Intruder detection with tcpdump

Sniff Test

Article from ADMIN 07/2012

By David J. Dodd

Tcpdump is a general-purpose packet sniffer and incident response tool that should be in your toolshed.

Tcpdump is a widely used and powerful tool that captures, parses, and analyzes network traffic. Created by the Network Research Group at Lawrence Berkeley National Laboratory in Berkeley, California, tcpdump [1] is deployed with libpcap (a C/C++ library for network traffic capture) and maintained by the libpcap developers. With tcpdump, you can analyze large binary files that are too large to view casually with a tool like Wireshark by whittling your file down to only the information pertinent to your investigation. Most distributions have tcpdump installed by default; if yours does not, use your distro's package manager. SourceForge [2] has project information as well as the code.

Tcpdump runs locally on your machine and can read or write network traffic information to a file. A basic capture uses the syntax

tcpdump -n -I <interface> -s <snaplen>

where -n means tcpdump should not resolve IP addresses to domain names or port numbers to service names, -I <interface> is the interface to use, and -s specifies how much of the packet to record – I use 1515, which is usually sufficient. If you do not specify a size, it will only capture the first 68 bytes of each packet. Except in older versions of tcpdump, a snaplen value of 0 uses a length needed to capture whole packets. Figure 1 dissects the output of a sample dump, and Table 1 shows other tcpdump options.

...

Use Express-Checkout link below to read the full article (PDF).