Network traffic dump in Linux

In forensic analysis, and in particular when dumping network traffic on Linux, several utilities are used: first of all the console tool tcpdump, then the classic of the genre, Wireshark, and the open-source XPLICO framework, although the latter is used more for subsequent analysis of the data than for its initial collection.

Let’s start with tcpdump. The basic form of the command is:

$ tcpdump <options> <filter> 

Here are some of the more important options: 

  • -i interface – capture traffic from the given interface;
  • -n – do not resolve IP addresses to host names;
  • -e – print the link-layer header (for example, MAC addresses);
  • -v – print additional information (TTL, IP options);
  • -w filename – write the captured packets to the given file (the dump) instead of printing them;
  • -r filename – read (load) a dump from the given file instead of capturing live;
  • -q – “quiet” output: tcpdump prints less protocol information, reporting at the transport level (TCP, UDP, ICMP) rather than the network (IP) level.

Dump all incoming traffic from the Internet to our server: 

$ tcpdump -s 0 -i eth0 -n -nn -ttt dst host <ip-address of our host> -w forensic_cap.pcap 

An example of dumping only FTP or SSH traffic on the eth0 interface (options first, then the filter expression):

$ tcpdump -s 0 -i eth0 -w forensic_cap.pcap port ftp or ssh

Dump everything that goes to the eth0 interface: 

$ tcpdump -w forensic_cap -i eth0

Tcpdump output

Another utility suitable for our purposes is TCPflow. It can be thought of as a more advanced tcpdump: it accepts the same filter expressions and, in addition, reassembles the captured TCP segments into complete streams, so data that was split across packets or arrived out of order (“broken” packets) is recovered.

If TCPflow is not on the system by default, first install the tcpflow package.

Further, the basic command syntax looks like this: 

$ tcpflow [options] [expression] [host] 

And here is a description of the options: 

  • -c – print to the console only (do not create files);
  • -d – debug level (default 1);
  • -e – display each stream in alternating colors (blue – client to server, red – server to client, green – unknown);
  • -i – network interface to listen on;
  • -r – read packets from a tcpdump output file (pcap) instead of an interface;
  • -s – strip non-printable characters (they are replaced by periods).

An example of collecting data coming from the external network to our server: 

$ tcpflow -ce host <our host's IP address> 

We collect all HTTP traffic on our network: 

$ tcpflow -i eth0 port 80

Dump network stream data to local folder: 

$ mkdir tcpflowdata
$ cd tcpflowdata
$ tcpflow host <IP address of the target host>

Now files, one per TCP connection, will be written to the tcpflowdata directory. All that remains for us to do later is to hand them to a parser for analysis.
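To make concrete what a tcpdump -w dump contains and what tcpflow’s per-connection reassembly does to it, here is an added example (not tcpdump or tcpflow code) that reads a pcap file and regroups TCP payloads by connection in sequence order. The dump it processes is constructed in memory with made-up addresses, so it runs without an interface or root privileges.

```python
"""Minimal reader for a tcpdump -w (pcap) file that regroups TCP segments
into per-connection streams, the job tcpflow does with -r on a dump.
Added example, not tcpdump or tcpflow code; the dump is constructed
in memory instead of being captured from an interface."""
import struct
from collections import defaultdict

def build_pcap(packets):
    """Serialise Ethernet frames as a little-endian pcap (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP segment with constructed addresses (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def reassemble_streams(pcap):
    """Map (src, sport, dst, dport) -> payload bytes, segments ordered by SEQ."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    segs, off = defaultdict(dict), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only IPv4 over Ethernet carrying TCP is handled
        ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        src, dst = frame[26:30], frame[30:34]
        t = 14 + ihl
        sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
        payload = frame[t + (frame[t + 12] >> 4) * 4:14 + total]
        if payload:  # drop pure ACKs / handshake segments
            key = (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport)
            segs[key][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in segs.items()}

# Constructed two-segment HTTP request, written to the dump out of order
# (the tail segment first), exactly as per-packet tcpdump output would show it.
SAMPLE = build_pcap([
    (1, tcp_frame("10.0.0.5", "10.0.0.1", 40000, 80, 1016, b"Host: example\r\n\r\n")),
    (1, tcp_frame("10.0.0.5", "10.0.0.1", 40000, 80, 1000, b"GET / HTTP/1.0\r\n")),
])

if __name__ == "__main__":
    for flow, data in reassemble_streams(SAMPLE).items():
        print(flow, data)
```

Pointing reassemble_streams at the bytes of a real forensic_cap.pcap written by tcpdump -w gives the same kind of per-connection output that tcpflow -r writes to files.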

TCPflow result

Written by Admin