We can parse the capture output of tcpdump. There are numerous ways to use tcpdump to view traffic on your network; two common ones are:

  • SPAN or mirror port: The most effective is to configure a port on your switch as a SPAN or mirror port, connect a system to that port, and run tcpdump on that system's interface.
  • On the firewall directly: If your firewall can run tcpdump, you can run it there and capture the traffic the firewall itself sees.

Caveats

  • Since pcap files are not firewall logs, there is no way to block traffic with them. We treat all entries as blocked traffic for reporting purposes.
  • There are no dates in pcap files, only times of day. We use the date on which the file is parsed.

To run tcpdump and save its output to the file output.txt:

tcpdump -n -q -i <interface> > output.txt

To view the output on screen while also saving it to a file:

tcpdump -n -q -i <interface> | tee output.txt

Replace the <interface> tag with the name of the interface on which you want to capture (for example, the interface connected to the SPAN or mirror port).
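The parsing side of this process is not shown on the page, so the following is an added illustration and is not ThreatSTOP's own parser. It reads the one-line summaries that `tcpdump -n -q` prints (the line layout, the sample lines and the `Entry` record are assumptions made for the example; real output varies by protocol and tcpdump version) and applies the two caveats above: every entry is marked as blocked, and the timestamp takes its date from the day the file is parsed, not from the capture.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed sample of `tcpdump -n -q` output; these are not real packets.
# The last line is deliberately malformed to show that non-packet lines
# (tcpdump banners, shell noise) are skipped rather than crashing the parser.
SAMPLE = """\
14:02:11.123456 IP 192.168.1.10.51234 > 203.0.113.5.443: tcp 0
14:02:11.234567 IP 192.168.1.10.53120 > 198.51.100.1.53: UDP, length 44
14:02:12.000100 IP 192.168.1.10 > 198.51.100.9: ICMP echo request, id 1, seq 1, length 64
14:02:12.500000 IP6 2001:db8::10.40000 > 2001:db8::1.443: tcp 0
this line is not a packet summary
"""

# time-of-day, address family, "src > dst:", then the protocol detail text
LINE_RE = re.compile(r'^(\d{2}:\d{2}:\d{2}\.\d+) (IP6?) (\S+) > (\S+): (.*)$')


@dataclass
class Entry:
    timestamp: datetime
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    detail: str
    action: str = "blocked"  # caveat: pcap-derived entries are reported as blocked


def split_host_port(token: str):
    """Split tcpdump's 'addr.port' token; the port is absent for ICMP etc."""
    if ':' in token:
        # IPv6: tcpdump appends the port after a final '.', e.g. 2001:db8::1.443
        addr, dot, port = token.rpartition('.')
        return (addr, int(port)) if dot else (token, None)
    if token.count('.') == 4:
        # IPv4 with a port has five dot-separated parts
        addr, port = token.rsplit('.', 1)
        return addr, int(port)
    return token, None  # bare IPv4 address, no port


def parse_line(line: str, capture_date: date) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hms, _family, src_tok, dst_tok, detail = m.groups()
    t = datetime.strptime(hms, '%H:%M:%S.%f').time()
    src, sport = split_host_port(src_tok)
    dst, dport = split_host_port(dst_tok)
    # caveat: the capture carries no date, so the caller's date is combined in
    return Entry(datetime.combine(capture_date, t), src, sport, dst, dport, detail)


def parse_capture(text: str, capture_date: Optional[date] = None) -> List[Entry]:
    """Parse a whole output.txt; defaults the date to today, as the page describes."""
    capture_date = capture_date or date.today()
    entries = []
    for line in text.splitlines():
        entry = parse_line(line, capture_date)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_capture(SAMPLE):
        print(e.timestamp, e.action, e.src, e.src_port, "->", e.dst, e.dst_port, "|", e.detail)
```

Because the capture only carries a time of day, a file submitted the day after it was captured will be dated incorrectly; submitting captures promptly keeps the reporting dates accurate.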

Sending Your Logs

You can send the logs to ThreatSTOP via email or the Log Submission page.

To email the log, send it to <Device IP>@threatstop.com.
If you run tcpdump on a Unix-based system, you may be able to email the log directly from the command line:

cat output.txt | mail -s "pcap log" <Device IP>@threatstop.com

Restore to Previous State

Since tcpdump is a manual process (unless it has been set up to run from a script), there is no uninstall to perform. Simply stop running tcpdump and submitting the logs.