Linux Security: Packet Capture and Analysis
It’s crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review.
Use a tshark capture filter to collect TCP traffic on port 80.
- Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out:

tshark -f "tcp port 80" -Y http -V > /root/http_out

(-f takes a BPF capture filter, which limits what is captured; -Y takes a Wireshark display filter, which limits what is printed. Older material uses -R for the display filter, but current tshark refuses -R unless two-pass mode, -2, is also given.)
- In another SSH session, run curl www.example.com/index.html during the capture:

curl www.example.com/index.html
Use a tshark display filter to collect HTTP traffic and print only HTTP response codes.
- Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response:

tshark -Y http.response -T fields -e http.response.code > /root/http_response

(The display filter http.response matches only response packets. A plain http filter would also match the requests, which carry no response code and would show up as blank lines in the output.)
- In a separate SSH session, run curl www.example.com/index.html and then curl www.example.com/error.html during the capture:

curl www.example.com/index.html
curl www.example.com/error.html
Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.
- Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds:

tshark -f "tcp dst port 22" -T fields -e ip.src

(The capture filter selects packets addressed to TCP port 22 and ip.src prints the address that sent each one. If the workstation also opens outbound SSH sessions, append "and dst host <workstation IP>" to the filter so its own client traffic is excluded.)

- Add the IP address(es) to /root/ssh_ip in a newline-delimited format, one address per line with duplicates removed.
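The three captures above as one script, with the post-processing that turns raw tshark field output into the deliverable files. This is an added example and not part of the original lab; it assumes two names that the lab does not define, IFACE (interface to capture on, default "any") and DURATION (seconds before tshark stops itself, default 30), and the IP addresses in SAMPLE_IPS are constructed, not taken from a real capture.

```shell
#!/bin/sh
# Added example, not part of the original lab: the three captures as
# functions with an auto-stop time, plus the post-processing that turns raw
# `-T fields` output into the deliverable files. Assumed names: IFACE
# (interface to capture on, default "any"), DURATION (seconds before tshark
# stops, default 30). Run the capture_* functions as root on the workstation.

IFACE="${IFACE:-any}"
DURATION="${DURATION:-30}"

# Drop blank lines and duplicates. Blank lines appear whenever a packet
# matches the display filter but lacks the requested field (e.g. an HTTP
# request has no http.response.code); sort -u leaves one value per line.
field_values() {
    grep -v '^[[:space:]]*$' | sort -u
}

# Count occurrences of each value, most frequent first (a quick tally of
# response codes or of client addresses).
tally() {
    grep -v '^[[:space:]]*$' | sort | uniq -c | sort -rn
}

# Task 1. -f is a BPF capture filter applied at capture time; -Y is a
# Wireshark display filter applied by tshark. -V prints the full dissection.
capture_http_verbose() {
    tshark -n -i "$IFACE" -a "duration:$DURATION" \
        -f "tcp port 80" -Y http -V > /root/http_out
}

# Task 2. http.response matches only response PDUs, so every printed line
# carries a code. -l flushes stdout per packet so a pipe sees codes live.
capture_http_response_codes() {
    tshark -n -l -i "$IFACE" -a "duration:$DURATION" \
        -Y http.response -T fields -e http.response.code > /root/http_response
}

# Task 3. Packets whose TCP destination port is 22, printing the sender.
# If the workstation also opens outbound SSH sessions, append
# "and dst host <workstation IP>" to the capture filter to exclude them.
capture_ssh_clients() {
    tshark -n -l -i "$IFACE" -a "duration:$DURATION" \
        -f "tcp dst port 22" -T fields -e ip.src | field_values > /root/ssh_ip
}

# Constructed sample of `-T fields -e ip.src` output (not from a real
# capture): repeats and a blank line, as a live run can produce.
SAMPLE_IPS='10.0.2.15
10.0.2.15

192.168.56.1
10.0.2.15
'

# Stand-alone demo on the constructed sample; the capture_* functions are
# left for the operator to call explicitly as root.
printf '%s' "$SAMPLE_IPS" | field_values
printf '%s' "$SAMPLE_IPS" | tally
```

The capture_* functions stop on their own after DURATION seconds, so the output files are closed cleanly instead of depending on an interrupted tshark; run the curl commands from the second session while the timer is running.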