[Durham] Automating a network sniffer

Dougie Nisbet dougie at highmoor.co.uk
Mon Nov 1 08:44:34 UTC 2010


I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit. 
All my PCs are clean and I can't find anything amiss.

Abuse report:

For more information on this report please visit 
http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone


Asn: 13037
Geo: UK
Url: GET / HTTP/1.1
Type:
Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.11) 
Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
Tor:
Src_port: 26691
P0f_genre: Windows
P0f_detail: 2000 SP4, XP SP1+
Hostname:
Dst_port: 80
Http_host: 87.106.24.200
Http_referer:
Http_referer_asn:
Http_referer_geo:
Dst_ip: 87.106.24.200
Dst_asn: 8560
Dst_geo: DE


How much of this is likely to be reliable? I don't run MS XP or 2000 for 
example.

Anyway, my question is: I'd like to set up a network sniffer on my LAN 
with a rotating logfile. A few days if possible. I've had a look at 
wireshark and thought it looked promising but I can't figure out how to 
configure it to run out of a cron job and to close its data file each 
day and re-open a new one. Would I be better looking at tcpdump or 
tshark? I realise that the volumes may make this unrealistic anyway but 
I think I could probably get a couple of days' worth in a logfile or 
two. Can anyone offer an off-the-shelf command line/cron job that might 
do it?

Thanks,

Dougie
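An off-the-shelf answer to the rotating-capture question above, as an added example that is not part of the original thread. It assumes the LAN-facing interface is eth0, that captures go to /var/log/pcap, that three days are kept, and that the crontab lines are installed in /etc/cron.d (whose format carries a user field). The default BPF filter keeps only traffic to the sinkhole address and port quoted in the abuse report (87.106.24.200, TCP 80), which keeps the volume small; set FILTER='' to capture everything.

```shell
#!/bin/sh
# Daily-rotating LAN capture with tcpdump, driven from cron.
# Added example, not from the original post.  Assumptions: interface
# eth0, capture directory /var/log/pcap, three days of retention, and
# /etc/cron.d-style crontab lines (minute hour dom mon dow user command).
set -eu

IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/log/pcap}"
KEEP_DAYS="${KEEP_DAYS:-3}"
# Filter taken from the abuse report; FILTER='' captures all traffic.
FILTER="${FILTER-host 87.106.24.200 and tcp port 80}"

# Compose the tcpdump command line.  -G 86400 closes the current -w file
# and opens a new one every 24 h; the strftime escapes in the filename
# are what make each day's file distinct (without them -G reuses one
# name).  -n skips DNS lookups, -s 0 keeps whole packets, -U flushes
# every packet to disk so a crash loses little.
build_capture_cmd() {
    iface=$1; capdir=$2; filter=$3
    printf '%s\n' "tcpdump -i $iface -n -s 0 -U -G 86400 -w '$capdir/lan-%Y%m%d-%H%M%S.pcap' $filter"
}

# Remove rotated files older than $2 days.  Used instead of tcpdump's -W:
# combined with -G, -W makes tcpdump exit after that many files rather
# than wrapping around.  Prints each file it removes.
prune_old_captures() {
    capdir=$1; days=$2
    find "$capdir" -name 'lan-*.pcap' -type f -mtime +"$days" -print -exec rm -f {} +
}

# In a crontab an unescaped % is turned into a newline, so the strftime
# escapes in the capture filename must be written as \% there.
cron_escape() {
    printf '%s\n' "$1" | sed 's/%/\\%/g'
}

# Crontab lines for /etc/cron.d: start the capture at boot (runs as root
# because tcpdump needs raw-socket access) and prune every night at 02:30.
# $1 is the installed path of this script (assumed: /usr/local/sbin/lancap).
crontab_entries() {
    script=${1:-/usr/local/sbin/lancap}
    cmd=$(cron_escape "$(build_capture_cmd "$IFACE" "$CAPDIR" "$FILTER")")
    printf '@reboot root %s >/dev/null 2>&1\n' "$cmd"
    printf '30 2 * * * root %s prune\n' "$script"
}

case "${1:-cron}" in
    start) mkdir -p "$CAPDIR"
           eval "exec $(build_capture_cmd "$IFACE" "$CAPDIR" "$FILTER")" ;;
    prune) prune_old_captures "$CAPDIR" "$KEEP_DAYS" ;;
    cron)  crontab_entries "${2:-}" ;;
    *)     echo "usage: $0 start|prune|cron [installed-path]" >&2; exit 2 ;;
esac
```

Running the script with no argument prints the two crontab lines to paste into /etc/cron.d. Two caveats worth knowing before trusting the result: on a switched LAN a host only sees its own traffic plus broadcasts, so the capture has to run on the gateway or on a mirror/span port to see the PC that the report describes; and the tshark equivalent, `tshark -i eth0 -b duration:86400 -b files:3 -w /var/log/pcap/lan.pcap`, is a true ring buffer that deletes its oldest file itself, whereas tcpdump's -W with -G stops after the file count is reached, which is why the example prunes from cron instead.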

