Connect to the SO machine via SSH.
sudo tcpdump -i eth0 -c 10
When asked for your password, enter it.
Tcpdump displays ten packets, as shown below.
These packets are from SSH: the traffic of the very session you are using to control SecurityOnion. With no filter expression, tcpdump shows everything on eth0, including its own control channel.
sudo tcpdump -i eth0 -c 10 icmp
Tcpdump just sits there listening, as shown below. The filter expression "icmp" is compiled into a BPF program, so only ICMP packets are handed to tcpdump; everything else is ignored.
On your SecurityOnion desktop, right-click and click "Open Terminal Here".
In the Terminal window, execute this command:
ping 8.8.8.8
Wait for five or more replies, and then press
Ctrl+C to stop the pings,
as shown below.
In your SSH session, tcpdump displays the ICMP packets, as shown below.
cd Desktop
sudo tcpdump -i eth0 -c 500 -w YOURNAME.pcap
Tcpdump just sits there listening,
as shown below.
On your SecurityOnion desktop, right-click and click "Open Terminal Here".
In the new Terminal window, execute these commands (the -c 5 option limits each ping to five packets, so every command finishes on its own):
ping 8.8.8.8 -c 5
ping 8.8.4.4 -c 5
ping 208.67.222.222 -c 5
dig @8.8.8.8 kittenwar.com
dig @8.8.4.4 yahoo.com
dig @208.67.222.222 msn.com
wget ad.samsclass.info
The commands complete,
as shown below.
Execute the same commands a second time to generate more traffic. Use a second terminal for this (the Terminal window on the SecurityOnion desktop, or another SSH session), because the first SSH session is still busy running tcpdump:
ping 8.8.8.8 -c 5
ping 8.8.4.4 -c 5
ping 208.67.222.222 -c 5
dig @8.8.8.8 kittenwar.com
dig @8.8.4.4 yahoo.com
dig @208.67.222.222 msn.com
wget ad.samsclass.info
The tcpdump command should now have captured its 500 packets and exit, as shown below. If it is still listening, repeat the commands above until it does.
cd ~/Desktop
ls -l
You should see a PCAP file with your name on it, as shown below. (Your SSH session should already be in the Desktop directory; the cd is there in case you moved elsewhere.)
tcpdump -r YOURNAME.pcap
500 lines of text scroll by, one per packet. Reading a saved file with -r needs no sudo, as long as the file is readable by your account, because nothing is captured from the interface.
tcpdump -r YOURNAME.pcap icmp
The output is a lot shorter, but still many lines, as shown below: only the ICMP packets, in both directions of every ping.
tcpdump -r YOURNAME.pcap icmp and host 8.8.8.8
The output is even shorter, as shown below. "host 8.8.8.8" matches packets with 8.8.8.8 as either source or destination, so you see both the echo requests and the echo replies for that address.
tcpdump -r YOURNAME.pcap icmp and src host 8.8.8.8
The output is even shorter, as shown below. "src host 8.8.8.8" keeps only packets sent by 8.8.8.8, which are the echo replies.
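The filter progression above (and the tshark display filter used later in this project) selects the same packets a short program can select by parsing the capture file itself. The following Python script is an added example, not part of the original project page: it writes a small pcap file the way tcpdump -w does, reads it back, and applies the three filters used above with tcpdump -r. All traffic is constructed inside the script (five pings each to 8.8.8.8 and 8.8.4.4 with their replies, plus one UDP/53 query); 10.0.2.15 is an assumed VM address and the MAC addresses are placeholders.

```python
"""Minimal pcap writer/reader reproducing the tcpdump steps above.
Added example with constructed traffic; 10.0.2.15 is an assumed VM address."""
import ipaddress
import struct

LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def checksum(data):
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src, dst, proto, payload):
    """20-byte IPv4 header (no options) with a valid checksum, then payload."""
    f = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    f[7] = checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f) + payload

def icmp_echo(kind, ident, seq, data=b"samsclass"):
    """ICMP echo request (type 8) or reply (type 0) with a correct checksum."""
    body = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def ethernet_frame(ip_packet):
    """Ethernet II frame around an IPv4 packet; the MAC addresses are placeholders."""
    return (b"\x52\x54\x00\x12\x34\x56\x52\x54\x00\x65\x43\x21"
            + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet)

def write_pcap(packets):
    """Serialize (timestamp, frame) pairs to pcap bytes, as tcpdump -w does."""
    out = [struct.pack("=IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        out.append(struct.pack("=IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes; accepts either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a pcap file (unknown magic)")
    if struct.unpack(endian + "HHiIII", data[4:24])[5] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Fields the filters need; None for anything that is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
    pkt = {"proto": ip[9], "src": str(ipaddress.IPv4Address(ip[12:16])),
           "dst": str(ipaddress.IPv4Address(ip[16:20]))}
    if pkt["proto"] == PROTO_ICMP and len(ip) >= ihl + 8:
        pkt["icmp_type"], _, _, pkt["icmp_id"], pkt["icmp_seq"] = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return pkt

# BPF-style primitives; select() ANDs them together like the filter expression does.
def bpf_icmp(pkt):
    return pkt["proto"] == PROTO_ICMP
def bpf_host(addr):           # 'host X': X as source OR destination
    return lambda pkt: addr in (pkt["src"], pkt["dst"])
def bpf_src_host(addr):       # 'src host X': only packets sent BY X
    return lambda pkt: pkt["src"] == addr

def select(pcap_bytes, *predicates):
    """Decoded packets that satisfy every predicate, in capture order."""
    hits = []
    for _, frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt and all(p(pkt) for p in predicates):
            hits.append(pkt)
    return hits

def build_sample_capture(me="10.0.2.15"):
    """Constructed: five pings each to 8.8.8.8 and 8.8.4.4 with replies, then one UDP/53 query."""
    pkts, t = [], 1507680000.0
    for seq in range(1, 6):
        for target in ("8.8.8.8", "8.8.4.4"):
            for src, dst, kind in ((me, target, ICMP_ECHO_REQUEST), (target, me, ICMP_ECHO_REPLY)):
                pkts.append((t, ethernet_frame(ipv4_packet(src, dst, PROTO_ICMP, icmp_echo(kind, 0x1234, seq)))))
                t += 0.01
    udp = struct.pack("!HHHH", 40000, 53, 8 + 29, 0) + b"\x00" * 29   # UDP header + placeholder payload
    pkts.append((t, ethernet_frame(ipv4_packet(me, "8.8.8.8", PROTO_UDP, udp))))
    return write_pcap(pkts)

if __name__ == "__main__":
    cap = build_sample_capture()
    print("all:", len(list(read_pcap(cap))), "icmp:", len(select(cap, bpf_icmp)),
          "icmp and host 8.8.8.8:", len(select(cap, bpf_icmp, bpf_host("8.8.8.8"))))
    for pkt in select(cap, bpf_icmp, bpf_src_host("8.8.8.8")):   # the echo replies only
        print("IP %s > %s: ICMP echo reply, id %d, seq %d" % (pkt["src"], pkt["dst"], pkt["icmp_id"], pkt["icmp_seq"]))
```

Run with no arguments to print the counts: 21 packets in the file, 20 of them ICMP, 10 ICMP to or from 8.8.8.8, and 5 echo replies sent by 8.8.8.8. The difference between host and src host is the point: the first matches both directions, the second only packets whose source address is 8.8.8.8, which is why the last tcpdump command above shows only replies.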
Capture a whole-desktop image and save it as "Proj 5a from YOURNAME".
YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT
dumpcap -i eth0
You see an error message, as shown below. Dumpcap refuses to open eth0 because your account has no capture privileges yet; on this system they are granted through membership in the wireshark group, which the next steps set up.
sudo dpkg-reconfigure wireshark-common
A purple window appears, as shown below, asking whether non-superusers should be able to capture packets.
Use Tab as needed to highlight Yes and press Enter.
In your SSH session, execute these commands, replacing "so" with your login name:
sudo usermod -a -G wireshark so
sudo reboot
Group membership only takes effect in new login sessions, which is why the reboot (logging out and back in would also do) is needed. The reboot drops your SSH connection; reconnect once the machine is back up, then execute this command:
dumpcap -i eth0
Dumpcap runs now. With no -w option it writes to a temporary file and prints that file's path. Stop the capture with Ctrl+C, as shown below.
cd ~/Desktop
tshark -r YOURNAME.pcap -Y 'icmp and ip.src == 8.8.8.8'
You see only echo replies from 8.8.8.8, as shown below. After the reboot your session starts in your home directory, and the PCAP file is on the Desktop, so you must change into that directory first. The -Y option applies a Wireshark display filter; note that its syntax differs from the tcpdump BPF filter that made the same selection earlier.
Capture a whole-desktop image and save it as "Proj 5b from YOURNAME".
YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT
sudo sed -i 's|ARGUS_ENABLED="no"|ARGUS_ENABLED="yes"|g' /etc/nsm/*/sensor.conf
sudo service nsm restart
sudo nsm_sensor_ps-status
The sed command changes ARGUS_ENABLED from "no" to "yes" in every sensor configuration file under /etc/nsm, and the restart makes the sensor pick the change up.
"argus" should now show a status of OK, as shown below.
ping 8.8.8.8 -c 5
dig @8.8.8.8 kittenwar.com
wget ad.samsclass.info
The commands complete,
as shown below.
cd /nsm/sensor_data/so-virtual-machine-eth0/argus/
ls -l
You should see one or more log files, as shown below. The directory is named after the sensor (hostname-interface); if your machine's hostname is not so-virtual-machine, adjust the path accordingly.
In your SSH session, execute this command, replacing the file name with the name of your most recent logfile:
ra -r 2017-10-10.log
The command shows many lines of data, as shown below: one line per flow record. Argus records bidirectional flows, not individual packets, so this is already far more compact than the tcpdump output.
racluster -nr 2017-10-10.log
The command shows many types of data, as shown below. racluster merges related records; -n prints addresses and ports as numbers instead of resolving them to names.
racluster -nr 2017-10-10.log -m saddr daddr
The command shows a short list of grouped data, as shown below. The -m option names the aggregation fields: all records sharing a source and destination address are combined into one line.
Look for the line that groups your machine's IP address with 8.8.8.8, displayed with a <-> direction indicator (ip ... <-> 8.8.8.8).
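To see what -m saddr daddr does to the records, here is an added example in Python, not Argus code and not part of the original project page. It takes a constructed list of flow records standing in for what ra -r prints, and folds them into one row per address pair, summing the per-direction packet and byte counters and counting how many records were merged (what racluster reports as its Trans column). 10.0.2.15 is an assumed VM address and 203.0.113.10 a documentation-range placeholder for the web server; the direction indicator is a simplification of Argus's own logic.

```python
"""Flow aggregation in the spirit of `racluster -m saddr daddr` (added example,
not Argus code).  SAMPLE_RECORDS is a constructed stand-in for the flow records
`ra -r` prints; 10.0.2.15 is an assumed VM address, 203.0.113.10 a placeholder."""

COUNTERS = ("spkts", "dpkts", "sbytes", "dbytes")   # per-direction packet/byte counts

SAMPLE_RECORDS = [   # constructed, one bidirectional flow per record
    dict(proto="icmp", saddr="10.0.2.15", sport=0,     daddr="8.8.8.8",      dport=0,  spkts=5, dpkts=5, sbytes=490, dbytes=490),
    dict(proto="udp",  saddr="10.0.2.15", sport=40000, daddr="8.8.8.8",      dport=53, spkts=1, dpkts=1, sbytes=72,  dbytes=98),
    dict(proto="udp",  saddr="10.0.2.15", sport=40001, daddr="8.8.8.8",      dport=53, spkts=1, dpkts=0, sbytes=72,  dbytes=0),  # unanswered
    dict(proto="icmp", saddr="10.0.2.15", sport=0,     daddr="8.8.4.4",      dport=0,  spkts=5, dpkts=5, sbytes=490, dbytes=490),
    dict(proto="tcp",  saddr="10.0.2.15", sport=51000, daddr="203.0.113.10", dport=80, spkts=8, dpkts=6, sbytes=700, dbytes=6100),
    dict(proto="tcp",  saddr="10.0.2.15", sport=52000, daddr="203.0.113.10", dport=80, spkts=5, dpkts=4, sbytes=500, dbytes=3600),
]

def racluster(records, fields=("saddr", "daddr")):
    """Fold records that agree on `fields` into one row each, summing the
    counters and counting merged records in 'trans' (racluster's Trans column)."""
    rows = {}
    for rec in records:
        key = tuple(rec[f] for f in fields)
        row = rows.get(key)
        if row is None:
            row = rows[key] = {f: rec[f] for f in fields}
            row["trans"] = 0
            row.update((c, 0) for c in COUNTERS)
        row["trans"] += 1
        for c in COUNTERS:
            row[c] += rec[c]
    return list(rows.values())          # first-seen order

def direction(row):
    """'<->' when both sides sent packets, '->' when only the source did
    (a simplification of Argus's own direction indicator)."""
    return "<->" if row["spkts"] and row["dpkts"] else "->"

def format_row(row):
    """One line roughly in racluster's column layout: proto saddr dir daddr trans pkts bytes."""
    pkts, byts = row["spkts"] + row["dpkts"], row["sbytes"] + row["dbytes"]
    return "%-5s %-15s %3s %-15s %4d %5d %7d" % (row.get("proto", ""), row["saddr"],
                                                 direction(row), row["daddr"], row["trans"], pkts, byts)

if __name__ == "__main__":
    for fields in (("saddr", "daddr"), ("proto", "saddr", "daddr")):
        print("racluster -m " + " ".join(fields))
        for row in racluster(SAMPLE_RECORDS, fields):
            print(format_row(row))
```

With saddr daddr as the key, the six records collapse to three rows (8.8.8.8 absorbs the ping and both DNS queries, Trans 3); adding proto to the key splits the 8.8.8.8 row back into an ICMP row and a UDP row. The unanswered query, with no packets from the destination, shows as -> rather than <->.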
Capture a whole-desktop image and save it as
"Proj 5c from YOURNAME".
YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT
Send a Cc to yourself.
Posted 10-11-17
Rev. 10-28-17 to fix space in IP Address