NETWORK MONITORING

TCPDUMP

View ASCII (-A) or HEX (-X) traffic:

tcpdump -A
tcpdump -X

View traffic with full date and time stamps (-tttt), no name resolution (-n) and verbose output (-vv):

tcpdump -tttt -n -vv

Find top talkers after 1000 packets (Potential DDoS):

tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr
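The one-liner above counts column 3 and relies on cut -d. -f1-4, which only works for dotted IPv4 addresses. The following is an added example, not part of the original page: it does the same count on the text tcpdump -nn prints but strips only the trailing ".port", so IPv6 sources are counted too, skips non-IP lines such as ARP, and adds a threshold so a source can be flagged automatically. The sample lines are constructed, not a real capture.

```shell
# Count packets per source address from tcpdump -nn output on stdin.
# Column 3 is "addr.port"; removing only the last ".xxx" keeps IPv6
# addresses intact (the cut -d. -f1-4 trick is IPv4-only).
# Non-IP lines (ARP etc.) are skipped.
top_talkers() {
  awk '$2 == "IP" || $2 == "IP6" {
         src = $3
         sub(/\.[^.]*$/, "", src)
         count[src]++
       }
       END { for (s in count) print count[s], s }' |
    sort -rn
}

# Print sources that sent at least THRESHOLD packets in the sample.
flag_talkers() {
  top_talkers | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample in the format produced by: tcpdump -nn -c 1000
SAMPLE=$(cat <<'EOF'
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.51235 > 10.0.0.1.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 10.0.0.7.40000 > 10.0.0.1.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP 10.0.0.5.51236 > 10.0.0.1.80: Flags [S], seq 4, win 64240, length 0
12:00:01.000005 IP6 2001:db8::1.443 > 2001:db8::2.51000: Flags [.], ack 1, win 500, length 0
12:00:01.000006 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28
12:00:01.000007 IP 10.0.0.7.40001 > 10.0.0.1.443: Flags [S], seq 5, win 64240, length 0
12:00:01.000008 IP 10.0.0.5.51237 > 10.0.0.1.80: Flags [S], seq 6, win 64240, length 0
EOF
)

# Live use would be: tcpdump -nn -c 1000 | flag_talkers 300
printf '%s\n' "$SAMPLE" | top_talkers
printf '%s\n' "$SAMPLE" | flag_talkers 3
```

On the sample this prints 4 packets for 10.0.0.5, 2 for 10.0.0.7 and 1 for 2001:db8::1, and flag_talkers 3 reports only 10.0.0.5. The threshold is a tuning value for your own baseline, not a fixed rule.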

Capture traffic on any interface from a target host and specific port and output to a file:

tcpdump -w <FILENAME>.pcap -i any dst <TARGET IP ADDRESS> and port 80

View traffic only between two hosts (quote the filter so the shell does not interpret &&):

tcpdump 'host 10.0.0.1 && host 10.0.0.2'

View all traffic except from a net or a host:

tcpdump 'not net 10.10 && not host 192.168.1.2'

View host and either of two other hosts:

tcpdump 'host 10.10.10.10 && (10.10.10.20 or 10.10.10.30)'

Save pcap files in a ring buffer rotated by size (-C is the file size in millions of bytes, -W the number of files to keep before overwriting the oldest; files are named capture.pcap0, capture.pcap1, ...):

tcpdump -n -s 65535 -C 100 -W 10 -w capture.pcap

Save pcap file to a remote host (exclude the SSH port from the capture, otherwise the transfer captures its own traffic in a feedback loop):

tcpdump -w - 'not port 50005' | ssh <REMOTE HOST ADDRESS> -p 50005 "cat - > /tmp/remotecapture.pcap"

Grab traffic that contains the word pass:

tcpdump -n -A -s0 | grep pass

Grab many clear text protocol passwords:

tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

Get throughput (pipe the raw capture through pv to display bytes, elapsed time, rate and ETA):

tcpdump -w - | pv -bert > /dev/null

Filter out ipv6 traffic:

tcpdump not ip6

Filter out ipv4 traffic (show only IPv6):

tcpdump ip6

Script to capture on all interfaces, rotating the output file every hour (-G 3600 with strftime names):

#!/bin/bash
tcpdump -pni any -s 65535 -G 3600 -w 'any_%Y-%m-%d_%H:%M:%S.pcap'

Script to pull multiple tcpdump files to an alternate location (rsync -a already implies -r):

#!/bin/bash
while true; do
    sleep 1
    rsync -azv --progress '<USER NAME>@<IP ADDRESS>:<TRAFFIC DIRECTORY>/.' '<DESTINATION DIRECTORY>/.'
done
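With -G, tcpdump keeps the newest file open until the next rotation, so a mover that copies everything can ship a truncated capture. The following is an added example, not part of the original page: it lists every rotated file except the one still being written (newest by mtime) and moves only those. The directory and file names are constructed for the demo; for a remote source the mv would be replaced by the rsync pull above.

```shell
# Print every *.pcap in DIR except the newest by mtime (the one tcpdump
# still has open). tcpdump's strftime names contain no whitespace, so
# parsing ls output is safe here.
completed_captures() {
  ls -1t "$1"/*.pcap 2>/dev/null | tail -n +2
}

# Move completed captures from SRC to DST and print the number moved.
move_completed() {
  mkdir -p "$2"
  moved=0
  for f in $(completed_captures "$1"); do
    mv "$f" "$2"/ && moved=$((moved + 1))
  done
  echo "$moved"
}

# Build a constructed capture directory with three hourly files; the
# 03:00 file plays the role of the capture still being written.
demo_capture_dir() {
  d=$(mktemp -d)
  touch -t 202401010100 "$d/any_2024-01-01_01:00:00.pcap"
  touch -t 202401010200 "$d/any_2024-01-01_02:00:00.pcap"
  touch -t 202401010300 "$d/any_2024-01-01_03:00:00.pcap"
  echo "$d"
}

d=$(demo_capture_dir)
echo "completed: $(completed_captures "$d" | tr '\n' ' ')"
echo "moved: $(move_completed "$d" "$d/shipped")"
rm -rf "$d"
```

Run on the demo directory this moves the 01:00 and 02:00 files and leaves the 03:00 file in place. In a cron job or the while loop above, call move_completed once per iteration instead of rsyncing the whole directory.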

Look for suspicious and self-signed SSL certificates (the BPF filter selects TLS handshake records, content type 0x16, whose first handshake message is a Client Hello, 0x01; the server's certificate follows in the reply):

tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Get SSL Certificate:

openssl s_client -connect <URL>:443
openssl s_client -connect <SITE>:443 </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <CERT>.pem

Examine and verify the certificate and check for Self-Signed:

openssl x509 -text -in <CERT>.pem
openssl x509 -in <CERT>.pem -noout -issuer -subject -startdate -enddate -fingerprint
openssl verify <CERT>.pem
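When many certificates have been pulled with the s_client one-liner above, a quick classification from the issuer and subject fields helps triage them before reading each one. The following is an added example, not part of the original page: classify_issuer reads the "issuer=" and "subject=" lines that openssl x509 -noout -issuer -subject prints, and classify_cert_file wraps it for a PEM file and adds a 30-day expiry check with -checkend. The field lines in the block are constructed, not captured from a real server; openssl's exact name formatting varies slightly between versions, which is why whole lines are compared rather than individual attributes.

```shell
# Read issuer=/subject= lines on stdin; print "self-signed" or "ca-issued".
# Equal names are the usual sign of a self-signed certificate but not proof:
# only "openssl verify" (above) checks the signature itself.
classify_issuer() {
  awk '
    /^issuer=/  { issuer  = substr($0, 8) }
    /^subject=/ { subject = substr($0, 9) }
    END {
      verdict = (issuer == subject) ? "self-signed" : "ca-issued"
      print verdict
    }'
}

# Wrapper for a PEM file on disk (needs openssl): classification plus an
# expiry check. -checkend N exits non-zero if the cert expires within N
# seconds; 2592000 s is 30 days.
classify_cert_file() {
  verdict=$(openssl x509 -in "$1" -noout -issuer -subject | classify_issuer)
  if openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; then
    echo "$1: $verdict, valid for more than 30 days"
  else
    echo "$1: $verdict, expires within 30 days or already expired"
  fi
}

# Constructed samples in the format of: openssl x509 -noout -issuer -subject
SELF_SIGNED_FIELDS='issuer=CN = selfsigned.example
subject=CN = selfsigned.example'
CA_ISSUED_FIELDS='issuer=C = US, O = Example CA, CN = Example Root
subject=CN = www.example.com'

printf '%s\n' "$SELF_SIGNED_FIELDS" | classify_issuer
printf '%s\n' "$CA_ISSUED_FIELDS" | classify_issuer
```

For a directory of extracted certificates: for c in *.pem; do classify_cert_file "$c"; done, then follow up on the self-signed and soon-to-expire entries with openssl x509 -text.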

Extract the server name (SNI) from TLS Client Hellos (on Wireshark 3.x and later the field prefix is tls. rather than ssl.):

tshark -nr <PCAP FILE NAME> -Y "ssl.handshake.ciphersuites" -Vx | grep -E "Server ?Name:" | sort | uniq -c | sort -rn

Extract Certificate info for analysis:

ssldump -Nr <FILE NAME>.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "========================================";} if ($0 !~ /^ +/ ) {c=0;} if (c==1) print $0; }'

TSHARK

Get list of network interfaces:

tshark -D

Listen on multiple network interfaces:

tshark -i eth1 -i eth2 -i eth3

Save to pcap and disable name resolution:

tshark -n -w <FILE NAME>.pcap

Get absolute date and time stamp:

tshark -t a

Get arp or icmp traffic:

tshark arp or icmp

Capture traffic between two [hosts] and/or [nets]:

tshark "host <HOST 1> && host <HOST 2>"
tshark -n "net <NET 1> && net <NET 2>"

Filter just host and IPs (or not your IP):

tshark -r <FILE NAME>.pcap -q -z hosts,ipv4
tshark not host <YOUR IP ADDRESS>

Not ARP and not DNS over UDP (capture filter syntax, so udp port 53 rather than the udp.port display field):

tshark 'not arp and not udp port 53'

Replay a pcap file:

tshark -r <FILE NAME>.pcap

Replay a pcap and just grab hosts and IPs:

tshark -r <FILE NAME>.pcap -q -z hosts

Set up a capture session with autostop conditions (duration = 60 s; -a filesize is in kB):

tshark -n -a files:10 -a filesize:100 -a duration:60 -w <FILE NAME>.pcap

Grab src/dst IPs only (-Y is the display filter; it replaces the older -R, which newer tshark only accepts together with -2):

tshark -n -Y ip -T fields -E separator=, -e ip.src -e ip.dst

Grab IP of src DNS and DNS query:

tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53
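The command above emits one "source;query" line per DNS packet. Counting distinct names per source highlights hosts that resolve an unusual number of different names, which is what DNS tunnelling and domain-generation malware look like on the wire. The following is an added example, not part of the original page, that profiles those lines and flags sources above a threshold; the sample lines are constructed.

```shell
# Read "ip.src;dns.qry.name" lines on stdin and print
# "distinct_names total_queries source", most distinct names first.
dns_query_profile() {
  awk -F';' 'NF == 2 && $2 != "" {
      total[$1]++
      if (!seen[$1 SUBSEP $2]++) distinct[$1]++
    }
    END { for (s in total) print distinct[s], total[s], s }' |
    sort -rn
}

# Print sources that resolved at least N distinct names.
dns_flag_sources() {
  dns_query_profile | awk -v n="$1" '$1 >= n { print $3 }'
}

# Constructed sample in the format of the tshark -T fields command above.
# 10.0.0.9 queries four different labels under one parent domain.
DNS_SAMPLE=$(cat <<'EOF'
10.0.0.5;www.example.com
10.0.0.5;www.example.com
10.0.0.5;mail.example.com
10.0.0.9;a1b2c3.t.example.net
10.0.0.9;d4e5f6.t.example.net
10.0.0.9;g7h8i9.t.example.net
10.0.0.9;j0k1l2.t.example.net
EOF
)

# Live use: tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53 | dns_flag_sources 200
printf '%s\n' "$DNS_SAMPLE" | dns_query_profile
printf '%s\n' "$DNS_SAMPLE" | dns_flag_sources 3
```

On the sample, 10.0.0.9 shows 4 distinct names in 4 queries while 10.0.0.5 shows 2 in 3, so dns_flag_sources 3 reports 10.0.0.9. Because port 53 also matches responses, whose ip.src is the resolver, add -Y "dns.flags.response == 0" to the tshark command when only client queries should be counted.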

Grab HTTP URL host and request:

tshark -Y http.request -T fields -E separator=';' -e http.host -e http.request.uri

Grab just HTTP host requests:

tshark -n -Y http.request -T fields -e http.host

Grab top talkers by IP dst (use -T fields rather than awk column numbers, which shift between tshark versions and output formats):

tshark -n -c 150 -T fields -e ip.dst | sort | uniq -c | sort -nr

Grab protocol hierarchy statistics:

tshark -q -z io,phs -r <FILE NAME>.pcap

Top requested HTTP URLs (host plus URI, query string stripped):

tshark -r <PCAP FILE>.cap -Y http.request -T fields -e http.host -e http.request.uri | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head

Source IPs of DNS responses (which servers are answering):

tshark -n -c 100 -e ip.src -Y "dns.flags.response eq 1" -T fields port 53

HTTP request URIs that mention exe:

tshark -n -e http.request.uri -Y http.request -T fields | grep exe

Top HTTP hosts requested:

tshark -n -c 1000 -e http.host -Y http.request -T fields port 80 | sort | uniq -c | sort -rn

SNORT

Run test on snort config file:

snort -T -c /<PATH TO SNORT>/snort/snort.conf

Read a log file with snort (-v verbose, -d dump packet payload):

snort -dv -r <LOG FILE NAME>.log

Replay a log file and match icmp traffic:

snort -dvr packet.log icmp

Logs in ASCII:

snort -K ascii -l <LOG DIRECTORY>

Logs in binary:

snort -l <LOG DIRECTORY>

Send events to console:

snort -q -A console -i eth0 -c /etc/snort/snort.conf
snort -c snort.conf -l /tmp/so/console -A console

Create a single snort rule and save (the header is action, protocol, source, source port, direction, destination, destination port; local rules need a unique sid, conventionally 1000000 or higher):

echo 'alert <PROTO> any any -> any any (msg:"<DESCRIPTION>"; <RULE OPTIONS>; sid:1000001; rev:1;)' > one.rule

Test single rule:

snort -T -c one.rule

Run single rule and output to console and logs dir:

mkdir ./logs
snort -vd -c one.rule -r <PCAP FILE NAME>.pcap -A console -l logs