To record the traffic, you can use tcpdump on Linux:
tcpdump -G 15 -W 1 -i any -nn -w /tmp/slor-wto176.cap
This records for 15 seconds (-G 15) with a rollover of one file only (-W 1), so tcpdump exits once the first file is complete (taken from http://stackoverflow.com/).
We listen on all network interfaces (-i any), skip name and port resolution (-nn), and write the raw packets to the file given with -w.
Then you can open the .cap file in Wireshark.
As display filters you can use, for example, elasticsearch, tcp.flags.reset == 1, tcp.stream eq 28, ip.dst_host == 10.32.134.203, etc.
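As an added example (not code from the original post), here is a small Python reader that applies the same three filters to a pcap written by tcpdump -i any, whose link type is Linux "cooked" SLL (113); the sample capture at the bottom is constructed, the host 10.32.134.203 is the one from the filter above, and the port 9200 is an assumption.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC, DLT_EN10MB, DLT_LINUX_SLL, TCP_RST = 0xA1B2C3D4, 1, 113, 0x04

def parse_pcap(data):
    """Return (src, dst, sport, dport, tcp_flags) for each IPv4/TCP packet in a pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == PCAP_MAGIC, "only little-endian classic pcap is handled here"
    # Link-layer header length; other link types (e.g. the newer SLL2 that recent
    # libpcap uses for -i any) raise KeyError rather than being mis-parsed.
    ll = {DLT_EN10MB: 14, DLT_LINUX_SLL: 16}[linktype]
    off, pkts = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[ll:]
        if struct.unpack("!H", frame[ll - 2:ll])[0] != 0x0800 or ip[9] != 6:
            continue  # not IPv4, or not TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL words)
        sport, dport = struct.unpack("!HH", tcp[:4])
        pkts.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                     sport, dport, tcp[13]))  # byte 13 holds the TCP flags
    return pkts

def rst_packets(pkts):  # Wireshark: tcp.flags.reset == 1
    return [p for p in pkts if p[4] & TCP_RST]
def to_host(pkts, host):  # Wireshark: ip.dst_host == host
    return [p for p in pkts if p[1] == host]
def streams(pkts):  # Wireshark: tcp.stream, one entry per 4-tuple conversation
    out = defaultdict(list)
    for src, dst, sport, dport, flags in pkts:
        out[tuple(sorted([(src, sport), (dst, dport)]))].append(flags)
    return out

def make_pcap(frames, linktype=DLT_LINUX_SLL):
    """Constructed test data: wrap link-layer frames in a classic pcap container."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def sll_tcp(src, dst, sport, dport, flags):
    """Constructed Linux cooked (SLL) + IPv4 + TCP frame; checksums left at zero."""
    sll = struct.pack("!HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return sll + ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)

# Constructed sample: a SYN to 10.32.134.203:9200 answered with a RST, plus a SYN elsewhere.
SAMPLE = make_pcap([sll_tcp("10.0.0.5", "10.32.134.203", 51000, 9200, 0x02),
                    sll_tcp("10.32.134.203", "10.0.0.5", 9200, 51000, 0x04),
                    sll_tcp("10.0.0.5", "10.32.134.204", 51001, 9200, 0x02)])
```

Feed parse_pcap() the bytes of the .cap file recorded above to run the same checks on a real capture.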
Here are some screenshots of Wireshark usage:
and when clicking on "Follow Stream":