Date: Tue, 10 Jun 2008 09:46:23 -0500 (CDT)
From: R J
To: freebsd-net@freebsd.org
Subject: tcpdump/snort to capture chat sessions

I am trying to use tcpdump (or snort, but they are both behaving the same in this case) to capture all the lines or contents of an MSN chat session, the actual conversation. I am getting partial output; i.e., I'll only get half of a sentence, and I don't see the rest of the lines. And of course, a lot of it seems to be hex or obfuscated HTML?

What switches do I need to capture the entire lines of text? I am using these options with snort:

    snort -i hme1 -v -K None -X

That's sending output to stdout, which is fine with me.

Thanks for any pointers/suggestions/recommendations.

Robert