LESSON 7 ATTACK ANALYSIS part II

You, however, won't need to work out all the rules on your own. You can take advantage of
the firewall's ability to set these filters itself. After you first install a firewall, you will be hit with a
flurry of warnings and requests for access, and you will have to determine whether or not a
program will be allowed to access the network. (The firewall may also give you the option to
let the firewall determine what rights programs have to access the network, but then you
wouldn't learn anything, would you?) This process is going to be similar to the one that we
used to identify the programs listed by netstat. A program named iexplorer.exe is obviously
Microsoft's Internet Explorer and, if you use it as your web browser, then the firewall must allow
it to access the Internet. But a program named cbox.exe could be anything. You've got no
choice but to go to your preferred web search engine and check it out. (Of course, before
you can do this, you've got to tell the firewall to allow your web browser to access the
Internet.)
The firewall program should also give you the option to allow access to a program
repeatedly, or just once. Some programs – like your web browser – should be allowed to
access the network anytime, but for other programs – such as the ones that automatically
check for program updates – you can learn a lot about how your computer works by having
the firewall ask for permission every time that the program requests access.
Firewalls are available as stand-alone programs (including a number of free versions for both
Windows and Linux) or they are often bundled with anti-virus software. Additionally, Windows
XP comes with a built-in firewall, but, as is the case with Windows Internet Explorer, it will be
targeted by people looking for exploits – flaws in other firewalls may never be found, but flaws
in a Microsoft firewall will be found and they will be exploited.

You don't need to understand all the rules; you can use the firewall directly to filter the data. After you first install the firewall, you will receive many warnings and requests that require you to decide whether a program may connect to the network. (The firewall can also make this judgement by itself, but then you wouldn't learn anything, would you?) This process is similar to the one we used to identify programs. iexplorer.exe is obviously Microsoft's browser, and if you set it as your main browser the firewall must allow it to connect to the network. But we don't know what program cbox.exe is; you can only use a web browser to look up information about this program. (Of course, you first have to let the web browser through the firewall to get online.)

The firewall will ask you repeatedly whether to allow a program to go online, or possibly only once. Some programs, like your browser, should be allowed online at all times, but for other programs, like the automatic check for program updates, you can learn a lot about your computer each time the firewall issues a request.

A firewall can be used as a stand-alone program (many free versions are available for Windows and Linux), or it may be bundled with anti-virus software. In addition, Windows XP comes with a firewall, but, like the web browser that ships with Windows, it is more likely to be attacked: flaws in other firewalls may never be found, but flaws in Microsoft's firewall will be found and exploited.

Exercises:
Open up a command prompt on your computer and enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
Match the PID numbers with program names and try to determine which programs on your
computer are accessing the network. (This is something that you can try at home, also.)


Exercises

Open a command prompt on your computer and type:

netstat -aon (Windows) or

netstat -apn (Linux)

Look at the PID number for each program name and find out which programs on your computer are connected to the network. (You can do this at home, too.)

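As an added example (not part of the lesson), the matching step of the exercise done automatically: the script parses netstat -aon output in the Windows column layout, joins each socket's PID with a tasklist-style PID-to-name map, and reports PIDs it cannot name, which is the cbox.exe case from the text. The netstat sample, the PID map and the process names are all constructed here, not captured from a real host.

```python
# Added example, not from the lesson: parse constructed `netstat -aon` output and
# join each socket with the process that owns it, so the "which programs are on
# the network" step of the exercise is done in one pass.
import re

# Constructed sample in the Windows `netstat -aon` column layout (not a real capture).
NETSTAT_AON = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:1042       64.233.161.99:80       ESTABLISHED     2312
  TCP    192.168.1.5:1043       10.0.0.9:6667          ESTABLISHED     3104
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image name map, as `tasklist` would report it (the lesson
# spells the browser iexplorer.exe; the real image name is iexplore.exe).
PID_TO_NAME = {4: "System", 880: "svchost.exe", 2312: "iexplore.exe", 3104: "cbox.exe"}

# Proto, local address, foreign address, optional state (UDP rows have none), PID.
WIN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat_aon(text):
    """One dict per socket line; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def programs_on_network(text, pid_map):
    """Group sockets by program name. A PID missing from the map is reported as
    UNKNOWN: that is the cbox.exe case in the text, the one to go and look up."""
    out = {}
    for r in parse_netstat_aon(text):
        name = pid_map.get(r["pid"], "UNKNOWN")
        out.setdefault(name, []).append((r["proto"], r["local"], r["foreign"], r["state"]))
    return out


def talking_to_remote(text, pid_map):
    """Only sockets with a real peer (not 0.0.0.0:0 or *:*): the programs that
    are actually exchanging data with another host right now."""
    return sorted((pid_map.get(r["pid"], "UNKNOWN"), r["foreign"])
                  for r in parse_netstat_aon(text)
                  if r["foreign"] not in ("0.0.0.0:0", "*:*"))


if __name__ == "__main__":
    for name, socks in programs_on_network(NETSTAT_AON, PID_TO_NAME).items():
        print(name, socks)
    print(talking_to_remote(NETSTAT_AON, PID_TO_NAME))
```

On a real machine, replace the two constructed inputs with the output of netstat -aon and tasklist; the listening-only rows are services waiting for connections, and the remote-peer rows are the ones worth identifying first.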

7.2 Packet Sniffers
Netstat will tell you what programs are connected to the network, but it won't show you what
data these programs are sending. A packet sniffer, however, gives you the means to record
and study the actual data that the programs are sending through the network.
7.2.1 Sniffing
A packet sniffer will record the network traffic on your computer, allowing you to look at the
data. Tcpdump (and its Windows port, windump) may be considered the archetypical
packet sniffers, but we're going to use Ethereal for our examples, because its graphical
interface is simpler, and it allows you to more quickly record and view a basic capture file.
If you don't already have Ethereal, it can be downloaded from www.ethereal.com. Note to
Windows users: To use Ethereal on a Windows based system, you must first download and
install the WinPcap packet capture driver. WinPcap is available on the Ethereal download
page or you can go to www.winpcap.polito.it to download it directly.
Shut down all other applications, then start Ethereal. In the menu click on View then
Autoscroll in Live Capture. Next, click on Capture, then Start to go to the Capture Options
screen. On the Capture Options screen, make sure that the box marked “Capture packets in
promiscuous mode” is not checked, that the three check boxes under “Name Resolution” are
checked, and that the box marked “Update list of packets in real time” is checked.

7.2 Sniffers

The Netstat command shows you the programs that are on the network, but it does not show the data those programs are sending. A sniffer can record and analyse the actual data these programs send through the network.

7.2.1 Sniffing

A packet sniffer records the network traffic on your computer and lets you look at the data. Tcpdump (if it has a Windows interface, it is called windump) (this translation is very awkward; I can't even bear to read it myself) is recognised as the archetypal packet sniffer, but we will use Ethereal for our examples, because its graphical interface is simple and lets you record and browse a basic capture file more quickly. If you don't have Ethereal, you can download it from www.ethereal.com. Windows users should note: to install Ethereal on a Windows system you first need to download and install the WinPcap packet capture driver. WinPcap can be downloaded from the Ethereal download page, or you can download it from www.winpcap.polito.it.

Close all other applications and start Ethereal. In the main menu click View; on the capture options page, do not select "Capture packets in promiscuous mode", select all three options under "Name Resolution", and also select the "Update list of packets in real time" option. As shown in the figure below:

Now, click on the “OK” button.
In theory, nothing should happen now. You'll see a window for Ethereal which displays the
number of packets that have been captured, and, behind this, you'll see the Ethereal screen
which displays the data in those packets. You may see a small amount of traffic that is
caused by the computers on the local network trying to keep track of each other (ARP, NBNS,
ICMP) followed by DNS activity as Ethereal attempts to resolve names.
To see activity, you're going to generate some activity. While Ethereal is running, open your
web browser. Minimize everything other than the main Ethereal screen and your web browser,
and arrange the Ethereal and web browser windows so that you can see both at the same
time. Now go to a web search engine, such as www.google.com.
As the web page loads, you should see information about captured packets scrolling up
through the Ethereal screen. Pick a search term and enter it into the search bar. Click on
some of the web pages that are brought up by the search and watch what happens in
Ethereal as you do.

Note: If Ethereal reports no network activity at all, you may have the wrong network interface
chosen. Go to the Interface drop-down list in the Capture Options screen and choose a
different network interface.

Now, click the OK button.

In theory, everything should be fine now. You will see an Ethereal window showing the captured packets, and behind it a screen showing the data in those packets. You will see a small amount of traffic generated by the local network; this is because Ethereal, in order to look up names, uses DNS lookups to connect to servers on the network (ARP, NBNS, ICMP).

If you want to see network traffic, you need to open some programs. While Ethereal is running, open a browser. Minimise the other programs, leaving only the Ethereal screen and the web browser, and arrange the two windows so that you can watch both at the same time. Now connect to a search engine, such as www.google.com.
As the web page loads, you should see captured information scrolling on the Ethereal screen. Search for something in that search engine, open the pages that the search finds, and watch what happens in Ethereal.

Note: If Ethereal reports no network activity, you may have the wrong network interface. Open the interface drop-down list on the Capture Options screen and choose a different network interface.
