Sniffing traffic passing through iptable rules and spitting out a formatted log

Fallen_Demon · 06-15-2011, 06:52 PM

We have a Linux based router routing traffic for a public network. I want to beef up security by closing up some of the ports, but need to know which are in use (there are some crazy applications running, don't want to break them). Is there possibly a way to get cron to run ethereal or tcpdump for a short time, grep the output for new ports and add them to a text file? I'm not very good with awk or sed, so if someone could give me a couple of commands for parsing a line of output I would be very thankful.

szboardstretcher · 06-16-2011, 02:52 PM

use the 'ss' command?

Code:

watch -n 1 ss

To see what is happening at the moment...

Or you could run it every couple of minutes to a file, then later sort and uniq the file to see what services were used.

Code:

Crontab:
*/1 * * * * ss >> /tmp/ss.out

Code:

View uniq services:
cat /tmp/ss.out|cut -c72-|sort|uniq

Fallen_Demon · 06-17-2011, 01:45 AM

Hrmm, this seems to investigating application sockets on the local machine. Useful for something else I'm doing, but I need something that can sniff the traffic getting forwarded by my iptables rules

DJRcomputing · 06-24-2011, 01:17 AM

Quote:

Originally Posted by Fallen_Demon

...I need something that can sniff the traffic getting forwarded by my iptables rules

You mean like a "packet sniffer"?

Not to be cheeky, but a Synaptic (I see you're Ubuntu) search for said description yields quite a few. I'm trying Wireshark at the moment, but I haven't worked with it enough to be pro/con. Seems promising, though. Snort looked REALLY promising for intrusion detection (slightly OT), but they require a paid subscription for their ruleset. Pass, for now...uninstalled.

In terms of CLI, there are also the commands netstat -lptu & lsof -i. Their outputs may be useful to you.