Date: Fri, 13 Jun 2008 16:14:40 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: Tom Judge <tom@tomjudge.com>
Cc: R J <rjohanne@wnk.hamline.edu>, Bill Moran <wmoran@collaborativefusion.com>, freebsd-net@freebsd.org
Subject: Re: tcpdump/snort to capture chat sessions
Message-ID: <20080613231440.GH3767@funkthat.com>
In-Reply-To: <48502F2C.7090505@tomjudge.com>
References: <Pine.LNX.4.64.0806100940230.24255@wnk.hamline.edu> <20080610120222.9e2760fe.wmoran@collaborativefusion.com> <48502F2C.7090505@tomjudge.com>
Tom Judge wrote this message on Wed, Jun 11, 2008 at 15:01 -0500:
> Bill Moran wrote:
> >In response to R J <rjohanne@wnk.hamline.edu>:
> >
> >>I am trying to use tcpdump (or snort, but they are both behaving the same
> >>in this case) to capture all the lines or contents of an msn
> >>chat session, the actual conversation. I am getting partial output; i.e.,
> >>I'll only get half of a sentence, and I don't see the rest of the lines.
> >>And of course, a lot of it seems to be hex or obfuscated html?
> >>
> >>What switches do I need to capture the entire lines of text?
> >
> >Don't know about snort, but with tcpdump use -s0
> >
> This is a good start however you are not guaranteed to see the whole
> chat message in a single TCP packet. If you are looking for something
> more advanced you will have to write a program around pcap/bpf or
> similar to read the TCP stream.

such as tcpflow, which reads tcpdump streams and outputs each TCP byte stream...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
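As an added illustration of the reassembly step Tom describes (this is not code from the thread, from tcpflow or from any chat client), the Python below rebuilds one direction of a TCP byte stream from constructed (seq, payload) segments, handling out-of-order arrival, a retransmission, sequence-number wrap and a lost segment:

```python
"""Reassemble a TCP byte stream from captured segments (added example).

tcpdump -s0 removes snaplen truncation, but one chat line can still be split
across several TCP segments, arrive out of order, or be retransmitted.
All segments below are constructed sample data, not a real capture.
"""

SEQ_MASK = 0xFFFFFFFF


def _rel(seq, base):
    # byte offset of seq from base, honouring 32-bit sequence-number wrap
    return (seq - base) & SEQ_MASK


def reassemble(segments, first_seq):
    """Return (stream_bytes, gaps) for one direction of a TCP connection.

    segments : iterable of (seq, payload) tuples in capture order
    first_seq: sequence number of the first payload byte (ISN + 1)
    gaps     : list of (start_off, end_off) byte ranges never captured;
               they are zero-filled so later data keeps its true offset.
    """
    stream, gaps, expected = bytearray(), [], 0
    # sort by stream offset so out-of-order arrivals land where they belong
    for seq, payload in sorted(segments, key=lambda s: _rel(s[0], first_seq)):
        off = _rel(seq, first_seq)
        if off < expected:
            # retransmission or overlap: keep the bytes already seen
            payload = payload[expected - off:]
            off = expected
        if not payload:
            continue
        if off > expected:
            gaps.append((expected, off))
            stream.extend(b"\x00" * (off - expected))
        stream.extend(payload)
        expected = off + len(payload)
    return bytes(stream), gaps


# constructed capture: one chat line split over three segments, seen out of
# order, with the middle segment retransmitted; ISN chosen so seq wraps
LINE = b"Are you coming to the meeting tonight?\r\n"
ISN = 0xFFFFFFF0
FIRST = (ISN + 1) & SEQ_MASK
P1, P2, P3 = LINE[:12], LINE[12:27], LINE[27:]
CAPTURE = [((FIRST + 27) & SEQ_MASK, P3), (FIRST, P1),
           ((FIRST + 12) & SEQ_MASK, P2), ((FIRST + 12) & SEQ_MASK, P2)]

if __name__ == "__main__":
    data, holes = reassemble(CAPTURE, FIRST)
    print(data.decode(), holes)
```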