Traffic analysis in TCP/IP networks with tcpdump - Eriberto.pro.br


Traffic analysis in TCP/IP networks with tcpdump

João Eriberto Mota Filho

Curitiba, PR, 20 Sept. 2014

Eriberto - Sept. 14


Contents

• Traffic analysis
• The structure of a protocol
• The IP protocol
• The TCP protocol
• The UDP protocol
• The ICMP protocol
• The OSI model
• Technique for using tcpdump in traffic analysis
• Payloads that talk...
• Bridges in traffic analysis
• Conclusion




Traffic analysis

• Network assistant says:
  - Boss, it crashed! Everything stopped!
• Network manager says:
  - Swap the switch!
  - Now swap the router!
  - That did not do it. Swap the cables.
  - It must be the telco's link. Call them.
• Network assistant says:
  - Oh my God... I have a college assignment due today...
• Network manager says:
  - No way! And go order the pizza...


Traffic analysis

• Traffic analysis makes it possible, among other things, to:
  - Find blocking points in the network.
  - Detect network anomalies.
  - Discover faulty equipment and cabling.
  - Observe important system messages that applications do not show.
• The analysis will depend mainly on knowledge of network protocols and of the OSI model.
• To understand the protocols it is necessary to study RFCs.
• RFCs govern how the Internet works!!!


Traffic analysis

• Some RFCs that matter for traffic analysis: 768, 791, 792, 793, 2460, 6890 and all their respective updates.
• Available at http://www.rfc-editor.org and other sites.
• The tool: tcpdump.
• Other helpers: tshark, wireshark, mtr, ping, netcat, iptraf, packeth etc.
• Help for testing and study: the CORE network simulator (# apt-get install core-network on Debian Sid, Jessie and Backports).
• TCP/IP and tcpdump Pocket Reference Guide: http://www.sans.org/security-resources/tcpip.pdf


Traffic analysis

CORE network simulator (# apt-get install core-network). Available for Debian Sid, Jessie and Wheezy-backports, as well as Ubuntu releases after November 2013.




The structure of a protocol

• Network protocols have a basic structure, made up of a header and a payload (or data area).

  +----------+---------+
  |  Header  | Payload |
  +----------+---------+




The IP protocol

• IP, RFC 791. The most important protocol of the TCP/IP family.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The IP protocol

• The TTL field is important because it allows estimating the remote operating system and the number of routers between the remote host and the local one.
• By default, operating systems use initial TTL values that can be changed. Unix and direct derivatives = 255, MS Windows = 128 and GNU/Linux = 64.
• IP protocols: the protocols that are encapsulated by IP. They are listed by IANA, and a summary can be found in /etc/protocols. Examples: ICMP, TCP and UDP.


The IP protocol

• IP is used to carry other protocols. So there will always be an IP protocol in its payload.

  +-----------+------------+-------------+
  | IP header | TCP header | TCP payload |
  +-----------+------------+-------------+
              |<------ IP payload ------>|


The IP protocol

• The IP protocols that matter most for traffic analysis are TCP, UDP and ICMP.
• Among all IP protocols, only TCP and UDP use ports.




The TCP protocol

• TCP, RFC 793. The most controlled and reliable transport protocol of the TCP/IP family.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The TCP protocol

• TCP (and UDP too) is used to carry the protocols specific to users and their applications. E.g.: http, smtp, pop-3, ftp, msn, ssh, telnet, irc etc.

  +-----------+------------+-------------+
  | IP header | TCP header |    HTTP     |
  +-----------+------------+-------------+
              |            |<TCP payload>|
              |<------- IP payload ----->|


The TCP protocol

• TCP is connection-oriented and guarantees the connection by means of the three-way handshake.
• It is a full-duplex protocol.
• In a network, regardless of the protocol, it is always the client that initiates the connection.
• There is no network without a server.


The TCP protocol - flags

• TCP flags:
  - Syn (synchronize): starts connections.
  - Fin (finish): ends connections.
  - Psh (push): sends data.
  - Ack (acknowledgment): confirms that the sequence number of the next segment to be sent by the other side is known.
  - Rst (reset): "I did not understand".

IMPORTANT: TCP flags are fired at ports, and only the push flag carries a payload.


The TCP protocol

cygnus:~# tcpdump -nSt host www.eriberto.pro.br
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [S], seq 747415379, win 5840, options [mss 1460,sackOK,TS val 11081666 ecr 0,nop,wscale 6], length 0
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [S.], seq 2372044971, ack 747415380, win 5840, options [mss 1460], length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [.], ack 2372044972, win 5840, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [P.], seq 747415380:747415928, ack 2372044972, win 5840, length 548
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [.], ack 747415928, win 6576, length 0
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [P.], seq 2372044972:2372045807, ack 747415928, win 6576, length 835
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [.], ack 2372045807, win 6680, length 0
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [F.], seq 2372045807, ack 747415928, win 6576, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [.], ack 2372045808, win 6680, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [F.], seq 747415928, ack 2372045808, win 6680, length 0
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [.], ack 747415929, win 6576, length 0


The TCP protocol

cygnus:~# tcpdump -nStA host www.eriberto.pro.br
[...]
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [P.], seq 747415380:747415928, ack 2372044972, win 5840, length 548
E..L..@.@.
...J7)..t.P,..T.b..P....Z..GET /teste.html HTTP/1.1
Host: www.eriberto.pro.br
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.1.10) Gecko/20100623 Iceweasel/3.5.10 (like Firefox/3.5.10)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
[...]
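An added example, not part of the slides: a Python decoder for the IPv4 and TCP headers laid out in the IP and TCP slides, applied to the header bytes that the -A dump above prints as "E..L..@.@." (E = 0x45 is version 4 with IHL 5, L = 0x4c is the low byte of total length 588, the two "@" are the DF flag byte and TTL 64), followed by the TTL-based OS and hop-count estimate from the TTL slide. The identification and checksum bytes, which tcpdump shows as ".", are constructed here, and all function names are the example's own.

```python
# Added example (not from the slides): decode the IPv4 and TCP headers
# that tcpdump -A shows as "E..L..@.@." in the deck, then estimate the
# sender's OS family and hop count from the TTL using the deck's default
# initial TTLs (Unix 255, MS Windows 128, GNU/Linux 64).
import struct

# Initial TTLs as listed in the deck; the smallest default >= observed TTL wins.
DEFAULT_TTLS = {64: "GNU/Linux", 128: "MS Windows", 255: "Unix and direct derivatives"}

# tcpdump's flag letters in the order it prints them ("." stands for ACK).
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                    (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

# Constructed sample: 20-byte IPv4 + 20-byte TCP header of the deck's
# "GET /teste.html" segment (10.1.1.15:49012 -> 74.55.41.178:80, 548 bytes
# of data, total length 20 + 20 + 548 = 588). Bytes tcpdump printed as
# letters (E, L, @, J7), t, P, comma, T, b) are exact; the identification
# and checksum fields, printed as ".", are made up here.
SAMPLE = bytes.fromhex(
    "4500024c"   # version 4, IHL 5, TOS 0, total length 0x024c = 588
    "1234"       # identification (constructed)
    "4000"       # flags: DF set, fragment offset 0
    "4006"       # TTL 64, protocol 6 = TCP
    "abcd"       # header checksum (constructed)
    "0a01010f"   # source 10.1.1.15
    "4a3729b2"   # destination 74.55.41.178
    "bf74"       # source port 49012
    "0050"       # destination port 80
    "2c8ca754"   # sequence number 747415380
    "8d6288ac"   # acknowledgment number 2372044972
    "5018"       # data offset 5 (20 bytes), flags PSH + ACK
    "16d0"       # window 5840
    "005a"       # checksum (constructed)
    "0000"       # urgent pointer
)

def parse_ipv4(buf):
    """Split an IPv4 header (the RFC 791 layout in the deck) into fields."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total, ident, ff, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(buf):
        raise ValueError("not a valid IPv4 header")
    return {"version": version, "ihl": ihl, "tos": tos, "total_length": total,
            "id": ident, "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000),
            "frag_offset": ff & 0x1FFF, "ttl": ttl, "protocol": proto,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "payload": buf[ihl:total]}

def parse_tcp(buf):
    """Split a TCP header (the RFC 793 layout in the deck) into fields."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", buf[:20])
    offset = (off_flags >> 12) * 4
    flags = "".join(letter for bit, letter in TCP_FLAG_LETTERS if off_flags & bit)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": offset,
            "flags": flags, "window": window, "payload": buf[offset:]}

def estimate_from_ttl(ttl):
    """Guess (OS family, routers crossed) from an observed TTL, per the deck's defaults."""
    candidates = [d for d in DEFAULT_TTLS if d >= ttl]
    if not candidates:
        return None, None
    initial = min(candidates)
    return DEFAULT_TTLS[initial], initial - ttl

def decode(buf):
    """Decode IP, then TCP if the IP protocol field says 6; add the TTL estimate."""
    ip = parse_ipv4(buf)
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    os_guess, hops = estimate_from_ttl(ip["ttl"])
    length = ip["total_length"] - ip["ihl"] - (tcp["data_offset"] if tcp else 0)
    return {"ip": ip, "tcp": tcp, "os_guess": os_guess, "hops": hops, "payload_length": length}

def tcpdump_line(buf):
    """Render the decoded headers in tcpdump -nS style."""
    d = decode(buf)
    ip, tcp = d["ip"], d["tcp"]
    if tcp is None:
        return "IP %s > %s: proto %d, ttl %d" % (ip["src"], ip["dst"], ip["protocol"], ip["ttl"])
    return "IP %s.%d > %s.%d: Flags [%s], seq %d, ack %d, win %d, length %d" % (
        ip["src"], tcp["sport"], ip["dst"], tcp["dport"], tcp["flags"],
        tcp["seq"], tcp["ack"], tcp["window"], d["payload_length"])

if __name__ == "__main__":
    d = decode(SAMPLE)
    print(tcpdump_line(SAMPLE))
    print("TTL %d: probably %s, %d routers away" % (d["ip"]["ttl"], d["os_guess"], d["hops"]))
```

A TTL of 64 with zero routers in between is consistent with the deck's capture being taken on the sending host itself; a TTL that does not sit just below any default is the kind of oddity worth a second look during analysis.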


The TCP protocol

cygnus:~# tcpdump -nSt port 81
IP 10.1.1.15.47887 > 200.17.202.1.81: Flags [S], seq 2535659221, win 5840, options [mss 1460,sackOK,TS val 295864 ecr 0,nop,wscale 6], length 0
IP 200.17.202.1.81 > 10.1.1.15.47887: Flags [R.], seq 0, ack 2535659222, win 0, length 0


The TCP protocol

2008-04-30 02:52:37.137288 IP 192.168.1.100.52075 > 161.148.185.130.3456: Flags [S], seq 3214674887, win 5840, options [mss 1460,sackOK,TS val 810225 ecr 0,nop,wscale 7], length 0
2008-04-30 02:52:37.152227 IP 161.148.185.130.3456 > 192.168.1.100.52075: Flags [R.], seq 2748955468, ack 3214674888, win 62780, length 0


The TCP protocol

cygnus:~# tcpdump -nSt host hamurabi.acc.umu.se
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [S], seq 1134470901, win 5840, options [mss 1460,sackOK,TS val 547187 ecr 0,nop,wscale 6], length 0
IP 130.239.18.165.80 > 10.1.1.15.36306: Flags [S.], seq 1887642709, ack 1134470902, win 5792, options [mss 1460,sackOK,TS val 324228655 ecr 547187,nop,wscale 7], length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [.], ack 1887642710, win 92, options [nop,nop,TS val 547265 ecr 324228655], length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [P.], seq 1134470902:1134471443, ack 1887642710, win 92, options [nop,nop,TS val 547265 ecr 324228655], length 541
IP 130.239.18.165.80 > 10.1.1.15.36306: Flags [.], ack 1134471443, win 54, options [nop,nop,TS val 324228688 ecr 547265], length 0
[...] Ctrl c
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [F.], seq 1134471443, ack 1888127990, win 3563, options [nop,nop,TS val 549148 ecr 324229384,nop,nop,sack 2 {1888135190:1888148150}{1888129430:1888130870}], length 0
IP 130.239.18.165.80 > 10.1.1.15.36306: Flags [P.], seq 1888148150:1888149590, ack 1134471443, win 54, options [nop,nop,TS val 324229401 ecr 549051], length 1440
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [R], seq 1134471443, win 0, length 0


The TCP protocol

IP6 2001::10.33467 > 2001:1::10.80: Flags [S], seq 4052414885, win 14400, options [mss 1440,sackOK,TS val 222843 ecr 0,nop,wscale 7], length 0
IP6 2001:1::10.80 > 2001::10.33467: Flags [S.], seq 3060786677, ack 4052414886, win 14280, options [mss 1440,sackOK,TS val 222843 ecr 222843,nop,wscale 7], length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [.], ack 1, win 113, options [nop,nop,TS val 222843 ecr 222843], length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [P.], seq 1:237, ack 1, win 113, options [nop,nop,TS val 222844 ecr 222843], length 236
IP6 2001:1::10.80 > 2001::10.33467: Flags [.], ack 237, win 120, options [nop,nop,TS val 222844 ecr 222844], length 0
IP6 2001:1::10.80 > 2001::10.33467: Flags [P.], seq 1:725, ack 237, win 120, options [nop,nop,TS val 222845 ecr 222844], length 724
IP6 2001::10.33467 > 2001:1::10.80: Flags [.], ack 725, win 124, options [nop,nop,TS val 222845 ecr 222845], length 0
IP6 2001:1::10.80 > 2001::10.33467: Flags [F.], seq 725, ack 237, win 120, options [nop,nop,TS val 222845 ecr 222845], length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [F.], seq 237, ack 726, win 124, options [nop,nop,TS val 222845 ecr 222845], length 0
IP6 2001:1::10.80 > 2001::10.33467: Flags [.], ack 238, win 120, options [nop,nop,TS val 222845 ecr 222845], length 0
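An added example, not part of the slides: a small Python tracker that reads tcpdump -nSt lines like the traces above (the sample is the deck's own traces with the options list dropped, plus one constructed handshake whose SYN-ACK acknowledges the wrong number) and classifies each connection the way the flags slide reads them: handshake completed, port refused by [R.], closed by [F.] from both sides, or aborted by [R]. Class and function names are the example's own.

```python
# Added example (not from the slides): follow each TCP connection through
# tcpdump -nSt "Flags [...]" lines: [S] opens, [S.] must acknowledge the
# client's ISN + 1, [.] completes the handshake, [F.] from both sides closes,
# [R] aborts, and [R.] answering a bare SYN means the port is closed.
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]
PKT_RE = re.compile(r"\b(IP6?) (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

class Conn:
    def __init__(self, client: Endpoint, server: Endpoint) -> None:
        self.client, self.server = client, server
        self.state = "syn-sent"
        self.syn_seq: Optional[int] = None
        self.fins = set()                          # sides that have sent FIN
        self.bytes = {"client": 0, "server": 0}    # payload bytes per direction
        self.notes = []                            # anomalies worth a look

def _num(field: str, line: str) -> Optional[int]:
    # \b keeps "ack" from matching inside "sackOK" in an options list
    m = re.search(r"\b%s (\d+)" % field, line)
    return int(m.group(1)) if m else None

def parse_line(line: str):
    """Return (proto, src, dst, flags, seq, ack, length); None for non-packet lines."""
    m = PKT_RE.search(line)
    if not m:
        return None
    proto, sa, sp, da, dp, flags = m.groups()
    return (proto, (sa, int(sp)), (da, int(dp)), flags,
            _num("seq", line), _num("ack", line), _num("length", line) or 0)

def track(text: str) -> Dict[tuple, Conn]:
    conns: Dict[tuple, Conn] = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        proto, src, dst, flags, seq, ack, length = pkt
        key = (proto,) + tuple(sorted([src, dst]))
        if "S" in flags and "." not in flags:
            conn = conns[key] = Conn(src, dst)     # the bare SYN comes from the client
            conn.syn_seq = seq
            continue
        conn = conns.get(key)
        if conn is None:
            continue                               # no SYN seen for this pair
        side = "client" if src == conn.client else "server"
        conn.bytes[side] += length                 # SYN, FIN and pure ACKs add 0
        if "S" in flags:                           # SYN-ACK
            if conn.syn_seq is not None and ack == conn.syn_seq + 1:
                conn.state = "syn-ack-seen"
            else:
                conn.notes.append("SYN-ACK does not acknowledge ISN + 1")
        elif "R" in flags:
            conn.state = "refused" if conn.state == "syn-sent" else "reset by " + side
        elif "F" in flags:
            conn.fins.add(side)
            conn.state = "closed" if len(conn.fins) == 2 else "closing"
        elif flags == "." and conn.state == "syn-ack-seen" and side == "client":
            conn.state = "established"
    return conns

def summarize(text: str) -> Dict[str, dict]:
    out = {}
    for conn in track(text).values():
        name = "%s.%d > %s.%d" % (conn.client + conn.server)
        out[name] = {"state": conn.state, "client_bytes": conn.bytes["client"],
                     "server_bytes": conn.bytes["server"], "notes": conn.notes}
    return out

# The deck's own traces, one packet per line with the options list dropped.
SAMPLE_TRACE = """\
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [S], seq 747415379, win 5840, length 0
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [S.], seq 2372044971, ack 747415380, win 5840, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [.], ack 2372044972, win 5840, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [P.], seq 747415380:747415928, ack 2372044972, win 5840, length 548
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [P.], seq 2372044972:2372045807, ack 747415928, win 6576, length 835
IP 74.55.41.178.80 > 10.1.1.15.49012: Flags [F.], seq 2372045807, ack 747415928, win 6576, length 0
IP 10.1.1.15.49012 > 74.55.41.178.80: Flags [F.], seq 747415928, ack 2372045808, win 6680, length 0
IP 10.1.1.15.47887 > 200.17.202.1.81: Flags [S], seq 2535659221, win 5840, length 0
IP 200.17.202.1.81 > 10.1.1.15.47887: Flags [R.], seq 0, ack 2535659222, win 0, length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [S], seq 1134470901, win 5840, length 0
IP 130.239.18.165.80 > 10.1.1.15.36306: Flags [S.], seq 1887642709, ack 1134470902, win 5792, length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [.], ack 1887642710, win 92, length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [F.], seq 1134471443, ack 1888127990, win 3563, length 0
IP 10.1.1.15.36306 > 130.239.18.165.80: Flags [R], seq 1134471443, win 0, length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [S], seq 4052414885, win 14400, length 0
IP6 2001:1::10.80 > 2001::10.33467: Flags [S.], seq 3060786677, ack 4052414886, win 14280, length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [.], ack 1, win 113, length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [P.], seq 1:237, ack 1, win 113, length 236
IP6 2001:1::10.80 > 2001::10.33467: Flags [F.], seq 725, ack 237, win 120, length 0
IP6 2001::10.33467 > 2001:1::10.80: Flags [F.], seq 237, ack 726, win 124, length 0
"""

# Constructed: a SYN-ACK whose ack does not equal the client's ISN + 1.
BAD_TRACE = """\
IP 10.1.1.15.40000 > 10.1.1.1.22: Flags [S], seq 100, win 5840, length 0
IP 10.1.1.1.22 > 10.1.1.15.40000: Flags [S.], seq 500, ack 200, win 5840, length 0
"""
```

Run `summarize(SAMPLE_TRACE + BAD_TRACE)` to get one entry per client/server pair; the port-81 trace comes out as "refused" and the hamurabi trace as "reset by client", which is how the slides read them.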




The UDP protocol

• UDP, RFC 768. The fastest transport protocol of the TCP/IP family.

     0      7 8     15 16    23 24    31
    +--------+--------+--------+--------+
    |     Source      |   Destination   |
    |      Port       |      Port       |
    +--------+--------+--------+--------+
    |                 |                 |
    |     Length      |    Checksum     |
    +--------+--------+--------+--------+


The UDP protocol

• Only the TCP and UDP protocols have ports.
• Whenever there is a new TCP or UDP connection, the client's port will change.




The ICMP protocol

• ICMP, RFC 792. The control protocol of the TCP/IP network.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |     Code      |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           ICMP...                             |

• Examples:
  - Type 8: echo request.
  - Type 0: echo reply.
  - Type 3, code 3: destination port unreachable.
  - Type 11, code 0: TTL expired in transit.


The ICMP protocol

• ICMP is used to control network activities.
• Generally speaking, only TCP is not assisted by ICMP.
• There are many ICMP types and codes.
• Do not block ICMP on networks!!! That does not create security, it creates loss of control. If need be, control some ICMP types.
• Use packet filters, such as Netfilter, to cap the number of echo requests allowed. Example:

# iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit 10/s -j ACCEPT
# iptables -A FORWARD -p icmp --icmp-type 8 -j DROP


The ICMP protocol

cygnus:~# tcpdump -nSt port 54 or icmp
IP 10.1.1.15.47014 > 10.1.1.1.54: UDP, length 6
IP 10.1.1.1 > 10.1.1.15: ICMP 10.1.1.1 udp port 54 unreachable, length 42


The ICMP protocol

21:03:42.745064 IP 201.22.137.119 > 10.1.4.25: ICMP 65.54.179.248 unreachable - need to frag (mtu 1492), length 556




The OSI model

• A model created by ISO so that network hardware manufacturers can develop equipment that is compatible with each other.

  Layer          Unit          Examples
  Application    Data          User, http, ftp, smtp, pop3, chat etc.
  Presentation   Data          SSL, conversion between standards, de/compression
  Session        Data          Application sessions
  Transport      Segments      TCP, UDP
  Network        Packets[1]    IP and IP protocols (except TCP and UDP) / router
  Data link      Frames[2]     Ethernet, ATM, PPP, frame relay / switch, bridge
  Physical       Bits          Hub, cables, network card, wireless waves etc.

  [1] packets or datagrams
  [2] frames


The OSI model

• The OSI model, in practice, is a reference for the encapsulation of
data and protocols, with preparation and control levels.

• An example, using the HTTP protocol as the application:

Layer           Role                 Element
Application     Encapsulation        HTTP
Presentation    Preparation
Session         Control
Transport       Encap. / Control     TCP header
Network         Encap. / Control     IP (v4 and v6) header
Data link       Encap. / Control     Ethernet header
Physical        Dispatch


The OSI model

• It is important to stress that the transport protocols (TCP and
UDP) exist to "transport" data belonging to users. If there are no
users, there will be no layers 4 to 7.

(figure: the same HTTP over TCP / IP / Ethernet encapsulation diagram as on the previous slide)




Technique for using tcpdump in traffic analysis

• Case 1: traffic blocked at an intermediate network element
(badly written filtering rules, a routing error, etc.).

(figure: a network path with the direction of the traffic marked)


Technique for using tcpdump in traffic analysis

• Apply tcpdump along the topology to find the blocking point.

(figure: the same path; what tcpdump sees at each successive element,
in the direction of the traffic: Syn  Syn  Syn  Syn  Nothing)


Technique for using tcpdump in traffic analysis

• Case 2: traffic blocked by a physical failure in the topology.

(figure: a network path with the direction of the traffic marked)


Technique for using tcpdump in traffic analysis

• Apply tcpdump along the topology to find the point of failure.

(figure: what tcpdump sees at each successive element, in the
direction of the traffic: Syn  Syn  Syn  Nothing)
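One way to script the walk along the topology that the two cases describe, as an added example that is not part of the slides: at each element, in the direction of the traffic, capture only the client's SYN segments; the first element that sees nothing after one that saw the SYN brackets the faulty link or device. The hop names (fw1, rt1, rt2, rt3), the interface name, the addresses (taken from the documentation ranges) and the per-hop capture files are all constructed for the example.

```shell
#!/bin/sh
# Hop-by-hop SYN check (added example, not from the slides).
# Assumptions: the tcpdump text output collected at each hop was saved to
# a file; hop names, interface and addresses below are constructed.

# BPF filter for the client's connection attempts only: SYN set, ACK clear.
syn_filter() {
    # $1 = client IP, $2 = server IP, $3 = server TCP port
    printf 'src host %s and dst host %s and dst port %s and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' \
        "$1" "$2" "$3"
}

# The tcpdump command to run on one hop (printed here, not executed):
# -n avoids DNS lookups, -i selects the interface the traffic enters on,
# -c stops after a few matching segments, -l line-buffers for piping.
hop_capture_cmd() {
    # $1 = interface, $2 = client IP, $3 = server IP, $4 = port
    printf "tcpdump -n -l -i %s -c 3 '%s'\n" "$1" "$(syn_filter "$2" "$3" "$4")"
}

# Did this hop's textual capture contain a pure SYN? (the "Syn" / "Nothing" of the figure)
hop_result() {
    # $1 = file holding the textual tcpdump output collected at that hop
    if grep -q 'Flags \[S\]' "$1"; then echo Syn; else echo Nothing; fi
}

# Walk the hops in traffic direction (arguments "name:file ..."). The first
# hop that saw nothing after one that saw the SYN brackets the fault.
find_block() {
    last_ok=""
    for pair in "$@"; do
        hop=${pair%%:*}
        file=${pair#*:}
        if [ "$(hop_result "$file")" = "Syn" ]; then
            last_ok=$hop
        elif [ -z "$last_ok" ]; then
            echo "no SYN seen at $hop: the client is not sending"
            return 0
        else
            echo "SYN lost between $last_ok and $hop"
            return 0
        fi
    done
    echo "SYN reached every hop up to $last_ok: look at the server itself"
}

# Constructed sample captures: the same SYN seen at the first three hops,
# nothing at the fourth (the "Syn Syn Syn Nothing" case of the slides).
make_samples() {
    dir=$(mktemp -d)
    syn='12:00:00.000001 IP 192.0.2.10.40000 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0'
    for h in fw1 rt1 rt2; do printf '%s\n' "$syn" > "$dir/$h.txt"; done
    : > "$dir/rt3.txt"
    echo "$dir"
}

d=$(make_samples)
hop_capture_cmd eth0 192.0.2.10 198.51.100.20 80
find_block "fw1:$d/fw1.txt" "rt1:$d/rt1.txt" "rt2:$d/rt2.txt" "rt3:$d/rt3.txt"
rm -rf "$d"
```

The filter deliberately excludes SYN/ACK replies, so what is compared between hops is only the client's attempt; if the SYN reaches the last element and the server still does not answer, the problem is on the server side and the payload analysis of the next section applies.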




Payloads that talk...

• In cases of connection failures to services, analyse the traffic
payload with tcpdump.

• Many servers state the causes of problems, but the applications do
not. Examples: jabber, databases, etc.

• Use the -A option to see the payload.


Payloads that talk...

Payload:

00:12:03.499715 IP 192.168.1.104.3306 > 192.168.1.101.34941: Flags [P.], seq 1:75, ack 1, win 33, options [nop,nop,TS val 23718975 ecr 5218436], length 74
E..~..@.@......h...e...}.(..@1&....!.......
.i.?.O..F....j.Host '192.168.1.101' is not allowed to connect to this MySQL server


Payloads that talk...

Payload:

16:48:26.120296 IP 172.16.10.49.3306 > 172.16.10.42.39903: Flags [P.], seq 79:162, ack 80, win 181, options [nop,nop,TS val 3773032 ecr 3202030], length 83
E....E@.@......1...*......bx........Z......
.9.h.0..O......#42000Access denied for user 'alpha31'@'172.16.10.42' to database 'wikinet3'


Payloads that talk...

Payload:

11:22:42.833577 IP 208.68.163.220.5222 > 172.16.0.1.57148: Flags [P.], seq 1:355, ack 126, win 46, options [nop,nop,TS val 1913276961 ecr 20144826], length 354
E....$@.0....D.......f.


Payloads that talk...

Payload:

16:19:50.614450 IP 172.30.1.5.3306 > 172.30.1.4.58868: Flags [P.], seq 391:467, ack 611, win 972, options [nop,nop,TS val 306116600 ecr 306114953], length 76
E...~.@.@.a=............~e..........Z......
.>...>..H......#HY000File './agenda1/webcal_entry_log.MYD' not found (Errcode: 30)
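The server messages above are easy to spot by eye on a handful of packets but not in a long capture. The following script, an added example that is not part of the slides, pulls the readable part out of `tcpdump -A` output: tcpdump prints every non-printable byte as a dot, so the IP/TCP headers turn into dot-heavy noise while the server's text survives as a long run without consecutive dots. The sample input reuses the two MySQL captures shown on the slides (with the PDF-wrapped header lines re-joined onto one line, as tcpdump prints them) plus one constructed packet carrying no message; the `payload_text` and `mysql_errors` names and the `MIN_LEN` variable are this example's own.

```shell
#!/bin/sh
# Extract readable payload text from `tcpdump -A` output (added example).
# Live usage (not executed here):  tcpdump -n -l -A -i eth0 'port 3306' | payload_text
# MIN_LEN (default 12) is the shortest run of characters worth printing.

payload_text() {
    awk -v min="${MIN_LEN:-12}" '
    # For the packet collected so far, print every run of at least min
    # characters that contains no consecutive dots, prefixed by its
    # timestamp and flow (timestamp, source, destination).
    function flush(   n, i, seg) {
        if (hdr == "") return
        n = split(body, seg, /\.\.+/)
        for (i = 1; i <= n; i++)
            if (length(seg[i]) >= min) print hdr " " seg[i]
    }
    # A packet header line, as printed with -n: "<ts> IP <src> > <dst>: Flags ..."
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ IP / {
        flush()
        hdr = $1 " " $3 " > " $5
        body = ""
        next
    }
    # Any other line is ASCII payload; newlines inside the data become spaces
    { body = (body == "") ? $0 : body " " $0 }
    END { flush() }
    '
}

# Keep only the lines that carry a MySQL error: the "#SQLSTATE" marker that
# precedes the message text, or the host-restriction message.
mysql_errors() {
    payload_text | grep -E "#[0-9A-Z]{5}|not allowed to connect"
}

# Sample input: the two MySQL captures from the slides, then one constructed
# empty ACK that must not produce any output line.
sample_capture() {
    cat <<'EOF'
00:12:03.499715 IP 192.168.1.104.3306 > 192.168.1.101.34941: Flags [P.], seq 1:75, ack 1, win 33, options [nop,nop,TS val 23718975 ecr 5218436], length 74
E..~..@.@......h...e...}.(..@1&....!.......
.i.?.O..F....j.Host '192.168.1.101' is not allowed to connect to this MySQL server
16:48:26.120296 IP 172.16.10.49.3306 > 172.16.10.42.39903: Flags [P.], seq 79:162, ack 80, win 181, options [nop,nop,TS val 3773032 ecr 3202030], length 83
E....E@.@......1...*......bx........Z......
.9.h.0..O......#42000Access denied for user 'alpha31'@'172.16.10.42' to database 'wikinet3'
12:00:00.000001 IP 192.0.2.10.40000 > 198.51.100.20.3306: Flags [.], ack 1, win 502, length 0
E..4..@.@..............
EOF
}

sample_capture | payload_text
```

A byte or two of the protocol's own binary header can survive in front of the message (the `j.` before `Host` in the first packet is the MySQL packet length and sequence bytes, which happen to be printable); the run-length threshold removes the rest of the noise without any knowledge of the protocol, which is what makes the same filter usable for jabber or any other text-talking service.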




Bridges in traffic analysis

• Bridges are elements that act at layer 2 of the OSI model and
behave like switches (and they are invisible!).

• If the network devices do not allow the use of tcpdump
(proprietary routers, etc.), use a notebook with two network cards
configured as a bridge to do the analysis.

• The -e option in tcpdump shows the link layer of the traffic.

• The second network card can be a USB-Ethernet adapter.

• Bridges on Debian: http://bit.ly/bridge_debian


Bridges in traffic analysis

• Using a bridge in traffic analysis.

(figure: the notebook inserted in the path as a BRIDGE, with the caption:)
USB-Ethernet adapter (sold in shops, on Mercado Livre and on eBay).
It costs US$ 3.50 on eBay, delivery to Brazil included!
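The following script is an added example, not code from the slides nor from the linked Debian article: it builds the two-card bridge with iproute2 `ip link` commands (the article's own method may differ), prints the capture command with -e, and then splits one `tcpdump -e -n` line into the OSI layers 2, 3 and 4 that the encapsulation slides describe. The interface names br0, eth0 and eth1, the MAC addresses and the sample line are constructed; `DRY_RUN` is this example's own switch and defaults to printing the commands instead of running them.

```shell
#!/bin/sh
# Two-NIC layer-2 bridge plus a dissection of tcpdump -e output by OSI layer
# (added example; interface names and the sample line are constructed).

# DRY_RUN defaults to 1 (commands are only printed); run as root with
# DRY_RUN=0 to really create the bridge.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Enslave both NICs to a bridge. No IP address is assigned to any of the
# three interfaces, so the notebook forwards frames without being
# addressable on the wire (the "invisible" bridge of the slides).
bridge_setup() {
    br=${1:-br0}; nic1=${2:-eth0}; nic2=${3:-eth1}
    run ip link add name "$br" type bridge
    run ip link set dev "$nic1" master "$br"
    run ip link set dev "$nic2" master "$br"
    run ip link set dev "$nic1" up
    run ip link set dev "$nic2" up
    run ip link set dev "$br" up
}

# Capture on the bridge: -e adds the link layer, -n keeps addresses numeric.
bridge_capture_cmd() { echo "tcpdump -e -n -i ${1:-br0}"; }

# Split one "tcpdump -e -n" line into the fields of each layer. Expected shape:
#   <ts> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <src.port> > <dst.port>: Flags [..], ...
# Results are left in ts, src_mac, dst_mac, ethertype, src_ip, src_port,
# dst_ip, dst_port and tcp_flags.
dissect() {
    line=$1
    ts=${line%% *}
    rest=${line#* }
    src_mac=${rest%% *}
    rest=${rest#*" > "}
    dst_mac=${rest%%,*}
    rest=${rest#*"ethertype "}
    ethertype=${rest%% *}
    rest=${rest#*": "}            # skip "(0x0800), length N: "
    src=${rest%% *}
    rest=${rest#*" > "}
    dst=${rest%%:*}
    rest=${rest#*": "}
    tcp_flags=${rest%%,*}
    src_ip=${src%.*}; src_port=${src##*.}   # tcpdump -n prints host.port
    dst_ip=${dst%.*}; dst_port=${dst##*.}
}

# One line per OSI layer, bottom-up, as the frame is unwrapped.
layers() {
    dissect "$1"
    printf 'L2 Ethernet: %s -> %s, ethertype %s\n' "$src_mac" "$dst_mac" "$ethertype"
    printf 'L3 %s: %s -> %s\n' "$ethertype" "$src_ip" "$dst_ip"
    printf 'L4 TCP: port %s -> port %s, %s\n' "$src_port" "$dst_port" "$tcp_flags"
}

# Constructed sample line, in the format tcpdump -e -n prints for a TCP SYN
sample='12:00:00.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0'

bridge_setup br0 eth0 eth1
bridge_capture_cmd br0
layers "$sample"
```

Without -e the first line of each packet starts at the IP layer; with -e the MAC addresses and the ethertype come first, which is what makes a bridge capture useful for spotting layer-2 problems (wrong VLAN, a switch forwarding to the wrong port, ARP answered by the wrong host) that an IP-only view hides.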




Conclusion

• Traffic analysis is fundamental knowledge for anyone who works
with computer networks. Without it, in moments of outages and network
problems, the administrator will be a mere tester of unfounded
possibilities.

• The tcpdump tool is the best ally in traffic analysis. However,
other tools such as wireshark and mtr can be useful, mainly for study
and learning.

• Payloads say important things... listen to them!

• Do not block ICMP in networks! Without it there will be a loss of
control.

continued...


Conclusion

References (using tcpdump) for study:

• MOTA FILHO, João Eriberto. Análise de tráfego em redes TCP/IP.
Editora Novatec, 2013.

• STEVENS, W. Richard; FALL, Kevin R. TCP/IP Illustrated, Volume
I, 2nd edition. Addison-Wesley, 2011.

• WIRESHARK.ORG. Sample captures section of the site, at
http://wiki.wireshark.org/SampleCaptures.

This talk is available at:

http://eriberto.pro.br

Follow me on Twitter: @eribertomota
