Basic tcpdump example

tcpdump is a command-line tool for analysing network traffic. With it we can see the packets sent to and from a network interface in their "natural state", that is, exactly as they travel on the wire. So if an unencrypted protocol such as telnet, FTP or HTTP is in use, we can read what the FTP server sends to the client and, at the same time, what the client sends to the server, starting with the username and password.

Let's look at a brief example: capturing the packets of an FTP session (the FTP command channel, TCP port 21).

For this example we used a Windows client (192.168.0.4) running the command-line ftp client, a Pure-FTPd server at 192.168.0.6, and tcpdump listening on eth0 with its stdout and stderr redirected to the file tcpdump.txt.

Example:

Now let's look at the results, first in the Windows command prompt and then in the tcpdump.txt file to which we redirected tcpdump's stderr and stdout. Note that tcpdump writes the packet lines to stdout and its closing statistics ("38 packets captured", and so on) to stderr; when both go to the same file, stdout is block-buffered while stderr is not, so those statistics end up at the top of the file although tcpdump printed them last, when it was stopped. The -l option makes stdout line-buffered if you need the two streams to appear in order.

[CODE]
ftp 192.168.0.6
Connected to 192.168.0.6.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 14:42. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.0.6:(none)): pepe
331 User pepe OK. Password required
Password:
530 Login authentication failed
Login failed.
>close
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
>open 192.168.0.6
Connected to 192.168.0.6.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 14:42. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.0.6:(none)): luciano
331 User luciano OK. Password required
Password:
230 OK. Current directory is /home/luciano
>by
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
[/CODE]

[CODE]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
38 packets captured
38 packets received by filter
0 packets dropped by kernel
093486765(0) win 16384
E..0.v@....H
.......|.......p.@.............

14:47:34.557498 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: S 2925739634:2925739634(0) ack 2093486766 win 5840
E..0..@.@.&.
........c>r|...p...............

14:47:34.557556 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: . ack 1 win 17520
E..(.w@....O
.......|....c>sP.Dp.=........

14:47:34.379708 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 1:321(320) ack 1 win 5840
E..hp.@.@...
........c>s|...P....u..220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 14:47. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

14:47:34.516066 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: . ack 321 win 17200
E..(..@....;
.......|....c?.P.C0.=........

14:47:37.271760 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: P 1:12(11) ack 321 win 17200
E..3..@.....
.......|....c?.P.C08...USER pepe

14:47:37.271823 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: . ack 12 win 5840
E..(p.@.@...
........c?.|...P.......

14:47:37.272347 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 321:358(37) ack 12 win 5840
E..Mp.@.@...
........c?.|...P....W..331 User pepe OK. Password required

14:47:37.433257 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: . ack 358 win 17163
E..(..@....&
.......|....c?.P.C..2........

14:47:40.887394 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: P 12:27(15) ack 358 win 17163
E..7..@.....
.......|....c?.P.C.Z...PASS pepepass

14:47:40.928542 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: . ack 27 win 5840
E..(p.@.@...
........c?.|...P....^..

14:47:52.703447 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 358:391(33) ack 27 win 5840
E..Ip.@.@...
........c?.|...P.......530 Login authentication failed

14:47:52.824051 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: . ack 391 win 17130
E..(..@.....
.......|....c?.P.B..#........

14:47:54.649346 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: P 27:33(6) ack 391 win 17130
E.....@.....
.......|....c?.P.B. b..QUIT

14:47:54.649413 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: . ack 33 win 5840
E..(p.@.@...
........c?.|...P....7..

14:47:56.912427 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 391:458(67) ack 33 win 5840
E..kp.@.@...
........c?.|...P...XP..221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

14:47:56.913919 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: F 458:458(0) ack 33 win 5840
E..(p.@.@...
........c@<|...P.......

14:47:56.914340 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: . ack 459 win 17063
E..(..@.....
.......|....c@=P.B...........

14:47:56.914345 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: R 33:33(0) ack 459 win 0
E..(..@.....
.......|....c@=P...
.........

14:48:04.680108 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: S 1009100365:1009100365(0) win 16384
E..0.B@....|
.......<%.M....p.@.9...........

14:48:04.680236 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: S 3481964295:3481964295(0) ack 1009100366 win 5840
E..0..@.@.&.
...........<%.Np....O..........

14:48:04.680352 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: . ack 1 win 17520
E..(.C@.....
.......<%.N....P.Dp.s........

14:48:09.995764 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: P 1:321(320) ack 1 win 5840
E..h..@.@.&.
...........<%.NP.......220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 14:48. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

14:48:10.126131 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: . ack 321 win 17200
E..(.n@....X
.......<%.N...HP.C0.s........

14:48:12.741696 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: P 1:15(14) ack 321 win 17200
E..6.}@....;
.......<%.N...HP.C0....USER luciano

14:48:12.741755 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: . ack 15 win 5840
E..(..@.@.(.
..........H<%.\P.../...

14:48:12.742292 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: P 321:361(40) ack 15 win 5840
E..P..@.@.'.
..........H<%.\P.......331 User luciano OK. Password required

14:48:12.942759 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: . ack 361 win 17160
E..(..@....B
.......<%.\...pP.C..e........

14:48:15.765483 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: P 15:29(14) ack 361 win 17160
E..6..@....1
.......<%.\...pP.C.....PASS luciano

14:48:15.803185 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: . ack 29 win 5840
E..(..@.@.(.
..........p<%.jP.../...

14:48:21.058831 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: P 361:574(213) ack 29 win 5840
E.....@.@.'B
..........p<%.jP...?]..230 OK. Current directory is /home/luciano

14:48:21.191415 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: . ack 574 win 16947
E..(..@....
.......<%.j...EP.B3.W........

14:48:24.176680 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: P 29:35(6) ack 574 win 16947
E.....@.....
.......<%.j...EP.B3[...QUIT

14:48:24.176747 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: . ack 35 win 5840
E..(..@.@.(.
..........E<%.pP.......

14:48:24.177144 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: P 574:641(67) ack 35 win 5840
E..k..@.@.'.
..........E<%.pP.......221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

14:48:24.178496 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: F 641:641(0) ack 35 win 5840
E..(..@.@.(.
...........<%.pP....p..

14:48:24.178776 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: . ack 642 win 16880
E..(..@.....
.......<%.p....P.A..P........

14:48:24.178975 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: R 35:35(0) ack 642 win 0
E..(..@.....
.......<%.p....P...E<........
[/CODE]
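The capture above has the shape of tcpdump's ASCII output: one header line per packet ("time IP src > dst: flags ..."), then the packet bytes rendered as text with non-printable bytes shown as dots, so the FTP commands and replies are readable in the clear. The following script, added here as an example and not part of the original post, walks such a listing packet by packet, pairs each client's USER/PASS with the server's final reply on the reverse flow, and reports whether the credentials worked. The input is a constructed excerpt of this page's capture; the flow-keying and reply-code handling are this example's own design, not something tcpdump does for you.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of this page's capture, in tcpdump ASCII text form: a
# header line per packet, then the packet bytes rendered as text (non-printable
# bytes shown as '.'); the FTP commands and replies are readable in the clear.
SAMPLE = r"""14:47:37.271760 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: P 1:12(11) ack 321 win 17200
E..3..@.....
.......|....c?.P.C08...USER pepe
14:47:37.272347 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 321:358(37) ack 12 win 5840
E..Mp.@.@...
........c?.|...P....W..331 User pepe OK. Password required
14:47:40.887394 IP 192.168.0.4.local.4795 > 192.168.0.6.local.ftp: P 12:27(15) ack 358 win 17163
E..7..@.....
.......|....c?.P.C.Z...PASS pepepass
14:47:52.703447 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4795: P 358:391(33) ack 27 win 5840
E..Ip.@.@...
........c?.|...P.......530 Login authentication failed
14:48:12.741696 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: P 1:15(14) ack 321 win 17200
E..6.}@....;
.......<%.N...HP.C0....USER luciano
14:48:15.765483 IP 192.168.0.4.local.4812 > 192.168.0.6.local.ftp: P 15:29(14) ack 361 win 17160
E..6..@....1
.......<%.\...pP.C.....PASS luciano
14:48:21.058831 IP 192.168.0.6.local.ftp > 192.168.0.4.local.4812: P 361:574(213) ack 29 win 5840
E.....@.@.'B
..........p<%.jP...?]..230 OK. Current directory is /home/luciano
"""

# Packet header: timestamp, then "src > dst:" followed by TCP flags etc.
HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): ")
# FTP login commands as they appear after the '.'-rendered header bytes.
COMMAND = re.compile(r"(USER|PASS) (\S+)")
# Final reply line is "NNN text"; a multi-line continuation is "NNN-text" and
# is deliberately not matched, so "230-..." lines never decide the outcome.
REPLY = re.compile(r"(?<!\d)(\d{3}) ")


@dataclass
class Login:
    client: str
    server: str
    user: str = ""
    password: str = ""
    result: str = "incomplete"   # "success" or "failure" once PASS is answered


def parse_capture(text):
    """Return one Login per client->server flow that sent USER, in capture order."""
    logins = {}
    src = dst = None                        # endpoints of the packet being read
    for line in text.splitlines():
        line = line.replace("\u2026", "...")  # undo "..." -> ellipsis web mangling
        hdr = HEADER.match(line)
        if hdr:
            src, dst = hdr.group("src"), hdr.group("dst")
            continue
        if src is None:                     # preamble / statistics lines
            continue
        cmd = COMMAND.search(line)
        if cmd:                             # client -> server command
            login = logins.setdefault((src, dst), Login(src, dst))
            if cmd.group(1) == "USER":      # a new USER restarts the attempt
                login.user, login.password, login.result = cmd.group(2), "", "incomplete"
            else:
                login.password = cmd.group(2)
            continue
        # Anything else is read as a server reply on the reverse flow; only the
        # first final reply after PASS decides the outcome (331 after USER is skipped).
        login = logins.get((dst, src))
        if login is None or not login.password or login.result != "incomplete":
            continue
        reply = REPLY.search(line)
        if reply:
            code = reply.group(1)
            if code[0] == "2":
                login.result = "success"
            elif code[0] in "45":
                login.result = "failure"
    return list(logins.values())


if __name__ == "__main__":
    for login in parse_capture(SAMPLE):
        print(f"{login.client} -> {login.server}: "
              f"{login.user} / {login.password} ({login.result})")
```

Run against the excerpt it reports pepe/pepepass as a failed login and luciano/luciano as a successful one, which is exactly what the Windows prompt showed; the same function can be pointed at the whole tcpdump.txt, and the ellipsis normalisation lets it cope with a copy of the listing that a web page has already mangled.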
