From owner-freebsd-net@FreeBSD.ORG Fri Jun 13 23:49:35 2008
Date: Fri, 13 Jun 2008 16:14:40 -0700
From: John-Mark Gurney
To: Tom Judge
Cc: R J, Bill Moran, freebsd-net@freebsd.org
Subject: Re: tcpdump/snort to capture chat sessions
Message-ID: <20080613231440.GH3767@funkthat.com>
In-Reply-To: <48502F2C.7090505@tomjudge.com>
References: <20080610120222.9e2760fe.wmoran@collaborativefusion.com> <48502F2C.7090505@tomjudge.com>
List-Id: Networking and TCP/IP with FreeBSD
Tom Judge wrote this message on Wed, Jun 11, 2008 at 15:01 -0500:
> Bill Moran wrote:
> >In response to R J:
> >
> >>I am trying to use tcpdump (or snort, but they are both behaving the same
> >>in this case) to capture all the lines or contents of an MSN
> >>chat session, the actual conversation. I am getting partial output; i.e.,
> >>I'll only get half of a sentence, and I don't see the rest of the lines.
> >>And of course, a lot of it seems to be hex or obfuscated HTML?
> >>
> >>What switches do I need to capture the entire lines of text?
> >
> >Don't know about snort, but with tcpdump use -s0
>
> This is a good start, however you are not guaranteed to see the whole
> chat message in a single TCP packet. If you are looking for something
> more advanced you will have to write a program around pcap/bpf or
> similar to read the TCP stream.

such as tcpflow, which reads tcpdump streams and outputs each TCP byte stream...

--
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
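The point Tom and John-Mark make above (a chat line can straddle TCP segments, so the stream has to be reassembled by sequence number before the text is readable) as an added example, not code from the thread or from tcpflow; the segment tuples and the MSN-style MSG text are constructed, and the function assumes data-carrying segments have already been decoded from the capture.

```python
# Added example (not from the thread): per-flow TCP payload reassembly by
# sequence number, the step tcpflow performs and the reason a single packet
# (even with -s0) may hold only half of a chat line.
from collections import defaultdict

def reassemble(segments):
    """segments: (src, sport, dst, dport, seq, payload) tuples for TCP segments
    in capture order.  Returns {flow: bytes} holding each direction's contiguous
    byte stream from the lowest sequence number seen.  Data after a gap is held
    back so a segment missing from the capture cannot silently splice text."""
    flows = defaultdict(dict)            # flow -> {seq: payload}; a retransmit
    for src, sport, dst, dport, seq, payload in segments:   # with the same seq
        if payload:                      # simply replaces the earlier copy
            flows[(src, sport, dst, dport)][seq] = bytes(payload)
    streams = {}
    for flow, chunks in flows.items():
        stream, expect = bytearray(), min(chunks)
        for seq in sorted(chunks):
            data = chunks[seq]
            if seq > expect:
                break                    # hole in the stream: stop here
            skip = expect - seq          # bytes already delivered (overlap)
            if skip < len(data):
                stream += data[skip:]
                expect = seq + len(data)
        streams[flow] = bytes(stream)
    return streams

# Constructed sample (not a real capture): one MSN-style MSG command split
# across two segments that arrive out of order, the first one retransmitted,
# plus a second flow whose middle segment was dropped by the capture.
P1 = b"MSG alice Alice 76\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\n"
P2 = b"hello, are you still there?\r\n"
A = ("10.0.0.5", 1863, "10.0.0.9", 49152)
B = ("10.0.0.9", 49152, "10.0.0.5", 1863)
SAMPLE = [
    A + (1000 + len(P1), P2),            # second half arrives first
    A + (1000, P1),
    A + (1000, P1),                      # duplicate (retransmission)
    B + (5000, b"first line\r\n"),
    B + (5000 + len(b"first line\r\n") + 7, b"after a hole\r\n"),
]

def chat_text(flow):
    """Return the reassembled text for one direction of the constructed sample."""
    return reassemble(SAMPLE)[flow].decode("ascii")

if __name__ == "__main__":
    for flow, data in reassemble(SAMPLE).items():
        print(flow, data)
```

Flow A comes out as the complete MSG command even though neither segment held the whole line; flow B stops at the hole instead of gluing "after a hole" onto the first line.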