how to investigate attacker

hrk1l2x

investigate the attacks and fraudulent access

tcpdump

# -i   LAN interface to capture on
# -s   snaplen, the number of bytes captured per packet (0 = the whole packet)
# -A   print each packet in ASCII (handy for plaintext protocols; it does not change the file written with -w)
# -w {destination} write the raw packets to a file (you can open it with Wireshark)
# -nn  do not resolve host names or port numbers; show raw IP addresses and port numbers
# -p   do NOT put the interface into promiscuous mode (recommended; see below)

$ sudo tcpdump -i eth0 -s 0 -A -w ./dumpfile.pcap -nn -p [port xx]
$ sudo tcpdump -i eth0 -s 0 -p port xx | grep 10.0

if you turn on promiscuous mode (a mode of the NIC), the NIC's address filter is removed and it reads every packet on the same network segment. if you turn it off, only packets addressed to the host are captured. tcpdump enables promiscuous mode by default unless you pass -p. although you can watch the network this way without being noticed by anyone at the packet level, the kernel writes a syslog entry whenever the interface changes mode, as shown below, and a monitoring tool will judge it to be fraudulent access.

# xxx kernel: device eth0 entered promiscuous mode
# xxx kernel: device eth0 left promiscuous mode
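the detection side of this, as an added example that is not part of the original post: a small POSIX shell script that pulls the promiscuous-mode events out of syslog text and reports which interfaces are still in that mode. the log lines and interface names are constructed samples, not from a real host.

```shell
#!/bin/sh
# Constructed sample syslog lines (not real captures). They follow the kernel
# message format shown above; only the lines mentioning promiscuous mode matter.
SAMPLE_LOG='Mar 10 09:12:01 host1 kernel: device eth0 entered promiscuous mode
Mar 10 09:12:03 host1 kernel: eth1: link up
Mar 10 09:15:44 host1 kernel: device eth0 left promiscuous mode
Mar 10 09:20:10 host1 kernel: device eth1 entered promiscuous mode'

# Print one "<device> <entered|left>" line per promiscuous-mode event.
# $1 is a syslog file path; stdin is read when it is omitted. The device name is
# located relative to the word "device", so any timestamp prefix works.
promisc_events() {
    awk '/kernel: device [^ ]+ (entered|left) promiscuous mode/ {
        for (i = 1; i <= NF; i++)
            if ($i == "device") { print $(i + 1), $(i + 2); break }
    }' ${1:+"$1"}
}

# List interfaces that entered promiscuous mode and have not left it yet,
# in the order in which they first appeared in the log.
still_promisc() {
    promisc_events "$@" | awk '
        $2 == "entered" { state[$1] = 1; if (!seen[$1]++) order[n++] = $1 }
        $2 == "left"    { state[$1] = 0 }
        END { for (i = 0; i < n; i++) if (state[order[i]]) print order[i] }'
}

# Live cross-check on Linux: interfaces whose flags currently include PROMISC.
# Compare its output with still_promisc to catch mode changes that never hit syslog.
live_promisc() {
    ip -o link show | awk -F': ' '$3 ~ /PROMISC/ { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | still_promisc
```

run it as `still_promisc /var/log/syslog` (or pipe in `journalctl -k` output) to see which interfaces a sniffer left in promiscuous mode.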