The website is designed. I need someone at an hourly rate to help me implement the design. Feel free to respond directly to me. All leads are appreciated.
Scott Howard
Kivel & Howard LLP
P. O. Box 40044
Portland, Oregon 97240
Telephone 503.796.0909
Fax 503.802.4757

-------- Original message --------
From: [email protected]
Date: 02/25/2016 7:38 PM (GMT-08:00)
To: [email protected]
Subject: PLUG Digest, Vol 137, Issue 28

Send PLUG mailing list submissions to
    [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
    http://cp.mcafee.com/d/5fHCNEq6x0SyM-UM-ed7dTztPqdNPP9EVphhudET7fcCzAsed7bVJ6UVVAQsIEECzASzsQsIcK6zCWbVKxeFzoE0EGn9DWoVsSlbAPZcsKrp8fmtIU_R-d7b3PNEV7tuVtdAsNO9EVvjhd7afbnhIyyHssNOEuvkzaT0QSyrjhdTVx-W9EVosuKqejtPo0c-l9QVp0ffB1IfU03wCHIcfBisEeRNoZIyrmfr8BO5mUm-wafBitemg3PVgr3-00CQn3hOqem3om2Ej2hEw3F4vFc0Ph06qDCy15As0pEw3qkrYQg9L6SrCRMc617pE
or, via email, send a message with subject or body 'help' to
    [email protected]

You can reach the person managing the list at
    [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of PLUG digest..."

Today's Topics:

   1. tcpdump whiz? (Michael Rasmussen)
   2. Re: tcpdump whiz? (Atom Powers)
   3. Re: tcpdump whiz? (Ishak Micheil)
   4. Re: tcpdump whiz? (Michael Rasmussen)
   5. Re: tcpdump whiz? (Louis Kowolowski)
   6. Re: proxy.pac (Robert Citek)
   7. Re: proxy.pac (Louis Kowolowski)
   8. Re: tcpdump whiz? (Michael Rasmussen)

----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Feb 2016 16:08:28 -0800
From: Michael Rasmussen <[email protected]>
Subject: [PLUG] tcpdump whiz?
To: "Portland Linux User's Group" <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

I have a group of systems that I need to monitor for use of approved SSL cipher suites.
Wireshark is not available on them. tcpdump is the tool I need to use.

Do you know, or know someone who would know, how to construct a tcpdump filter that matches
only packets for the SSL handshake?

Due to the volume of traffic on the systems I cannot capture everything and filter later.

The most useful hint found so far is at:
http://cp.mcafee.com/d/k-Kr6gUi3zqb3Xz3UUQsTudTdET7fcCzBB55USzssYOqehMUQsLCQrzDCjhOOyyqejqdPhOMOUqerELCW4WCdyw2yFsCvFzBPpkKjfQNOVJAwZpSPz_nUQsIff6zAtRXBQShP78CzBZd4QsEYJt6OaaJNP7axVZicHs3jqpJd4TvC7XECzBxNWVEVdTdw0Wv4PYntrfDO-2PvQDaIao-eooK_AXb8dGH5Wv4PYiVfPPWBXv6sDpmSvBTp7P-9JoZIyn8lrxrW0E-l9QVp0ffB1IfU02rhsd79EVodxoaxc96y0eAh-AM3d40pGuq84mhM1Cy0dFhLPh0CYrpKrGq8H

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
People play badly for various reasons; the most common one is failure
to judge what they currently produce as inadequate.
    ~ Tony Pay (on a Clarinet discussion list)

