kaiux

tshark http filter

Oct 1st, 2014
A very stupid filter using tshark to see HTTP DDoS statistics.

I made a filter to capture only TCP destination port 80. I want to see the requests and whether I receive any confirmation (ACK) as a response.

## Filter explained
Only TCP SYN requests (SYN set, ACK clear): tcp.flags.syn==1 && tcp.flags.ack==0
Only pure ACK responses (no other flags set): tcp.flags == 0x0010
Statistics in 60-second intervals: io,stat,60,

### Legitimate traffic

```shell
tshark -n -l -qz "io,stat,60,tcp.flags.syn==1 && tcp.flags.ack==0,tcp.flags == 0x0010" -r http.pcap
```

```text
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                | Column #0       | Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000      23     1702      92     6072
060.000-120.000      30     2220     120     7920
120.000-180.000      35     2590     137     9042
180.000-240.000      30     2220     120     7920
240.000-300.000      30     2220     120     7920
300.000-360.000      29     2146     116     7656
360.000-420.000      30     2220     120     7920
420.000-480.000      36     2664     141     9306
480.000-540.000      29     2146     116     7656
540.000-600.000      30     2220     120     7920
600.000-660.000       7      518      28     1848
```

### Malicious traffic

```shell
tshark -n -l -qz "io,stat,60,tcp.flags.syn==1 && tcp.flags.ack==0,tcp.flags == 0x0010" -r mal.pcap
```

```text
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                | Column #0       | Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000   27422  1645320       0        0
060.000-120.000    8504   510240       0        0
120.000-180.000    1746   104802       6      396
===================================================================
```

In the legitimate traffic the number of requests (Column #0) and responses (Column #1) keeps a steady proportion. In the malicious traffic, however, the number of requests without any response is notable. Since TCP SYN flooding attacks use forged source IP addresses, it is obvious that I would not receive any response.

If you run 'netstat -nautlp' on the attacked system, you should notice that the number of connections in SYN_RECV state increases exponentially.

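The SYN-to-ACK comparison above, as an added Python example that is not part of the original paste: it parses the io,stat table that tshark prints and flags intervals where SYNs are plentiful but pure ACKs are almost absent. The thresholds min_syn and max_ack_ratio are assumed values to tune per site, not numbers from the paste.

```python
import re

# Constructed sample: the io,stat table from the malicious capture above, embedded
# verbatim so the parser runs offline without tshark or the pcap.
MALICIOUS_IOSTAT = """\
===================================================================
IO Statistics
Interval: 60.000 secs
Column #0: tcp.flags.syn==1 && tcp.flags.ack==0
Column #1: tcp.flags == 0x0010
                | Column #0       | Column #1
Time            |frames|  bytes  |frames|  bytes
000.000-060.000   27422  1645320       0        0
060.000-120.000    8504   510240       0        0
120.000-180.000    1746   104802       6      396
===================================================================
"""

# One data row: "start-end  syn_frames syn_bytes ack_frames ack_bytes"
ROW_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_iostat(text):
    """Parse tshark io,stat output into (start, end, syn_frames, ack_frames) tuples."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            start, end, syn_frames, _syn_bytes, ack_frames, _ack_bytes = m.groups()
            rows.append((float(start), float(end), int(syn_frames), int(ack_frames)))
    return rows

def flag_syn_flood(rows, min_syn=1000, max_ack_ratio=0.1):
    """Flag intervals with many SYNs but almost no pure ACKs.
    min_syn and max_ack_ratio are assumed thresholds (not from the paste); tune per site.
    The legitimate capture shows roughly 4 ACKs per SYN, the spoofed flood shows ~0."""
    flagged = []
    for start, end, syn, ack in rows:
        ratio = ack / syn if syn else 0.0
        if syn >= min_syn and ratio <= max_ack_ratio:
            flagged.append((start, end, syn, ack, round(ratio, 4)))
    return flagged

if __name__ == "__main__":
    for start, end, syn, ack, ratio in flag_syn_flood(parse_iostat(MALICIOUS_IOSTAT)):
        print(f"{start:07.3f}-{end:07.3f}  SYN={syn:<6} ACK={ack:<4} ratio={ratio}")
```

Pipe the live tshark output into parse_iostat instead of the embedded sample to run this against a real capture.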
### Generate DDoS attack

```shell
sudo ./t50 -S --flood --dport 80 192.168.0.2
```

Better explanation than the RFC :)
http://www.youtube.com/watch?v=sUrM7_G_y7A