We need to be able to dump all the traffic information for an interface to a log file. Investigate how to do that using tcpdump (hint: turning off name resolution helps speed things up. . . )

tcpdump -n -i eth0 -U -s 0 -w /tmp/var/log/$hostname-`date +%H%M`.dmp stp
  • stp - a filter expression that captures only STP frames, as we are now focusing on the layer 2 topology. But I did not use it. I'd rather have the full dump and filter later by using other options.
  • -n - turn off name resolution.
  • -i eth0 - listen only on interface eth0
  • -U - save the packet immediately instead of waiting till the buffer is full
  • -s 0 - do not truncate packets; capture each packet in full rather than only the first few bytes.
  • -w - write the raw packets to a file instead of printing decoded output to stdout; the file can later be read back with -r.

What other options does tcpdump have?

  • tcpdump can be combined with filter expressions such as stp (capture or display only STP frames) or icmp (capture or display only ICMP packets)
  • tcpdump can be used to read a dump file
    • -r - read from a dump file
    • -xx - print each packet's data in hex, including the link-level header, in addition to the decoded header line
    • -vv - print more verbose output. tcpdump decodes the packet where it can and prints the additional fields described in the man page.

These are the options I use in the scripts; the full list can be found in the tcpdump man page.

Even if you do not use an interface it is still actively participating in the network; what protocols are running? Make sure the interface is not active at all, i.e. stop all background protocols for it.

The ARP protocol is still running in the background. We can stop it with the following command in the UML sniffer instance:

ifconfig eth0 -arp up

This command brings the interface up without assigning it an address and disables ARP on it, so the sniffer never sends ARP requests or replies of its own.

To be able to log the traffic we need to be able to receive all packets sent over the network. Investigate how to set up an interface to be able to do that.

Normally, a NIC only accepts frames addressed to it, i.e. frames carrying its own address. In promiscuous mode the NIC instead picks up every frame it sees on the wire. To enter this mode we can use the following command:

ifconfig eth0 promisc

However, we do not have to do it in our assignment, since tcpdump puts the interface into promiscuous mode itself when it starts capturing (unless it is run with -p, which disables this).

Use the role=sniffer option in the script you created, perhaps adding an option to differentiate it from other sniffers.

Please see the work log. I added a role in the guest script to be used specifically for “sniffer” and assigned a name to it.

Look at the traffic. Is the sniffer really invisible?

Yes. I checked the dump and did not see a trace of the sniffer in the log file. Since ARP is disabled, there should not be any activity from the NIC anymore.
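Checking the dump by eye works for a small capture, but the same check can be automated by reading the pcap file that -w produces and looking for the sniffer's own MAC address in any frame. The script below is an added example, not part of the lab report; it builds two small constructed captures in memory (one from a silent sniffer, one from a sniffer that still had ARP enabled), parses the classic pcap format that tcpdump -w writes, flags every frame whose source or destination is the sniffer's MAC, and also counts truncated records, which is how you confirm that -s 0 was really in effect. All MAC and IP addresses in it are constructed placeholders.

```python
"""Verify that a tcpdump -w capture contains no frames from or to the sniffer."""
import struct
from ipaddress import IPv4Address

# Constructed addresses for the example; none of these come from the lab report.
SNIFFER_MAC = "02:00:00:00:00:ee"
HOST_A_MAC = "02:00:00:00:00:0a"
HOST_B_MAC = "02:00:00:00:00:0b"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian classic pcap magic number
DLT_EN10MB = 1               # pcap link type 1: Ethernet, as written for an Ethernet interface


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst, src, ethertype, payload):
    """Build a raw Ethernet II frame: 6-byte dst, 6-byte src, 2-byte type, payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    """Build the 28-byte body of an ARP 'who-has' request (RFC 826)."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)
            + mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + b"\x00" * 6 + IPv4Address(target_ip).packed)


def build_pcap(frames, snaplen=65535):
    """Serialise frames into a classic pcap file (global header + per-packet records)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, DLT_EN10MB)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]  # a snaplen below the frame size (-s N) truncates the record
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def read_pcap(data):
    """Yield (ts_sec, incl_len, orig_len, frame) for each record in pcap bytes."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:    # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != DLT_EN10MB:
        raise ValueError(f"expected an Ethernet capture, got link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec, incl_len, orig_len, data[offset:offset + incl_len]
        offset += incl_len


def truncated_packets(data):
    """Count records with incl_len < orig_len, i.e. packets sliced by a snaplen other than -s 0."""
    return sum(1 for _, incl, orig, _ in read_pcap(data) if incl < orig)


def sniffer_traces(data, sniffer_mac):
    """Return (ts_sec, src, dst, ethertype) for every frame the sniffer sent or was sent."""
    target = mac_to_bytes(sniffer_mac)
    hits = []
    for ts_sec, _, _, frame in read_pcap(data):
        if len(frame) < 14:  # too short to carry a full Ethernet header
            continue
        dst, src = frame[:6], frame[6:12]
        if target in (dst, src):
            ethertype, = struct.unpack("!H", frame[12:14])
            hits.append((ts_sec, bytes_to_mac(src), bytes_to_mac(dst), ethertype))
    return hits


# Constructed background traffic: host A resolves host B, then sends it a 100-byte IPv4 packet.
BACKGROUND_FRAMES = [
    ethernet_frame(BROADCAST_MAC, HOST_A_MAC, ETHERTYPE_ARP,
                   arp_request(HOST_A_MAC, "10.0.0.10", "10.0.0.11")),
    ethernet_frame(HOST_B_MAC, HOST_A_MAC, ETHERTYPE_IPV4, b"\x45" + bytes(99)),
]
# A silent sniffer (ARP disabled, no address) leaves only the background traffic in the dump.
CLEAN_CAPTURE = build_pcap(BACKGROUND_FRAMES)
# A sniffer left with ARP enabled betrays itself with its own who-has broadcast.
LEAKY_CAPTURE = build_pcap(BACKGROUND_FRAMES + [
    ethernet_frame(BROADCAST_MAC, SNIFFER_MAC, ETHERTYPE_ARP,
                   arp_request(SNIFFER_MAC, "10.0.0.99", "10.0.0.1")),
])
# The same background traffic captured with -s 64 instead of -s 0.
SLICED_CAPTURE = build_pcap(BACKGROUND_FRAMES, snaplen=64)

if __name__ == "__main__":
    print("clean capture, sniffer frames:", sniffer_traces(CLEAN_CAPTURE, SNIFFER_MAC))
    print("leaky capture, sniffer frames:", sniffer_traces(LEAKY_CAPTURE, SNIFFER_MAC))
    print("records truncated by -s 64:", truncated_packets(SLICED_CAPTURE))
```

To run it against a real dump, replace the constructed captures with the bytes of the file written by -w (open it in binary mode) and pass the sniffer interface's hardware address to sniffer_traces; an empty result is the evidence that the sniffer stayed invisible, and a non-zero truncated_packets count means the capture was taken without -s 0.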

What options to tcpdump did you use?

To let tcpdump capture only ICMP, we only have to add the icmp filter expression to it:

tcpdump -i eth0 -U -s 0 -w /var/log/$hostname-`date +%H%M`.dmp icmp

When reading the dump file back, we can apply the same filter so that tcpdump displays only the ICMP packets:

tcpdump -r log.dmp icmp