Script for recording unexpected outbound connections. TCPDump has a lot of options. This script includes the options which I have found to be the most useful.
#!/usr/bin/env bash
# This is a script I use when checking for unexpected outbound connections.
# Script requires root-level permissions, so this should be executed with sudo.
# Before running, export INTERFACE='eth0' (or whatever interface) and
# export EXPECTED_IP='1.1.1.1' (or whatever IP address you are expecting
# communication with).
set -euo pipefail
# Fail early with a clear message if either variable has not been exported.
: "${INTERFACE:?export INTERFACE='eth0' (the interface to capture on) before running}"
: "${EXPECTED_IP:?export EXPECTED_IP='1.1.1.1' (the host you expect traffic with) before running}"
# Summary of options used in the tcpdump command:
# -A: Display the payload of each packet as ASCII, where it makes sense to do so.
# E.g., an unencrypted HTTP request might be displayed in the output as:
# HEAD /index.html HTTP/1.1
# Host: example.com
# User-Agent: curl/7.58.0
# and the response would likewise be shown in full.
# -e: Show link-level headers on each dump line (e.g., source and destination
# MAC addresses).
# -n: Show numbers instead of names. (E.g., shows 1.1.1.1.53 instead of
# one.one.one.one.domain; tcpdump separates address and port with a dot.)
# -K: Do not verify checksums of packets. (I use this option because I am
# interested in monitoring the traffic in general, regardless of the
# checksum validity. Therefore, I don't bother dedicating any CPU time
# towards this.)
# -i: The interface that we are monitoring (e.g., "eth0")
# --number: Show a number next to each packet
# -tt: Show time as seconds since the epoch (with a fractional part)
# -U: Packet-buffered output: flush stdout after each packet is printed, so
# nothing is held back in a buffer when the output is piped or redirected.
# -vv: Second level of verbosity (2/3). Shows additional info like TTL, packet
# length, identification, etc. and in some cases, extra fields are
# displayed or packets may be fully decoded.
# -XX: Print packet headers & data, including link-level headers, and output in
# both hex and ASCII. (Like hexdump's "Canonical hex+ASCII display" (-C).)
# The BPF filter drops every packet to or from the expected host and keeps
# TCP, UDP and ICMP; note that it still captures inbound traffic from other
# hosts, not only connections this machine initiates.
tcpdump -A -e -n -K -i "$INTERFACE" --number -tt -U -vv -XX \
"(not host ${EXPECTED_IP}) and (tcp or udp or icmp)"
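The capture above is verbose, so in practice I want a quick tally of which destinations this host actually talked to. The following is an added example (not part of the gist) that reduces the output of that tcpdump command to one line per outbound destination; it assumes -n and -vv were used (numeric addresses, flow line following the IP header line), skips the hex rows from -XX, and takes the local address as its argument. The sample capture is constructed, using documentation-range peers.

```bash
#!/usr/bin/env bash
# Added example, not part of the gist: tally outbound packets per destination
# from the output of the tcpdump command above. Assumes -n and -vv (numeric
# addresses; the flow line follows the IP header line); -XX hex lines are skipped.
set -euo pipefail

# summarize_outbound LOCAL_IP  (reads tcpdump output on stdin)
# Prints "COUNT PROTO DST[.PORT]" lines, most frequent destination first.
summarize_outbound() {
  awk -v me="$1" '
    /^[[:space:]]*0x/ { next }                 # hex dump rows carry no flow info
    /proto [A-Z]+/ {                           # -vv IP header line: remember protocol
      match($0, /proto [A-Z]+/); proto = substr($0, RSTART + 6, RLENGTH - 6); next
    }
    $2 == ">" {                                # flow line: SRC[.PORT] > DST[.PORT]: ...
      src = $1; dst = $3; sub(/:$/, "", dst)
      split(src, p, ".")                       # 5 fields with a port, 4 without (ICMP)
      src_ip = p[1] "." p[2] "." p[3] "." p[4]
      if (src_ip == me) count[proto " " dst]++ # only packets this host sent
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Constructed sample of "tcpdump -e -n --number -tt -vv" output: the start of a
# TCP handshake, a DNS query and a ping from 10.0.0.5 (documentation-range peers).
SAMPLE_CAPTURE=$(cat <<'EOF'
    1  1700000000.000001 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.5.44321 > 192.0.2.44.443: Flags [S], cksum 0x1a2b, seq 1, win 64240, options [mss 1460], length 0
    2  1700000000.010002 02:42:ac:11:00:01 > 02:42:ac:11:00:02, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.44.443 > 10.0.0.5.44321: Flags [S.], cksum 0x3c4d, seq 2, ack 2, win 65535, options [mss 1460], length 0
    3  1700000000.020003 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.0.5.44321 > 192.0.2.44.443: Flags [.], cksum 0x5e6f, ack 3, win 502, length 0
    4  1700000000.030004 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 56)
    10.0.0.5.51000 > 203.0.113.9.53: 4711+ A? example.net. (28)
    5  1700000000.040005 02:42:ac:11:00:02 > 02:42:ac:11:00:01, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
        0x0000:  0242 ac11 0001 0242 ac11 0002 0800 4500  .B.....B......E.
EOF
)

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_outbound 10.0.0.5
```

On a live capture, pipe the tcpdump command's output (or a saved copy of it) into summarize_outbound with the machine's own address; anything listed there that is not a known service is what to investigate.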