[Durham] Automating a network sniffer
Dougie Nisbet
dougie at highmoor.co.uk
Mon Nov 1 08:44:34 UTC 2010
I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
All my PCs are clean and I can't find anything amiss.
Abuse report:
For more information on this report please visit
http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
Asn: 13037
Geo: UK
Url: GET / HTTP/1.1
Type:
Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.11)
Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
Tor:
Src_port: 26691
P0f_genre: Windows
P0f_detail: 2000 SP4, XP SP1+
Hostname:
Dst_port: 80
Http_host: 87.106.24.200
Http_referer:
Http_referer_asn:
Http_referer_geo:
Dst_ip: 87.106.24.200
Dst_asn: 8560
Dst_geo: DE
How much of this is likely to be reliable? I don't run MS XP or 2000 for
example.
Anyway my question is; I'd like to set up a network sniffer on my LAN
with a rotating logfile. A few days if possible. I've had a look at
wireshark and thought it looked promising but I can't figure out how to
configure it to run out of a cron job and to close its data file each
day and re-open a new one. Would I be better looking at tcpdump or
tshark? I realise that the volumes may make this unrealistic anyway but
I think I could probably get a couple of day's worth in a logfile or
two. Can anyone offer an off-the-shelf command line/cron job that might
do it?
Thanks,
Dougie
More information about the Durham
mailing list