RE: TCP Dump Filters

From: Turner, Elliot
Date: 12/21/01

From: "Turner, Elliot"
To: "'Mark Coleman'"
Date: Fri, 21 Dec 2001 10:44:21 -0600

Actually, TCPDump is capable of grabbing full frames.

You can control the amount of header+payload data that TCPDump captures
using the 'snaplen' command-line parameter.


Elliot Turner

-----Original Message-----
From: Mark Coleman
Sent: Thursday, December 20, 2001 1:28 PM
Subject: Re: TCP Dump Filters

I believe that TCPDump just grabs packet headers, so it can't watch for
anything in the payload, thus making it a poor choice for IDS beyond layer

I have seen it used to detect connections to boxen that should never happen
for example, but NOT to see that an email attachment is called README.EXE.

I may be wrong on this one, but I don't think I am. You need something like
Snort for any good payload monitoring.


----- Original Message -----
Sent: Wednesday, December 19, 2001 4:25 PM
Subject: TCP Dump Filters

> Does anyone know a good web site that explains how
> to create TCPDUMP or windump filters to detect all sorts of
> attack signatures?
> Thanks,
> Jaime
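A constructed illustration of Elliot's snaplen point, added here and not part of the thread: the same HTTP request is saved once with the old 68-byte default snaplen and once with a full-frame snaplen, and only the second copy still contains the attachment name Mark mentions. The frame builder and the minimal pcap reader/writer below are simplified stand-ins for what tcpdump and libpcap do, not their code.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic, linktype 1 = Ethernet


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame carrying payload (checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen: int) -> bytes:
    """Emulate 'tcpdump -s <snaplen> -w': keep only the first snaplen bytes
    of each frame, but record the original length as the pcap format does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(cap), len(frame)) + cap
    return out


def read_records(pcap: bytes):
    """Yield (captured_bytes, original_length) for each record."""
    off = 24                                  # skip the global header
    while off < len(pcap):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl], orig
        off += incl


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet (14), IPv4 (IHL*4) and TCP (data offset*4) headers."""
    if len(frame) < 47:                       # too short to hold the TCP offset
        return b""
    ihl = (frame[14] & 0x0F) * 4
    doff = (frame[14 + ihl + 12] >> 4) * 4
    return frame[14 + ihl + doff:]


def payload_contains(pcap: bytes, needle: bytes) -> bool:
    """True if any record's *captured* TCP payload contains needle."""
    return any(needle in tcp_payload(cap) for cap, _ in read_records(pcap))


if __name__ == "__main__":
    frame = build_frame(b"GET /README.EXE HTTP/1.0\r\nHost: example.test\r\n\r\n")
    print(payload_contains(write_pcap([frame], 68), b"README.EXE"))     # False
    print(payload_contains(write_pcap([frame], 65535), b"README.EXE"))  # True
```

With 68 bytes of snaplen the 54 bytes of headers leave room for only 14 bytes of payload, so the filename is cut off; the pcap record still reports the frame's original length, which is how you can tell truncation happened after the fact.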