From: Don Parker (dparker@rigelksecurity.com)
Date: Tue Jan 13 2004 - 15:32:42 EST
I would suggest the following bpf filter;
tcpdump -i eth0 -nXvs 0 ip and host xxx.xxx.xxx.xxx -w some_file
This way you will get verbose logging as well as both hex and ascii o/p
Cheers
-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
On Jan 13, Steve Shah <sshah@planetoid.org> wrote:
On Tue, Jan 13, 2004 at 05:43:21AM -0000, Travis Schack wrote:
> When I am testing, I capture all network traffic using TCPdump (in
> binary) and I use the script command to capture all terminal activity.
Be sure to set the -s option ("snaplen") to zero so that you capture
all of the activity. Many people forget this and only capture the
headers a few bytes of the payload itself. Under Linux and a stock
ethernet card, you'd want:
tcpdump -i eth0 -s 0 -n -w dumpfile.pcap
If you are doing this on a gateway, you may want to specify some
filters so that only your attack network is captured. e.g. if my
attack network is 200.100.50.0/24,
tcpdump -i eth0 -s 0 -n -w dumpfile.pcap net 200.100.50.0/24
-Steve
-- Steve Shah sshah@planetoid.org - <a href='http://www.planetoid.org/'>http://www.planetoid.org/> Beating code into submission, one OS at a time... --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT