[Durham] Automating a network sniffer
richm at oldelvet.org.uk
Mon Nov 1 09:49:33 UTC 2010
On 01/11/2010 08:44, Dougie Nisbet wrote:
> I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
> All my PCs are clean and I can't find anything amiss.
> Abuse report:
> For more information on this report please visit
> Asn: 13037
> Geo: UK
> Url: GET / HTTP/1.1
> Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:18.104.22.168)
> Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
> Src_port: 26691
> P0f_genre: Windows
> P0f_detail: 2000 SP4, XP SP1+
> Dst_port: 80
> Http_host: 22.214.171.124
> Dst_ip: 126.96.36.199
> Dst_asn: 8560
> Dst_geo: DE
> How much of this is likely to be reliable? I don't run MS XP or 2000 for
I'm assuming that you have a static IP address assignment and that the
abuse email really was about your address. The information above doesn't
list the email address
That information doesn't list your IP address (at all) and doesn't have
a hostname. A quick check shows that the address you just sent this mail
from does have a reverse hostname so I'm wondering why that isn't in the
email (unless you edited it out for modesty!).
> Anyway my question is; I'd like to set up a network sniffer on my LAN
> with a rotating logfile. A few days if possible. I've had a look at
> wireshark and thought it looked promising but I can't figure out how to
> configure it to run out of a cron job and to close its data file each
> day and re-open a new one. Would I be better looking at tcpdump or
> tshark? I realise that the volumes may make this unrealistic anyway but
> I think I could probably get a couple of day's worth in a logfile or
> two. Can anyone offer an off-the-shelf command line/cron job that might
> do it?
tcpdump is an age old workhorse that will do what you want. Something like
sudo tcpdump -i eth0 -C 128 -w afilename.pcap
of course tweak eth0 to suit the name of your interface. That will
rotate the file every 128Meg (see man page for what names it uses).
I'm not sure you need to run using cron because it will just keep
capturing until you kill it.
By default tcpdump only captures the first 68 bytes of each packet. This
reduces the size of the capture file and makes it (mostly) suitable for
working out how said what/when but obviously you don't get all the data
to find out what was said.
Once you have a capture then wireshark is a pretty good tool for
analysing the data. I'd suggest going to the Statistics -> Conversations
and Statistics -> Endpoints options as a first port of call.
Another option is to use argus, http://www.qosient.com/argus/ , I've
used this a small amount but it is designed to audit traffic and
summarizes where things are coming and going to.
Of course one thing you have to remeber is that most networks are
switched these days so you really need to run the capture on your router
so that you see everything. If you don't do that then you are likely to
miss most of the exciting traffic. Wifi is slightly different there.
Finally in my experience just capturing traffic for an hour or so is
often enough to find the culprit. Unless of course the culprit is your
neighbour doing drive by wifi hacking when you aren't in etc etc etc.
Good luck in your quest.
> Durham mailing list - Durham at mailman.lug.org.uk
More information about the Durham