Generating and Viewing Sniffer Reports in CentOS
To generate and view network traffic reports in CentOS, you can use command-line tools (like tcpdump and tshark) for automation/scripting or graphical tools (like Wireshark) for interactive analysis. Below is a structured guide covering both approaches:
Before generating reports, install the necessary sniffer tools using yum (CentOS 7) or dnf (CentOS 8/Stream):
# Install tcpdump (command-line packet capture)
sudo yum install tcpdump -y
# Install Wireshark (GUI for packet analysis)
sudo yum install wireshark -y
# Install tshark (command-line companion to Wireshark; on CentOS 8/Stream the package is named wireshark-cli)
sudo yum install tshark -y
These tools allow you to capture, save, and analyze network traffic.
Use tcpdump or tshark to capture traffic and save it to a file (commonly in .pcap format, compatible with most analysis tools). Replace eth0 with your target network interface (check available interfaces with tcpdump -D).
# Capture all traffic on eth0 and save to 'capture.pcap'
sudo tcpdump -i eth0 -w capture.pcap
# Capture only HTTP traffic (port 80) on eth0; the capture filter goes after all options
sudo tcpdump -i eth0 -w http_capture.pcap port 80
# Limit capture to 100 packets (useful for testing)
sudo tcpdump -i eth0 -c 100 -w limited_capture.pcap
The -w flag writes packets to a file, while options like -c (packet count) or filters (e.g., port 80) help narrow the scope.
# Capture all traffic on eth0 and save to 'tshark_capture.pcap'
sudo tshark -i eth0 -w tshark_capture.pcap
tshark behaves similarly to tcpdump but offers more advanced filtering and field extraction.
Once traffic is captured, you can view the .pcap file using the same tools or convert it to other formats (e.g., CSV) for further analysis.
# Read and display the entire 'capture.pcap' file
sudo tcpdump -r capture.pcap
# Display in numeric format (no hostname resolution) for faster output
sudo tcpdump -r capture.pcap -nn
# Filter for SSH traffic (port 22) in the saved file
sudo tcpdump -r capture.pcap port 22
This is useful for quick command-line reviews of packet contents.
# Open 'capture.pcap' in Wireshark (graphical interface)
wireshark capture.pcap
Wireshark provides a detailed, interactive view of packets, including display filters (e.g., http.request for HTTP requests) to narrow down traffic.
# Display all packets in 'capture.pcap' with basic details
sudo tshark -r capture.pcap
# Extract specific fields (frame number, source/dest IP, ports) to a CSV file
sudo tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port -E separator=, -E quote=d -E header=y > report.csv
The -T fields option lets you specify which packet attributes to include, making it ideal for automated reporting.
For structured summaries (e.g., traffic statistics, top talkers), use tshark or external tools like ELK Stack (Elasticsearch, Logstash, Kibana).
# Count packets and bytes by protocol layer (e.g., TCP, UDP, ICMP) with protocol hierarchy statistics
sudo tshark -r capture.pcap -qz io,phs
# Per-address packet and byte counts (sent and received) for every IP endpoint
sudo tshark -r capture.pcap -qz endpoints,ip
# Get top 10 source IPs by packet count
sudo tshark -r capture.pcap -T fields -e ip.src | sort | uniq -c | sort -rn | head -n 10
These commands provide concise insights into traffic patterns without opening the full GUI.
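As an added example (not part of the original guide), the script below post-processes the CSV written by the tshark -T fields command above and produces the same kind of report as the statistics commands: top-N source IPs and per-port packet counts. It assumes the four-column layout (frame.number, ip.src, ip.dst, tcp.port) written with -E separator=, -E quote=d -E header=y, and uses a constructed sample file instead of real traffic.

```shell
#!/bin/sh
# Summarise a tshark "-T fields" CSV report into top talkers and per-port counts.
# Added example; assumes the column layout produced by the tshark command above.

TAB="$(printf '\t')"

# Convert the double-quoted CSV into tab-separated rows, dropping the header.
# tcp.port holds both ports joined by a comma ("54321,22"), so a naive split on
# commas would break; replacing only the quote-comma-quote boundaries keeps it intact.
unquote_csv() {
    tail -n +2 "$1" | sed "s/^\"//; s/\"\$//; s/\",\"/$TAB/g"
}

# Print the top N source IPs by packet count, one "count ip" per line.
top_sources() {
    unquote_csv "$1" | awk -F"$TAB" '$2 != "" { c[$2]++ }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2 | head -n "$2"
}

# Count packets where either TCP port equals the given port (non-TCP rows have an empty field).
count_port() {
    unquote_csv "$1" | awk -F"$TAB" -v p="$2" '
        { n = split($4, ports, ",")
          for (i = 1; i <= n; i++) if (ports[i] == p) { hits++; break } }
        END { print hits + 0 }'
}

# Constructed sample report (not real traffic) in the format tshark emits.
SAMPLE="${TMPDIR:-/tmp}/report_sample.csv"
cat > "$SAMPLE" <<'EOF'
"frame.number","ip.src","ip.dst","tcp.port"
"1","10.0.0.5","10.0.0.1","54321,22"
"2","10.0.0.1","10.0.0.5","22,54321"
"3","10.0.0.5","10.0.0.1","54322,80"
"4","10.0.0.7","10.0.0.1",""
"5","10.0.0.5","10.0.0.9","54323,22"
EOF

top_sources "$SAMPLE" 2
count_port "$SAMPLE" 22
```

Point the functions at report.csv from the tshark command above to run the same summary over a real capture.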
Note that you need root access (use sudo) to capture network traffic, and that logrotate can be used to manage .pcap file sizes and retention.
By following these steps, you can effectively generate, capture, and analyze network traffic reports in CentOS using both command-line and graphical tools.