Running a packet capture on a SourceFire Sensor

Published 2010-03-01 (modified 2021-08-01)
https://www.fir3net.com/Ids/Sourcefire/running-a-packet-capture-on-a-sourcefire-sensor.html

Below are the required steps for running a packet capture on a SourceFire Sensor.

Which Interfaces are Sniffing?

First of all we get a list of the interfaces that are sniffing for malicious traffic. Note: the fp interfaces normally map to eth interfaces, but you still use the fp reference within tcpdump.

ps -ef | grep snort | grep fp | awk -F -i ' { print $2 } ' | awk '{print $1}' | head -n1

Tcpdump the Interface

Using the interface returned by the previous command, you can now run a tcpdump against it.

root@3d:/#tcpdump -ni <interface>

Example:

root@3d:/#tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 
0 age 0 max 20 hello 2 fdelay 15

Overview of traffic

We can also get an overview of the traffic by running the following command:

root@3d:/# watch 'netstat -ani'