Good morning all! OK, I see the address for libcapUtils; it's very useful! But I think that utility works fine with several rules files, whereas I want to work with only one file and tcpdump, so I wrote a file with several rules. The file has an ordinary file name, "expression". In the tcpdump documentation
I read that the -F option allows writing a file like my "expression" file, so that (I suppose!) if I run tcpdump -F /path/to/expression, tcpdump works with all my rules simultaneously (or rather, I hope so!). Has somebody tried to work with tcpdump this way? My trouble is that when I try to run tcpdump -F /path/to/expression I receive an error:

[user@localhost Documents]# tcpdump -F /home/user/Documents/expression
tcpdump: parse error.

My rules file is as follows:

[user@localhost Documents]# vi expression22
tcpdump -i eth0 'tcp[13] & 2 == 2' -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/eth0
tcpdump -i eth1 'tcp[13] & 2 == 2' -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/eth1
tcpdump -i eth2 'tcp[13] & 2 == 2' -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/eth2
tcpdump 'tcp[13] & 2 == 2 && dst net 192.168.100.0 ' -c 5000 -s 0 -vvv -w /var/log/tcpDump/nets/100.0
tcpdump 'tcp[13] & 2 == 2 && dst net 192.168.1.0 ' -c 5000 -s 0 -vvv -w /var/log/tcpDump/nets/1.0
tcpdump -i eth2 'tcp[13] & 2 == 2 && ! src net 192.168.100.0 || net 192.168.1.0' -c 5000 -vvv -s 0 -w /var/log/tcpDump/nets/external
tcpdump tcp host middle and server -c 5000 -s 0 -vvv -w /var/log/tcpDump/hosts/tcpbetween
tcpdump ip host middle and server -c 5000 -s 0 -vvv -w /var/log/tcpDump/hosts/ipbetween
tcpdump -i eth0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply && ! src net 192.168.100.0 || 192.168.1.0' -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/external_eth0
tcpdump -i eth1 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply && ! src net 192.168.100.0 || 192.168.1.0' -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/external_eth1
tcpdump -i eth2 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply && ! src net 192.168.100.0 || 192.168.1.0' -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/external_eth2
tcpdump -i eth2 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 && ! src net 192.168.100.0 ' -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/established
tcpdump dst port 22 -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/ssh_auth
tcpdump dst port 23 -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/telnet_auth
tcpdump dst port 513 -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/remote_login
tcpdump tcp port 512 -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/remote_proc_exec
tcpdump dst port 389 -s 0 -vvv -c 5000 -w /var/log/tcpDump/ethn/ldap_auth
tcpdump -i eth2 dst port 22 -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/ssh_auth_eth2
tcpdump -i eth2 dst port 23 -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/telnet_auth_eth2
tcpdump -i eth2 dst port 513 -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/remote_login_eth2
tcpdump -i eth2 tcp port 512 -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/remote_proc_exec_eth2
tcpdump -i eth2 dst port 389 -s 0 -vvv -c 5000 -w /var/log/tcpDump/nets/ldap_auth_eth2
end of file.

I tried every rule, and every rule works fine alone! Now I want all the rules to work together in one big file, and I thought of using the -F option, but this doesn't work! Does someone know the reason why this option does not work? Or is it not something that should work? I would be pleased to share a script I wrote to manage this file; it converts the results into human-readable format and writes them to a directory under /var/log. Can somebody help me? Any help is welcome. Thanks in advance, and sorry again for my ugly English. Bye all.
Goffredo Saffioti.

-- Original Message --
>On Tue, Jun 04, 2002 at 05:16:11PM -0700, Joe Elliott wrote:
>> What is the simplest way to concatenate libpcap/tcpdump recording
>> files?
>
>Well, there's "pcat":
>
> http://www.infosecalliance.com/products/pcaputils.htm
>
>and there's the "mergecap" program that comes with Ethereal:
>
> http://www.ethereal.com/
>
>(free software, not a commercial product, the ".com" notwithstanding).
>-
>This is the TCPDUMP workers list.
>It is archived at
>http://www.tcpdump.org/lists/workers/index.html
>To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
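The post above mixes two different things. tcpdump's -F option reads the named file as a single filter expression (the man page: "Use file as input for the filter expression"), so a file made of whole "tcpdump -i eth0 ..." command lines has nothing the filter parser can accept, which is where "parse error" comes from. The POSIX sh below is an added example, not code from the original post or from tcpdump, that keeps the two uses apart: join_filters builds the one expression that -F expects from a file with one filter per line, and run_rules treats a file of complete tcpdump command lines (the poster's format) as the job list it really is. The function names, the temporary file names "filters", "rules" and "expression", and the DRY_RUN switch are this example's own; the interfaces, networks and /var/log/tcpDump paths are taken from the thread purely as illustration, and the two sample files are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post or from tcpdump.
# "tcpdump -F file" reads FILE as ONE filter expression, so a file of
# whole "tcpdump -i eth0 ..." command lines cannot parse.  Two helpers:
#   join_filters  - turns one filter per line into the single expression
#                   that -F expects;
#   run_rules     - runs a file of complete tcpdump command lines (the
#                   poster's format) as the job list it really is.
# Interfaces, networks and /var/log/tcpDump paths are illustrative only.

# join_filters FILE
# One BPF filter per line; blank lines and '#' comments are ignored.
# Prints "(e1) or (e2) or ..." so every rule is matched by one capture.
# The file is read by tcpdump, not the shell, so no shell quoting is needed.
join_filters() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            out = (n++ ? out " or (" : "(") $0 ")"
        }
        END { if (n) print out }
    ' "$1"
}

# run_rules FILE
# FILE holds full tcpdump command lines, one per line.  Each is started
# in the background and "wait" collects them all.  The lines are eval'd
# (normally as root), so a world-writable file is refused; keep it
# root-owned and mode 0644 or tighter.  DRY_RUN=1 prints instead of running.
run_rules() {
    rules=$1
    if [ -n "$(find "$rules" -perm -002 -print 2>/dev/null)" ]; then
        echo "run_rules: $rules is world-writable, refusing to eval it" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            tcpdump*) ;;
            *) echo "run_rules: skipping non-tcpdump line: $line" >&2
               continue ;;
        esac
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$line"
        else
            eval "$line" </dev/null &
        fi
    done <"$rules"
    [ "${DRY_RUN:-0}" = 1 ] || wait
}

# Constructed sample input (not the thread's file verbatim): three of the
# poster's filters, one per line, in the form join_filters expects.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/filters" <<'EOF'
# SYN segments towards the two internal networks
tcp[13] & 2 == 2 && dst net 192.168.100.0
tcp[13] & 2 == 2 && dst net 192.168.1.0

# ICMP that is neither echo nor echo-reply
icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
EOF

# The poster's own format: complete command lines, one capture each.
cat >"$tmp/rules" <<'EOF'
# one SYN capture per interface, stop after 5000 packets
tcpdump -i eth0 'tcp[13] & 2 == 2' -s 0 -c 5000 -w /var/log/tcpDump/ethn/eth0
tcpdump -i eth1 'tcp[13] & 2 == 2' -s 0 -c 5000 -w /var/log/tcpDump/ethn/eth1
EOF

join_filters "$tmp/filters" >"$tmp/expression"
printf 'single expression for tcpdump -F:\n%s\n\n' "$(cat "$tmp/expression")"
# As root this would be:  tcpdump -i eth0 -s 0 -w /var/log/tcpDump/all -F "$tmp/expression"
printf 'commands run_rules would start:\n'
DRY_RUN=1 run_rules "$tmp/rules"
```

The quickest check of a -F file is tcpdump -d -F expression, which compiles the expression and prints the resulting BPF program instead of capturing (as root on an interface, or unprivileged with -r on any existing capture file); a file that provokes "parse error" fails there in the same way. Note that a single -F expression captures into one pcap, whereas the per-rule command lines write one file each, so the two approaches are not interchangeable: use the first when the goal is one capture matching any rule, the second when the per-rule files under /var/log/tcpDump are the point.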
