Firewall Wizards mailing list archives

RE: [OT] tcpdump parsing --> editcap


From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 8 Oct 2003 14:40:00 -0400

editcap is your friend.

It will break up the log file for you in a quick, memory-efficient way.

See http://www.ethereal.com/editcap.1.html

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Damian
Gerow
Sent: October 08, 2003 2:20 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] [OT] tcpdump parsing


First off, apologies for the off-topic post.  But I have no idea where
to turn for tcpdump help, and I figured most of the folks here have used
it at least moderately, if not extensively.

I've been spending the past week or so trying to track down what seems
to be a trojan that has been affecting our customers, that seems to come
and go. To give myself a little more to work with, I've nabbed 550MB
worth of network traffic from one of their links, spanning a couple of
days.

The problem is, I can't open this up in ethereal.  The file is just too
large.  I've tried trimming the fat down (POP3 sessions, web browsing
sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm
still sitting here with 500MB of traffic.

Is there a way to take a tcpdump binary file, and pull a date range from
it? The tcpdump man page leads me to believe no, and a fair bit of
Google searching has provided no leads.

I'd also be willing to try various other GUIs that understand tcpdump
output (so long as they run on X).  Yes, I'm fully aware that I can do
this all on the command line, but I find the GUI a bit easier to work
with in this case.

Any pointers or suggestions are very welcome at this point.  It's
frustrating to be sitting with the culprit on disk, but not be able to
find out who or what the culprit /is/.
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
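Damian's underlying question (pull a date range out of a tcpdump binary file without loading all 500MB) can also be answered by streaming the capture record by record. The following is an added example, not code from either poster or from editcap; it assumes the classic libpcap file format that tcpdump writes (not pcapng), and the timestamps in the demo are constructed.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

# pcap magic -> (struct byte-order prefix, ticks per second in the fraction field)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def extract_time_range(src, dst, start, end):
    """Copy packets from pcap `src` to `dst` whose timestamp t satisfies start <= t < end
    (timezone-aware datetimes). One record is read at a time, so nothing large is held in memory."""
    lo, hi, kept = start.timestamp(), end.timestamp(), 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        ghdr = fin.read(24)                       # 24-byte global header
        if len(ghdr) != 24 or ghdr[:4] not in PCAP_MAGICS:
            raise ValueError("not a pcap file, or truncated global header")
        order, scale = PCAP_MAGICS[ghdr[:4]]
        rec = struct.Struct(order + "IIII")       # ts_sec, ts_frac, incl_len, orig_len
        fout.write(ghdr)                          # output keeps the same snaplen / link type
        while rhdr := fin.read(rec.size):         # empty read == clean end of file
            if len(rhdr) != rec.size:
                raise ValueError("truncated record header")
            ts_sec, ts_frac, incl_len, _ = rec.unpack(rhdr)
            data = fin.read(incl_len)
            if len(data) != incl_len:
                raise ValueError("truncated packet data")
            if lo <= ts_sec + ts_frac / scale < hi:
                fout.write(rhdr + data)
                kept += 1
    return kept

def run_demo():
    """Constructed 4-packet capture (zero-filled dummy payloads, not real traffic):
    one packet before 6 Oct 2003 UTC, two during it, one after. Pull out that day."""
    day = int(datetime(2003, 10, 6, tzinfo=timezone.utc).timestamp())
    stamps = [day - 3600, day + 60, day + 7200, day + 86400 + 5]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "all.pcap"), os.path.join(tmp, "oct06.pcap")
        with open(src, "wb") as f:                # little-endian, microsecond pcap v2.4, Ethernet
            f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
            for ts in stamps:
                f.write(struct.pack("<IIII", ts, 0, 60, 60) + b"\x00" * 60)
        kept = extract_time_range(src, dst, datetime(2003, 10, 6, tzinfo=timezone.utc),
                                  datetime(2003, 10, 7, tzinfo=timezone.utc))
        return kept, os.path.getsize(dst)         # -> (2, 24 + 2 * (16 + 60)) == (2, 176)
```

Newer editcap builds offer the same cut via -A <start time> and -B <stop time>; the snippet is for when the installed version predates those options or the capture must be filtered without Ethereal tooling on the box.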