Re: Scan for IRC

[Harry Hoffman <hhoffman () ip-solutions net>]

Use ngrep to look for signs of irc (i.e. PRIVMSG) instead of just 
looking for the ports irc (ususally, but not always) runs on.

something like: "ngrep -qitd eth0 'privmsg'" will probably get you much 
better results.

HTH,
Harry

ALD, Aditya, Aditya Lalit Deshmukh wrote:
> How do u know that you are looking for the irc traffic ? Somewhere you must
> have see connections going out to some host or some connection attempts. You
> could always try sniffing using that ip address on all ports if you have set
> up everthing else correctly... 
>
> How ever if something is not setup correctly then you would have trouble
> shoot this. Maybe posting some more info will help us all diagnose this for
> you and help u out - maybe offlist ? 
>
> -aditya
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces () lists netsys com 
> > [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of RandallM
> > Sent: Saturday, January 22, 2005 05:04 AM
> > To: full-disclosure () lists netsys com
> > Subject: [Full-disclosure] Scan for IRC
> >
> > I am so sorry for interrupting the list. I'm trying to pick up IRC
> > communications on the network. I've made some filters for Ethereal and
> > Observer but can't seem to pick it up. I'm doing something 
> > wrong. Used the
> > 6668-6669 ports. Any help? 
> >
> > thank you
> > Randall M
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
> ________________________________________________________________________
> Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html