Solved

tcpdump question

Posted on 2004-09-05
10
810 Views
Last Modified: 2012-08-14
What are the TCPDUMP switches I should be using to monitor traffic effectively (both for security and network analysis)
I've been using  windump -s 1531 so far? Any recommendations?
Thanks
0
Comment
Question by:dissolved
  • 5
  • 4
10 Comments
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984535
What is your goal for the analysis?  Are you analyzing an entire network, a collection of computers on a network, or just a single host?  Have you considered using Ethereal for a more graphical viewing of the packets?
0
 
LVL 4

Expert Comment

by:JonSh
ID: 11984592
new one on me, I do all my network analysis via packet capture; ethereal is a good answer as suggested by catdaddy007 above.  Now, I'm stumped, as I've never heard of TCPDUMP or WINDUMP.......

0
 

Author Comment

by:dissolved
ID: 11984698
Analyzing an entire network.  I need to be able to view race output. Ethereal is nice, but I need to view output from a ids box.. Unfortunately, it is not as nice as ethereals layout. unless someone here knows of a way to output it in Ethereal readable format
0
 

Author Comment

by:dissolved
ID: 11984704
I meant raw* output. Not "race" output. Sorry, late night.
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984793
So you have a host on a network that is collecting traffic via TCP/Windump (probably outputting to plain text file) and you want to "import" that data to an IDS box in order to determine if there have been any intrusions and probably to just look at the traffic.

Honestly, your windump -s 1531 is probably pretty good if all you want is 100% of packet data in raw format.  You will probably want to put a -n in there so that it doesnt do hostname lookups.

If you are getting too much traffic through this host and windump cant keep up (as evidenced by dropped packets by the kernel) then use the -w option and specify a filename to dump the raw data to.  Like so:

windump -w output.out

You'll find that you cant read that format with a normal text editor.  What you have to do is run windump again to process the output file into a readable format.  Like so:

windump -n -r output.out >c:\human_readable_format.txt

What the -w does is tell windump not format the captured data in readable format on the fly; merely dump it to a text file.  Then you have to do the formating manually once your capture is complete.  You could probably script all this and rotate your captured files if you like, but that is beyond the scope of this question.  

Another thing:  are your switches setup to mirror all traffic to the port that your collection box is on?  Otherwise, you'll only get traffic that has a source or destination address of your collection box.  Or are hubs used throughout the network?
0
New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984806
Also windump switches are pretty much the same as tcpdump switches, with the obvious exception of interface names (eth1 vs. \device\npf_blah_blah_blah).  So a google search on tcpdump switches would prove fruitful.
0
 

Author Comment

by:dissolved
ID: 11984864
Yea, this is actually a home lab so no port spanning. Just an IDS on a hub.

I usually only use the -w option when I want to import the output into ethereal. Works great.

PS: Isnt there a way to show the hex of the packet to ? Like at the bottom payne of the ethereal program?
0
 
LVL 1

Accepted Solution

by:
Catdaddy007 earned 500 total points
ID: 11984936
True... The -w is the real "raw" output of the capture.  Once you have that info, you can import into all kinds of stuff.  The -x switch will show the hex values of the packet.  Like so:

windump -x -n -s 1531

If the IDS is the macine that is doing the "captures" shouldnt the IDS software do the packet capture for you, rather than relying on you to first capture in windump and then import into IDS?
0
 

Author Comment

by:dissolved
ID: 11984942
you da man
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11986142
w00t..thx
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now