
Running a packet capture on a SourceFire Sensor

Below are the steps required to run a packet capture on a SourceFire Sensor.

Which Interfaces are Sniffing?

First of all we get a list of the interfaces that are sniffing for malicious traffic. Note: the fp interfaces normally map to an eth interface, but you still use the fp name within tcpdump.

ps -ef | grep snort | grep fp | awk -F '-i' '{ print $2 }' | awk '{ print $1 }' | head -n1

Tcpdump the Interface

Using the interface names output from the previous command, you can now run a tcpdump against them.

root@3d:/# tcpdump -ni <interface>

Example:

root@3d:/# tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
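The ps/awk one-liner above only returns the first interface (head -n1). As an added example, not from the original post, the following shell script pulls every interface named after "-i" in a snort command line and builds the matching tcpdump command for each, so the capture can be reviewed before it is started. The ps output embedded in the script is constructed for illustration; the snort paths and options in it are assumptions and will differ between SourceFire versions.

```shell
# Added example (not from the original post): list every sniffing interface
# from snort process listings, rather than only the first one.
# SAMPLE_PS is constructed sample output of "ps -ef"; the snort paths and
# arguments are assumptions for illustration only.
SAMPLE_PS='root      1234     1  5 10:00 ?        00:12:34 /usr/local/sf/bin/snort -D -i fp1 -c /etc/sf/snort.conf
root      1235     1  5 10:00 ?        00:12:35 /usr/local/sf/bin/snort -D -i fp2 -c /etc/sf/snort.conf
root      2001  1999  0 10:05 pts/0    00:00:00 grep snort'

# Print each interface that follows "-i" in a snort command line, one per
# line, de-duplicated, skipping the grep process that matches itself.
snort_interfaces() {
    printf '%s\n' "$1" \
        | grep 'snort' | grep -v 'grep' | grep -- '-i ' \
        | awk '{ for (n = 1; n < NF; n++) if ($n == "-i") print $(n + 1) }' \
        | sort -u
}

# Return (not run) the tcpdump command line for one interface, using the
# same -ni options as the post, so it can be checked before capturing.
capture_cmd() {
    printf 'tcpdump -ni %s' "$1"
}

# Walk the interface list and show what would be run for each one.
for ifc in $(snort_interfaces "$SAMPLE_PS"); do
    capture_cmd "$ifc"
    echo
done
```

Replace SAMPLE_PS with the live output of ps -ef on the sensor to use it for real; the awk loop does not depend on the position of -i within the command line, which the fixed-field version above does.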

Overview of traffic

We can also get an overview of the traffic on all interfaces by running the following command.

root@3d:/# watch 'netstat -ani'


About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001