------------------------------

Message: 2
Date: Fri, 26 Feb 2016 00:18:34 +0000
From: Atom Powers <[email protected]>
Subject: Re: [PLUG] tcpdump whiz?
To: "Portland Linux/Unix Group" <[email protected]>
Message-ID: <CAF-H=Ome_rbY8T0Z6TLovby_=p=eqj6kjcn9xjlxglvjlsf...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Shameless Promotion Alert:
The best person I know to answer that is Mike Pennacchi, who is teaching
"Deep Packet Inspection" at CasITConf next month.
http://cp.mcafee.com/d/avndxNJ5xZNxYsqerL6XCQrzDCjhOOyyYrhKeupd78UsqenPqdNPP9EVphhd79J6VEVopsd7dQnPt2tj6Ng1hkKjfQNOVIGn9DWoVsSOguIXpN_HYqem7DzhOeWZOWr8VzAjhO-CyqekumKzp55mUVzBgY-F6lK1FJASCyrLP3ZQjhOMUZsQsCXCM0tJFatGMtU03BJFatGMthsOrsWNBFZcdH7JAiV2Hsbvg57OFeDb81VYEdx_00jqbxEVd7b1Ib1k9x8Qg1QyfQC0pEw3djPh0yOe0cQg1Jad-q84TzrdPqaL8

On Thu, Feb 25, 2016 at 4:11 PM Michael Rasmussen <[email protected]> wrote:

> I have a group of systems that I need to monitor for use of approved SSL
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump
> filter that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything
> and filter later.
>
> The most useful hint found so far is at:
>
> http://cp.mcafee.com/d/FZsS86Qm7T67NNEVKYrKrhKeupd7baabNJ6UVVAQszxNEVvdET7fcCzBB54QsCQrCzBxBMQsThvdQ9Rcr5055iVc_j7bCOFsCvFzBPr91WPJD7-LNEVouud78XHTbFIzCehd7bWq9EVhVqWdAklrzCel3PWApmU6CS3qq9K_cfThd7b3zRPhOrKr01Q-9DUKWSvfBY5C_FelokNYsMNt_9SmgrlmbQ-9DUBOvDDRbS-cVeOJI_bKOfDYjqNXp4KgGT2TQ1hYGjFOO0uva3ovM04SyUqejhOMr2Ml2oid40t8zZ9w6q80PkYQg8Izw3d40rizvCy1dUSPsSLK-
>
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://cp.mcafee.com/d/FZsS738Ocy1J5xZNxYsqerL6XCQrzDCjhOOyyYrhKeupd78UsqenPqdNPP9EVphhd79J6VEVopsd7dQnPt2tj6Ng1hkKjfQNOVIGn9DWoVsSOguIXpN_HYqem7DzhOeWZOWr8VzAjhO-CyqekumKzp55mUVzBgY-F6lK1FJYSCyrLP3ZQjhOMUZsQsCXCM0pYGjFOO0uva3ovM071dnoovaAVgtHyNXp4SIuShbAaJMJZ0kvaAWsIw7DOwS7Y01dEK6zAQsI6MI5gC4zh07i8_io1Cy0cRfd42b8U0Ph06QETVEwjudITdIU_VKbzZplj2
>

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

------------------------------

Message: 3
Date: Thu, 25 Feb 2016 16:24:34 -0800
From: Ishak Micheil <[email protected]>
Subject: Re: [PLUG] tcpdump whiz?
To: "General Linux/UNIX discussion and help civil and on-topic" <[email protected]>
Message-ID: <CABiMUpgQvGpiHy+EUHjxnDxZGcYLK=a0drrq3g9qdkvf7+m...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Jim Hassing knows.

On Feb 25, 2016 16:11, "Michael Rasmussen" <[email protected]> wrote:

