When analyzing actual network packets, TCPdump is a must-have tool. This tip explains how VARs and networking consultants can audit their customer's network traffic with this open source network application.
An alternative to using SACLs to qualify traffic is to use TCPdump. TCPdump is one of those staple tools that network and systems administrators alike reach for whenever they need to take a look at the actual network packets. It was written way back in the day and runs on Unix and Windows, and is consistently maintained by its author, Van Jacobson. It's not quite a packet sniffer, but it's close enough for government work.
Cleaning up the captured data is necessary to make it manageable, since administrators will only be interested in the IP protocol information. Because it provides additional traffic information beyond just port and host details, TCPdump is a superior application to SACLs.
One of TCPdump's few weaknesses is that it must be run on a UNIX or Windows server connected to the same hub as your customer's router in order to collect data.
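As an added illustration of the "clean up the data" step (this script is not from the original tip), the following POSIX shell function reduces tcpdump's line-by-line text output to a per-protocol, per-destination-port tally, which is the kind of summary that is useful when qualifying traffic. The capture command, the interface name eth0 and the sample lines are assumptions; the sample is constructed rather than taken from a real capture.

```shell
#!/bin/sh
# Added example (not part of the original tip).
# On the monitoring host, which must be plugged into the same hub as the
# customer's router so that it sees the traffic, a capture is typically
# fed into the summary like this (interface eth0 is an assumption):
#   tcpdump -nn -l -i eth0 ip | summarize_capture
# -nn keeps hosts and ports numeric, -l line-buffers output, "ip" keeps IPv4 only.

# Constructed sample of tcpdump -nn output (documentation addresses, not real hosts).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 198.51.100.5.80 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000000 IP 192.0.2.11.40000 > 198.51.100.9.53: 1234+ A? example.com. (29)
12:00:02.500000 IP 192.0.2.10.51235 > 198.51.100.5.443: Flags [S], seq 5, win 64240, length 0
12:00:03.000000 IP 192.0.2.12 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
12:00:03.100000 IP 192.0.2.13.51236 > 198.51.100.5.80: Flags [S], seq 9, win 64240, length 0'

# summarize_capture: read tcpdump -nn lines on stdin, print "proto dst_port count",
# most frequent first. Only IPv4 lines ($2 == "IP") are counted; the transport
# protocol is inferred from tcpdump's own formatting: "Flags" after the
# destination means TCP, "ICMP" means ICMP, anything else is treated as UDP.
summarize_capture() {
    awk '
        $2 == "IP" {
            dst = $5
            sub(/:$/, "", dst)                 # strip the trailing colon
            n = split(dst, parts, ".")         # host.port has 5 dotted parts
            port = (n == 5) ? parts[5] : "-"   # bare host (e.g. ICMP) has no port
            if ($6 == "ICMP")       proto = "icmp"
            else if ($6 == "Flags") proto = "tcp"
            else                    proto = "udp"
            count[proto " " port]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# Run against the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
fi
```

Lines for protocols tcpdump labels differently (IP6, ARP) fall outside the `$2 == "IP"` match and are ignored, which matches the IPv4-only filter on the capture command.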
About the author: Michael J. Martin has been working in the information technology field as a network and Unix system admin for over 10 years. What's his biggest strength as an expert? He says it's his "broad base of experience in working in the ISP/carrier and enterprise spaces as both a systems and a network engineer." His background in designing, implementing, and supporting MIS infrastructures for research and ISPs gives him a unique perspective on large-scale internetworking and security architecture. Michael shares his wealth of knowledge in his monthly Router Expert series and in frequent Live Expert Webcasts.
This was first published in January 2007.