Re: [fw-wiz] [OT] tcpdump parsing
From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 10/08/03
- Previous message: Michael Plomer: "[fw-wiz] ISA server as network bridge?"
- In reply to: Damian Gerow: "[fw-wiz] [OT] tcpdump parsing"
- Next in thread: Damian Gerow: "Re: [fw-wiz] [OT] tcpdump parsing"
- Reply: Damian Gerow: "Re: [fw-wiz] [OT] tcpdump parsing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Damian Gerow <damian@sentex.net>
Date: Wed, 8 Oct 2003 14:48:31 -0400 (EDT)
Better yet, perhaps defining what you are trying to 'locate' in the
traffic dumps might well lead to answers quicker than folks trying to help
port a huge file into other apps that are GUI sensitive?
Of course, if you have a preconception of what you are looking for,
then a raw dump of all traffic is not required, you can filter down
the dumps to avoid huge file syndrome.
Thanks,
Ron DuFresne
On Wed, 8 Oct 2003, Damian Gerow wrote:
> First off, apologies for the off-topic post. But I have no idea where to
> turn for tcpdump help, and I figured most of the folks here have used it at
> least moderately, if not extensively.
>
> I've been spending the past week or so trying to track down what seems to be
> a trojan that has been affecting our customers, that seems to come and go.
> To give myself a little more to work with, I've nabbed 550MB worth of
> network traffic from one of their links, spanning a couple of days.
>
> The problem is, I can't open this up in ethereal. The file is just too
> large. I've tried trimming the fat down (POP3 sessions, web browsing
> sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm
> still sitting here with 500MB of traffic.
>
> Is there a way to take a tcpdump binary file, and pull a date range from it?
> The tcpdump man page leads me to believe no, and a fair bit of Google
> searching has provided no leads.
>
> I'd also be willing to try various other GUIs that understand tcpdump output
> (so long as they run on X). Yes, I'm fully aware that I can do this all on
> the commandline, but I find the GUI a bit easier to work with in this case.
>
> Any pointers or suggestions are very welcomed at this point. It's
> frustrating to be sitting with the culprit on disk, but not be able to find
> out who or what the culprit /is/.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
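The quoted question asks whether a date range can be pulled out of a tcpdump binary file, and the reply above suggests filtering the dump down instead of loading all of it into a GUI. The libpcap file format makes both straightforward: a 24-byte global header followed by 16-byte records of (ts_sec, ts_frac, incl_len, orig_len) plus packet bytes. The following is an added example written for this page, not code from either poster or from tcpdump; the capture it reads is constructed inline (four dummy frames spread over 6-8 October 2003) so it runs offline. It detects the byte order and the microsecond/nanosecond magic, copies only records whose timestamp falls in [start, stop), and optionally applies a caller-supplied predicate on the packet bytes.

```python
"""Slice a libpcap (tcpdump -w) file down to a time window.

Added example for the thread above; not code from the original posters.
Field layout: global header (24 bytes), then per-packet records of
ts_sec, ts_frac, incl_len, orig_len (16 bytes) followed by incl_len bytes.
"""
import struct
from datetime import datetime, timezone

GLOBAL_HDR = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, incl_len, orig_len

# Magic as read with "<I" -> (struct byte order of the file, fractional ticks per second).
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}


def pcap_header(data):
    """Return (byte order, ticks per second, raw 24-byte global header)."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    order, ticks = MAGICS[magic]
    return order, ticks, data[:GLOBAL_HDR]


def iter_records(data):
    """Yield (timestamp in epoch seconds, raw record bytes) in file order."""
    order, ticks, _ = pcap_header(data)
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(data):
        sec, frac, incl, _orig = struct.unpack_from(order + "IIII", data, off)
        end = off + RECORD_HDR + incl
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        yield sec + frac / ticks, data[off:end]
        off = end


def slice_pcap(data, start, stop, keep=None):
    """Return a new pcap holding records with start <= ts < stop (epoch seconds).

    `keep`, if given, is a predicate on the packet bytes (after the record
    header); records it rejects are dropped too. The whole file is walked
    rather than stopping at the first ts >= stop, since captures are not
    guaranteed to be strictly chronological.
    """
    _, _, hdr = pcap_header(data)
    out = [hdr]
    for ts, rec in iter_records(data):
        if not (start <= ts < stop):
            continue
        if keep is not None and not keep(rec[RECORD_HDR:]):
            continue
        out.append(rec)
    return b"".join(out)


def count_records(data):
    """Number of packet records in a pcap byte string."""
    return sum(1 for _ in iter_records(data))


def build_pcap(packets, linktype=1, order="<", snaplen=65535):
    """Assemble a microsecond pcap from (ts_sec, ts_usec, payload) tuples (constructed data)."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    recs = [struct.pack(order + "IIII", s, us, len(p), len(p)) + p for s, us, p in packets]
    return hdr + b"".join(recs)


def utc(y, m, d, h=0, mi=0):
    """Epoch seconds for a UTC wall-clock time; pcap timestamps are UTC."""
    return int(datetime(y, m, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed capture: four dummy frames over 6-8 Oct 2003 UTC, not real traffic.
SAMPLE = build_pcap([
    (utc(2003, 10, 6, 12), 0,      b"\x00" * 60),
    (utc(2003, 10, 7, 3),  250000, b"\x01" * 80),
    (utc(2003, 10, 7, 15), 500000, b"\x02" * 100),
    (utc(2003, 10, 8, 1),  0,      b"\x03" * 60),
])


def demo():
    """Keep only 7 Oct 2003 UTC and return the surviving timestamps."""
    day = slice_pcap(SAMPLE, utc(2003, 10, 7), utc(2003, 10, 8))
    return [ts for ts, _ in iter_records(day)]


if __name__ == "__main__":
    print(len(SAMPLE), "bytes in;", len(demo()), "packets kept for 2003-10-07")
```

To run it on a real file, read it with `open(path, "rb").read()`, write the return value of `slice_pcap` back out, and open the smaller file in the GUI. The same two cuts are available from the tools themselves: `tcpdump -r big.pcap -w small.pcap 'not port 110 and not port 80'` rewrites a capture through a BPF filter, which is the trimming the reply recommends, and Wireshark's `editcap -A <start> -B <stop>` cuts a time window. The `thiszone` field is written as zero here, as libpcap does; timestamps in the file are UTC regardless of the capturing host's zone.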