Bugtraq mailing list archives

Re: Tracking tools?


From: gmiller () dey-systems com (Greg Miller)
Date: Thu, 15 Aug 1996 22:53:43 GMT


On Wed, 14 Aug 1996 23:56:41 -0400, you wrote:

> Can anyone point out some tools I might apply to this dump file in order
> to track the session which actually hacked root?  I'd most like to see
> one of the monitoring programs which can be fed from the dump file, but
> I'd be happy with something which would give me an ascii dump of the
> data portions of selected packets.

        I've written a program just for this.  It's in perl, and isn't the
prettiest or fastest code in the world, but it works (for the most part).  It
will retrieve the IP, TCP, UDP, and ICMP headers from the dump and print the
headers (labeled).  It then prints any remaining data in both hex and ascii.
        The program is on my web page in the "misc" section.  You can download
it directly at http://grendel.ius.indiana.edu/~gmiller/network/tcpformat.pl.

.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯
enum MicrosoftBoolean {TRUE, FALSE, MAYBE};
Greg Miller: Programmer/Analyst (gmiller () dey-systems com)
http://grendel.ius.indiana.edu/~gmiller/
´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._.·´¯´·._
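The dissection described in the reply above, as an added example that is not Greg Miller's tcpformat.pl and is not code from the original page: a Python script that walks a libpcap capture, prints labeled IP/TCP/UDP/ICMP headers, and hex/ASCII-dumps whatever payload remains. It assumes (not stated by the post) that the dump is in classic libpcap format with Ethernet framing and IPv4 traffic; the three-packet capture it parses (a telnet segment, a DNS-shaped UDP datagram, an ICMP echo) is constructed inline so the script runs offline without a capture file.

```python
"""Dissect a libpcap capture: labeled IP/TCP/UDP/ICMP headers plus a hex+ASCII
dump of each packet's remaining data.  Assumptions (not from the original post):
classic libpcap file format, Ethernet link type, IPv4 only."""
import struct

PCAP_MAGIC, DLT_EN10MB, ETHERTYPE_IP = 0xA1B2C3D4, 1, 0x0800
TCP_FLAGS = "FIN SYN RST PSH ACK URG".split()   # bit 0 .. bit 5 of the flags byte

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum of 16-bit words; 0 means a valid header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def parse_packet(frame):
    """Return {'ip': ..., 'tcp'|'udp'|'icmp': ..., 'data': bytes} for one Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    ip = frame[14:]
    vihl, _tos, tlen, ident, _ffo, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    out = {"ip": {"src": "%d.%d.%d.%d" % tuple(src), "dst": "%d.%d.%d.%d" % tuple(dst),
                  "ttl": ttl, "proto": proto, "len": tlen, "id": ident,
                  "csum_ok": ip_checksum(ip[:ihl]) == 0}}
    body = ip[ihl:tlen]          # honor the IP total length so Ethernet padding is not "data"
    if proto == 6:               # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", body[:16])
        doff = (off_flags >> 12) * 4
        flags = [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
        out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "win": win}
        out["data"] = body[doff:]
    elif proto == 17:            # UDP
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        out["udp"] = {"sport": sport, "dport": dport, "len": ulen}
        out["data"] = body[8:ulen]
    elif proto == 1:             # ICMP (echo-style header layout)
        typ, code, _, icmp_id, seqn = struct.unpack("!BBHHH", body[:8])
        out["icmp"] = {"type": typ, "code": code, "id": icmp_id, "seq": seqn}
        out["data"] = body[8:]
    else:
        out["data"] = body
    return out

def parse_pcap(blob):
    """Yield (timestamp, parsed_packet) for each record; handles both byte orders."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "IHHiIII", blob[:24])[6]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    pos = 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", blob[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, parse_packet(blob[pos:pos + incl])
        pos += incl

def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, one row per 16 bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x  %s  %s" % (off, hexs, asc))
    return "\n".join(rows)

# --- constructed sample capture (not real traffic) ---------------------------
def ipv4(proto, src, dst, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IP) + hdr + payload   # zero MACs

def tcp(sport, dport, seq, ack, flags, data):
    bits = sum(1 << TCP_FLAGS.index(f) for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 8192, 0, 0) + data

SAMPLE = [
    ipv4(6, "10.0.0.5", "10.0.0.1", tcp(1029, 23, 1000, 2000, ["PSH", "ACK"], b"su root\r\n")),
    ipv4(17, "10.0.0.5", "10.0.0.1", struct.pack("!HHHH", 1030, 53, 12, 0) + b"q\x00\x00\x01"),
    ipv4(1, "10.0.0.1", "10.0.0.5", struct.pack("!BBHHH", 8, 0, 0, 7, 1) + b"ping"),
]

def sample_pcap():
    blob = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, frame in enumerate(SAMPLE):
        blob += struct.pack("<IIII", 840000000 + i, 0, len(frame), len(frame)) + frame
    return blob

def report(blob):
    """Labeled header lines plus a hexdump per record (what the script prints)."""
    lines = []
    for ts, pkt in parse_pcap(blob):
        lines.append("--- %.6f" % ts)
        if pkt is None:
            lines.append("non-IP frame")
            continue
        for layer in ("ip", "tcp", "udp", "icmp"):
            if layer in pkt:
                lines.append("%s: %s" % (layer.upper(), pkt[layer]))
        lines.append(hexdump(pkt["data"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(sample_pcap()))
```

To run it against a real dump, replace `sample_pcap()` with `open(path, "rb").read()`. Two details matter when reconstructing a session from a dump: slicing the payload by the IP total length rather than the frame length keeps Ethernet padding out of the "data" section, and the checksum flag exposes corrupted or truncated (snaplen-limited) headers before you trust what they say about ports and sequence numbers.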


