Tcpdump


Collect Data

Before you can respond to an attack you need to identify what is going on, so start by capturing a sample of the traffic.

tcpdump -nnqt ether dst `awk '/eth0/ {print $4}' /proc/net/arp` > out
tcpdump -n -i eth0 -c 20000 tcp port 80 | tee out

Note: During an attack the capture file grows very quickly, so do not let this command run for more than a second or two after you see the following (or similar) output:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Press Ctrl-C to stop the capture.

Isolate Destination

If you want to isolate the IP protocol and port being attacked, use the following command; otherwise skip ahead to isolating the source:

awk '{print $4,$5}' out | sort | uniq -c | sort -n

The output will be similar to the following. The first number is the packet count, followed by the destination IP.port and then the protocol:

34 209.59.139.206.48865: tcp

Once you know the IP, protocol and port being attacked, issue the following command to collect only the traffic directed there. You can omit the protocol if you are unsure:

tcpdump -nnqt dst host <IP> and <PROTO> dst port <PORT> > out
Example:
tcpdump -nnqt dst host 192.168.0.1 and tcp dst port 48865 > out

Isolate Source(s)

Now that the data is collected it is time to find the source. To isolate the source(s), issue the following command (FS and OFS are set in a BEGIN block so that the first line is split on dots like the rest):

awk 'BEGIN{OFS=FS="."} {print $1,$2,$3,$4}' out | sed -e "s/IP //" | sort -n | uniq -c | sort -n

The output will look similar to this (packet count, then source IP; the last entries are the heaviest senders):

 1 209.59.139.7
 1 35.8.2.41
 43 64.236.34.67
 49 198.172.239.14

Blocking Attacks

Now that you know which IPs are generating the most traffic it is time to block them. For example:

iptables -A INPUT -s 198.172.239.14 -j DROP
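The three steps above (summarise destinations, isolate sources toward one target, decide what to block) are shown here as one added Python example, not code from the original page. It parses the same `tcpdump -nnqt` line format the awk pipelines consume, on a constructed sample capture, and goes slightly beyond the page: it also handles UDP lines (`UDP, length N`) and IPv6 (`IP6 ...`) endpoints, which the dot-counting awk command does not, and it only renders the DROP rules as strings rather than executing them. The function names and the sample capture are assumptions.

```python
"""Summarise a `tcpdump -nnqt` capture: which target is being hit, and by whom.
Added example; constructed sample data, not a real capture."""
import re
from collections import Counter

# Constructed sample in `tcpdump -nnqt` format (quiet, no timestamps, numeric
# hosts and ports). Addresses are illustrative only.
SAMPLE_CAPTURE = """\
IP 198.172.239.14.40001 > 192.168.0.1.80: tcp 0
IP 198.172.239.14.40002 > 192.168.0.1.80: tcp 0
IP 64.236.34.67.51000 > 192.168.0.1.80: tcp 0
IP 198.172.239.14.40003 > 192.168.0.1.80: tcp 0
IP 35.8.2.41.53 > 192.168.0.1.4455: UDP, length 60
IP 209.59.139.7.2222 > 192.168.0.1.22: tcp 0
IP6 2001:db8::5.55555 > 2001:db8::1.80: tcp 0
IP 64.236.34.67.51001 > 192.168.0.1.80: tcp 0
"""

# "IP <src> > <dst>: <proto> ..." for IPv4, "IP6 ..." for IPv6.
LINE_RE = re.compile(r"^IP6? (\S+) > (\S+): (\S+)")


def split_endpoint(endpoint):
    """'192.168.0.1.80' -> ('192.168.0.1', 80). tcpdump puts the port after the
    last '.', so rsplit also works for IPv6 endpoints like '2001:db8::1.80'."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) for every packet line.
    Banner lines ("listening on eth0 ...") and other non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto = m.groups()
        src_ip, src_port = split_endpoint(src)
        dst_ip, dst_port = split_endpoint(dst)
        # tcpdump prints "tcp" but "UDP," in quiet mode; normalise both.
        yield src_ip, src_port, dst_ip, dst_port, proto.rstrip(",").lower()


def top_destinations(text, n=3):
    """Counterpart of `awk '{print $4,$5}' out | sort | uniq -c | sort -n`:
    packet count per (dst_ip, dst_port, proto), most common first."""
    counts = Counter((d_ip, d_port, p) for _, _, d_ip, d_port, p in parse_capture(text))
    return counts.most_common(n)


def top_sources(text, dst_ip=None, dst_port=None, proto=None, n=3):
    """Counterpart of the source-isolating awk pipeline. The optional filters play
    the role of `tcpdump dst host <IP> and <PROTO> dst port <PORT>`."""
    counts = Counter()
    for s_ip, _, d_ip, d_port, p in parse_capture(text):
        if dst_ip is not None and d_ip != dst_ip:
            continue
        if dst_port is not None and d_port != dst_port:
            continue
        if proto is not None and p != proto:
            continue
        counts[s_ip] += 1
    return counts.most_common(n)


def drop_rules(sources, min_packets):
    """Render (do not run) an INPUT DROP rule for every source at or above the
    threshold. IPv6 sources need ip6tables rather than iptables."""
    rules = []
    for ip, count in sources:
        if count < min_packets:
            continue
        tool = "ip6tables" if ":" in ip else "iptables"
        rules.append(f"{tool} -A INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    target, _ = top_destinations(SAMPLE_CAPTURE, 1)[0]
    print("busiest target:", target)
    srcs = top_sources(SAMPLE_CAPTURE, *target)
    print("top sources toward it:", srcs)
    for rule in drop_rules(srcs, min_packets=3):
        print(rule)
```

Run it on a real file with `top_sources(open("out").read(), ...)`. The threshold in `drop_rules` is deliberately an argument: a source with one packet in the capture is probably a legitimate client that happened to appear, and the page's own example blocks only the heaviest sender.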

If the kernel logs conntrack "table full" errors you can raise the table limit at the expense of memory. Note that sysctl -w sets the value only until the next reboot:

sysctl -w net.netfilter.nf_conntrack_max=256000

Dumping SSL Traffic

TLS and SSL traffic can be decrypted and dumped with tshark as long as you have a copy of the server's private key. This only works for cipher suites that use RSA key exchange; with (EC)DHE suites the session keys cannot be recovered from the private key.

For example, to dump TLS traffic on port 26 (SMTP with STARTTLS, key at /etc/postfix/postfix_default.pem):

tshark -x -o "ssl.desegment_ssl_records: TRUE" -o "ssl.desegment_ssl_application_data: TRUE" -o "ssl.keys_list: 1.2.3.4,start_tls,smtp,/etc/postfix/postfix_default.pem" -o "ssl.debug_file: /root/.wireshark-log" -i eth0 -R "tcp.port == 26 and ip.src==1.2.3.4"

https://wiki.wireshark.org/SSL