So, I found myself one day sitting at my Linux box (without Wireshark installed) having the results of four tcpdumps from separate hosts in separate files. I needed to combine the captures together and then filter out the partner-specific traffic. Took me a while to remember the filtering options, so I thought I'd post the process here in the form of a journal - I can't even remember how old I am sometimes.
First, you have to combine the packet capture files together. You cannot just cat the files together, as you might have an incomplete packet from when you started. The later versions of tcpdump actually have a tool to facilitate this:
mergecap -w silverhawk.cap host1.cap host2.cap host3.cap
After merging the captures together, you will want to remove the stuff not related to your current problem (to prevent prying eyes from seeing inside your network). To do this, take the combined packet capture and write another one, feeding it through a filter. Your filters can be complex or simple. I prefer the simple filters:
tcpdump -r silverhawk.cap -w silverhawk-filtered.cap -n "port 443"
The above grabs all of the TCP port 443 traffic, i.e. the SSL-encrypted traffic (for HTTPS connections). For most concerns, that alone is enough (decrypting the SSL traffic would require the SSL certificate keys for the traffic streams you need to see). However, if you have multiple connections to different port 443 hosts and you would prefer the partner doesn't see whom else you are connecting to, you can filter by IP address instead:
tcpdump -r silverhawk.cap -w silverhawk-filtered.cap -n "host 200.20.200.20"
Those are fairly simple filters, and should definitely assist in restricting who sees what. I'd strongly suggest looking at those, and then adjusting as necessary (e.g. combining them into other, fancier filters).
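To make the merge-then-filter procedure above concrete, here is an added example (not from the original post, and not mergecap or tcpdump code; mergecap itself ships with the Wireshark command-line tools) that does the same two steps on the classic pcap format in pure Python: it merges several captures the way mergecap does (one global header, records re-ordered by timestamp), shows why simply cat'ing the files produces garbage, and then rewrites the merged capture through the equivalents of the "port 443" and "host 200.20.200.20" filters. The sample captures HOST1 and HOST2 are constructed in the script (Ethernet/IPv4/TCP frames with zeroed checksums), and the filters are deliberately restricted to TCP, whereas the real BPF expressions also match UDP and non-TCP IP traffic.

```python
"""Toy pcap merge-and-filter mirroring `mergecap` followed by
`tcpdump -r in.cap -w out.cap "port 443"` / `"host a.b.c.d"` (added example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HEADER = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HEADER = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) records from a little-endian pcap blob."""
    magic, _, _, _, _, _, linktype = GLOBAL_HEADER.unpack_from(data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = GLOBAL_HEADER.size
    while off + RECORD_HEADER.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record (capture stopped mid-packet): drop it
        yield ts_sec, ts_usec, frame
        off += incl_len


def write_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) records behind a single global header."""
    out = [GLOBAL_HEADER.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(RECORD_HEADER.pack(ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def merge_pcaps(captures):
    """What mergecap does: one header, all records interleaved by timestamp."""
    records = [rec for cap in captures for rec in read_pcap(cap)]
    records.sort(key=lambda rec: (rec[0], rec[1]))
    return write_pcap(records)


def record_timestamps(data):
    """Seconds field of every record, handy for checking ordering."""
    return [ts_sec for ts_sec, _, _ in read_pcap(data)]


def tcp_fields(frame):
    """(src_ip, dst_ip, sport, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 4:  # not IPv4/TCP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src_ip, dst_ip, sport, dport


def filter_pcap(data, keep):
    """tcpdump -r in -w out "<expr>": rewrite the capture keeping only matching frames."""
    return write_pcap(rec for rec in read_pcap(data) if keep(rec[2]))


def port_filter(port):
    """Approximates BPF "port N": either direction (TCP only in this toy)."""
    def keep(frame):
        f = tcp_fields(frame)
        return f is not None and port in (f[2], f[3])
    return keep


def host_filter(ip):
    """Approximates BPF "host A.B.C.D": source or destination (TCP only here)."""
    def keep(frame):
        f = tcp_fields(frame)
        return f is not None and ip in (f[0], f[1])
    return keep


def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame; IP and TCP checksums are left zero."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + b"x" * 8
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       bytes(int(o) for o in src_ip.split(".")),
                       bytes(int(o) for o in dst_ip.split(".")))
    return eth + ipv4 + tcp


# Constructed sample captures; the partner is 200.20.200.20, the post's example host.
HOST1 = write_pcap([
    (100, 0, build_frame("10.0.0.5", "200.20.200.20", 51000, 443)),  # HTTPS to partner
    (102, 0, build_frame("10.0.0.5", "10.0.0.9", 51001, 22)),        # internal SSH
])
HOST2 = write_pcap([
    (101, 0, build_frame("200.20.200.20", "10.0.0.5", 443, 51000)),  # partner's reply
    (103, 0, build_frame("10.0.0.7", "198.51.100.8", 51002, 443)),   # HTTPS elsewhere
])
MERGED = merge_pcaps([HOST1, HOST2])

if __name__ == "__main__":
    print("cat'd timestamps :", record_timestamps(HOST1 + HOST2))  # garbage after file 1
    print("merged timestamps:", record_timestamps(MERGED))
    print("port 443 only    :", record_timestamps(filter_pcap(MERGED, port_filter(443))))
    print("partner host only:", record_timestamps(filter_pcap(MERGED, host_filter("200.20.200.20"))))
```

The cat'd case is the one the post warns about: after the first file's records, the second file's 24-byte global header is parsed as a record header, so a bogus record with timestamp 0xA1B2C3D4 (the pcap magic) appears and everything after it is misaligned. The merged output keeps the internal SSH record (timestamp 102), which is exactly what the "port 443" rewrite drops, and the "host" rewrite also drops the HTTPS connection to the other party (timestamp 103), so the partner only sees their own conversation.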