How to Install & Configure Network Packet Analyzers (Sniffers) in Linux

A packet sniffer (packet analyzer) is a protocol or network analyzer. It is a type of hardware or software used to monitor network traffic. We can use multiple tools & commands to monitor network traffic in Linux.

Network Packet Analyzers

Tcpdump Command

  • It is a command-line network sniffer used to capture and analyze TCP/IP packets transmitted or received on a specific network interface.

Install tcpdump

apt-get install tcpdump

Capture packets from an interface.

tcpdump -i interface-name

Capture a specific number of packets.

tcpdump -c 5 -i interface-name

Here is the command output.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
12:48:03.425233 IP localhost.50973 > localhost.domain: 58744+ A? 1-263071-885178703872
12:48:03.425288 IP localhost.50973 > localhost.domain: 40014+ AAAA? 1-263071-885178703.
12:48:03.425857 IP localhost.domain > localhost.50973: 58744 2/0/0 CNAME b-0005t.b
12:48:03.426501 IP localhost.45801 > localhost.domain: 29887+ PTR? 53.0.0.127.in-addr.
12:48:03.426848 IP localhost.domain > localhost.45801: 29887 1/0/0 PTR localhost. (64)
5 packets captured
10 packets received by filter
0 packets dropped by kernel
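Added example (not code from the original article): a small wrapper around tcpdump that captures a bounded number of packets to a pcap file and then checks the summary tcpdump prints on stderr for kernel drops, which mean the capture is incomplete. Interface, packet count, output path and BPF filter are assumed to be supplied by the caller, and tcpdump is assumed to run with the capture privileges it needs; the sample summary is constructed from the article's output.

```shell
#!/bin/sh
# Added example, not part of the original article: wrap tcpdump so that a
# bounded capture is written to a pcap file and its summary is checked for
# kernel drops. Assumptions (not in the article): interface, packet count,
# output path and BPF filter come from the caller, and tcpdump has the
# capture privileges it needs.

# Print N from the "N packets dropped by kernel" line of a tcpdump summary,
# or "unknown" if the line is absent. Reads the summary on stdin.
tcpdump_kernel_drops() {
    awk '/packets dropped by kernel/ { print $1; found = 1 }
         END { if (!found) print "unknown" }'
}

# Same for the "N packets captured" line.
tcpdump_captured() {
    awk '/packets captured/ { print $1; found = 1 }
         END { if (!found) print "unknown" }'
}

# Capture COUNT packets matching FILTER on IFACE into OUTFILE.
#   -nn  no host/port name resolution, so the sniffer itself does not generate
#        the DNS lookups visible in the article's sample output
#   -w   write raw packets to a pcap file for later analysis (e.g. in Wireshark)
# tcpdump prints its summary on stderr; capture that and return non-zero when
# the kernel reported dropped packets.
capture_bounded() {
    iface="$1"; count="$2"; outfile="$3"; filter="$4"
    # $filter is deliberately unquoted so an expression such as "port 53"
    # reaches tcpdump as separate words.
    summary=$(tcpdump -i "$iface" -c "$count" -nn -w "$outfile" $filter 2>&1 >/dev/null)
    dropped=$(printf '%s\n' "$summary" | tcpdump_kernel_drops)
    captured=$(printf '%s\n' "$summary" | tcpdump_captured)
    echo "captured=$captured dropped=$dropped file=$outfile"
    [ "$dropped" = 0 ]
}

# Constructed sample summary modelled on the article's tcpdump output, so the
# parsing functions can be exercised without capture privileges.
SAMPLE_SUMMARY='tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
10 packets received by filter
0 packets dropped by kernel'

# Usage: sh capture.sh --run eth0 100 /tmp/dns.pcap 'port 53'
if [ "${1:-}" = "--run" ]; then
    capture_bounded "$2" "$3" "$4" "$5"
fi
```

The drop count is the line worth watching: a non-zero "packets dropped by kernel" means the capture buffer overflowed and the pcap does not hold everything that passed the filter.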

Wireshark Utility

  • It is used for capturing and analyzing packets in a packet-switched network in real time.

Update the system.

apt-get update

Install Wireshark.

apt install wireshark

Enable root privileges for packet capture when prompted during installation.

Select yes.

Bmon Tool

  • It is a command-line network monitoring and debugging utility. It captures network-related statistics and prints them visually in a human-friendly format.

Install Bmon tool.

apt-get install bmon

Monitor the specific interface.

bmon -p enp1s0

Ngrep (network grep)

  • It is a command-line network packet analyzer. It is similar to the grep tool applied to the network layer: it matches traffic passing over a network interface against a regular expression.

Install Ngrep.

apt-get install ngrep

Display all ping (ICMP) traffic on the default interface.

ngrep -q '.' 'icmp'

Here is the command output.

interface: enp0s3 (172.15.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 172.15.0.104 -> 172.15.0.103 8:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 172.15.0.103 -> 172.15.0.104 0:0
  ]...~oG[....j....................... !"#$%&'()*+,-./01234567

I 172.15.0.104 -> 172.15.0.103 8:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

I 172.15.0.103 -> 172.15.0.104 0:0
  ]....oG[............................ !"#$%&'()*+,-./01234567

Match only traffic to or from a particular host (here google.com).

ngrep -q '.' 'host google.com'

Here is the command output.

interface: enp0s3 (192.168.0.0/255.255.255.0)
filter: ( host google.com ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  ..................;.(...RZr..$....s=..l.Q+R.U..4..g.j..I,.l..:{y.a,....C{5>......p..                                                                

T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]
  .............l.......!,0hJ....0.%F..!...l|.........PL..X...t..T.2DC..... ..y...~Y;

Monitor which files a browser is requesting (HTTP GET request lines).

ngrep -q '^GET .* HTTP/1.[01]'

Display all activity crossing source or destination port 25.

ngrep port 25

Monitor network-based syslog traffic (port 514) on any interface for messages containing "error".

ngrep -d any 'error' port 514
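Added example (not code from the original article): the ngrep commands above print one header line per matching packet, such as "I 172.15.0.104 -> 172.15.0.103 8:0" for ICMP or "T 172.217.160.174:443 -> 192.168.0.103:54008 [AP]" for TCP, followed by the indented payload. The functions below read saved ngrep output and summarise it by endpoint pair, which is the quickest way to see which hosts a filter such as 'icmp' or 'port 514' is actually catching. The sample input is constructed from the article's ICMP output.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise saved ngrep
# output by endpoint pair. All functions read ngrep output on stdin. The
# sample below is constructed from the article's ICMP output (payload lines
# shortened).

# Count packet header lines: a one-letter protocol tag, source, "->", destination.
ngrep_match_count() {
    awk 'length($1) == 1 && $3 == "->" { c++ } END { print c + 0 }'
}

# Count matches per "proto src -> dst" pair, most frequent first.
ngrep_pair_counts() {
    awk 'length($1) == 1 && $3 == "->" { n[$1 " " $2 " -> " $4]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Keep only header lines whose destination IPv4 address equals the argument,
# ignoring any ":port" suffix, e.g. ngrep_to_dst 172.15.0.103 < icmp.txt
ngrep_to_dst() {
    awk -v dst="$1" 'length($1) == 1 && $3 == "->" {
        split($4, a, ":"); if (a[1] == dst) print
    }'
}

# Constructed sample, modelled on the article's "ngrep -q . icmp" output.
SAMPLE_NGREP='interface: enp0s3 (172.15.0.0/255.255.255.0)
filter: ( icmp ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: .

I 172.15.0.104 -> 172.15.0.103 8:0
  ]...~oG[....j.......... (payload shortened)

I 172.15.0.103 -> 172.15.0.104 0:0
  ]...~oG[....j.......... (payload shortened)

I 172.15.0.104 -> 172.15.0.103 8:0
  ]....oG[............... (payload shortened)

I 172.15.0.103 -> 172.15.0.104 0:0
  ]....oG[............... (payload shortened)'

# Usage with live data: save the output first, then summarise it, e.g.
#   ngrep -q '.' 'icmp' > icmp.txt      (stop with Ctrl-C)
#   ngrep_pair_counts < icmp.txt
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_NGREP" | ngrep_pair_counts
fi
```

On the sample the pair summary prints two lines, "2 I 172.15.0.104 -> 172.15.0.103" (echo requests, type 8) and "2 I 172.15.0.103 -> 172.15.0.104" (echo replies, type 0), which is what a ping exchange between the two hosts should look like.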
