Spencer-Doak · November 8, 2020 23:11 · Nov 8, 2020
diff --git a/record_unexpected_network_connections.sh b/record_unexpected_network_connections.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# This is a script I use when checking for unexpected outbound connections.
+# Script requires root-level permissions, so this should be executed with sudo.
+# Before running, export INTERFACE='eth0' (or whatever interface) and
+# export EXPECTED_IP='1.1.1.1' (or whatever IP Address you are expecting
+# communication with).
+
+# Summary of variables used in TCP Dump command:
+# -A: This option causes tcpdump to display ASCII versions of packets, where it
+#     makes sense to do so. E.g., an unencrypted HTTP call might be displayed in
+#     the output as:
+#       HEAD /index.html HTTP/1.1
+#       Host: example.com
+#       User-Agent: curl/7.58.0
+#     And likewise, the output would be shown in full.
+# -e: Show link-level headers on each dump line. (Can show things like MAC)
+# -n: Show numbers instead of names. (E.g., shows 1.1.1.1:53 instead of
+#     one.one.one.one:dns)
+# -K: Do not verify checksums of packets. (I use this option because I am
+#     interested in monitoring the traffic in general, regardless of the
+#     checksum validity. Therefore, I don't bother dedicating any CPU time
+#     towards this.)
+# -i: The interface that we are monitoring (e.g., "eth0")
+# --number: Show a number next to each packet
+# -tt: Show time as seconds since the epoch (number is a floating point)
+# -U: Buffer output so whole packets are written to output
+# -vv: Second level of verbosity (2/3). Shows additional info like TTL, packet
+#     length, identification, etc. and in some cases, extra fields are
+#     displayed or packets may be fully decoded.
+# -XX: Print packet headers & data, including link-level headers, and output in
+#     both hex and ASCII. (Like hexdump's "Canonical hex+ASCII display" (-C).)
+tcpdump -A -e -n -K -i "$INTERFACE" --number -tt -U -vv -XX \
+  "(not host ${EXPECTED_IP}) and (tcp or udp or icmp)"