[SATLUG] help with tcpdump (grab a beer, it's a long post)

redpill toddwbucy at grandecom.net
Sat Feb 20 07:58:36 CST 2010


> Hi Todd,
> 
> First off - Drop the use of tee(1), I think you are confusing what you 
> feel like you need to /see/ versus what you need to feed to your packet 
> interrogator. (ie - tcpdump {switches} {either pipe to packet 
> interrogator, or look below for another option}
> 
> The file size issue is only an issue if you write to files that grow.  
> Write a script that does the following:
>    1) create a named pipe
>    2) start your dump redirecting the output to the named pipe and run 
> it in the background
>    3) start reading from the named pipe with your packet interrogator
>        Here is a hint ... interrogator < {named pipe}  (if you use 
> cat(1) here, the "gray beards" will come and knee-cap you for UUOC ;) )
>    4) send the anomalies from your packet interrogator to standard 
> out (in other words, don't redirect it)
>    5) when you run this new program, you can then take the output and 
> let it continue to go to the screen (STDOUT), or redirect it to 
> somewhere else
>    *) extra credit - use trap(1) to remove the named pipe upon program 
> termination
> 
> Sequencing and parsing of the packets is another venture.  My preference 
> would be PERL, but everyone has their favorite X for doing Y. :)
> 
> HTH,
> Channing
> 
> 
>  
thanks for the advice I will give it more thought.  I like the idea of a
named pipe.  I will experiment some more today to see what I come up
with.

Thanks
Todd
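The named-pipe pipeline Channing outlines (steps 1 through 5 plus the trap for cleanup), written out as an added example that is not part of the original thread. The "interrogator" is a constructed awk rule (flag TCP SYNs to any destination port not on an allow-list); the sample tcpdump-style lines are constructed so the script runs offline, and the interface name in the live mode is only a placeholder.

```sh
#!/bin/sh
# Added example, not from the SATLUG thread: tcpdump -> named pipe -> interrogator,
# with nothing ever written to a growing file.
set -u

# Step 1: create a private FIFO and print its path.
make_fifo() {
    _f="${TMPDIR:-/tmp}/capture.$$.$1.fifo"
    rm -f "$_f"
    mkfifo -m 600 "$_f" || return 1
    printf '%s\n' "$_f"
}

# Steps 3/4: the packet interrogator. Reads "tcpdump -l -n" text on stdin and
# writes one line per anomaly to stdout. Constructed rule: a TCP SYN (Flags [S])
# to a destination port not listed in WATCH_OK (default 22 80 443) is an alert.
interrogate() {
    awk -v ok="${WATCH_OK:-22 80 443}" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        /Flags \[S\]/ {
            dst = ""
            # tcpdump -n prints "src > dst:"; the destination is the field after ">"
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            sub(/:$/, "", dst)
            m = split(dst, p, ".")
            port = p[m]
            if (dst != "" && !(port in allowed))
                printf "ALERT syn to %s from %s at %s\n", dst, $3, $1
        }'
}

# Step 2 + step 5 + extra credit: run the producer command into the FIFO in the
# background, read the FIFO with the interrogator, let alerts go to stdout, and
# trap so the FIFO is removed however the script ends.
capture_pipeline() {
    producer="$1"
    fifo=$(make_fifo pipe) || return 1
    trap 'rm -f "$fifo"' EXIT INT TERM
    ( eval "$producer" ) > "$fifo" &
    prod_pid=$!
    interrogate < "$fifo"     # no cat(1) here; the shell redirect is enough
    wait "$prod_pid"
    rm -f "$fifo"
    trap - EXIT INT TERM
}

# Constructed sample of "tcpdump -l -n" output standing in for a live capture.
demo_producer() {
    cat <<'EOF'
12:00:00.000001 IP 192.168.1.10.51515 > 10.0.0.5.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.168.1.10.51516 > 10.0.0.5.23: Flags [S], seq 2, win 64240, length 0
12:00:00.000003 IP 10.0.0.5.23 > 192.168.1.10.51516: Flags [S.], seq 3, ack 3, win 65535, length 0
12:00:00.000004 IP 192.168.1.10.51517 > 10.0.0.5.443: Flags [S], seq 4, win 64240, length 0
12:00:00.000005 IP 192.168.1.10.51518 > 10.0.0.5.3389: Flags [S], seq 5, win 64240, length 0
EOF
}

# Usage: "sh capture.sh demo" runs the offline sample; "sh capture.sh live eth0"
# (interface name is a placeholder) feeds a real capture through the same FIFO.
# tcpdump -l line-buffers stdout so lines reach the pipe promptly; -n skips DNS.
case "${1:-}" in
    demo) capture_pipeline demo_producer ;;
    live) capture_pipeline "tcpdump -l -n -i ${2:-eth0} tcp" ;;
esac
```

Because the interrogator reads from the FIFO rather than a file, the capture never accumulates on disk; if the interrogator falls behind, the writer simply blocks on the pipe, which is the trade-off to keep in mind when the anomaly rules get expensive.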
