Following is a stupid gawk script that converts the hex output of
tcpdump into ASCII.
All parameters are passed as filters to tcpdump:
    netdump host _client_ and _server_ and port 23
There are much better ways to do this: some versions of tcpdump have a
"dump in ASCII format" flag.
Also, snort (http://www.snort.org/) and dsniff
(http://www.monkey.org/~dugsong/dsniff/) can write the content of
sessions and/or account/passwords.
My script is inefficient and clumsy, but it can be pasted in a terminal
on a cracked host containing tcpdump, even if there is no simple way to
transfer a file or there is no compiler available on that platform.
Andre
--- cut here ---
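#! /bin/sh
# Hex-dump matching packets with tcpdump and decode each dump to ASCII.
tcpdump -lnqxs 2000 "$@" | \
gawk '
BEGIN {
    hexstr = "0123456789abcdef"
    line = ""
}
# Summary line (no leading whitespace): print the previous packet.
! /^[ \t]/ {
    # Keep only the last line_len characters, i.e. the payload.
    line = substr( line, length( line ) - line_len + 1 )
    if ( line != "" )
        print line
    print "\n" $0
    fflush()
    line = ""
    line_len = $6    # field 6 of the summary line: payload length
}
# Hex line (leading whitespace): decode every byte and append it to line.
/^[ \t]/ {
    for ( i = 1 ; i <= NF ; i++ ) {
        for ( j = 0 ; j < 2 ; j++ ) {
            ch = substr( $i, j * 2 + 1, 2 )
            if ( length( ch ) < 2 )    # odd trailing byte: nothing left
                continue
            ch_val = ( index( hexstr, substr( ch, 1, 1 ) ) - 1 ) * 16 \
                   + ( index( hexstr, substr( ch, 2, 1 ) ) - 1 )
            # Show control and non-ASCII bytes as dots.
            if ( ch_val < 32 || ch_val >= 127 ) {
                line = line "."
            } else {
                line = line sprintf( "%c", ch_val )
            }
        }
    }
}
'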
--- cut here ---
Cats are smarter than dogs. You can't make eight cats pull a sled through
the snow.
andre.delafontaine at echostar.com
F20 DSS: BD75 66D9 5B2C 66CE 9158 BB27 B199 59CE D117 4E9F
F16 RSA: F8 04 FE 50 02 B5 03 02 F6 87 C7 8D F9 2E B8 58
Received on Nov 30 2000
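
The same decoding for the "0x0000:" offset layout that current tcpdump releases print, as an added example that is not part of the original post: it locates the TCP payload from the IP and TCP header length fields and stops at the IP total length, so Ethernet padding is not decoded. The names hex2ascii, hexval and sample_capture are hypothetical, and the capture text is constructed.

```sh
#!/bin/sh
# Added example, not the original script: decode `tcpdump -nqx` text on stdin,
# assuming the current "0x0000:" offset layout and IPv4/TCP packets.
hex2ascii() {
    awk '
    function hexval(h,    i, v) {            # POSIX awk has no strtonum()
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return v + 0
    }
    function flush(    ihl, total, off, i, c, out) {
        # Decode only IPv4 (version nibble 4) carrying TCP (protocol byte 06).
        if (substr(hex, 1, 1) == "4" && substr(hex, 19, 2) == "06") {
            ihl   = hexval(substr(hex, 2, 1)) * 4             # IP header bytes
            total = hexval(substr(hex, 5, 4))                 # IP total length
            off   = hexval(substr(hex, ihl * 2 + 25, 1)) * 4  # TCP header bytes
            # Stop at the IP total length so Ethernet padding is not decoded.
            for (i = (ihl + off) * 2 + 1; i < total * 2 && i < length(hex); i += 2) {
                c = hexval(substr(hex, i, 2))
                out = out ((c < 32 || c > 126) ? "." : sprintf("%c", c))
            }
            if (off >= 20 && out != "") print who " " out
        }
        hex = ""
    }
    /^[ \t]+0x[0-9a-f]+:/ { for (i = 2; i <= NF; i++) hex = hex $i; next }
    { flush(); who = $3 " > " $5 }           # summary line starts a new packet
    END { flush() }
    '
}
# Constructed sample (checksums zeroed): a 6-byte payload, a 1-byte payload
# with 5 bytes of Ethernet padding, and a bare ACK padded to 46 bytes.
sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 192.0.2.1.23 > 192.0.2.2.1025: tcp 6
    0x0000:  4500 002e 0001 4000 4006 0000 c000 0201
    0x0010:  c000 0202 0017 0401 0000 0001 0000 0001
    0x0020:  5018 0200 0000 0000 6c6f 6769 6e3a
12:00:01.000001 IP 192.0.2.2.1025 > 192.0.2.1.23: tcp 1
    0x0000:  4500 0029 0002 4000 4006 0000 c000 0202
    0x0010:  c000 0201 0401 0017 0000 0001 0000 0007
    0x0020:  5018 0200 0000 0000 7200 0000 0000
12:00:01.000002 IP 192.0.2.1.23 > 192.0.2.2.1025: tcp 0
    0x0000:  4500 0028 0003 4000 4006 0000 c000 0201
    0x0010:  c000 0202 0017 0401 0000 0007 0000 0002
    0x0020:  5010 0200 0000 0000 0000 0000 0000
EOF
}
sample_capture | hex2ascii
```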