
Thread: TCPDUMP

  1. #1

    TCPDUMP

    Ok guys, here's one for all you brains out there.

    I was reading a post on WWW.antionline.com about forensics. They mention tcpdump several times, and its uses in packet analysis. Now, if I understand the man page correctly :-\ then as root "tcpdump -i any -vv -X" will start tcpdump on any interface with extended information and will print both hex and ASCII format. Now, how do I bring this info up in an xterm window where I can view it in real time? Or do I have to pipe it to a log file and view it like /var/log/messages?

    10Ded

  2. #2
    Guest

    Re:TCPDUMP

    Hey, I found this on the tcpdump man page.
    Code:
    -w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
    Don't know if this will help you. If not, you could always use a redirector to pipe it into a file.

  3. #3

    Re:TCPDUMP

    On a box with only one interface, I usually just run

    Code:
    tcpdump > packetlog
    Then I go back later and open the file in an editor or grep it for certain events. You only want to use the -w option if you want to run tcpdump for any length of time (the -w option will help compress the output if you are on a very noisy network). However, it will need to be read back into tcpdump with the -r option to display the captured data. -X will dump the packet contents to the file. Not specifying the -X option will only show you the basic conversation between two hosts.

    In all honesty, you will do far better using something like Ethereal or any other sniffer that allows you to reassemble a collected stream.

  4. #4

    Re:TCPDUMP

    I'm pretty sure that command by itself should print the output to whatever terminal it is being run from in real time.

  5. #5

    Re:TCPDUMP

    I just remembered, if you are using the -X option, increase your snaplen to 1500 (Ethernet's MTU) to dump the full contents of packets. If anyone is using plain text authentication for anything at all, you should be able to glean out passwords and usernames from the output.

    I've been wasting time on my IDS all day with this one -->

    > tcpdump -i eth1 -s 1500 -X -w packetlog

    Have fun
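    As an added example (not code from any poster in this thread): a small Python reader for the classic pcap file that `tcpdump -w` writes. It pulls the snaplen recorded in the file header and lists packets whose captured length is shorter than their on-the-wire length, which is exactly the truncation you get when -s is left too small for -X to show full packet contents. The capture bytes are constructed inline; the 68-byte snaplen is the old tcpdump default, used here only as sample data.

```python
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic (non-pcapng) magic written by tcpdump -w

def parse_pcap(data: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Return (snaplen, records); each record is (caplen, origlen, payload)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"          # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # same magic, byte-swapped: big-endian host
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    # version major/minor, tz offset, sigfigs, snaplen, link type (1 = Ethernet)
    _maj, _min, _tz, _sig, snaplen, _link = struct.unpack(endian + "HHiIII", data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        payload = data[off:off + caplen]
        if len(payload) != caplen:
            raise ValueError("packet record at offset %d runs past end of file" % off)
        off += caplen
        records.append((caplen, origlen, payload))
    return snaplen, records

def truncated_packets(data: bytes) -> List[int]:
    """Indices of packets whose captured length is below their on-the-wire length."""
    _snaplen, records = parse_pcap(data)
    return [i for i, (caplen, origlen, _) in enumerate(records) if caplen < origlen]

def build_sample_pcap(snaplen: int, packets: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test data: a little-endian pcap with the given snaplen and packets."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for i, (origlen, payload) in enumerate(packets):
        out += struct.pack("<IIII", 1000000 + i, 0, len(payload), origlen) + payload
    return out

# Constructed capture at a 68-byte snaplen: a 60-byte frame fits, a 1514-byte frame is cut off.
SAMPLE = build_sample_pcap(68, [(60, b"\xaa" * 60), (1514, b"\xbb" * 68)])

if __name__ == "__main__":
    snaplen, recs = parse_pcap(SAMPLE)
    print("snaplen in capture header:", snaplen)
    for i in truncated_packets(SAMPLE):
        print("packet %d: captured %d of %d bytes, raise -s" % (i, recs[i][0], recs[i][1]))
```

Run it against a real file with `parse_pcap(open("packetlog", "rb").read())`; an empty list from truncated_packets means the snaplen was large enough for every frame in the capture.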

  6. #6

    Re:TCPDUMP

    Thanx guys. I would love to make a longer post but I haven't been home from work since yesterday morning and I'm kinda tired. 8). Unluckily, I got to go back to work.

    10Ded

  7. #7

    Re:TCPDUMP

    I dunno if it's possible, but if you direct it to a file you can use tail -f to see its changes in realtime.

  8. #8
    Guest

    Re:TCPDUMP

    Yeah, if you dumped the output to a file, tail -f should show the new lines every time it changed, but if you had a constant internet connection (cable or DSL) it would just show a bunch of lines scrolling across the screen, as you would almost constantly be sending and receiving information.