> I have a group of systems that I need to monitor for use of approved SSL
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump
> filter that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything
> and filter later.
>
> The most useful hint found so far is at:
>
> http://cp.mcafee.com/d/avndz9J5xZNxYsqerL6XCQrzDCjhOOyyYrhKeupd78UsqenPqdNPP9EVphhd79J6VEVopsd7dQnPt2tj6Ng1hkKjfQNOVIGn9DWoVsSOguIXpN_HYqem7DzhOeWZOWr8VzAjhO-CyqekumKzp55mUVzBgY-F6lK1FJMSCyrLP3ZQjhOMUZsQsCXCM0tfyp-bKJDPVv1pLWjBm5cv7ccnvOtBA6RlyZfyp-9sDVVZiZLzejIHrfOXIzV_4SIuShbAaJMJZ0kvaAWsIw7DOwS7Y01dEK6zAQsI6MI5gC4zh07i8_io1Cy0cRfd42b8U0Ph06QETVEwjudITdV7zNPi5M7QoF
>
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://cp.mcafee.com/d/FZsSd2gOrhovsov76zCXNKVJ6UVVAQsIEEL6QrzDCjhOe76zBYSzssYOqemkkjhOrhKqem6n3hPt5YTgDkNIk0klbAPZcsKraBOp-CendIA7HeSsvW_6zBxVUQszKLsKCOeoV4QsLFECzB7BHEShhlKeoVkffGhBrwqr76QQjt-ovKyqem77HCzATsS03fBitemg3PVgr3-00U9GX33VkDa3Jsmfr8CRzSO9sxlK5LE2zVkDjBA0Y-k6M_w09J5MQsCzBwS5wG4MAq80Wh7Wj0cQg1CFVEwhp706q80SB6_d42rNJCVLAGr-WKftw-K
>

------------------------------

Message: 4
Date: Thu, 25 Feb 2016 16:27:24 -0800
From: Michael Rasmussen <[email protected]>
Subject: Re: [PLUG] tcpdump whiz?
To: Portland Linux/Unix Group <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Thu, Feb 25, 2016 at 04:24:34PM -0800, Ishak Micheil wrote:
> Jim Hassing knows.

No he doesn't. We've already chatted about it.

For those of you scratching your heads over that exchange, Jim, Ishak, and I share a common employer.

> On Feb 25, 2016 16:11, "Michael Rasmussen" <[email protected]> wrote:
>
> > I have a group of systems that I need to monitor for use of approved SSL
> > cipher suites.
> > Wireshark is not available on them. tcpdump is the tool I need to use.
> >
> > Do you know, or know someone who would know, how to construct a tcpdump
> > filter that matches
> > only packets for the SSL handshake?
> >
> > Due to the volume of traffic on the systems I cannot capture everything
> > and filter later.
> >
> > The most useful hint found so far is at:
> >
> > http://cp.mcafee.com/d/2DRPoOcz8wrhovsov76zCXNKVJ6UVVAQsIEEL6QrzDCjhOe76zBYSzssYOqemkkjhOrhKqem6n3hPt5YTgDkNIk0klbAPZcsKraBOp-CendIA7HeSsvW_6zBxVUQszKLsKCOeoV4QsLFECzB7BHEShhlKeoVkffGhBrwqrudFECXYM_t4QsIefnd79KVI07jUCvyXHpY-nMmr-AVlxj7NP35TYDpp1JloLjUCvyn9-uvkLrUPAXaSPYKX8-vNdH7JAiV2Hsbvg57OFeDb81VYEdx_00jqbxEVd7b1Ib1k9x8Qg1QyfQC0pEw3djPh0yOe0cQg1Jad-q84TzrdPu7HP
> >
> >
> >
> > --
> > Michael Rasmussen, Portland Oregon
> > Be Appropriate && Follow Your Curiosity
> > People play badly for various reasons; the most common one is failure
> > to judge what they currently produce as inadequate.
> > ~ Tony Pay (on a Clarinet discussion list)
> > _______________________________________________
> > PLUG mailing list
> > [email protected]
> > http://cp.mcafee.com/d/FZsScCQm7T67NNEVKYrKrhKeupd7baabNJ6UVVAQszxNEVvdET7fcCzBB54QsCQrCzBxBMQsThvdQ9Rcr5055iVc_j7bCOFsCvFzBPr91WPJD7-LNEVouud78XHTbFIzCehd7bWq9EVhVqWdAklrzCel3PWApmU6CPhOrjhdTVx-W9EVosuKqejtPo0c-l9QVp0ffB1IfU03wCHIcfBisEeRNoZIyrmfr8BO5mUm-wafBitemg3PVgr3-00CQn3hOqem3om2Ej2hEw3F4vFc0Ph06qDCy15As0pEw3qkrYQg9L6SrCObYxFQ68Qdjh
> >
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://cp.mcafee.com/d/k-Kr4xASyM-UM-ed7dTztPqdNPP9EVphhudET7fcCzAsed7bVJ6UVVAQsIEECzASzsQsIcK6zCWbVKxeFzoE0EGn9DWoVsSlbAPZcsKrp8fmtIU_R-d7b3PNEV7tuVtdAsNO9EVvjhd7afbnhIyyHssNOEuvkzaT0QSzsSCyrLP3ZQjhOMUZsQsCXCM0pYGjFOO0uva3ovM071dnoovaAVgtHyNXp4SIuShbAaJMJZ0kvaAWsIw7DOwS7Y01dEK6zAQsI6MI5gC4zh07i8_io1Cy0cRfd42b8U0Ph06QETVEwjudITdPbZGHPtbGWIu
>

