On Thu, Mar 3, 2011 at 09:43, Mike Viau <vi...@sheridanc.on.ca> wrote:

>
> > On Wed, 2 Mar 2011 22:00:41 -0600 <jhsu802...@jasonhsu.com> wrote:
> >
> > I have it installed, and I can look up the parameters in the command.
> >
> > What I don't understand is how I use it to investigate intrusions.  Can
> someone shed some light on this?
> >
>
> What kind of intrusions are you looking for? TCPDump is a packet analyzer so
> what is analyzed is based on what filters you are looking for. TCPDump uses
> the libpcap library to capture packets. You can receive the packets based on
> the protocol type. You can specify
> one of these protocols — fddi, tr, wlan, ip, ip6, arp, rarp, decnet,
> tcp and udp.
>
> You may also specify a port number to monitor which is nice if you are
> investigating a particular service. Or an IP address if you are interested
> in a specific host.
>
> The filters may be used in combination by and'ing / or'ing them together.
> I tend to wrap my filters in single quotes, for example: tcpdump -i eth0 -n
> 'tcp and port 80 and dst 10.0.0.1'
>
> One tip is to pass the -n switch when running because DNS queries slow down
> captures.
>
> Hope that helps :)
>
>
> -M
>
>
>
>
Tcpdump and Ethereal are very similar in terms of capture filters.  They
both use libpcap.
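Mike's description of filter primitives (a protocol name, a port, a host, with optional src/dst qualifiers) being and'ed and or'ed together can be seen concretely with a small evaluator. The following Python block is an added example, not code from this thread or from tcpdump/libpcap: it parses a subset of tcpdump's filter syntax (protocol keywords, `host`, `port`, `src`/`dst`, `and`/`or`/`not`, parentheses) and applies it to a constructed list of decoded packet records, then summarises how many distinct destination ports each source contacted, the kind of question an investigator asks of a capture. The packet records, addresses and ports are constructed sample data; real tcpdump matches against live traffic or a saved capture, e.g. `tcpdump -n -r capture.pcap 'tcp and port 80 and dst 10.0.0.1'`.

```python
"""Evaluate a subset of tcpdump/BPF filter syntax over constructed packet records."""

# Protocol keywords and the packet-record field each one tests; the direction
# tables give the fields a host/port primitive inspects for src, dst or either.
PROTOCOL_LAYER = {"ip": "net", "ip6": "net", "arp": "net", "rarp": "net",
                  "tcp": "proto", "udp": "proto"}
HOST_FIELDS = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}
PORT_FIELDS = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}

def _and(left, right): return lambda pkt: left(pkt) and right(pkt)
def _or(left, right): return lambda pkt: left(pkt) or right(pkt)
def _not(inner): return lambda pkt: not inner(pkt)

class FilterParser:  # recursive descent: 'not' binds tightest, then 'and', then 'or'
    def __init__(self, expression):
        self.tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return token

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = _or(node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_factor()
        while self.peek() in ("and", "&&"):
            self.take()
            node = _and(node, self.parse_factor())
        return node

    def parse_factor(self):
        token = self.peek()
        if token in ("not", "!"):
            self.take()
            return _not(self.parse_factor())
        if token == "(":
            self.take()
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        return self.parse_primitive()

    def parse_primitive(self):
        token = self.take()
        if token in PROTOCOL_LAYER:          # e.g. 'tcp' tests proto, 'arp' tests net
            layer, proto = PROTOCOL_LAYER[token], token
            return lambda pkt: pkt[layer] == proto
        direction = None
        if token in ("src", "dst"):          # 'dst 10.0.0.1' defaults to a host match
            direction, token = token, self.take()
        if token in ("host", "port"):
            kind, value = token, self.take()
        else:
            kind, value = "host", token
        if kind == "port":
            want, fields = int(value), PORT_FIELDS[direction]
        else:
            want, fields = value, HOST_FIELDS[direction]
        return lambda pkt: any(pkt[field] == want for field in fields)

def apply_filter(expression, packets):
    """Return the packets matched by a tcpdump-style filter expression."""
    parser = FilterParser(expression)
    predicate = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [pkt for pkt in packets if predicate(pkt)]

def ports_touched_per_source(packets):
    """Defender's summary: distinct destination ports each source host contacted."""
    seen = {}
    for pkt in packets:
        if pkt["dport"] is not None:
            seen.setdefault(pkt["src"], set()).add(pkt["dport"])
    return {src: len(ports) for src, ports in seen.items()}

# Constructed sample records standing in for decoded packets; not a real capture.
SAMPLE_PACKETS = [
    {"net": "ip", "proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.1", "sport": 51000, "dport": 80},
    {"net": "ip", "proto": "tcp", "src": "192.0.2.10", "dst": "10.0.0.2", "sport": 51001, "dport": 80},
    {"net": "ip", "proto": "udp", "src": "10.0.0.1", "dst": "10.0.0.53", "sport": 40000, "dport": 53},
    {"net": "ip", "proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.1", "sport": 42000, "dport": 22},
    {"net": "ip", "proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.1", "sport": 42001, "dport": 23},
    {"net": "ip", "proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.1", "sport": 42002, "dport": 25},
    {"net": "arp", "proto": None, "src": "10.0.0.9", "dst": "10.0.0.1", "sport": None, "dport": None},
]
```

Running `apply_filter("tcp and port 80 and dst 10.0.0.1", SAMPLE_PACKETS)` returns only the first record, exactly what Mike's example filter would keep; feeding `apply_filter("tcp and dst 10.0.0.1", SAMPLE_PACKETS)` into `ports_touched_per_source` shows one source touching a single port and another touching three, which is the sort of pattern worth a closer look during an investigation. Note that `not` binds more tightly than `and`, so `not port 80 and tcp` means `(not port 80) and tcp`, and parentheses are needed to group alternatives such as `(port 22 or port 23)`.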
