Created
November 8, 2020 23:11
Script for recording unexpected outbound connections. TCPDump has a lot of options. This script includes the options which I have found to be the most useful.
```bash
#!/usr/bin/env bash
# This is a script I use when checking for unexpected outbound connections.
# Script requires root-level permissions, so this should be executed with sudo.
# Before running, export INTERFACE='eth0' (or whatever interface) and
# export EXPECTED_IP='1.1.1.1' (or whatever IP Address you are expecting
# communication with).
set -euo pipefail

# Fail early with a clear message if either variable is missing, and refuse
# to continue without root, since tcpdump cannot open the interface otherwise.
: "${INTERFACE:?export INTERFACE (e.g. eth0) before running}"
: "${EXPECTED_IP:?export EXPECTED_IP (e.g. 1.1.1.1) before running}"
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root (use sudo)." >&2
    exit 1
fi

# Summary of options used in the tcpdump command:
# -A: This option causes tcpdump to display ASCII versions of packets, where it
#     makes sense to do so. E.g., an unencrypted HTTP call might be displayed in
#     the output as:
#         HEAD /index.html HTTP/1.1
#         Host: example.com
#         User-Agent: curl/7.58.0
#     And likewise, the output would be shown in full.
# -e: Show link-level headers on each dump line. (Can show things like MAC)
# -n: Show numbers instead of names. (E.g., shows 1.1.1.1:53 instead of
#     one.one.one.one:dns)
# -K: Do not verify checksums of packets. (I use this option because I am
#     interested in monitoring the traffic in general, regardless of the
#     checksum validity. Therefore, I don't bother dedicating any CPU time
#     towards this.)
# -i: The interface that we are monitoring (e.g., "eth0")
# --number: Show a number next to each packet
# -tt: Show time as seconds since the epoch (number is a floating point)
# -U: Buffer output so whole packets are written to output
# -vv: Second level of verbosity (2/3). Shows additional info like TTL, packet
#      length, identification, etc. and in some cases, extra fields are
#      displayed or packets may be fully decoded.
# -XX: Print packet headers & data, including link-level headers, and output in
#      both hex and ASCII. (Like hexdump's "Canonical hex+ASCII display" (-C).)
#
# Filter: everything to or from a host other than EXPECTED_IP, limited to
# TCP, UDP and ICMP so that ARP and other link-level chatter is left out.
tcpdump -A -e -n -K -i "$INTERFACE" --number -tt -U -vv -XX \
    "(not host ${EXPECTED_IP}) and (tcp or udp or icmp)"
```
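The filter above excludes one peer in both directions. As an added example (not part of the gist), the helper below generalises it to several expected peers and keeps only packets leaving one local address, so replies from expected hosts do not clutter the capture; `LOCAL_IP`, `EXPECTED_IPS` and the function names are assumptions, and each address is validated before it is spliced into the filter text.

```bash
#!/usr/bin/env bash
# Build a BPF filter for tcpdump that keeps only outbound TCP/UDP/ICMP packets
# from LOCAL_IP whose destination is not on an allow-list of expected peers.
# (Constructed example; addresses are placeholders.)

# Accept only dotted-quad IPv4 so that no filter syntax can sneak in via a
# mistyped or untrusted environment variable.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_filter LOCAL_IP "PEER1 PEER2 ..."  -> prints the filter, or fails on a
# malformed address. An empty peer list yields all outbound traffic.
build_filter() {
    local local_ip="$1" expected="$2" allow="" ip
    is_ipv4 "$local_ip" || { echo "bad local IP: $local_ip" >&2; return 1; }
    for ip in $expected; do
        is_ipv4 "$ip" || { echo "bad expected IP: $ip" >&2; return 1; }
        if [ -z "$allow" ]; then
            allow="dst host ${ip}"
        else
            allow="${allow} or dst host ${ip}"
        fi
    done
    local filter="src host ${local_ip} and (tcp or udp or icmp)"
    if [ -n "$allow" ]; then
        filter="${filter} and not (${allow})"
    fi
    printf '%s\n' "$filter"
}

# Compile the filter with tcpdump -d (no capture, no root needed) to catch
# syntax errors before the real run. Skipped when tcpdump is not installed.
check_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 0
    tcpdump -d "$1" >/dev/null 2>&1
}

# When LOCAL_IP is exported, print the filter that would be handed to tcpdump.
if [ -n "${LOCAL_IP:-}" ]; then
    f="$(build_filter "$LOCAL_IP" "${EXPECTED_IPS:-}")"
    check_filter "$f" && printf '%s\n' "$f"
fi
```

The printed string drops straight into the gist's command in place of the quoted filter, e.g. `tcpdump -n -i "$INTERFACE" "$(build_filter 10.0.0.5 "1.1.1.1 8.8.8.8")"`.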