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
Too often we enjoy the comfort of opinion without the discomfort of thought.
    ~ John F.
Kennedy

------------------------------

Message: 5
Date: Thu, 25 Feb 2016 19:15:50 -0600
From: Louis Kowolowski <[email protected]>
Subject: Re: [PLUG] tcpdump whiz?
To: Portland Linux/Unix Group <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

From the link you posted:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

This captures the SSL handshake (0x16), and the hello (0x01). Seems reasonable that you could delete the expression for hello and end up with:

tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'

Does this not work?

> On Feb 25, 2016, at 6:08 PM, Michael Rasmussen <[email protected]> wrote:
>
> I have a group of systems that I need to monitor for use of approved SSL
> cipher suites.
> Wireshark is not available on them. tcpdump is the tool I need to use.
>
> Do you know, or know someone who would know, how to construct a tcpdump filter
> that matches
> only packets for the SSL handshake?
>
> Due to the volume of traffic on the systems I cannot capture everything and
> filter later.
>
> The most useful hint found so far is at:
> http://cp.mcafee.com/d/k-Kr6jqb3Xz3UUQsTudTdET7fcCzBB55USzssYOqehMUQsLCQrzDCjhOOyyqejqdPhOMOUqerELCW4WCdyw2yFsCvFzBPpkKjfQNOVJAwZpSPz_nUQsIff6zAtRXBQShP78CzBZd4QsEYJt6OaaJNP7axVZicHs3jqa9Jd4TvC7XECzBxNWVEVdTdw0Wv4PYntrfDO-2PvQDaIao-eooK_AXb8dGH5Wv4PYiVfPPWBXv6sDpmSvBTp7P-9JoZIyn8lrxrW0E-l9QVp0ffB1IfU02rhsd79EVodxoaxc96y0eAh-AM3d40pGuq84mhM1Cy0dFhLPh0CYrpKr2QdzY267
>
>
>
> --
> Michael Rasmussen, Portland Oregon
> Be Appropriate && Follow Your Curiosity
> People play badly for various reasons; the most common one is failure
> to judge what they currently produce as inadequate.
> ~ Tony Pay (on a Clarinet discussion list)
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://cp.mcafee.com/d/5fHCMUe3x0gdEIfKcfzzhPtUTsSzssYOqemkknzqdNPP9EV73zhO-rhKeupd7baa9EVdETd7b3bxEVKy-rEjGoSa0aaBOp-CendBiVc_j7bCSi3RDrefZvzhOMYYqehTnKnjp7csyqenQQjhOzORQr8EGT7csG7DR8OJMddEFCQQjt-ovKyqem77HCzATsS03fBitemg3PVgr3-00U9GX33VkDa3Jsmfr8CRzSO9sxlK5LE2zVkDjBA0Y-k6M_w09J5MQsCzBwS5wG4MAq80Wh7Wj0cQg1CFVEwhp706q80SB6_d42rNJCVJFONPd3Te48r

