7. Survey all network traffic

If at all possible, use statically-linked tools and utilities mounted from a CD-R for this investigation.

You need to understand all traffic going to and from your machine; this can be time-consuming. tcpdump and ethereal are your friends here. Any traffic which you do not recognise should be treated as suspicious: use lsof to determine the process responsible for it.

Example

Darkstar has one network interface, hme0:

    tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" |
                         egrep -v "130.88.119.67.53|130.88.120.67.53"
        # grep out things we already know about

    11:18:55.486997 130.88.99.10.47865 > 130.88.124.69.6000: P 420:436(16) \
                                                                ack 161 win 8760 (DF)
    11:18:55.487853 130.88.124.69.6000 > 130.88.99.10.47865: . ack 436 win 61304 (DF)
        # why are these people not tunnelling X traffic?
    
    tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" |
                         egrep -v "130.88.119.67.53|130.88.120.67.53" |
                         egrep -v "130.88.\d\d\d.\d\d.6000"
        # egrep does not understand \d (it matches a literal "d"), so this
        # pattern excludes nothing; the bracket-expression form below works

    tcpdump -i hme0 -n | egrep -v "130.88.99.10.22" |
                         egrep -v "130.88.119.67.53|130.88.120.67.53" |
                         grep -v "130.88.[1-9][0-9][0-9].[1-9][0-9].6000"

    13:35:49.729925 130.88.119.65.59549 > 130.88.99.10.25: S \
            3404736403:3404736403(0) win 5840 <mss 1460,sackOK,timestamp \
                                                               1011349486[|tcp]> (DF)
    13:35:49.729967 130.88.99.10.25 > 130.88.119.65.59549: S \
            1333966013:1333966013(0) ack 3404736404 win 10136 <nop,nop,timestamp \
                                                267392917 1011349486,nop,[|tcp]> (DF)
        # email from UMIST email routers

    tcpdump -i hme0 -n | egrep -v "130.88.99.10.(22|25)" |
                         egrep -v "130.88.119.67.53|130.88.120.67.53" |
                         grep -v "130.88.[1-9][0-9][0-9].[1-9][0-9].6000"
        # note (22|25), an alternation: the bracket form [22|25] matches any
        # single character 2, 5 or | and would also hide port 2049 below

    13:40:51.600950 130.88.99.10.2049 > 130.88.99.9.1007: . ack 2922688 win 8760 (DF)
    13:40:51.600999 130.88.99.9.1007 > 130.88.99.10.2049: P \
                                        2922688:2924148(1460) ack 14829 win 8760 (DF)
        # 2049 is nfsd, so this is NFS traffic to/from eric

    /usr/local/sbin/tcpdump -i hme0 -n | egrep -v \
            -e "130.88.99.10.(22|25|123|2049)" -e "10.98.96.1" \
            -e "arp who|arp reply|802.1d config" \
            -e "130.88.1[1-2][0-9].67.53" \
            -e "130.88.[1-9][0-9][0-9].[1-9][0-9].6000" \
            -e "130.88.1[1-2][0-9].6[5-6].25" -e "130.88.120.194.514"
        # one -e per pattern, so no stray whitespace ends up inside the regexps
    
    14:12:05.498637 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): \
                                                              IPv4 130.88.98.2[|cdp]
    14:13:05.507362 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): \
                                                              IPv4 130.88.98.2[|cdp]

...which leaves only the CDP (Cisco Discovery Protocol) announcements from the switch, sw-umain.
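The subtraction above is done with a chain of egrep patterns, which is fragile: old-style tcpdump output separates the port from the address with a dot, so a text prefix such as "130.88.99.10.22" also matches ports 220, 2200 and so on. The following is an added example, not code from the original page or the UMIST document, that does the same subtraction by parsing each line into its endpoints and checking them against an explicit baseline. Darkstar's address, its service ports, the DNS, syslog and mail-router hosts are the ones the page's exclusions encode; the two lines involving 192.0.2.10 are constructed for the example, as is the 2222 listener they describe.

```python
"""Classify old-style tcpdump lines against a baseline of known traffic.

Baseline values (darkstar's address, its service ports, the DNS, syslog and
mail-router hosts) are the ones the page's egrep exclusions encode; the
sample lines marked "constructed" are invented for this example.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

LOCAL_HOST = "130.88.99.10"                       # darkstar's address on hme0
CAMPUS_NET = ipaddress.ip_network("130.88.0.0/16")

# Services darkstar is expected to offer (ports from the page's exclusions)
LOCAL_SERVICES = {22: "ssh", 25: "smtp", 123: "ntp", 2049: "nfs"}
# Remote services darkstar is expected to use
REMOTE_SERVICES = {
    ("130.88.119.67", 53): "dns",
    ("130.88.120.67", 53): "dns",
    ("130.88.120.194", 514): "syslog",
}
# Mail routers darkstar may deliver to (page pattern 130.88.1[1-2][0-9].6[5-6].25)
MAIL_ROUTER_RE = re.compile(r"^130\.88\.1[12][0-9]\.6[56]$")


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


# tcpdump 3.x prints "a.b.c.d.port > a.b.c.d.port:"; the port is the fifth
# dotted field, so parse it out instead of matching text prefixes with grep
_FLOW_RE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flow(line: str) -> Optional[Flow]:
    """Return the endpoints of a TCP/UDP line, or None for non-IP output."""
    m = _FLOW_RE.match(line)
    if not m:
        return None
    return Flow(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def classify(line: str) -> str:
    """'known: <why>' for baseline traffic, 'link-layer: ...' for switch/ARP
    chatter, and 'unknown' for anything that needs a closer look."""
    flow = parse_flow(line)
    if flow is None:
        if "CDP" in line or "arp who" in line or "arp reply" in line:
            return "link-layer: switch/arp chatter"
        return "unknown"
    # Orient the flow as (darkstar's port, peer host, peer port)
    if flow.src == LOCAL_HOST:
        lport, rhost, rport = flow.sport, flow.dst, flow.dport
    elif flow.dst == LOCAL_HOST:
        lport, rhost, rport = flow.dport, flow.src, flow.sport
    else:
        return "unknown"          # darkstar is not even an endpoint
    if lport in LOCAL_SERVICES:
        return f"known: {LOCAL_SERVICES[lport]} service on darkstar, peer {rhost}"
    if (rhost, rport) in REMOTE_SERVICES:
        return f"known: {REMOTE_SERVICES[(rhost, rport)]} at {rhost}"
    if rport == 25 and MAIL_ROUTER_RE.match(rhost):
        return f"known: outbound smtp to mail router {rhost}"
    if rport == 6000 and ipaddress.ip_address(rhost) in CAMPUS_NET:
        return f"known: X11 display on {rhost} (unencrypted, should be tunnelled)"
    return "unknown"


def unknown_flows(lines):
    """The lines left over once everything in the baseline is removed."""
    return [line for line in lines if classify(line) == "unknown"]


# Sample input: the first four lines are the page's own tcpdump output with
# their continuation lines joined; the last two are constructed for the example.
SAMPLE_LINES = [
    "11:18:55.486997 130.88.99.10.47865 > 130.88.124.69.6000: P 420:436(16) ack 161 win 8760 (DF)",
    "13:35:49.729925 130.88.119.65.59549 > 130.88.99.10.25: S 3404736403:3404736403(0) win 5840 <mss 1460,sackOK,timestamp 1011349486[|tcp]> (DF)",
    "13:40:51.600950 130.88.99.10.2049 > 130.88.99.9.1007: . ack 2922688 win 8760 (DF)",
    "14:12:05.498637 CDP v2, ttl=180s DevID 'TBA03170480(sw-umain)' Addr (1): IPv4 130.88.98.2[|cdp]",
    # constructed: a listener on port 2222, which the prefix "130.88.99.10.22" would hide
    "15:01:10.000001 192.0.2.10.40123 > 130.88.99.10.2222: S 1:1(0) win 5840 (DF)",
    # constructed: an outbound connection to a host that is not in the baseline
    "15:02:30.000002 130.88.99.10.33001 > 192.0.2.10.8080: S 2:2(0) win 8760 (DF)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):<60} {line[:50]}")
    print(f"\n{len(unknown_flows(SAMPLE_LINES))} flow(s) to chase with lsof")
```

Each line reported as unknown is the starting point for the lsof step mentioned above: lsof -i :2222 on darkstar, for instance, names the process holding that port. The baseline is deliberately an explicit table rather than a regular expression so that adding or removing a known service is a one-line change that cannot accidentally widen the match.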

About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple