Solved

How to sniff network traffic on linux without interruption on interface down events

Posted on 2010-09-06
1,108 Views
Last Modified: 2012-05-10
I sniff traffic on network interface (with tcpdump or wireshark). My problem is that if the interface goes down and then up again the sniffer stops sniffing. I don't like it.

Any ideas how to make sure _all_ packets get intercepted?
Question by:gremwell
11 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33611643
>My problem is that if the interface goes down and then up again the sniffer stops sniffing. I don't like it.

The best way to sniff traffic is to have a dedicated reliable system just for Wireshark (or tcpdump). If your switch supports SPAN (port mirroring), then this is the recommended path for any long-term solution. For a short-term solution, any old system that is fairly reliable will suit your needs, but you might run into issues as you are experiencing.

Here is some more information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Billy
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33611781
tcpdump doesn't bring your interface down. Just run it; it will simply display all traffic on the NIC without interfering with existing traffic.

/Kvistofta
 
LVL 3

Author Comment

by:gremwell
ID: 33611926
rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.

kvistofta: The interface goes down for a number of reasons, indeed not related to tcpdump. However, when the interface goes down, tcpdump/wireshark stop sniffing and do not continue automatically when the interface is up again.

All I want is to run wireshark in the morning and let it log all the traffic I generate during the day. I reconfigure/repatch my network interface very often and it is extremely inconvenient that I always have to remember to switch to Wireshark, save old file, and restart the same capturing. This is counter-productive.

I have a partial solution -- run 'snort' in the background and watch the pcap files it generates in Wireshark. But this way I'm not getting live updates in Wireshark... Just now I thought it should be possible to feed snort's pcap files to Wireshark via a pipe (something like http://www.commandlinefu.com/commands/view/4487/analyze-traffic-remotely-over-ssh-w-wireshark)...

 
LVL 1

Expert Comment

by:99star
ID: 33611996

Mirror a port in a managed switch to achieve uninterrupted packets on that interface.
A switch (port mirroring) is ideal: no one can know (except the concerned) what is happening, and at the same time it is less taxing on the interface.

tks
 
LVL 3

Author Comment

by:gremwell
ID: 33612053
Guys, I'm sorry, but I'm really not interested in switches... Why should I possibly need extra hardware? I just need to log all traffic on my laptop's port, that is all. Pretty please don't mention switches again. Thanks in advance.
LVL 24

Expert Comment

by:rfc1180
ID: 33612101
>rfc1180: It is not very convenient to carry around a switch + additional system + extra cables.
You never mentioned your requirements; typically, with no requirements, defaults will be used.

>tcpdump/wireshark stop sniffing and do not continue automatically when interface is up again.
Correct, this is by design. Again, these are the facts of networking; typical NICs will stay active, and if they are bouncing then there is something physically wrong with the hardware and/or drivers (you need a reliable system).

>just need to log all traffic on my laptop's port
If that is all you need then you do not need extra hardware; run Wireshark and capture the packets, but do not expect to capture ALL network traffic without some type of extra hardware and cables.

Billy
 
LVL 3

Accepted Solution

by:gremwell (earned 0 total points)
ID: 33612236
> you never mentioned your requirements; typically, with no requirements, defaults will be used.

I'm truly sorry that my question was not clear enough. Indeed I should have mentioned mobility requirements from the start.

> typical NICs will stay active, if they are bouncing then there is something physically wrong with the
> hardware and/or drivers

Not necessarily. I often need to restart DHCP client or switch from one connection to another during the day. I know that I cause interface-down events.

> but do not expect to capture ALL network traffic without some type of extra hardware and cables

I wonder what you mean by this. As I have said, I want to log traffic sent to/from my laptop.

I have just found this http://www.tcpdump.org/libpcap-changes.txt: "ignore ENETDOWN so we can continue to capture packets if the interface goes down and comes back up again." Apparently tcpdump 4.0 distributed with Ubuntu 10 does what I want. Time to upgrade...


Thanks to everyone for considering my problem.
 
LVL 24

Expert Comment

by:rfc1180
ID: 33612299
>I wonder what you mean by this. As I have said, I want to log traffic sent to/from my laptop.
Yes, but you stated "I just need to log all traffic on my laptop's port"; the statement leaves it open to interpretation. The type of traffic that you want logged (captured) will be only traffic destined to the laptop and any traffic that was sourced by the laptop; any other traffic sourced and destined elsewhere in the network you will not be able to capture. I just want to make sure that you are clear on that and that there is no misunderstanding.

>I have just found this http://www.tcpdump.org/libpcap-changes.txt
There you go, I have never had an issue like this so I never had to investigate.

Good Luck
Billy
 
LVL 1

Expert Comment

by:99star
ID: 33612794

If I am not wrong, you want to analyze your own laptop's network traffic, right?

tcpdump and similar tools are there; use them. The only pitfalls, to my mind, are:
    Too much hard disk activity (will slow down the system, and your normal operations will be slow).
    The processor too will devote most of its time to the tcpdump process (will slow down the system, and your normal operations will be slow).
    If there is too much internet browsing, it poses the alarm of the hard disk getting full.
    These are the primary things, man; the list will exceed..........................
Tks
 
LVL 7

Expert Comment

by:expert1010
ID: 33615927
You might get away with monitoring your interface with ifplugd and doing something every time the link comes up.

Something like this:
ifplugd -i eth0 -r /home/gremwel/script/starttcpdump
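An added example (not posted in this thread) of what such an ifplugd action script could look like, for the link-bounce problem the question describes and the ifplugd approach suggested above. It assumes ifplugd calls the script as `script <iface> <up|down>`, a writable capture directory `CAPDIR` (hypothetical default `/var/tmp/captures`), and a tcpdump whose libpcap does not yet survive the interface going down; each link-up gets its own timestamped pcap so earlier captures are never overwritten.

```shell
#!/bin/sh
# starttcpdump: restart a capture every time the link comes back up.
# Invoked by ifplugd as:  starttcpdump <iface> <up|down>
IFACE=${1:-eth0}
ACTION=${2:-up}
CAPDIR=${CAPDIR:-/var/tmp/captures}      # assumption: capture directory
PIDFILE="$CAPDIR/tcpdump-$IFACE.pid"

# Per-link-up capture file name: <dir>/<iface>-<timestamp>.pcap
capture_path() {
    # $1 = interface, $2 = timestamp (YYYYmmdd-HHMMSS)
    printf '%s/%s-%s.pcap\n' "$CAPDIR" "$1" "$2"
}

# Stop the tcpdump started by a previous link-up, if any, and drop its pidfile.
# A stale pidfile (process already gone) is tolerated: kill fails quietly.
stop_previous() {
    if [ -f "$PIDFILE" ]; then
        pid=$(cat "$PIDFILE")
        kill "$pid" 2>/dev/null && echo "stopped tcpdump pid $pid"
        rm -f "$PIDFILE"
    fi
}

# Start a fresh capture in the background and record its pid.
# -n: no name resolution; -s 0: whole packets; -U: write each packet
# immediately so a partial file survives if the link drops again.
start_capture() {
    mkdir -p "$CAPDIR"
    out=$(capture_path "$IFACE" "$(date +%Y%m%d-%H%M%S)")
    tcpdump -n -i "$IFACE" -s 0 -U -w "$out" &
    echo $! > "$PIDFILE"
    echo "capturing $IFACE to $out"
}

main() {
    case "$ACTION" in
        up)   stop_previous; start_capture ;;
        down) stop_previous ;;
        *)    echo "usage: $0 <iface> <up|down>" >&2; return 1 ;;
    esac
}

# Only act when ifplugd (or a user) passes the interface and link state.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

The files it produces can be opened in Wireshark one at a time, or merged afterwards with mergecap.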
 
LVL 3

Author Comment

by:gremwell
ID: 33625619
As I have mentioned earlier, I have a solution -- upgrade to libpcap 1.0. This was what I was after, as it solves the problem described in the OP -- interruption of sniffing when the interface goes down.

Thanks again for everyone's participation.
