Firewall Wizards mailing list archives
RE: [OT] tcpdump parsing --> editcap
From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 8 Oct 2003 14:40:00 -0400
editcap is your friend. It will break up the log file for you in a quick, memory-efficient way. See http://www.ethereal.com/editcap.1.html -David -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Damian Gerow Sent: October 08, 2003 2:20 PM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] [OT] tcpdump parsing First off, apologies for the off-topic post. But I have no idea where to turn for tcpdump help, and I figured most of the folks here have used it at least moderately, if not extensively. I've been spending the past week or so trying to track down what seems to be a trojan that has been affecting our customers, that seems to come and go. To give myself a little more to work with, I've nabbed 550MB worth of network traffic from one of their links, spanning a couple of days. The problem is, I can't open this up in ethereal. The file is just too large. I've tried trimming the fat down (POP3 sessions, web browsing sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm still sitting here with 500MB of traffic. Is there a way to take a tcpdump binary file, and pull a date range from it? The tcpdump man page leads me to believe no, and a fair bit of Google searching has provided no leads. I'd also be willing to try various other GUIs that understand tcpdump output (so long as they run on X). Yes, I'm fully aware that I can do this all on the commandline, but I find the GUI a bit easier to work with in this case. Any pointers or suggestions are very welcomed at this point. It's frustrating to be sitting with the culprit on disk, but not be able to find out who or what the culprit /is/. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: [OT] tcpdump parsing --> editcap Sloane, David (Oct 08)