The steps below show how to run a packet capture on a SourceFire sensor.
Which Interfaces are Sniffing?
First, get the list of interfaces that Snort is sniffing on. The command below pulls the interface passed to each Snort process with -i; drop the trailing head -n1 to see every Snort instance rather than only the first. Note: the fpN names normally correspond to physical ethN ports, but it is the fpN name that you pass to tcpdump.
ps -ef | grep snort | grep fp | awk -F -i ' { print $2 } ' | awk '{print $1}' | head -n1
Tcpdump the Interface
Using the interface name(s) returned by the previous command, run tcpdump against one of them:
# tcpdump -ni <interface>
Example:
# tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
Note the default capture size of 68 bytes: only packet headers are kept. Add -s 0 to capture whole packets and -w <file> to write a pcap you can analyse offline, and use -c <count> so an unattended capture on a busy sensor cannot fill the disk.
Overview of traffic
You can also get a running overview of the per-interface packet and error counters with:
# watch 'netstat -ani'
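The whole procedure above (find the interfaces Snort is listening on, then capture on them) as one script. This is an added example, not code from the original page or from SourceFire; the ps -ef lines it parses are constructed sample data, and the /var/tmp output path and 10000-packet default are assumptions.

```shell
#!/bin/sh
# Added example: locate the interfaces Snort sniffs on (the "-i <iface>"
# argument of each snort process) and build a tcpdump command that keeps
# whole packets in a pcap file instead of the 68-byte default snaplen.

# Constructed sample of `ps -ef` output standing in for a live sensor.
SAMPLE_PS='root      1234     1  0 10:00 ?        00:00:05 /usr/local/sf/bin/snort -D -i fp1 -c /etc/sf/snort.conf
root      1235     1  0 10:00 ?        00:00:05 /usr/local/sf/bin/snort -D -i fp2 -c /etc/sf/snort.conf
root      2001  1900  0 10:05 pts/0    00:00:00 grep snort'

# Read ps output on stdin and print one interface name per line for every
# snort process whose command line carries "-i <iface>". The "[s]nort"
# pattern keeps a live grep's own process out of the result.
sniffing_interfaces() {
    grep '[s]nort' | grep -- ' -i ' | awk '{
        for (i = 1; i < NF; i++) if ($i == "-i") print $(i + 1)
    }'
}

# Build the capture command for one interface:
#   -n   no DNS lookups (the sensor interfaces are passive, keep them that way)
#   -s 0 full packets rather than the 68-byte header-only default
#   -c   stop after N packets so an unattended run cannot fill the disk
#   -w   write a pcap for offline analysis
# Output path and packet count are assumed defaults, override as arguments.
capture_cmd() {
    iface=$1
    outfile=${2:-/var/tmp/$iface.pcap}
    count=${3:-10000}
    printf 'tcpdump -ni %s -s 0 -c %s -w %s\n' "$iface" "$count" "$outfile"
}

# Live usage on a sensor (as root): print a capture command per interface.
capture_all() {
    ps -ef | sniffing_interfaces | while read -r iface; do
        capture_cmd "$iface"
    done
}

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | sniffing_interfaces
```

Run capture_all on the sensor to see the commands for every Snort instance, then execute the one for the interface you want to inspect; the resulting pcap opens in Wireshark or tcpdump -r.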