[OT] tcpdump parsing

[Damian Gerow <damian () sentex net>]

First off, apologies for the off-topic post.  But I have no idea where to
turn for tcpdump help, and I figured most of the folks here have used it at
least moderately, if not extensively.

I've been spending the past week or so trying to track down what seems to be
a trojan that has been affecting our customers, that seems to come and go.
To give myself a little more to work with, I've nabbed 550MB worth of
network traffic from one of their links, spanning a couple of days.

The problem is, I can't open this up in ethereal.  The file is just too
large.  I've tried trimming the fat down (POP3 sessions, web browsing
sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm
still sitting here with 500MB of traffic.

Is there a way to take a tcpdump binary file, and pull a date range from it?
The tcpdump man page leads me to believe no, and a fair bit of Google
searching has provided no leads.

I'd also be willing to try various other GUIs that understand tcpdump output
(so long as they run on X).  Yes, I'm fully aware that I can do this all on
the commandline, but I find the GUI a bit easier to work with in this case.

Any pointers or suggestions are very welcomed at this point.  It's
frustrating to be sitting with the culprit on disk, but not be able to find
out who or what the culprit /is/.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards