“PCAP or it didn’t happen” is a good network security philosophy. The primary idea being to capture network traffic for analysis. In a non-corporate environment where a CentOS-based Linux host has been used as a dual homed firewall (refer to the lame ASCII art network diagram below), tcpdump was used for continuous traffic capture.
_( )______ ________ +-----+ _( )__
( Internet )---/ Router \----| F/W |----( DMZ )
(____________) \________/ +-----+ (________)
Firstly, we create a location to save the pcap files. Next, since contemporary version of tcpdump are baked with the -Z switch which causes tcpdump to drop into a less privileges account (tcpdump in the case of this particular version of CentOS) we change ownership and permissions to the location, and change permissions to allow the tcpdump user and group to have full read and write permission.
[Read More]