LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-09-2007, 10:25 AM   #1
LinuxCrazy
Member
 
Registered: May 2007
Posts: 48

Rep: Reputation: 15
What is the pupose of sniffing network packets?


Everywhere on the net I see tutorials on how to use tcpdump or snort, but I just don't see a pupose in this. What is the true purpose of using tcpdump or snort? How will it secure my server?
Are there any good tutorials out there that does not only explain how to use a packet sniffer but also on what the purpose is?

why do I needs this below?
We can run tcpdump by simply typing:
# tcpdump

Resulting in:

23:29:04.050167 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 36517 win 16044
23:29:04.059645 66-28-147-032.servercentral.net.6020 > spider.3224: P 36517:37969(1452) ack 1 win 5840 (DF)
23:29:04.092955 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query-req-bcast
23:29:04.093587 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query-req-bcast
23:29:04.093836 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-query-positive-resp (DF)
23:29:04.095028 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-query-positive-resp (DF)
23:29:04.097645 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-registration-req-bcast
23:29:04.098410 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-registration-negative-resp (DF)
23:29:04.143267 66-28-147-032.servercentral.net.6020 > spider.3224: P 37969:39421(1452) ack 1 win 5840 (DF)
23:29:04.145122 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 39421 win 13140


source http://www2.papamike.ca:8082/tutorials/pub/tcpdump.html

Thanks for any help.
 
Old 06-09-2007, 12:04 PM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
If you ever need to debug a network issue beyond simple connectivity, then a network sniffer (my preference is wireshark...) is a useful tool. It won't secure your server, but it will let you see all the traffic going in and out, so you can get a better idea of what's going on. If you're on the same collision domain as another host, you can also see traffic to that host as well.

For example, I recently fixed an rcp issue at my work using the output from 'snooop' (the Solaris standard network sniffer) to diagnose the problem.

Dave
 
Old 06-09-2007, 01:27 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I've used tcpdump recently to troubleshoot two different issues: the first was to see whether Oracle encryption our dba 'turned on' was actually encrypting the data (it wasn't); the second was to figure out why a certain type of traffic was not hitting the packet filtering (ipfw) rule that I expected it would.

In the first instance I needed to see the data contained in each packet. In the second instance I needed to see the packet headers. tcpdump made both possible.

QED.
 
Old 06-09-2007, 01:30 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by LinuxCrazy
Are there any good tutorials out there that does not only explain how to use a packet sniffer but also on what the purpose is?

why do I needs this below?
It sounds like you have a tool that you are seeking a purpose for. Maybe when you're in a situation that you actually need to sniff traffic, you'll be glad you looked into it and studied some examples.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
distros for network sniffing? jackaninny Linux - Security 2 01-22-2006 10:45 AM
Sniffing Packets - Outside my LAN Palula Linux - Software 2 09-20-2005 12:31 PM
algorithm for sniffing IP packets? shrike_912 Programming 2 06-08-2004 02:48 PM
Sniffing: tcpdump gets some initial packets merlin-themage Linux - Networking 0 05-28-2004 07:07 AM
network sniffing / eavesdropping facefullofsnow Linux - Security 1 12-16-2003 04:14 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration