[3188] in bugtraq


Re: Tracking tools?

daemon@ATHENA.MIT.EDU (Michael Ryan)
Sat Aug 17 19:44:09 1996

Date: 	Thu, 15 Aug 1996 23:08:15 BST
Reply-To: mike@NetworX.ie
From: Michael Ryan <mike@NetworX.ie>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

On Wed, 14 Aug 1996 23:56:41 -0400 David Miller wrote:

> I've got a tcpdump of the network while a hacker broke into a machine. I
> created it on a FreeBSD system with tcpdump -w .... (filters omitted).
>
> I can read the file back just fine with a tcpdump -r, and dump the raw
> data with a -x, but that's less than real useful.
>
> Can anyone point out some tools I might apply to this dump file in order
> to track the session which actually hacked root?  I'd most like to see
> one of the monitoring programs which can be fed from the dump file, but
> I'd be happy with something which would give me an ascii dump of the
> data portions of selected packets.

I wrote a utility a few months ago called "tcpshow".  It provides pretty
much a complete decode of the headers and an ASCII decode of the data, in
packets collected by tcpdump.  It should prove quite useful to you in
analysing your data.  It doesn't decode application layer protocols, but
that's okay most of the time, because the apps transmit (mostly) ASCII.

I've currently got it stored at
http://www.cs.berkeley.edu/~daw/mike/tcpshow.c
The manpage is at
http://www.cs.berkeley.edu/~daw/mike/tcpshow.1

Check it out and I hope it's useful to you.  I find it invaluable.


Mike
<mike@NetworX.ie>
---
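The kind of decode the message above describes, a header decode of each packet in a tcpdump -w capture plus a printable-ASCII view of the data portion, filtered down to one TCP connection, written out as an added example in Python. This is not tcpshow and not code from the original post; the capture it reads is constructed inline (a four-segment telnet login from 10.0.0.5:40123 to 10.0.0.9:23, with hypothetical addresses and zeroed checksums) so that it runs offline, and the function names are the example's own. It handles only the classic libpcap file format, Ethernet framing, IPv4 and TCP, which is the common case for a capture like the one asked about.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a native-endian pcap written on x86
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic, file written big-endian (e.g. on a SPARC box)
TCP_FLAGS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20)]


def build_sample_pcap():
    """Constructed sample capture (not from the original post): SYN, SYN/ACK,
    a server banner and a client login line, framed the way tcpdump -w writes them."""
    def ip_tcp(src, dst, sport, dport, seq, ack, flags, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
        return eth + ip + tcp

    frames = [
        (840000000, 0, ip_tcp("10.0.0.5", "10.0.0.9", 40123, 23, 1000, 0, 0x02, b"")),
        (840000000, 500, ip_tcp("10.0.0.9", "10.0.0.5", 23, 40123, 5000, 1001, 0x12, b"")),
        (840000001, 0, ip_tcp("10.0.0.9", "10.0.0.5", 23, 40123, 5001, 1001, 0x18, b"login: ")),
        (840000003, 0, ip_tcp("10.0.0.5", "10.0.0.9", 40123, 23, 1001, 5008, 0x18, b"root\r\n")),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def flag_str(flags):
    """Render the TCP flag byte the way tcpdump does, e.g. 0x12 -> 'SA'."""
    return "".join(name for name, bit in TCP_FLAGS if flags & bit)


def ascii_dump(payload):
    """Printable ASCII view of a data portion; anything non-printable becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers from one captured frame; None if not TCP/IP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                             # protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]                                    # respects IP options and Ethernet padding
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4                                  # data offset, skips TCP options
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flag_str(tcp[13]), "payload": tcp[doff:]}


def parse_pcap(data):
    """Walk a classic pcap file (as written by tcpdump -w) and decode every TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled in this example")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        pkt = decode_frame(frame)
        if pkt:
            pkt["ts"] = sec + usec / 1e6
            pkts.append(pkt)
    return pkts


def follow_session(pkts, client, server):
    """Data bytes of one connection in capture order, as (direction, payload) pairs.
    client and server are (ip, port) tuples; '>' is client-to-server, '<' the reverse."""
    out = []
    for p in pkts:
        ends = ((p["src"], p["sport"]), (p["dst"], p["dport"]))
        if ends == (client, server) and p["payload"]:
            out.append((">", p["payload"]))
        elif ends == (server, client) and p["payload"]:
            out.append(("<", p["payload"]))
    return out


if __name__ == "__main__":
    packets = parse_pcap(build_sample_pcap())       # for a real file: parse_pcap(open(path, "rb").read())
    for p in packets:
        print(f"{p['ts']:.6f} {p['src']}:{p['sport']} > {p['dst']}:{p['dport']} "
              f"[{p['flags']}] seq={p['seq']} ack={p['ack']} len={len(p['payload'])}")
        if p["payload"]:
            print("    " + ascii_dump(p["payload"]))
    for direction, data in follow_session(packets, ("10.0.0.5", 40123), ("10.0.0.9", 23)):
        print(direction, ascii_dump(data))
```

Swap the sample for `open("dump", "rb").read()` and the (ip, port) pair of the suspect connection to pull one session out of a larger capture. Sequence numbers are decoded but the output is in capture order, so retransmissions and out-of-order segments show up as repeated or shuffled lines rather than being reassembled; for an interactive login that is usually readable as is, and the seq/ack values let you sort it out by hand when it is not.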
