Firewall Wizards mailing list archives
Re: [OT] tcpdump parsing
From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 15:12:58 -0400
Thus spake R. DuFresne (dufresne () sysinfo com) [08/10/03 14:51]:
> Better yet, perhaps defining what you are trying to 'locate' in the traffic dumps might well lead to answers quicker than folks trying to help port a huge file into other apps that are gui sensitive?
Erm.....
> > To give myself a little more to work with, I've nabbed 550MB worth of network traffic from one of their links, spanning a couple of days.
> > <snip>
Is there a way to take a tcpdump binary file, and pull a date range from it? The tcpdump man page leads me to believe no, and a fair bit of Google searching has provided no leads.
I have five days worth of traffic (about). I need one day only -- well, I only really need one evening, but I'm willing to settle for an entire day. That's what I'm trying to 'locate' -- traffic from yesterday (October 7th).
> Of course, if you have a preconception of what you are looking for, then a raw dump of all traffic is not required, you can filter down the dumps to avoid huge file syndrome.
Specifically what I'm looking for is why these hosts are spewing spam. Virus and trojan scans have turned up negative (in five of six cases), and I'm puzzled. So I'm watching network traffic. (Yes, we've directed them to the virus scans, and they /have/ had updated AV databases.)

Unfortunately, we're looking at about 50% SMTP traffic in the dump. And I need that all in there at least at the start, so I can correlate link activity. It does me no good to pull out all outbound SMTP, if that's my trigger.

I would venture a guess that by pulling yesterday (October 7th) out of this dump, I could easily cut it to 30% of its size. And I would be very surprised if ethereal couldn't handle a dump that large -- although it /is/ currently eating 70MB of RAM for a 22MB dump.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Devdas Bhagat (Oct 08)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Paul Robertson (Oct 11)
- Spamming, 'hidden' mail server Damian Gerow (Oct 08)
- Re: Spamming, 'hidden' mail server Jeff Bollinger (Oct 15)
- Re: Spamming, 'hidden' mail server Damian Gerow (Oct 17)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 11)
- Re: [OT] tcpdump parsing hermit921 (Oct 13)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- Re: [OT] tcpdump parsing Devdas Bhagat (Oct 08)
- Re: [OT] tcpdump parsing Damian Gerow (Oct 08)
- <Possible follow-ups>
- RE: [OT] tcpdump parsing Austin, Greg (Oct 08)
- Mail server security (Was: Re: [OT] tcpdump parsing) Damian Gerow (Oct 11)