code-library/Network/Investigation/README.md
2022-02-14 18:44:33 +01:00

TCP investigation script

A Bash script that collects information about the TCP connections active on a GNU/Linux host and mails the result as an HTML report.

Key features:

  • Lists the TCP connections that are established at the time the script runs.
  • For each connection, reports statistics about the owning process, for example the bytes it has read and written.
  • Lists the files and directories that process has open.
  • Turns the collected information into an HTML report and sends it by e-mail.
  • Portable: runs on any GNU/Linux system that has curl and the other tools listed under Requirements.
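The core of the procedure above (established connections, owning PID, per-process I/O and open files) as an added example; this is not the project's tcp-investigation.sh, and the netstat listing embedded in it is constructed so that the parser can be run offline. Names such as parse_established and investigate_pid are assumptions, and the live path calls netstat, pidstat and lsof exactly as the Requirements list them.

```shell
#!/bin/sh
# Added example, not the project's tcp-investigation.sh: enumerate ESTABLISHED TCP
# connections, map each to its PID, and gather per-process detail with pidstat and lsof.
# SAMPLE_NETSTAT is a constructed `netstat -tnp` listing so the parser runs offline.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:44716          93.184.216.34:443       ESTABLISHED 1234/curl
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 987/sshd: alice
tcp        0      0 10.0.0.5:44720          198.51.100.7:443        TIME_WAIT   -
tcp        0      0 127.0.0.1:5432          127.0.0.1:38844         ESTABLISHED 2001/postgres'

# Read netstat -tnp output on stdin; print "PID LOCAL REMOTE" for each ESTABLISHED
# tcp/tcp6 socket that has an owning PID. Sockets shown as "-" (not visible without
# root, or owned by the kernel) and non-ESTABLISHED states are skipped.
parse_established() {
    awk '$1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" && $7 ~ /^[0-9]+\// {
        split($7, p, "/"); print p[1], $4, $5
    }'
}

# Per-process detail for one PID: command line, disk read/write rate from
# pidstat -d (sysstat) sampled once over one second, and the open regular files and
# directories reported by lsof -p (column 5 is TYPE, column 9 the first word of NAME).
investigate_pid() {
    pid=$1
    printf '== PID %s: %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    pidstat -d -p "$pid" 1 1 2>/dev/null | tail -n 2
    lsof -n -p "$pid" 2>/dev/null | awk 'NR > 1 && ($5 == "REG" || $5 == "DIR") { print "  " $5, $9 }'
}

# Live run: needs root, otherwise netstat -p only reports the caller's own sockets.
run_live() {
    netstat -tnp 2>/dev/null | parse_established | while read -r pid laddr raddr; do
        printf '%s -> %s\n' "$laddr" "$raddr"
        investigate_pid "$pid"
    done
}

# Offline demonstration on the constructed sample; pass --live to inspect this host.
if [ "${1:-}" = "--live" ]; then
    run_live
else
    printf '%s\n' "$SAMPLE_NETSTAT" | parse_established
fi
```

On hosts where net-tools is no longer installed, `ss -tnp` from iproute2 gives the same information in a different column layout, so only parse_established would need to change.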

Screenshots

Example of a report displayed in Claws Mail.

Install

Requirements

  • net-tools: NET-3 networking toolkit (provides netstat, which lists the connections and their owning PIDs)
  • lsof: utility to list the files a process has open
  • sysstat: system performance tools for Linux (provides pidstat for per-process I/O statistics)
  • dos2unix: converts text file line endings between CRLF and LF (e-mail messages must use CRLF)
  • curl: command line tool for transferring data with URL syntax, used here as the SMTP client

Get the code

You can use git:

git clone https://git.lattuga.net/netico/code-library.git

then look for the script tcp-investigation.sh in the Network/Investigation directory, next to this README.

Post installation

Fill in these configuration variables, found at the very top of the script:

# Sender
SENDER="someone@domain.tld"
# Recipient
RECIPIENT="someone.else@domain.tld"
# Mail relay URL
RELAY="smtp://powerful.mail.server:587"

If the mail server you use requires SMTP authentication, put the credentials in /root/.netrc: the script runs under sudo, and curl -n looks for .netrc in the home directory of the user it runs as (use sudo -H if HOME is not reset to /root). The file must be owned by root with mode 0600, and the machine name in it must match the host part of RELAY. See the curl manual (option -n/--netrc) for the file format.
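The credentials file described above, created and checked as an added example (not part of the project): add_netrc_entry writes one machine line with restrictive permissions, and check_netrc verifies owner, mode and the presence of an entry for the relay host before the report is sent. The NETRC variable, the function names and the file name netrc-setup.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: create the .netrc that `curl -n` reads and
# check it before running the report. NETRC defaults to /root/.netrc because the
# script runs under sudo; set NETRC=/some/path to try this without root.
NETRC=${NETRC:-/root/.netrc}

# Append one "machine" line. The file is created with mode 0600 (umask 077 in a
# subshell, so the caller's umask is untouched) and then forced to 0600 in case it
# already existed with looser permissions. .netrc tokens are whitespace-separated,
# so a password containing spaces cannot be stored this way.
add_netrc_entry() {
    path=$1 host=$2 login=$3 password=$4
    ( umask 077; printf 'machine %s login %s password %s\n' "$host" "$login" "$password" >> "$path" )
    chmod 600 "$path"
}

# Return 0 only if the file exists, is owned by the caller, is mode 0600 and has an
# entry for the relay host (the host part of RELAY, without scheme or port). curl does
# not fail when the entry is missing; it just starts an unauthenticated session,
# which the relay will normally reject.
check_netrc() {
    path=$1 host=$2
    [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
    [ -O "$path" ] || { echo "$path is not owned by $(id -un)" >&2; return 1; }
    [ "$(stat -c '%a' "$path")" = "600" ] || { echo "$path must be mode 0600" >&2; return 1; }
    grep -q "^machine $host " "$path" || { echo "no entry for $host in $path" >&2; return 1; }
}

# Usage (hypothetical file name): sudo sh netrc-setup.sh HOST LOGIN [PASSWORD]
# Omit PASSWORD to read it from stdin and keep it out of shell history and ps.
if [ "$#" -eq 2 ] || [ "$#" -eq 3 ]; then
    pw=${3:-}
    [ -n "$pw" ] || IFS= read -r pw
    add_netrc_entry "$NETRC" "$1" "$2" "$pw" && check_netrc "$NETRC" "$1"
fi
```

Running check_netrc at the start of the investigation script turns a silent authentication failure at the relay into a clear error before any report is collected.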

Usage

The script requires root privileges, because netstat -p and lsof only report processes belonging to other users when run as root. Run

sudo ./tcp-investigation.sh

...and wait for the email report.

Hacking

Sending e-mail messages

Sending e-mail from a shell script is not as easy as it sounds, and sending HTML rather than plain text is harder still. mutt and some versions of mailx can send HTML, but both need a working local mail transfer agent (MTA).

To work around these problems, the script builds a standards-compliant message itself, so that it can be piped into the sendmail interface that Exim, Postfix and qmail all provide, or handed to curl, which speaks SMTP directly (see also Using curl to send email).

Recommended reading on the message format: RFC 822 and RFC 2822, both now superseded by RFC 5322; the MIME headers that an HTML body needs are defined in RFC 2045 and RFC 2046.

If you want to use the local mail system instead, find the line that invokes curl

curl -s -n --ssl-reqd ...

comment it out, and add something like

/usr/lib/sendmail -t < "$MSG"

(-t makes sendmail take the recipients from the message headers; on many distributions the binary is /usr/sbin/sendmail). Otherwise keep curl, which must be configured as explained under Post installation and needs a valid account on an external mail server (the same one you would use in Thunderbird or another MUA).
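Both delivery paths described in this section, as an added example that is not the project's code: build_message assembles the headers, a blank line and a base64-encoded HTML body with CRLF line endings, send_curl hands the file to an external relay, and send_sendmail pipes it into the local sendmail interface. SENDER, RECIPIENT and RELAY mirror the README's variables (the relay host is a placeholder), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's code: assemble a standards-compliant message with
# an HTML body and hand it to curl (external relay) or to the local sendmail interface.
# SENDER, RECIPIENT and RELAY mirror the README's variables; the host is a placeholder.
SENDER="someone@domain.tld"
RECIPIENT="someone.else@domain.tld"
RELAY="smtp://powerful.mail.server:587"

# Write a complete message to stdout: RFC 5322 headers, an empty line, then the HTML
# body. The body is base64-encoded (RFC 2045) so it needs no 8BITMIME support and stays
# under the 998-byte line limit, and every line is terminated with CRLF as SMTP requires.
build_message() {
    subject=$1 html_file=$2
    {
        printf 'From: %s\n' "$SENDER"
        printf 'To: %s\n' "$RECIPIENT"
        printf 'Subject: %s\n' "$subject"           # keep ASCII; non-ASCII needs RFC 2047
        printf 'Date: %s\n' "$(date -R)"            # RFC 5322 date format (GNU date)
        printf 'Message-ID: <%s.%s@%s>\n' "$(date +%s)" "$$" "$(hostname 2>/dev/null || echo localhost)"
        printf 'MIME-Version: 1.0\n'
        printf 'Content-Type: text/html; charset=utf-8\n'
        printf 'Content-Transfer-Encoding: base64\n'
        printf '\n'
        base64 < "$html_file"
    } | awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }'
}

# Deliver through an external relay. -n takes the login from ~/.netrc (see Post
# installation), --ssl-reqd refuses to continue if STARTTLS fails, and the envelope
# sender/recipient are given explicitly because curl does not parse the headers.
send_curl() {
    curl -s -n --ssl-reqd --url "$RELAY" \
         --mail-from "$SENDER" --mail-rcpt "$RECIPIENT" \
         --upload-file "$1"
}

# Deliver through the local MTA. -t makes sendmail read To:/Cc:/Bcc: from the headers;
# Exim, Postfix and qmail all install this interface (/usr/sbin/sendmail on many systems).
send_sendmail() {
    /usr/lib/sendmail -t < "$1"
}

# Stand-alone run: build a message from a constructed one-line report and print it.
# Uncomment one send_* line to deliver it.
REPORT=$(mktemp); MSG=$(mktemp)
printf '<html><body><h1>TCP report</h1><p>constructed sample</p></body></html>\n' > "$REPORT"
build_message "TCP investigation report" "$REPORT" > "$MSG"
cat "$MSG"
# send_curl "$MSG"
# send_sendmail "$MSG"
rm -f "$REPORT" "$MSG"
```

The awk stage replaces unix2dos from the dos2unix package so the example runs anywhere; in the script itself either is fine, as long as it is the last step, because a message whose header block ends in bare LF is rejected or mangled by many relays.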