Re: [fw-wiz] [OT] tcpdump parsing

From: Damian Gerow (damian_at_sentex.net)
Date: 10/08/03

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Firewall log analysis tools"

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 8 Oct 2003 15:12:58 -0400

    Thus spake R. DuFresne (dufresne@sysinfo.com) [08/10/03 14:51]:
    > Better yet, perhaps defining what you are trying to 'locate' in the
    > traffic dumps might well lead to answers quicker than folks trying to help
    > port a huge file into other apps that are gui sensitive?

    Erm.....

    > > To give myself a little more to work with, I've nabbed 550MB worth of
    > > network traffic from one of their links, spanning a couple of days.

    <snip>

    > > Is there a way to take a tcpdump binary file, and pull a date range from it?
    > > The tcpdump man page leads me to believe no, and a fair bit of Google
    > > searching has provided no leads.

    I have five days worth of traffic (about). I need one day only -- well, I
    only really need one evening, but I'm willing to settle for an entire day.
    That's what I'm trying to 'locate' -- traffic from yesterday (October 7th).

    > Of course, if you have a preconception of what you are looking for,
    > then a raw dump of all traffic is not required, you can filter down
    > the dumps to avoid huge file syndrome.

    Specifically what I'm looking for is why these hosts are spewing spam.
    Virus and trojan scans have turned up negative (in five of six cases), and
    I'm puzzled. So I'm watching network traffic. (Yes, we've directed them to
    the virus scans, and they /have/ had updated AV databases.)

    Unfortunately, we're looking at about 50% SMTP traffic in the dump. And I
    need that all in there at least at the start, so I can correlate link
    activity. It does me no good to pull out all outbound SMTP, if that's my
    trigger.

    I would venture a guess that by pulling yesterday (October 7th) out of this
    dump, I could easily cut it to 30% of its size. And I would be very
    surprised if ethereal couldn't handle a dump that large -- although it /is/
    currently eating 70MB of RAM for a 22MB dump.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
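The question in the post above, pulling a single day out of a multi-day tcpdump binary file, has no answer inside tcpdump itself: its filter language (BPF) only examines packet bytes, while the capture timestamps live in the per-record headers of the pcap file. The following is an added example, not code from the original thread or from the tcpdump project. It walks the libpcap format directly (a 24-byte global header, then a 16-byte record header carrying seconds, microseconds or nanoseconds, and lengths before each packet), streams the file rather than loading it whole, and writes out only records whose timestamp falls inside a window. The sample capture, its packets and the October 2003 dates are constructed for the example; the day boundaries are computed in UTC for determinism, whereas in practice they should be computed in the capture host's local timezone.

```python
"""Pull a date range out of a libpcap (tcpdump -w) capture by walking record headers.

Added example; not code from the original thread. Capture data and dates are constructed.
"""
import io
import struct
from datetime import datetime, timezone

GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_usec (or ts_nsec), incl_len, orig_len

# Byte order and fraction-of-second unit are announced by the file's magic number.
_MAGICS = {0xA1B2C3D4: False, 0xA1B23C4D: True}  # magic -> nanosecond timestamps?


def _endianness(magic_bytes):
    """Return (struct byte-order prefix, nanosecond flag) for a pcap magic number."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", magic_bytes)[0]
        if magic in _MAGICS:
            return order, _MAGICS[magic]
    raise ValueError("not a libpcap file (bad magic)")


def read_global_header(fp):
    """Read and return the raw global header plus the byte order and timestamp unit."""
    hdr = fp.read(GLOBAL_HDR_LEN)
    if len(hdr) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than a pcap global header")
    order, nanos = _endianness(hdr[:4])
    return hdr, order, nanos


def iter_records(fp, order, nanos):
    """Yield (timestamp in epoch seconds, raw record bytes incl. header), streaming."""
    while True:
        rh = fp.read(RECORD_HDR_LEN)
        if not rh:
            return
        if len(rh) < RECORD_HDR_LEN:
            raise ValueError("truncated record header (capture cut short?)")
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(order + "IIII", rh)
        pkt = fp.read(incl_len)
        if len(pkt) < incl_len:
            raise ValueError("truncated packet data (capture cut short?)")
        ts = ts_sec + ts_frac / (1e9 if nanos else 1e6)
        yield ts, rh + pkt


def filter_by_time(src, dst, start, end):
    """Copy records with start <= timestamp < end from src to dst; return count kept."""
    hdr, order, nanos = read_global_header(src)
    dst.write(hdr)   # same magic/snaplen/linktype, so the output is a valid pcap
    kept = 0
    for ts, rec in iter_records(src, order, nanos):
        if start <= ts < end:
            dst.write(rec)
            kept += 1
    return kept


def filter_bytes(data, start, end):
    """In-memory convenience wrapper: returns (filtered pcap bytes, records kept)."""
    src, dst = io.BytesIO(data), io.BytesIO()
    kept = filter_by_time(src, dst, start, end)
    return dst.getvalue(), kept


def record_timestamps(data):
    """List the timestamps of every record in an in-memory capture."""
    src = io.BytesIO(data)
    _, order, nanos = read_global_header(src)
    return [ts for ts, _ in iter_records(src, order, nanos)]


def epoch(y, m, d, hh=0, mm=0):
    """Day boundaries; UTC here for determinism, use the capture host's zone in practice."""
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample: four tiny "packets" spread over 6-8 October 2003.
SAMPLE_RECORDS = [
    (epoch(2003, 10, 6, 23, 59), 0, b"pkt-oct06"),
    (epoch(2003, 10, 7, 0, 0), 0, b"pkt-oct07-a"),
    (epoch(2003, 10, 7, 18, 30), 500000, b"pkt-oct07-b"),
    (epoch(2003, 10, 8, 0, 0), 0, b"pkt-oct08"),
]


def build_sample_pcap(records, order="<"):
    """Constructed pcap (linktype 1 = Ethernet, snaplen 65535) in the given byte order."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(
        struct.pack(order + "IIII", sec, usec, len(p), len(p)) + p for sec, usec, p in records
    )
    return hdr + body


if __name__ == "__main__":
    capture = build_sample_pcap(SAMPLE_RECORDS)
    out, kept = filter_bytes(capture, epoch(2003, 10, 7), epoch(2003, 10, 8))
    print(f"kept {kept} of {len(SAMPLE_RECORDS)} records, {len(out)} bytes")
```

Because the output keeps the original global header and copies records unchanged, the result opens in any pcap-aware tool (tcpdump -r, ethereal) exactly like the original, only shorter. For a file on disk, pass two opened binary files to filter_by_time instead of the in-memory wrapper; only one record is held in memory at a time, so a 550MB capture is no problem.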

