Jay Anderson on 3 Sep 2014 18:55:16 -0700



Re: [PLUG] Tools for analyzing network traffic from personal computer?


On 09/03/14 21:36, Rich Freeman wrote:
On Wed, Sep 3, 2014 at 9:17 PM, brent timothy saner
<brent.saner@gmail.com> wrote:
netstat, lsof, and ilk are great for seeing listening UDP
sockets/established TCP connections/etc...

and wireshark is great for a graphical breakdown of packet flow..

But if you're on a server and you want to capture complete traffic from
the commandline for analysis (which the cli-version of wireshark CAN do,
but on some distros it requires installation of the GUI wireshark as
well- which pulls in gtk2, X, etc. as dependencies) I do the following:

tcpdump -w /path/to/desired/pcap/file -i <interface>
It is also recommended to run tcpdump as root and then process the
resulting dump file as non-root using wireshark, that way you're not
exposing your system to any wireshark vulnerabilities.

Another useful tool is ntop, though it is a bit less conventional in
that its UI is a website.  It is better for looking at the big picture
- connections, traffic flow, etc.  It isn't suitable for packet
inspection, but it isn't limited to a single host like netstat is.

Somebody mentioned looking at pids using lsof.  I find lsof a pain
since it is SO verbose with the unix sockets (I'm sure you can turn
that off).  I find a quick netstat -tlnp tends to tell me everything I
need to know.

Check out snort as well (http://snort.org).  It has rules to detect all sorts of interesting (and not necessarily nice) things on the network.  It has been around awhile.

Jay
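As an added example (not from the thread or from any of the tools named in it), the non-root post-processing step described above done with a small, bounds-checked reader rather than a full dissector: it parses the pcap framing that `tcpdump -w` writes plus Ethernet/IPv4/TCP/UDP headers, tallies destination ports, and refuses truncated or non-Ethernet files. The two-packet capture it reads is constructed inline.

```python
import struct
from collections import Counter

# Constructed sample pcap (not a real capture): one TCP packet to port 22
# and one UDP packet to port 53, framed the way tcpdump -w writes them.
def _pkt(proto, dport):
    eth = b"\x00" * 12 + b"\x08\x00"                 # Ethernet, type IPv4
    payload = struct.pack("!HH", 40000, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = eth + ip + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) \
    + _pkt(6, 22) + _pkt(17, 53)


def summarize_pcap(data: bytes) -> Counter:
    """Return a Counter of (ip_proto, dst_port) seen in an Ethernet/IPv4 pcap.

    Every length is checked against the buffer before use, so a truncated or
    hostile file raises ValueError instead of being read past its end.
    """
    if len(data) < 24:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # only DLT_EN10MB (Ethernet) is handled here
        raise ValueError("unsupported link type %d" % linktype)
    counts, off = Counter(), 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl]
        if len(frame) != incl:
            raise ValueError("truncated packet")
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short for Ethernet + IPv4 headers
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        proto = frame[23]                 # IPv4 protocol field
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: dst port at +2
            counts[(proto, struct.unpack("!H", l4[2:4])[0])] += 1
    return counts
```

Run it as the unprivileged user on the file tcpdump produced (`summarize_pcap(open(path, "rb").read())`); nanosecond-resolution and pcapng files are deliberately rejected as "not a pcap file".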

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug