
I am trying to troubleshoot one of my Linux servers (Ubuntu Server). Therefore I want to intercept all traffic that is sent to the default gateway and then write it to a file: preferably some kind of pcap format that is readable by tcpdump and/or tshark.

Since I do not know if the machine is infected by malware, I want to drop the whole traffic after it has been written to the file.

Is this scenario doable?

So far I was just able to intercept the traffic with tshark (the current default gateway comes from a bash script):

    tshark -w traffic.pcap host <current default gateway>
user1252280
  • If you have physical access to the machine you can set a blackhole route to "isolate" the rig to the LAN and log traffic attempts with tcpdump to a file. Or drop all outgoing traffic with iptables. Also, possible duplicate of [this thread](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). – Xavier Lucas Oct 21 '14 at 18:45
  • Yeah, I also thought about tapping the traffic and then dropping, but there is no physical access to the server (hosted somewhere else). – user1252280 Oct 21 '14 at 18:46
  • You can still only allow SSH for your IP and drop the rest then capture all traffic except ssh. – Xavier Lucas Oct 21 '14 at 18:49
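The "capture, then drop" sequence from the comments, written out as an added example (this script is not from the question or its comments). It assumes a Linux host with iptables, the conntrack match and the NFLOG target, tcpdump built with nflog support (as on Ubuntu), and root to apply it; ADMIN_IP, NFLOG_GROUP and OUT are constructed placeholders. One point the question's approach misses: once the OUTPUT policy is DROP, rejected packets never reach the NIC, so a tcpdump on eth0 records nothing of the traffic you most want to see. Copying packets to an NFLOG group before the drop, and capturing from that group, records everything and still drops it.

```sh
#!/bin/sh
# Added example, not from the question or its comments: record traffic to a
# pcap, then isolate the host. Assumes iptables with conntrack and NFLOG,
# tcpdump with nflog support, and root to apply. ADMIN_IP, NFLOG_GROUP and
# OUT are constructed/hypothetical values.
set -u

ADMIN_IP="${ADMIN_IP:-${SSH_CLIENT:-}}"    # address of the admin's SSH session
ADMIN_IP="${ADMIN_IP%% *}"                 # SSH_CLIENT is "ip port port"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"       # constructed fallback address
NFLOG_GROUP="${NFLOG_GROUP:-1}"
OUT="${OUT:-/var/tmp/isolated-traffic.pcap}"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = run them

# Print a command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# iptables rule list, one command per line, in a lock-out-safe order:
# accept loopback and the admin's SSH first, copy every other packet to the
# NFLOG group, and only then switch the chain policies to DROP.
isolation_rules() {
    admin="$1"; group="$2"
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $admin --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -j NFLOG --nflog-group $group --nflog-prefix ISOLATED-IN
iptables -A OUTPUT -j NFLOG --nflog-group $group --nflog-prefix ISOLATED-OUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# tcpdump reading the NFLOG group instead of the NIC: packets dropped by the
# OUTPUT policy never reach the interface, so a capture on eth0 would miss
# exactly the traffic the question wants recorded. The resulting pcap uses
# the NFLOG link type, which both tcpdump and tshark decode.
capture_cmd() {
    group="$1"; out="$2"
    printf 'tcpdump -i nflog:%s -n -w %s' "$group" "$out"
}

apply_isolation() {
    # Start the capture before the DROP policies take effect.
    run sh -c "$(capture_cmd "$NFLOG_GROUP" "$OUT") &"
    isolation_rules "$ADMIN_IP" "$NFLOG_GROUP" | while IFS= read -r line; do
        # word-splitting is intended here: each line is one iptables command
        run $line
    done
}

# Usage:  DRY_RUN=1 sh isolate.sh apply   (print the plan)
#         DRY_RUN=0 sh isolate.sh apply   (as root: enforce it)
if [ "${1:-}" = "apply" ]; then apply_isolation; fi
```

Run it once with `DRY_RUN=1` and read the plan before enforcing it: the only rules above the DROP policies are loopback and the admin's SSH session, so a typo in ADMIN_IP locks you out of a host you cannot reach physically. The pcap is the record of what the box tried to do after isolation; review it with `tshark -r` from another machine.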

0 Answers