Re: Auditing / Logging

From: Steve Shah (sshah@planetoid.org)
Date: Wed Jan 14 2004 - 00:39:57 EST


Hi Don,

On Tue, Jan 13, 2004 at 04:48:19PM -0500, Don Parker wrote:
> You would want however as much info as possible which is
> why I suggest using the -vX switch, as well as what was already mentioned.

This data is captured in the binary format (pcap). It is not necessary
to explicitly set these values and capture the text output separately.

> The bpf filter
> I quoted does not drop the traffic to console. You can then dictate on
> replay what your
> snaplength will be, as well as throwing in a bitmask if so desired.
> I trust this clarifies my intent.

We're almost on the same wavelength. ;-)

The key is that dumping anything to console or making tcpdump generate
text data in addition to dropping the binary data to disk is not
necessary during the time of capture. It is, as you indicated, useful
during replay.

During capture, it is important that tcpdump get as much time as it
wants in order to capture full packets, save them to disk, and go
back to fetch more packets from the packet buffers. If tcpdump
doesn't go back and get those packets soon enough, they will get
dropped in order to pull new packets in.

For admins/security guys out there watching traffic, if you need to
capture a lot of traffic, don't echo it to your screen as the capture
happens. Your screen (be it an xterm or console) is a blocking device
that will hold up tcpdump from going back and reading another packet.
Thus, it becomes possible to lose packets in the process. This
situation is made worse when the output console is a serial port
because it is extremely slow and (at least on PCs), generates a lot
of interrupt traffic. If you do need to see the traffic in real time,
do as Don suggested and write the binary data to disk in addition to
the -vX parameter for lots of data. Be sure to set a tight filter
so you aren't overwhelmed. If you're ssh'd into the machine where
you're capturing packets, don't forget to set a filter to drop your
ssh packets. I would also suggest doing a -n so that tcpdump doesn't
generate DNS packets when trying to resolve IP addresses.

-Steve

-- 
Steve Shah
sshah@planetoid.org - http://www.planetoid.org/
Beating code into submission, one OS at a time...
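The capture recipe Steve describes (binary to disk, no DNS lookups, a tight filter that also drops the capturing admin's own ssh session, and the verbose text decode saved for replay) as an added shell example. This is not code from the thread or from the tcpdump project; it only composes the command lines so they can be reviewed before running them as root. It assumes the OpenSSH convention that sshd sets SSH_CLIENT to "client_ip client_port server_port", and uses -s 0 for a full-packet snaplen; the interface and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build tcpdump command lines
# that follow the advice above: binary output to disk (-w), no DNS lookups
# (-n), full snaplen (-s 0), and a BPF filter that excludes the capturing
# user's own ssh session so the capture does not feed on its own output.

# ssh_exclusion_filter: derive a BPF clause from $SSH_CLIENT, which OpenSSH
# sshd sets to "client_ip client_port server_port" (assumption: OpenSSH).
# Prints nothing when not running inside an ssh session.
ssh_exclusion_filter() {
    if [ -n "$SSH_CLIENT" ]; then
        set -- $SSH_CLIENT
        printf 'not (host %s and tcp port %s)' "$1" "$3"
    fi
}

# capture_command: compose the capture command line.
#   $1 = interface, $2 = output pcap file, $3 = the admin's own filter (optional)
# Prints the command string instead of running it, so it can be inspected.
capture_command() {
    iface=$1
    out=$2
    filter=$3
    ssh_f=$(ssh_exclusion_filter)
    if [ -n "$ssh_f" ]; then
        if [ -n "$filter" ]; then
            filter="($filter) and $ssh_f"
        else
            filter=$ssh_f
        fi
    fi
    printf 'tcpdump -n -s 0 -i %s -w %s' "$iface" "$out"
    if [ -n "$filter" ]; then
        printf " '%s'" "$filter"
    fi
    printf '\n'
}

# replay_command: the verbose text decode (-vX) belongs here, on replay from
# the pcap file, not during the live capture.
replay_command() {
    printf 'tcpdump -n -r %s -vX\n' "$1"
}

# Example invocation with placeholder interface and file names; pipe the
# printed capture line into a root shell to actually run it.
capture_command "${1:-eth0}" "${2:-/var/tmp/capture.pcap}" "${3:-}"
replay_command "${2:-/var/tmp/capture.pcap}"
```

When the admin supplies a filter such as "port 80", it is wrapped in parentheses before the ssh exclusion is appended, so BPF precedence cannot silently widen the capture. Run with no SSH_CLIENT in the environment (a local console) and the ssh clause is simply omitted.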


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT