RE: TCP Dump Filters

From: Turner, Elliot (eturner@intrusion.com)
Date: 12/21/01


From: "Turner, Elliot" <eturner@intrusion.com>
To: "'Mark Coleman'" <mcoleman@uniontown.com>, JCFontelera@SolanoCounty.com, focus-ids@securityfocus.com
Date: Fri, 21 Dec 2001 10:44:21 -0600

Actually, TCPDump is capable of grabbing full frames.

You can control the amount of header+payload data that TCPDump captures
using the 'snaplen' command-line parameter.

Regards,

Elliot Turner

-----Original Message-----
From: Mark Coleman [mailto:mcoleman@uniontown.com]
Sent: Thursday, December 20, 2001 1:28 PM
To: JCFontelera@SolanoCounty.com; focus-ids@securityfocus.com
Subject: Re: TCP Dump Filters

I believe that TCPDump just grabs packet headers, so it can't watch for
anything in the payload, thus making it a poor choice for IDS beyond layer
4.

I have seen it used to detect connections to boxen that should never happen
for example, but NOT to see that an email attachment is called README.EXE.

I may be wrong on this one, but I don't think I am. You need something like
Snort for any good payload monitoring.

-Mark

----- Original Message -----
From: <JCFontelera@SolanoCounty.com>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, December 19, 2001 4:25 PM
Subject: TCP Dump Filters

> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures?
>
> Thanks,
> Jaime
