Documentation #7220
open
guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides
Added by Juliana Fajardini Reichow 2 months ago.
Updated 2 months ago.
Description
Our Userguide currently mentions an out-of-date guide on Sniffing_Packets_with_Wireshark.
While that is useful, it has some instructions that are not recommended in terms of security best practices (running as sudo). We also understand that there are early steps that need coverage and are not tied to Wireshark.
Therefore, we need a guide to explain how to use ip and tcpdump to know which interface card the user's system is using for network traffic, as well as how to do packet sniffing etc.:
- Convert ifconfig to ip --brief address, as ifconfig isn't installed by default on many Linux systems these days
- Run tcpdump (perhaps with an address filter): are you seeing the packets you expect to see?
This task covers:
- creating a Forum post under the Guides category (https://forum.suricata.io/c/guides/12) respecting formatting etc., on the topics discussed above
- updating our Userguide to point to this new guide, instead of to the Sniffing Packets with Wireshark one: https://docs.suricata.io/en/latest/performance/packet-profiling.html#packet-profiling
Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:
> It is necessary to know which interface card on your computer is being used for traffic.
would be very useful. It's a pretty common question I think.
Jason Ish wrote in #note-1:
> Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:
> > It is necessary to know which interface card on your computer is being used for traffic.
> would be very useful. It's a pretty common question I think.
Could this be a separate task? Reason: for a newcomer, I imagine it may be easier to try and reproduce the steps in the current guide, see what doesn't work, and then update as needed, than to write a guide from scratch. So while I agree that that's a good guide to have, I think the difficulty level may increase.
Jason Ish wrote in #note-1:
> Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:
> > It is necessary to know which interface card on your computer is being used for traffic.
> would be very useful. It's a pretty common question I think.
I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )
Juliana Fajardini Reichow wrote in #note-5:
> Jason Ish wrote in #note-1:
> > Just a thought, I wonder if it would make more sense to use tcpdump instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:
> > > It is necessary to know which interface card on your computer is being used for traffic.
> > would be very useful. It's a pretty common question I think.
> I think I just confused myself. I interpreted that you wanted a guide on using tcpdump to sniff packets.
> But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )
I think the "missing guide" is the one that helps you determine what interface you need to be running Suricata on. I think a guide using tcpdump is the most versatile here (but not a guide on tcpdump itself, out of scope). Following the Wireshark guide:
- Convert ifconfig to ip --brief address, as ifconfig isn't installed by default on many Linux systems these days
- Run tcpdump (perhaps with an address filter): are you seeing the packets you expect to see?
- Subject changed from "guides: update Sniffing packets... section and move it to Suricata forum's Guides" to "guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides"
- Description updated
- Label deleted (Beginner)
Updating Task and Description as per further discussion, as we think this makes more sense.
- Description updated