Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark

894

Start exploring Linux Security Fundamentals by downloading the free sample chapter today. DOWNLOAD NOW

In this exercise, we learn about two of the most useful tools for troubleshooting networks. These tools will show what is happening as network traffic is transmitted and received. The tools are tcpdump and wireshark.

These are passive tools; they simply listen to all traffic exposed to the system by the networking infrastructure.

A fair amount of network traffic is broadcasted to all the devices that are connected to the networking gear. Much of the traffic is simply ignored by the individual systems because the traffic’s destination does not match the system’s address. The tools tcpdump and wireshark can “see”  all of the traffic on the connection and display the traffic in a format that can be analyzed.

tcpdump is a command-line, low-level tool that is generally available as part of a Linux distribution’s default package installation. tcpdump has a filtering capability as described in the pcap-filter man page; both tcpdump and wireshark use the pcap libraries to capture and decipher traffic data.

tcpdump lacks a graphical component as well as the ability to analyze the traffic it captures. For this reason, it is typically used to capture network traffic during an interesting session and then the resulting capture files are copied to a workstation for analysis using the wireshark utility.

Packet capture also requires placing the network interfaces into promiscuous mode, which requires root permissions.

Set up your system

Access to The Linux Foundation’s lab environment is only possible for those enrolled in the course. However, we’ve created a standalone lab for this tutorial series to run on any single machine or virtual machine which does not need the lab setup to be completed. The commands will be altered to comply with the standalone environment.  

To make this lab exercise standalone, let’s add a couple of IP aliases to the default adapter.

To add a temporary IP alias, determine the default adapter:

$ sudo ip a | grep "inet "

The result should be similar to:

   inet 127.0.0.1/8 scope host lo

   inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic enp0s3

   inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

This system shows several adapters: the “lo” is the loopback device, “enp0s3” is the adapter with the address assigned by the DHCP server and is the default adapter. The “virbr0” adapter is a network bridge adapter used by the hypervisor, we will not use this one.  

To add IP aliases on adapter enp0s3:

$ sudo ip addr add 192.168.52.101 dev enp0s3

Then add the following to /etc/hosts:

192.168.52.101 main

This /etc/hosts entry should be removed after the exercise is completed.

On our testing system the commands looked like:

Setup.png

Start the exercise

Open a terminal and run the command:

$ sudo tcpdump -D

Notice that the “adapters” are shown by device name not by IP address. We will be using the adapter we added the extra IP addresses to. In the case of our test system “enp0s3” would be the logical choice. However, because we have a single system with IP aliases we will use the interface “any” for our monitoring. If you had several interfaces you could select traffic monitoring from any specific interface.  Below is the output from our test system.

tcpdump-D.png

$ sudo tcpdump -i any 

This will print a brief summary of each packet that the system sees on the interface, regardless of whether it is intended for the system “main”. Leave the process running and open a second terminal. In this second terminal, run ping, first pinging “main” and then pinging the broadcast address,(this is the same network as your adapter but with a host number of ”255”, something like 192.168.56.255.

$ ping -c4 main

$ ping -c4 -b  192.168.56.255

There may be extra packets displayed that are not related to our purpose. As an example, the command “ping -c4 www.google.com“ will generate traffice on the interface we are listening to “-i any”.  We can add a pcap filter to our tcpdump command to ignore packets that are not related to our subnet. The command would be:

$sudo tcpdump -i any net 192.168.52.0/24 

The tcpdump output from the “ping -c2 main” as captured by our test system is listed below:

ping-host.png

The tcpdump output from the “ping -c2 -b 192.168.52.255” as captured by our test system is listed below:

ping-broadcast.png

Notice that our system can see the broadcast ping coming in but there is no reply, this is because of a system tunable.  Broadcast pings could be used as a denial of service attack so are disabled by default.

Next, explore the pcap-filter and tcpdump man pages. We are going to construct a tcpdump command that captures HTTP traffic on our interface and save that traffic to a file.

Run the following commands:

For Fedora, RHEL, CentOS systems:

$ sudo yum install httpd elinks 

$ sudo systemctl start httpd

For Ubuntu and Debian systems:

$ sudo apt-get install apache2 elinks

$ sudo systemctl start apache2

For all distributions, create a test file:

$ sudo su -c ‘echo "test page" > /var/www/html/test.html’

Note: If your system has the “firewalld” service running you may need to open some ports.

To test if firewalld is running:

$ sudo systemctl status firewalld 

To open the http port:

$ sudo -i  

# firewall-cmd --zone=public --add-port=80/tcp --permanent

# firewall-cmd --reload

Start tcpdump listening for traffic on port 80:

$ sudo tcpdump -i any port 80

We could be more specific and say:

$ sudo tcpdump -i amy port 80 and host main 

Now let’s generate some HTTP traffic to test, first with a http get of a missing page then a good page:

$ elinks -dump http://main/no-file.html

$ elinks -dump http://main/file.html

Observe the output of tcpdump then terminate tcpdump command with a “ctl-c”

tcpdump-404.png

Analyze with wireshark

First lets create some information to analyse, on one terminal session:

$ sudo tcpdump -i any port 80 -w http-dump.pcap 

And on another terminal session issue the following commands:

Generates a “404 not found” error:

$ elinks -dump http://main/no-file.html

Should return the text of the file we created earlier:

$ elinks -dump http://main/file.html

Terminate the http://main/no-file.html tcpdump command and verify the file “http-dump.pcap exists and has bytes in it.

Next, we will analyze the captured data with wireshark. Verify wireshark is installed:

$ sudo  which wireshark

If the previous command fails, you will have to install the utility.

On RHEL-based systems:

$ sudo yum install wireshark wireshark-gnome

Or Debian based systems:

$ sudo apt-get install wireshark-gtk wireshark-qt 

You can launch it by running /usr/sbin/wireshark or finding it the application menus on your desktop, e.g., under Applications -> Internet menu, you may find the Wireshark Network Analyzer. If wireshark is launched from the GUI, go to the File -> Open dialog and browse to the capture file created above. Or launch wireshark with the capture file from the command line:

wireshark  http-dump.pcap

wireshark-404.png

Explore the wireshark output.  Wireshark can be run in an interactive mode without the requirement of tcpdump, but requires a GUI. A text version of wireshark exists called “tshark”. The process of capturing with tcpdump and analysing with wireshark, possibly on a different machine is handy for production type systems without GUI or console access.

Cleanup

Please remember to remove the entries from /etc/hosts. A reboot will remove the network alias we added.

Stay one step ahead of malicious hackers with The Linux Foundation’s Linux Security Fundamentals course. Download a sample chapter today!

Read the other articles in the series:

Linux Security Threats: The 7 Classes of Attackers

Linux Security Threats: Attack Sources and Types of Attacks

Linux Security Fundamentals Part 3: Risk Assessment / Trade-offs and Business Considerations

Linux Security Fundamentals: Estimating the Cost of a Cyber Attack

Linux Security Fundamentals Part 6: Introduction to nmap