xdxdxd123

week 4 security coursera

Sep 9th, 2018
Introducing tcpdump
Introduction

In this lab, you'll be introduced to tcpdump and some of its features. Tcpdump is the premier network analysis tool for information security and networking professionals. As an IT Support Specialist, having a solid grasp of this application is essential if you want to understand TCP/IP. Tcpdump will help you display network traffic in a way that's easier to analyze and troubleshoot.

You'll have 60 minutes to complete this lab.

What you'll do

Command basics: You'll learn how to use tcpdump and what some of its flags do, as well as interpret the output.
Packet captures: You'll practice saving packet captures to files, and reading them back.

There will be a few parts of this lab that require more than one terminal open at a time, so make sure you keep a window with the Google Cloud Console open. This way, you can choose to SSH into a VM more than once.

Go ahead and connect to the linux-instance Google Cloud instance now. As a reminder, your machines are available in Google Cloud Console under Compute Engine -> VM instances. If you're having difficulty connecting to your instance, no worries! Just follow the steps outlined in the Accessing Qwiklabs reading for detailed instructions on how to connect.

Using tcpdump

Now, you'll perform some tasks using tcpdump, starting with basic usage and working up to slightly more advanced topics.

Basic Usage

We'll kick things off by introducing tcpdump and running it without any options. Heads up that tcpdump does require root or administrator privileges in order to capture traffic, so every command must begin with sudo. At a minimum, you must specify an interface to listen on with the -i flag. You may want to check what the primary network interface name is using ip link. In this case, we'll be using the interface eth0 for all the examples; this is not necessarily the interface you'd use on your own machine, though.

To use tcpdump to start listening for any packets on the interface, enter the command below.

Heads up: This command will fill your terminal with a constant stream of text as new packets are read. It won't stop until you press ctrl+C.

sudo tcpdump -i eth0

This will output some basic information about packets it sees directly to standard out. It'll continue to do this until we tell it to stop. Press ctrl+C to stop the stream at any time.

You can see that once tcpdump exits, it prints a summary of the capture performed, showing the number of packets captured, filtered, or dropped.

By default, tcpdump will perform some basic protocol analysis. To enable more detailed analysis, use the -v flag for more verbose output. By default, tcpdump will also attempt to perform reverse DNS lookups to resolve IP addresses to hostnames, as well as replace port numbers with commonly associated service names. You can disable this behavior using the -n flag. It's recommended that you use this flag to avoid generating additional traffic from the DNS lookups, and to speed up the analysis. To try this out, enter this command:

sudo tcpdump -i eth0 -vn

You can see how the output now provides more details for each packet.

Without the verbose flag, tcpdump only gives us:

the layer 3 protocol, source, and destination addresses and ports
TCP details, like flags, sequence and ack numbers, window size, and options

With the verbose flag, you also get all the details of the IP header, like time-to-live, IP ID number, IP options, and IP flags.

Filtering

Let's explore tcpdump's filter language a bit next, along with the protocol analysis. Tcpdump supports a powerful language for filtering packets, so you can capture only traffic that you care about or want to analyze. The filter rules go at the very end of the command, after all other flags have been specified. We'll use filtering to only capture DNS traffic to a specific DNS server. Then, we'll generate some DNS traffic, so we can demonstrate tcpdump's ability to interpret DNS queries and responses.

Go ahead and enter the command now. It'll run until you stop it using ctrl+C like the previous command, but you shouldn't see any output yet.

sudo tcpdump -i eth0 -vn host 8.8.8.8 and port 53

Let's analyze how this filter is constructed, and what exactly it's doing. The host 8.8.8.8 part specifies that we only want packets where the source or destination IP address matches what we specify (in this case 8.8.8.8). If we only want traffic in one direction, we could also add a direction qualifier, like dst or src (for the destination and source IP addresses, respectively). Leaving out the direction qualifier matches traffic in either direction.

Next, the port 53 portion means we only want to see packets where the source or destination port matches what we specify (in this case, DNS). These two filter statements are joined together with the logical operator "and". This means that both halves of the filter statement must be true for a packet to be captured by our filter.

Now, use SSH to open a second terminal in a new window, and run this command:

dig @8.8.8.8 A example.com

This uses the dig utility to query a specific DNS server (in this case 8.8.8.8), asking it for the A record for the specified domain (in this case "example.com"). dig prints the server's answer to the screen.

Back in the original terminal, you should now see two captured packets, as our filter rules should filter out any other traffic.

The first one is the DNS query, which is our question (from the second terminal) going to the server. Note that, in this case, the traffic is UDP. Tcpdump's analysis of the DNS query begins right after the UDP checksum field. It starts with the DNS ID number, followed by some UDP options, then the query type (in this case A? which means we're asking for an A record). Next is the domain name we're interested in (example.com).

The second packet is the response from the server, which includes the same DNS ID from the original query, followed by the original query. After this is the answer to the query, which contains the IP address associated with the domain name.

You can stop the tcpdump session in the original terminal now by pressing ctrl+C. Make sure to leave your second terminal window open; you'll need it again soon.

Up next, we'll explore tcpdump's ability to write packet captures to a file, then read them back from a file.

Saving Captured Packets

In one of your terminals, run this command:

sudo tcpdump -i eth0 port 80 -w http.pcap

This starts a capture on our eth0 interface that filters for only HTTP traffic by specifying port 80. The -w flag indicates that we want to write the captured packets to a file named http.pcap. Like the other captures, this will run until you force it to stop with ctrl+C.

Once that's running, switch back to your second terminal, where you'll generate some HTTP traffic that'll be captured in the original terminal. Don't stop the capture you started with the previous command just yet. (If you have, you can restart it now.)

In the second terminal window, execute this command to generate some traffic:

curl example.com

This command fetches the HTML from example.com and prints it to your screen.

Once that's done, close the second terminal window and return to the original terminal where the capture is running. Stop the capture with ctrl+C. It should return a summary of the number of packets captured.

A binary file containing the packets we just captured, called http.pcap, will also have been created. Don't try to print the contents of this file to the screen; since it's a binary file, it'll display as a bunch of garbled text that you won't be able to read.

Somewhere in that file, there's information about the packets created when you pulled down the HTML from example.com. We can read from this file using tcpdump now, using this command:

tcpdump -r http.pcap -nv

Note that we don't need to use sudo to read packets from a file. Also note that tcpdump writes full packets to the file, not just the text-based analysis that it prints to the screen when it's operating normally. For example, somewhere in the output you should see the HTML that was returned as the body of the response to the request you made in the other terminal.
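As an added example that is not part of the lab, the Python below does offline what the filtering section and the -w/-r steps above describe: it builds a constructed two-frame capture in the libpcap file layout that tcpdump -w writes, reads it back the way -r does, applies the same "host 8.8.8.8 and port 53" semantics (either direction, UDP or TCP), and decodes the DNS ID, query type and name that tcpdump -v shows for the query. The MACs, source addresses, ports and the DNS ID 0xBEEF are constructed sample values, and all function names are this example's own.

```python
import struct

def dns_query(dns_id, name):
    # DNS header (flags 0x0100 = recursion desired) + one question: QTYPE 1 (A), QCLASS 1 (IN)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", dns_id, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def udp_frame(src_ip, dst_ip, sport, dport, payload):
    # Ethernet header (zeroed MACs, EtherType 0x0800) + IPv4 (proto 17) + UDP; checksums left 0
    ip4 = lambda s: bytes(map(int, s.split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0, ip4(src_ip), ip4(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

# Constructed capture in the libpcap layout tcpdump -w uses: a 24-byte global header (linktype 1 =
# Ethernet), then a 16-byte record header before each frame. The port-80 frame is a decoy the filter drops.
FRAMES = [udp_frame("10.128.0.2", "8.8.8.8", 40000, 53, dns_query(0xBEEF, "example.com")),
          udp_frame("10.128.0.2", "93.184.216.34", 40001, 80, b"GET / HTTP/1.1\r\n")]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in enumerate(FRAMES))

def read_pcap(data):
    # The -r side: check the magic, then walk the records honouring each one's captured length
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def matches_host_and_port(frame, host, port):
    # Same semantics as the filter 'host <host> and port <port>': IPv4 TCP/UDP, either direction
    is_ip4_l4 = frame[12:14] == b"\x08\x00" and frame[23] in (6, 17)
    addrs = {".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))}
    return is_ip4_l4 and host in addrs and port in struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)

def dns_question(frame):
    # The fields tcpdump -v prints right after the UDP header: DNS ID, query type, query name
    dns = frame[14 + (frame[14] & 0x0F) * 4 + 8:]
    dns_id, labels, off = struct.unpack_from("!H", dns)[0], [], 12
    while dns[off]:
        labels.append(dns[off + 1:off + 1 + dns[off]].decode())
        off += 1 + dns[off]
    qtype = struct.unpack_from("!H", dns, off + 1)[0]
    return dns_id, {1: "A", 28: "AAAA"}.get(qtype, str(qtype)), ".".join(labels)

def filtered_dns_questions(pcap_bytes, host="8.8.8.8", port=53):
    # Offline equivalent of: tcpdump -r http.pcap -nv host 8.8.8.8 and port 53
    return [dns_question(f) for f in read_pcap(pcap_bytes) if matches_host_and_port(f, host, port)]
```

Running filtered_dns_questions(SAMPLE_PCAP) yields only the DNS frame as (48879, "A", "example.com"); pointing read_pcap at a real http.pcap from the lab shows the same record walk tcpdump performs.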

Conclusion

Congrats! You've successfully used tcpdump for basic network monitoring, including filtering for specific traffic. You've also learned how to interpret the information that tcpdump outputs about a packet, along with how to save and load summaries of the packets captured during a session.