Re: Auditing / Logging

["Don Parker" <dparker () rigelksecurity com>]

Agreed, using a binary format will allow you to replay this file through whichever medium
you choose which supports it. You would want however as much info as possible which is 
why I suggest using the -vX switch, as well as what was already mentioned. The bpf filter 
I quoted does not drop the traffic to console. You can then dictate on replay what your 
snaplength will be, as well as throwing in a bitmask if so desired. I trust this clarifies
my intent. 

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 13, Steve Shah <sshah () planetoid org> wrote:

On Tue, Jan 13, 2004 at 03:32:42PM -0500, Don Parker wrote:
> tcpdump -i eth0 -nXvs 0 ip and host xxx.xxx.xxx.xxx -w some_file
>
> This way you will get verbose logging as well as both hex and ascii o/p

Indeed, however, the purpose of captuing the whole packet and 
dropping it to disk is that it allows you go back and replay
as much or as little of the traffic as you like with whatever
kind of output you like. Dumping the traffic to console in 
addition to a file will slow the capture down and run you the
risk of dropping packets. 

-Steve

-- 
Steve Shah
sshah () planetoid org - <a href='http://www.planetoid.org/&apos;>http://www.planetoid.org/</a>
Beating code into submission, one OS at a time...


---------------------------------------------------------------------------
----------------------------------------------------------------------------