Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Auditing / Logging
From: "Don Parker" <dparker () rigelksecurity com>
Date: Tue, 13 Jan 2004 15:32:42 -0500 (EST)

I would suggest the following bpf filter;

tcpdump -i eth0 -nXvs 0 ip and host xxx.xxx.xxx.xxx -w some_file

This way you will get verbose logging as well as both hex and ascii o/p


Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
ph :613.249.8340

On Jan 13, Steve Shah <sshah () planetoid org> wrote:

On Tue, Jan 13, 2004 at 05:43:21AM -0000, Travis Schack wrote:
When I am testing, I capture all network traffic using TCPdump (in
binary) and I use the script command to capture all terminal activity.

Be sure to set the -s option ("snaplen") to zero so that you capture
all of the activity. Many people forget this and only capture the
headers a few bytes of the payload itself. Under Linux and a stock
ethernet card, you'd want:

tcpdump -i eth0 -s 0 -n -w dumpfile.pcap 

If you are doing this on a gateway, you may want to specify some
filters so that only your attack network is captured. e.g. if my
attack network is, 

tcpdump -i eth0 -s 0 -n -w dumpfile.pcap net


Steve Shah
sshah () planetoid org - <a href='http://www.planetoid.org/&apos;>http://www.planetoid.org/</a>
Beating code into submission, one OS at a time...



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]