Penetration Testing mailing list archives
Re: Auditing / Logging
From: Steve Shah <sshah () planetoid org>
Date: Tue, 13 Jan 2004 21:39:57 -0800
Hi Don,

On Tue, Jan 13, 2004 at 04:48:19PM -0500, Don Parker wrote:

> You would want however as much info as possible which is why I suggest using the -vX switch, as well as what was already mentioned.
>
> This data is captured in the binary format (pcap). It is not necessary to explicitly set these values and capture the text output separately.
>
> The bpf filter I quoted does not drop the traffic to console. You can then dictate on replay what your snaplength will be, as well as throwing in a bitmask if so desired. I trust this clarifies my intent.
We're almost on the same wavelength. ;-) The key is that dumping anything to console or making tcpdump generate text data in addition to dropping the binary data to disk is not necessary during the time of capture. It is, as you indicated, useful during replay.

During capture, it is important that tcpdump get as much time as it wants in order to capture full packets, save them to disk, and go back to fetch more packets from the packet buffers. If tcpdump doesn't go back and get those packets soon enough, they will get dropped in order to pull new packets in.

For admins/security guys out there watching traffic, if you need to capture a lot of traffic, don't echo it to your screen as the capture happens. Your screen (be it an xterm or console) is a blocking device that will hold up tcpdump from going back and reading another packet. Thus, it becomes possible to lose packets in the process. This situation is made worse when the output console is a serial port because it is extremely slow and (at least on PCs), generates a lot of interrupt traffic.

If you do need to see the traffic in real time, do as Don suggested and write the binary data to disk in addition to the -vX parameter for lots of data. Be sure to set a tight filter so you aren't overwhelmed. If you're ssh'd into the machine where you're capturing packets, don't forget to set a filter to drop your ssh packets. I would also suggest doing a -n so that tcpdump doesn't generate DNS packets when trying to resolve IP addresses.

-Steve

--
Steve Shah sshah () planetoid org - http://www.planetoid.org/
Beating code into submission, one OS at a time...
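The capture discipline Steve and Don describe (binary to disk with -w, -n to avoid DNS lookups, a filter that excludes the operator's own SSH session, and -vX only at replay time) as an added shell example that is not part of either poster's message. It assumes OpenSSH's SSH_CONNECTION variable ("client_ip client_port server_ip server_port"), an interface name and file names that are placeholders, and it adds one check the thread only implies: reading tcpdump's exit statistics for "packets dropped by kernel" so you know whether the capture actually lost packets. The sample statistics in the usage block are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, file names and the
# sample statistics are constructed placeholders.

# Build a BPF filter that excludes the SSH session this shell is running in.
# $1: contents of $SSH_CONNECTION ("client_ip client_port server_ip server_port")
# $2: optional extra filter to narrow the capture (e.g. "tcp port 80")
# Prints the combined expression on stdout.
build_capture_filter() {
    conn="$1"; extra="$2"
    if [ -n "$conn" ]; then
        set -- $conn                       # split into the four fields
        exclude="not (host $1 and port $2 and host $3 and port $4)"
    else
        exclude="not port 22"              # no session info: exclude all ssh
    fi
    if [ -n "$extra" ]; then
        printf '%s and (%s)\n' "$exclude" "$extra"
    else
        printf '%s\n' "$exclude"
    fi
}

# Start the capture in the background: -n (no DNS lookups), -s 0 (full
# packets), -w (binary pcap to disk), nothing echoed to the terminal.
# tcpdump prints its packet statistics to stderr on exit, so keep that in a
# side file. Prints the tcpdump PID.
start_capture() {
    iface="$1"; outfile="$2"; filter="$3"; statsfile="$4"
    tcpdump -n -i "$iface" -s 0 -w "$outfile" "$filter" 2>"$statsfile" &
    echo $!
}

# Replay from disk with the verbose/hex output (-vX) that was deliberately
# avoided during capture; an optional filter narrows what is displayed.
replay_capture() {
    pcapfile="$1"; filter="$2"
    tcpdump -n -r "$pcapfile" -vX ${filter:+"$filter"}
}

# Parse "N packets dropped by kernel" from the saved stderr of a finished
# capture. Prints the count; returns 0 if nothing was dropped, 1 otherwise,
# so a script can flag a capture that is missing packets.
kernel_drops() {
    n=$(sed -n 's/^\([0-9][0-9]*\) packets dropped by kernel.*/\1/p' "$1")
    n=${n:-0}
    echo "$n"
    [ "$n" -eq 0 ]
}

# Usage (only runs when invoked as: sh capture.sh run):
if [ "${1:-}" = "run" ]; then
    filter=$(build_capture_filter "${SSH_CONNECTION:-}" "tcp port 80")
    pid=$(start_capture eth0 /var/tmp/capture.pcap "$filter" /var/tmp/capture.stats)
    echo "capturing with filter: $filter (pid $pid); stop with: kill -INT $pid"
    # After kill -INT, check for loss before trusting the file:
    #   kernel_drops /var/tmp/capture.stats || echo "WARNING: capture lost packets"
    #   replay_capture /var/tmp/capture.pcap "port 80"
fi
```

The filter excludes only the one SSH session by both endpoints and both ports, so other SSH traffic on the host is still captured; if SSH_CONNECTION is unset the function falls back to excluding port 22 entirely. The drop check matters because a capture that ran while the console was blocked can look complete on disk while the kernel statistics show otherwise.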