[Novalug] tcpdump questions [where is all my traffic going?]

James Ewing Cottrell 3rd JECottrell3@Comcast.NET
Fri Oct 28 23:45:27 EDT 2011


On 10/15/2011 6:16 PM, Peter Larsen wrote:
> I would not use tcpdump if I needed detailed information on network
> communication. Instead, look at wireshark. You'll be able to record the
> traffic and do analytics on it afterwards using a gui. Follow sessions,
> look at every aspect of the IP protocol layers to see exactly what's on
> the wire and when.
AFAIK you can use tcpdump to capture packets into a dump and use 
wireshark to display them.
> In regards to DNS/bind I would recommend you turn on query logging. A
Bingo! Have bind tell you what it is doing. You can also dump the 
database to see what is in its cache.

> common mistake in setting up DNS servers is to allow external requests
> to resolve. Once discovered attackers can use your "hidden" DNS to hide
> their movements from ISP DNS records which can be subpoenaed. Once
> found, the address is easily shared and you may see a lot of traffic
> coming in.
Subpoenaed? Like anyone actually saves query logs! Where would you store 
them all???

Your systems can also be misconfigured, so that errant search domains 
get appended to partial local names, or queries for RFC1918 Nets go to 
the root name servers...thru your recursive name servers.
> You may also have some rogue internal system that is busy doing "secret"
> hidden work that has it crawling the net and hence firing a lot of DNS
Most likely something is misconfigured. Localhost is another issue.
> requests. Wireshark will show you where requests are coming from - and
> so will turning on query logging on the DNS (hint - do NOT let that
> option stay on - your logs will grow VERY large VERY fast).
Back to "where would you store them all?"
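Once query logging is on, the log itself answers "where are the requests coming from?" and also exposes the misconfigurations mentioned above (reverse lookups for RFC1918 space leaving the network, queries from the server's own loopback). The following is an added example, not part of this thread or of BIND: a small Python summariser for BIND-style query-log lines. The sample lines are constructed for the example, the regular expression assumes the two common `client ... : query: NAME IN TYPE` layouts BIND has used, and the private ranges are the three RFC1918 networks.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of BIND query-log lines (not real captured logs).
# Two layouts are mixed in: the older "client IP#port: query:" form and the
# newer form that carries a "@0x..." handle and the name in parentheses.
SAMPLE_LOG = """\
28-Oct-2011 23:40:01.101 client 192.168.1.10#51234: query: www.example.com IN A + (192.168.1.1)
28-Oct-2011 23:40:01.205 client 192.168.1.10#51235: query: mail.example.com IN MX + (192.168.1.1)
28-Oct-2011 23:40:02.010 client 192.168.1.77#40001: query: 10.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)
28-Oct-2011 23:40:02.311 client 192.168.1.77#40002: query: 5.0.0.10.in-addr.arpa IN PTR + (192.168.1.1)
28-Oct-2011 23:40:03.000 client @0x7f3c2c0 192.168.1.77#40003 (intranet.example.com): query: intranet.example.com IN A +E(0)K (192.168.1.1)
28-Oct-2011 23:40:03.500 client 192.168.1.77#40004: query: 4.3.2.1.in-addr.arpa IN PTR + (192.168.1.1)
28-Oct-2011 23:40:04.000 client 127.0.0.1#33000: query: localhost IN A + (127.0.0.1)
"""

# Assumed layout: "client [@0xHANDLE ]ADDR#PORT[ (NAME)]: query: NAME IN TYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_query_log(text):
    """Return one dict per recognised query line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def reverse_name_to_ip(qname):
    """Turn 'd.c.b.a.in-addr.arpa' back into the IPv4 address a.b.c.d, or None."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None  # partial (classless) reverse names are not handled here
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def is_rfc1918_reverse(qname):
    """True when the PTR name maps to an RFC1918 address, i.e. a lookup that
    should be answered locally and never needs to reach the root servers."""
    ip = reverse_name_to_ip(qname)
    return ip is not None and any(ip in net for net in RFC1918)


def summarize(text):
    """Count queries per client and flag the two misconfiguration patterns."""
    records = parse_query_log(text)
    by_client = Counter(r["client"] for r in records)
    rfc1918_reverse = [
        (r["client"], r["qname"]) for r in records if is_rfc1918_reverse(r["qname"])
    ]
    # Queries from 127.0.0.1 come from the DNS server host itself.
    loopback_queries = sum(1 for r in records if r["client"].startswith("127."))
    return {
        "by_client": by_client,
        "rfc1918_reverse": rfc1918_reverse,
        "loopback_queries": loopback_queries,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for client, n in result["by_client"].most_common():
        print(f"{client:16} {n} queries")
    for client, qname in result["rfc1918_reverse"]:
        print(f"RFC1918 reverse lookup from {client}: {qname}")
    print(f"queries from loopback: {result['loopback_queries']}")
```

Run it against a real `named` query log by reading the file instead of `SAMPLE_LOG`; the per-client counter is what points at a chatty or misconfigured host, and the RFC1918 reverse-lookup list is the concrete evidence that private-address PTR queries are being forwarded instead of answered from a local zone.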


