Hi Penguin1024,

You may run Wireshark in the background of your Linux distro but it may end up capturing a lot of traffic for nothing if you just start capturing traffic blindly.

You could use the circular buffer feature to keep only the last hour of traffic or the last X gigabytes of traffic. You'll need to figure out what works best for you depending on available storage and also on how often you'll be on the box to actually notice the attempted hack.

That being said, Wireshark will capture raw packets so you'll need to go through the capture to figure out what IP address or addresses the hacker used. In other words, you'll need to filter out the good packets from the bad packets.

Hope this helps.

Cheers,

JFD
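As an added example (not part of JFD's answer or of the Wireshark project), here is a small POSIX shell script that does what the answer describes: it runs dumpcap (the capture engine that ships with Wireshark) in the background with a ring buffer sized either by disk budget or by a time window, and then triages the rotated files with tshark to list IP conversations and the sources that sent SYNs to ports other than 80/443. The interface name, output directory, capture filter and the budget numbers are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: ring-buffer capture with dumpcap and first-pass triage with
# tshark. IFACE, OUT_DIR, CAPTURE_FILTER and the size/time budgets below are
# placeholders, not values from the original post.

IFACE="${IFACE:-eth0}"
OUT_DIR="${OUT_DIR:-/var/tmp/ringcap}"
CAPTURE_FILTER="${CAPTURE_FILTER:-not port 22}"   # keep your own admin session out

# ring_args_by_size BUDGET_MB FILE_MB
# dumpcap -b arguments that keep at most BUDGET_MB on disk in FILE_MB files.
# dumpcap's filesize unit is kB (1024 bytes); a ring needs at least 2 files.
ring_args_by_size() {
    budget_mb=$1; file_mb=$2
    files=$((budget_mb / file_mb))
    [ "$files" -ge 2 ] || files=2
    printf '%s\n' "-b filesize:$((file_mb * 1024)) -b files:$files"
}

# ring_args_by_time WINDOW_SECONDS FILES
# Rotate every WINDOW/FILES seconds and keep FILES files, so the ring always
# holds roughly the last WINDOW seconds of traffic ("last hour" retention).
ring_args_by_time() {
    window_s=$1; files=$2
    [ "$files" -ge 2 ] || files=2
    printf '%s\n' "-b duration:$((window_s / files)) -b files:$files"
}

# Start the capture in the background. dumpcap needs capture privileges
# (root, or membership in the group dumpcap is setcap'd for).
start_capture() {
    mkdir -p "$OUT_DIR"
    # $(...) is intentionally unquoted so the -b options split into arguments
    nohup dumpcap -i "$IFACE" -f "$CAPTURE_FILTER" \
        $(ring_args_by_time 3600 6) \
        -w "$OUT_DIR/ring.pcapng" >"$OUT_DIR/dumpcap.log" 2>&1 &
    echo "$!" >"$OUT_DIR/dumpcap.pid"
}

# Triage every file in the ring: who talked to us most, and which sources
# opened connections to ports that should not be reachable from outside.
triage() {
    for f in "$OUT_DIR"/ring*.pcapng; do
        [ -f "$f" ] || continue
        echo "== $f: IP conversations =="
        tshark -r "$f" -q -z conv,ip
        echo "== $f: TCP SYNs to ports other than 80/443, by source =="
        tshark -r "$f" \
            -Y 'tcp.flags.syn==1 && tcp.flags.ack==0 && !(tcp.dstport in {80 443})' \
            -T fields -e ip.src -e tcp.dstport | sort | uniq -c | sort -rn | head
    done
}

case "${1:-}" in
    start)  start_capture ;;
    triage) triage ;;
esac
```

Run it as `sh ringcap.sh start` to begin capturing and `sh ringcap.sh triage` whenever you get back to the box. The time-based ring is the better fit for "I check in once a day"; the size-based one is safer when storage is tight, since dumpcap will delete the oldest file before the disk fills.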