Penetration Testing mailing list archives

Re: Auditing / Logging


From: Steve Shah <sshah () planetoid org>
Date: Tue, 13 Jan 2004 21:39:57 -0800

Hi Don,

On Tue, Jan 13, 2004 at 04:48:19PM -0500, Don Parker wrote:
> You would want however as much info as possible which is
> why I suggest using the -vX switch, as well as what was already mentioned.

This data is captured in the binary format (pcap). It is not necessary
to explicitly set these values and capture the text output separately.

> The bpf filter I quoted does not drop the traffic to console. You can
> then dictate on replay what your snaplength will be, as well as throwing
> in a bitmask if so desired. I trust this clarifies my intent.

We're almost on the same wavelength. ;-)

The key is that dumping anything to console or making tcpdump generate
text data in addition to dropping the binary data to disk is not
necessary during the time of capture. It is, as you indicated, useful
during replay. 

During capture, it is important that tcpdump get as much time as it
wants in order to capture full packets, save them to disk, and go
back to fetch more packets from the packet buffers. If tcpdump 
doesn't go back and get those packets soon enough, they will get
dropped in order to pull new packets in. 

For admins/security guys out there watching traffic, if you need to
capture a lot of traffic, don't echo it to your screen as the capture
happens. Your screen (be it an xterm or console) is a blocking device
that will hold up tcpdump from going back and reading another packet.
Thus, it becomes possible to lose packets in the process. This 
situation is made worse when the output console is a serial port
because it is extremely slow and (at least on PCs), generates a lot
of interrupt traffic. If you do need to see the traffic in real time,
do as Don suggested and write the binary data to disk in addition to
the -vX parameter for lots of data. Be sure to set a tight filter
so you aren't overwhelmed. If you're ssh'd into the machine where
you're capturing packets, don't forget to set a filter to drop your
ssh packets. I would also suggest doing a -n so that tcpdump doesn't
generate DNS packets when trying to resolve IP addresses.

-Steve


-- 
Steve Shah
sshah () planetoid org - http://www.planetoid.org/
Beating code into submission, one OS at a time...
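A capture workflow along the lines of what Steve and Don describe (binary to disk with -n and a filter excluding the operator's own ssh session, -vX only at replay, and a check of tcpdump's kernel drop counter afterwards), as an added example that is not part of the thread. The interface eth0, the file paths, the management host 192.0.2.10 and the use of coreutils `timeout` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: interface eth0,
# management host 192.0.2.10 (placeholder), coreutils timeout available.

# Capture command: pcap to disk (-w), no DNS lookups (-n), full packets
# (-s 0), and a BPF filter that excludes our own ssh session so the
# capture does not feed on its own traffic. Nothing is echoed to the tty.
capture_cmd() {
    iface=$1; outfile=$2; mgmt_host=$3
    printf "tcpdump -n -i %s -s 0 -w %s 'not (tcp port 22 and host %s)'" \
        "$iface" "$outfile" "$mgmt_host"
}

# Replay command: the verbose/hex decode (-vX) is applied to the saved
# file, where it costs nothing in terms of dropped packets.
replay_cmd() {
    infile=$1; filter=$2
    printf "tcpdump -n -r %s -vX '%s'" "$infile" "$filter"
}

# tcpdump prints a summary on stderr when it exits, e.g.
#   12345 packets captured
#   12400 packets received by filter
#   55 packets dropped by kernel
# Return the kernel drop count (0 when the line is absent) so a lossy
# capture is noticed before the file is trusted.
kernel_drops() {
    printf '%s\n' "$1" | awk '/dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# Constructed sample of that summary, used only for the self-check below.
SAMPLE_SUMMARY='12345 packets captured
12400 packets received by filter
55 packets dropped by kernel'

if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    # Live run (needs root): capture for 60 s, then report kernel drops
    # and show how the replay would be invoked with a tighter filter.
    sh -c "timeout 60 $(capture_cmd eth0 /var/tmp/cap.pcap 192.0.2.10)" \
        2>/var/tmp/cap.err
    echo "kernel drops: $(kernel_drops "$(cat /var/tmp/cap.err)")"
    echo "replay with: $(replay_cmd /var/tmp/cap.pcap 'tcp port 80')"
fi
```

Run with `RUN_CAPTURE=1` as root to perform the live capture; without it the script only defines the helpers.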
