Project

General

Profile

Actions

Documentation #7220

open

guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides

Added by Juliana Fajardini Reichow 4 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Outreachy

Description

Our Userguide currently has a mention to an out-of-date guide on Sniffing_Packets_with_Wireshark.

While that is useful, it has some instructions that are not recommended in terms of security best practices
(running as sudo. We also understand that there are early steps that need coverage and are not tied to Wireshark.

Therefore, we need a guide to explain how to use ip and tcpdump to know which interface card the user system is
using for network traffic, as well as how to do packet sniffing etc:
- Convert ifconfig to ip --brief address as ifconfig isn't installed by default on many Linux systems these days
- Run tcpdump, are you seeing the packets you expect to see?, perhaps with an address filter

This task covers:
- creating a Forum post under the Guides category (https://forum.suricata.io/c/guides/12) respecting formatting etc., on the topics discussed above
- updating our Userguide to point to this new guide, instead of to the Sniffing Packets with Wireshark one: https://docs.suricata.io/en/latest/performance/packet-profiling.html#packet-profiling

Actions #1

Updated by Jason Ish 4 months ago

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

Actions #2

Updated by Juliana Fajardini Reichow 4 months ago

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

Could this be a separate task? Reason: for a newcomer, I imagine it may be easier to try and reproduce the steps in the current guide, see what doesn't work, and then update as needed, than to write a guide from scratch. So while I agree that that's a good guide to have, I think the difficulty level may increase.

Actions #3

Updated by Jason Ish 4 months ago

I suppose it could be its own guide. I've never paid attention to this one before...

But, Running Wireshark with sudo or as root is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/Security

Requiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities

Actions #4

Updated by Juliana Fajardini Reichow 4 months ago

Jason Ish wrote in #note-3:

I suppose it could be its own guide. I've never paid attention to this one before...

But, Running Wireshark with sudo or as root is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/Security

Requiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities

Let's make this change a requirement, when someone claims this one, then :)

Actions #5

Updated by Juliana Fajardini Reichow 4 months ago

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )

Actions #6

Updated by Jason Ish 4 months ago

Juliana Fajardini Reichow wrote in #note-5:

Jason Ish wrote in #note-1:

Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:

It is necessary to know which interface card on your computer is being used for traffic.

would be very useful. Its a pretty common question I think.

I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )

I think the "missing guide" is the one that helps you determine what interface you need to be running Suricata on it. I think a guide using tcpdump is the most versatile here (but not a guide on tcpdump itself, out of scope). Following the Wireshark guide:

- Convert ifconfig to ip --brief address as ifconfig isn't install by default on many Linux systems these days
- Run tcpdump, are you seeing the packets you expect to see, perhaps with an address filter

Actions #7

Updated by Juliana Fajardini Reichow 4 months ago

  • Subject changed from guides: update Sniffing packets... section and move it to Suricata forum's Guides to guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides
  • Description updated (diff)
  • Label deleted (Beginner)

Updating Task and Description as per further discussion, as we think this makes more sense.

Actions #8

Updated by Juliana Fajardini Reichow 4 months ago

  • Description updated (diff)
Actions

Also available in: Atom PDF