[Tutorial] Monitoring TCP connections with tcptrack
Basically, tcptrack is a sniffer that shows information about the TCP connections on a specific interface. This article, made available by HowToForge.com, presents more information about this tool…
Note: The best texts on hacking and security are in English, and so is this one. I thought it better not to translate the text so as not to leave out any information or change its meaning, thereby preserving its originality. I hope you enjoy it…
Basically, tcptrack is a sniffer which will show the information about TCP connections on a specific interface. tcptrack will watch all the connections that occur and show the information in a nice interface. Although it uses a text user interface, it is simple and easy to understand. tcptrack has been packaged on several popular Linux distributions. The latest version of tcptrack is 1.2.0, released on December 20, 2006. You can download the source code from the tcptrack website.
tcptrack provides some useful information for administrators to track every single connection to their servers. I use tcptrack to watch my proxy to make sure that every user gets an appropriate bandwidth and no one saturates the whole bandwidth. It just gives me a way to watch the traffic. The information that tcptrack provides is:
- source address and port
- destination address and port
- connection state
- idle time
- bandwidth usage
tcptrack also has a filtering feature; it uses the pcap filtering syntax (identical to the one used in tcpdump).
tcptrack installation is fairly easy; on Debian GNU/Linux or Ubuntu you can simply use
apt-get install tcptrack
Searching on rpmfind.net I found the one matching my needs, tcptrack for CentOS. I use rpm for RHEL 4. I took the rpm and installed it manually. If you want to use yum, you have to enable the DAG repository. If you want to build it from source, you can read the INSTALL file in the package or read it online.
You have to be a superuser to run tcptrack, the basic usage of tcptrack is using such a command:
# tcptrack -i <networkInterface>
# tcptrack -i eth1
After invoking such a command tcptrack will run, capturing all TCP connections, and show them to you in an easy-to-understand interface. Other options that might be useful are -r and a port filter. -r will make tcptrack wait for a given time (in seconds) before it deletes a closed connection from the screen. For example:
# tcptrack -i eth0 -r 10
A port expression will do the filtering for you based on port number. For example:
# tcptrack -i eth1 port 22
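As an added example (not part of the HowToForge article), the following POSIX sh wrapper validates the interface name, the -r value and the pcap filter tokens before handing them to tcptrack, and refuses to run it without root; the interface names and filters used are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a tcptrack command
# line from an interface, the -r retention time (seconds) and pcap filter
# words, rejecting anything that is not a plain token. Sample values such
# as eth1 and "port 22" are constructed for illustration.

# Print "tcptrack -i IFACE -r SECS FILTER..." on success; on bad input print
# nothing to stdout, a message to stderr, and return 1.
tcptrack_cmd() {
    iface=$1; retain=$2; shift 2
    # Interface names: letters, digits, '.', '-', '_' (e.g. eth1, ens3, br-lan)
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    # -r takes whole seconds: must be a non-negative integer
    case "$retain" in
        ''|*[!0-9]*) echo "bad -r value: $retain" >&2; return 1 ;;
    esac
    # Remaining arguments are the pcap filter (same syntax as tcpdump), e.g.
    # "port 22" or "host 192.168.1.10 and not port 22". Validate every token
    # first so nothing is printed for a partially valid command.
    filter=''
    for word in "$@"; do
        case "$word" in
            *[!A-Za-z0-9./:-]*) echo "bad filter token: $word" >&2; return 1 ;;
        esac
        filter="$filter $word"
    done
    echo "tcptrack -i $iface -r $retain$filter"
}

# Run tcptrack only as root (the article notes it needs superuser rights);
# otherwise show what would have run and return 2.
run_tcptrack() {
    cmd=$(tcptrack_cmd "$@") || return 1
    if [ "$(id -u)" -ne 0 ]; then
        echo "tcptrack needs root; would run: $cmd" >&2
        return 2
    fi
    # Word splitting is intended here: every token was validated above.
    exec $cmd
}
```

Usage: `run_tcptrack eth1 10 port 22` is equivalent to the article's `tcptrack -i eth1 -r 10 port 22`, while a value like `'eth0; rm -rf /'` is refused before anything runs.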