Performing a network capture
Viewing exchanges at the link layer
Example: sending and receiving a ping
tcpdump options used:
-i : interface
-e : Print the link-level header on each line. This can be used to display the MAC addresses.
-n : Do not convert addresses (to names).
root@serveurWebX:~# tcpdump -nvei enp0s3 icmp
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:33:37.385864 08:00:27:5c:fa:b2 > 08:00:27:39:a3:8d, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 25477, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.56.201 > 192.168.56.51: ICMP echo request, id 27402, seq 1, length 64
15:33:37.385968 08:00:27:39:a3:8d > 08:00:27:5c:fa:b2, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 52559, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.56.51 > 192.168.56.201: ICMP echo reply, id 27402, seq 1, length 64
Displaying a capture on port 443
root@serveurWebX:~# tcpdump -i enp0s3 port https
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:06:09.737854 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [S], seq 3301550659, win 64240, options [mss 1460,sackOK,TS val 2594663710 ecr 0,nop,wscale 7], length 0
16:06:09.737896 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [S.], seq 2792750790, ack 3301550660, win 65160, options [mss 1460,sackOK,TS val 831224560 ecr 2594663710,nop,wscale 7], length 0
16:06:09.739351 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [.], ack 1, win 502, options [nop,nop,TS val 2594663711 ecr 831224560], length 0
16:06:09.746910 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 2594663719 ecr 831224560], length 517
16:06:09.746958 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [.], ack 518, win 506, options [nop,nop,TS val 831224569 ecr 2594663719], length 0
16:06:09.749072 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [P.], seq 1:241, ack 518, win 506, options [nop,nop,TS val 831224571 ecr 2594663719], length 240
16:06:09.750487 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [.], ack 241, win 501, options [nop,nop,TS val 2594663723 ecr 831224571], length 0
16:06:09.756794 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [P.], seq 518:582, ack 241, win 501, options [nop,nop,TS val 2594663729 ecr 831224571], length 64
16:06:09.757338 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [P.], seq 582:1060, ack 241, win 501, options [nop,nop,TS val 2594663730 ecr 831224571], length 478
16:06:09.757685 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [P.], seq 241:320, ack 1060, win 502, options [nop,nop,TS val 831224579 ecr 2594663729], length 79
16:06:09.762718 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [P.], seq 320:879, ack 1060, win 502, options [nop,nop,TS val 831224584 ecr 2594663729], length 559
16:06:09.767788 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [.], ack 879, win 501, options [nop,nop,TS val 2594663740 ecr 831224579], length 0
16:06:14.768651 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [P.], seq 879:903, ack 1060, win 502, options [nop,nop,TS val 831229590 ecr 2594663740], length 24
16:06:14.768867 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [F.], seq 903, ack 1060, win 502, options [nop,nop,TS val 831229591 ecr 2594663740], length 0
16:06:14.770672 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [P.], seq 1060:1084, ack 904, win 501, options [nop,nop,TS val 2594668743 ecr 831229590], length 24
16:06:14.771420 IP 192.168.56.201.48956 > 192.168.56.51.https: Flags [F.], seq 1084, ack 904, win 501, options [nop,nop,TS val 2594668744 ecr 831229590], length 0
16:06:14.771436 IP 192.168.56.51.https > 192.168.56.201.48956: Flags [.], ack 1085, win 502, options [nop,nop,TS val 831229593 ecr 2594668743], length 0
Displaying TCP connection attempts
Below, the connection attempts on ports 443 and 22 are accepted (the SYN is answered by a SYN-ACK, Flags [S.]). The attempt on port 24 is rejected (the SYN is answered by a RST, Flags [R.]).
root@serveurWebX:~# tcpdump -n -i enp0s3 'tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:16:49.287573 IP 192.168.56.201.58476 > 192.168.56.51.443: Flags [S], seq 4204018496, win 64240, options [mss 1460,sackOK,TS val 2595303260 ecr 0,nop,wscale 7], length 0
16:16:49.287622 IP 192.168.56.51.443 > 192.168.56.201.58476: Flags [S.], seq 3979902155, ack 4204018497, win 65160, options [mss 1460,sackOK,TS val 831864109 ecr 2595303260,nop,wscale 7], length 0
16:16:57.634558 IP 192.168.56.1.52086 > 192.168.56.51.22: Flags [S], seq 4114485106, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
16:16:57.634618 IP 192.168.56.51.22 > 192.168.56.1.52086: Flags [S.], seq 1163333614, ack 4114485107, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
16:17:17.350582 IP 192.168.56.201.56738 > 192.168.56.51.24: Flags [S], seq 3881389185, win 64240, options [mss 1460,sackOK,TS val 2595331323 ecr 0,nop,wscale 7], length 0
16:17:17.350617 IP 192.168.56.51.24 > 192.168.56.201.56738: Flags [R.], seq 0, ack 3881389186, win 0, length 0
Displaying ICMP rejects -> UDP Port Unreachable
root@serveurWebX:~# tcpdump -vni enp0s3 'icmp[0] == 3'
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:28:07.279344 IP (tos 0xc0, ttl 64, id 34989, offset 0, flags [none], proto ICMP (1), length 68)
    192.168.56.51 > 192.168.56.201: ICMP 192.168.56.51 udp port 53 unreachable, length 48
        IP (tos 0x0, ttl 37, id 34365, offset 0, flags [none], proto UDP (17), length 40)
    192.168.56.201.51923 > 192.168.56.51.53: 0 stat [0q] (12)
16:28:07.280168 IP (tos 0xc0, ttl 64, id 34990, offset 0, flags [none], proto ICMP (1), length 86)
    192.168.56.51 > 192.168.56.201: ICMP 192.168.56.51 udp port 53 unreachable, length 66
        IP (tos 0x0, ttl 50, id 34365, offset 0, flags [none], proto UDP (17), length 58)
    192.168.56.201.51923 > 192.168.56.51.53: 30583+ TXT CHAOS? version.bind. (30)
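As an added example (not part of the original lab), a small Python parser that reads lines in the format of the two captures above, the SYN/RST filter output and the ICMP "udp port unreachable" lines, and tags each connection attempt as accepted or refused. The sample lines are constructed from the captures on this page with the TCP options shortened; the function names are my own.

```python
import re

# Constructed sample lines, in the format of the two captures above:
# TCP SYN/RST filter output (-n) and the ICMP "port unreachable" line from -vni output.
SAMPLE = """\
16:16:49.287573 IP 192.168.56.201.58476 > 192.168.56.51.443: Flags [S], seq 4204018496, win 64240, length 0
16:16:49.287622 IP 192.168.56.51.443 > 192.168.56.201.58476: Flags [S.], seq 3979902155, ack 4204018497, length 0
16:16:57.634558 IP 192.168.56.1.52086 > 192.168.56.51.22: Flags [S], seq 4114485106, win 64240, length 0
16:16:57.634618 IP 192.168.56.51.22 > 192.168.56.1.52086: Flags [S.], seq 1163333614, ack 4114485107, length 0
16:17:17.350582 IP 192.168.56.201.56738 > 192.168.56.51.24: Flags [S], seq 3881389185, win 64240, length 0
16:17:17.350617 IP 192.168.56.51.24 > 192.168.56.201.56738: Flags [R.], seq 0, ack 3881389186, win 0, length 0
    192.168.56.51 > 192.168.56.201: ICMP 192.168.56.51 udp port 53 unreachable, length 48
"""

TCP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP \S+ udp port (?P<port>\d+) unreachable")

def classify(text):
    """Map (client, server, server port) -> 'accepted' | 'refused' | 'pending'.
    TCP: a SYN answered by SYN-ACK is accepted, a SYN answered by RST is refused.
    UDP: an ICMP port-unreachable sent by the server means the UDP port is closed."""
    result = {}
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            f = m["flags"]
            if f == "S":                         # client SYN opens a new attempt
                result.setdefault((m["src"], m["dst"], int(m["dport"])), "pending")
            else:                                # server reply: roles are reversed
                key = (m["dst"], m["src"], int(m["sport"]))
                if key in result and f == "S.":
                    result[key] = "accepted"
                elif key in result and "R" in f:
                    result[key] = "refused"
            continue
        m = ICMP_RE.search(line)
        if m:                                    # ICMP type 3 code 3 emitted by the server itself
            result[(m["dst"], m["src"], int(m["port"]))] = "refused"
    return result

def refused_ports(text):
    """Sorted list of server ports whose connection attempts were refused."""
    return sorted(port for (_, _, port), status in classify(text).items() if status == "refused")
```

Feed it the output of the two tcpdump commands above (for example through a pipe) to get a per-port summary of which services answered and which were closed.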