I would like to collect logs of all network communications between my home devices (laptops, phones etc.) and the outside world in this format:
Timestamp / Device MAC Address / Source IP:Port / Destination IP:Port / Protocol (Internet/Transport Layers) / Amount of data in bytes
The idea is to set up a physical Linux box ("Logging Server") just for the logging and run tcpdump on it:
Internet ⟺ Logging Server ⟺ Wi-Fi/Ethernet Switch ⟺ Devices
(the box will have two Ethernet interfaces — for the Internet connection and for the local switch).
Assuming that I take care of handling the log files (rotation, parsing, feeding to reporting tools), what will the tcpdump command look like?
To be clear, I know that this question most likely can be answered by digging through the man page; I just would like to take advantage of someone's extensive experience with tcpdump to save time, avoid common mistakes etc.
P. S. The main purpose of this is to monitor/investigate potentially existing backdoors or otherwise unwanted/unexpected network activity.
Best Answer
tcpdump -n -e -q -i any
With:
-n: Don't convert addresses to names (this notably prevents tcpdump from doing reverse DNS lookups)
-e: Print the link-level header on each dump line (notably the MAC address). Use this in coordination with -i any; you will need it to re-determine the incoming/outgoing network interface.
-q: Print less protocol information so output lines are shorter
-i any: the any keyword can be used to capture packets from all interfaces
Note that the length given by the above command is the payload length. If you also want the packet length, remove the '-q' option.
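As an added example (not part of the answer above), here is a small Python parser that turns the text output of tcpdump -n -e -q -i any into the "Timestamp / MAC / Source / Destination / Protocol / Bytes" layout the question asks for. The sample lines are constructed to match the shape tcpdump prints on the Linux "cooked" link type that -i any selects (direction flag, MAC, ethertype, frame length, then the short -q protocol summary); the interface name and ifindex fields are treated as optional because older libpcap versions omit them.

```python
import re

# Constructed sample lines in the shape tcpdump prints with -n -e -q on the Linux
# "cooked" link type used by -i any (interface, direction, MAC, ethertype, frame
# length, then the -q protocol summary). Not taken from a real capture.
SAMPLE_LINES = [
    "14:23:01.123456 eth1  In  ifindex 3 aa:bb:cc:dd:ee:01 ethertype IPv4 (0x0800), "
    "length 98: 192.168.1.10.55555 > 93.184.216.34.443: tcp 32",
    "14:23:01.223456 eth1  In  ifindex 3 aa:bb:cc:dd:ee:02 ethertype IPv4 (0x0800), "
    "length 74: 192.168.1.11.50000 > 192.168.1.1.53: UDP, length 32",
    "14:23:01.323456 eth0  Out ifindex 2 aa:bb:cc:dd:ee:ff ethertype IPv4 (0x0800), "
    "length 60: 192.168.1.12 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 40",
]

# Interface name and "ifindex N" are optional so older libpcap output also matches.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:(?P<ifname>\S+)\s+)?(?P<dir>In|Out|P|B)\s+(?:ifindex \d+\s+)?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) ethertype (?P<l3>\S+) \(0x[0-9a-f]+\), "
    r"length (?P<frame>\d+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_endpoint(ep):
    """tcpdump joins address and port with a dot: 1.2.3.4.443 or 2001:db8::1.443."""
    has_port = "." in ep if ":" in ep else ep.count(".") == 4  # IPv6 vs IPv4
    return tuple(ep.rsplit(".", 1)) if has_port else (ep, "")

def parse_line(line):
    """Return one record dict, or None if the line is not a -n -e -q summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # -q prints "tcp <payload>" for TCP and "<PROTO>, ..., length <payload>" otherwise.
    n = re.search(r"^tcp (\d+)|length (\d+)", rest)
    sip, sport = split_endpoint(m.group("src"))
    dip, dport = split_endpoint(m.group("dst"))
    return {
        "ts": m.group("ts"), "dir": m.group("dir"), "mac": m.group("mac"),
        "src": f"{sip}:{sport}" if sport else sip,
        "dst": f"{dip}:{dport}" if dport else dip,
        "proto": m.group("l3") + "/" + re.match(r"\w+", rest).group(0).lower(),
        "frame_bytes": int(m.group("frame")),       # full frame, from "length N:"
        "payload_bytes": int(n.group(1) or n.group(2)) if n else None,
    }

def format_record(r):
    """Render the slash-separated layout the question asks for."""
    return f"{r['ts']} / {r['mac']} / {r['src']} / {r['dst']} / {r['proto']} / {r['payload_bytes']}"
```

Feed it live with `tcpdump -l -n -e -q -i any | python3 parse.py` (reading stdin line by line) and note that for "Out" packets the MAC shown is the logging box's own interface, not the device's.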