On 2009-05-15 18:20, Guy Harris wrote:
On May 15, 2009, at 12:43 AM, Jefferson Ogata wrote:
This has come up before, back when we were talking about the NG format.
I guess I got confused by the current context; if pcap files are
natively UTC (which I had thought they were until this thread
be recorded when pcap timestamps are UTC, as they always
should have been. I'd like to find the person who decided to store
localtime instead of gmtime in the pcap timestamp field and smack him or
her with a large sock filled with horse manure.
--
Jefferson Ogata jefferson.og...@noaa.gov
NOAA
-i ra0 port bootps -vvv
tcpdump: listening on ra0, link-type EN10MB (Ethernet), capture size 96 bytes
Try bumping up your snapshot size with the -s option.
--
Jefferson Ogata jefferson.og...@noaa.gov
NOAA Computer Incident Response Team (N-CIRT) nc...@noaa.gov
Never try to retrieve anything
using ng for some time, we may well be
looking at yet another version. Using ng as a notation doesn't help us
then. Numbered, or at least absolutely named, versions indicate forethought.
But, you know, whatever. I'll be moderately surprised if ng ever comes
to fruition, frankly.
--
Jefferson
On 2008-12-13 01:17, Guy Harris wrote:
On Dec 12, 2008, at 5:02 PM, Jefferson Ogata wrote:
I still think current and ng pcap formats should be distinguished in
MIME type name.
So do I, which is why I said it'd be something such as
application/pcap-ng-capture.
I was responding, however
for
filter specifications. It is not sufficient to describe a capture file
as simply pcap.
But what I think is missing is a version number. Given the talk in
recent years about implementing the next version, I think the type
should be application/pcap-capture-v1.
--
Jefferson Ogata jefferson.og
, use:
tcp[((tcp[12:1] & 0xf0) >> 2):4 + 4] = 0xdeadbeef
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca
On 2008-01-17 18:37, Jefferson Ogata wrote:
To get the next four octets, use:
tcp[((tcp[12:1] & 0xf0) >> 2):4 + 4] = 0xdeadbeef
Sorry, that latter case should have been:
tcp[(((tcp[12:1] & 0xf0) >> 2) + 4):4] = 0xdeadbeef
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team
Gb NICs (Endace or nPulse) and dual quad-core
processors could come to 4Gb/s aggregate capture speed, while writing
some packets to disk. Has anyone out there put together such a box and
come up with some performance statistics?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response
Stephen Donnelly wrote:
On Wed, 2007-06-27 at 22:00 +, Jefferson Ogata wrote:
some packets to disk. Has anyone out there put together such a box and
come up with some performance statistics?
[snip]
Endace also offers disk capture appliances which provide this level of
performance
-captured-traffic. Or just start wireshark with no
arguments and go to the file menu to open your capture file.
You don't need a virtual NIC. RTFM.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National
, but turning off that behavior now is possibly
dangerous.
So, having said all that, I'll stay on the fence on this one.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
there is a potential problem.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
On 2006-12-04 15:03, Harley Stenzel wrote:
On 12/1/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
Is it possible they were the result of combining multiple pcaps via
something like mergecap?
It would seem that for something like this to be generally useful, a
capture station identifier would
they were the result of combining multiple pcaps via
something like mergecap?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
it yourself.
-
libtrace from our research group might be able to help:
http://research.wand.net.nz/software/libtrace.php
Um, gee, is no one going to suggest wireshark?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything
bound, but
the default value is much lower.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
me the urge to quote Steven Wright: I'm having deja vu
and amnesia at the same time. :^)
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
be used with link level.
Which tcpdump expression solves the problem?
Have you tried
left window: not ether src mac:addr:of:eth0
right window: not ether src mac:addr:of:eth1
?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try
root root 1000531 Sep 13 11:36 test.cap
[EMAIL PROTECTED] test]#
Any ideas ?