--
Louis Kowolowski [email protected]
Cryptomonkeys: http://cp.mcafee.com/d/5fHCN8SyM-UM-ed7dTztPqdNPP9EVphhudET7fcCzAsed7bVJ6UVVAQsIEECzASzsQsIcK6zCWbVKxeFzoE0EGn9DWoVsSlbAPZcsKrp8fmtIU_R-d7b3PNEV7tuVtdAsNO9EVvjhd7afbnhIyyHssNOEuvkzaT0QSyOrjhdTVx-W9EVosuKqejtPo0aQiOQWGRwlYJjBYdH7JAiV2Hsbvg57OFeDb81VYEdx_00jqbxEVd7b1Ib1k9x8Qg1QyfQC0pEw3djPh0yOe0cQg1Jad-q84TzrdPrz1K-S4CRbCt

Making life more interesting for people since 1977

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://cp.mcafee.com/d/5fHCNEg4xASyM-UM-ed7dTztPqdNPP9EVphhudET7fcCzAsed7bVJ6UVVAQsIEECzASzsQsIcK6zCWbVKxeFzoE0EGn9DWoVsSlbAPZcsKrp8fmtIU_R-d7b3PNEV7tuVtdAsNO9EVvjhd7afbnhIyyHssNOEuvkzaT0QSyMrjhdTVx-W9EVosuKqejtPo0c-l9QVp0ffB1IfU03yQBLy9UIuShPpPSNdnUjFytQnbFFLUgu73A6bAcSsZIjl-4OZXThUxa1JoZIyn8lrxrW0E-l9QVp0ffB1IfU02rhsd79EVodxoaxc96y0eAh-AM3d40pGuq84mhM1Cy0dFhLPh0CYrpKrT1sgma-pYOVo

------------------------------

Message: 6
Date: Thu, 25 Feb 2016 18:48:34 -0800
From: Robert Citek <[email protected]>
Subject: Re: [PLUG] proxy.pac
To: "Portland Linux/Unix Group" <[email protected]>
Message-ID: <cakfjdm7ir-iiyhauymudmwoeth+mbm5+s9xmoupjl9tikaj...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Thu, Feb 25, 2016 at 1:14 AM, Louis Kowolowski <[email protected]> wrote:
> I'm making some assumptions here, and if they're not true, you can either
> correct me, or if the functionality I describe is what you want, take a look
> at
> http://cp.mcafee.com/d/avndzgQrhovsov76zCXNKVJ6UVVAQsIEEL6QrzDCjhOe76zBYSzssYOqemkkjhOrhKqem6n3hPt5YTgDkNIk0klbAPZcsKraBOp-CendIA7HeSsvW_6zBxVUQszKLsKCOeoV4QsLFECzB7BHEShhlKeoVkffGhBrwqrhvdFECXYM_t4QsIefnd79KVIDeqR4IMFREBBFRlH0HVqDbUDt5zbzIRKtltDaNsDeqNtqdgYJxJoZIyn8lrxrW0E-l9QVp0ffB1IfU02rhsd79EVodxoaxc96y0eAh-AM3d40pGuq84mhM1Cy0dFhLPh0CYrpKrZ_n20tbK
> where I detail how to set this up.
>
> Presumably you have:
> a) a web server that is passing the proxy.pac file out, and generating logs
> b) configured the browser's proxy settings to "auto"
>
> When you start/load the browser, you should be able to see in the webserver's
> logs that it's pulling a copy of the proxy.pac file. If this isn't the case,
> that's likely to be your problem. The site you mention is a little light on
> details for all this, so I'm not sure if you only have a partial setup, or if
> you've misconfigured something.

A bit more detail: I recently got a Chromebook (nope, I haven't
installed Linux/Crouton on it, yet). So this system does not have a
web server on it, which is what I would normally use. And I don't
want to set up a remote webserver. Instead, my hope is to have the
proxy.pac file reside locally on the Chromebook itself. So the URL to
the proxy.pac file would be something like
file:///home/chronos/.../proxy.pac. But thus far, that does not seem
to be working.

