Solved

tcpdump question

Posted on 2004-09-05
Last Modified: 2012-08-14
What are the TCPDUMP switches I should be using to monitor traffic effectively (both for security and network analysis)?
I've been using windump -s 1531 so far. Any recommendations?
Thanks
Question by:dissolved
10 Comments
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984535
What is your goal for the analysis?  Are you analyzing an entire network, a collection of computers on a network, or just a single host?  Have you considered using Ethereal for a more graphical viewing of the packets?
 
LVL 4

Expert Comment

by:JonSh
ID: 11984592
New one on me. I do all my network analysis via packet capture; Ethereal is a good answer, as suggested by Catdaddy007 above. Now I'm stumped, as I've never heard of TCPDUMP or WINDUMP...

 

Author Comment

by:dissolved
ID: 11984698
Analyzing an entire network. I need to be able to view race output. Ethereal is nice, but I need to view output from an IDS box. Unfortunately, it is not as nice as Ethereal's layout, unless someone here knows of a way to output it in an Ethereal-readable format.
 

Author Comment

by:dissolved
ID: 11984704
I meant raw* output. Not "race" output. Sorry, late night.
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984793
So you have a host on a network that is collecting traffic via tcpdump/windump (probably outputting to a plain text file), and you want to "import" that data to an IDS box in order to determine if there have been any intrusions, and probably just to look at the traffic.

Honestly, your windump -s 1531 is probably pretty good if all you want is 100% of the packet data in raw format. You will probably want to put a -n in there so that it doesn't do hostname lookups.

If you are getting too much traffic through this host and windump can't keep up (as evidenced by packets dropped by the kernel), then use the -w option and specify a filename to dump the raw data to. Like so:

windump -w output.out

You'll find that you can't read that format with a normal text editor. What you have to do is run windump again to process the output file into a readable format. Like so:

windump -n -r output.out >c:\human_readable_format.txt

What the -w does is tell windump not to format the captured data into readable form on the fly, but merely to dump it to a text file. Then you have to do the formatting manually once your capture is complete. You could probably script all this and rotate your captured files if you like, but that is beyond the scope of this question.

Another thing: are your switches set up to mirror all traffic to the port that your collection box is on? Otherwise, you'll only get traffic that has a source or destination address of your collection box. Or are hubs used throughout the network?
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984806
Also, windump switches are pretty much the same as tcpdump switches, with the obvious exception of interface names (eth1 vs. \device\npf_blah_blah_blah). So a Google search on tcpdump switches would prove fruitful.
 

Author Comment

by:dissolved
ID: 11984864
Yeah, this is actually a home lab, so no port spanning. Just an IDS on a hub.

I usually only use the -w option when I want to import the output into ethereal. Works great.

PS: Isn't there a way to show the hex of the packet too? Like in the bottom pane of the Ethereal program?
 
LVL 1

Accepted Solution

by: Catdaddy007 (earned 500 total points)
ID: 11984936
True... The -w is the real "raw" output of the capture. Once you have that info, you can import it into all kinds of stuff. The -x switch will show the hex values of the packet. Like so:

windump -x -n -s 1531

If the IDS is the machine that is doing the "captures", shouldn't the IDS software do the packet capture for you, rather than relying on you to first capture in windump and then import into the IDS?
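An added example, not from this thread or from the tcpdump/WinDump projects, that puts Catdaddy007's two points above into a form you can check: the file that -w writes is a binary pcap file (it starts with a fixed magic number and records the snaplen the capture was taken with), and -r is how you decode it afterwards, with -x or -X for the hex view. The script below builds a minimal pcap file by hand (constructed sample data: snaplen 1531 to match the question, one 14-byte Ethernet frame) and reads its global header back with od, which is a quick sanity check before handing a capture to Ethereal or an IDS. The interface name eth1, the file names, and the -C/-W rotation switches being present in your tcpdump build are assumptions; everything else is standard POSIX sh.

```shell
#!/bin/sh
# Added example (not code from the thread). Inspect a pcap file written by
# `tcpdump -w` / `windump -w` without tcpdump itself, using only od and sh.

# Build a minimal little-endian pcap file: 24-byte global header followed by
# one record. CONSTRUCTED sample data, not a real capture.
make_sample_pcap() {
    {
        printf '\324\303\262\241'   # magic 0xa1b2c3d4 stored little-endian
        printf '\002\000\004\000'   # version 2.4
        printf '\000\000\000\000'   # thiszone
        printf '\000\000\000\000'   # sigfigs
        printf '\373\005\000\000'   # snaplen 1531 (0x05fb), as in the question
        printf '\001\000\000\000'   # linktype 1 = Ethernet
        # record header: ts_sec, ts_usec, incl_len=14, orig_len=60
        printf '\000\000\000\000\000\000\000\000'
        printf '\016\000\000\000'
        printf '\074\000\000\000'
        # 14-byte Ethernet header: broadcast dst, made-up src, type 0x0800 (IPv4)
        printf '\377\377\377\377\377\377'
        printf '\000\021\042\063\104\125'
        printf '\010\000'
    } > "$1"
}

# Print the 32-bit little-endian integer at byte offset $2 of file $1.
# Bytes are combined in shell arithmetic, so the host's endianness is irrelevant.
le32_at() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

pcap_magic()    { le32_at "$1" 0;  }
pcap_snaplen()  { le32_at "$1" 16; }
pcap_linktype() { le32_at "$1" 20; }

# Classic pcap magic: 0xa1b2c3d4 (2712847316) when the writer was little-endian,
# 0xd4c3b2a1 (3569595041) when the file came from a big-endian machine.
is_pcap() {
    m=$(pcap_magic "$1")
    [ "$m" -eq 2712847316 ] || [ "$m" -eq 3569595041 ]
}

# Walk the record headers: each is 16 bytes followed by incl_len bytes of data.
pcap_count_packets() {
    size=$(wc -c < "$1" | tr -d ' ')
    off=24
    n=0
    while [ "$off" -lt "$size" ]; do
        incl=$(le32_at "$1" $((off + 8)))
        off=$((off + 16 + incl))
        n=$((n + 1))
    done
    echo "$n"
}

# Equivalent tcpdump/windump commands (same switches on both; eth1 and the
# file names are assumptions):
#   tcpdump -i eth1 -n -s 1531 -w capture.pcap        # raw binary capture, no DNS lookups
#   tcpdump -i eth1 -n -s 1531 -w cap -C 100 -W 10    # ring buffer of ten 100 MB files
#   tcpdump -n -r capture.pcap > human_readable.txt   # decode later
#   tcpdump -n -r capture.pcap -X                     # hex plus ASCII for each packet

# Stand-alone usage: build the sample and report what the header says.
sample=$(mktemp)
make_sample_pcap "$sample"
if is_pcap "$sample"; then
    echo "pcap ok: snaplen=$(pcap_snaplen "$sample") linktype=$(pcap_linktype "$sample") packets=$(pcap_count_packets "$sample")"
else
    echo "not a classic pcap file" >&2
fi
rm -f "$sample"
```

The snaplen field is the one worth looking at on a real capture: if it reads 68 (the default of older tcpdump versions) rather than the value you passed to -s, the payloads in that file were truncated and no amount of -X will bring them back.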
 

Author Comment

by:dissolved
ID: 11984942
you da man
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11986142
w00t..thx
