In forensic analysis, and in particular when creating a dump of network traffic in Linux, several utilities are used: first of all the console tool tcpdump, then the classic of the genre, Wireshark, and the open source XPLICO framework, although the latter is used more for the subsequent analysis of the data than for its initial collection.
Let’s start with tcpdump. A basic command looks like this:
$ tcpdump <options> <filter>
Here are some of the more important options:
- -i interface – specifies the interface from which to analyze traffic;
- -n – disables conversion of IP to domain names;
- -e – enables the output of data link layer (for example, MAC address);
- -v – display additional information (TTL, IP options);
- -w filename – specifies the name of the file to which the collected information should be saved (dump);
- -r filename – reading (loading) a dump from the specified file;
- -q – puts tcpdump into “quiet” mode, in which less protocol information is printed and the packet is shown at the transport level (TCP, UDP, ICMP) rather than the network level (IP).
Dump all incoming traffic from the Internet to our server:
$ tcpdump -s 0 -i eth0 -n -nn -ttt dst host <ip-address of our host> -w forensic_cap.pcap
An example of creating a network traffic dump using FTP or SSH protocols on eth0 interface:
$ tcpdump -s 0 -i eth0 -w forensic_cap.pcap port ftp or ssh
Dump everything that goes to the eth0 interface:
$ tcpdump -w forensic_cap -i eth0
Another utility suitable for our purposes is TCPflow. It is, in effect, a more advanced version of tcpdump: it supports even more filtering options and can recover data from “broken” packets.
If TCPflow is not in the system by default, then first install the tcpflow package.
Further, the basic command syntax looks like this:
$ tcpflow [options] [expression] [host]
And here is a description of the options:
- -c – only console printing (do not create files);
- -d – debug level (default 1);
- -e – display each stream in alternating colors (blue – client-server, red – server-client, green – unknown);
- -i – network interface for listening;
- -r – read packets from a tcpdump output file;
- -s – remove non-printable characters (will be replaced by periods).
An example of collecting data coming from the external network to our server:
$ tcpflow -ce host <our host's IP address>
We collect all HTTP traffic on our network:
$ tcpflow -i eth0 port 80
Dump network stream data to local folder:
$ mkdir tcpflowdata
$ cd tcpflowdata
$ tcpflow host <IP address of the target machine>
Now files containing the data of each network connection will be written to the tcpflowdata directory. All that remains for us to do later is to pass them to a parser for analysis.
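The two steps described in this article, writing a dump with tcpdump -w and then splitting it into one file per TCP connection with tcpflow, can be followed in code. The Python below is an added example and is not part of the original article or of either tool: it builds a small libpcap file from constructed Ethernet/IPv4/TCP frames (the format tcpdump -w writes), reads it back, and reassembles the payload of each direction of each TCP connection by sequence number, which is what tcpflow does when it creates its per-connection files. Addresses, ports and the HTTP text are constructed sample data; the flow naming only resembles tcpflow's and is an assumption of this example. It uses the standard library only.

```python
"""Minimal pcap writer/reader and TCP flow reassembler (added example)."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def _ip(s):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(x) for x in s.split("."))


def build_tcp_packet(src, sport, dst, dport, seq, payload, flags=0x18):
    """Construct an Ethernet/IPv4/TCP frame. Constructed sample data:
    MACs are zero and checksums are left zero because the parser below
    does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, flags, 65535, 0, 0) + payload
    total = 20 + len(tcp)                             # IPv4 total length
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0,
                     64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames, snaplen=65535):
    """Serialize frames as a classic libpcap file (what tcpdump -w writes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (ts_sec, frame) from a libpcap file, in either byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng / nanosecond variants not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is supported here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                                      # truncated capture: stop cleanly
        off += incl_len
        yield ts_sec, frame


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) or None for non-IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, seq, tcp[doff:]


def _name(ip, port):
    """tcpflow-like file name component: zero-padded octets and port (assumed format)."""
    return ".".join(f"{int(o):03d}" for o in ip.split(".")) + f".{port:05d}"


def reassemble_flows(pcap_bytes):
    """Group TCP payload per direction and order it by sequence number.
    Duplicate (retransmitted) segments are dropped; sequence wraparound is
    not handled, which is enough for a short capture."""
    segments = defaultdict(dict)
    for _, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if not payload:
            continue                                   # pure ACKs carry no data
        segments[f"{_name(src, sport)}-{_name(dst, dport)}"].setdefault(seq, payload)
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in segments.items()}


def sample_capture():
    """Constructed capture: a request delivered out of order with one
    retransmission, the reply, and a data-less ACK."""
    client, server = ("10.0.0.5", 40000), ("10.0.0.1", 80)
    parts, seq, numbered = [b"GET / HTTP/1.1\r\n", b"Host: example.test\r\n", b"\r\n"], 1000, []
    for p in parts:
        numbered.append((seq, p))
        seq += len(p)
    frames = [build_tcp_packet(*client, *server, s, p)
              for s, p in (numbered[1], numbered[0], numbered[2], numbered[0])]
    frames.append(build_tcp_packet(*server, *client, 5000, b"HTTP/1.1 200 OK\r\n"))
    frames.append(build_tcp_packet(*client, *server, seq, b"", flags=0x10))
    return build_pcap(frames)


if __name__ == "__main__":
    for name, data in reassemble_flows(sample_capture()).items():
        print(name, data)
```

Running the script prints two reassembled streams, one per direction, named like tcpflow's output files; feeding it a real tcpdump -w file instead of sample_capture() works as long as it is a classic pcap with Ethernet framing.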