In this video, we're going to cover tcpdump and how we use it in maintaining and troubleshooting our networks. tcpdump is a command line tool that allows a network technician to display TCP/IP and other packets that are being transmitted or received over a network to the client screen. Now, tcpdump is not included on Windows clients by default, but it is installed by default on Linux, Unix, and OSX systems. If you want to use it on Windows, you'll have to actually download and install it. Now, tcpdump is used to simply dump the traffic from the network onto the screen, but this can also be redirected to a file, so you can store it and analyze it later on, using the tcpdump -w option. This will create a file known as a PCAP file or packet capture file. When you use tcpdump, you can see the same standard format used for every single packet. This includes a timestamp, whether the packet is IPv4, notated by IP in the tcpdump, or IPv6, notated by IP6 in the tcpdump, the source IP and port, and the destination IP and port.
What flags were used in that TCP packet, the sequence number, the acknowledgement number, the windowing number, and the length of the packet. If any of these options are set in the packet, it's going to be shown between the windowing number and the packet length. If you create a PCAP file using tcpdump, it can later be loaded into a more graphical tool like Wireshark, where you can do more analysis on it, or you can reload it back into tcpdump and analyze it in this text-based tool. Now, I'm going to show you a little bit how to use tcpdump. By the end of this lesson, you're not going to be an expert in it, but that's okay, because for the exam you don't need to know how to actually use tcpdump, but you should be familiar with the fact that tcpdump and Wireshark are often used together as a way to capture packets and then analyze packets. Unlike Wireshark, tcpdump is a text-based program and you use it inside the command line. Now, what I'm going to do here is first I'm going to start using tcpdump inside my Mac OSX environment. It comes installed by default inside Mac as well as in Linux.
If you're going to use tcpdump, you need to know what interface you're connected to the network on. In my case, it's en0, so to use it, I'm going to do sudo, because you must be running this with administrative permissions to be able to turn your card into promiscuous mode, and then tcpdump -i, and then your interface: en0 if you're on a Mac; if you're on a Linux machine, it should be eth0. So I'll go ahead and type in en0 and hit enter. Now at this point, I'm putting my card into promiscuous mode and I'm starting to look at everything that's going across the network. And here you see information going across the screen showing me all sorts of different connections that are happening on this network, both from my computer and other computers on the network. Now, this isn't nearly as helpful as being able to look at things slowly or by filtering it down, but that's okay, because we can do that using tcpdump as well. Instead of displaying it to the screen, I'm going to go ahead and hit control C, and that's going to pause that and cancel my collection. And now I can see a couple of things here.
If we start up towards the top, you'll see that my IP address is 10.128.1.130. The first line there is actually going from my computer over port 57963 to that particular website that you see, which is 1e100.net. It's doing this over HTTPS, which is port 443. There are no flags in that packet. There was an acknowledgement that was received. You could see the windowing, the options and the value. That is one packet with one timestamp. Then you go down to the next one, there's another one, and the next one, there's another one, and there's lots of information here. Now, let's say instead of looking at data from all different things on the network, I only wanted to see things that came from my computer. Could I do that? Well, certainly. What I can do is clear my screen and then I will use sudo tcpdump. I will type in source, which is the IP I want to collect from, and in my case, it is going to be 10.128.1.130, and then I will hit enter.
Now all you're going to see here is traffic going from the .130, my host, to somewhere else on the network, and right now there's not much going on because I'm sitting here talking to you and not browsing the internet. But if I was browsing the internet and doing other connections, those would all be showing up here. What you're seeing here is a lot of different beaconing and keep-alive traffic for different programs I have on my computer, and that's what we're seeing here. Now, the next thing we want to do is go ahead and hit control C. This is also helpful, but again, it's not extremely helpful, because if I had this running on a large enterprise network, there'd be so much data whizzing by my screen, I wouldn't be able to read it all. So we would want to write that to a file. How do we do that? Well, again, I'm going to clear my screen so I can go to the top and I'll bring up the last command I did. If we want to do this and write it to a file, we can just type in -w and then the file name that we want.
And so in my case, I'm going to call it host130.pcap and then hit enter. Now that information is going to go into a file that's going to be captured on my hard drive. As it's sitting there listening, it's picking up any traffic that's going from that source, 10.128.1.130, and it's writing it to the file, host130.pcap. Now, once we have enough of that, we can hit control C. In this case, we captured 161 packets of information. Again, it's very little information right now because it's basically background tasks on this computer, because I'm not actively running things, because I'm not sitting there browsing the internet. Now, if I wanted to be able to see that information, I can do that by doing sudo tcpdump and then -r and then the file that I did, host130.pcap. When I hit enter, I'm going to see all 161 packets from that file displayed to the screen. Here's the first bunch, and then I'm just going to keep reading them and displaying them to the screen. Now again, that's a lot of information, and I only did that for about five or 10 seconds. If I had this running all day, that'd be way too much information to go through.
So instead, we would want to start filtering that information, and we can do that based on a lot of different things. For instance, if I look at this particular packet right here, you can see that it is going from the host at 130 over port 5475, and it's going out to the broadcast of the network at .255.255 over port 5474. If I just wanted to see every time that there was a beacon that was going out like that, I can do that. And so what I'll do is I'll hit clear. I would type in sudo tcpdump, source, src, and then port, the port I want to see, in this case that was 5475, and then again, I need to read it from the file, so -r host130.pcap. If I don't put the -r host130.pcap, what it's going to do is it's going to look at the live traffic, and anytime it sees a source port of 5475, it would display it to the screen. But in this case, I want to go through and analyze what I already captured. So as I did that, you can see here a handful of times that that happened. Now, if this was malware that was beaconing out, I could see exactly when that happened.
In this case, this particular packet is being sent out every second: 19:06:51, 19:06:52, 19:06:53. Now, this is just the header we're seeing, and we can see this is a UDP packet that's being sent out with a length of 5. Well, what if you wanted to look inside this packet and see what was actually sent? Can you do that? Well, sure you can. We can do the exact same thing we just did and then add the command -x, which will show the packet's contents in both hex and ASCII. So let me go ahead and clear my screen and then go here and add -x. Now I see all those packets again, done by time, and here I see the IP, where it's going from, where it's going to, UDP length 5. Then you're seeing those 5 bytes of data. Notice here, we see it in hex first, and then we see it in ASCII on the right-hand side. This will allow us to go through and see what was being sent. This can be extremely helpful if somebody's using something like FTP or HTTP where things are being sent in the clear.
Now, as I said, what I did here was just a very, very quick demonstration to show you some of the capabilities of this tool. If you want to learn more, I recommend you go into the man pages for tcpdump and just type in man tcpdump and hit enter. This will bring up the manual, and you can see all of the different options and all of the different ways you can filter down content. Remember, you can filter during collection, or you can filter after you've collected, when you're reading things. Why would you want to do one versus the other? Well, again, let's say I was running a big, large enterprise network. One of the organizations I work for, we ran a network with tens of thousands of computers, and so if I said, "Show me everything that's coming from this particular IP address or this particular port, or is beaconing out to a known bad actor's command and control server," that could be a ton of information.
So we would want to just filter down on the collection, because we're only interested in what we are looking for instead of every single packet sent across the network internally or out to the internet. And so this is why it's important for you to think about what you are trying to collect and filter that down on the collection to reduce the size. On the other hand, if you're not sure what you're trying to collect yet, and you're still trying to identify the indicators of compromise, you may collect everything, which can take up tons of space, and then filter it down as you start reading through and going through those logs.