9.16. Observing Network Traffic
Problem
You want to watch network traffic flowing by (or through) your machine.
Solution
Use a packet sniffer such as tcpdump.[7]
To sniff packets and save them in a file:
# tcpdump -w filename [-c count] [-i interface] [-s snap-length] [expression]
To read and display the saved network trace data:
$ tcpdump -r filename [expression]
To select packets related to particular TCP services to or from a host (an identifier given without a keyword repeats the previous keyword, so "tcp port 80 or 443" means "tcp port 80 or tcp port 443"; "and" and "or" have equal precedence and associate left to right, so parenthesize anything more complex than this):
# tcpdump tcp port service [or service] and host server.example.com
For a convenient and powerful GUI, use Ethereal. [Recipe 9.17]
To enable an unconfigured interface, for a "stealth" packet sniffer (the interface comes up with no IP address, so it can capture traffic without being addressable on the network):
# ifconfig interface-name 0.0.0.0 up
To print information about all of your network interfaces with loaded drivers: [Recipe 3.1]
$ ifconfig -a
Discussion
Is your system under attack? Your firewall is logging unusual activities, you see lots of half-open connections, and the performance of your web server is degrading. How can you learn what is happening so you can take defensive action? Use a packet sniffer to watch traffic on the network!
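The capture file written by "tcpdump -w" is in the classic pcap format, which is simple enough to read without libpcap. The following is an added example (not code from the book) of a pure-Python pcap reader that decodes Ethernet/IPv4/TCP headers and counts, per client, the connections to a server port that received a SYN but never the client's final ACK, which is the "lots of half-open connections" symptom described above. The trace it analyses is constructed inline (the host addresses 10.0.0.5, 10.0.0.7 and 192.0.2.10 are made up, and checksums are left zeroed because nothing here verifies them); point read_pcap at a real tcpdump file to use it on live data.

```python
"""Read a tcpdump -w (pcap) file and count half-open TCP connections per client."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Constructed Ethernet/IPv4/TCP frame; MACs and checksums are zero (sample data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def write_pcap(frames, snaplen=65535):
    """Serialise frames the way tcpdump -w does (global header + per-record headers)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                         # -s snap-length truncation
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Yield (timestamp, frame_bytes); the magic number tells us the writer's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:                                      # truncated by a short snap-length
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport, tcp[13]


def half_open_by_client(pcap, server, port):
    """Count (client, port) pairs that sent SYN to server:port but never the handshake ACK."""
    pending = set()
    for _ts, frame in read_pcap(pcap):
        hdr = decode_tcp(frame)
        if hdr is None:
            continue
        src, dst, sport, dport, flags = hdr
        if dst != server or dport != port:
            continue
        if flags & TCP_SYN and not flags & TCP_ACK:
            pending.add((src, sport))
        elif flags & TCP_ACK:
            pending.discard((src, sport))
    counts = {}
    for src, _sport in pending:
        counts[src] = counts.get(src, 0) + 1
    return counts


def sample_capture():
    """Constructed trace: one completed handshake from 10.0.0.7, three naked SYNs from 10.0.0.5."""
    srv = "192.0.2.10"
    frames = [
        build_tcp_frame("10.0.0.7", srv, 40001, 80, TCP_SYN, seq=100),
        build_tcp_frame(srv, "10.0.0.7", 80, 40001, TCP_SYN | TCP_ACK, seq=500, ack=101),
        build_tcp_frame("10.0.0.7", srv, 40001, 80, TCP_ACK, seq=101, ack=501),
    ]
    for sport in (50001, 50002, 50003):
        frames.append(build_tcp_frame("10.0.0.5", srv, sport, 80, TCP_SYN))
        frames.append(build_tcp_frame(srv, "10.0.0.5", 80, sport, TCP_SYN | TCP_ACK))
    return write_pcap(frames)


if __name__ == "__main__":
    print(half_open_by_client(sample_capture(), "192.0.2.10", 80))   # {'10.0.0.5': 3}
```

The reader deliberately keys on (client, source port) rather than on the client alone, so a host that opens many legitimate connections is not flagged, while a host that leaves connections half-open piles up entries. Only the classic pcap format is handled; if you capture with a tool that writes pcapng, or with "-s" set so small that the TCP header is cut off, decode_tcp returns None for those records rather than guessing.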
In normal operation, network interfaces are programmed to receive only the following:
Unicast packets, addressed to a specific machine
Multicast packets, targeted to systems that choose to subscribe to services like streaming video or sound
Broadcast packets, for when an appropriate destination is not known, or for important information that is probably of interest to all machines on the network
The term “unicast” is not an oxymoron: ...