When working with many different devices in an infrastructure, it is necessary to ensure that they function correctly and securely. One source of potential threats is network traffic, both external and internal. Without proper systems in place to analyse and monitor it, many attacks or system problems can go unnoticed or cause significant damage while the systems are in use!
In this article, we will look at how to collect and analyse network traffic on a machine more effectively using the tcpdump + Wireshark toolkit on Linux and Windows.
How is traffic sniffing done?
To sniff, or intercept, network connections on a device, tcpdump relies on the pcap library (libpcap), which reads packets from the network adapter driver's capture buffer. It is in that buffer that the original, unmodified network packets are found!
Wireshark can then additionally dissect those packets and provide analytics for each of them, as well as a convenient panel for searching and filtering the connections of interest!
Collecting and analysing network traffic
Let's determine the layout of our infrastructure and the machines from which we will intercept connections:
- For servers on networks where we need to collect traffic, we will use tcpdump; it will generate a pcap file, which we send to the workstation where Wireshark is installed for analysis;
- If we collect traffic from a user's workstation, we can perform the analysis directly on it using only Wireshark.
We will need only the standard set of distribution packages plus the additionally installed tcpdump and Wireshark.
In most cases tcpdump is already present; otherwise, you can install it with the following command on deb-like systems:
For rpm-like solutions, the command will look like this:
Let's look at the main features and examples of using tcpdump: filters, options and modes of operation. First, let's list the available interfaces:
To intercept traffic from a specific interface, we specify it with the -i option:
There is a lot of traffic and the output on the screen is just as voluminous, so it is almost impossible to analyse anything in this view. With the -w option we specify the file to record to, and we add filters to narrow the capture down to a specific connection:
- port - Filtering by port (for example, port 80);
- host - Filtering by IP address or host name (for example, host 192.168.1.1);
- src - Filtering by source address (e.g., src 192.168.1.1);
- dst - Filtering by destination address (e.g., dst 192.168.1.2);
- tcp - TCP packet filtering;
- udp - Packet filtering by UDP protocol;
- icmp - ICMP packet filtering.
All these filters must be linked by the operators:
- AND;
- OR;
- NOT.
For example, I am interested in my SSH connection, hence the command will look like this:
Instead of thousands of packets, only a handful remain! But sometimes we need all the traffic to see the full picture, so we record from all interfaces with the -i any option, where any is a pseudo-interface that listens to traffic from all sources. To view the recorded traffic on the same machine we run:
We can then open it in Wireshark by transferring the file to the analysis workstation:
The filters on Wireshark have the same filtering logic where we specify:
It is important that each expression be placed in its own brackets! To view the payload in Wireshark, select the desired packet; for tcpdump, add the -A option when reading the file:
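An added example (not from the original article) that puts the steps above together in one shell script: it builds the filter expression with lower-case and/not operators, captures on the any pseudo-interface into a pcap file, checks the file's magic number before it is copied to the Wireshark workstation, and reads the payload back with -A. The addresses and the analyst@workstation destination are assumed sample values.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article.
set -eu

# Build a tcpdump (BPF) filter expression. Arguments: target host, target port,
# and the analyst's IP, whose own SSH session is left out of the capture.
# The keywords and/or/not are written in lower case in a tcpdump expression.
build_filter() {
    local host="$1" port="$2" analyst="$3"
    printf 'host %s and port %s and not (host %s and port 22)' "$host" "$port" "$analyst"
}

# Capture to a pcap file. -i any listens on all interfaces, -nn turns off
# name lookups so the capture does not stall on DNS, -c limits the packet
# count so the command returns on its own. Needs root (or CAP_NET_RAW).
capture() {
    local out="$1" count="$2"; shift 2
    tcpdump -i any -nn -c "$count" -w "$out" "$@"
}

# Read a capture back on the same machine; -A prints each payload as ASCII.
show_payload() {
    tcpdump -nn -A -r "$1"
}

# Sanity check before sending the file to the Wireshark workstation: pcap
# files start with magic 0xa1b2c3d4 (0xa1b23c4d for nanosecond timestamps),
# stored in either byte order.
is_pcap() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the workflow only when invoked as "script.sh run" (constructed sample
# addresses; analyst@workstation is a placeholder destination).
if [ "${1:-}" = "run" ]; then
    filter=$(build_filter 192.168.1.1 80 192.168.1.50)
    capture /tmp/web.pcap 200 "$filter"
    is_pcap /tmp/web.pcap && scp /tmp/web.pcap analyst@workstation:~/
    show_payload /tmp/web.pcap | head -n 40
fi
```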
In a similar way, you can check connectivity to different devices and the information they are transmitting. Intruders often modify packets or tamper with protocol behaviour, and this approach lets you spot that immediately! In this article, we learned how to use packet analyzers and network packet capture tools!
Once these commands have run, you will have the captured packets and their parameters to work with. If you do not have sufficient resources, you can perform these tasks on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for general-purpose and virtualization use.