Tcpdump: Difference between revisions
No edit summary |
No edit summary |
Line 24: | Line 24: | ||
shorten tcpdump or snoop files by time via wireshark example | shorten tcpdump or snoop files by time via wireshark example | ||
"\Program Files\Wireshark\editcap" -A "2013-08-24 18:18:21" -B "2013-08-24 18:18:22" linuxbaremetal_to_nexenta-nexenta_pov.snoop linuxbaremetal_to_nexenta-nexenta_pov-1sec.snoop | "\Program Files\Wireshark\editcap" -A "2013-08-24 18:18:21" -B "2013-08-24 18:18:22" linuxbaremetal_to_nexenta-nexenta_pov.snoop linuxbaremetal_to_nexenta-nexenta_pov-1sec.snoop | ||
== Chrooting in Gentoo == | |||
Wut? | |||
<pre> | |||
04:45:39 athena@athena /var/lib/tcpdump # ls -la /tmp/curl.out | |||
ls: cannot access /tmp/curl.out: No such file or directory | |||
04:45:42 athena@athena /var/lib/tcpdump # tcpdump -i lo -w /tmp/curl.out | |||
tcpdump: /tmp/curl.out: No such file or directory | |||
04:45:46 athena@athena /var/lib/tcpdump # | |||
04:53:02 athena@athena /var/lib/tcpdump # strace tcpdump -i lo -w /tmp/curl.out | |||
chroot("/var/lib/tcpdump") = 0 | |||
chdir("/") = 0 | |||
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory) | |||
open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) | |||
setgroups32(1, [116]) = 0 | |||
setgid32(116) = 0 | |||
setuid32(106) = 0 | |||
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0DcZ\267", 8) = 0 | |||
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR) | |||
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 | |||
recv(3, 0xbfa9742f, 1, MSG_TRUNC) = -1 EAGAIN (Resource temporarily unavailable) | |||
fcntl64(3, F_SETFL, O_RDWR) = 0 | |||
setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0w\267\340\300\35\10", 8) = 0 | |||
open("/tmp/curl.out", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory) | |||
write(2, "tcpdump: ", 9tcpdump: ) = 9 | |||
write(2, "/tmp/curl.out: No such file or d"..., 40/tmp/curl.out: No such file or directory) = 40 | |||
write(2, "\n", 1 | |||
) = 1 | |||
exit_group(1) = ? | |||
</pre> |
Revision as of 21:53, 25 March 2014
also Wireshark
Dump Syslog packets (tcp)
tcpdump -XSs 0 host 192.168.1.20 and tcp dst port 514 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 22:02:40.666403 IP mummu.52726 > cydonia.shell: P 2549598918:2549598957(39) ack 2091700838 win 2920 0x0000: 4500 004f 8c6c 4000 4006 2a98 c0a8 0114 E..O.l@.@.*..... 0x0010: c0a8 0140 cdf6 0202 97f7 cac6 7cac d266 ...@........|..f 0x0020: 5018 0b68 bf60 0000 3c31 333e 4e6f 7620 P..h.`..<13>Nov. 0x0030: 3231 2030 303a 3032 3a31 3020 4f70 656e 21.00:02:10.Open 0x0040: 5772 7420 726f 6f74 3a20 7465 7374 0a Wrt.root:.test.
ip.dst == 98.158.95.104 and tcp.dstport == 993
Wireshark
shorten tcpdump or snoop files by time via wireshark example
"\Program Files\Wireshark\editcap" -A "2013-08-24 18:18:21" -B "2013-08-24 18:18:22" linuxbaremetal_to_nexenta-nexenta_pov.snoop linuxbaremetal_to_nexenta-nexenta_pov-1sec.snoop
Chrooting in Gentoo
Wut? The strace below explains it: before opening the -w output file, tcpdump chroots to /var/lib/tcpdump and drops privileges (setgid 116, setuid 106), so "/tmp/curl.out" is resolved inside that chroot and fails with ENOENT because no such path exists under /var/lib/tcpdump.
04:45:39 athena@athena /var/lib/tcpdump # ls -la /tmp/curl.out ls: cannot access /tmp/curl.out: No such file or directory 04:45:42 athena@athena /var/lib/tcpdump # tcpdump -i lo -w /tmp/curl.out tcpdump: /tmp/curl.out: No such file or directory 04:45:46 athena@athena /var/lib/tcpdump # 04:53:02 athena@athena /var/lib/tcpdump # strace tcpdump -i lo -w /tmp/curl.out chroot("/var/lib/tcpdump") = 0 chdir("/") = 0 open("/proc/sys/kernel/ngroups_max", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/group", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) setgroups32(1, [116]) = 0 setgid32(116) = 0 setuid32(106) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0\0\0DcZ\267", 8) = 0 fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 recv(3, 0xbfa9742f, 1, MSG_TRUNC) = -1 EAGAIN (Resource temporarily unavailable) fcntl64(3, F_SETFL, O_RDWR) = 0 setsockopt(3, SOL_SOCKET, SO_ATTACH_FILTER, "\1\0w\267\340\300\35\10", 8) = 0 open("/tmp/curl.out", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = -1 ENOENT (No such file or directory) write(2, "tcpdump: ", 9tcpdump: ) = 9 write(2, "/tmp/curl.out: No such file or d"..., 40/tmp/curl.out: No such file or directory) = 40 write(2, "\n", 1 ) = 1 exit_group(1) = ?