Firewall Wizards mailing list archives
Re: [OT] tcpdump parsing
From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 16:32:34 -0400
Thus spake Devdas Bhagat (devdas () dvb homelinux org) [08/10/03 15:58]:
> tcpslice(8). From the manual:
>
>      Tcpslice is a program for extracting portions of packet-trace files
>      generated using tcpdump(1)'s -w flag.  It can also be used to glue
>      together several such files, as discussed below.
>
>      The basic operation of tcpslice is to copy to stdout all packets from
>      its input file(s) whose timestamps fall within a given range.  The
>      starting and ending times of the range may be specified on the command
>      line.  All ranges are inclusive.
> <snip>
Someone else suggested it to me, and this is what I see:

[damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 99y10m07d +24h dump.refined.out dump.out
Mon Oct  6 15:47:49 2003        Wed Oct  8 10:03:23 2003
start   Wed Oct  6 19:00:00 1999
stop    Thu Oct  7 14:00:00 1999
[damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 100y10m07d +24h dump.refined.out dump.out
Mon Oct  6 15:47:49 2003        Wed Oct  8 10:03:23 2003
start   Tue Oct  6 19:00:00 1970
stop    Wed Oct  7 14:00:00 1970
[damian]@[pegmatite]:[~]%

It looks like either I've completely misunderstood their date formatting, or
else the version of tcpslice I have installed (from the base system on a
FreeBSD 5.1 install) is not Y2K compliant.

I've done some other digging, and have found out that about 99% of my dump is
between ports 25 and 32101.  Now I just have to figure out why/how people are
connecting to 32101, as a full port scan of the computer has turned up nothing
but the standard Windows ports listening, three different times.

Since this has moved far and beyond the scope of the list, I'll refrain from
posting anything else.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
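The two operations the thread is circling around, cutting a tcpdump -w capture down to an inclusive timestamp range (what tcpslice does) and tallying which port pairs dominate the dump, are shown below as an added example. This is editor-supplied code, not tcpslice and not anything posted in the thread; it reads the classic pcap container directly so it runs offline on a capture constructed in memory (the frames, addresses and timestamps are made up, with checksums left at zero). It sidesteps tcpslice's date syntax entirely by taking plain epoch seconds, so the 99y/100y ambiguity seen above never arises.

```python
"""Slice a tcpdump -w (classic pcap) file by inclusive timestamp range and
tally TCP/UDP port pairs.  Added example; the sample capture is constructed."""
import struct
from calendar import timegm
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame_bytes) -> little-endian pcap bytes."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record; accepts either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        rec = struct.Struct("<IIII")
    elif magic == 0xD4C3B2A1:           # file written big-endian
        rec = struct.Struct(">IIII")
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = GLOBAL_HDR.size
    while off + rec.size <= len(data):
        sec, usec, incl, _orig = rec.unpack_from(data, off)
        off += rec.size
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated record at offset %d" % off)
        off += incl
        yield sec, usec, frame


def slice_pcap(data, start, stop):
    """Keep records with start <= timestamp <= stop (inclusive at both ends,
    matching tcpslice's documented semantics).  start/stop are epoch seconds."""
    kept = [(s, u, f) for s, u, f in read_pcap(data) if start <= s + u / 1e6 <= stop]
    return build_pcap(kept)


def frame_ports(frame):
    """(src_port, dst_port) for an Ethernet/IPv4 TCP or UDP frame, else None.
    Non-first IP fragments carry no transport header and are skipped."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    frag_off = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
    if proto not in (6, 17) or frag_off != 0 or len(frame) < 14 + ihl + 4:
        return None
    return struct.unpack_from("!HH", frame, 14 + ihl)


def port_histogram(data):
    """Packets per (src_port, dst_port) pair across the whole capture."""
    hist = Counter()
    for _s, _u, frame in read_pcap(data):
        ports = frame_ports(frame)
        if ports:
            hist[ports] += 1
    return hist


def tcp_frame(sport, dport):
    """Constructed minimal Ethernet/IPv4/TCP SYN (192.0.2.1 -> 192.0.2.2, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0]) + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


# Constructed capture spanning the same window as the post (UTC, assumed).
T0 = timegm((2003, 10, 6, 15, 47, 49, 0, 0, 0))
SAMPLE = build_pcap([
    (T0,         0, tcp_frame(1025, 25)),
    (T0 + 3600,  0, tcp_frame(1026, 25)),
    (T0 + 7200,  0, tcp_frame(32101, 1027)),
    (T0 + 86400, 0, tcp_frame(1028, 32101)),
    (T0 + 90000, 5, tcp_frame(1029, 80)),
])

if __name__ == "__main__":
    day = slice_pcap(SAMPLE, T0 + 3600, T0 + 86400)
    print("kept %d of %d packets" % (len(list(read_pcap(day))), len(list(read_pcap(SAMPLE)))))
    for (sp, dp), n in port_histogram(SAMPLE).most_common():
        print("%5d -> %5d : %d" % (sp, dp, n))
```

To use it on a real file, replace SAMPLE with `open("dump.out", "rb").read()` and write `slice_pcap(...)` out to a new file; the port tally is the quick way to confirm a claim like "99% of the dump is between ports 25 and 32101" before spending time on a port scan.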