Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I thought so. Judging by all of the editing he was doing to previous posts, making them the longest forum posts you had ever seen, I was kind of expecting something.
You, on the other hand, Unix, have been a tremendous help, and for that I thank you a ton!
Thank you very much, Win, for both moving them and locking that post! Super thanks!
Now! Back on topic! My friend was telling me that he found a GREAT site for tcpdump. Sadly, he forgot to mention the name of that site! Any ideas of one? I have found the man page for it which, by the way, is, like you said, huge!
Hahah. Funny you should mention that site, because yesterday I came across it. Then today my friend was telling me about a site that had a wealth of knowledge on it for tcpdump. He failed to tell me the name of the site, so I sent him a message and he told me it was that one, haha! I haven't looked into it a whole lot, but I have a little. Will definitely check it out if two people recommend it. Which they do, haha.
This is a pretty good tutorial/howto/help page for tcpdump. Thanks for sharing!
Oh, and BTW, you aren't going to damage anything with tcpdump...no need for a disclaimer, IMO. On a properly configured system, a normal user won't be able to run it (I believe it'll put the sniffed interface in promiscuous mode...that would require escalated privileges).
I know you meant "damaging" in other ways (not the fault of the tool but the intention of the user) but still, from the obvious-PEBCAK-department:
Code:
]# tcpdump -n -i eth1 -w /etc/shadow
OTOH, running
Code:
]# tcpdump -n -i eth1 -w /var/log/tcpdump.pcap
seems innocuous until one day one finds services refuse to run and one can no longer log in (as in filled up /var partition) :-]
Haha!
You'd have to be root to run it, though...I see the hash prompt. Or use sudo. Usually people that already have root access or can run it via sudo are trusted enough to have those types of permissions. The only other way would be to crack the system or apply social engineering. I've not heard of people purposely using tcpdump to fill up a drive slice. It can be done, but there are more direct ways of purposely borking a system, IMO. I have heard of coworkers leaving a tcpdump recording session going until the system's drive slice fills, though...these were by accident. These were security engineers who did this...these guys typically have escalated privileges to troubleshoot system errors and such. The 'lessons learned' from those instances were to cap the recording process (collect only 1 gig worth of logs, for instance, which tcpdump will allow you to do) or to create elaborate filters (such as only looking for a certain protocol, e.g. tcp port 21 to a certain destination).
From a malicious user standpoint, it's a bit difficult to abuse tcpdump. If you've access to tcpdump, you probably have access to more potentially destructive commands. The combination of destructive potential of certain commands and escalated permissions along with intent can be deadly, but I think intent has the greatest weight in the above cases.
Yeah, I never heard of anyone using tcpdump in a malicious way. I always thought you really couldn't do much, unless you were trying to fill up useless space, as said before.
If you've access to tcpdump, you probably have access to more potentially destructive commands.
True. I did state PEBCAK though but never mind, it appears I'll have to have a look at my humor lexer again. Or avoid attempts at injecting humor altogether. Yeah, that prolly works best for me :-]
For the snaplen, I've found that the parameter requirements change according to platform... I'll have to check again, but I'd thought that OBSD's parameters were different than Linux's. Of all the options, -s is probably the most crucial, IMO. Without a full view, whatever you're looking for could be missed.
Also, whatever you record in tcpdump can also be viewed via snort (and the reverse also applies).
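The two practical points raised above, capping a capture so a forgotten session cannot fill the partition (the "1 gig" lesson learned) and choosing the snaplen with -s, can be combined into one bounded invocation. The script below is an added example and is not code posted by anyone in this thread; the interface name, output directory, file sizes, the documentation-range address 192.0.2.10 and the FTP filter are constructed values. It builds the tcpdump command line rather than running it, so it can be inspected without root, and checks the free space of the target partition against the worst-case size of the capture ring first.

```shell
#!/bin/sh
# Added example, not from the thread: bound a tcpdump capture so it cannot
# fill the partition, and keep the full packet with an explicit snaplen.
# All interface names, sizes, paths and filters below are made-up defaults.

# capture_budget_mb FILE_MB FILE_COUNT
# Prints the worst-case disk use of a -C/-W ring buffer in MB.
# tcpdump's -C unit is "millions of bytes" (1,000,000), which is close
# enough to the MB that df reports for a headroom check.
capture_budget_mb() {
    echo $(( $1 * $2 ))
}

# check_free_space DIR NEEDED_MB
# Returns 0 when DIR's partition has more than NEEDED_MB free, 1 otherwise.
check_free_space() {
    dir=$1; needed_mb=$2
    avail_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
    avail_mb=$(( ${avail_kb:-0} / 1024 ))
    [ "$avail_mb" -gt "$needed_mb" ]
}

# build_capture_cmd IFACE OUTDIR FILE_MB FILE_COUNT SNAPLEN [FILTER...]
# Prints (does not execute) the bounded tcpdump command line.
#   -n        no name resolution (faster, and no DNS chatter from the sensor)
#   -s N      snaplen; 0 means "whole packet" (old releases defaulted to 68 bytes,
#             which silently truncates payloads)
#   -C N      rotate the output file every N million bytes
#   -W N      keep only N files, overwriting the oldest: a fixed-size ring
#   -Z user   drop root after the interface is opened
#   -w FILE   write raw packets (readable later by tcpdump -r, wireshark, snort -r)
build_capture_cmd() {
    iface=$1; outdir=$2; file_mb=$3; file_count=$4; snaplen=$5
    shift 5
    printf "tcpdump -n -i %s -s %s -C %s -W %s -Z nobody -w %s/capture.pcap '%s'\n" \
        "$iface" "$snaplen" "$file_mb" "$file_count" "$outdir" "$*"
}

# Usage with constructed values: 10 files x 100 MB = 1 GB hard cap,
# full packets, only FTP control traffic to one host.
need=$(capture_budget_mb 100 10)
if check_free_space /var/log "$need"; then
    build_capture_cmd eth1 /var/log 100 10 0 'tcp port 21 and dst host 192.0.2.10'
else
    echo "refusing: /var/log has less than ${need} MB free for the capture ring" >&2
fi
```

The free-space check is deliberately done before the command is printed: the failure mode described in the thread (services refusing to start, logins failing once /var is full) is caused by the capture outliving the space it was given, and the -C/-W pair is what makes "collect only 1 gig" an enforced limit rather than a reminder. Run the printed line as root, or under sudo, after reviewing it.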