- Nikhil Bhaskar
- July 7, 2021
How to Install & Configure Network Packet Analyzers (Sniffers) in Linux
A packet sniffer (also called a packet analyzer, protocol analyzer or network analyzer) is hardware or software used to monitor network traffic. Several tools and commands are available for monitoring network traffic on Linux.
Network Packet Analyzers
Tcpdump Command
- It is a command-line network sniffer used to capture and analyze TCP/IP packets transmitted or received on a specific network interface.
Install tcpdump
apt-get install tcpdump
Capture packets from an interface.
tcpdump -i interface-name
Capture a specific number of packets.
tcpdump -c 5 -i interface-name
Here is the command output.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
12:48:03.425233 IP localhost.50973 > localhost.domain: 58744+ A? 1-263071-885178703872
12:48:03.425288 IP localhost.50973 > localhost.domain: 40014+ AAAA? 1-263071-885178703.
12:48:03.425857 IP localhost.domain > localhost.50973: 58744 2/0/0 CNAME b-0005t.b
12:48:03.426501 IP localhost.45801 > localhost.domain: 29887+ PTR? 53.0.0.127.in-addr.
12:48:03.426848 IP localhost.domain > localhost.45801: 29887 1/0/0 PTR localhost. (64)
5 packets captured
10 packets received by filter
0 packets dropped by kernel
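The summary lines tcpdump prints above are easy to post-process. As an added example (not part of the original post), the following Python parses DNS lines in that format into records and flags queries that never received a reply in the capture; the sample input is constructed from the output above, with the truncated names completed with placeholder hostnames.

```python
import re
from collections import Counter

# Constructed sample input: the tcpdump lines shown above, with the names that
# the page's output truncates filled in with placeholder hostnames.
SAMPLE = """\
12:48:03.425233 IP localhost.50973 > localhost.domain: 58744+ A? host1.example.test. (36)
12:48:03.425288 IP localhost.50973 > localhost.domain: 40014+ AAAA? host1.example.test. (36)
12:48:03.425857 IP localhost.domain > localhost.50973: 58744 2/0/0 CNAME alias.example.test. (80)
12:48:03.426501 IP localhost.45801 > localhost.domain: 29887+ PTR? 53.0.0.127.in-addr.arpa. (44)
12:48:03.426848 IP localhost.domain > localhost.45801: 29887 1/0/0 PTR localhost. (64)
"""

# One summary line: "<time> IP <host.port> > <host.port>: <protocol details>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# DNS query: "<id>[+] <QTYPE>? <name>"; DNS answer: "<id> <an>/<au>/<ad> <RTYPE> <data>"
QUERY_RE = re.compile(r"^(?P<id>\d+)[-+*$|%]* (?P<qtype>[A-Z]+)\? (?P<name>\S+)")
ANSWER_RE = re.compile(r"^(?P<id>\d+)[-+*$|%]* (?P<an>\d+)/\d+/\d+ (?P<rtype>[A-Z]+) (?P<data>\S+)")


def split_endpoint(endpoint):
    """'localhost.50973' -> ('localhost', '50973'); tcpdump appends the port as the last label."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcpdump(text):
    """Turn tcpdump summary lines into dicts; non-DNS or unparsable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rec = {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport}
        if q := QUERY_RE.match(m["rest"]):
            rec.update(kind="query", id=int(q["id"]), qtype=q["qtype"], name=q["name"])
        elif a := ANSWER_RE.match(m["rest"]):
            rec.update(kind="answer", id=int(a["id"]), answers=int(a["an"]), rtype=a["rtype"])
        else:
            continue
        records.append(rec)
    return records


def unanswered_queries(records):
    """Queries whose transaction id never came back from the resolver within the capture."""
    answered = {r["id"] for r in records if r["kind"] == "answer"}
    return [(r["id"], r["qtype"], r["name"]) for r in records
            if r["kind"] == "query" and r["id"] not in answered]


def queries_per_client_port(records):
    """Number of queries issued from each client source port (heavy reuse of one port is worth a look)."""
    return Counter(r["sport"] for r in records if r["kind"] == "query")
```

On the sample, the AAAA query with id 40014 is reported as unanswered, since no reply for it appears in the five captured packets.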
Wireshark Utility
- It is a graphical utility for capturing and analyzing packets on a packet-switched network in real time.
Update the system.
apt-get update
Install Wireshark.
apt install wireshark
Enable root privileges: when the installer asks whether non-superusers should be able to capture packets, select yes (this lets members of the wireshark group capture without running Wireshark as root).
Bmon Tool
- It is a command-line network monitoring and debugging utility. It collects networking-related statistics and displays them visually in a human-friendly format.
Install Bmon tool.
apt-get install bmon
Monitor the specific interface.
bmon -p enp1s0
Ngrep (network grep)
- It is a command-line packet analysis utility, similar to grep applied to the network layer: it matches traffic passing over a network interface against a regular expression and a BPF filter.
Install Ngrep.
apt-get install ngrep
Display all ICMP traffic, such as ping requests and replies, on the default interface.
ngrep -q '.' 'icmp'
Here is the command output.
interface: enp0s3 (172.15.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .
I 172.15.0.104 -> 172.15.0.103 8:0
]...~oG[....j....................... !"#$%&'()*+,-./01234567
I 172.15.0.103 -> 172.15.0.104 0:0
]...~oG[....j....................... !"#$%&'()*+,-./01234567
I 172.15.0.104 -> 172.15.0.103 8:0
]....oG[............................ !"#$%&'()*+,-./01234567
I 172.15.0.103 -> 172.15.0.104 0:0
]....oG[............................ !"#$%&'()*+,-./01234567
Match only traffic to or from a particular host.
ngrep -q '.' 'host google.com'
Here is the command output.
interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .
T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>......p..
T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
.............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;
Monitor which files the browser is requesting (plain HTTP GET requests only; HTTPS payloads are encrypted and will not match).
ngrep -q '^GET .* HTTP/1.[01]'
Display all activity with source or destination port 25.
ngrep port 25
Monitor network-based syslog traffic on port 514 across all interfaces, showing only packets containing the string 'error'.
ngrep -d any 'error' port 514