COEN 252 Computer Forensics Using TCPDump / Windump
COEN 252 Computer Forensics: Using TCPDump / Windump for packet analysis.

TCPDump / Windump
Low-level packet sniffer.
Good if you see a new type of attack or try to diagnose a problem.
Bad, since you have to look at all these packets and learn how to interpret them.

TCPDump / Windump: The Good
Provides an audit trail of network activity.
Provides absolute fidelity: you see the bytes that were on the wire, not a summary.
Universally available and cheap.

TCPDump / Windump: The Bad
Does not collect the payload by default (the default snapshot length keeps only the first bytes of each packet; raise it with -s if you need the payload).
Does not scale well.
State / connections are hidden: each packet is shown on its own, so sessions must be reassembled by the analyst.
Very limited analysis of packets.

Versions
Unix: Version 3.4, ftp.ee.lbl.gov/tcpdump.tar.Z
Windump: http://netgroup-serv.polito.it/windump
WinPcap (capture driver required by Windump): http://netgroup-serv.polito.it/winpcap
www.tcpdump.org

Shadow
Collects tcpdump data in hourly files.
Analyzes it for anomalies.
Formats anomalous data in HTML.
Comes with scripts.
Download it for free for UNIX: http://www.nswc.navy.mil/ISSEC/CID/

Running TCPDump
tcpdump -x shows packets in hex format.
Running tcpdump: (slide shows a hex dump with the IP header and ICMP header fields marked.)
TCPDump Filters
Capture only packets that are useful. Specify in the filter what items are interesting.
Filters use common fields such as host or port.
Filters can also test individual bytes and bits in the datagram.

TCPDump Filters, Format 1: macro and value
tcpdump port 23
Only displays packets going to or from port 23.

TCPDump Filters, Format 2: proto[offset:length] compared against a value (length defaults to 1 byte)
ip[9] = 1 selects any record whose IP protocol field (byte 9 of the IP header) is 1, i.e. ICMP.
icmp[0] = 8 selects any record whose ICMP type (byte 0 of the ICMP header) is 8, i.e. an ICMP echo request.

TCPDump Filters: reference single bits through bit masking.
An example is the TCP flag bits. Byte 13 of the TCP header holds the 8 flag bits, high-order bit first:
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
= 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

Assume we want to mask out the PSH field. Translate the mask into binary: PSH is the fourth bit from the top, 0000 1000 = 0x08.
Set the filter to tcp[13] & 0x08 != 0.

Your turn: filter for packets that have the SYN or the ACK flag set.
Answer: tcp[13] & 0x12 != 0 (SYN = 0x02, ACK = 0x10; 0x02 | 0x10 = 0x12). The != 0 test matches if either bit is set; to require both SYN and ACK, use tcp[13] & 0x12 = 0x12.

We can of course use exact values for filtering. tcp[13] = 0x20 looks only for TCP packets that have the URG flag set and no other flag.

Can combine filters with the and, or, not operators:
(tcp and tcp[13] & 0x0f != 0 and not port 25) or port 20
A filter can be written in a file and specified with the -F flag.
Note: the &, !, ( and ) characters are shell metacharacters, so quote the expression on the command line, e.g. tcpdump 'tcp[13] & 0x12 != 0'. Newer tcpdump releases also accept the symbolic form tcp[tcpflags] & (tcp-syn|tcp-ack) != 0.
NMap
Available in Windows and Unix versions.
Scans a host with many different connections.
Uses the responses to determine the OS.
Target acquisition, network mapping.

TCPDump
Use filters to check for NMap activity.
For example, Nmap's OS fingerprinting sends a TCP packet with SYN|FIN|URG|PSH set, a combination no normal TCP stack produces. The mask is 0x02 | 0x01 | 0x20 | 0x08 = 0x2b, so the filter is tcp[13] & 0x2b = 0x2b.
Also look for packets with the first two TCP flag bits set (CWR and ECE, reserved bits at the time), which the OS-mapping probes use: tcp[13] & 0xc0 != 0. Caveat: hosts negotiating ECN (RFC 3168) set these two bits legitimately on SYN packets, so treat such hits as a lead, not proof of a scan.
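The offset-and-mask tests behind the filters above (ip[9], icmp[0], tcp[13]) and the Nmap probe checks can be exercised without a live capture. The following is an added example, not code from the COEN 252 slides or from tcpdump: it builds a few IPv4/TCP and IPv4/ICMP packets in memory (constructed sample data, with made-up 10.0.0.x addresses), evaluates the slide's filters against them, and classifies the flag combinations the slide associates with Nmap. It goes slightly beyond the page by also labelling Nmap's NULL and Xmas scans (no flags, and FIN|PSH|URG), which are Nmap's -sN and -sX scan types.

```python
"""tcpdump-style byte and bit filters evaluated over packets built in memory.

Added example for this page (not from the COEN 252 slides or from tcpdump).
All packets below are constructed sample data.
"""
import struct

# Bit values of the eight flags in byte 13 of the TCP header, high bit first.
TCP_FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}


def flag_mask(*names):
    """OR the named flags into the mask used in a tcp[13] & mask test."""
    mask = 0
    for name in names:
        mask |= TCP_FLAGS[name.upper()]
    return mask


def tcpdump_any_flag(*names):
    """tcpdump expression matching packets with ANY of the named flags set."""
    return "tcp[13] & 0x%02x != 0" % flag_mask(*names)


def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """20-byte IPv4 header (no options) in front of payload. Checksum left
    at zero: it plays no part in offset-based filtering."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(flags, sport=40000, dport=23):
    """20-byte TCP header; data offset 5 words, flags land in byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       1024, 0, 0)


def build_icmp(icmp_type, code=0):
    """8-byte ICMP header; the type is byte 0 (icmp[0] in tcpdump)."""
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)


def ip_proto(pkt):
    """ip[9]: the IP protocol field (1 = ICMP, 6 = TCP, 17 = UDP)."""
    return pkt[9]


def l4_byte(pkt, off):
    """Byte `off` of the transport header, honouring the IP header length
    the way tcpdump does for tcp[off] / icmp[off]."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + off]


def tcp_flags(pkt):
    """tcp[13], or None for non-TCP packets (tcp[...] never matches those)."""
    return l4_byte(pkt, 13) if ip_proto(pkt) == 6 else None


def is_icmp_echo_request(pkt):
    """icmp[0] = 8 (which implies ip[9] = 1)."""
    return ip_proto(pkt) == 1 and l4_byte(pkt, 0) == 8


def any_flag_set(pkt, mask):
    """tcp[13] & mask != 0"""
    f = tcp_flags(pkt)
    return f is not None and (f & mask) != 0


def flags_exactly(pkt, value):
    """tcp[13] = value: the given flags and nothing else."""
    return tcp_flags(pkt) == value


def classify_tcp_probe(pkt):
    """Label flag combinations a normal TCP stack never emits but Nmap does.
    CWR/ECE are legitimate ECN bits today (RFC 3168), so that hit is a lead,
    not proof."""
    f = tcp_flags(pkt)
    if f is None:
        return None
    fingerprint = flag_mask("SYN", "FIN", "URG", "PSH")      # 0x2b
    if (f & fingerprint) == fingerprint:
        return "SYN|FIN|URG|PSH OS-fingerprint probe"
    if f & flag_mask("CWR", "ECE"):                          # 0xc0
        return "reserved bits set (OS-fingerprint probe or ECN)"
    if f == 0:
        return "NULL scan"
    if f == flag_mask("FIN", "PSH", "URG"):                  # 0x29
        return "Xmas scan"
    return None


def scan_capture(packets):
    """Run the classifier over a packet list; return the labels found, in order."""
    labels = []
    for pkt in packets:
        label = classify_tcp_probe(pkt)
        if label:
            labels.append(label)
    return labels


# Constructed sample capture: an echo request, a normal telnet handshake
# and data, a URG-only packet, and four Nmap-style probes.
SAMPLE_CAPTURE = [
    build_ipv4(1, build_icmp(8)),
    build_ipv4(6, build_tcp(flag_mask("SYN"))),
    build_ipv4(6, build_tcp(flag_mask("PSH", "ACK"))),
    build_ipv4(6, build_tcp(flag_mask("URG"))),
    build_ipv4(6, build_tcp(flag_mask("SYN", "FIN", "URG", "PSH"))),
    build_ipv4(6, build_tcp(flag_mask("CWR", "ECE", "SYN"))),
    build_ipv4(6, build_tcp(0)),
    build_ipv4(6, build_tcp(flag_mask("FIN", "PSH", "URG"))),
]

if __name__ == "__main__":
    print(tcpdump_any_flag("SYN", "ACK"))
    for label in scan_capture(SAMPLE_CAPTURE):
        print(label)
```

The masks are computed from the same byte-13 layout the slide gives, so the printed tcpdump expressions can be pasted (quoted) onto a real command line; the in-memory checks mirror what the BPF filter does to each packet.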