Re: TCP Dump Filters
From: Matt Bing (mbing@nfr.net)
Date: 12/21/01
Date: Fri, 21 Dec 2001 14:20:15 -0500
From: Matt Bing <mbing@nfr.net>
To: focus-ids@securityfocus.com

Derek Walker said:
> TCP dump can be given arguments as to how much of each packet to capture.
> With a snaplen of 1500 for instance, you will always capture pretty much
> the whole packet.
While this is true, I think the original poster was referring to writing
pattern matching syntaxes with tcpdump. tcpdump's BPF compiler (actually
libpcap's) is fairly limited and is mostly used for dealing with packet
headers, i.e. "tcp[13] & 3 != 0".
The full BPF syntax itself is not useful for advanced pattern matching (think
regex), as all of this is done in the kernel with an assembly-like syntax.
See the bpf manpage for more info.
For more advanced filtering, use a program that grabs all packets (or at
least those you might be interested in) and does more intelligent filtering
in user-space. ngrep is a good example:
http://www.packetfactory.net/projects/ngrep/
-- Matt Bing NFR Security Rapid Response Team
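The distinction Matt draws above, as an added illustration that is not part of the original thread: the header filter "tcp[13] & 3 != 0" tests one byte of the TCP header (the flags byte, where bit 0 is FIN and bit 1 is SYN), while ngrep-style matching runs a regex over the reassembled payload in user space. The packets below are constructed in the script; the function names are this example's own.

```python
import re
import struct

def tcp_offset(pkt: bytes) -> int:
    """Byte offset of the TCP header inside a raw IPv4 packet (no link layer)."""
    return (pkt[0] & 0x0F) * 4          # IHL field, in 32-bit words

def matches_bpf_flag_filter(pkt: bytes) -> bool:
    """Emulate tcpdump's 'tcp[13] & 3 != 0': true for any segment with SYN or FIN set."""
    if pkt[9] != 6:                     # IPv4 protocol field, 6 = TCP
        return False
    flags = pkt[tcp_offset(pkt) + 13]   # tcp[13] is indexed from the TCP header start
    return (flags & 0x03) != 0          # 0x01 = FIN, 0x02 = SYN

def tcp_payload(pkt: bytes) -> bytes:
    """Strip IPv4 and TCP headers (honouring the TCP data offset) to get the payload."""
    off = tcp_offset(pkt)
    data_off = (pkt[off + 12] >> 4) * 4
    return pkt[off + data_off:]

def payload_matches(pkt: bytes, pattern: bytes) -> bool:
    """User-space pattern match over the payload, the kind of check ngrep performs."""
    return re.search(pattern, tcp_payload(pkt)) is not None

def build_packet(tcp_flags: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags,
                      65535, 0, 0)
    return ip + tcp + payload

if __name__ == "__main__":
    syn = build_packet(0x02, b"")                                  # connection setup
    ack = build_packet(0x10, b"GET /cgi-bin/test HTTP/1.0\r\n\r\n")  # data segment
    for name, pkt in (("syn", syn), ("ack+data", ack)):
        print(name, "header filter:", matches_bpf_flag_filter(pkt),
              "payload regex:", payload_matches(pkt, rb"GET /cgi-bin/"))
```

Only the SYN segment passes the header filter, and only the data segment matches the regex: the BPF expression sees a fixed byte offset, the user-space pass sees the content.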