Honeypots
mailing list archives
extracting syslog data out of raw pcap dumps
From: "Chris Boubalos" <boubalos () md5sa com>
Date: Thu, 5 Jun 2003 12:27:24 +0300
Hi all,
Honeynet or not, if someone has a syslog server lost or compromised, there
is always a chance to recover log entries from within a raw capture.
To make this easier I wrote an open source utility to extract syslog entries
from a pcap dump file (like tcpdump's save files).
Output is in the form of:
=============================================================================
date srcMACaddr/srcIPaddr <facilityandlevel>syslogdata
i.e.
Oct 14 15:33:42 00:02:A5:9C:60:1E/10.0.0.42 <13>root: blah...
or
Oct 14 15:35:04 00:02:A5:9C:60:1E/10.0.0.42 <13>root:
blahhhhhhhhhhhhhh(incomplete) 118 bytes missing.
=============================================================================
Syslog data will be on stdout, while everything else is on stderr,
i.e. warnings and a report like:
logdump-1.0 (extract syslog packets from tcpdump files)
- dump file information -
filename ANOTHERTEST-short
snaplen 96
pcap version 2.4
syslog packets 7
filter string: udp dst port 514
In case someone finds it useful, I would be very interested in comments and
suggestions.
It's at:
http://www.md5sa.com/downloads/logdump/logdump-1.0.tgz
http://www.md5sa.com/downloads/logdump/README
___________________
Chris Boubalos
Security & Forensics Team Leader
MD5 S.A.
boubalos () md5sa com
www.md5sa.com
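The extraction the post describes, as an added example in Python that is not the logdump utility from the post: it reads a classic libpcap save file, applies the equivalent of the filter "udp dst port 514", prints each hit in the post's "date srcMAC/srcIP <pri>data" layout, and flags datagrams cut short by the snaplen by comparing the length field in the UDP header with the bytes actually captured. Assumed here: Ethernet link type, IPv4, UTC timestamps, and a constructed two-packet capture (sample_pcap, with made-up addresses and messages) standing in for a real dump; the names extract_syslog, format_record and SyslogRecord are this example's own, not the tool's.

```python
"""Pull syslog datagrams (UDP dst port 514) out of a classic libpcap save file.

Example written for this archive page, not the post's logdump tool. Assumes the
classic pcap header (magic 0xa1b2c3d4, either byte order; pcapng rejected),
Ethernet link type, IPv4, and no reassembly (later fragments are skipped).
"""
import struct
import sys
import time
from typing import Iterator, List, NamedTuple, Tuple

SYSLOG_PORT = 514

class SyslogRecord(NamedTuple):
    ts: float
    src_mac: str
    src_ip: str
    payload: bytes
    missing: int  # payload bytes lost to snaplen; 0 if captured whole

def parse_pcap(data: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp, original length, captured bytes) for each pcap record."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, orig, data[off:off + incl]
        off += incl

def extract_syslog(data: bytes) -> List[SyslogRecord]:
    """Equivalent of the filter 'udp dst port 514', plus truncation accounting."""
    found = []
    for ts, _orig, pkt in parse_pcap(data):
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4:
            continue  # need Ethernet + IPv4 + UDP headers to even read the port
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 17 or frag_off != 0 or len(ip) < ihl + 8:
            continue  # not UDP, or a later fragment with no UDP header to inspect
        udp = ip[ihl:]
        _sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
        if dport != SYSLOG_PORT:
            continue
        expected = max(udp_len - 8, 0)   # datagram length the UDP header claims
        captured = udp[8:8 + expected]   # slicing also drops Ethernet padding
        found.append(SyslogRecord(
            ts,
            ":".join(f"{b:02X}" for b in pkt[6:12]),
            ".".join(str(b) for b in ip[12:16]),
            captured,
            expected - len(captured),    # > 0 when snaplen cut the payload
        ))
    return found

def format_record(rec: SyslogRecord) -> str:
    """One line in the post's layout, 'date srcMAC/srcIP <pri>data', in UTC."""
    tm = time.gmtime(rec.ts)
    stamp = f"{time.strftime('%b', tm)} {tm.tm_mday:2d} {time.strftime('%H:%M:%S', tm)}"
    line = f"{stamp} {rec.src_mac}/{rec.src_ip} {rec.payload.decode('ascii', 'replace')}"
    if rec.missing:
        line += f"(incomplete) {rec.missing} bytes missing."
    return line

def _frame(src_mac: bytes, src_ip: bytes, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame to 514 (checksums zero), padded to 60 bytes."""
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     src_ip, bytes([10, 0, 0, 1])) + udp
    frame = bytes.fromhex("000c29000001") + src_mac + b"\x08\x00" + ip
    return frame + b"\x00" * max(0, 60 - len(frame))

def sample_pcap(snaplen: int = 96) -> bytes:
    """Constructed capture: one short message and one 170-byte message cut at snaplen."""
    mac, ip = bytes.fromhex("0002a59c601e"), bytes([10, 0, 0, 42])
    frames = [(1034609622, _frame(mac, ip, b"<13>root: blah...")),
              (1034609704, _frame(mac, ip, b"<13>root: " + b"blah" * 40))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for sec, frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", sec, 0, len(cap), len(frame)) + cap
    return out

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    recs = extract_syslog(raw)
    for rec in recs:
        print(format_record(rec))                         # syslog data on stdout
    print(f"syslog packets {len(recs)}", file=sys.stderr)  # report on stderr
```

Run it with a dump file as the first argument, or with no arguments to process the constructed sample. The "bytes missing" figure comes from the UDP length field rather than from the pcap record's original length, so it still works when the capture tool's own accounting is off, but it does depend on the 42 bytes of Ethernet/IP/UDP headers fitting inside the snaplen (the default snaplen of 96 in the post's report leaves room for only about 54 bytes of message per packet, which is why long lines show up as incomplete). Fragmented datagrams are skipped rather than reassembled, so a syslog message larger than the path MTU would need extra handling.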