Running a packet capture on a SourceFire Sensor

The steps below show how to run a packet capture on a SourceFire sensor.

Which Interfaces are Sniffing?

First we get a list of the interfaces that Snort is sniffing on for malicious traffic. Note: the fp interfaces normally map to the eth interfaces, but you still use the fp name when running tcpdump.

# Pull the argument that follows "-i" from each snort process and de-duplicate it.
# The "[s]nort" pattern keeps the grep process itself out of the list.
ps -ef | grep '[s]nort' | grep fp | awk -F '-i ' '{print $2}' | awk '{print $1}' | sort -u

Tcpdump the Interface

Using the interface names output by the previous command, you can now run a tcpdump against an interface.

root@3d:/#tcpdump -ni <interface>

Example:

root@3d:/#tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 0 age 0 max 20 hello 2 fdelay 15

Overview of traffic

We can also get an overview of the traffic by running the following command:

root@3d:/# watch 'netstat -ani'
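Putting the steps above together as an added example (this is not from the original post and not a SourceFire tool): a small POSIX shell script that extracts the sniffing interfaces from Snort's command lines and runs a bounded, file-backed tcpdump on each, so a capture never fills the sensor's disk or runs unattended. The sample ps output, the snort paths and the fp2/fp3 interface names are constructed.

```shell
#!/bin/sh
# Added example: find the interfaces snort sniffs on and capture a bounded
# number of packets from each into a pcap file for offline analysis.
# Assumes snort is started with "-i <iface>", as the post describes.

# Print the unique interface names that follow "-i" in snort process lines.
# Reads ps-style lines on stdin so it can be exercised with constructed input.
snort_interfaces() {
    grep '[s]nort' | grep -o -- '-i [A-Za-z0-9_.]*' | awk '{print $2}' | sort -u
}

# Capture at most COUNT packets from IFACE into a timestamped pcap file:
# no name resolution (-n), full frames (-s 0), stop after -c packets.
capture_iface() {
    iface="$1"
    count="${2:-1000}"
    out="/var/tmp/capture-${iface}-$(date +%Y%m%d%H%M%S).pcap"
    tcpdump -ni "$iface" -s 0 -c "$count" -w "$out" && echo "$out"
}

# Constructed sample of "ps -ef" output standing in for a live sensor
# (two snort instances on fp2, one on fp3, one unrelated process).
SAMPLE_PS='root 1234 1 0 10:00 ? 00:00:05 snort -D -c /etc/snort/snort.conf -i fp2
root 1235 1 0 10:00 ? 00:00:05 snort -D -c /etc/snort/snort.conf -i fp3
root 1236 1 0 10:00 ? 00:00:05 snort -D -c /etc/snort/snort.conf -i fp2
root 2000 1 0 10:01 ? 00:00:00 /usr/sbin/sshd'

# "demo" lists interfaces from the constructed sample; "run" reads the live
# process table and captures PACKET_COUNT (default 100) packets per interface.
main() {
    case "${1:-}" in
        demo) printf '%s\n' "$SAMPLE_PS" | snort_interfaces ;;
        run)  ps -ef | snort_interfaces | while read -r iface; do
                  capture_iface "$iface" "${2:-100}"
              done ;;
        *)    echo "usage: $0 demo | run [packet-count]" >&2 ;;
    esac
}

main "$@"
```

Run it as root on the sensor with `sh capture.sh run 500` to collect 500 packets per sniffing interface; `sh capture.sh demo` shows the interface parsing on the constructed sample without touching tcpdump.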


Rick Donato
