RE: How do you use TCPDump?
> On Wed, 2 Mar 2011 22:00:41 -0600 <email@example.com> wrote:
> I have it installed, and I can look up the parameters in the command.
> What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?
What kind of intrusions are you looking for? TCPDump is a packet analyzer, so what is analyzed is based on what filters you are looking for. TCPDump uses the libpcap library to capture packets. You can receive the packets based on the protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp.
You may also specify a port number to monitor which is nice if you are investigating a particular service. Or an IP address if you are interested in a specific host.
The filters may be used in combination by and'ing / or'ing them together. I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
One tip is to pass the -n switch when running because DNS queries slow down captures.
Hope that helps :)
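As an added worked example (not part of the original reply), the following POSIX shell script puts the reply's advice together: it builds an and'ed BPF filter from a protocol, a port and a destination host, and it summarises the SYN-only packets in tcpdump -n output per source so that one host probing many ports stands out. The interface name eth0, the sample tcpdump lines and the threshold are assumptions; the sample lines are constructed here in tcpdump's default text format and are not a real capture.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes tcpdump's default
# -n text output, e.g.:
#   12:00:01.000001 IP 10.0.0.5.41234 > 10.0.0.1.22: Flags [S], seq 1, ...
IFACE="${IFACE:-eth0}"   # assumed capture interface

# Compose a filter from optional pieces, and'ed together as in the reply.
# Usage: build_filter PROTO PORT DSTHOST  (any argument may be empty)
build_filter() {
  proto="$1"; port="$2"; dsthost="$3"
  f=""
  [ -n "$proto" ]   && f="$proto"
  [ -n "$port" ]    && f="${f:+$f and }port $port"
  [ -n "$dsthost" ] && f="${f:+$f and }dst host $dsthost"
  printf '%s\n' "$f"
}

# Read tcpdump -n output on stdin and print one line per source address:
#   <src ip> <distinct destination ports> <SYN-only packets>
# sorted by SYN count, highest first. Only "Flags [S]" (SYN without ACK)
# lines are counted, so SYN/ACK replies ("[S.]") are ignored. IPv4 only.
syn_summary() {
  awk '
    / IP / && /Flags \[S\]/ {
      src = $3; sub(/\.[0-9]+$/, "", src)          # strip source port
      dport = $5; sub(/:$/, "", dport); sub(/.*\./, "", dport)
      syn[src]++
      if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END { for (h in syn) print h, ports[h], syn[h] }
  ' | sort -k3,3nr
}

# Keep only sources that touched at least MIN distinct ports (default 10).
flag_scanners() {
  awk -v min="${1:-10}" '$2 >= min { print $1 }'
}

# Live use (needs root): capture SYN-only segments with -n (no DNS lookups)
# and -l (line-buffered output), then summarise them.
capture_syns() {
  tcpdump -i "$IFACE" -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' | syn_summary
}

# Constructed sample of tcpdump -n output (not a real capture): one host
# probes three ports once each, another retries port 80 four times.
SAMPLE='12:00:01.000001 IP 10.0.0.5.41234 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 10.0.0.5.41235 > 10.0.0.1.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 10.0.0.5.41236 > 10.0.0.1.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP 10.0.0.1.80 > 10.0.0.5.41235: Flags [S.], seq 9, ack 3, win 65535, length 0
12:00:01.000005 IP 192.168.1.9.50000 > 10.0.0.1.80: Flags [S], seq 4, win 64240, length 0
12:00:01.000006 IP 192.168.1.9.50001 > 10.0.0.1.80: Flags [S], seq 5, win 64240, length 0
12:00:01.000007 IP 192.168.1.9.50002 > 10.0.0.1.80: Flags [S], seq 6, win 64240, length 0
12:00:01.000008 IP 192.168.1.9.50003 > 10.0.0.1.80: Flags [S], seq 7, win 64240, length 0'

# Offline demonstration on the constructed sample.
build_filter tcp 80 10.0.0.1
printf '%s\n' "$SAMPLE" | syn_summary
printf '%s\n' "$SAMPLE" | syn_summary | flag_scanners 3
```

The `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` expression is a standard tcpdump filter that keeps only segments with SYN set and ACK clear, so the live capture already excludes the replies that the awk pattern would otherwise have to skip. Running capture_syns against a real interface requires root and will run until interrupted; the rest of the script works offline on the sample.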