Documentation #7220
openguides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides
Description
Our Userguide currently has a mention to an out-of-date guide on Sniffing_Packets_with_Wireshark.
While that is useful, it has some instructions that are not recommended in terms of security best practices
(running as sudo
. We also understand that there are early steps that need coverage and are not tied to Wireshark.
Therefore, we need a guide to explain how to use ip
and tcpdump
to know which interface card the user system is
using for network traffic, as well as how to do packet sniffing etc:
- Convert ifconfig
to ip
--brief address as ifconfig
isn't installed by default on many Linux systems these days
- Run tcpdump
, are you seeing the packets you expect to see?, perhaps with an address filter
This task covers:
- creating a Forum post under the Guides category (https://forum.suricata.io/c/guides/12) respecting formatting etc., on the topics discussed above
- updating our Userguide to point to this new guide, instead of to the Sniffing Packets with Wireshark one: https://docs.suricata.io/en/latest/performance/packet-profiling.html#packet-profiling
Updated by Jason Ish 2 months ago
Just a thought, I wonder if it would make more sense to use tcpdump
instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:
It is necessary to know which interface card on your computer is being used for traffic.
would be very useful. Its a pretty common question I think.
Updated by Juliana Fajardini Reichow 2 months ago
Jason Ish wrote in #note-1:
Just a thought, I wonder if it would make more sense to use
tcpdump
instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:It is necessary to know which interface card on your computer is being used for traffic.
would be very useful. Its a pretty common question I think.
Could this be a separate task? Reason: for a newcomer, I imagine it may be easier to try and reproduce the steps in the current guide, see what doesn't work, and then update as needed, than to write a guide from scratch. So while I agree that that's a good guide to have, I think the difficulty level may increase.
Updated by Jason Ish 2 months ago
I suppose it could be its own guide. I've never paid attention to this one before...
But, Running Wireshark with sudo
or as root
is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/Security
Requiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities
Updated by Juliana Fajardini Reichow 2 months ago
Jason Ish wrote in #note-3:
I suppose it could be its own guide. I've never paid attention to this one before...
But, Running Wireshark with
sudo
or asroot
is considered bad security practice, even by the Wireshark project: https://wiki.wireshark.org/SecurityRequiring a bit more setup to run safely on live traffic: https://wiki.wireshark.org/CaptureSetup/CapturePrivileges#setting-network-privileges-for-dumpcap-if-your-kernel-and-file-system-support-file-capabilities
Let's make this change a requirement, when someone claims this one, then :)
Updated by Juliana Fajardini Reichow 2 months ago
Jason Ish wrote in #note-1:
Just a thought, I wonder if it would make more sense to use
tcpdump
instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:It is necessary to know which interface card on your computer is being used for traffic.
would be very useful. Its a pretty common question I think.
I think I just confused myself. I interpreted that you wanted a guide on using tcpdump
to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )
Updated by Jason Ish 2 months ago
Juliana Fajardini Reichow wrote in #note-5:
Jason Ish wrote in #note-1:
Just a thought, I wonder if it would make more sense to use
tcpdump
instead, it's applicable to many more scenarios like when there is no desktop environment available. So a more generic guide on:It is necessary to know which interface card on your computer is being used for traffic.
would be very useful. Its a pretty common question I think.
I think I just confused myself. I interpreted that you wanted a guide on using
tcpdump
to sniff packets.
But... do you also want a guide on how to know which interface card is being used for traffic? (just so I create the correct tickets :P )
I think the "missing guide" is the one that helps you determine what interface you need to be running Suricata on it. I think a guide using tcpdump is the most versatile here (but not a guide on tcpdump itself, out of scope). Following the Wireshark guide:
- Convert ifconfig to ip --brief address
as ifconfig
isn't install by default on many Linux systems these days
- Run tcpdump, are you seeing the packets you expect to see, perhaps with an address filter
Updated by Juliana Fajardini Reichow 2 months ago
- Subject changed from guides: update Sniffing packets... section and move it to Suricata forum's Guides to guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides
- Description updated (diff)
- Label deleted (
Beginner)
Updating Task and Description as per further discussion, as we think this makes more sense.