ability to monitor incoming and outgoing traffic, and knowing exactly what's going on.
For example, being an untrusting soul as all wise network administrators are, I can use tcpdump to verify that encryption is working. Here is what a plain unencrypted POP mail session looks like. This is an abbreviated example showing only the initial three-way TCP handshake. You can do this yourself by firing up tcpdump, then checking mail. Ctrl+C stops it:
# tcpdump port 110
15:04:49.050227 windbag.34348 > venus.domain.com.pop3: S 2974284112:2974284112(0) win 5840 (DF)
15:04:49.190076 venus.domain.com.pop3 > windbag.34348: S 2862911212:2862911212(0) ack 2974284113 win 5840(DF)
15:04:49.190168 windbag.34348 > venus.domain.com.pop3: . ack 1 win 5840 (DF)
Handshake Dissection
There is a whole lot going on here, which I shall now deign to explain.
15:04:49.050227 is the timestamp, in hh:mm:ss:fraction format.
windbag.34348 > is the originating host and port.
venus.domain.com.pop3: is the destination host and port (see /etc/services).
S is the first part of the three-way TCP handshake (SYN, SYN, ACK).
2974284112:2974284112 is the byte sequence/range. The initial sequence number (ISN) is generated randomly. Then sequence numbers for the rest of the bytes in the connection are incremented by 1 from the ISN. Since no data are exchanged at this stage, both numbers are the same.
win 5840 is the window size, or the number of bytes of buffer space the host has available for receiving data.
mss 1460 is the maximum segment size, or maximum IP datagram size that can be handled without using fragmentation. Both sides of the connection must agree on a value; if they are different, the lower value is used.
sackOK means "selective acknowledgments," or allow the receiver to acknowledge packets out of sequence. Originally, packets could only be acknowledged in sequence. So if the third packet out of a thousand packets received went missing, the host could only acknowledge the receipt of the first two packets, and the sender would have to resend all packets from number three through one thousand. sackOK allows only the missing third packet to be re-sent.
timestamp 995173 0 measures the round-trip time. There are two fields: the Timestamp Value and the Timestamp Echo Reply. On the first exchange, the Echo Reply is set to 0. When the second host receives that packet, it transfers the timestamp from the old packet's Timestamp Value field to the new packet's Timestamp Echo Reply field. Then it generates a new value for the Timestamp Value field. So the Timestamp Value field contains the latest timestamp, while the Timestamp Echo Reply field contains the previous timestamp.
nop, or "no operation," is just padding. TCP options must be multiples of 4 bytes, so nop is used to pad undersized fields.
wscale 0> is a nifty hack to get around the original window size limitation of 65,535 bytes, because the window size field is only 16 bits long. wscale provides for a full gigabyte of buffer. Both sides of the connection must support this and agree; otherwise the window size does not change.
(DF) means "don't fragment."
Here is a sample of the rest of the dump, showing data transfer:
15:04:49.548954 windbag.34348 > venus.domain.com.pop3: P 46:52(6) ack 181 win 5840 (DF)
15:04:49.653945 venus.domain.com.pop3 > windbag.34348: P 181:238(57) ack 52 win 5840 (DF)
The P flag means "push", or data are being sent. And now you see an example of the byte sequence/range when data are sent: 181:238(57); or 57 packets in this particular exchange.
Verifying Encryption
Now let's get back to our original task of examing packets to verify that logging in to our mail server is properly encrypted. Here is the quick way:
# tcpdump port 995
tcpdump: listening on eth0
16:10:05.054198 windbag.34465 > venus.euao.com.pop3s: S 2698160498:2698160498(0) win 5840 (DF)
16:10:05.171235 venus.domain.com.pop3s > windbag.34465: S 2694170013:2694170013(0) ack 2698160499 win 5840(DF)
16:10:05.171319 windbag.34465 > venus.domain.com.pop3s: . ack 1 win 5840 (DF)
This shows the protocol is pop3s, rather than pop3, which is what we want. We can dig even deeper and view the login itself:
# tcpdump -X port 995
The X option displays the packet in nice readable ASCII, as this snippet shows:
E...R(@.5..fE8..