Thanks for the feedback thus far.

Regards,
- Robert

------------------------------

Message: 7
Date: Thu, 25 Feb 2016 21:04:48 -0600
From: Louis Kowolowski <[email protected]>
Subject: Re: [PLUG] proxy.pac
To: Portland Linux/Unix Group <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

I don't know if browsers support a local file for a proxy.pac or not. That would be the first thing I would investigate.

> On Feb 25, 2016, at 8:48 PM, Robert Citek <[email protected]> wrote:
>
> On Thu, Feb 25, 2016 at 1:14 AM, Louis Kowolowski
> <[email protected]> wrote:
>> I'm making some assumptions here, and if they're not true, you can either
>> correct me, or if the functionality I describe is what you want, take a look
>> at
>> http://cp.mcafee.com/d/2DRPosrhovsov76zCXNKVJ6UVVAQsIEEL6QrzDCjhOe76zBYSzssYOqemkkjhOrhKqem6n3hPt5YTgDkNIk0klbAPZcsKraBOp-CendIA7HeSsvW_6zBxVUQszKLsKCOeoV4QsLFECzB7BHEShhlKeoVkffGhBrwqrhsdFECXYM_t4QsIefnd79KVIDeqR4IMFREBBFRlH0HVqDbUDt5zbzIRKtltDaNsDeqNtqdgYJxJoZIyn8lrxrW0E-l9QVp0ffB1IfU02rhsd79EVodxoaxc96y0eAh-AM3d40pGuq84mhM1Cy0dFhLPh0CYrpKrIGWW5-at
>> where I detail how to set this up.
>>
>> Presumably you have:
>> a) a web server that is passing the proxy.pac file out, and generating logs
>> b) configured the browser's proxy settings to "auto"
>>
>> When you start/load the browser, you should be able to see in the
>> webserver's logs that it's pulling a copy of the proxy.pac file. If this
>> isn't the case, that's likely to be your problem. The site you mention is a
>> little light on details for all this, so I'm not sure if you only have a
>> partial setup, or if you've misconfigured something.
>
> A bit more detail: I recently got a Chromebook (nope, I haven't
> installed Linux/Crouton on it, yet). So this system does not have a
> web server on it, which is what I would normally use. And I don't
> want to set up a remote webserver. Instead, my hope is to have the
> proxy.pac file reside locally on the Chromebook itself. So the URL to
> the proxy.pac file would be something like
> file:///home/chronos/.../proxy.pac. But thus far, that does not seem
> to be working.
>
> Thanks for the feedback thus far.
>
> Regards,
> - Robert
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://cp.mcafee.com/d/FZsSd2gw921J5xZNxYsqerL6XCQrzDCjhOOyyYrhKeupd78UsqenPqdNPP9EVphhd79J6VEVopsd7dQnPt2tj6Ng1hkKjfQNOVIGn9DWoVsSOguIXpN_HYqem7DzhOeWZOWr8VzAjhO-CyqekumKzp55mUVzBgY-F6lK1FJ4srjhdTVx-W9EVosuKqejtPo0c-l9QVp0ffB1IfU03wCHIcfBisEeRNoZIyrmfr8BO5mUm-wafBitemg3PVgr3-00CQn3hOqem3om2Ej2hEw3F4vFc0Ph06qDCy15As0pEw3qkrYQg9L6SrC-IFHmXjVic9G

--
Louis Kowolowski [email protected]
Cryptomonkeys: http://cp.mcafee.com/d/k-Kr4zqb3Xz3UUQsTudTdET7fcCzBB55USzssYOqehMUQsLCQrzDCjhOOyyqejqdPhOMOUqerELCW4WCdyw2yFsCvFzBPpkKjfQNOVJAwZpSPz_nUQsIff6zAtRXBQShP78CzBZd4QsEYJt6OaaJNP7axVZicHs3jqbNJd4TvC7XECzBxNWVEVdTdw0HhbbjGHm1nORenMSIuShbAaJMJZ0kvaAWsIw7DOwS7Y01dEK6zAQsI6MI5gC4zh07i8_io1Cy0cRfd42b8U0Ph06QETVEwjudITdH8DacByleYX

