We can parse the capture output of tcpdump. There are numerous ways to use tcpdump to view traffic on your network.
- SPAN or mirror port: The most effective is to configure a port on your switch to be a SPAN or mirror port. You would then connect a system to that port and run tcpdump on that interface.
- On the firewall directly: If your firewall can run tcpdump, you can run it from there.
- Since pcap files are not firewall logs, they carry no allow/block verdict. We treat all entries as blocked traffic for reporting purposes.
- There are no dates in pcap files, only times of day. We use the date the file is parsed.
To run tcpdump and save output to the file output.txt:
To view the output and save to a file:
Replace the <interface> placeholder with the name of the interface on which you want to capture.
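The two caveats above (no date, no verdict) are what a parser for tcpdump's text output has to handle. The following is an added example of such a parser, not ThreatSTOP's own code; the sample lines are constructed, the record layout is assumed, and lines tcpdump prints without an IP header (ARP, for instance) are skipped.

```python
import re
from datetime import date, datetime

# Constructed sample of tcpdump's default text output (tcpdump -n on an interface).
# Timestamps carry only the time of day; there is no date and no allow/block verdict.
SAMPLE = """\
12:01:03.123456 IP 10.0.0.5.51234 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
12:01:03.223456 IP 203.0.113.7.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:01:04.000001 IP 10.0.0.5.40000 > 198.51.100.9.53: 1234+ A? example.com. (29)
12:01:05.500000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
12:01:06.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

# "<time> IP|IP6 <src> > <dst>: ..." ; dst is matched non-greedily up to ": " so IPv6 colons survive.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+?): "
)

def split_endpoint(ep):
    """Split tcpdump's 'addr.port' into (addr, port); port is None when absent (e.g. ICMP)."""
    addr, sep, port = ep.rpartition(".")
    if sep and port.isdigit() and (":" in addr or addr.count(".") == 3):
        return addr, int(port)
    return ep, None

def parse_capture(text, parse_date=None):
    """Turn tcpdump text lines into report records (assumed layout).

    Every record gets the date the capture is parsed (the output has none)
    and is reported as 'blocked' (the output has no firewall verdict).
    """
    parse_date = parse_date or date.today()
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # ARP and other non-IP lines carry nothing to report
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        tod = datetime.strptime(m.group("time"), "%H:%M:%S.%f").time()
        records.append({
            "timestamp": datetime.combine(parse_date, tod),
            "proto": m.group("proto"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "action": "blocked",
        })
    return records
```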
Sending Your Logs
You can send the logs to ThreatSTOP via email or the Log Submission page.
To email the log, send it to <Device IP>@threatstop.com.
If you run tcpdump on a Unix-based system, you may be able to email the log directly from the command line:
Restore to Previous State
Since tcpdump is a manual process, unless it is set up to run from a script, there is no uninstall to perform. Simply stop running tcpdump and submitting the logs.