Wireshark and tcpdump are tools which are used widely for a variety of different purposes. Both will do complete packet captures with the ability to save to. I can't remember the amount of times I have been involved in troubleshooting a connection from A to B and performed a packet capture to see what is happening with the traffic.

Within Linux I usually always use the following basic command syntax to execute a packet dump whilst the traffic in question traverses the interface:

```
# tcpdump -i eth0 -w traffic.pcap
```

The above command will dump all traffic from eth0 to a file in pcap format called traffic.pcap by using the -w switch. After the traffic has been captured to a pcap, I usually transfer it across to my workstation and load it straight into Wireshark for analysis. Wireshark is great for looking at source and destination traffic, ports, and handshake information. Wireshark does not have the ability to identify suspicious traffic patterns by cross-referencing the traffic against a signature database the way an IDS such as Snort does. Recently I have gotten heavily involved in a project where we are testing the capabilities of several different IDS sensors and methods of packet capture.

Prerequisites:

- You should have a basic understanding of how Snort IDS works.
- You should have a reasonable understanding of CentOS.
- CentOS 6.x (in my case I am using CentOS 6.4).
- The lsof package, which can be obtained via yum.
- A front-end IDS interface such as Snorby.
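As an added example (not code from the original post), here is a small Python parser for the classic pcap format that `tcpdump -w` writes. It pulls out the source/destination addresses, ports and TCP handshake flags that the post looks at in Wireshark, then runs a minimal Snort-style content match over the payloads to show the kind of signature check Wireshark itself does not perform. The capture bytes, addresses and rule are all constructed inline for the example.

```python
import struct
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def parse_pcap(data):
    """Yield one summary dict per IPv4/TCP packet in a classic (libpcap) pcap file."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">"}.get(magic)  # detect file byte order
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # linktype 1 = Ethernet
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        tcp = pkt[14 + (pkt[14] & 0x0f) * 4:]  # skip Ethernet header + IP header (IHL)
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield {"src": ".".join(map(str, pkt[26:30])), "dst": ".".join(map(str, pkt[30:34])),
               "sport": sport, "dport": dport, "ts": ts_sec + ts_usec / 1e6,
               "flags": "/".join(n for bit, n in TCP_FLAGS if tcp[13] & bit),
               "payload": tcp[(tcp[12] >> 4) * 4:]}  # data offset is in 32-bit words

def match_signatures(summaries, rules):
    """Minimal Snort-style check: alert when destination port and payload content match."""
    return [(s["src"], s["dst"], r["msg"]) for s in summaries for r in rules
            if s["dport"] == r["dport"] and r["content"] in s["payload"]]

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MAC addresses, EtherType IPv4
def build_pcap(packets):
    """Constructed little-endian pcap file, the same layout tcpdump -w produces."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out
# Constructed sample: a three-way handshake followed by a request carrying a test string.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, 0x02),  # SYN
    build_packet("10.0.0.80", "10.0.0.5", 80, 40000, 0x12),  # SYN/ACK
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, 0x10),  # ACK
    build_packet("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, b"GET /TEST-SIG HTTP/1.0\r\n"),
])
RULES = [{"dport": 80, "content": b"TEST-SIG", "msg": "constructed test signature"}]
```

Feeding a real `traffic.pcap` from `tcpdump -w` to `parse_pcap(open(path, "rb").read())` gives the same per-packet summaries; `match_signatures` then answers the question Wireshark leaves open, namely whether any of those packets match a known content signature.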