A snaplen of 0 doesn't work for me - I get a "tcpdump: invalid snaplen 0".
-----Original Message-----
From: Michael Boman [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 23, 2002 10:03 AM
To: Jerry Shenk
Cc: [EMAIL PROTECTED]
Subject: [OT] Re: Raptor Weak ISN rule - #11057

On Sun, Dec 22, 2002 at 04:32:48PM -0500, Jerry Shenk wrote:
> I captured traffic between these two boxes using tcpdump (tcpdump -s 4000 -w
> test.dump host 10.1.1.12 and host 10.1.1.3).

Why use a snaplen of 4000? If you want the whole packet do '-s 0', as it takes the whole packet whichever size it has.

> I then reviewed the traffic after nessus was done. Initially, I just looked at it all (tcpdump -r
> test.dump | less). Then I used grep to pull out only packets with the SYN
> flag set going from 10.1.1.3 (NW6 box).

What a cumbersome way to do these things... read the manpage to tcpdump and you will learn that you can do something like:

tcpdump -r test.dump 'src host 10.1.1.3 and tcp[13] = 2'

(need to be single-quoted because of the '[' and ']')

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
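The filter Michael gives, as an added worked example (this is not code from the thread; the capture below is constructed, and only the two addresses are taken from Jerry's mail): a small Python reader that applies 'src host 10.1.1.3 and tcp[13] = 2' to a pcap file, next to the looser 'tcp[13] & 2 != 0'. The difference matters for the ISN question in the subject line: tcp[13] = 2 matches only segments whose flag byte is exactly SYN, while a SYN/ACK has tcp[13] = 18 (SYN|ACK), so if 10.1.1.3 is the box answering Nessus, its ISNs sit in SYN/ACKs and the '= 2' form drops every one of them. The reader also skips any record whose snaplen cut it off before the flags byte, which is what a too-short -s does to this kind of analysis. The ISN values and the constant 64 step between them are invented to show what a weak-ISN delta list looks like.

```python
"""Added example: pure-Python equivalent of
    tcpdump -r test.dump 'src host 10.1.1.3 and tcp[13] = 2'
run over a constructed pcap, plus the 'tcp[13] & 2 != 0' form that keeps SYN/ACKs."""
import socket
import struct
from typing import Iterator, List, NamedTuple

PCAP_MAGIC = 0xA1B2C3D4           # classic libpcap magic (native byte order)
LINKTYPE_ETHERNET = 1
SYN, RST, ACK = 0x02, 0x04, 0x10  # bit values in the TCP flags byte, i.e. tcp[13]


class TcpPkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: int


def _frame(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Ethernet/IPv4/TCP frame for the constructed capture; checksums left 0 (nothing checks them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def _pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap file: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1040659200 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


# Constructed sample (assumption, not a real trace): a probe from 10.1.1.12 answered by
# 10.1.1.3, then an outbound SYN and another SYN/ACK from 10.1.1.3. Its ISNs step by a
# constant 64, the kind of pattern a weak-ISN check is looking for.
SAMPLE_PCAP = _pcap([
    _frame("10.1.1.12", "10.1.1.3", 40001, 80, 1000, 0, SYN),
    _frame("10.1.1.3", "10.1.1.12", 80, 40001, 0x10000000, 1001, SYN | ACK),
    _frame("10.1.1.12", "10.1.1.3", 40001, 80, 1001, 0x10000001, ACK),
    _frame("10.1.1.3", "10.1.1.12", 1025, 25, 0x10000040, 0, SYN),
    _frame("10.1.1.3", "10.1.1.12", 80, 40002, 0x10000080, 2001, SYN | ACK),
    _frame("10.1.1.12", "10.1.1.3", 40002, 80, 2001, 0x10000081, RST | ACK),
])


def tcp_packets(pcap: bytes) -> Iterator[TcpPkt]:
    """Walk a classic pcap file and yield every IPv4/TCP packet whose flags byte was captured."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        data = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
            continue                                # not IPv4, or not TCP
        tcp_off = 14 + (data[14] & 0x0F) * 4        # honour IP options, as BPF's tcp[] does
        if len(data) < tcp_off + 14:
            continue                                # snaplen cut the record before tcp[13]
        src, dst = socket.inet_ntoa(data[26:30]), socket.inet_ntoa(data[30:34])
        sport, dport, seq = struct.unpack("!HHI", data[tcp_off:tcp_off + 8])
        yield TcpPkt(src, dst, sport, dport, seq, data[tcp_off + 13])


def syn_only_from(pcap: bytes, host: str) -> List[TcpPkt]:
    """'src host HOST and tcp[13] = 2': flags byte exactly SYN, so SYN/ACKs are excluded."""
    return [p for p in tcp_packets(pcap) if p.src == host and p.flags == SYN]


def syn_set_from(pcap: bytes, host: str) -> List[TcpPkt]:
    """'src host HOST and tcp[13] & 2 != 0': SYN bit set, SYN/ACKs included."""
    return [p for p in tcp_packets(pcap) if p.src == host and p.flags & SYN]


def isn_deltas(packets: List[TcpPkt]) -> List[int]:
    """Differences between successive ISNs (mod 2^32); a constant small step is the weak-ISN signature."""
    seqs = [p.seq for p in packets]
    return [(b - a) & 0xFFFFFFFF for a, b in zip(seqs, seqs[1:])]


if __name__ == "__main__":
    for p in syn_set_from(SAMPLE_PCAP, "10.1.1.3"):
        print(f"{p.src}:{p.sport} > {p.dst}:{p.dport} flags=0x{p.flags:02x} seq={p.seq:#010x}")
    print("ISN deltas:", isn_deltas(syn_set_from(SAMPLE_PCAP, "10.1.1.3")))
```

Run it directly for a tcpdump-like listing, or replace SAMPLE_PCAP with open('test.dump', 'rb').read() to go over a real capture (classic pcap only, not pcapng). Both BPF's tcp[13] and this reader locate the flags byte through the IP header length, so IP options do not shift it; what does break it is a snaplen shorter than the headers, which is why the reader drops such records rather than misreading a payload byte as flags.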
