LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-10-2011, 08:38 PM   #16
dirtydog7655
Member
 
Registered: Jan 2011
Posts: 47

Original Poster
Rep: Reputation: 0

I thought so. Judging by all of the editing he was doing to previous posts and making them the longest forum post you had ever seen, I was kind of expecting something.

You on the other hand, Unix, have been a tremendous help, and for that I thank you a ton!
 
Old 03-10-2011, 08:50 PM   #17
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Much thanks for those compliments!
 
Old 03-10-2011, 09:48 PM   #18
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by unixfool
I've reported this thread to an admin. Apparently, someone has a history of trolling.
Thanks for the report. I've moved all the OT posts here.

Hopefully this thread can get back on topic now.

Last edited by win32sux; 03-11-2011 at 10:05 AM.
 
Old 03-11-2011, 01:27 PM   #19
dirtydog7655
Member
 
Registered: Jan 2011
Posts: 47

Original Poster
Rep: Reputation: 0
Thank you very much, Win, for both moving them and locking that post! Super thanks!

Now! Back on topic! My friend was telling me that he found a GREAT site for tcpdump. Sadly he forgot to mention the name of that site! Any ideas of one? I have found the man page for it, which, by the way, is huge, like you said!
 
Old 03-11-2011, 01:38 PM   #20
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Here's an interesting site about tcpdump:
http://danielmiessler.com/study/tcpdump/

To verify, this is for educational purposes ONLY.

Josh
 
2 members found this post helpful.
Old 03-12-2011, 12:38 AM   #21
dirtydog7655
Member
 
Registered: Jan 2011
Posts: 47

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by corp769
Here's an interesting site about tcpdump:
http://danielmiessler.com/study/tcpdump/

To verify, this is for educational purposes ONLY.

Josh
hahah. Funny you should mention that site, because yesterday I came across it. Then today my friend was telling me about a site that had a wealth of knowledge on it for tcpdump. He failed to tell me the name of the site, so I sent him a message and he told me it was that one haha! I haven't looked into it a whole lot, but I have a little. Will definitely check it out if two people recommend it. Which they do haha.
 
Old 03-12-2011, 12:50 AM   #22
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Check out packetstormsecurity on the web, they have lots of information too, just so you know.
 
Old 03-12-2011, 01:00 AM   #23
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by corp769
Here's an interesting site about tcpdump:
http://danielmiessler.com/study/tcpdump/

To verify, this is for educational purposes ONLY.

Josh
This is a pretty good tutorial/howto/help page for tcpdump. Thanks for sharing!

Oh, and BTW, you aren't going to damage anything with tcpdump...no need for a disclaimer, IMO. On a properly configured system, a normal user won't be able to run it (I believe it'll put the sniffed interface within promisc mode...that would require escalated privs).
 
Old 03-12-2011, 01:03 AM   #24
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Oh I know but I would rather be safe than sorry, especially with the normally strict rules on LQ.
 
Old 03-12-2011, 03:48 AM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by unixfool
This is a pretty good tutorial/howto/help page for tcpdump. Thanks for sharing!
Indeed a nice one.


Quote:
Originally Posted by unixfool
Oh, and BTW, you aren't going to damage anything with tcpdump...no need for a disclaimer, IMO.
I know you meant "damaging" in other ways (not the fault of the tool but the intention of the user) but still, from the obvious-PEBCAK-department:
Code:
]# tcpdump -n -i eth1 -w /etc/shadow
. OTOH running
Code:
]# tcpdump -n -i eth1 -w /var/log/tcpdump.pcap
seems innocuous until one day one finds services refuse to run and one can no longer log in (as in filled up /var partition) :-]
 
Old 03-12-2011, 01:05 PM   #26
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by unSpawn

I know you meant "damaging" in other ways (not the fault of the tool but the intention of the user) but still, from the obvious-PEBCAK-department:
Code:
]# tcpdump -n -i eth1 -w /etc/shadow
. OTOH running
Code:
]# tcpdump -n -i eth1 -w /var/log/tcpdump.pcap
seems innocuous until one day one finds services refuse to run and one can no longer log in (as in filled up /var partition) :-]
Haha!

You'd have to be root to run it, though...I see the hash prompt. Or use sudo. Usually people that already have root access or can run it via sudo are trusted enough to have those types of permissions. The only other way would be to crack the system or apply social engineering. I've not heard of people purposely using tcpdump to fill up a drive slice. It can be done, but there are more direct ways of purposely borking a system, IMO. I have heard of coworkers leaving a tcpdump recording session going until the system's drive slice fills, though...these were by accident. These were security engineers who did this...these guys typically have escalated privileges to troubleshoot system errors and such. The 'lessons learned' from those instances were to cap the recording process (collect only 1 gig worth of logs, for instance, which tcpdump will allow you to do, or to create elaborate filters such as only looking for a certain protocol [tcp port 21 to a certain destination, for instance]).

From a malicious user standpoint, it's a bit difficult to abuse tcpdump. If you've access to tcpdump, you probably have access to more potentially destructive commands. The combination of destructive potential of certain commands and escalated permissions along with intent can be deadly, but I think intent has the greatest weight in the above cases.
 
1 members found this post helpful.
Old 03-12-2011, 01:10 PM   #27
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Yeah, I never heard of anyone using tcpdump in a malicious way. I always thought you really couldn't do much, unless you were trying to fill up useless space, as said before.
 
Old 03-12-2011, 02:05 PM   #28
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by unixfool
If you've access to tcpdump, you probably have access to more potentially destructive commands.
True. I did state PEBCAK though but never mind, it appears I'll have to have a look at my humor lexer again. Or avoid attempts at injecting humor altogether. Yeah, that prolly works best for me :-]

I'd say let's get back to the topic.

Last edited by unSpawn; 03-12-2011 at 02:10 PM.
 
1 members found this post helpful.
Old 03-12-2011, 08:47 PM   #29
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
For the snaplen, I've found that the parameter requirements change according to platform... I'll have to check again, but I'd thought that OBSD's parameters were different than Linux's. Of all the options, -s is probably the most crucial, IMO. Without a full view, whatever you're looking for could be missed.

Also, whatever you record in tcpdump can also be viewed via snort (and the reverse also applies).

Last edited by unixfool; 03-12-2011 at 08:50 PM.
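The operational points raised in this part of the thread (unSpawn's "-w /etc/shadow" and filled-up /var examples in #25, unixfool's "cap the recording process" and narrow-filter lessons in #26, and the snaplen remark in #29) as an added example, not code from any poster: a POSIX sh helper that composes a tcpdump command with an explicit -s, size-based rotation via -C/-W so total disk use is bounded, privilege dropping via -Z, and a bare output name that is forced under a dedicated capture directory. The directory (/var/tmp/captures), the unprivileged user (nobody), the interface name, the filter and the 192.0.2.10 address are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Composes a bounded tcpdump
# capture command so a recording session cannot silently fill a partition
# or be pointed at a system file. Assumed: a dedicated, writable capture
# directory and the standard tcpdump options -i -n -s -C -W -Z -w.

CAPTURE_DIR="${CAPTURE_DIR:-/var/tmp/captures}"   # assumed dedicated directory
DROP_USER="${DROP_USER:-nobody}"                   # assumed unprivileged user for -Z

# build_capture_cmd IFACE NAME SNAPLEN FILE_MB FILE_COUNT [FILTER...]
# Prints the tcpdump command line on stdout; returns 1 on a bad argument.
# -C rotates the savefile every FILE_MB * 1,000,000 bytes and -W keeps at
# most FILE_COUNT files, so the on-disk footprint is bounded by their product.
build_capture_cmd() {
    iface=$1 name=$2 snaplen=$3 file_mb=$4 file_count=$5
    shift 5
    filter=$*

    [ -n "$iface" ] || { echo "interface required" >&2; return 1; }

    # The output name is a bare file name: no directory separators and no
    # leading dot, so a "-w /etc/shadow" style mistake cannot be expressed.
    case "$name" in
        ''|*/*|.*) echo "refusing output name '$name'" >&2; return 1 ;;
    esac

    # Snaplen, file size and file count must be non-negative integers
    # (snaplen 0 means "tcpdump's default maximum" on current releases).
    for n in "$snaplen" "$file_mb" "$file_count"; do
        case "$n" in
            ''|*[!0-9]*) echo "snaplen, size and count must be integers" >&2; return 1 ;;
        esac
    done
    [ "$file_mb" -gt 0 ] && [ "$file_count" -gt 0 ] || {
        echo "size and count must be positive" >&2; return 1; }

    out="$CAPTURE_DIR/$name.pcap"
    printf 'tcpdump -n -i %s -s %s -C %s -W %s -Z %s -w %s' \
        "$iface" "$snaplen" "$file_mb" "$file_count" "$DROP_USER" "$out"
    [ -n "$filter" ] && printf ' %s' "$filter"
    printf '\n'
}

# capture_budget_mb FILE_MB FILE_COUNT: worst-case disk use of the rotation.
capture_budget_mb() {
    echo $(( $1 * $2 ))
}

# Usage (constructed values): ten 100 MB files, about 1 GB in total, full
# snaplen, only FTP control traffic to one documentation-range host.
if [ "${1:-}" = "--demo" ]; then
    build_capture_cmd eth1 ftp-ctl 262144 100 10 'tcp port 21 and dst host 192.0.2.10'
    echo "disk budget: $(capture_budget_mb 100 10) MB"
fi
```

The printed command still has to be run as root (or via sudo) to open the interface, which is the point unixfool makes: the capture itself needs escalated privileges, and -Z hands the rest of the run to an unprivileged user, so the capture directory must be writable by that user. Keeping that directory on its own filesystem, rather than under /var/log, is what turns unSpawn's filled-up-/var scenario into a bounded, recoverable one; -C and -W together give the "collect only 1 gig" cap from #26, and tcpdump's -G option gives a time-based rotation if that fits better.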
 
Old 03-12-2011, 08:48 PM   #30
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by unSpawn
True. I did state PEBCAK though but never mind, it appears I'll have to have a look at my humor lexer again. Or avoid attempts at injecting humor altogether. Yeah, that prolly works best for me :-]

I'd say let's get back to the topic.
Yeah, I caught the humor.
 
  