The directory needs to be writable by the local tcpdump user, which may
be pcap.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve
with root
privileges?
AFAIK on Linux this is not possible.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
09:56 UTC?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
On 03/20/2006 02:01 AM, Don Morrison wrote:
[top posting fixed again]
On 3/19/06, Jefferson Ogata [EMAIL PROTECTED] wrote:
The trivial way to fix a truncated pcap file:
tcpdump -r broken.pcap -w clean.pcap
I tried this method, but it hangs tcpdump.
That would be a bug in tcpdump. Why don't
to use other existing tools to analyze the traffic,
since your messages aren't IP packets.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try to retrieve anything from a bear.--National Park Service
tv_sec; /* seconds */
suseconds_t tv_usec; /* microseconds */
};
I like calculating jitter in RTP streams.
I like jittering calculators in REM dreams.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Never try
to be generating a RST on my behalf before I can transmit the third packet
of the handshake.
Is there some reason you don't simply synthesize packets using an IP
address that doesn't belong to a box on the network (but use a little
proxy arp glue)?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA
the loopback interface. Perhaps you
were not sniffing loopback.
Top-posting is evil.
Quoting Jefferson Ogata [EMAIL PROTECTED]:
[EMAIL PROTECTED] wrote:
Heya everyone, I'm trying to build a port knocker for fun using pcap and
basic C
sockets. I've set up 10 sockets listening on ports 4000-4010
something's listening.
Either there's something wrong with your capture program, you have a
firewall in the way, or you're capturing on the wrong interface.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
ideas?
Escape all non-printing characters, especially anything outside [\040-\176].
If you are passing arbitrary binary data to your terminal, an attacker
may be able to instruct your terminal to insert characters into your
terminal stream to execute arbitrary commands.
--
Jefferson Ogata [EMAIL
$_\n;
}
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Jefferson Ogata wrote:
MMatos wrote:
I want to write a little program that analyses packets within a given
ip range.
My current problem is to set a filter that work with ip ranges.
For example I want to dump all traffic that arrives to my box from ips
192.168.2.15 to 192.168.2.40
I could write
MMatos wrote:
Jefferson Ogata wrote:
Jefferson Ogata wrote:
MMatos wrote:
For example I want to dump all traffic that arrives to my box from
ips 192.168.2.15 to 192.168.2.40
I could write all the ips in the range but that's not a good
solution, so how can implement that filter correctly using
be an expression itself, e.g. the data offset
in the
TCP header??
Yes.
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
Robert Lowe wrote:
Jefferson Ogata wrote:
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
Beautiful! But wouldn't the bit-shift be for 4 bits? Thanks
It would, but then you'd have to multiply by 4 since the offset is in
multiples of 4. So >> 2 does the shift and multiply in one operation
. And here?
d_ip_packet->sequence_number = ntohl(tcp->th_seq); // BUG HERE!
sequence number is not correct
6. Not correct, but how? Unrelated? Byte-swapped? Shifted?
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
all the text
nodes in the subtree instead of just the topmost one. When everything is marked
up as attributes, you just do <xsl:value-of select='@value'/> and you're done.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
/bpf*
devices and not on super user mode. Normally /dev/bpf* is only readable
by root, but you can change this.
More specifically, you can use libpcap as any user. On most systems, you have to
be root, however, to monitor traffic on a network interface.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA
, especially for captured ethernet data. The link headers are
unmistakable.
Once you've found a sync point, you just need to strip out the data from the
start of the problem area to your sync point.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED
. This is not as hard as it might seem at first.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
as a
regular user. While it's true that some OSes are sorely behind the times and
don't support capabilities, it's still useful to have the infrastructure in
place for the modern ones that do.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED
, and has many added benefits.
--
Jefferson Ogata [EMAIL PROTECTED]
NOAA Computer Incident Response Team (N-CIRT) [EMAIL PROTECTED]
42 matches