Solved

tcpdump question

Posted on 2004-09-05
10
818 Views
Last Modified: 2012-08-14
What are the TCPDUMP switches I should be using to monitor traffic effectively (both for security and network analysis)?
I've been using windump -s 1531 so far. Any recommendations?
Thanks
0
Question by:dissolved
10 Comments
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984535
What is your goal for the analysis?  Are you analyzing an entire network, a collection of computers on a network, or just a single host?  Have you considered using Ethereal for a more graphical viewing of the packets?
0
 
LVL 4

Expert Comment

by:JonSh
ID: 11984592
New one on me. I do all my network analysis via packet capture; Ethereal is a good answer, as suggested by Catdaddy007 above. Now I'm stumped, as I've never heard of TCPDUMP or WINDUMP...

0
 

Author Comment

by:dissolved
ID: 11984698
Analyzing an entire network. I need to be able to view race output. Ethereal is nice, but I need to view output from an IDS box. Unfortunately, it is not as nice as Ethereal's layout, unless someone here knows of a way to output it in an Ethereal-readable format.
0
 

Author Comment

by:dissolved
ID: 11984704
I meant raw* output. Not "race" output. Sorry, late night.
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984793
So you have a host on a network that is collecting traffic via TCP/Windump (probably outputting to plain text file) and you want to "import" that data to an IDS box in order to determine if there have been any intrusions and probably to just look at the traffic.

Honestly, your windump -s 1531 is probably pretty good if all you want is 100% of packet data in raw format. You will probably want to put a -n in there so that it doesn't do hostname lookups.

If you are getting too much traffic through this host and windump can't keep up (as evidenced by dropped packets by the kernel), then use the -w option and specify a filename to dump the raw data to. Like so:

windump -w output.out

You'll find that you can't read that format with a normal text editor. What you have to do is run windump again to process the output file into a readable format. Like so:

windump -n -r output.out >c:\human_readable_format.txt

What the -w does is tell windump not to format the captured data in readable format on the fly; merely dump it to a text file. Then you have to do the formatting manually once your capture is complete. You could probably script all this and rotate your captured files if you like, but that is beyond the scope of this question.

Another thing: are your switches set up to mirror all traffic to the port that your collection box is on? Otherwise, you'll only get traffic that has a source or destination address of your collection box. Or are hubs used throughout the network?
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984806
Also, windump switches are pretty much the same as tcpdump switches, with the obvious exception of interface names (eth1 vs. \device\npf_blah_blah_blah). So a Google search on tcpdump switches would prove fruitful.
0
 

Author Comment

by:dissolved
ID: 11984864
Yea, this is actually a home lab so no port spanning. Just an IDS on a hub.

I usually only use the -w option when I want to import the output into ethereal. Works great.

PS: Isn't there a way to show the hex of the packet too? Like in the bottom pane of the Ethereal program?
0
 
LVL 1

Accepted Solution

by:Catdaddy007 (earned 500 total points)
ID: 11984936
True... The -w is the real "raw" output of the capture.  Once you have that info, you can import into all kinds of stuff.  The -x switch will show the hex values of the packet.  Like so:

windump -x -n -s 1531

If the IDS is the machine that is doing the "captures", shouldn't the IDS software do the packet capture for you, rather than relying on you to first capture in windump and then import into the IDS?
0
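The two Catdaddy007 comments above (the -w / -r explanation and the accepted -x answer) both come down to one file format: the libpcap file that `windump -w` and `tcpdump -w` write. The following is an added example, my own code rather than anything from this thread or from the tcpdump/WinDump projects, that writes and reads that format with nothing but the Python standard library. It shows why the -w file cannot be read in a text editor (it is a 24-byte binary header followed by binary records), how -r recovers one-line summaries from it, what -s (the snaplen) does to each record, and what -x adds. It assumes Ethernet link type and IPv4/TCP frames only; the frames, addresses (RFC 5737 documentation ranges) and timestamps are constructed sample data, not captured traffic.

```python
"""Added example, not code from the thread or from the tcpdump/WinDump projects:
a minimal writer and reader for the libpcap file that `windump -w` produces.
It shows why that file is not text, how -r turns records back into one-line
summaries, what -s (snaplen) does to each record, and what -x adds.
All packet data below is constructed."""
import struct
from io import BytesIO

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from an LE file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen through a big-endian file
LINKTYPE_ETHERNET = 1
TCP_FLAG_CHARS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x10, ".")]

def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (sample data).  The IP checksum is
    real; the TCP checksum is left zero because nothing here validates it."""
    eth = bytes.fromhex("00163e000001") + bytes.fromhex("00163e000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload

def write_pcap(packets, snaplen):
    """What -w does: a 24-byte global header, then per packet a 16-byte record
    header plus the captured bytes, each record truncated to snaplen."""
    out = BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, raw in packets:
        captured = raw[:snaplen]
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(raw)))
        out.write(captured)
    return out.getvalue()

def read_pcap(data):
    """What -r starts with: parse the file into (snaplen, records), each record
    being (ts_sec, ts_usec, caplen, wirelen, captured_bytes)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a pcap file: magic %#x" % magic)
    snaplen, linktype = struct.unpack_from(e + "II", data, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) is decoded here, got %d" % linktype)
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from(e + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, caplen, wirelen, data[off:off + caplen]))
        off += caplen
    return snaplen, records

def summarize(captured, wirelen):
    """One line in the style of tcpdump's default text output for an IPv4/TCP
    frame; if the snaplen cut into the headers, say so instead of guessing."""
    if len(captured) < 14 + 20 + 20:
        return "[|tcp] truncated: %d of %d bytes captured" % (len(captured), wirelen)
    if struct.unpack_from("!H", captured, 12)[0] != 0x0800:
        return "non-IPv4 frame"
    ip = captured[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if proto != 6:
        return "IP %s > %s: proto %d" % (src, dst, proto)
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    flags = "".join(c for bit, c in TCP_FLAG_CHARS if tcp[13] & bit) or "none"
    # payload length comes from the IP total length, so it is right even when truncated
    plen = struct.unpack_from("!H", ip, 2)[0] - ihl - (tcp[12] >> 4) * 4
    return "IP %s.%d > %s.%d: Flags [%s], length %d" % (src, sport, dst, dport, flags, plen)

def hexdump(captured):
    """What -x adds: the captured bytes as 16-byte lines of 2-byte hex words."""
    lines = []
    for off in range(0, len(captured), 16):
        chunk = captured[off:off + 16]
        lines.append("\t0x%04x:  %s" % (off, " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))))
    return "\n".join(lines)

def demo(snaplen):
    """Capture two constructed frames at the given snaplen (as -s would), write
    them as -w would, read them back as -r would; return (file_bytes, lines)."""
    syn = build_tcp_frame("192.0.2.10", "198.51.100.5", 40000, 80, 0x02)
    data = build_tcp_frame("198.51.100.5", "192.0.2.10", 80, 40000, 0x18, b"A" * 1460)
    pcap = write_pcap([(1094342400, 0, syn), (1094342400, 250, data)], snaplen)
    _, records = read_pcap(pcap)
    return pcap, [summarize(cap, wirelen) for _, _, _, wirelen, cap in records]

if __name__ == "__main__":
    for snaplen in (1531, 68, 40):      # the asker's snaplen, then two that truncate
        pcap, lines = demo(snaplen)
        print("-s %d -> %d-byte file:\n  %s" % (snaplen, len(pcap), "\n  ".join(lines)))
    print(hexdump(demo(1531)[0][24 + 16:24 + 16 + 54]))   # first record's 54 bytes, as -x would
```

Running it with the asker's `-s 1531` stores the full 1514-byte data frame; with `-s 68` the record keeps only 68 bytes but the summary is still right because the length comes from the IP header, which is the same information `windump -n -r output.out` prints; with `-s 40` the TCP header itself is cut off and the reader has to report a truncated packet instead of decoding garbage. Each record carries both the captured length and the original on-wire length, which is how a reader (and an IDS fed from such a file) can tell the two cases apart.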
 

Author Comment

by:dissolved
ID: 11984942
you da man
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11986142
w00t..thx
0
