Thursday, May 29, 2014

How to capture network traffic for analysis in Linux

While working to verify a Windows setting, I had to capture the network traffic and confirm that the setting was in place. The steps below may help you as much as they helped me. :)

Capturing the network traffic

We can use our favourite packet capture tool to capture the network traffic between the source and destination hosts. Here I will demonstrate both the plain vanilla 'tcpdump' and the 'tethereal' tool. ('tethereal' is the old name of Wireshark's command-line capture tool; on current systems the same program is called 'tshark' and accepts the same options used below.)

  # tcpdump -s 0 -vvXX port 445 -w /dir_path/file_name


  # tethereal -p -w /dir_path/file_name port 445


You can see that I'm trying to capture as much data as I can. It may be excessive, but it is worthwhile if you later find that you need that data. Two caveats: '-vvXX' only affects what tcpdump prints to the screen, the file written with '-w' always holds the raw packets; and older tcpdump versions default to a short snapshot length (96 bytes, for example), so it is '-s 0' that actually makes the capture complete. Without it, the tail of every packet is cut off and the protocol decoder will have nothing to show past the first few header fields.

Once you have the above in place, you can fire off the traffic that you want to capture. As in the example above, I'm capturing SMB traffic, which here runs directly over TCP port 445.

Trigger the traffic

In this demonstration, I will use 'nmap' to trigger the SMB traffic. The smb-security-mode script connects to the target, negotiates SMB and reports the server's security mode, so it produces exactly the exchange we want to inspect. Restricting the scan to port 445 keeps the rest of nmap's port scan out of the way.

  # nmap -p 445 --script smb-security-mode.nse 192.168.1.1



You should see the capture tool report that some traffic has been captured. Here is the 'tethereal' output:


[root@server ~]# tethereal -p -w /tmp/smb.capture port 445
Capturing on bond0
12


Below is the output for 'tcpdump'. Your output should be similar.

[root@server ~]# tcpdump -vvXX port 445 -w /tmp/smb.capture
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
12 packets captured
0 packets received by filter
0 packets dropped by kernel

Note the 'capture size 96 bytes': this tcpdump build keeps only the first 96 bytes of each packet by default. That happens to be just enough to reach the Security Mode field of the SMB Negotiate Protocol Response, but anything further into the payload is lost, so pass '-s 0' to record whole packets.

Display the network traffic for analysis

Now that the traffic has been captured, it is time to display it.
If you are using 'tcpdump', you will probably have to use another tool to analyse the traffic: its SMB decoder is an optional build-time feature (--enable-smb) that may not be compiled into your binary, and even when present it is minimal, so the SMB payload is usually shown only as raw hex.


To display using 'tcpdump', try this.
  # tcpdump -vvXX -r /tmp/smb.capture



Here, you may want to use a free online tool at [http://sadjad.me/phd/]. It is literally a packet hex decoder: copy the hex dump of a particular packet into the web page and click 'decode', then click on the result to expand and read the decoded fields. Bear in mind that this sends the packet to a third-party server. A capture from a production network can contain host names, user names and NTLM challenge/response material, so for anything sensitive decode it locally with 'tethereal'/'tshark' or Wireshark instead.

If you are using 'tethereal', try this instead.

  # tethereal -Vx -r /tmp/smb.capture | more



Yes, I was trying to find out whether the SMB server was set to encrypted passwords with signing enabled and required. Here's the essential part of the output. A word on the flags: in SMB1 the 'ENCRYPTED password' bit only means the server uses challenge/response authentication instead of plaintext passwords; it does not encrypt the session data, which SMB1 cannot do at all. Protection against tampering comes from the two signature bits, and only 'REQUIRED' stops a client (or a man in the middle) from negotiating an unsigned session.


        Security Mode: 0x0f
            .... ...1 = Mode: USER security mode
            .... ..1. = Password: ENCRYPTED password. Use challenge/response
            .... .1.. = Signatures: Security signatures ENABLED
            .... 1... = Sig Req: Security signatures REQUIRED
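
As an added example (not part of the original post), the following Python script does by hand what the tethereal decode above shows: it reads a classic pcap file written by 'tcpdump -w', finds the first SMB1 Negotiate Protocol Response and decodes its SecurityMode byte into the same four flags, and also reports whether that packet was cut short by the snaplen. The pcap bytes it parses when run without arguments are constructed inline as test data, not taken from a real capture; the MAC and IP addresses, the client port and the script file name are made up for the example.

```python
"""Added example (not from the original post): decode the SecurityMode byte of an
SMB1 Negotiate Protocol Response straight from a classic pcap file.
Offsets follow MS-CIFS: 32-byte SMB1 header, then WordCount, DialectIndex, SecurityMode."""
import struct
import sys

# SecurityMode bits of the NT LM 0.12 Negotiate response (the four lines tethereal prints).
USER_SECURITY = 0x01        # user-level rather than share-level security
ENCRYPT_PASSWORDS = 0x02    # challenge/response authentication; NOT wire encryption
SIGNATURES_ENABLED = 0x04
SIGNATURES_REQUIRED = 0x08
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80      # set on server responses

def decode_security_mode(mode):
    """Expand the SecurityMode byte into the four named flags."""
    return {
        "user_security": bool(mode & USER_SECURITY),
        "challenge_response": bool(mode & ENCRYPT_PASSWORDS),
        "signing_enabled": bool(mode & SIGNATURES_ENABLED),
        "signing_required": bool(mode & SIGNATURES_REQUIRED),
    }

def negotiate_security_mode(frame):
    """SecurityMode of an SMB1 Negotiate response in an Ethernet frame, or None (incl. truncated)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # need Ethernet + IPv4 header
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:                    # TCP only
        return None
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4
    smb = tcp[doff + 4:]                                    # skip 4-byte NetBIOS session header
    if len(smb) < 36 or smb[:4] != SMB1_MAGIC:              # header(32)+WordCount+DialectIndex+SecurityMode
        return None
    if smb[4] != SMB_COM_NEGOTIATE or not smb[9] & SMB_FLAGS_REPLY:
        return None
    if smb[32] != 17:          # WordCount 17 = NT LM 0.12 layout; older dialects differ
        return None
    return smb[35]

def iter_pcap_frames(data):
    """Yield (captured_len, original_len, frame) from classic libpcap file bytes."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, orig = struct.unpack_from(endian + "4I", data, off)
        off += 16
        yield incl, orig, data[off:off + incl]
        off += incl

def check_smb_signing(pcap_bytes):
    """Decode the first Negotiate response in the capture and flag snaplen truncation."""
    for incl, orig, frame in iter_pcap_frames(pcap_bytes):
        mode = negotiate_security_mode(frame)
        if mode is not None:
            result = decode_security_mode(mode)
            result["security_mode"] = mode
            result["truncated"] = incl < orig               # tcpdump -s was too small
            return result
    return None

def build_negotiate_response_frame(security_mode):
    """Constructed test frame (not a real capture, addresses made up): Ethernet/IPv4/TCP/NetBIOS
    carrying a minimal SMB1 NT LM 0.12 Negotiate response with the given SecurityMode."""
    smb = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4        # command, NT status
           + bytes([SMB_FLAGS_REPLY | 0x08]) + b"\x01\xc8" + b"\x00" * 20)  # Flags, Flags2, rest
    smb += bytes([17]) + b"\x00\x00" + bytes([security_mode])          # WordCount, DialectIndex, SecurityMode
    smb += b"\x00" * 31 + b"\x00\x00"                                  # remaining words, ByteCount
    nbss = b"\x00" + len(smb).to_bytes(3, "big") + smb
    tcp = struct.pack("!HHIIBBHHH", 445, 50000, 1, 1, 0x50, 0x18, 65535, 0, 0) + nbss
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip

def build_pcap(frames, snaplen=65535):
    """Constructed classic pcap (Ethernet) with each frame cut at `snaplen`, as tcpdump -s would."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for f in frames:
        cap = f[:snaplen]
        out.append(struct.pack("<IIII", 0, 0, len(cap), len(f)) + cap)
    return b"".join(out)

if __name__ == "__main__":
    # python3 smbmode.py /tmp/smb.capture ; with no path, decode the constructed frame as a 96-byte snaplen stored it
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_pcap([build_negotiate_response_frame(0x0F)], snaplen=96)
    print(check_smb_signing(data))
```

Run without arguments it decodes the constructed frame the way tcpdump's old 96-byte snaplen would have stored it: the four bits come out as in the tethereal output above, but 'truncated' is True, which is exactly the warning you want when a capture was taken without '-s 0' (at the even older 68-byte default the field is gone entirely and the script returns None). 'tcpdump -w' writes the classic pcap format this script reads; recent 'tshark' writes pcapng by default, so add '-F pcap' there or let Wireshark do the decoding.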



That's all, folks!
