Reference Material


Network Traffic Analysis Using tcpdump
Reference Material

Judy Novak
Johns Hopkins University Applied Physics Laboratory
jhnovak@ix.netcom.com

All material Copyright Novak, 2000, 2001. All rights reserved.

References

• W Richard Stevens, TCP/IP Illustrated, Volume The Protocols, Addison-Wesley
• Eric A Hall, Internet Core Protocols, O’Reilly
• Craig H Rowland, “Covert Channels in the TCP/IP Protocol Suite”, www.psionic.com/papers/covert/covert.tcp.txt
• Ofir Arkin, “ICMP Usage in Scanning”, www.sys-security.com
• Fyodor, “Remote OS detection via TCP/IP Stack FingerPrinting”, www.insecure.org/nmap/nmap-fingerprinting-article
• Thomas Ptacek, Timothy Newsham, “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection”, www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
• Rain Forest Puppy, “A look at whisker’s anti-IDS tactics”, www.wiretrip.net/rfp

Referenced Links

• www.nswc.navy.mil/ISSEC/CID
  Site to obtain Shadow software
• www.map2.ethz.ch/ftp-probleme.htm
  Site for list of initial TTL’s by operating system and protocol
• www.phrack.com
  Site to find out more about the loki exploit
• ftp.su.se/pub/security/security/tools/net/tcpshow
  Site to download source code for tcpshow
• www.cisco.com/warp/public/770/nifrag.shtml
  Site to read about a particular denial of service using fragmentation against Cisco routers
• www.cert.org/advisories
  Site to read about CERT advisory concerning an inverse query exploit, ToolTalk exploit
• ftp.isi.edu/in-notes/iana/assignments/
  Information about protocols, reserved address spaces
• ftp.ee.lbl.gov/tcpdump.tar.Z
  ftp.ee.lbl.gov/libpcap.tar.Z
  netgroup-serv.polito.it/windump
  netgroup-serv.polito.it/winpcap
  www.tcpdump.org
  Sites for tcpdump and support software
• www.whitefang.com/rin
  Site for article on “Raw IP Networking FAQ”
• www.packetfactory.net
  Site to obtain libnet software
• www.insecure.org
  Site to obtain nmap software
• packetstorm.securify.com
  Site to obtain hping2-beta54.tar.gz
  Site to obtain isic-0.05.tar.gz
• www.sans.org/y2k/gnutella.htm
  Site for write-up on Gnutella
• www.napster.com
  www.f11.org/david.weekly.org/
  opennap.sourceforge.net/napster.txt
  Sites for write-up about napster
• www.computerworld.com/cwi/story/0,1199,NAV47_STO46802,00.html
  sites for write-up on wrapster
• www.sans.org/topten.htm
  Site for write-up from SANS of top ten security threats
• www.wiretrip.net/rfp/pages.whitepapers/whiskerids.html
  Site to read about whisker NID evasion tool

Common Services and Ports

Service     Port        Notes
ftp-data    20/tcp
ftp         21/tcp
telnet      23/tcp
smtp        25/tcp      sendmail
domain      53/udp      DNS
domain      53/tcp      DNS
bootps      67/udp
tftp        69/udp
finger      79/tcp
pop-3       110/tcp
sunrpc      111/udp     rpcbind
sunrpc      111/tcp     rpcbind
imap        143/tcp
snmp        161/udp
X-Server    6000/tcp

To find more well-known server ports, go to: http://www.isi.edu/in-notes/iana/assignments/port-numbers

IP Header

Each row is one 32-bit word; the first five rows are the 20-byte header.

4-bit version | 4-bit IP header length | 8-bit TOS | 16-bit total length (in bytes)
16-bit IP identification number | 3-bit flags | 13-bit fragment offset
8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
32-bit source IP address
32-bit destination IP address
options (if any)
data

TCP Header

Each row is one 32-bit word; the first five rows are the 20-byte header.

16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
4-bit header length | reserved (6-bits) | URG ACK PSH RST SYN FIN | 16-bit window size
16-bit checksum | 16-bit urgent pointer
options (if any)
data (if any)

UDP Header

Each row is one 32-bit word.

16-bit source port number | 16-bit destination port number
16-bit UDP length | 16-bit UDP checksum
data (if any)

ICMP Header

8-bit message type | 8-bit message code | 16-bit checksum
(contents depends on type and code)

Type  Code  Message
0 Echo Reply
Echo Request
Time exceeded in-transit
Reassembly time exceeded

Course Revision History

v1.0 – 10 February 2001

Date posted: 18/10/2013, 18:15