Making life more interesting for people since 1977

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://cp.mcafee.com/d/FZsS96Qm7T67NNEVKYrKrhKeupd7baabNJ6UVVAQszxNEVvdET7fcCzBB54QsCQrCzBxBMQsThvdQ9Rcr5055iVc_j7bCOFsCvFzBPr91WPJD7-LNEVouud78XHTbFIzCehd7bWq9EVhVqWdAklrzCel3PWApmU6CQjhOrjhdTVx-W9EVosuKqejtPo0c-l9QVp0ffB1IfU03yQBLy9UIuShPpPSNdnUjFytQnbFFLUMZqVEVsZzdDfr4RvxcLuZQu8iwrmfr8BO5mUm-wafBitemg3PVgr3-00CQn3hOqem3om2Ej2hEw3F4vFc0Ph06qDCy15As0pEw3qkrYQg9L6SrCXXgFREFf

------------------------------

Message: 8
Date: Thu, 25 Feb 2016 19:37:00 -0800
From: Michael Rasmussen <[email protected]>
Subject: Re: [PLUG] tcpdump whiz?
To: Portland Linux/Unix Group <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Thu, Feb 25, 2016 at 07:15:50PM -0600, Louis Kowolowski wrote:
> From the link you posted:
>
> tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
>
> This captures the SSL handshake (0x16), and the hello (0x01). Seems
> reasonable that you could delete the expression for hello and end up with:
>
> tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
>
> Does this not work?

No, it's too promiscuous.

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
When man invented the bicycle he reached the peak of his attainments.
Here was a machine of precision and balance for the convenience of man.
And (unlike subsequent inventions for man's convenience) the more he
used it, the fitter his body became. Here, for once, was a product of
man's brain that was entirely beneficial to those who used it, and of
no harm or irritation to others.
Progress should have stopped when man invented the bicycle.
    ~ Elizabeth West, Hovel

------------------------------

_______________________________________________
PLUG: http://cp.mcafee.com/d/2DRPoOcygOrhovsov76zCXNKVJ6UVVAQsIEEL6QrzDCjhOe76zBYSzssYOqemkkjhOrhKqem6n3hPt5YTgDkNIk0klbAPZcsKraBOp-CendIA7HeSsvW_6zBxVUQszKLsKCOeoV4QsLFECzB7BHEShhlKeoVkffGhBrwqrjKrjhdTVx-W9EVosuKqejtPo0dp0ffB1IfU02rmfr8BO5mUm-wafBitemg3PVgr3-00CQn3hOqem3om2Ej2hEw3F4vFc0Ph06qDCy15As0pEw3qkrYQg9L6SrCWXObVy2y
PLUG mailing list
[email protected]
http://cp.mcafee.com/d/avndzgQ839J5xZNxYsqerL6XCQrzDCjhOOyyYrhKeupd78UsqenPqdNPP9EVphhd79J6VEVopsd7dQnPt2tj6Ng1hkKjfQNOVIGn9DWoVsSOguIXpN_HYqem7DzhOeWZOWr8VzAjhO-CyqekumKzp55mUVzBgY-F6lK1FJd4SCyrLP3ZQjhOMUZsQsCXCM0pYGjFOO0uva3ovM071dnoovaAVgtHyNXp4SIuShbAaJMJZ0kvaAWsIw7DOwS7Y01dEK6zAQsI6MI5gC4zh07i8_io1Cy0cRfd42b8U0Ph06QETVEwjudITdyHPQ7Ca-

End of PLUG Digest, Vol 137, Issue 28
*************************************
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
