
Read tcpdump logs

A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a tool designed to capture and analyze data traffic within a network. These tools are commonly used as investigative tools to monitor networks and identify suspicious activity. There are a wide variety of network protocol analyzers available, but some of the most common analyzers include:

  • SolarWinds NetFlow Traffic Analyzer

  • ManageEngine OpManager

  • Azure Network Watcher

  • Wireshark

  • tcpdump

This reading focuses exclusively on tcpdump, though you can apply what you learn here to many of the other network protocol analyzers you'll use as a cybersecurity analyst to defend against network intrusions. In an upcoming activity, you'll review a tcpdump data traffic log and identify a DoS attack to practice these skills.

tcpdump 

tcpdump is a command-line network protocol analyzer. It is popular and lightweight (it uses little memory and has low CPU usage), and it captures packets through the open-source libpcap library. tcpdump is text based, meaning all tcpdump commands are executed in the terminal. It is preinstalled on many Linux distributions and can also be installed on other Unix-based operating systems, such as macOS®. Because it reads raw frames from a network interface, capturing live traffic requires elevated privileges: root, or on Linux the CAP_NET_RAW capability; reading an existing capture file does not.

tcpdump provides a brief analysis of each packet and converts key information about network traffic into a format that is easy for humans to read. It prints one line per packet directly to your terminal, showing the source IP address, the destination IP address, and the port numbers being used in the communication.

Interpreting output

When a command is executed, tcpdump prints the sniffed packets to the command line. It can also save the raw packets to a capture file (the -w option) that can be read back later with tcpdump itself (the -r option) or opened in another analyzer such as Wireshark. The output of a packet capture contains many pieces of important information about the network traffic.

(Image: the types of information presented in a tcpdump packet capture.)

Some information you receive from a packet capture includes:

  • Timestamp: Each output line begins with the timestamp at which the packet was captured, formatted as hours, minutes, seconds, and fractions of a second.

  • Source IP: The packet's origin, given by its source IP address. In the output it is the address that appears before the > symbol.

  • Source port: The port number from which the packet was sent, printed after the source IP address and separated from it by a period.

  • Destination IP: The IP address the packet is being transmitted to. In the output it is the address that appears after the > symbol.

  • Destination port: The port number the packet is being transmitted to, printed after the destination IP address.

Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It will also replace port numbers with the names of the services commonly associated with those ports (for example, 80 becomes http). When analyzing logs, this slows capture, can leak your investigation through DNS lookups, and makes lines harder to match against IP-based indicators, so analysts usually run tcpdump with -n (do not resolve hostnames) or -nn (do not resolve hostnames or port names) to keep the output numeric.
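The fields described above, and the DoS pattern this reading previews for the upcoming activity, can be worked through in code. The following is an added example, not code from the Coursera reading: it parses the one-line-per-packet text that tcpdump prints for IPv4 traffic (captured with -nn, so addresses and ports are numeric; a line with a resolved service name such as http still parses, with the name kept as the port), and then looks for a SYN flood, a burst of connection attempts (TCP flags [S] with no ACK) to one destination from many sources. The sample lines, the addresses in them, and the thresholds in detect_syn_flood are constructed for the example and are assumptions, not values from the page.

```python
"""Parse tcpdump's default text output and flag a SYN-flood pattern.

Added example, not code from the Coursera reading. It assumes IPv4 lines in
the format tcpdump prints by default, e.g. (captured with -nn):

    19:54:01.000100 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# timestamp, the literal "IP", src.port > dst.port:, then optional TCP flags.
# Lines without ports (e.g. ICMP) or IPv6 lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: str            # numeric with -nn, otherwise a service name such as "http"
    dst: str
    dport: str
    flags: Optional[str]  # TCP flags as printed, e.g. "S", "S.", "P."; None for non-TCP


def parse_line(line: str) -> Optional[Packet]:
    """Return the five fields from one tcpdump output line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], m["sport"], m["dst"], m["dport"], m["flags"])


def parse_capture(text: str) -> Tuple[List[Packet], int]:
    """Parse a whole tcpdump text log; returns (packets, number of lines skipped)."""
    packets, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p is None:
            skipped += 1
        else:
            packets.append(p)
    return packets, skipped


def detect_syn_flood(packets: List[Packet], min_syns: int = 10, min_sources: int = 5) -> List[dict]:
    """Flag (dst, dport) targets that received many bare SYNs from many distinct sources.

    flags == "S" is a SYN with no ACK, i.e. a fresh connection attempt. A legitimate
    client sends one per connection; a flood sends many, often from spoofed sources.
    The thresholds are illustrative assumptions, not values from the reading.
    """
    sources = defaultdict(set)  # (dst, dport) -> set of source addresses
    counts = defaultdict(int)   # (dst, dport) -> number of bare SYNs
    for p in packets:
        if p.flags == "S":
            key = (p.dst, p.dport)
            counts[key] += 1
            sources[key].add(p.src)
    return [
        {"dst": d, "dport": port, "syns": counts[(d, port)], "sources": len(s)}
        for (d, port), s in sources.items()
        if counts[(d, port)] >= min_syns and len(s) >= min_sources
    ]


# Constructed sample, not a real capture: a normal three-way handshake, a DNS query,
# an ICMP line (no ports, so the parser skips it), then twelve bare SYNs to
# 192.168.1.10:80 from twelve different sources with no follow-up ACK.
NORMAL = """\
19:54:01.000100 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
19:54:01.000300 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [S.], seq 100, ack 2, win 65160, length 0
19:54:01.000400 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [.], ack 101, win 502, length 0
19:54:01.200000 IP 10.0.0.5.53422 > 192.168.1.1.53: 12345+ A? example.com. (29)
19:54:01.300000 IP 10.0.0.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
"""
FLOOD = "\n".join(
    f"19:54:02.{i:06d} IP 203.0.113.{i}.{40000 + i} > 192.168.1.10.80: Flags [S], seq {i}, win 1024, length 0"
    for i in range(1, 13)
)
SAMPLE = NORMAL + FLOOD + "\n"


def analyse(text: str = SAMPLE):
    """Parse a log and run the SYN-flood check; returns (packets, skipped, alerts)."""
    packets, skipped = parse_capture(text)
    return packets, skipped, detect_syn_flood(packets)


if __name__ == "__main__":
    pkts, n_skipped, alerts = analyse()
    print(f"parsed {len(pkts)} packets, skipped {n_skipped} unparsed line(s)")
    for a in alerts:
        print(f"possible SYN flood against {a['dst']}:{a['dport']}: "
              f"{a['syns']} SYNs from {a['sources']} sources")
```

To run it against real output, save a capture with `sudo tcpdump -nn -i eth0 -w capture.pcap`, print it with `tcpdump -nn -r capture.pcap > capture.txt`, and pass the file's contents to analyse(). The check is deliberately a heuristic: the attacker's sources are usually spoofed, so the count of distinct sources is a symptom rather than a list of hosts to block, and genuine traffic spikes (a popular page, a monitoring sweep) can cross the thresholds too.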

Common uses

tcpdump and other network protocol analyzers are commonly used to capture and view network communications, and to collect statistics about the network, for example when troubleshooting network performance issues. They can also be used to:

  • Establish a baseline for network traffic patterns and network utilization metrics.

  • Detect and identify malicious traffic.

  • Create customized alerts that send the right notifications when network issues or security threats arise (a feature of the larger monitoring platforms in the list above; tcpdump itself only captures and prints packets, so its output is fed to other tools for alerting).

  • Locate unauthorized instant messaging (IM) traffic or unauthorized wireless access points.

However, attackers can also use network protocol analyzers maliciously to gain information about a specific network. For example, attackers who can sniff a network segment can capture data packets that contain sensitive information, such as account usernames and passwords sent over unencrypted protocols. As a cybersecurity analyst, it's important to understand the purpose and uses of network protocol analyzers.

Key takeaways

Network protocol analyzers, like tcpdump, are common tools that can be used to monitor network traffic patterns and investigate suspicious activity. tcpdump is a command-line network protocol analyzer that is compatible with Linux/Unix and macOS®. When you run a tcpdump command, the tool outputs packet header information for each packet, such as the timestamp, the source IP address and port number, and the destination IP address and port number. Unfortunately, attackers can also use network protocol analyzers to capture data packets that contain sensitive information, such as account usernames and passwords.
