[Durham] Automating a network sniffer

Richard Mortimer richm at oldelvet.org.uk
Mon Nov 1 09:49:33 UTC 2010

On 01/11/2010 08:44, Dougie Nisbet wrote:
> I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
> All my PCs are clean and I can't find anything amiss.
> Abuse report:
> For more information on this report please visit
> http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
> Asn: 13037
> Geo: UK
> Url: GET / HTTP/1.1
> Type:
> Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:
> Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
> Tor:
> Src_port: 26691
> P0f_genre: Windows
> P0f_detail: 2000 SP4, XP SP1+
> Hostname:
> Dst_port: 80
> Http_host:
> Http_referer:
> Http_referer_asn:
> Http_referer_geo:
> Dst_ip:
> Dst_asn: 8560
> Dst_geo: DE
> How much of this is likely to be reliable? I don't run MS XP or 2000 for
> example.
I'm assuming that you have a static IP address assignment and that the 
abuse email really was about your address. The information above doesn't 
list the email address.
That information doesn't list your IP address (at all) and doesn't have 
a hostname. A quick check shows that the address you just sent this mail 
from does have a reverse hostname so I'm wondering why that isn't in the 
email (unless you edited it out for modesty!).

> Anyway my question is: I'd like to set up a network sniffer on my LAN
> with a rotating logfile. A few days if possible. I've had a look at
> wireshark and thought it looked promising but I can't figure out how to
> configure it to run out of a cron job and to close its data file each
> day and re-open a new one. Would I be better looking at tcpdump or
> tshark? I realise that the volumes may make this unrealistic anyway but
> I think I could probably get a couple of days' worth in a logfile or
> two. Can anyone offer an off-the-shelf command line/cron job that might
> do it?

tcpdump is an age old workhorse that will do what you want. Something like

sudo tcpdump -i eth0 -C 128 -w afilename.pcap

of course tweak eth0 to suit the name of your interface. That will 
rotate the file every 128Meg (see man page for what names it uses).

I'm not sure you need to run using cron because it will just keep 
capturing until you kill it.

By default tcpdump only captures the first 68 bytes of each packet. This 
reduces the size of the capture file and makes it (mostly) suitable for 
working out who said what/when but obviously you don't get all the data 
to find out what was said.

Once you have a capture then wireshark is a pretty good tool for 
analysing the data. I'd suggest going to the Statistics -> Conversations 
and Statistics -> Endpoints options as a first port of call.

Another option is to use argus (http://www.qosient.com/argus/). I've 
used this a small amount but it is designed to audit traffic and 
summarizes where things are coming and going to.

Of course one thing you have to remember is that most networks are 
switched these days so you really need to run the capture on your router 
so that you see everything. If you don't do that then you are likely to 
miss most of the exciting traffic. Wifi is slightly different there.

Finally in my experience just capturing traffic for an hour or so is 
often enough to find the culprit. Unless of course the culprit is your 
neighbour doing drive by wifi hacking when you aren't in etc etc etc.

Good luck in your quest.

> Thanks,
> Dougie
> _______________________________________________
> Durham mailing list - Durham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/durham
> http://www.nelug.org.uk/
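The two pieces of the reply that people usually end up scripting are the rotating tcpdump capture and the "who talked to whom" summary that Wireshark's Statistics -> Conversations view gives you. The POSIX sh script below is an added example written for this page; it is not Richard's command nor anything from the tcpdump or Wireshark projects. It assumes a tcpdump 4.x that understands -G, -Z and strftime patterns in -w, an interface name supplied in CAP_IF, and a capture directory that the unprivileged user named by -Z can write to. The summary function parses tcpdump's own one-line text output (tcpdump -nn -r file.pcap) with awk, so it runs without Wireshark; the sample lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Cron-friendly wrapper around
# a daily-rotating tcpdump capture, plus an awk "conversations" summary.
# Assumed: tcpdump 4.x, interface in CAP_IF, writable CAP_DIR for user nobody.
# Suggested crontab entries (hypothetical path):
#   @reboot   /usr/local/sbin/lancap.sh run     # capture until killed
#   0 3 * * * /usr/local/sbin/lancap.sh prune   # drop old files nightly
# Remember the switched-network caveat from the reply: run this on the
# router/gateway, or you will only see your own host's traffic.
set -eu

CAP_IF="${CAP_IF:-eth0}"            # interface to capture on (assumed name)
CAP_DIR="${CAP_DIR:-/var/log/pcap}" # where rotated .pcap files land (assumed)
KEEP_DAYS="${KEEP_DAYS:-3}"         # how many days of captures to retain

# Compose the tcpdump command line and return it as a string, so it can be
# inspected (and tested) without root and without a real interface.
#   -nn       no name/port lookups (faster, and no DNS noise in the capture)
#   -s 0      whole packets instead of the old 68-byte default snaplen;
#             newer tcpdump versions default to full packets anyway
#   -G 86400  close the file and open a new one every 24 hours; the
#             %Y-%m-%d in the -w name is expanded via strftime per file
#   -C 128    additionally cap any one file at 128 MB; tcpdump appends a
#             numeric suffix when a day's capture overflows that size
#   -Z nobody drop root privileges once the interface is open
build_capture_cmd() {
  iface=$1; dir=$2
  printf 'tcpdump -i %s -nn -s 0 -G 86400 -C 128 -Z nobody -w %s/capture-%%Y-%%m-%%d.pcap' \
    "$iface" "$dir"
}

# Delete rotated captures older than $2 days so a multi-day capture cannot
# fill the disk. The glob also matches tcpdump's numeric overflow suffixes.
prune_old_captures() {
  dir=$1; days=$2
  find "$dir" -name 'capture-*.pcap*' -type f -mtime +"$days" -exec rm -f {} +
}

# Summarise tcpdump text output ("tcpdump -nn -r file.pcap") into per-host-pair
# packet counts, busiest pair first: a command-line stand-in for Wireshark's
# Statistics -> Conversations view. Line shape handled:
#   HH:MM:SS.uuuuuu IP src[.port] > dst[.port]: ...
# Only the IPv4 "IP" lines are counted; the trailing .port is stripped only
# when the token really has five dot-separated fields (ICMP lines have none).
summarize_conversations() {
  awk '
    function host(t,  a) { return (split(t, a, ".") == 5) ? a[1] "." a[2] "." a[3] "." a[4] : t }
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      n[host(src) " " host(dst)]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort -k3,3nr
}

case "${1:-}" in
  run)
    mkdir -p "$CAP_DIR"
    prune_old_captures "$CAP_DIR" "$KEEP_DAYS"
    # tcpdump keeps rotating until it is killed, so no daily cron job is
    # needed for the capture itself; the string is word-split on purpose.
    cmd=$(build_capture_cmd "$CAP_IF" "$CAP_DIR")
    exec $cmd ;;
  prune)     prune_old_captures "$CAP_DIR" "$KEEP_DAYS" ;;
  summarize) tcpdump -nn -r "$2" | summarize_conversations ;;
esac
```

Usage: `sh lancap.sh run` (as root, or via sudo in an @reboot cron entry) starts the capture; `sh lancap.sh summarize /var/log/pcap/capture-2010-11-01.pcap` prints lines like `192.168.1.10 203.0.113.5 2` (constructed example values), which is the quickest way to spot one internal host talking to an address on port 80 that nobody in the house recognises. Because -Z drops privileges, make sure the capture directory is writable by that user, or tcpdump will exit when it tries to open the first file.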
