[SATLUG] help with tcpdump (grab a beer its a long post)

Don Davis dondavis at reglue.org
Sun Feb 21 08:31:15 CST 2010

This is an interesting thread.

What are you checking for? RST packets received right after syn packets? 
Not receipt of ack packets after syn-ack packets?

What approach will you take?
Would keeping a list of received syn packets on the stack and removing 
them when ack packets are received or tracking all the syn-ack packets 
you send and waiting for the ack packets work?

Which tcpdump switches did he not need?

Channing wrote:
> redpill wrote:
>> Update: Before I sent out the last post, I forgot to check the test
>> file, which was empty.
>> I have changed the script as such:
>> sudo tcpdump -nXSe -C 256 -G 30 -i wlan0 -W 120 'tcp[13]==18 ||
>> tcp[13]==16 || tcp[13]=4 || tcp[13]==2 || tcp[13]=1'| tee
>> tcpdump/text/tcpdump.021910.
>> The problem is that the text files are still not written sequentially and
>> packets are all in one text file.  Is it possible to output directly to
>> awk in some way? 
>> Thanks
>> Todd
> Hi Todd,
> First off - Drop the use of tee(1), I think you are confusing what you 
> feel like you need to /see/ versus what you need to feed to your packet 
> interrogator. (ie - tcpdump {switches} {either pipe to packet 
> interrogator, or look below for another option})
> The file size issue is only an issue if you write to files that grow.  
> Write a script that does the following:
>   1) create a named pipe
>   2) start your dump redirecting the output to the named pipe and run it 
> in the background
>   3) start reading from the named pipe with your packet interrogator
>       Here is a hint ... interrogator < {named pipe}  (if you use cat(1) 
> here, the "gray beards" will come and knee-cap you for UUOC ;) )
>   4) send the anomalies from your packet interrogator to standard out 
> (in other words, don't redirect it)
>   5) when you run this new program, you can then take the output and let 
> it continue to go to the screen (STDOUT), or redirect it to somewhere else
>   *) extra credit - use trap(1) to remove the named pipe upon program 
> termination
> Sequencing and parsing of the packets is another venture.  My preference 
> would be PERL, but everyone has their favorite X for doing Y. :)
> HTH,
> Channing
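
The named-pipe procedure quoted above, combined with the SYN-list idea raised at the top of this message, as an added example that is not part of the original thread. The function names, the sample packet lines and the `Flags [...]` one-line tcpdump text format are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: capture command -> named pipe -> packet interrogator.
# Assumes tcpdump's one-line text output, where field 7 looks like "[S],".

# Interrogator: remember each SYN, forget it once the sender ACKs,
# and report a RST that comes back from the SYN's destination.
interrogate() {
    awk '
        { src = $3; dst = $5; sub(/:$/, "", dst); flags = $7 }
        flags == "[S],"                           { syn[src " " dst] = 1; next }
        flags == "[.]," && ((src " " dst) in syn) { delete syn[src " " dst]; next }
        flags ~ /^\[R/  && ((dst " " src) in syn) {
            print "RST after SYN: " dst " -> " src
            delete syn[dst " " src]
        }'
}

# Steps 1-5 plus the trap; "$@" is the capture command to run in the background.
run_pipeline() (
    dir=$(mktemp -d) || exit 1
    fifo="$dir/packets.fifo"
    trap 'rm -rf "$dir"' EXIT        # extra credit: remove the pipe on termination
    trap 'exit 1' INT TERM HUP       # make signals go through the EXIT trap
    mkfifo -m 600 "$fifo" || exit 1  # 1) create the named pipe, owner-only
    "$@" > "$fifo" &                 # 2) capture writes to the pipe, in background
    interrogate < "$fifo"            # 3) read the pipe; 4) anomalies go to stdout
    wait
)

# Constructed sample lines standing in for live tcpdump output.
sample_capture() {
    cat <<'EOF'
08:31:15.000001 IP 10.0.0.5.51000 > 10.0.0.1.80: Flags [S], seq 1000, win 65535, length 0
08:31:15.000002 IP 10.0.0.1.80 > 10.0.0.5.51000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
08:31:15.000003 IP 10.0.0.5.51000 > 10.0.0.1.80: Flags [.], ack 2001, win 65535, length 0
08:31:15.000004 IP 10.0.0.5.51001 > 10.0.0.1.23: Flags [S], seq 3000, win 65535, length 0
08:31:15.000005 IP 10.0.0.1.23 > 10.0.0.5.51001: Flags [R.], seq 0, ack 3001, win 0, length 0
EOF
}

# Live use (needs root; -l line-buffers tcpdump so the reader sees packets promptly):
#   run_pipeline tcpdump -n -l -i wlan0 tcp
run_pipeline sample_capture
```

Because the pipe never grows on disk, the file-size and rotation switches are not needed on this path, and the output of `run_pipeline` can be left on the screen or redirected as in step 5.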
