RE: [fw-wiz] [OT] tcpdump parsing --> editcap

From: Sloane, David (DSloane_at_vfa.com)
Date: 10/08/03

    To: "Damian Gerow" <damian@sentex.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 8 Oct 2003 14:40:00 -0400
    
    

    editcap is your friend.

    It will break up the log file for you in a quick, memory-efficient way.

    See http://www.ethereal.com/editcap.1.html

    -David

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Damian
    Gerow
    Sent: October 08, 2003 2:20 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] [OT] tcpdump parsing

    First off, apologies for the off-topic post. But I have no idea where
    to turn for tcpdump help, and I figured most of the folks here have used
    it at least moderately, if not extensively.

    I've been spending the past week or so trying to track down what seems
    to be a trojan that has been affecting our customers, that seems to come
    and go. To give myself a little more to work with, I've nabbed 550MB
    worth of network traffic from one of their links, spanning a couple of
    days.

    The problem is, I can't open this up in ethereal. The file is just too
    large. I've tried trimming the fat down (POP3 sessions, web browsing
    sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm
    still sitting here with 500MB of traffic.

    Is there a way to take a tcpdump binary file, and pull a date range from
    it? The tcpdump man page leads me to believe no, and a fair bit of
    Google searching has provided no leads.

    I'd also be willing to try various other GUIs that understand tcpdump
    output (so long as they run on X). Yes, I'm fully aware that I can do
    this all on the commandline, but I find the GUI a bit easier to work
    with in this case.

    Any pointers or suggestions are very welcomed at this point. It's
    frustrating to be sitting with the culprit on disk, but not be able to
    find out who or what the culprit /is/.
    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
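Damian's actual question (pull a date range out of a tcpdump binary file) is exactly what the -A and -B options of current editcap releases do. The Python below is added here as an illustration and is not code from either poster or from the Ethereal project; it does the same thing by walking the libpcap record headers directly, copying only the records whose timestamp falls in the window, and refusing records whose lengths the header cannot justify so a damaged or hostile file cannot push the read past the buffer. All constants and the in-memory sample capture are constructed for the example.

```python
import struct

# Constructed constants and sample data for this example (not a real capture).
PCAP_MAGIC_US = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D      # libpcap variant with nanosecond timestamps
GLOBAL_HDR_LEN = 24
REC_HDR_LEN = 16
T0 = 1065571200                 # 2003-10-08 00:00:00 UTC, chosen for the sample
DAY = 86400

def build_pcap(records, endian="<"):
    """Assemble a libpcap file from (ts_sec, ts_frac, payload) tuples; test data only."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_frac, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload))
        out += payload
    return out

def filter_pcap_by_time(data, start, end):
    """Return (new_pcap_bytes, kept) holding only records whose timestamp satisfies
    start <= ts < end (epoch seconds). Works for either byte order and for the
    nanosecond-magic variant; the global header is copied through unchanged."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    magic_le, magic_be = struct.unpack("<I", data[:4])[0], struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (unknown magic)")
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    out, kept, off = bytearray(data[:GLOBAL_HDR_LEN]), 0, GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + REC_HDR_LEN])
        rec_end = off + REC_HDR_LEN + incl_len
        # Reject lengths the header cannot justify: a damaged or hostile file must not
        # make the loop skip ahead or read past the end of the buffer.
        if (snaplen and incl_len > snaplen) or rec_end > len(data):
            raise ValueError(f"corrupt or truncated record at offset {off}")
        if start <= ts_sec + ts_frac / frac_div < end:
            out += data[off:rec_end]          # copy record header + packet bytes verbatim
            kept += 1
        off = rec_end
    return bytes(out), kept
```

Feed it the bytes of a tcpdump -w file and two epoch timestamps; the returned bytes are a valid capture of just that window that ethereal will open, and the count tells you how much of the 550MB actually fell in the days of interest.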

