LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 11-02-2016, 01:33 AM   #1
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,218
Blog Entries: 3

Learning to analyze pcap files


I have a passing familiarity with "tcpdump" but I'm rather a newb at network analysis. I'm getting VERY high volumes of traffic like shown in the pcap excerpt below, apparently from a great many different hosts. It seems to interfere with network usage here.

What am I looking at? It's not normal web traffic, I can see that here and in the absence of connections in the web logs. And what should I really be looking for in the pcap file?

Code:
$ tcpdump -nlr www1.pcap 'host 141.138.135.171'   
xx:43:07.879158 141.138.135.171.80 > xx.xx.xx.xx.80: S 3599114981:3599114981(0) win 8192 (DF)
xx:43:07.879402 xx.xx.xx.xx.80 > 141.138.135.171.80: S 465493987:465493987(0) ack 3599114982 win 16384 <mss 1460> (DF)
xx:43:07.879433 141.138.135.171.80 > xx.xx.xx.xx.80: S 3599114981:3599114981(0) win 8192 (DF)
xx:43:07.879524 xx.xx.xx.xx.80 > 141.138.135.171.80: S 465493987:465493987(0) ack 3599114982 win 16384 <mss 1460> (DF)
xx:43:10.869587 xx.xx.xx.xx.80 > 141.138.135.171.80: S 465493987:465493987(0) ack 3599114982 win 16384 <mss 1460> (DF)
xx:43:16.869365 xx.xx.xx.xx.80 > 141.138.135.171.80: S 465493987:465493987(0) ack 3599114982 win 16384 <mss 1460> (DF)
xx:43:28.868922 xx.xx.xx.xx.80 > 141.138.135.171.80: S 465493987:465493987(0) ack 3599114982 win 16384 <mss 1460> (DF)
Just a minute or so of capture shows patterns like that for many dozens of remote hosts, albeit the remote hosts seem to cluster in just a few networks.

Last edited by Turbocapitalist; 11-02-2016 at 06:03 AM. Reason: grammar
 
Old 11-02-2016, 06:03 PM   #2
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

You could start by taking the captures to a Wireshark box for better analysis with the Wireshark tools. See this: https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html for how to capture with tcpdump for Wireshark.

In general, though, what ports are being used will give you an idea of what type of traffic it is; for instance, 80 suggests www/http traffic, 22 ssh, 443 https, 21 ftp, 25 smtp/email, etc.

Additionally, check the geolocation of the IPs and who they are registered to, and take a look at the processes and netstat on the internal machines you see communicating in the traffic. I find whatsmyip.org very useful in helping collect some of this info.
 
Old 11-02-2016, 06:18 PM   #3
scheidel21
Senior Member
 
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323

Further correlating this capture with additional data like bandwidth usage via SNMP or flows can be useful. Additionally, log file correlation can be helpful too. SNMP can help visualize dropped packets and error packets on interfaces like the WAN and LAN ports on your router or firewall.

A tool like bandwidthD could help visualize the types of traffic that are going on and times.
 
Old 11-03-2016, 06:35 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,218

Original Poster
Blog Entries: 3

I'm looking with Wireshark. The connections look like the beginning of a TCP handshake but with no reply from the originating machines.

"tcpdump" has been easy to work with since I can pipe that through other utilities to come up with the networks involved.

Again, it's not web traffic. I can see that by looking at the content of the packets. If I make a guess, it looks like it could be a SYN flood attack originating from a handful of networks, but that's not my domain of expertise so I ask here. Maybe I should ask over in the security sub-forum.
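As an added example, not code from anyone in the thread: the first post asks what to look for in the pcap, and this post suspects half-open connections. One way to answer both from tcpdump's legacy text output (the format quoted in the first post) is to track each TCP handshake per remote host and report the ones that stall after the server's SYN-ACK, how many remotes sent their SYN from the same port they targeted, how the stalled handshakes cluster per /24, and the spacing of the server's repeated SYN-ACKs. The lines in SAMPLE_LINES are constructed from documentation address ranges, not taken from the original capture, and the local address 198.51.100.10 is an assumption standing in for the masked xx.xx.xx.xx.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Matches tcpdump's legacy one-line TCP format as quoted in the thread:
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS rest...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+")  # "ack <number>" marks the ACK flag


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn": "S" in m["flags"],
        "ack": ACK_RE.search(m["rest"]) is not None,
    }


def track_handshakes(lines, local_ip):
    """Group packets into flows keyed by (remote ip, remote port, local port)
    and record how far each three-way handshake got."""
    flows = defaultdict(lambda: {"syn": 0, "synack_t": [], "acked": False})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == local_ip:                      # inbound packet
            f = flows[(p["src"], p["sport"], p["dport"])]
            if p["syn"] and not p["ack"]:
                f["syn"] += 1                         # client SYN (step 1)
            elif p["ack"] and not p["syn"]:
                f["acked"] = True                     # client ACK (step 3)
        elif p["src"] == local_ip:                    # outbound packet
            f = flows[(p["dst"], p["dport"], p["sport"])]
            if p["syn"] and p["ack"]:
                f["synack_t"].append(p["t"])          # our SYN-ACK (step 2)
    return dict(flows)


def summarize(flows):
    """Counts a defender wants: completed vs. half-open handshakes, remotes
    whose SYN source port equals the target port, half-open flows per /24,
    and the gaps between our retransmitted SYN-ACKs for each stalled flow."""
    half_open = {k: f for k, f in flows.items() if f["synack_t"] and not f["acked"]}
    return {
        "completed": sum(1 for f in flows.values() if f["acked"]),
        "half_open": len(half_open),
        "same_port_syns": sum(1 for k, f in flows.items() if f["syn"] and k[1] == k[2]),
        "half_open_per_net": Counter(
            str(ip_network(k[0] + "/24", strict=False)) for k in half_open),
        "synack_backoff": {
            k: [round(b - a, 3) for a, b in zip(f["synack_t"], f["synack_t"][1:])]
            for k, f in half_open.items()
        },
    }


# Constructed sample in the same format as the thread's excerpt (documentation
# address ranges; 198.51.100.10 is the assumed local host).
SAMPLE_LINES = """\
09:43:07.000000 203.0.113.5.80 > 198.51.100.10.80: S 1000:1000(0) win 8192 (DF)
09:43:07.000200 198.51.100.10.80 > 203.0.113.5.80: S 2000:2000(0) ack 1001 win 16384 <mss 1460> (DF)
09:43:10.000200 198.51.100.10.80 > 203.0.113.5.80: S 2000:2000(0) ack 1001 win 16384 <mss 1460> (DF)
09:43:16.000200 198.51.100.10.80 > 203.0.113.5.80: S 2000:2000(0) ack 1001 win 16384 <mss 1460> (DF)
09:43:28.000200 198.51.100.10.80 > 203.0.113.5.80: S 2000:2000(0) ack 1001 win 16384 <mss 1460> (DF)
09:43:07.500000 203.0.113.77.80 > 198.51.100.10.80: S 1100:1100(0) win 8192 (DF)
09:43:07.500200 198.51.100.10.80 > 203.0.113.77.80: S 2100:2100(0) ack 1101 win 16384 <mss 1460> (DF)
09:43:10.500200 198.51.100.10.80 > 203.0.113.77.80: S 2100:2100(0) ack 1101 win 16384 <mss 1460> (DF)
09:43:08.000000 192.0.2.9.80 > 198.51.100.10.80: S 1200:1200(0) win 8192 (DF)
09:43:08.000200 198.51.100.10.80 > 192.0.2.9.80: S 2200:2200(0) ack 1201 win 16384 <mss 1460> (DF)
09:43:11.000200 198.51.100.10.80 > 192.0.2.9.80: S 2200:2200(0) ack 1201 win 16384 <mss 1460> (DF)
09:43:09.100000 192.0.2.200.51234 > 198.51.100.10.80: S 3000:3000(0) win 65535 <mss 1460> (DF)
09:43:09.100100 198.51.100.10.80 > 192.0.2.200.51234: S 4000:4000(0) ack 3001 win 16384 <mss 1460> (DF)
09:43:09.120000 192.0.2.200.51234 > 198.51.100.10.80: . ack 4001 win 65535 (DF)
""".splitlines()


def run_sample():
    return summarize(track_handshakes(SAMPLE_LINES, "198.51.100.10"))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Run it on `tcpdump -nlr www1.pcap` output piped in instead of SAMPLE_LINES to get the same counts for a real capture. The two signals worth reading together are a large half-open count concentrated in few /24s and SYNs whose source port equals the destination port; a real browser picks an ephemeral source port and finishes the handshake, so on the sample only the 51234 client counts as completed, and the server's SYN-ACK retries show the kernel's doubling backoff (3, 6, 12 seconds) that ties up a connection slot each time.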
 