Linux Security: Packet Capture and Analysis


It’s crucial for any security or systems administrator to be able to capture and analyze network traffic. This allows for advanced troubleshooting as well as security review.

Use a tshark capture filter to collect TCP traffic on port 80.

  • Use a tshark capture filter to collect TCP traffic on port 80. Store the capture command output in /root/http_out.

    tshark -f "tcp port 80" -V -Y http > /root/http_out

  (-f is a BPF capture filter applied when packets are captured; -Y is a display filter applied to the decoded packets. Older write-ups use -R here, but current tshark only accepts -R together with -2, so -Y is the form to use.)

  • In another SSH session, run curl www.example.com/index.html during the capture:

    curl www.example.com/index.html

Use a tshark display filter to collect HTTP traffic and print only HTTP response codes.

  • Use a tshark display filter to collect HTTP traffic and print only HTTP response codes. Store the capture command output in /root/http_response.

    tshark -Y http -T fields -e http.response.code > /root/http_response

  (Request packets have no http.response.code and print as blank lines; filtering with -Y http.response instead would print only the responses.)

  • In a separate SSH session, run curl www.example.com/index.html and then curl www.example.com/error.html during the capture:

    curl www.example.com/index.html
    curl www.example.com/error.html

Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22.

Use a tshark capture filter that prints the IP address of hosts sending traffic to the test workstation on TCP port 22. Observe any IP addresses printed after several seconds.

    tshark -f "tcp src port 22" -T fields -e ip.dst

  (This captures the workstation's replies from port 22, whose destination is the connecting host. The request direction, -f "tcp dst port 22" -T fields -e ip.src, lists the same hosts and also shows senders that never received a reply.)

Add the IP address(es) to /root/ssh_ip in a newline-delimited format.
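As an added example that is not part of this lab, a short Python post-processor for the tab-separated output of tshark -T fields, serving the response-code task and the port 22 task together. The field list, the sample lines and the workstation address 10.0.0.5 are assumed or constructed for the example, not taken from a real capture.

```python
"""Post-process `tshark -T fields` output for the HTTP and SSH tasks above.
Assumed (hypothetical) field order, tab-separated, empty when absent:
  tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e http.response.code"""
from collections import Counter

FIELDS = ("ip.src", "ip.dst", "tcp.srcport", "tcp.dstport", "http.response.code")

# Constructed sample, not a real capture; requests carry no http.response.code.
SAMPLE = (
    "10.0.0.5\t93.184.216.34\t51234\t80\t\n"
    "93.184.216.34\t10.0.0.5\t80\t51234\t200\n"
    "93.184.216.34\t10.0.0.5\t80\t51236\t404\n"
    "203.0.113.7\t10.0.0.5\t40022\t22\t\n"
    "10.0.0.5\t203.0.113.7\t22\t40022\t\n"
    "198.51.100.9\t10.0.0.5\t40100\t22\t\n"
    "203.0.113.7\t10.0.0.5\t40022\t22\t\n"
)

def parse_fields(text):
    """One dict per non-empty line, keyed by field name; pads short lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t")
            cols += [""] * (len(FIELDS) - len(cols))
            rows.append(dict(zip(FIELDS, cols)))
    return rows

def response_codes(rows):
    """Task 2: count status codes; packets without one (requests) are skipped."""
    return Counter(r["http.response.code"] for r in rows if r["http.response.code"])

def ssh_peers(rows, workstation):
    """Task 3: hosts that sent traffic to the workstation's TCP port 22. Both
    directions count: the page's command sees the replies (src port 22, peer is
    ip.dst); the request direction (dst port 22, peer is ip.src) also catches
    senders that never got a reply."""
    peers = set()
    for r in rows:
        if r["tcp.dstport"] == "22" and r["ip.dst"] == workstation:
            peers.add(r["ip.src"])
        elif r["tcp.srcport"] == "22" and r["ip.src"] == workstation:
            peers.add(r["ip.dst"])
    return sorted(peers)

def ssh_ip_file(rows, workstation):
    """Newline-delimited text in the form /root/ssh_ip expects."""
    return "".join(ip + "\n" for ip in ssh_peers(rows, workstation))
```

Feed real output by replacing SAMPLE with the captured text (for example from a file written with the command in the docstring) and write ssh_ip_file(...) to /root/ssh_ip.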