Solved

tcpdump question

Posted on 2004-09-05
10
809 Views
Last Modified: 2012-08-14
What are the TCPDUMP switches I should be using to monitor traffic effectively (both for security and network analysis)
I've been using  windump -s 1531 so far? Any recommendations?
Thanks
0
Comment
Question by:dissolved
  • 5
  • 4
10 Comments
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984535
What is your goal for the analysis?  Are you analyzing an entire network, a collection of computers on a network, or just a single host?  Have you considered using Ethereal for a more graphical viewing of the packets?
0
 
LVL 4

Expert Comment

by:JonSh
ID: 11984592
new one on me, I do all my network analysis via packet capture; ethereal is a good answer as suggested by catdaddy007 above.  Now, I'm stumped, as I've never heard of TCPDUMP or WINDUMP.......

0
 

Author Comment

by:dissolved
ID: 11984698
Analyzing an entire network.  I need to be able to view race output. Ethereal is nice, but I need to view output from a ids box.. Unfortunately, it is not as nice as ethereals layout. unless someone here knows of a way to output it in Ethereal readable format
0
 

Author Comment

by:dissolved
ID: 11984704
I meant raw* output. Not "race" output. Sorry, late night.
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984793
So you have a host on a network that is collecting traffic via TCP/Windump (probably outputting to plain text file) and you want to "import" that data to an IDS box in order to determine if there have been any intrusions and probably to just look at the traffic.

Honestly, your windump -s 1531 is probably pretty good if all you want is 100% of packet data in raw format.  You will probably want to put a -n in there so that it doesnt do hostname lookups.

If you are getting too much traffic through this host and windump cant keep up (as evidenced by dropped packets by the kernel) then use the -w option and specify a filename to dump the raw data to.  Like so:

windump -w output.out

You'll find that you cant read that format with a normal text editor.  What you have to do is run windump again to process the output file into a readable format.  Like so:

windump -n -r output.out >c:\human_readable_format.txt

What the -w does is tell windump not format the captured data in readable format on the fly; merely dump it to a text file.  Then you have to do the formating manually once your capture is complete.  You could probably script all this and rotate your captured files if you like, but that is beyond the scope of this question.  

Another thing:  are your switches setup to mirror all traffic to the port that your collection box is on?  Otherwise, you'll only get traffic that has a source or destination address of your collection box.  Or are hubs used throughout the network?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11984806
Also windump switches are pretty much the same as tcpdump switches, with the obvious exception of interface names (eth1 vs. \device\npf_blah_blah_blah).  So a google search on tcpdump switches would prove fruitful.
0
 

Author Comment

by:dissolved
ID: 11984864
Yea, this is actually a home lab so no port spanning. Just an IDS on a hub.

I usually only use the -w option when I want to import the output into ethereal. Works great.

PS: Isnt there a way to show the hex of the packet to ? Like at the bottom payne of the ethereal program?
0
 
LVL 1

Accepted Solution

by:
Catdaddy007 earned 500 total points
ID: 11984936
True... The -w is the real "raw" output of the capture.  Once you have that info, you can import into all kinds of stuff.  The -x switch will show the hex values of the packet.  Like so:

windump -x -n -s 1531

If the IDS is the macine that is doing the "captures" shouldnt the IDS software do the packet capture for you, rather than relying on you to first capture in windump and then import into IDS?
0
 

Author Comment

by:dissolved
ID: 11984942
you da man
0
 
LVL 1

Expert Comment

by:Catdaddy007
ID: 11986142
w00t..thx
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Join & Write a Comment

Suggested Solutions

What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now