Rich Freeman on 3 Sep 2014 18:43:57 -0700



Re: [PLUG] Tools for analyzing network traffic from personal computer?


On Wed, Sep 3, 2014 at 9:17 PM, brent timothy saner
<brent.saner@gmail.com> wrote:
> netstat, lsof, and ilk are great for seeing listening UDP
> sockets/established TCP connections/etc...
>
> and wireshark is great for a graphical breakdown of packet flow..
>
> But if you're on a server and you want to capture complete traffic from
> the commandline for analysis (which the cli-version of wireshark CAN do,
> but on some distros it requires installation of the GUI wireshark as
> well- which pulls in gtk2, X, etc. as dependencies) I do the following:
>
> tcpdump -w /path/to/desired/pcap/file -i <interface>

It is also recommended to run tcpdump as root and then process the
resulting dump file as non-root using wireshark; that way you're not
exposing your system to any wireshark vulnerabilities.

Another useful tool is ntop, though it is a bit less conventional in
that its UI is a website.  It is better for looking at the big picture
- connections, traffic flow, etc.  It isn't suitable for packet
inspection, but it isn't limited to a single host like netstat is.

Somebody mentioned looking at pids using lsof.  I find lsof a pain
since it is SO verbose with the unix sockets (I'm sure you can turn
that off).  I find a quick netstat -tlnp tends to tell me everything I
need to know.

--
Rich
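The privilege split described above (tcpdump captures as root, the dissector runs as an ordinary user), as an added shell example that is not from this thread. It assumes tcpdump's `-Z` option (drop to a given user once the interface is open) and tshark, the command-line Wireshark mentioned in the quoted message; the pcap magic-number check is an extra guard the thread does not discuss.

```shell
#!/bin/sh
# Privilege-separated capture and analysis.
# Capture side (needs raw sockets):  sudo ./capsep.sh capture eth0 /tmp/caps/x.pcap alice
# Analysis side (as the analyst):    ./capsep.sh analyze /tmp/caps/x.pcap
set -eu

# Return 0 if FILE begins with a pcap (either byte order, usec or nsec)
# or pcapng magic number, so a stray file is never handed to the dissector.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Root side: tcpdump opens IFACE as root, then -Z switches to USER before the
# savefile is created, so even the capture loop and the output file are
# unprivileged. The output directory must therefore be writable by USER.
capture() {
    iface=$1; out=$2; user=$3
    [ "$(id -u)" -eq 0 ] || { echo "capture needs root (try sudo)" >&2; return 1; }
    tcpdump -i "$iface" -Z "$user" -w "$out"
}

# Analyst side: refuse to dissect as root, and only open real capture files.
# Any extra arguments are passed through to tshark (e.g. a display filter).
analyze() {
    f=$1; shift
    [ "$(id -u)" -ne 0 ] || { echo "refusing to run the dissector as root" >&2; return 1; }
    is_pcap "$f" || { echo "$f: not a pcap/pcapng file" >&2; return 1; }
    tshark -r "$f" "$@"
}

case "${1:-}" in
    capture) shift; capture "$@" ;;
    analyze) shift; analyze "$@" ;;
esac
```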
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug