[Durham] Automating a network sniffer
dougie at highmoor.co.uk
Mon Nov 1 10:13:30 UTC 2010
On 01/11/2010 09:49, Richard Mortimer wrote:
> On 01/11/2010 08:44, Dougie Nisbet wrote:
>> I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
>> All my PCs are clean and I can't find anything amiss.
>> Abuse report:
>> For more information on this report please visit
>> Asn: 13037
>> Geo: UK
>> Url: GET / HTTP/1.1
>> Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:22.214.171.124)
>> Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
>> Src_port: 26691
>> P0f_genre: Windows
>> P0f_detail: 2000 SP4, XP SP1+
>> Dst_port: 80
>> Http_host: 126.96.36.199
>> Dst_ip: 188.8.131.52
>> Dst_asn: 8560
>> Dst_geo: DE
>> How much of this is likely to be reliable? I don't run MS XP or 2000 for
> I'm assuming that you have a static IP address assignment and that the
> abuse email really was about your address. The information above
> doesn't list the email address
> That information doesn't list your IP address (at all) and doesn't
> have a hostname. A quick check shows that the address you just sent
> this mail from does have a reverse hostname so I'm wondering why that
> isn't in the email (unless you edited it out for modesty!).
Yes you're right, I did. Although I'm not sure why. My static ip is
there for all to see in my mail headers!
> tcpdump is an age old workhorse that will do what you want. Something
> sudo tcpdump -i eth0 -C 128 -w afilename.pcap
> of course tweak eth0 to suit the name of your interface. That will
> rotate the file every 128Meg (see man page for what names it uses).
That looks nice and simple and elegant. I'll try that. Thanks.
> Of course one thing you have to remember is that most networks are
> switched these days so you really need to run the capture on your
> router so that you see everything. If you don't do that then you are
> likely to miss most of the exciting traffic. Wifi is slightly
> different there.
My router (an old Zyxel) has a single LAN port that is connected to a
switch, then to a collection of switches and hubs and APs. Running
wireshark on the PC attached to the switch attached to the router
*seems* to be picking up all my router traffic.
> Finally in my experience just capturing traffic for an hour or so is
> often enough to find the culprit. Unless of course the culprit is your
> neighbour doing drive by wifi hacking when you aren't in etc etc etc.
> Good luck in your quest.
Thanks. There's a really curious back-story to this that has me
mystified. I can't find any malware on any of my PCs and I believe the
network is secure. Unfortunately my APs (Netgear WG602) don't have a
facility for logging of station lists to a logfile or other host so I
can't do any retrospective digging on them.
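As an added example (not code from this thread or from tcpdump itself), a short POSIX shell script that reads the text output of the rotating tcpdump capture suggested above and lists which LAN host, by Ethernet MAC and IP, sent packets to the destination named in the abuse report; the capture file name, the LAN addresses and the sample tcpdump lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Given tcpdump's text output from a
# capture taken on the LAN side of the router, list which LAN hosts (MAC + IP)
# sent packets to the destination named in the abuse report. Assumed workflow:
#   sudo tcpdump -i eth0 -C 128 -w capture.pcap             # rotating capture
#   tcpdump -nn -e -r capture.pcap 'dst host 188.8.131.52 and dst port 80'
# -nn keeps addresses numeric and -e prints the Ethernet MACs, which is what
# identifies the device behind a switch or AP (compare against DHCP leases or
# the AP's station list).

# Destination taken from the abuse report quoted in the thread.
REPORTED_DST_IP="188.8.131.52"
REPORTED_DST_PORT="80"

# Constructed sample of `tcpdump -nn -e -r capture.pcap` output (not real data).
# Host 192.168.1.20 talks to the reported destination; the other lines are noise.
SAMPLE_LINES='10:13:30.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.20.26691 > 188.8.131.52.80: Flags [S], seq 1, win 5840, length 0
10:13:30.000002 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 188.8.131.52.80 > 192.168.1.20.26691: Flags [S.], seq 2, ack 2, win 5792, length 0
10:13:30.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 66: 192.168.1.20.26692 > 188.8.131.52.80: Flags [S], seq 3, win 5840, length 0
10:13:30.000004 00:66:77:88:99:aa > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 192.168.1.31.40001 > 192.0.2.10.443: Flags [S], seq 4, win 5840, length 0
10:13:31.000005 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 192.168.1.1, length 28'

# Read tcpdump -nn -e lines on stdin; print "<count> <src MAC> <src IP>" for
# every LAN sender of packets to DST_IP:DST_PORT, busiest sender first.
find_senders() {
  awk -v want="$1.$2" '
    $6 == "IPv4" {
      src = $10; dst = $12
      sub(/:$/, "", dst)            # strip the colon tcpdump puts after the destination
      if (dst != want) next
      sub(/\.[0-9]+$/, "", src)     # drop the source port, keep the IP
      print $2, src                 # source MAC and LAN IP
    }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
senders_in_sample() {
  printf '%s\n' "$SAMPLE_LINES" | find_senders "$REPORTED_DST_IP" "$REPORTED_DST_PORT"
}

senders_in_sample
```

For a real capture, replace the sample with `tcpdump -nn -e -r capture.pcap 'dst host 188.8.131.52 and dst port 80' | find_senders 188.8.131.52 80`.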