What is the pupose of sniffing network packets?

LinuxCrazy · 06-09-2007, 10:25 AM

Everywhere on the net I see tutorials on how to use tcpdump or snort, but I just don't see a pupose in this. What is the true purpose of using tcpdump or snort? How will it secure my server?
Are there any good tutorials out there that does not only explain how to use a packet sniffer but also on what the purpose is?

why do I needs this below?
We can run tcpdump by simply typing:
# tcpdump

Resulting in:

23:29:04.050167 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 36517 win 16044
23:29:04.059645 66-28-147-032.servercentral.net.6020 > spider.3224: P 36517:37969(1452) ack 1 win 5840 (DF)
23:29:04.092955 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query-req-bcast
23:29:04.093587 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-query-req-bcast
23:29:04.093836 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-query-positive-resp (DF)
23:29:04.095028 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-query-positive-resp (DF)
23:29:04.097645 daffy.pmatulis.homeunix.net.netbios-ns > 192.168.1.255.netbios-ns: nbt-registration-req-bcast
23:29:04.098410 mudra.pmatulis.homeunix.net.netbios-ns > daffy.pmatulis.homeunix.net.netbios-ns: nbt-registration-negative-resp (DF)
23:29:04.143267 66-28-147-032.servercentral.net.6020 > spider.3224: P 37969:39421(1452) ack 1 win 5840 (DF)
23:29:04.145122 spider.3224 > 66-28-147-032.servercentral.net.6020: . ack 39421 win 13140

source http://www2.papamike.ca:8082/tutorials/pub/tcpdump.html

Thanks for any help.

ilikejam · 06-09-2007, 12:04 PM

If you ever need to debug a network issue beyond simple connectivity, then a network sniffer (my preference is wireshark...) is a useful tool. It won't secure your server, but it will let you see all the traffic going in and out, so you can get a better idea of what's going on. If you're on the same collision domain as another host, you can also see traffic to that host as well.

For example, I recently fixed an rcp issue at my work using the output from 'snooop' (the Solaris standard network sniffer) to diagnose the problem.

Dave

anomie · 06-09-2007, 01:27 PM

I've used tcpdump recently to troubleshoot two different issues: the first was to see whether Oracle encryption our dba 'turned on' was actually encrypting the data (it wasn't); the second was to figure out why a certain type of traffic was not hitting the packet filtering (ipfw) rule that I expected it would.

In the first instance I needed to see the data contained in each packet. In the second instance I needed to see the packet headers. tcpdump made both possible.

QED.

anomie · 06-09-2007, 01:30 PM

Quote:

Originally Posted by LinuxCrazy

Are there any good tutorials out there that does not only explain how to use a packet sniffer but also on what the purpose is?

why do I needs this below?

It sounds like you have a tool that you are seeking a purpose for. Maybe when you're in a situation that you actually need to sniff traffic, you'll be glad you looked into it and studied some examples.