On Thu, Mar 3, 2011 at 09:43, Mike Viau <[email protected]> wrote:
> On Wed, 2 Mar 2011 22:00:41 -0600 <[email protected]> wrote:
> > I have it installed, and I can look up the parameters in the command.
> >
> > What I don't understand is how I use it to investigate intrusions. Can
> > someone shed some light on this?
>
> What kind of intrusions are you looking for? TCPDump is a packet analyzer, so
> what is analyzed is based on what filters you are looking for. TCPDump uses
> the libpcap library to capture packets. You can receive the packets based on
> the protocol type. You can specify one of these protocols: fddi, tr, wlan, ip,
> ip6, arp, rarp, decnet, tcp and udp.
>
> You may also specify a port number to monitor, which is nice if you are
> investigating a particular service. Or an IP address if you are interested
> in a specific host.
>
> The filters may be used in combination by and'ing / or'ing them together.
> I tend to wrap my filters in single quotes, for example:
>
>     tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
>
> One tip is to pass the -n switch when running, because DNS queries slow down
> captures.
>
> Hope that helps :)
>
> -M
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact
> [email protected]
> Archive: http://lists.debian.org/[email protected]

Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
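As an added example (not part of this thread, and not tcpdump's or libpcap's own code), the script below shows what the filter primitives Mike describes actually match on. It builds a handful of constructed Ethernet/IPv4 frames, writes them to a pcap file, and then applies a small subset of tcpdump's filter grammar (tcp, udp, ip, `[src|dst] [host] addr`, `[src|dst] port N`, and/or/not, parentheses) to the decoded headers, so no capture privileges are needed. The addresses are from documentation ranges, IP and TCP checksums are left at zero (BPF filters never look at them), and only IPv4 over Ethernet is decoded; all of that is an assumption of this example. The pcap it writes can be fed to the real tool with `tcpdump -n -r sample.pcap 'tcp and port 80 and dst 10.0.0.1'` to compare results.

```python
"""Apply tcpdump-style filters to a constructed pcap, using only the stdlib."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4     # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, proto="tcp"):
    """Constructed Ethernet/IPv4/{TCP,UDP} frame. Checksums are left at zero (assumption)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN
        ip_proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
        ip_proto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(path, packets):
    """Write a classic pcap file; timestamps are the packet index (constructed)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt)


def read_pcap(path):
    """Yield raw frames from a little-endian pcap file (the only layout handled here)."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Header fields a filter can test; None for anything that is not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport,
            "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}


def compile_filter(expr):
    """Compile a subset of tcpdump filter syntax into a predicate over decode() dicts.

    Precedence follows tcpdump: not binds tightest, then and, then or. A bare
    address after src/dst is shorthand for 'host', and a qualifier with no
    direction ('port 80', 'host 10.0.0.1') matches either direction.
    """
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = [0]

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if tok == "not":
            inner = primary()
            return lambda p: not inner(p)
        if tok in ("tcp", "udp"):
            return lambda p, t=tok: p["proto"] == t
        if tok == "ip":
            return lambda p: True                 # decode() only yields IPv4
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, take()
        if tok == "port":
            n = int(take())
            return lambda p, d=direction, n=n: ((d != "dst" and p["sport"] == n) or
                                                (d != "src" and p["dport"] == n))
        addr = take() if tok == "host" else tok
        return lambda p, d=direction, a=addr: ((d != "dst" and p["src"] == a) or
                                               (d != "src" and p["dst"] == a))

    def and_expr():
        node = primary()
        while peek() == "and":
            take()
            node = (lambda l, r: lambda p: l(p) and r(p))(node, primary())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = (lambda l, r: lambda p: l(p) or r(p))(node, and_expr())
        return node

    node = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in filter")
    return node


def apply_filter(path, expr):
    """Decoded packets in `path` matching `expr`, like: tcpdump -n -r path 'expr'."""
    match = compile_filter(expr)
    return [p for p in map(decode, read_pcap(path)) if p is not None and match(p)]


SAMPLE_PACKETS = [                                        # constructed traffic, not a real capture
    build_packet("192.0.2.10", "10.0.0.1", 51000, 80),      # client -> our web server
    build_packet("10.0.0.1", "192.0.2.10", 80, 51000),      # the server's reply
    build_packet("192.0.2.10", "10.0.0.1", 51001, 22),      # same client probing ssh
    build_packet("10.0.0.1", "198.51.100.5", 51002, 80),    # our server fetching something outbound
    build_packet("192.0.2.10", "10.0.0.1", 5353, 53, "udp"),  # udp, so 'tcp' must exclude it
]


def write_sample(path=None):
    """Write SAMPLE_PACKETS to `path` (a temp file by default) and return the path."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, SAMPLE_PACKETS)
    return path


if __name__ == "__main__":
    pcap = write_sample()
    for expr in ("tcp and port 80 and dst 10.0.0.1", "port 80", "host 10.0.0.1 and not tcp",
                 "src 192.0.2.10 and (port 22 or port 53)"):
        print(f"{expr!r}: {len(apply_filter(pcap, expr))} packet(s)")
```

The filter from the post, 'tcp and port 80 and dst 10.0.0.1', matches only the inbound request: the reply has 10.0.0.1 as its source, and the outbound fetch has a different destination. 'port 80' on its own matches all three web packets, because an undirected 'port' tests both the source and destination port; when investigating a service it is worth being explicit with 'dst port' or 'src port'.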

