On Sun, Dec 22, 2002 at 04:32:48PM -0500, Jerry Shenk wrote:
> I captured traffic between these two boxes using tcpdump (tcpdump -s 4000 -w
> test.dump host 10.1.1.12 and host 10.1.1.3).

Why use a snaplen of 4000? If you want the whole packet, use '-s 0', which captures the whole packet whatever size it has.

> I then reviewed the traffic after nessus was done. Initially, I just looked at
> it all (tcpdump -r test.dump | less). Then I used grep to pull out only
> packets with the SYN flag set going from 10.1.1.3 (NW6 box).

What a cumbersome way to do these things. Read the manpage for tcpdump and you will learn that you can do something like:

    tcpdump -r test.dump 'src host 10.1.1.3 and tcp[13] = 2'

(It needs to be single-quoted because of the '[' and ']'.)

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
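The filter 'tcp[13] = 2' works because byte 13 of the TCP header is the flags byte, and a value of exactly 2 means SYN alone (a SYN/ACK is 0x12 and would not match). The following is an added example, not part of Michael's message or of tcpdump itself: it builds a few Ethernet/IPv4/TCP frames between the two hosts from the thread (constructed sample data, with checksums left at zero) and applies the same test in Python, locating the flags byte through the IP header length the way the BPF 'tcp[13]' offset does, and treating a frame cut short by a small snaplen as a non-match. The function and variable names are the example's own.

```python
import struct
import ipaddress

SYN = 0x02
ACK = 0x10
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, flags, ip_options=b""):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left at 0
    (constructed sample data; tcpdump does not verify them by default)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4
    # TCP header: ports, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0x4000, 64, IPPROTO_TCP, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    ) + ip_options
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def src_ip(frame):
    """Source address sits at IP header offset 12, before any IP options."""
    return str(ipaddress.IPv4Address(frame[26:30]))


def tcp_flags(frame):
    """Return the TCP flags byte (BPF's tcp[13]), or None if the frame is not
    IPv4/TCP or was truncated before the flags byte (e.g. a short snaplen)."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4          # header length, options included
    if frame[ip_start + 9] != IPPROTO_TCP:
        return None
    tcp_start = ip_start + ihl                   # this is what tcp[...] indexes from
    if len(frame) < tcp_start + 14:
        return None
    return frame[tcp_start + 13]


def syn_only_from(frames, host):
    """Same selection as: tcpdump -r test.dump 'src host HOST and tcp[13] = 2'."""
    return [f for f in frames if src_ip(f) == host and tcp_flags(f) == SYN]


def syn_bit_set_from(frames, host):
    """Looser variant 'tcp[13] & 2 != 0': also matches SYN/ACK replies."""
    return [f for f in frames if src_ip(f) == host and (tcp_flags(f) or 0) & SYN]


# Constructed sample capture (not the thread's real test.dump):
FRAMES = [
    build_frame("10.1.1.3", "10.1.1.12", 40001, 80, SYN),            # client SYN
    build_frame("10.1.1.12", "10.1.1.3", 80, 40001, SYN | ACK),      # server SYN/ACK
    build_frame("10.1.1.3", "10.1.1.12", 40001, 80, ACK),            # client ACK
    build_frame("10.1.1.3", "10.1.1.12", 40002, 443, SYN,            # SYN with IP options
                ip_options=b"\x01\x01\x01\x01"),
    build_frame("10.1.1.3", "10.1.1.12", 40003, 22, SYN)[:40],       # cut off by a tiny snaplen
]

if __name__ == "__main__":
    for f in syn_only_from(FRAMES, "10.1.1.3"):
        print("SYN from", src_ip(f), "flags=0x%02x" % tcp_flags(f))
```

The fourth frame shows why the filter indexes from the start of the TCP header rather than a fixed byte offset: with IP options present the flags byte moves, and tcpdump's 'tcp[13]' follows it. The fifth frame is what a snaplen shorter than the headers produces; it yields no flags byte at all, which is the practical reason for '-s 0' when the dump is meant to be analysed later.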
