LinuxQuestions.org
Old 08-24-2007, 12:23 AM   #1
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Rep: Reputation: 15
Dsniff syntax for searching a pcap file?


I've been trying to play with Wireshark and dsniff to see what my machine is passing when I log on my AIM clients via Trillian and if it's passing anything different when I log on via Pidgin.

I used Wireshark on my local machine, against eth0, to capture packets as I logged on first Trillian, shut it down and then logged on Pidgin. It saved to a pcap file no problem, but I can't seem to get dsniff to search that pcap file.

For example, this is what I see:

Code:
fb2:/home/jukas/downloads# dsniff -p test.pcap AIM
dsniff: nids_init: Libnids not initialized
I've also tried -t AIM, or dsniff -p test.pcap | grep AIM (the first shows the same error, the latter shows nothing).


I installed dsniff from apt on Debian and Ubuntu. I'm just wondering if it's a syntax error, or really a library problem.
 
Old 08-26-2007, 05:36 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Doesn't Dsniff use Berkeley DB format instead? Maybe 'tcpreplay' the pcap and Dsniff from that?
 
Old 08-26-2007, 12:01 PM   #3
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
I get no joy using tcpreplay and dsniff. I've tried piping tcpreplay to dsniff, I've tried using the tcpreplay -W option to output to a file and dsniffing that, and I've tried running tcpreplay in verbose mode and piping a grep for a plaintext keyword I know was sent.

I figure one of three things is going on: 1) I don't know what I'm doing and am using the wrong syntax; 2) it's balking at the pcap file because it was created via Wireshark under Windows Vista; 3) my library files are pooched.

I'm voting for either 1 or 3.

Is what I linked in my first post the correct dsniff syntax to scan a pcap file for any packets going to the AIM service?
 
Old 08-26-2007, 05:45 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Dsniff uses a Berkeley database file, not a packet capture file (as in libpcap), so they're incompatible.
 
Old 08-26-2007, 11:52 PM   #5
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by unSpawn
Dsniff uses a Berkeley database file, not a packet capture file (as in libpcap), so they're incompatible.

Weird, when I checked the manpage it makes it seem like it can read a pcap file.

Quote:
-p pcapfile
Rather than processing the contents of packets observed
upon the network process the given PCAP capture file.

I also tried running dsniff in a separate screen, listening on eth0, and then using tcpreplay on the pcap file, and I still can't find what I'm looking for.

I guess it's time to start searching for a new piece of software.
 
Old 08-28-2007, 12:09 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by Jukas
Weird, when I checked the manpage it makes it seem like it can read a pcap file.
Hmm. Mine doesn't. Weird. Can you read the file OK with tcpdump (use -n -nn and a BPF expression if it's a large file)?
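One way to do the sanity check unSpawn asks for, before blaming dsniff or libnids: confirm the file really is a well-formed libpcap capture (valid magic, Ethernet link type, no truncated records) and that it actually contains traffic on the port being looked for. This is an added example, not code from the thread or from dsniff; it reads the libpcap format directly in plain Python, assumes AIM's OSCAR port 5190 for the sample lookup, and builds its sample capture inline rather than reading test.pcap.

```python
import struct
# Constructed sample data, not a capture from the thread: a minimal libpcap 2.4 file
# (linktype 1 = Ethernet) holding two IPv4/TCP frames, to TCP ports 5190 and 80.
_MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">",   # classic magic, little/big-endian file
           0xa1b23c4d: "<", 0x4d3cb2a1: ">"}   # nanosecond-timestamp variant

def pcap_byte_order(raw):
    # The magic is written in the writer's native order; read little-endian, it tells us which.
    magic = struct.unpack("<I", raw[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    return _MAGICS[magic]

def summarize_pcap(raw, port):
    """Validate the global header, walk every record, count TCP packets on `port`."""
    if len(raw) < 24:
        raise ValueError("shorter than the 24-byte libpcap global header")
    endian = pcap_byte_order(raw)
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", raw[4:24])
    if linktype != 1:
        raise ValueError(f"link-layer type {linktype} is not Ethernet (1)")
    out = {"version": f"{major}.{minor}", "snaplen": snaplen, "packets": 0, "port_hits": 0}
    off = 24
    while off + 16 <= len(raw):
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", raw[off:off + 16])
        frame = raw[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError(f"record at offset {off} is truncated")
        off += 16 + incl_len
        out["packets"] += 1
        # Ethertype 0x0800 (IPv4) and IP protocol 6 (TCP); IHL locates the TCP header.
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 6:
            tcp_off = 14 + (frame[14] & 0x0F) * 4
            if len(frame) >= tcp_off + 4:
                sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
                if port in (sport, dport):
                    out["port_hits"] += 1
    return out

def _frame(sport, dport):  # one Ethernet/IPv4/TCP frame with an empty payload
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = b"\x45\x00" + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0) + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    return eth + ip + tcp

def build_sample(endian):  # "<" writes a little-endian file, ">" a big-endian one
    hdr = struct.pack(endian + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack(endian + "IIII", 0, 0, len(f), len(f)) + f
                    for f in (_frame(51000, 5190), _frame(51001, 80)))
    return hdr + recs
SAMPLE_PCAP = build_sample("<")
```

On a real file, `summarize_pcap(open("test.pcap", "rb").read(), 5190)` either returns the header fields and counts or raises with the first structural problem it hits, which separates "the capture is fine and dsniff can't read it" from "the capture itself is unusable".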
 
  

