Packet Sniffing

Many of our readers routinely ask us how they can capture packets to send data to the Storm Center.  A few different things to consider:

What do you want to capture? 
    Specific ports or protocols? 
    Snapshot of traffic?

What line speed are you capturing at?

What device are you capturing on?

Two common tools for capturing packets are tcpdump and wireshark/tshark.  In this diary we will look briefly at each of them, along with their pros and cons.

tcpdump

The venerable tcpdump is a staple for many of us who analyze traffic for a living.  It is simple, powerful, and above all ported to many platforms.  Tcpdump uses the BPF (Berkeley Packet Filter) syntax for filtering packets out of your capture.

An example tcpdump command:

tcpdump -nn -i eth0 -s 1514 -w file.cap 'tcp and port 5050'

This command captures full Ethernet frames (1500-byte MTU + 14 bytes of frame header, hence -s 1514), binds to interface eth0 (-i switch), and writes to a file called "file.cap" (-w).  The end of the command line is the BPF expression, matching TCP packets with port 5050 as either source or destination.  The -nn disables host name and port resolution.


wireshark / tshark

Wireshark and tshark are the new names for the old-school tools ethereal and tethereal.  Wireshark is the graphical tool, and tshark is a command-line tool.

Given that most readers probably have experience with wireshark or ethereal, let's look more closely at tshark.

The biggest advantage of using tshark is that it includes a ring buffer for packet capturing.  If you find yourself dropping packets with tcpdump, try tshark with the ring buffer.

The following command runs tshark bound to interface en0 (-i), disabling name resolution (-n), using a ring buffer that rotates files every 10000K (-b filesize:10000), and writing to files with the basename "foo" (-w foo).

tshark -i en0 -b filesize:10000 -w foo -n

You end up with files named as follows:
foo_00001_20070831000015
foo_00002_20070831000039
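As an added example that is not part of the original diary, here is a small POSIX shell helper that turns the ring-buffer names above into a lookup: given the time of an event (an IDS alert, say), it picks the file tshark was writing at that moment. The basename_NNNNN_YYYYMMDDhhmmss layout is taken from the names shown above; the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original diary: map an event time to the tshark
# ring-buffer file that was being written at that moment. tshark -b names files
# <basename>_<NNNNN>_<YYYYMMDDhhmmss> (the foo_00001_20070831000015 form shown
# above); each file's start stamp is where the previous file ended.

# Turn one ring-buffer file name into a sortable integer key: the 14-digit start
# stamp followed by the 5-digit sequence number (the sequence breaks ties when
# two files start in the same second). Prints nothing and returns 1 for names
# that do not match the ring-buffer naming scheme.
ring_key() {
    base=${1##*/}                 # drop any directory part
    stamp=${base##*_}             # 20070831000015
    stamp=${stamp%%.*}            # tolerate a trailing extension
    rest=${base%_*}               # foo_00001
    seq=${rest##*_}               # 00001
    case $stamp in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    case $seq in
        [0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s%s\n' "$stamp" "$seq"
}

# Usage: ring_file_for YYYYMMDDhhmmss file...
# Prints the file with the greatest start key that is not after the target
# second, i.e. the file that was open when the event happened. Returns 1 if
# every file starts after the target: the ring buffer has already rotated that
# traffic out, so the packets are gone.
ring_file_for() {
    target="${1}99999"; shift     # any file started within the target second counts
    best=; best_key=0
    for f in "$@"; do
        key=$(ring_key "$f") || continue        # skip names that are not ring files
        if [ "$key" -le "$target" ] && [ "$key" -gt "$best_key" ]; then
            best=$f; best_key=$key
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Constructed demo: which file holds an alert seen at 2007-08-31 00:00:20?
ring_file_for 20070831000020 foo_00001_20070831000015 foo_00002_20070831000039
```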

Next time we will look at Marty (of Snort fame) Roesch's new tool: Daemonlogger.
 
Mike Poor
Intelguardians