Running a packet capture on a SourceFire Sensor

Monday, 01 March 2010 15:26

IDS - Snort / Sourcefire

Below shows you the required steps for running a packet capture on a SourceFire Sensor.

Which Interfaces are Sniffing ?

First of all we get a list of interfaces that is are sniffing for malicious traffic. Note : the fps normally relate to eth. Though you still use the fps reference within the tcpdump. 

ps -ef | grep snort | grep fp | awk -F -i ' { print $2 } ' | awk '{print $1}' | head -n1

Tcpdump the Interface

Using the interface numbers output from the last command you can now use these to run a tcpdump. 

root@3d:/#tcpdump -ni <interface>
Example:
root@3d:/#tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
 15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 0 age 0 max 20 hello 2 fdelay 15
Overview of traffic

We can also get an overview of the traffic by running the following command,

root@3d:/# watch 'netstat -ani'

 

Article updates via email..


We have 30 guests online