Bugtraq mailing list archives

Re: Tracking tools?


From: mouse () Holo Rodents Montreal QC CA (der Mouse)
Date: Fri, 16 Aug 1996 07:29:21 -0400


> I've got a tcpdump of the network while a hacker broke into a
> machine.  I created it on a FreeBSD system with tcpdump -w ....
> (filters omitted).
>
> I can read the file back just fine with a tcpdump -r, and dump the
> raw data with a -x, but that's less than real useful.
>
> Can anyone point out some tools I might apply to this dump file in
> order to track the session which actually hacked root?  I'd most like
> to see one of the monitoring programs which can be fed from the dump
> file, but I'd be happy with something which would give me an ascii
> dump of the data portions of selected packets.

I have a packet-unpacker program which may be of use.  It's designed to
parse Sun etherfind output, not tcpdump -x output, but with one caveat
it's fairly easy to massage tcpdump -x output into acceptable form.  (I
really must fix the parser to understand tcpdump format too.)  The
caveat is that tcpdump is very annoyingly inconsistent about printing
the link-level header; for example, it prints it for arp packets but
not for IP packets.  My program can handle it either way, but not both
in the same run.

I'll be glad to send out what I've got, but it hasn't been cleaned up
for distribution and therefore is likely to, at present, depend on
local include files and/or library routines.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
                    01 EE 31 F6 BB 0C 34 36  00 F3 7C 5A C1 A0 67 1D
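As an added example (not der Mouse's unpacker, which was never posted), a small Python reader for a tcpdump -w (pcap) file that does what the question asks for: it pulls the data portions of the TCP packets, groups them by connection direction, orders them by sequence number and renders each direction as an ASCII dump. The link-level header question the reply raises does not arise here, because a pcap file states its link type once in the file header; the addresses, ports and captured bytes below are constructed sample data, not a real capture.

```python
import struct
from collections import defaultdict
ETHERNET, RAW_IP = 1, {12, 101}  # pcap linktypes: Ethernet; DLT_RAW/LINKTYPE_RAW (no link-level header)

def read_pcap(data):  # yield (linktype, packet) per record of a tcpdump -w file, either byte order
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype, off = struct.unpack(endian + "I", data[20:24])[0], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_payloads(data):  # TCP payload segments per direction, keyed by (src, sport, dst, dport)
    flows = defaultdict(set)  # a set silently drops retransmitted copies of the same segment
    for linktype, pkt in read_pcap(data):
        if linktype == ETHERNET:  # the link header is fixed per file by linktype, not per packet
            if pkt[12:14] != b"\x08\x00":  # not IPv4 (e.g. ARP): nothing to reassemble
                continue
            pkt = pkt[14:]
        elif linktype not in RAW_IP:
            continue
        if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:  # only IPv4 carrying TCP
            continue
        ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack(">H", pkt[2:4])[0]
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        tcp = pkt[ihl:total]
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            flows[(src, sport, dst, dport)].add((seq, payload))
    return flows

def ascii_dump(flows):  # rebuild each direction in sequence order; non-printable bytes become '.'
    return {k: "".join(chr(b) if 32 <= b < 127 else "." for _, p in sorted(v) for b in p)
            for k, v in flows.items()}

# Constructed sample capture (not a real one): a telnet-style exchange, with one retransmission.
def make_pcap(segments, linktype=ETHERNET):  # (src, sport, dst, dport, seq, payload) -> pcap bytes
    ip = lambda a: bytes(map(int, a.split(".")))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for src, sport, dst, dport, seq, payload in segments:
        tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        iph = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip(src), ip(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + iph + tcp  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = make_pcap([("10.0.0.5", 1033, "10.0.0.1", 23, 102, b"\r\n"),     # arrives out of order
                    ("10.0.0.5", 1033, "10.0.0.1", 23, 100, b"su"),
                    ("10.0.0.5", 1033, "10.0.0.1", 23, 100, b"su"),       # retransmission
                    ("10.0.0.1", 23, "10.0.0.5", 1033, 500, b"Password: ")])
```

On a real file, `ascii_dump(tcp_payloads(open(path, "rb").read()))` gives one reconstructed string per direction of each connection; filtering the returned dict by destination port picks out the session of interest.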


