User:Vitrinekast/Network Listening
Tried using this article: stopped doing that, as it was mostly about download speed. Installed #tcpdump instead.
tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression (see pcap-filter(7) for the expression syntax); the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight.
Example packet from tcpdump -c 5 -nn:
10:44:30.577490 IP 145.137.127.98.50920 > 15.197.213.252.443: Flags [FP.], seq 42:119, ack 1, win 2048, options [nop,nop,TS val 4001084249 ecr 3400632910], length 77
Reading the fields of that line:

- 10:44:30.577490 → timestamp (time of day, microsecond fraction)
- 145.137.127.98.50920 → source IP, followed by the source port (50920) after the last dot
- 15.197.213.252.443 → destination IP and destination port (443, HTTPS)
- Flags [FP.] → TCP flags set in this segment: FIN, PSH and ACK (see the table below)
- seq 42:119 → this segment carries payload bytes 42 up to (not including) 119 of the stream; tcpdump prints sequence numbers relative to the initial one unless you pass -S
- ack 1 → the next byte expected from the peer (also relative)
- win 2048 → receive window advertised by the sender
- options [nop,nop,TS val 4001084249 ecr 3400632910] → TCP options: two NOP padding bytes and the timestamp option
- length 77 → payload length in bytes (119 - 42 = 77)
Value | Flag | Description |
---|---|---|
S | SYN | Connection start |
F | FIN | Connection finish |
P | PSH (PUSH) | Data push (deliver to the application now) |
R | RST | Connection reset |
. | ACK | Acknowledgment |
U | URG | Urgent pointer set |
E | ECE | ECN echo |
W | CWR | Congestion window reduced |

The letters are concatenated, so [S.] is a SYN-ACK and [FP.] in the line above is FIN + PSH + ACK.
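As an added example (not part of the original page), here is a small parser for tcpdump's one-line TCP summaries as printed with -nn, decoding the flag letters from the table above and using the "S only" rule to count new connection attempts per source. The regex, the dataclass and the two extra SYN lines in the sample are assumptions made for this example; the first sample line is the capture shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# tcpdump's one-letter TCP flag notation. "." is tcpdump's symbol for ACK;
# U, E and W (URG, ECE, CWR) are printed the same way but did not occur above.
FLAG_NAMES = {
    "S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", ".": "ACK",
    "U": "URG", "E": "ECE", "W": "CWR",
}

# One TCP summary line as printed by tcpdump -nn (numeric hosts and ports).
# seq/ack/win/options are optional because e.g. a bare SYN carries no "ack".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[(?P<options>[^\]]*)\])?"
    r", length (?P<length>\d+)$"
)


@dataclass
class TcpSummary:
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: List[str]          # decoded names, e.g. ["FIN", "PSH", "ACK"]
    seq: Optional[str]        # "first:last" (relative) or a single number
    ack: Optional[int]
    win: Optional[int]
    options: Optional[str]
    length: int               # payload bytes


def parse_tcpdump_line(line: str) -> TcpSummary:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP summary line: " + line)
    return TcpSummary(
        timestamp=m["ts"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=[FLAG_NAMES.get(c, "?" + c) for c in m["flags"]],
        seq=m["seq"],
        ack=int(m["ack"]) if m["ack"] else None,
        win=int(m["win"]) if m["win"] else None,
        options=m["options"],
        length=int(m["length"]),
    )


def is_connection_start(s: TcpSummary) -> bool:
    """A segment with only SYN set opens a new connection (the 'S' row above)."""
    return s.flags == ["SYN"]


def new_connections_per_source(lines: List[str]):
    """Count connection attempts per source IP; many to one host looks scan-like."""
    counts = {}
    for line in lines:
        try:
            s = parse_tcpdump_line(line)
        except ValueError:
            continue                    # skip non-TCP lines (UDP, ARP, ...)
        if is_connection_start(s):
            counts[s.src] = counts.get(s.src, 0) + 1
    return counts


# Constructed sample: the line from above plus two invented SYNs from a
# documentation address (203.0.113.7).
SAMPLE_LINES = [
    "10:44:30.577490 IP 145.137.127.98.50920 > 15.197.213.252.443: Flags [FP.], seq 42:119, ack 1, win 2048, options [nop,nop,TS val 4001084249 ecr 3400632910], length 77",
    "10:44:31.000100 IP 203.0.113.7.41000 > 15.197.213.252.22: Flags [S], seq 1000, win 64240, options [mss 1460], length 0",
    "10:44:31.000300 IP 203.0.113.7.41001 > 15.197.213.252.80: Flags [S], seq 1001, win 64240, options [mss 1460], length 0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = parse_tcpdump_line(line)
        print(s.timestamp, s.src, s.sport, "->", s.dst, s.dport, s.flags, s.length)
    print(new_connections_per_source(SAMPLE_LINES))
```

Feed it real output with something like `tcpdump -nn -l | python3 script.py` (the -l flag line-buffers tcpdump's output); lines without -nn would contain hostnames and service names and not match the regex.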
Or use journalctl:
Jan 15 11:42:08 chopchop sshd[9430]: Received disconnect from 145.137.127.193 port 56998:11: disconnected by user
Jan 15 11:42:08 chopchop sshd[9430]: Disconnected from user vitrinekast 145.137.127.193 port 56998
Feb 06 10:42:45 chopchop sshd[17331]: Accepted password for vitrinekast from 145.137.127.98 port 52462 ssh2
Using journalctl -f I can log when users are logging into chopchop.
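As an added example (not from the original page), a parser for the sshd lines journalctl shows above, turning them into events, listing who logged in from where and by which method, and flagging source addresses with repeated failures. The three lines from above are reused; the four extra lines and the 203.0.113.7 address are constructed for the example, and the regex is an assumption about sshd's message format.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of journalctl output for sshd: the first three lines are
# the ones shown above, the remaining four are invented for this example.
SAMPLE_JOURNAL = """\
Jan 15 11:42:08 chopchop sshd[9430]: Received disconnect from 145.137.127.193 port 56998:11: disconnected by user
Jan 15 11:42:08 chopchop sshd[9430]: Disconnected from user vitrinekast 145.137.127.193 port 56998
Feb 06 10:42:45 chopchop sshd[17331]: Accepted password for vitrinekast from 145.137.127.98 port 52462 ssh2
Feb 06 10:43:01 chopchop sshd[17402]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 06 10:43:03 chopchop sshd[17402]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 06 10:43:05 chopchop sshd[17402]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 06 10:45:12 chopchop sshd[17510]: Accepted publickey for vitrinekast from 145.137.127.98 port 52500 ssh2
"""

# sshd's "Accepted <method> for <user> from <ip> port <port>" and
# "Failed <method> for [invalid user] <user> from <ip> port <port>" messages.
AUTH_RE = re.compile(
    r"^(?P<when>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:(?P<invalid>invalid user) )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_events(journal_text: str) -> List[Dict[str, str]]:
    """Return one dict per authentication attempt; other sshd lines are ignored."""
    events = []
    for line in journal_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = ev.pop("invalid") is not None
            events.append(ev)
    return events


def accepted_logins(events) -> Counter:
    """Who got in, from where, and with which method (password vs publickey)."""
    return Counter((e["user"], e["ip"], e["method"])
                   for e in events if e["result"] == "Accepted")


def failed_sources(events, threshold: int = 3) -> List[str]:
    """Source IPs with at least `threshold` failed attempts (brute-force hint)."""
    fails = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_JOURNAL)
    for key, n in accepted_logins(evs).items():
        print("accepted", key, n)
    print("suspicious sources:", failed_sources(evs))
```

Pipe live output into it with journalctl -u ssh -f (the unit is called sshd on some distributions); the "Accepted password" events are the ones worth watching if you expect only key-based logins.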
sudo tcpdump --interface=ens33 -n host 192.168.111.1 and port 80
sudo tcpdump --interface=ens33 -n host 145.24.139.16 and port 80
sudo tcpdump --interface=hub -n port 80
Prints out all activity on the XPUB chopchop hub/web interface! How to translate this into something else?
To try out:

### 2. Capture only HTTP GET and POST packets
Going deeper with the filter, we can select only the packets whose TCP payload starts with GET.
:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
Alternatively we can select only POST requests. Note that the POST body may not be included in the packet captured with this filter: it only matches the segment whose payload begins with POST, and a POST request is likely to be split across multiple TCP segments.
:~$ sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
The hexadecimal constants in these expressions are the ASCII bytes of "GET " (0x47 0x45 0x54 0x20, including the trailing space) and "POST" (0x50 0x4f 0x53 0x54).

As an explanation: tcp[12:1] is the TCP header byte whose high nibble is the data offset, the header length in 32-bit words. Masking with 0xf0 keeps that nibble; shifting it right by 2 (instead of 4) multiplies the word count by 4, giving the header length in bytes. tcp[...:4] at that offset then selects the first 4 bytes after the TCP header, options included, which are compared with the constant. Because the offset is computed per packet, the filter works whether or not the segment carries options such as the timestamps seen above; a fixed tcp[20:4] would miss every segment with options. -s 0 captures whole packets and -A prints the payload as ASCII. This only works on plaintext HTTP: on port 443 the method is inside TLS and never matches.
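As an added example (not from the original page), the offset arithmetic of that filter replayed in Python on constructed TCP segments: one carrying the nop,nop,TS options seen in the capture above and one with a bare 20-byte header, next to a naive fixed-offset check to show why tcp[12] has to be read first. The helper names, the sample payloads and the port numbers are assumptions made for this example.

```python
import struct


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a minimal TCP segment (20-byte header + options + payload).
    Options must already be padded to a multiple of 4 bytes, as on the wire.
    The checksum is left at 0; it plays no role in the offset logic."""
    assert len(options) % 4 == 0
    data_offset_words = (20 + len(options)) // 4    # header length in 32-bit words
    offset_byte = data_offset_words << 4            # high nibble = data offset
    header = struct.pack(
        "!HHIIBBHHH",
        40000,       # source port
        80,          # destination port
        1,           # sequence number
        1,           # acknowledgement number
        offset_byte, # byte 12 of the header: the one tcp[12:1] reads
        0x18,        # flags: PSH + ACK
        2048,        # window
        0,           # checksum (not computed)
        0,           # urgent pointer
    )
    return header + options + payload


def tcp_header_length(segment: bytes) -> int:
    """Emulates ((tcp[12:1] & 0xf0) >> 2): header length in bytes."""
    return (segment[12] & 0xF0) >> 2


def payload_prefix(segment: bytes, n: int = 4) -> bytes:
    """Emulates tcp[hdrlen:n]: the first n bytes after the TCP header."""
    start = tcp_header_length(segment)
    return segment[start:start + n]


def matches_method(segment: bytes, const: int) -> bool:
    """Emulates the whole filter 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = const'.
    A segment with fewer than 4 payload bytes cannot match, as in BPF."""
    prefix = payload_prefix(segment)
    if len(prefix) < 4:
        return False
    return int.from_bytes(prefix, "big") == const


def naive_fixed_offset_match(segment: bytes, const: int) -> bool:
    """What 'tcp[20:4] = const' would do: assumes a 20-byte header."""
    return int.from_bytes(segment[20:24], "big") == const


GET_CONST = 0x47455420    # "GET " (note the trailing space)
POST_CONST = 0x504F5354   # "POST"

# Constructed options: NOP, NOP, then the timestamp option (kind 8, length 10)
# with the val/ecr values from the capture above; 12 bytes in total.
TS_OPTIONS = b"\x01\x01" + b"\x08\x0a" + struct.pack("!II", 4001084249, 3400632910)

# Constructed sample segments.
GET_WITH_OPTS = build_tcp_segment(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", TS_OPTIONS)
GET_NO_OPTS = build_tcp_segment(b"GET / HTTP/1.1\r\n\r\n")
POST_WITH_OPTS = build_tcp_segment(b"POST /login HTTP/1.1\r\n", TS_OPTIONS)

if __name__ == "__main__":
    for name, seg in [("GET+opts", GET_WITH_OPTS), ("GET", GET_NO_OPTS), ("POST+opts", POST_WITH_OPTS)]:
        print(name, "hdr", tcp_header_length(seg), "bytes",
              "filter GET:", matches_method(seg, GET_CONST),
              "filter POST:", matches_method(seg, POST_CONST),
              "naive tcp[20:4] GET:", naive_fixed_offset_match(seg, GET_CONST))
```

The naive check succeeds only on the segment without options; with the timestamp option present, bytes 20..23 are the first option bytes, which is exactly the mistake the data-offset lookup avoids.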