COEN 252 Computer Forensics Using TCPDump / Windump
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis. TCPDump / Windump Low level package sniffer. Good, if you see a new type of attack
or try to diagnose a problem Bad, since you have to look at all these packages and learn how to interpret them. TCPDump / Windump: The Good Provides an audit trail of network activity.
Provides absolute fidelity. Universally available and cheap. TCPDump / Windump: The Bad Does not collect the payload by default. Does not scale well.
State / connections are hidden. Very Limited analysis of packages. Versions Unix Version 3.4. ftp.ee.lbl.gov/tcpdump.tar.Z Windump http://netgroup-serv.polito.it/windum
p http://netgroup-serv.polito.it/winpcap www.tcpdump.org Shadow Collects tcpdump data in hourly files. Analyzes for anomalies
Formates anomalous data in HTML Comes with Scripts Download it for free for UNIX http://www.nswc.navy.mil/ISSEC/CID/ Running TCPDump tcpdump x looks at packages in hex format Running tcpdump IP Header ICMP Header
Capture only packages that are useful. Specify in the filter what items are interesting. Filters use common fields such as host or port. Filters also for individual bytes and bits in the datagram TCPDump Filters
Format 1: macro and value tcpdump port 23 Only displays packages going to or from port 23. TCPDump Filters Format 2:
[offset:length] ip = 1 Selects any record with the IP protocol of 1. icmp = 8 Selects any record that is an ICMP echo
requests. TCPDump Filters Reference single bits through bit masking. An example is TCP flag bits Byte 13 in a TCP header has the 8
flag fields. CWR,ECE,URG,ACK,PSH,RST,SYN,FI N TCPDump Filters Assume we want to mask out the PSH field. Translate the mask into binary. 0x04
TCPDump Filters Set filter to tcp & 0x40 != 0. Your turn: Filter for packets that have the Syn or the Ack flag set.
TCPDump Filters Your turn: Filter for packets that have the Syn or the Ack flag set. tcp & 0x12 != 0 TCPDump Filters
We can of course use exact values for filtering. tcp = 0x20 looks only for tcppackets that have the urg flag set. TCPDump Filters
Can combine filters with the and, or, not operators (tcp and tcp&0x0f != 0 and not port 25) or port 20 Filter can be written in file, specified with the F flag. NMap
Available in Windows and Unix version. Scans host with many different connections. Uses responses to determine OS. Target Acquisition. Network mapping. TCPDump
Use Filters to check for NMap activity. For example, send a TCP packet with SYN|FIN|URG|PSH options set. Use packages with the first two TCP flags set of OS-mapping
Technological Fix. Cognitive Fix. Structural Fix. The environment doesn't have problems, we as humans have problems When we. have problems with the environment, there are three ways of trying to fix them . ... Advanced Lake Leaders Conference
Business-to-Business is a transaction that occurs between a company and another company B2B is an electronic commerce between businesses Business-to-business exchanges are electronic marketplaces in which multiple buyers and multiple suppliers come together to exchange goods and services What are...
Political Ideology. A political ideology is a certain set of ethical ideals, principles, doctrines, myths or symbols of a social movement, institution, class or large group that explains how society should work, and offers some political and cultural blueprint for...
Under "My Working Time," you can enter working time and leave, request leave from your supervisor, and view and print your leave quota balances. Remember, ONLY employees at locations that are authorized to enter time/leave shall enter work time and...
VIOLENCE AND SUBSTANCE ABUSE AT A CAPE TOWN TRAUMA CENTRE. Astrid Leusink ,Andrew Nicol, Katherine Sorsdahl, Ross Hoffman, James Burger, Sean Tromp, Patricia Leighton, Robyn Richmond Cathy Ward, Richard Matzopoulos, Pradeep Navsaria, Dan Stein, Guy Lamb.
Presentation. My focus today will be on the Shared Care platform, which we have developed in collaboration with IBM because we believe that this platform is a very good investment that leads to happy people.
A virus hoax is a message warning the recipient of non-existent computer virus threat, usually sent as a chain email that tells the recipient to forward it to everyone they know. This is a form of social engineering that plays...
Ready to download the document? Go ahead and hit continue!