using tcpdump. tcpdump is a powerful tool that allows us to sniff network packets and make some...

Post on 15-Jan-2016

  • Using tcpdump

  • Using tcpdump
    tcpdump is a powerful tool that allows us to sniff network packets and make some statistical analysis out of those dumps. tcpdump operates by putting the network card into promiscuous mode in order to capture all the packets. Using tcpdump we can watch TCP/UDP traffic, including every TCP connection establishment and termination.

  • Using tcpdump
    Flags can be any of the following:
      S   -> SYN (synchronize sequence numbers: connection establishment)
      F   -> FIN (sender has finished sending: connection termination)
      R   -> RST (reset connection)
      P   -> PSH (push data)
      .   -> no flag is set
      ack -> Acknowledgement
      urg -> Urgent
    Note that recent tcpdump versions print the flags inside brackets, e.g. Flags [S.], and there "." stands for ACK rather than "no flag".

  • Using tcpdump
    The three-way handshake
    1. The client sends a SYN segment with the port number of the server it wants to connect to and the client's initial sequence number (line 1).
    2. The server responds with its own SYN segment containing its initial sequence number (line 2). This segment also carries the ack flag, so it acknowledges the client's SYN (ack 1412042008 + 1).
    3. The client acknowledges this SYN from the server by sending another segment containing the "." flag and an ack (line 3).

  • Using tcpdump
    Some examples:
      tcpdump -n
      tcpdump -n host
      tcpdump -n host port 80
      tcpdump -n host port 80 or 443
      tcpdump -n host and not port 22
    Other switches:
      -i  specify the network interface
      -f  send results to
      -c  capture until the specified number of packets have been captured
    (To write a raw capture to a file for later analysis, tcpdump uses -w file; -f is a different, rarely used switch.)
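The flags slide and the handshake slide above describe how to read the Flags field by eye. The script below, an added example that is not part of the original slides, does the same reading with awk: it decodes the flags of each tcpdump line and counts completed SYN / SYN+ACK / ACK handshakes per client:server pair. The sample capture is constructed (documentation addresses 192.0.2.x, the client's initial sequence number taken from the handshake slide); it assumes a POSIX sh with awk and sed and the bracketed Flags [..] output format of current tcpdump.

```shell
#!/bin/sh
# Added example (not from the slides): decode the Flags field of tcpdump
# lines and spot complete three-way handshakes. Assumes POSIX sh, awk and
# sed; the sample dump below is constructed, not captured.

# A constructed "tcpdump -n" style capture of one HTTP connection:
# SYN, SYN+ACK, ACK (the handshake), a data segment, then the FIN exchange.
sample_dump() {
    cat <<'EOF'
12:00:00.000001 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [S], seq 1412042008, win 29200, length 0
12:00:00.000101 IP 192.0.2.20.80 > 192.0.2.10.51234: Flags [S.], seq 2861742401, ack 1412042009, win 28960, length 0
12:00:00.000201 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [.], ack 1, win 229, length 0
12:00:00.000301 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [P.], seq 1:78, ack 1, win 229, length 77
12:00:00.050001 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [F.], seq 78, ack 513, win 237, length 0
12:00:00.050101 IP 192.0.2.20.80 > 192.0.2.10.51234: Flags [F.], seq 513, ack 79, win 227, length 0
12:00:00.050201 IP 192.0.2.10.51234 > 192.0.2.20.80: Flags [.], ack 514, win 237, length 0
EOF
}

# Print "src -> dst FLAG NAMES" for every tcpdump line on stdin.
# Current tcpdump prints the flags between [ ]; "." there means ACK.
decode_flags() {
    awk '
    match($0, /Flags \[[A-Z.]*\]/) {
        f = substr($0, RSTART + 7, RLENGTH - 8)   # text between [ and ]
        src = $3; dst = $5; sub(/:$/, "", dst)
        names = ""
        if (f ~ /S/)  { names = names "SYN " }
        if (f ~ /F/)  { names = names "FIN " }
        if (f ~ /R/)  { names = names "RST " }
        if (f ~ /P/)  { names = names "PSH " }
        if (f ~ /U/)  { names = names "URG " }
        if (f ~ /\./) { names = names "ACK " }
        sub(/ $/, "", names)
        print src, "->", dst, names
    }'
}

# Count completed handshakes on stdin: SYN from A to B, SYN+ACK from B to A,
# then a bare ACK from A to B, tracked per client:server pair.
count_handshakes() {
    awk '
    match($0, /Flags \[[A-Z.]*\]/) {
        f = substr($0, RSTART + 7, RLENGTH - 8)
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (f == "S") { state[src ":" dst] = 1 }
        else if (f == "S." && state[dst ":" src] == 1) { state[dst ":" src] = 2 }
        else if (f == "." && state[src ":" dst] == 2) { state[src ":" dst] = 3; n++ }
    }
    END { print n + 0 }'
}
```

On a live system (root required) the same functions read straight from the sniffer, e.g. `tcpdump -n -l -c 50 port 80 | decode_flags`; `-l` line-buffers tcpdump's output so the pipe sees each packet as it arrives, and `-c` stops after the given number of packets as on the slide.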

  • Using tcpdump
    Now some demos.

  • Unix Processes and CRON

  • What is a Process?
    A process is an instance of a running program. A process consists of:
      - a process ID
      - an owner, the user who created the process
      - a program counter that keeps track of where execution is
      - a copy of the stack and registers used by the process
      - an address space (a chunk of memory) that contains:
          text segment - executable instructions
          data segment - all the data used by the program
          user segment - process ID information

  • Unix is a Multitasking OS
    In multitasking the OS loads several processes into memory and switches rapidly amongst them. This keeps the processor busy. The processor switches processes when:
      - a program terminates
      - a program has to wait for I/O
      - a program has used up its time allotment
    The challenge of multitasking is scheduling: deciding which process should run at any given moment. The kernel is responsible for managing all of the processes.

  • The Life of a Process
    1. The user enters a command at the shell.
    2. The shell examines the command, finds the program file, and invokes the loader.
    3. The loader examines the file and loads the instructions and data into main memory.
    4. A process control block (PCB) is created and placed into the ready queue.
    5. The CPU scheduler chooses processes from the ready queue and executes them.
    6. The process gets selected and is loaded by the dispatcher.
    7. The process runs until it has to wait. After waiting it goes back into the ready queue.
    8. Repeat 5-7 until the process terminates.

  • Parent and Child Processes
    Every process, save one, has a parent process that created it. Thus, every process is a child of another one. Processes cannot be orphaned; at the very least they belong to the first process, the root process, created when the system booted. All processes have an ancestry, a hierarchy of processes between them and the root process.
    (Slide diagram: a process tree containing the root process, Shell1, Shell2, vi, cat and pine.)

  • Process Creation Functions
    fork() - processes are created by the fork system call. This call creates a new process that is identical to its parent but has its own ID.
    exec() - loads a copy of the program to be executed over the address space the process currently has. This overwrites the text and data areas of the process with the new code and data.
    wait() - waits for a child process to end.
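The shell exposes these three calls directly: `&` forks, the `exec` builtin calls exec(), and `wait` calls wait(). The script below is an added example, not from the slides, that makes each visible. It assumes a POSIX sh and a writable $TMPDIR (or /tmp); the child reports its own $PPID so the parent can confirm that fork() really made the child ours.

```shell
#!/bin/sh
# Added example (not from the slides): the shell's &, exec and wait are
# thin wrappers over fork(), exec() and wait(). Assumes a POSIX sh and a
# writable $TMPDIR (or /tmp).

# Fork a child with '&', let it exec /bin/sh, and wait for it.
# Succeeds (exit 0) when the child reports our PID as its parent,
# i.e. the child really was created by fork() from this shell.
fork_and_wait_demo() {
    out=${TMPDIR:-/tmp}/fork_demo.$$
    # '&' forks; the child process then exec()s sh, which prints its PPID
    sh -c 'echo "$PPID"' > "$out" &
    child=$!                      # the new PID, as fork() returns it to the parent
    wait "$child" || return 1     # wait() blocks until that child terminates
    parent_seen=$(cat "$out")
    rm -f "$out"
    [ "$parent_seen" = "$$" ]     # the child's parent is this shell
}

# exec() overlays the calling process: nothing after it in the same
# process ever runs. The subshell below is replaced by sh, so only
# "replaced" is printed and the second echo is never reached.
exec_overlay_demo() {
    ( exec sh -c 'printf %s replaced'; echo "never printed" )
}
```

Run `fork_and_wait_demo && echo parent-ok` and `exec_overlay_demo` from an interactive shell to see both behaviours; the subshell in the second function is what keeps `exec` from replacing your login shell, which is exactly what would happen if you typed `exec sh` at the prompt.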

  • The Init Process
    The init process is the ultimate parent of most processes on the computer. It is the second process created by the computer and has a PID of 1 (remember, numbering starts at 0). The following sequence shows how a shell is run:
    1. When the computer boots up it switches into multiuser mode.
    2. Upon switching, init forks and executes getty for every terminal port.
    3. getty prints a login prompt at each port and then sleeps.
    4. When a user tries to log in, getty executes login (overlaying itself).
    5. login verifies the user's information and executes the shell (overlaying itself).
    6. init is left as the only parent of the shell.
    7. When the shell dies, init forks and executes getty again. Thus the process repeats for a new user.

  • The Shell Process
    The shell is a child process of init and is the first process available to the user. The shell runs other processes that are its children. These processes may include another shell or a program. When the primary shell dies, the user is logged out. The shell keeps the same PID for the entire time you are logged in. If you kill this PID, you kill your login session.

  • Shell Commands for Manipulating Processes
    The shell provides several commands that allow it to manipulate its child processes. Child processes may execute in the foreground or the background.
      - When run in the foreground, the shell waits for the program and displays its output.
      - When run in the background, the process runs while the shell keeps running and can continue to process commands.
    The following keys manipulate processes:
      ctrl-z  suspends the foreground process
      ctrl-c  kills the foreground process

  • Shell Commands for Manipulating Processes (cont.)
    In addition to keys, the bash shell includes the following commands:
      bg    puts a process (pid) in the background
      fg    puts a process (pid) in the foreground
      jobs  lists active jobs for the shell
      kill  kills a process (pid)
      stop  suspends a background process (pid)
      wait  waits for background processes to finish
    If a pid is not given for bg or fg, the process most recently suspended from the foreground is assumed. Placing a & after a shell command will run it in the background. Note that you cannot log out until the process ends.

  • The nohup Command
    The & option provided by the shell will not allow a background process to keep running if the shell is killed or the user logs out. Therefore, you cannot log out until all background processes have been dealt with. The nohup command gets around this issue by guaranteeing that the command that follows it will not be affected by the hangup. If the shell dies, the PPID of the process transfers to 1, the init process.
    Example:
      nohup sort emp.lst &
    Standard output from this command may be redirected to nohup.out.

  • Listing Process Status
    The ps [options] command is used to list the status of all processes.
    Common ps options:
      a        list all processes associated with the current terminal
      -u user  list processes of a particular user
      -e       list everything including system processes
      f        get a full listing with the parent's ID (ppid) listed
      l        give a long list with memory information
    Note that the ps options may differ by system. For example, Linux uses ax instead of e.

  • Killing a Process
    The kill [options] pid command is used to terminate a process. A process can only be killed by its owner or by someone with administrative permissions. The kill command has the following options:
      -l  lists all of the signals kill can send
      -9  sends a special kill signal that cannot be caught
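The nohup slide and the kill slide are two sides of the same signal story: a login shell that dies sends SIGHUP to its children, nohup makes a child ignore that signal, and `kill -9` (SIGKILL) is the one signal a process cannot ignore. The script below is an added example, not from the slides, that checks all of that by starting throwaway children, signalling them, and reading their exit status from `wait` (7 if the child ran to completion, above 128 if a signal killed it). It assumes a POSIX sh with `nohup`, `sleep` and `kill` available; the child commands are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides. Shows (1) what nohup changes and
# (2) why kill -9 works when a process ignores an ordinary signal.
# Assumes a POSIX sh with nohup, sleep, kill and wait available.

# Start a child in the background with the given command, send it the
# named signal once it is running, reap it, and print its exit status.
#   $1      signal name, e.g. HUP, TERM, KILL
#   $2...   the command that starts the child
child_status_after_signal() {
    sig=$1
    shift
    "$@" > /dev/null 2>&1 &     # '&' backgrounds the child; $! is its PID
    child=$!
    sleep 1                     # let the child set up (nohup/trap) before signalling
    kill -s "$sig" "$child"
    status=0
    wait "$child" || status=$?  # 7 if it ran to completion, >128 if a signal killed it
    echo "$status"
}

# A plain child is terminated by SIGHUP, the signal a dying login shell sends.
plain_child_after_hup() {
    child_status_after_signal HUP sh -c 'sleep 3; exit 7'
}

# The same child started with nohup ignores SIGHUP and finishes normally.
nohup_child_after_hup() {
    child_status_after_signal HUP nohup sh -c 'sleep 3; exit 7'
}

# A child that ignores SIGTERM shrugs off an ordinary kill ...
ignoring_child_after_term() {
    child_status_after_signal TERM sh -c 'trap "" TERM; sleep 3; exit 7'
}

# ... but SIGKILL (kill -9) cannot be caught or ignored, so it dies.
ignoring_child_after_kill() {
    child_status_after_signal KILL sh -c 'trap "" TERM; sleep 3; exit 7'
}
```

Each function prints the child's exit status, so `plain_child_after_hup` prints 129 (128 + SIGHUP) while `nohup_child_after_hup` prints 7. The practical lesson for a defender is that `kill pid` is a polite request a process may decline, which is why `kill -9` exists, and why a daemon that must survive logout is started with nohup (or, on modern systems, under a service manager).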

  • at - Controlling Job Execution
    The at [options] time command can be used to set a job to run at a later time. The at command takes commands from standard input: you enter the at command, hit Enter, type the command to run, and then hit ctrl-D.
    Examples:
      at 15              runs the command at 3:00 PM
      at 5pm             runs the command at 5:00 PM
      at noon            runs the command at noon
      at now + 1 year    runs the command a year from now
      at 15 + 1 day      runs the command at 3:00 PM tomorrow
      at 9am tomorrow    runs the command at 9:00 AM tomorrow

  • at and batch
    at, continued:
      The -l option lists all jobs placed in the at queue with their job numbers.
      The -r # option removes the job with the given number from the queue.
    The batch command:
      The batch command runs a series of commands when time is available on the system. It does not take a time argument. Typically you enter the commands into a file and redirect that file into standard input, for example:
        batch < cmnds.txt
      batch places jobs into the at queue, so they can be listed and removed using at -l and at -r, or with atq and atrm.

  • Cron - Scheduling Periodic Jobs
    cron is a complex program that allows you to schedule jobs/processes for periodic execution, for example to check the file system or run a virus checker each day. cron requires you to create a file with the commands and times and notify the cron daemon using crontab -e. This creates a file with the user's name in /var/spool/cron/crontabs.
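The slide says the crontab file holds "commands and times" but stops before the layout. As an added example that is not part of the slides, the function below checks the time fields of a crontab line before you hand it to `crontab -e`; it assumes the standard five-field crontab format (minute, hour, day of month, month, day of week, then the command), which is a convention of cron itself rather than something the slide states, and a POSIX sh with awk. The sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check a crontab line.
# Assumes the standard five time fields of a crontab entry:
#   minute(0-59) hour(0-23) day-of-month(1-31) month(1-12) day-of-week(0-7) command
# Prints "ok", or the name of the first field that is out of range.
# Bare numbers and "*" are range-checked; lists, ranges and steps
# (e.g. "1,15", "1-5", "*/5") are accepted unchecked.
cron_line_check() {
    printf '%s\n' "$1" | awk '
    function bad(v, lo, hi) {
        if (v == "*" || v ~ "[-,/]") { return 0 }   # wildcard or operator: pass
        if (v !~ /^[0-9]+$/)         { return 1 }   # not a number at all
        return (v + 0 < lo || v + 0 > hi)           # numeric range check
    }
    {
        if (NF < 6)          { print "too few fields"; exit }
        if (bad($1, 0, 59))  { print "minute"; exit }
        if (bad($2, 0, 23))  { print "hour"; exit }
        if (bad($3, 1, 31))  { print "day-of-month"; exit }
        if (bad($4, 1, 12))  { print "month"; exit }
        if (bad($5, 0, 7))   { print "day-of-week"; exit }
        print "ok"
    }'
}

# Constructed entries: a nightly 02:30 job, a five-minute job, a typo.
good_entry='30 2 * * * /usr/local/bin/backup.sh'
step_entry='*/5 * * * * /usr/local/bin/check_disk.sh'
bad_entry='0 25 * * * /usr/local/bin/backup.sh'
```

Once a line passes, install it with `crontab -e` as the slide describes and confirm with `crontab -l`; a field that is out of range is exactly the kind of mistake that silently leaves a backup or scan job never running.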