................
P...`.......J...
F..A....yY.I.D..
=2....'i..E.....J.
Readable enough to verify that anyone snooping on our connection cannot capture logins and passwords. This snippet plainly shows the login and password in a clear text login:
# tcpdump -X port 110
E8.....n.....V%.
P...T...USER.car
la@domain.com..
32:46(14) ack 70 win 5840 (DF)
E..6..@.@..x....
E8.....n...".V&.
P...n...PASS.mgY6Rf9W..
Hubs Are Blabbermouths
If your LAN is connected with hubs, which is so twentieth century, you can sniff traffic for any host on the network from the comfort of your own chair. Anyone on the LAN can simply name the host they wish to surveil:
# tcpdump dst host workstation5
Or specify the host's IP address. tcpdump automatically puts your NIC into promiscuous mode, but you won't see this with ifconfig. You'll see it in dmesg or /var/log/messages. Just for kicks, open two terminal windows. In one, run tail -f /var/log/messages. In the other, run tcpdump, then stop it. The first one will show something like
Nov 22 20:43:30 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:43:30 windbag kernel: device eth0 entered promiscuous mode
Nov 22 20:44:07 windbag kernel: eth0: Promiscuous mode enabled.
Nov 22 20:44:07 windbag kernel: device eth0 left promiscuous mode
Foiled By Switches
If your LAN is blessed with switches instead of hubs, you cannot do this. You must first put the switch in SPAN (Switch Port Analyzer) mode. This is also called "port mirroring." Whatever you call it, it puts the switch in broadcast mode just like a hub, with one major difference: all the LAN traffic is directed to a sniffer port, so only you, the godlike admin, can see the packets. Low-cost SOHO switches, such as those made by Linksys, D-Link, and Netgear, cannot do this; this is a feature of higher-priced products from Cisco and Extreme.
Come back next week to learn some nifty network diagnostic tricks with tcpdump, such as finding signs of evil activity, diagnosing network problems, and sending tcpdump's output to binary files suitable for parsing by utilities like Ethereal and Snort.
Resources
Unlike my columns, RFCs are less-than-riveting reading. But they contain complete information.
- rfc 793 describes the transmission control protocol (tcp) in exhaustive detail.
- rfc 1180 is an excellent tutorial.
- tcpdump home page
相关推荐
标题中的“Spy4 win7.rar_spy4_spy4win7_spy4winwin7_spy查看窗口_查看窗口 title”表明这是一个与Windows操作系统相关的工具,特别是针对Windows 7设计的,名为“Spy4”。这个工具的主要功能是帮助用户查看和获取...
**标题:“spy lite spy++”** **描述:“spy++ 加强版,可获取窗口各类消息,灵活方便操作各类窗口”** **关键词:spylite、spy++** **正文:** `Spy Lite` 和 `Spy++` 是两种强大的Windows应用程序调试和分析...
《SPY4窗口句柄查看工具深度解析》 在Windows操作系统中,开发人员常常需要对窗口进行调试和分析,以了解应用程序的运行机制。而SPY4,作为一个专门的窗口句柄查看工具,成为了开发者们的得力助手。尤其是对于...
### spy3使用教程详解 #### 一、spy3入门概览与主要功能 **spy3**是一款由Intrepid Control Systems, Inc.开发的专业车载网络分析工具,主要用于CAN、LIN、FlexRay、Ethernet等多种车辆网络协议的监控、诊断及数据...
标题 "SPY c++builder 6 编写SPY源程序" 描述的是一个使用C++Builder 6(CBC6)开发的项目,其目的是创建一个类似于SPY的应用程序。这个程序可能涉及到系统监控、调试或者信息捕获等功能,因为"SPY"通常指的是能够...
64位 Spy++ 是一款专为64位操作系统设计的高效能、轻量级的Windows系统监控工具。这款工具主要用于帮助软件开发者、测试人员以及系统管理员深入理解Windows应用程序的内部运行机制,它提供了窗口、消息、过程以及...
