Security Incidents mailing list archives

Re: 8 hours of pinging

From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 22 Mar 2000 13:15:27 -0800

How do I grab the entire packet with TCPDUMP please?


tcpdump -s 1518 -w foo.tcp proto 1

This will capture all the ICMP traffic on your system and save it into a
file called "foo.tcp".

-s means "snap length". Normally, TCPDUMP only captures the headers. Since
the maxmimum size frame on Ethernet is 1518 (including CRC), this will
capture everything.

-w means "write" to the following file name.

"proto 1" means only capture those packets whose IP "protocol" field is
equal to "1", which means "ICMP" packets.

More on TCPDUMP can be found at:
http://www.tcpdump.org

More on sniffing in general can be found at:
http://www.robertgraham.com/pubs/sniffing-faq.html

Robert Graham

Current thread:

Re: 8 hours of pinging Ed Padin (Mar 21)
- Re: 8 hours of pinging spiff (Mar 22)
- Curious HTTP related probings. Scott A . McIntyre (Mar 22)
  - Re: Curious HTTP related probings. Erik Fichtner (Mar 22)
  - Re: Curious HTTP related probings. Russell Fulton (Mar 22)
  - [Fwd: [fw-wiz] Specious network performance measurements.] horio shoichi (Mar 22)
- <Possible follow-ups>
- Re: 8 hours of pinging Scott Wunsch (Mar 22)
- Re: 8 hours of pinging Robert Graham (Mar 22)
- Re: 8 hours of pinging Rainer Freis (Mar 27)
- Re: 8 hours of pinging Ed Padin (Mar 28)
  - Re: 8 hours of pinging Dragos Ruiu (Mar 29)
  - rooted by r0x - from address 212.177.241.127 Dwight Schauer (Mar 29)
    - Re: rooted by r0x - from address 212.177.241.127 Ethan King (Mar 29)
    - Re: rooted by r0x - from address 212.177.241.127 Rick Magill (Mar 30)
    - sendmail/identd attack Guido A.J. Stevens (Mar 30)
    - Re: rooted by r0x - from address 212.177.241.127 Ryan Russell (Mar 29)
    - UDP port 9200 Bobby, Paul (Mar 30)
    - Re: UDP port 9200 Robert Graham (Mar 30)

(Thread continues...)