Auditing network attacks (Become an expert)
In this recipe you will learn how to identify well-known network attacks. Some of these attacks can have serious consequences in environments that do not implement appropriate countermeasures. We'll see how, with some skill with Tshark and by applying the correct filters, we can detect most of these attacks.
How to do it...
The examples that follow show how to detect some network attacks (internal and external) using just Tshark from the command line.
ARP spoofing
- If you suspect that someone is playing with ARP traffic, it would be advisable to run Tshark in SPAN or HUB mode (see the Capturing traffic (Must know) recipe). Subsequently, a good start would be to look at the rate of ARP reply packets:
bmerino@Mordor:~$ ...
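One way to check the ARP reply rate from the command line, as an added example that is not the book's own command: it reads tab-separated Tshark field output (epoch time, sender MAC, sender IP) for ARP replies and flags senders above a per-second threshold, and it goes one step beyond the rate check by also listing IP addresses claimed by more than one MAC. The file name `capture.pcap`, the threshold of 3, the function names and the sample rows are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Input rows: "epoch<TAB>sender_mac<TAB>sender_ip", one per ARP reply, e.g. from
#   tshark -r capture.pcap -Y 'arp.opcode == 2' -T fields \
#          -e frame.time_epoch -e arp.src.hw_mac -e arp.src.proto_ipv4
# (capture.pcap is a placeholder name, not a file from the book).

# arp_reply_audit MAX: MAX = replies per sender MAC per second tolerated
# (hypothetical threshold; tune it to the normal ARP chatter of the segment).
arp_reply_audit() {
  awk -F'\t' -v max="$1" '
    NF >= 3 {
      sec = int($1)                      # bucket replies by whole second
      rate[$2 FS sec]++                  # count per (sender MAC, second)
      if (!(($3 FS $2) in seen)) {       # first time this MAC claims this IP
        seen[$3 FS $2] = 1
        macs[$3] = macs[$3] (macs[$3] ? "," : "") $2
        claims[$3]++
      }
    }
    END {
      for (k in rate) if (rate[k] > max) {
        split(k, p, FS)                  # p[1] = MAC, p[2] = second
        if (rate[k] > peak[p[1]]) peak[p[1]] = rate[k]
      }
      for (m in peak)    printf "HIGH_RATE %s %d\n", m, peak[m]
      for (ip in claims) if (claims[ip] > 1)
        printf "IP_CONFLICT %s %s\n", ip, macs[ip]
    }' | sort
}

# Constructed sample (not a real capture): the gateway answers once, then a
# second MAC sends a burst of replies claiming the gateway address.
sample_replies() {
  printf '1700000000.10\t00:11:22:33:44:55\t192.168.1.1\n'
  printf '1700000000.50\t00:aa:bb:cc:dd:ee\t192.168.1.20\n'
  for i in 1 2 3 4 5 6; do
    printf '1700000001.%d0\t02:00:00:00:00:99\t192.168.1.1\n' "$i"
  done
  printf '1700000002.10\t02:00:00:00:00:99\t192.168.1.1\n'
}

sample_replies | arp_reply_audit 3
```

A `HIGH_RATE` line alone can be a chatty but legitimate host; an `IP_CONFLICT` on the gateway address together with a high reply rate from the second MAC is the combination worth investigating first.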