Thanks all!!

> What other constraints do you have?

None really, I am root on the machine on my side. I was thinking of starting a snooper, running ftp, stopping ftp and then seeing what was transferred over the ftp control channel.

> Can you change the configuration, temporarily, of the tools you
> wish to spy on the network connections of?

I don't think it's possible.

> The man page for tcpdump ...

Uhm yes, but I did say that the man page doesn't necessarily help, nor that tcpdump does the job at hand. About http://www.ethereal.com/docs/user-guide/chap03.html, quote: "Ethereal uses the libpcap filter language for capture filters. This is explained in the tcpdump man page. If you can understand it, you are a better man than I am, Gunga Din!" Well said. But I have seen worse than man tcpdump.

> Alternatively, capture everything, click on one of the early TCP data
> packets, look under tools for a TCP stream analysis option. That gives
> you a dump of the conversation, colour-coded by direction.

Thanks Theuns, looks like it's what I'm after (content only, to /dev/null with the headers). Should try that.

> It has been a while since I used it but from memory I think ngrep does what
> you want.

[click click install] Great! It still displays some header info and doesn't assemble packet content seamlessly, but it's a very good start. However, I can't get this expression %&@U&#%^&&!. I can spell regexp and primitives and token etc, but this is a headache.

man ngrep:

  port port
      True if either the source or destination port of the packet is port.
  host host
      True if either the IP source or destination of the packet is host.

Plus some and/or/not stuff. Ok, tcp traffic with 1.2.3.4 port 21:

> ngrep -d eth0 . tcp port ftp and host ftp.orcon.net.nz
interface: eth0 (1.1.1.1/255.255.255.0)
filter: ip and ( tcp port ftp and host ftp.orcon.net.nz )
match: .
#
U 1.1.1.1:1068 -> 203.96.152.4:53
  }............ftp.orcon.net.nz.....
#
U 203.96.152.4:53 -> 1.1.1.1:1068
  }............ftp.orcon.net.nz........

Great. Not.

Why the f****** does it print the udp DNS lookup? I assume the grep is performed on data of packets matching the expression, although the man page doesn't say that. It would be extremely useful if the expression was printed after it has been parsed, instead of blurting back the command line. And regardless of what error is in the expression, the error message is always "pcap compile: illegal char '.'", very informative. It's the same PITA as with tcpdump...

Somewhere I must be missing something essential...

Volker

--
Volker Kuhlmann, list0570 at paradise dot net dot nz
http://volker.orcon.net.nz/
Please do not CC list postings to me.

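What the post is after, a `tcp port 21 and host X` selection followed by a per-direction dump of the control channel with the headers thrown away, can be written out by hand to see exactly which packets such a filter admits. The following is an added example, not code from the post, from ngrep or from Ethereal. It builds a small constructed pcap (addresses modelled on the output above, payloads invented, checksums left zero), applies the same port/host test the man page describes to each parsed packet, and reassembles each direction in sequence order the way Ethereal's TCP stream view does. A UDP DNS query to the same host is included and is correctly excluded by the `tcp` test; a late retransmission of one client segment is included to show the overlap handling.

```python
"""Follow an FTP control-channel stream out of a (constructed) pcap, no libpcap needed."""
import struct

def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_frame(src_ip, dst_ip, sport, dport, payload, proto=6, seq=0):
    """Ethernet II + IPv4 + TCP (proto 6) or UDP (proto 17) frame; checksums stay zero."""
    eth = bytes(12) + b"\x08\x00"                      # zero MACs, ethertype IPv4
    if proto == 6:                                     # data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + l4

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then (16-byte record header, frame)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield one dict per IPv4 TCP/UDP frame: proto, src, dst, sport, dport, seq, payload."""
    magic, = struct.unpack_from("<I", data, 0)
    assert magic == 0xA1B2C3D4, "only the classic little-endian pcap format is handled here"
    pos = 24
    while pos + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        proto, src, dst = ip[9], bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20])
        l4 = ip[ihl:total_len]
        if proto == 6:
            sport, dport, seq = struct.unpack_from("!HHI", l4, 0)
            payload = l4[(l4[12] >> 4) * 4:]           # skip header incl. TCP options
        elif proto == 17:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            seq, payload = None, l4[8:]
        else:
            continue
        yield {"proto": proto, "src": src, "dst": dst, "sport": sport,
               "dport": dport, "seq": seq, "payload": payload}

def matches(pkt, port, host):
    """Same test as the libpcap expression `tcp port <port> and host <host>`."""
    return (pkt["proto"] == 6 and port in (pkt["sport"], pkt["dport"])
            and host in (pkt["src"], pkt["dst"]))

def follow_stream(pcap_bytes, port, host):
    """Return {direction: bytes}: each direction's payload in sequence order,
    with retransmitted/overlapping bytes dropped (content only, no headers)."""
    segments = {}
    for pkt in parse_pcap(pcap_bytes):
        if matches(pkt, port, host) and pkt["payload"]:
            key = f'{pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}'
            segments.setdefault(key, {})[pkt["seq"]] = pkt["payload"]
    streams = {}
    for key, segs in segments.items():
        buf, expected = bytearray(), None
        for seq in sorted(segs):
            data = segs[seq]
            if expected is not None and seq < expected:
                data = data[expected - seq:]           # bytes already copied: a retransmit
            buf += data
            expected = max(expected or 0, seq + len(segs[seq]))
        streams[key] = bytes(buf)
    return streams

CLIENT, SERVER = "1.1.1.1", "203.96.152.4"            # constructed, modelled on the post's output

def sample_capture():
    """Constructed FTP login over port 21 plus one DNS query; frames deliberately out of order."""
    c = lambda seq, text: build_frame(CLIENT, SERVER, 1068, 21, text, seq=seq)
    s = lambda seq, text: build_frame(SERVER, CLIENT, 21, 1068, text, seq=seq)
    dns_query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03ftp\x05orcon\x03net\x02nz\x00\x00\x01\x00\x01"
    frames = [
        build_frame(CLIENT, SERVER, 1068, 53, dns_query, proto=17),   # UDP: must not match
        s(1000, b"220 FTP server ready\r\n"),
        c(5000, b"USER anonymous\r\n"),
        s(1022, b"331 Please specify the password.\r\n"),
        c(5016, b"PASS guest@example.invalid\r\n"),
        c(5000, b"USER anonymous\r\n"),                # late retransmission of an earlier segment
        s(1056, b"230 Login successful.\r\n"),
        c(5044, b"QUIT\r\n"),
        s(1079, b"221 Goodbye.\r\n"),
    ]
    return build_pcap(frames)

if __name__ == "__main__":
    for direction, content in follow_stream(sample_capture(), 21, SERVER).items():
        print(direction)
        print(content.decode("ascii"))
```

Running it prints the two directions of the conversation as plain text, which also makes the point the capture exercise rests on: whatever the client sends on the control channel, USER and PASS included, is readable by anyone who can see the wire.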