tcpdump based on username

vinmansbrew · 03-17-2020, 11:36 AM

rhel 6.10
I need to know if there is a way to do a tcpdump based on username, or that shows the username initiating the connection.
I've been trying to look for this, but haven't found anything.

I have a lot of attempts to authenticate on an ldap server, and I am trying to find what is making the attempts.
I know a couple sources, so I'd like to run it on these sources, and also from the ldap server. Logs haven't been overly useful, and the guy doing ldap is pretty new and I don't think he has turned on the logging in the Oracle directory manager to trace where auth attempts are coming from.

So, I am trying to check some things and help him out, as well.

Thanks!

Turbocapitalist · 03-17-2020, 11:43 AM

I'm rather sure that tcpdump cannot do that by itself. What might work would be to use NFTables or IPTables to log packets based on uid or gid. Then use tcpdump to track those logged packets.

vinmansbrew · 03-17-2020, 12:01 PM

I was kind of coming to that conclusion with tcpdump. I'll have to look at iptables.

Turbocapitalist · 03-17-2020, 12:03 PM

If you haven't installed anything, nftables would be preferable if it is available for CentOS 6.

berndbausch · 03-17-2020, 03:58 PM

wireshark can filter on practically anything including LDAP details, and it runs on RHEL, too. Perhaps tshark, the text version, is as powerful.

vincix · 03-31-2020, 01:27 PM

You can actually generate pcaps with tcpdump and then visualise them with Wireshark. You don't necessarily have to use other tools (tshark) on the host itself. Not that using tshark on the server itself would be a bad idea.

e.g.

Code:

tcpdump port 389 -i eth0 -w mycap.pcap

I'm not sure if you need/can make it more verbose, but I think normally it should suffice.