TCPDUMP

**10Dedfish** · 02-20-2003, 03:41 PM

Ok guys, heres one for all you brains out there.

I was reading a post on WWW.antionline.com about forensics. They mention several times about tcpdump and its uses in packet analysis. Now, if I understand the man page correctly :-\ then as root " tcpdump -i any -vv -X will start tcpdump on any interface with extended information and will print both hex and ascii format. Now, How do i bring this info up in an xterm window where i can view it in real time? Or do i have to pipe it to a log file and view it like the /var/log/messages?

10Ded

02-20-2003, 06:01 PM

hey i found this on the tcpdump man page.

Code:

 
-w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

Dont know if this will help you.if not you could always use a redirector to pipe it into a file.

**tolstoy** · 02-20-2003, 06:32 PM

On a box with only one interface, I usually just run

Code:

tcpdump &gt; packetlog

Then I go back later and open the file in an editor or grep it for certain events. You only want to use the -w option if you want to run tcpdump for any length of time (the -w option will help compress the output if you are on a very noisy network). However, it will need to be read back into tcpdump with the -r option to display the captured data. -X will dump the packet contants to the file. Not specifying the -X option will only show you the basic conversation between two hosts.

In all honesty, you will do far better using something like eatherreal or any other sniffer that allows you to reassemble a collected stream.

**kenshi** · 02-20-2003, 08:16 PM

I'm pretty sure that command by itself should print the output to whatever terminal it is being ran from in real time.

**tolstoy** · 02-20-2003, 10:01 PM

I just remembered, if you are using the -X option, increase your snaplen to 1500 (Ethernet's MTU) to dump the full contents of packets. If anyone is using plain text authentication for anything at all, you should be able to glean out passwords and usernames from the output.

I've been waisting time on my IDS all day with this one -->

> tcpdump -i eth1 -s 1500 -X -w packetlog

Have fun

**10Dedfish** · 02-21-2003, 11:40 AM

thanx guys. i would love to make alonger post but i havent been home from work since yesterday morning and im kinda tired. 8). unluckily, i got to go back to work

10Ded

**Tyr_7BE** · 02-21-2003, 11:59 AM

I dunno if it's possible, but if you direct it to a file you can use tail -f to see its changes in realtime.

02-21-2003, 12:30 PM

yeah if you dumped the output to a file, tail -f should show the new lines everytime it changed, but if you had a constant internet connection (cable or dsl) it would just show a bunch of line scrolling across the screen, as you would almost constantly be sending and recieving information.