Firewall Wizards mailing list archives

Re: [OT] tcpdump parsing


From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 16:32:34 -0400

Thus spake Devdas Bhagat (devdas () dvb homelinux org) [08/10/03 15:58]:
> tcpslice(8).
> From the manual:
>        Tcpslice is a program for extracting portions of packet-trace
>        files generated using tcpdump(1)'s -w flag.  It can also be
>        used to glue together several such files, as discussed below.
>
>        The basic operation of tcpslice is to copy to stdout all
>        packets from its input file(s) whose timestamps fall within a
>        given range.  The starting and ending times of the range may
>        be specified on the command line.  All ranges are inclusive.
<snip>

Someone else suggested it to me, and this is what I see:

    [damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 99y10m07d +24h dump.refined.out
    dump.out    Mon Oct  6 15:47:49 2003        Wed Oct  8 10:03:23 2003
    start   Wed Oct  6 19:00:00 1999
    stop    Thu Oct  7 14:00:00 1999
    [damian]@[pegmatite]:[~]% tcpslice -dr -w dump.out 100y10m07d +24h dump.refined.out
    dump.out    Mon Oct  6 15:47:49 2003        Wed Oct  8 10:03:23 2003
    start   Tue Oct  6 19:00:00 1970
    stop    Wed Oct  7 14:00:00 1970
    [damian]@[pegmatite]:[~]%

It looks like either I've completely misunderstood their date formatting, or
else the version of tcpslice I have installed (from the base system on a
FreeBSD 5.1 install) is not Y2K compliant.

I've done some other digging, and have found out that about 99% of my dump
is between ports 25 and 32101.  Now I just have to figure out why/how people
are connecting to 32101, as a full port scan of the computer has turned up
nothing but the standard Windows ports listening, three different times.

Since this has moved far and beyond the scope of the list, I'll refrain from
posting anything else.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
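Added example (not from the original thread, not tcpslice's code): a small Python model of tcpslice's basic operation, copying the packets of a tcpdump -w file whose timestamps fall inside an inclusive range, plus the two checks this message implicitly calls for. The first mirrors `tcpslice -d`: report the file's first and last timestamps and refuse a range that does not overlap them, which would have caught the 1999 and 1970 ranges above before an empty output file was written. The second tallies TCP destination ports, the way the "99% between ports 25 and 32101" observation would be produced. The pcap is constructed in memory (Ethernet/IPv4/TCP frames with zero checksums, dated to match the session above); the function names and the sample traffic are assumptions of this example.

```python
import calendar
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic microsecond-resolution pcap, little-endian here


def _ts(year, month, day, hour=0, minute=0, second=0):
    """UTC calendar time -> epoch seconds, so the example is timezone-independent."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def _tcp_frame(sport, dport):
    """Minimal Ethernet/IPv4/TCP SYN frame (constructed; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame_bytes) -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec, usec, data[off:off + incl]
        off += incl


def file_time_range(data):
    """(first, last) packet timestamp in seconds, like the file line of `tcpslice -d`."""
    stamps = [sec + usec / 1e6 for sec, usec, _ in iter_pcap(data)]
    return (min(stamps), max(stamps)) if stamps else None


def range_overlaps(data, start, stop):
    """Sanity check: does the requested [start, stop] touch the file's own time span?"""
    span = file_time_range(data)
    return span is not None and start <= span[1] and stop >= span[0]


def slice_pcap(data, start, stop):
    """tcpslice's basic operation: keep packets with start <= timestamp <= stop (inclusive)."""
    kept = [(sec, usec, frame) for sec, usec, frame in iter_pcap(data)
            if start <= sec + usec / 1e6 <= stop]
    return build_pcap(kept)


def dst_port_histogram(data):
    """Count TCP destination ports, the tally behind 'most of the dump is ports 25 and 32101'."""
    ports = Counter()
    for _sec, _usec, frame in iter_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4      # IPv4 header length in bytes
        if frame[23] != 6:
            continue                      # not TCP
        tcp = frame[14 + ihl:]
        if len(tcp) >= 4:
            ports[struct.unpack("!H", tcp[2:4])[0]] += 1
    return ports


# Constructed sample: four packets spanning the same dates as the dump in the message.
SAMPLE_PCAP = build_pcap([
    (_ts(2003, 10, 6, 15, 47, 49), 0, _tcp_frame(40001, 25)),
    (_ts(2003, 10, 7), 0, _tcp_frame(40002, 32101)),            # exactly on a slice boundary
    (_ts(2003, 10, 7, 12, 30), 250000, _tcp_frame(40003, 32101)),
    (_ts(2003, 10, 8, 10, 3, 23), 0, _tcp_frame(40004, 80)),
])

if __name__ == "__main__":
    print("file span:", file_time_range(SAMPLE_PCAP))
    for start, stop in [(_ts(2003, 10, 7), _ts(2003, 10, 8)),
                        (_ts(1999, 10, 6, 19), _ts(1999, 10, 7, 14))]:  # the mis-parsed range
        if not range_overlaps(SAMPLE_PCAP, start, stop):
            print("range", start, stop, "does not overlap the file; refusing to slice")
            continue
        out = slice_pcap(SAMPLE_PCAP, start, stop)
        print("kept", sum(1 for _ in iter_pcap(out)), "packets; dst ports:",
              dict(dst_port_histogram(out)))
```

Run it against a real capture by replacing `SAMPLE_PCAP` with the bytes of a `tcpdump -w` file; the overlap check is the part worth keeping in any slicing script, since an empty result from a bad date is silent otherwise.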