On Thu, Mar 3, 2011 at 09:43, Mike Viau <vi...@sheridanc.on.ca> wrote:
> > On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802...@jasonhsu.com> wrote:
> > > I have it installed, and I can look up the parameters in the command.
> > > What I don't understand is how I use it to investigate intrusions. Can
> > > someone shed some light on this?
> >
> > What kind of intrusions are you looking for? TCPDump is a packet analyzer, so
> > what is analyzed is based on what filters you are looking for. TCPDump uses
> > the libpcap library to capture packets. You can receive the packets based on
> > the protocol type. You can specify one of these protocols — fddi, tr, wlan,
> > ip, ip6, arp, rarp, decnet, tcp and udp.
> >
> > You may also specify a port number to monitor, which is nice if you are
> > investigating a particular service. Or an IP address if you are interested
> > in a specific host.
> >
> > The filters may be used in combination by and'ing / or'ing them together.
> > I tend to wrap my filters in single quotes, for example:
> >
> >     tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
> >
> > One tip is to pass the -n switch when running, because DNS queries slow down
> > captures.
> >
> > Hope that helps :)
> >
> > -M
> >
> > Archive: http://lists.debian.org/bay148-w174ae84d50a7f526d341e4ef...@phx.gbl

Tcpdump and Ethereal are very similar in terms of capture filters. They both use libpcap.
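The thread above explains how to narrow a capture with a BPF filter and the -n switch, but not what to do with the lines tcpdump then prints. The following is an added example, not code from the original thread or from the tcpdump project: a small Python script that parses the IPv4/TCP summary lines tcpdump emits under -n and flags any source that sent SYN-only packets to several distinct ports on one host, which is the classic footprint of a port scan. The sample lines, the host 10.0.0.1 and the threshold of five ports are constructed for the example; the capture-filter string in the comment uses tcpdump's documented `tcp[tcpflags]` syntax so that the capture and the analysis agree on what "SYN only" means.

```python
import re
from collections import defaultdict

# Capture filter (assumed, for illustration) that keeps only SYN-without-ACK
# segments aimed at the host under investigation, so the pcap stays small:
#   tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst host 10.0.0.1'

# One IPv4/TCP summary line as tcpdump -n prints it (numeric, no DNS lookups).
# Non-matching lines (ARP, ICMP, IPv6, ...) are skipped by parse_line().
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for a TCP summary line, or None for anything else."""
    m = TCP_LINE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],          # e.g. "S", "S.", ".", "P."
    }


def syn_only(pkt):
    """True for a bare SYN (no ACK), i.e. a new connection attempt."""
    return pkt["flags"] == "S"


def find_scanners(lines, dst_host, min_ports=5):
    """Map each source that sent bare SYNs to at least min_ports distinct
    ports on dst_host to the sorted list of those ports."""
    ports = defaultdict(set)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != dst_host or not syn_only(pkt):
            continue
        ports[pkt["src"]].add(pkt["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample of tcpdump -n output: one host probing six ports,
# one normal client completing a handshake on port 80, one single SSH
# connection attempt, and an ARP line that the parser must ignore.
SAMPLE = """\
10:21:05.100000 IP 192.168.1.50.51234 > 10.0.0.1.21: Flags [S], seq 1, win 1024, length 0
10:21:05.100100 IP 192.168.1.50.51234 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0
10:21:05.100200 IP 192.168.1.50.51234 > 10.0.0.1.23: Flags [S], seq 1, win 1024, length 0
10:21:05.100300 IP 192.168.1.50.51234 > 10.0.0.1.25: Flags [S], seq 1, win 1024, length 0
10:21:05.100400 IP 192.168.1.50.51234 > 10.0.0.1.80: Flags [S], seq 1, win 1024, length 0
10:21:05.100500 IP 192.168.1.50.51234 > 10.0.0.1.443: Flags [S], seq 1, win 1024, length 0
10:21:06.000000 IP 192.168.1.20.40001 > 10.0.0.1.80: Flags [S], seq 100, win 65535, length 0
10:21:06.000500 IP 10.0.0.1.80 > 192.168.1.20.40001: Flags [S.], seq 200, ack 101, win 65535, length 0
10:21:06.001000 IP 192.168.1.20.40001 > 10.0.0.1.80: Flags [.], ack 201, win 65535, length 0
10:21:06.002000 IP 192.168.1.20.40001 > 10.0.0.1.80: Flags [P.], seq 101:200, ack 201, win 65535, length 99
10:21:07.000000 IP 192.168.1.30.50000 > 10.0.0.1.22: Flags [S], seq 5, win 65535, length 0
10:21:08.000000 ARP, Request who-has 10.0.0.1 tell 192.168.1.20, length 28
""".strip().splitlines()


if __name__ == "__main__":
    # In practice feed it the capture: tcpdump -n -r capture.pcap | python3 this.py
    for src, ports in find_scanners(SAMPLE, "10.0.0.1").items():
        print(f"{src} sent bare SYNs to {len(ports)} ports on 10.0.0.1: {ports}")
```

The threshold is the only tunable: lower it and ordinary clients that open a few services will show up, raise it and a slow, targeted probe will not. The same distinct-port grouping also works on a whole pcap replayed with `tcpdump -n -r`, which is how the "investigate intrusions" question in the thread is usually answered in practice.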