I’ve been using tcpdump daily for a few years now. This all started when I thought that it would be the best way to detect if my computer was compromised. So when logging on my computer I would start tcpdump immediately and then spend a minute or two trying to grasp what was going on.
I saw a few things:
- first of all, a computer is nearly silent when it has just booted, but as soon as an app that needs “live updating”, such as WhatsApp or email, is open there is a constant “noise” in the tcpdump output.
- when on “public” networks such as universities/libraries the traffic that is received becomes way more amusing:
- You can see all the apple users, get their names, what they own (apple devices keep broadcasting things such as “Bob’s Iphone 95 is looking for his MacBookPro++with_so_many_features”)

- The network itself is monitoring itself: you can get the names of different parts of the infrastructure…
- Steam and other apps also keep broadcasting info on the network
- people seeing the tcpdump think you are either
  - a hacker, as your terminal is displaying seemingly nonsensical text (that you do not read)
  - a lunatic who can read extremely fast
  - another weird Linux guy who will try to convince you to ditch your mouse

This was already quite fun; when I was bored in class I would try to see where the people whose devices I was hearing so much from were…
But I was frustrated that I would lose so much of the information just because the output scrolled too fast and there was too much traffic between my own and the broadcasts of all the others.
Scripting the listening
At first I wrote a bash script that would run loads of tcpdumps with greps… to try and separate all this, before I realized that scapy provided just the tooling I needed: it already partially dissected packets and provided a very simple API.
I then wrote net_watch.py, a basic script that would
- listen to all traffic
  - DNS
  - mDNS
  - ARP
  - TCP
  - UDP
  - …
- perform a reverse lookup of the IP addresses
- group traffic by IP address
- identify the process responsible for the packets when the traffic came from my computer
- give statistics on the number of packets per minute…
This gave a live view of the real conversations my computer was having, and of what it was receiving.
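As an added illustration, and not the net_watch.py script from the repository, here is a stripped-down aggregator of the kind described above: classify() maps a scapy packet to ARP/DNS/mDNS/TCP/UDP, and the NetWatch class groups packets by IP, caches reverse lookups and reports packets per minute. The names classify, NetWatch and MDNS_PORT are my own, process attribution is left out, and scapy is only needed for the live capture at the bottom.

```python
import socket
import time
from collections import Counter, defaultdict

MDNS_PORT = 5353  # mDNS is DNS carried on UDP/5353 instead of UDP/53

def classify(pkt):
    """Map a scapy packet to (kind, src_ip, dst_ip); scapy is imported lazily."""
    from scapy.all import ARP, DNS, IP, TCP, UDP
    if pkt.haslayer(ARP):
        return "ARP", pkt[ARP].psrc, pkt[ARP].pdst
    if not pkt.haslayer(IP):
        return "OTHER", None, None
    src, dst = pkt[IP].src, pkt[IP].dst
    if pkt.haslayer(UDP):
        ports = (pkt[UDP].sport, pkt[UDP].dport)
        if pkt.haslayer(DNS):
            return ("MDNS" if MDNS_PORT in ports else "DNS"), src, dst
        return "UDP", src, dst
    return ("TCP" if pkt.haslayer(TCP) else "OTHER"), src, dst

class NetWatch:
    def __init__(self, resolver=socket.gethostbyaddr, window=60.0):
        self.resolver, self.window = resolver, window
        self.names = {}                    # reverse-lookup cache: ip -> name
        self.by_ip = defaultdict(Counter)  # ip -> Counter of packet kinds
        self.stamps = []                   # packet timestamps inside the window

    def name_of(self, ip):
        if ip not in self.names:
            try:
                self.names[ip] = self.resolver(ip)[0]
            except (OSError, TypeError):   # no PTR record or bad address
                self.names[ip] = ip
        return self.names[ip]

    def observe(self, kind, src, dst, ts=None):
        self.stamps.append(time.time() if ts is None else ts)
        for ip in (src, dst):
            if ip:
                self.by_ip[ip][kind] += 1

    def packets_per_minute(self, now=None):
        now = time.time() if now is None else now
        self.stamps = [t for t in self.stamps if now - t <= self.window]
        return len(self.stamps) * 60.0 / self.window
if __name__ == "__main__":  # live mode: needs scapy and capture privileges
    from scapy.all import sniff
    watch = NetWatch()
    sniff(prn=lambda p: watch.observe(*classify(p)), store=False, count=200)
    print(watch.packets_per_minute(), {ip: watch.name_of(ip) for ip in watch.by_ip})
```

The resolver is injectable so the grouping and statistics can be exercised with constructed packets and a fake lookup table, without touching the network.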
Other network scripts
I had already written a few bash scripts to get the ports that are open and listening on my computer:
- get_connections.sh: this one just uses ss to display neatly the ports open and listening on my computer
- get_ip_info.sh: this one just reformats the output of the ip command to show which IP address is associated with each interface
These scripts were written so that I could have a nice menu in a terminal-based dashboard such as wtf.
Wrapping up
This simple script provided great insight into
- who is on the network
- who my computer is chatting with
- what is what on the internet (where is such service hosted, who owns what…)
- what consumes bandwidth
Check it out on github/toby-bro/netwatch
(I did not provide snapshots as they revealed too much personal info for my taste)