Re: Auditing / Logging

From: Don Parker (dparker@rigelksecurity.com)
Date: Tue Jan 13 2004 - 16:48:19 EST


Agreed, using a binary format will allow you to replay this file through whichever medium
you choose which supports it. You would want however as much info as possible which is
why I suggest using the -vX switch, as well as what was already mentioned. The bpf filter
I quoted does not drop the traffic to console. You can then dictate on replay what your
snaplength will be, as well as throwing in a bitmask if so desired. I trust this clarifies
my intent.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 13, Steve Shah <sshah@planetoid.org> wrote:

On Tue, Jan 13, 2004 at 03:32:42PM -0500, Don Parker wrote:
> tcpdump -i eth0 -nXvs 0 ip and host xxx.xxx.xxx.xxx -w some_file
>
> This way you will get verbose logging as well as both hex and ascii o/p

Indeed, however, the purpose of capturing the whole packet and
dropping it to disk is that it allows you go back and replay
as much or as little of the traffic as you like with whatever
kind of output you like. Dumping the traffic to console in
addition to a file will slow the capture down and run you the
risk of dropping packets.

-Steve

-- 
Steve Shah
sshah@planetoid.org - http://www.planetoid.org/
Beating code into submission, one OS at a time...
---------------------------------------------------------------------------
----------------------------------------------------------------------------
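Both messages describe the same workflow: capture whole packets to a binary file with `-s 0 -w file` and keep nothing on the console, then choose the snaplen, the BPF filter and the output format (`-X`, `-v`) when the file is read back. As an added example that is not part of this thread, the Python below does that in miniature without needing tcpdump: it writes a libpcap-format file the way `tcpdump -w` does, then replays it with a host filter, a smaller replay-time snaplen and `-X` style hex/ASCII output. The frames, addresses, file name and function names are constructed for illustration (the IPv4 checksum is left at zero), not captured traffic.

```python
"""Pure-Python stand-in for 'tcpdump -w' and 'tcpdump -r file -s N -X host X'.
Writes a libpcap file, then replays it with a host filter, a replay-time snaplen
and hex/ASCII rendering. All frames here are constructed samples, not captures."""
import os
import struct
import tempfile
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame (sample data only; IP checksum left 0)."""
    eth = bytes.fromhex("000000000001") + bytes.fromhex("000000000002") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol 17 (UDP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0, src, dst)
    return eth + ip + payload


def write_pcap(path: str, frames: List[Tuple[int, int, bytes]], snaplen: int = 262144) -> None:
    """Write (ts_sec, ts_usec, data) frames as 'tcpdump -w' would; snaplen caps what is stored."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, data in frames:
            stored = data[:snaplen]
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(data)))
            f.write(stored)


def read_pcap(path: str) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (ts_sec, ts_usec, orig_len, data) records from a little-endian pcap file."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported pcap header")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", hdr)
            yield ts_sec, ts_usec, orig_len, f.read(incl_len)


def ipv4_addrs(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (src, dst) dotted quads for an Ethernet/IPv4 frame, or None if it is not one."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return (".".join(str(b) for b in frame[26:30]), ".".join(str(b) for b in frame[30:34]))


def hexdump(data: bytes) -> List[str]:
    """Render bytes in the 'tcpdump -X' layout: offset, 2-byte hex words, printable ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}:  {words:<39}  {text}")
    return lines


def replay(path: str, host: Optional[str] = None, snaplen: Optional[int] = None) -> List[dict]:
    """Replay a capture like 'tcpdump -r path -s snaplen host HOST -X': filter by host,
    truncate to the replay snaplen, render hex/ASCII. Nothing was lost at capture time."""
    records = []
    for ts_sec, ts_usec, orig_len, data in read_pcap(path):
        addrs = ipv4_addrs(data)
        if host is not None and (addrs is None or host not in addrs):
            continue
        shown = data if snaplen is None else data[:snaplen]
        records.append({
            "ts": f"{ts_sec}.{ts_usec:06d}",
            "src": addrs[0] if addrs else None,
            "dst": addrs[1] if addrs else None,
            "orig_len": orig_len,
            "shown_len": len(shown),
            "hex": hexdump(shown),
        })
    return records


def demo(host: str = "192.0.2.1", snaplen: int = 40) -> List[dict]:
    """Capture everything with a full snaplen and no console output, then replay selectively."""
    path = os.path.join(tempfile.gettempdir(), "example_capture.pcap")
    frames = [  # constructed sample traffic using documentation/test-net addresses
        (1073990000, 0, build_ipv4_frame("10.0.0.5", "192.0.2.1", b"GET / HTTP/1.0\r\n")),
        (1073990000, 500, build_ipv4_frame("192.0.2.1", "10.0.0.5", b"HTTP/1.0 200 OK\r\n")),
        (1073990001, 0, build_ipv4_frame("10.0.0.9", "198.51.100.7", b"unrelated")),
    ]
    write_pcap(path, frames)                 # equivalent of: tcpdump -s 0 -w file
    return replay(path, host=host, snaplen=snaplen)
```

Calling `demo()` writes three frames at full length and replays only the two involving 192.0.2.1, each cut to 40 bytes for display while `orig_len` still reports the full size on disk; printing each record's `hex` list gives the `-X` style dump. Because the file holds the complete packets, the same file can be replayed again with a different host, a different snaplen or no truncation at all, which is the point both posters make about separating capture from display.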


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT