Re: [fw-wiz] [OT] tcpdump parsing

• Previous message: Marcus J. Ranum: "Re: [fw-wiz] Firewall log analysis tools"
• In reply to: Devdas Bhagat: "Re: [fw-wiz] [OT] tcpdump parsing"
• Next in thread: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
• Reply: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Wed, 8 Oct 2003 16:32:34 -0400

Thus spake Devdas Bhagat (devdas@dvb.homelinux.org) [08/10/03 15:58]:
> tcpslice(8).
> From the manual:
> Tcpslice is a program for extracting portions of packet-
> trace files generated using tcpdump(1)'s -w flag. It can
> also be used to glue together several such files, as dis-
> cussed below.
>
> The basic operation of tcpslice is to copy to stdout all
> packets from its input file(s) whose timestamps fall
> within a given range. The starting and ending times of
> the range may be specified on the command line. All
> ranges are inclusive.
> <snip>

Someone else suggested it to me, and this is what I see:

    [damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 99y10m07d +24h dump.refined.out
    dump.out Mon Oct 6 15:47:49 2003 Wed Oct 8 10:03:23 2003
    start Wed Oct 6 19:00:00 1999
    stop Thu Oct 7 14:00:00 1999
    [damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 100y10m07d +24h dump.refined.out
    dump.out Mon Oct 6 15:47:49 2003 Wed Oct 8 10:03:23 2003
    start Tue Oct 6 19:00:00 1970
    stop Wed Oct 7 14:00:00 1970
    [damian]@[pegmatite]:[~]%

It looks like either I've completely misunderstood their date formatting, or
else the version of tcpslice I have installed (from the base system on a
FreeBSD 5.1 install) is not Y2K compliant.

I've done some other digging, and have found out that about 99% of my dump
is between ports 25 and 32101. Now I just have to figure out why/how people
are connecting to 32101, as a full port scan of the computer has turned up
nothing but the standard Windows ports listening, three different times.

Since this has moved far and beyond the scope of the list, I'll refrain from
posting anything else.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Marcus J. Ranum: "Re: [fw-wiz] Firewall log analysis tools"
• In reply to: Devdas Bhagat: "Re: [fw-wiz] [OT] tcpdump parsing"
• Next in thread: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
• Reply: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: subversion on FreeBSD 4.10 ... I've upgraded all the ports including perl. ... # CFLAGS controls the compiler settings used when compiling C code. ... # or supported for compiling the world or the kernel - please revert any ... # To avoid running MAKEDEV all on /dev during install: ... (freebsd-questions) Re: newest PHP port upgrade broke php5-mbstring-5.0.1 ? ... # CFLAGS controls the compiler settings used when compiling C code. ... # or supported for compiling the world or the kernel - please revert any ... # certain ports. ... # To avoid running MAKEDEV all on /dev during install: ... (freebsd-questions) Re: mfi freebsd7 ... i did update my ports and install the 1.01.40 version... ... A RAID1 config shoudl suit a busy webserver well. ... To unsubscribe, send any mail to ... (freebsd-questions) Re: what do you think of these instructions for install & hardening? ... > adding some ports. ... % the core install. ... % between FreeBSD 5.4 and FreeBSD 6.0. ... interface addresses that match a network where I have absolutely no ... (comp.unix.bsd.freebsd.misc) Re: Newbie help! ... At some point does this automatically get run after ports are ... command ... install emacs on your own. ... more comfortable with lynx than links, so I'll show you how to get ... (freebsd-questions)