Linux Security: Packet Capture and Analysis
It’s crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review.
Use a tshark capture filter to collect TCP traffic on port 80.
- Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out.
  # -f sets the capture (BPF) filter and -V prints the full packet dissection.
  # -R is a two-pass read filter that requires -2 on current tshark releases,
  # so the single-pass display filter -Y is used here to keep only HTTP packets.
  tshark -f "tcp port 80" -V -Y http > /root/http_out
- In another SSH session, run curl www.example.com/index.html during the capture:
  curl www.example.com/index.html
Use a tshark display filter to collect HTTP traffic and print only HTTP response codes.
- Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response.
  # -Y is the display filter; -T fields with -e prints only the named field.
  tshark -Y http -T fields -e http.response.code > /root/http_response
- In a separate SSH session, run curl www.example.com/index.html and then curl www.example.com/error.html during the capture:
  curl www.example.com/index.html
  curl www.example.com/error.html
Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.
- Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds.
  # "tcp src port 22" matches the workstation's own SSH replies, so ip.dst is
  # the remote host that is talking to port 22.
  tshark -f "tcp src port 22" -T fields -e ip.dst
- Add the IP address(es) to /root/ssh_ip in a newline-delimited format.
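The last task above, as an added shell example that is not part of the original lab: it bounds the capture to a fixed duration so the command returns on its own, and turns tshark's raw per-packet field output into the deduplicated, newline-delimited list the task asks for. The function names, the 10-second default and the sample lines are assumptions made for this example.

```shell
# Added example, not the lab's own commands. Run as root on the workstation.

# Capture the workstation's SSH replies for a fixed number of seconds and print
# the peer address of each packet. "tcp src port 22" is the lab's approach: the
# reply's ip.dst is the remote host talking to our port 22. -a duration:N stops
# the capture by itself; -l line-buffers so output can be piped while capturing.
# Caveat: the SSH session this is typed into is itself port-22 traffic, so the
# administrator's own client address will show up in the list.
capture_ssh_peers() {
    seconds="${1:-10}"   # assumed default; tune to the observation window
    tshark -a "duration:${seconds}" -l \
        -f "tcp src port 22" \
        -T fields -e ip.dst
}

# tshark prints one line per packet, and an empty line for any packet with no
# IPv4 layer. Keep only well-formed dotted-quad addresses and drop repeats
# while preserving first-seen order, so one busy client yields one line.
normalize_ips() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$0]++'
}

# Read raw tshark field output on stdin, write the normalized list to the given
# file (default /root/ssh_ip, as in the lab) and print how many addresses were
# written. Separated from the capture so it can be checked on canned input.
write_ip_list() {
    out="${1:-/root/ssh_ip}"
    normalize_ips > "$out"
    wc -l < "$out" | tr -d ' '
}

# Typical use on the workstation (not executed when this file is only sourced):
#   capture_ssh_peers 10 | write_ip_list /root/ssh_ip
```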