9.16. Observing Network Traffic

Problem

You want to watch network traffic flowing by (or through) your machine.

Solution

Use a packet sniffer such as tcpdump.[7]

To sniff packets and save them in a file:

# tcpdump -w filename [-c count] [-i interface] [-s snap-length] [expression]

To read and display the saved network trace data:

$ tcpdump -r filename [expression]

To select packets related to particular TCP services to or from a host:

# tcpdump tcp port service [or service] and host server.example.com

For a convenient and powerful GUI, use Ethereal. [Recipe 9.17]

To enable an unconfigured interface, for a “stealth” packet sniffer:

# ifconfig interface-name 0.0.0.0 up

To print information about all of your network interfaces with loaded drivers: [Recipe 3.1]

$ ifconfig -a

Discussion

Is your system under attack? Your firewall is logging unusual activities, you see lots of half-open connections, and the performance of your web server is degrading. How can you learn what is happening so you can take defensive action? Use a packet sniffer to watch traffic on the network!

In normal operation, network interfaces are programmed to receive only the following:

  • Unicast packets , addressed to a specific machine

  • Multicast packets , targeted to systems that choose to subscribe to services like streaming video or sound

  • Broadcast packets , for when an appropriate destination is not known, or for important information that is probably of interest to all machines on the network

The term “unicast” is not an oxymoron: ...

Get Linux Security Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.