"spy32 - 小巧好用的 windows spy 工具" 这个标题揭示了我们讨论的主题是一款名为 "spy32" 的软件,它是一款专为Windows操作系统设计的轻量级侦查工具。"小巧好用" 暗示该工具虽然体积不大,但功能强大且易于使用。 ...
《网络特工NetSpy——局域网病毒监测利器》 在信息化时代,网络安全的重要性日益凸显。网络特工NetSpy是一款专为局域网环境设计的网络监测工具,它旨在帮助用户实时监控网络中的病毒活动,保护系统免受恶意软件的...
Spy4Win, 适用于win10的版本. Spy4Win(Spy for Window)是一个类似MS Spy++的 辅助工具,主要功能是探测和获取窗口的更多信息 (窗口基本信息,样式描述及动态改变样式,识别控 件来源,窗口内容的读取,窗口消息截获,可视...
Vehicle Spy 3 是一款强大的车辆网络总线工具,它集数据监控、诊断和ECU仿真功能于一体。本篇学习手册将带你逐步了解其主界面、平台和数据库的使用。 首先,Vehicle Spy 3的主界面包含四个主要区域: 1. 区域一是...
**SPY课程_spy_** 本课程主要围绕“SPY”工具进行学习,重点在于掌握其在脚本编辑和发送数据方面的应用。虽然提供的资料仅是部分笔记,但足以让我们窥见SPY的强大功能和使用技巧。下面我们将深入探讨SPY在IT领域的...
笑话模拟模块通过监视所有函数和属性来扩展玩笑,以允许对模块进行深度自动模拟。... spy ( "src/example" ) ;const example = require ( "src/example" ) ;// Check module object propertiesjest
Spy++ 是一款强大的Windows系统监控工具,主要用于调试和分析应用程序的用户界面(UI)和窗口操作。这个绿色工具被封装在名为"spy++.zip"的压缩包中,无需安装即可直接使用,为开发者提供了一个便捷的环境来检测和...
开玩笑.fn()和spyOn()spy / stub / mock断言参考要求节点10 纱线1.x或npm设置克隆存储库运行yarn或npm install将安装所有必需的依赖项。npm脚本等效的npm run [removed]也应该起作用yarn test测试使用Jest运行...
标题中的“net-spy.rar”表明这是一个以RAR格式压缩的文件,通常用于打包和压缩多个文件以便于存储和传输。NETSPY和“_spy”可能是该程序的名称或者与其功能有关,暗示这是一个网络监控工具。"网络监控"是这个程序的...
《Vehicle Spy 详细中文教程》 Vehicle Spy 是一款由 Intrepid Control Systems, Inc. 开发的专业车载网络诊断和测试工具,广泛应用于汽车电子系统开发、调试和验证过程中。本教程将详细解读Vehicle Spy的各项功能...
《SPY++源代码解析与学习指南》 SPY++是一款强大的Windows系统监视工具,它由Microsoft提供,用于查看和分析Windows消息系统、线程、进程以及窗口等元素。源代码的学习是深入理解其工作原理的关键,对于软件开发者...
Spy4Win, 适用于win10的版本. Spy4Win(Spy for Window)是一个类似MS Spy++的 辅助工具,主要功能是探测和获取窗口的更多信息 (窗口基本信息,样式描述及动态改变样式,识别控 件来源,窗口内容的读取,窗口消息截获,可视...
Spy++ Lite版是一款专为那些只安装了Visual Studio Express版,无法使用完整版Spy++的用户设计的轻量化工具。Spy++通常是一个强大的Windows应用程序,用于监控系统中的窗口、消息、线程和进程,它是Microsoft Visual...
**P6Spy 简介** P6Spy 是一个开源的数据库监控工具,它能够记录并分析应用程序与数据库之间的所有SQL交互。对于开发者而言,P6Spy 是一个强大的调试和性能分析工具,尤其在使用MyBatis或Hibernate等ORM框架时,能够...