© Monika Wisniewska, 123RF.com

Intruder detection with tcpdump

Sniff Test

Article from ADMIN 07/2012
By
Tcpdump is a general-purpose packet sniffer and incident response tool that should be in your toolshed.

Tcpdump is a widely used and powerful tool that captures, parses, and analyzes network traffic. Created by the Network Research Group at Lawrence Berkeley National Laboratory in Berkeley, California, tcpdump [1] is distributed together with libpcap (the C library for packet capture that it is built on) and is maintained by the libpcap developers. With tcpdump, you can work through binary capture files that are too large to browse casually in a tool like Wireshark, whittling the file down to only the traffic pertinent to your investigation. Most distributions install tcpdump by default; if yours does not, use your distro's package manager. SourceForge [2] has project information as well as the code.

Tcpdump runs locally on your machine and can read or write network traffic information to a file. A basic capture uses the syntax

tcpdump -n -i <interface> -s <snaplen>

where -n means tcpdump should not resolve IP addresses to host names or port numbers to service names, -i <interface> selects the interface to listen on, and -s sets the snapshot length (snaplen), that is, how many bytes of each packet to record. I use 1515, which holds a full Ethernet frame and is usually sufficient. Note that the interface option is a lowercase -i; in current tcpdump, uppercase -I is a different option (monitor mode on wireless interfaces). Older tcpdump releases (before 4.0) defaulted to a snaplen of 68 bytes, which is enough for the Ethernet, IP, and TCP headers but cuts off almost all payload; tcpdump 4.0 and later default to capturing whole packets. If a capture you are handed shows truncated packets, check the snaplen recorded in the file header. Except in older versions of tcpdump, a snaplen value of 0 means "use whatever length is needed to capture whole packets." Figure 1 dissects the output of a sample dump, and Table 1 shows other tcpdump options.
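The snaplen decides what actually lands on disk when you add -w to the command above, and a capture taken with too small a value is a common source of confusion during an investigation. The following is an added example, not code from the article: a small pure-Python reader for the classic pcap file format that tcpdump -w writes (24-byte global header with the snaplen field, 16-byte record headers with captured and original lengths), plus a writer that mimics the truncation tcpdump applies with -s. The sample Ethernet/IPv4/TCP frame is constructed inline with zeroed checksums; no capture or root privilege is needed, and the 262144 figure used for -s 0 is the MAXIMUM_SNAPLEN of current tcpdump, stated here as an assumption.

```python
"""Audit a tcpdump capture file for packets truncated by the snaplen.

Added example for the article; it implements only the classic pcap layout
(magic 0xa1b2c3d4, microsecond timestamps) that tcpdump -w produces.
"""
import struct
import sys
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # magic as stored by a little-endian writer
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
MAXIMUM_SNAPLEN = 262144     # assumption: what current tcpdump records for -s 0


@dataclass
class Record:
    ts_sec: int
    ts_usec: int
    caplen: int    # bytes actually stored, bounded by the snaplen
    origlen: int   # bytes seen on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        return self.caplen < self.origlen


def sample_frame(payload_len: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are zero, only lengths matter."""
    eth = bytes.fromhex("aabbccddeeff" "112233445566" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + bytes(payload_len)


def write_pcap(frames, snaplen: int) -> bytes:
    """Serialise frames as tcpdump -w would with -s <snaplen>: each record stores at
    most snaplen bytes but always keeps the original on-the-wire length."""
    limit = snaplen if snaplen > 0 else MAXIMUM_SNAPLEN
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        stored = frame[:limit]
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(stored), len(frame))
        out += stored
    return bytes(out)


def read_pcap(blob: bytes):
    """Parse global header and records; returns (snaplen, [Record, ...])."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    snaplen = struct.unpack(endian + "IHHiIII", blob[:24])[5]
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + caplen]
        if len(data) != caplen:
            raise ValueError("file ends inside a record at offset %d" % (off - 16))
        records.append(Record(ts_sec, ts_usec, caplen, origlen, data))
        off += caplen
    return snaplen, records


def audit(blob: bytes) -> dict:
    """Summarise how much the recorded snaplen cost this capture."""
    snaplen, recs = read_pcap(blob)
    return {
        "snaplen": snaplen,
        "packets": len(recs),
        "truncated": sum(r.truncated for r in recs),
        "bytes_lost": sum(r.origlen - r.caplen for r in recs),
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # audit a real file: tcpdump -n -i eth0 -s 1515 -w out.pcap
        with open(sys.argv[1], "rb") as fh:
            print(audit(fh.read()))
    else:                                       # demo with the constructed frames
        frames = [sample_frame(200), sample_frame(0)]
        for snap in (68, 1515, 0):
            print("-s %d ->" % snap, audit(write_pcap(frames, snap)))
```

With the old 68-byte default the 254-byte data frame keeps its 54 bytes of Ethernet, IP and TCP headers and loses the payload, while the bare ACK fits whole; at 1515 nothing is lost. Running the script against a real file written with -w reports the snaplen the capture was taken with, which is the first thing to check when a pcap looks "wrong".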

...