Linux primer for networkers: Using the sniffer

A few years back, I used an old 486 running Red Hat Linux and tcpdump to easily diagnose a client's denial-of-service attack, illustrating the benefits of creating a powerful network analysis tool from "scrap" parts. There are plenty of tools to build a similar Windows-based network analyzer, but Linux can run on machines that can't efficiently run Windows.

I will now show you how to test the system and install libcap, a package that grabs network packet data; tcpdump, a basic but crucial sniffer package that displays that data sequentially; and iptraf, which presents trends and summaries of the data.

Because your system will be used as a remote machine for data gathering and performance testing, ensuring network connectivity is critical. As part of the Linux distribution installation, the Secure Shell daemon (SSHD) should have been enabled. This is a program for logging into and executing commands on a remote machine. Note that the Windows equivalent to a daemon is, essentially, a service. It may be started and stopped at boot-up or during a root session.

Get root and check ssh

Log into the machine as the account created during the installation, and then become root (the administrative account) by typing su root. If the machine is running the SSHD, TCP Port 22 will be open and listening for connections. The command netstat -an|grep 22 will produce a line showing that the machine is listening on Port 22. Also check to see if the process is running. By typing ps ax|grep sshd the process ID and file-system location of the SSHD should appear. You may also get another line of output showing the grep process that you just ran. For more information on these or any other commands, simply type man followed by the command name.

So what if these tests indicate that SSHD isn't running? It can be enabled for the session by manually running the program -- usually at /usr/sbin/sshd -- but you should instead ensure that the program starts up at system boot. To manually enable the SSHD requires editing run-level directories and the service file and is beyond the scope of this primer. Fortunately, many distributions (including Fedora Core) include a text-based menu-configuration program. With Fedora, simply type setup, select "System Services" and ensure that SSHD has an asterisk next to it. The machine will need to be rebooted.

Finally, go to a machine elsewhere on the network that the Linux machine has been configured to allow access from (via the /etc/hosts.allow file) ands open up an ssh connection. My personal favorite SSH client is PuTTY; it has a small footprint, is easy to install and is part of an ssh suite that lets you pick and choose what components you want to load.

Ideally, you should verify network connectivity from a machine not on the local subnet, as that tests the gateway configuration as well. You can also ping or run a trace (traceroute) to an off-subnet site to verify connectivity. If the test fails, examine the network settings via setup.

Load the packages

Having verified network connectivity, it's time to load packages. TCPdump is one of the oldest, best known and best performing packet sniffers available. True, it's only text-based, but when diagnosing network problems, sometimes less is much better. With TCPdump, you can rapidly filter on sniffs to whatever granularity is necessary with a few command-line options.

When loading packages on a network analyzer, it's sometimes preferable to burn all of the packages to a CD first. For example, for a basic network analyzer, download iptraf, libpcap and tcpdump to a directory on a machine that has a CD writer (it can be on a Windows machine) and copy the files (compressed and zipped) to the CD. The unzipping and unpacking of the packages occurs on the Linux machine. While it may seem like a waste of a CD to burn only three packages, it provides two benefits I have discovered from experience. First, you can take the CD from machine to machine without having to download packages for every machine. Second, for a more complex analyzer with many packages, having them all on one CD eliminates the chance that one will be forgotten.

Take the CD with the three packages and mount it on the Linux machine. It isn't quite as simple as cd d:. The CD must be mounted first. Usually the command mount -t iso9660 /dev/cdrom /cdrom is enough, provided that a directory named /cdrom exists. If not, simply create it with the command mkdir /cdrom. Create a directory to hold the packages (such as /download) and copy the packages there (cp /cdrom/* /download).

One possible problem is that packages often have dependencies. That is, to function properly (or even install in some cases), the dependent package must be present. Such is the case for TCPdump; it depends on libpcap. It may be a good exercise of proof to try to install TCPdump without installing libpcap to see what type of error message will occur without a dependent package.

Sometimes packages come as self-extracting and installable executables that require simply running the downloaded file. In other cases, packages can be installed via a package manager (such as rpm). But usually you have to unzip and unpack a package and then run three commands on it: configure, make and make install.

Unzip and unpack

In the /download directory, first unzip libpcap (gzip-d libpcap-version.tar.gz) and then unpack the resultant tar file (tar -xvf libpcap-version.tar). This will build the directory structure under /download. When the unpacking is complete, change to the libpcap directory.

In most packages, there are text files -- usually called Readme, Install or something similar -- that contain installation instructions and other tidbits of information, such as dependencies (such as in the case of installing TCPdump without libpcap). The directions should be followed closely, but most contain the same three steps mentioned above: run configure, make and make install.

Run these commands in the package source directory -- remembering to type the path (./) -- and your package is installed. Note that if you didn't choose the developer option when installing Linux, you probably are lacking a compiler. If the error messages indicate that, download gcc as a package and follow the same procedure.

Once libpcap is installed, install TCPdump and iptraf.

Congratulations, you now have built a powerful network sniffer. In the next article, I'll discuss how to use TCPdump and iptraf.

Join the newsletter!

Error: Please check your email address.

More about AsteriskGatewayRed HatSnifferVIA

Show Comments

Market Place