[Durham] Automating a network sniffer

Mon Nov 1 10:13:30 UTC 2010

On 01/11/2010 09:49, Richard Mortimer wrote:
>
>
> On 01/11/2010 08:44, Dougie Nisbet wrote:
>> I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
>> All my PCs are clean and I can't find anything amiss.
>>
>> Abuse report:
>>
>> For more information on this report please visit
>> http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
>>
>>
>> Asn: 13037
>> Geo: UK
>> Url: GET / HTTP/1.1
>> Type:
>> Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.11)
>> Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
>> Tor:
>> Src_port: 26691
>> P0f_genre: Windows
>> P0f_detail: 2000 SP4, XP SP1+
>> Hostname:
>> Dst_port: 80
>> Http_host: 87.106.24.200
>> Http_referer:
>> Http_referer_asn:
>> Http_referer_geo:
>> Dst_ip: 87.106.24.200
>> Dst_asn: 8560
>> Dst_geo: DE
>>
>>
>> How much of this is likely to be reliable? I don't run MS XP or 2000 for
>> example.
> I'm assuming that you have a static IP address assignment and that the 
> abuse email really was about your address. The information above 
> doesn't list the email address
> That information doesn't list your IP address (at all) and doesn't 
> have a hostname. A quick check shows that the address you just sent 
> this mail from does have a reverse hostname so I'm wondering why that 
> isn't in the email (unless you edited it out for modesty!).
>

Yes you're right, I did. Although I'm not sure why. My static ip is 
there for all to see in my mail headers!

> tcpdump is an age old workhorse that will do what you want. Something 
> like
>
> sudo tcpdump -i eth0 -C 128 -w afilename.pcap
>
> of course tweak eth0 to suit the name of your interface. That will 
> rotate the file every 128Meg (see man page for what names it uses).
>
That looks nice and simple and elegant. I'll try that. Thanks.

>
> Of course one thing you have to remeber is that most networks are 
> switched these days so you really need to run the capture on your 
> router so that you see everything. If you don't do that then you are 
> likely to miss most of the exciting traffic. Wifi is slightly 
> different there.
>
My router (an old Zyxel) has a single LAN port that is connected to a 
switch, then to a collection of switches and hubs and APs. Running 
wireshark on the PC attached to the switch attached to the router 
*seems* to be picking up all my router traffic.

> Finally in my experience just capturing traffic for an hour or so is 
> often enough to find the culprit. Unless of course the culprit is your 
> neighbour doing drive by wifi hacking when you aren't in etc etc etc.
>
> Good luck in your quest.

Thanks. There's a really curious back-story to this that has me 
mystified. I can't find any malware on any of my PCs and I believe the 
network is secure. Unfortunately my APs (Netgear WG602) don't have a 
facility for logging of station lists to a logfile or other host so I 
can't do any retrospective digging on them.

Dougie