Bugtraq mailing list archives
Re: Tracking tools?
From: mouse () Holo Rodents Montreal QC CA (der Mouse)
Date: Fri, 16 Aug 1996 07:29:21 -0400
> I've got a tcpdump of the network while a hacker broke into a machine. I created it on a FreeBSD system with tcpdump -w .... (filters omitted).
> I can read the file back just fine with a tcpdump -r, and dump the raw data with a -x, but that's less than real useful.
> Can anyone point out some tools I might apply to this dump file in order to track the session which actually hacked root? I'd most like to see one of the monitoring programs which can be fed from the dump file, but I'd be happy with something which would give me an ascii dump of the data portions of selected packets.
I have a packet-unpacker program which may be of use. It's designed to parse Sun etherfind output, not tcpdump -x output, but with one caveat it's fairly easy to massage tcpdump -x output into acceptable form. (I really must fix the parser to understand tcpdump format too.) The caveat is that tcpdump is very annoyingly inconsistent about printing the link-level header; for example, it prints it for arp packets but not for IP packets. My program can handle it either way, but not both in the same run. I'll be glad to send out what I've got, but it hasn't been cleaned up for distribution and therefore is likely to, at present, depend on local include files and/or library routines.

der Mouse

mouse () collatz mcrcim mcgill edu
01 EE 31 F6 BB 0C 34 36 00 F3 7C 5A C1 A0 67 1D
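One way to produce the ASCII dump of the data portions that the question asks for, as an added example in Python (not der Mouse's packet-unpacker or anything else from this thread): it parses tcpdump -x hex output and copes with the link-level header being printed or not, the inconsistency noted above, by detecting whether an IPv4 header sits at offset 0 or behind a 14-byte Ethernet header. The two sample dumps are constructed, not real captures, and the "0x0010:" offset column is the layout later tcpdump versions print; the old bare-words layout is handled too.

```python
import re

HEX_WORD = re.compile(r'^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$')  # tcpdump -x prints 16-bit groups

def hexdump_to_bytes(text):
    """One packet's tcpdump -x lines -> bytes; accepts bare words or '0x0010:  ...' rows."""
    out = bytearray()
    for line in text.splitlines():
        line = re.sub(r'^\s*0x[0-9a-fA-F]+:', '', line)   # strip the newer offset column
        for tok in line.split():
            if not HEX_WORD.match(tok):
                break                   # summary text or an ASCII column: stop here
            out += bytes.fromhex(tok)
    return bytes(out)
def find_ip_header(pkt):
    """Offset of the IPv4 header, with or without a 14-byte Ethernet header in front."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4 and (pkt[0] & 0x0F) >= 5:
        return 0
    if len(pkt) >= 34 and pkt[12:14] == b'\x08\x00' and pkt[14] >> 4 == 4:
        return 14
    raise ValueError("no IPv4 header found")
def tcp_payload(pkt):
    """(src_port, dst_port, data) of a TCP/IPv4 packet; header checksums are not verified."""
    ip = find_ip_header(pkt)
    ihl = (pkt[ip] & 0x0F) * 4
    total_len = int.from_bytes(pkt[ip + 2:ip + 4], 'big')
    if pkt[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    sport = int.from_bytes(pkt[tcp:tcp + 2], 'big')
    dport = int.from_bytes(pkt[tcp + 2:tcp + 4], 'big')
    doff = (pkt[tcp + 12] >> 4) * 4
    return sport, dport, pkt[tcp + doff:ip + total_len]   # total_len drops Ethernet trailer padding
def ascii_dump(text):
    """ASCII rendering of the data portion; non-printable bytes become '.'."""
    sport, dport, data = tcp_payload(hexdump_to_bytes(text))
    return sport, dport, ''.join(chr(b) if 32 <= b < 127 else '.' for b in data)

# Constructed samples, not real captures: one TCP segment (1025 -> 21) carrying "USER root\r\n",
# printed once as bare IP (old layout) and once with an Ethernet header in front (newer layout).
BARE_IP = """\
4500 0033 0001 0000 4006 0000 c0a8 0102
c0a8 0103 0401 0015 0000 0001 0000 0001
5018 2000 0000 0000 5553 4552 2072 6f6f
740d 0a"""
ETHERNET = """\
0x0000:  0000 0000 0001 0000 0000 0002 0800 4500
0x0010:  0033 0001 0000 4006 0000 c0a8 0102 c0a8
0x0020:  0103 0401 0015 0000 0001 0000 0001 5018
0x0030:  2000 0000 0000 5553 4552 2072 6f6f 740d
0x0040:  0a"""
```

Calling ascii_dump on either sample yields (1025, 21, "USER root.."); feeding it one packet's hex block at a time from a tcpdump -x run, and keeping only the port pair of interest, gives the per-session ASCII view the question asks for.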
Current thread:
- Re: Tracking tools? Michael Ryan (Aug 15)
- <Possible follow-ups>
- Re: Tracking tools? der Mouse (Aug 16)