Date: Wed, 17 Jan 1996 03:16:59 -0700 (MST)
From: Phillip White <philw@megasoft.tic.ab.ca>
To: Michael Smith <msmith@atrad.adelaide.edu.au>
Cc: msmith@atrad.adelaide.edu.au, freebsd-questions@freebsd.org
Subject: Re: ethernet packet sniffer.
Message-ID: <Pine.BSF.3.91.960117030452.14808A-100000@megasoft.tic.ab.ca>
In-Reply-To: <199601170940.UAA02308@genesis.atrad.adelaide.edu.au>
On Wed, 17 Jan 1996, Michael Smith wrote:

> Phillip White stands accused of saying:
> > > > what I'm looking for but rather the same functionality that is in
> > > > Solaris's "snoop" command.
> > >
> > > Can you be more specific about what it is that tcpdump doesn't do?
> >
> > Sure.. From the way I see it function, it only shows packets not what is
> > in the packets. Like if someone is on your machine entering information
> > at any prompt ie. telnet, ftp, bash, etc you actually see what they are
> > typing, typically in a line going down the screen because it is streaming.
> > Tcpdump just shows the whole packet and what type the packet is, ie.
> > netbeui, tcp etc.. and where it is going or coming from etc..
>
> So what you want isn't an Ethernet packet sniffer at all, but a tty
> watcher. Look at the 'snp' device and the 'watch' command.

No, not at all. I use the watch command though and even made a suggestion
towards its functionality.

> Tcpdump will tell you (in exhaustive detail) exactly what's in a packet.
> Read the manpage and pay particular attention to the '-s' and '-x' options.
>
> As an example, 'tcpdump -vv -l -s 1600 -x' is pretty exhaustive. You will
> want a fast nameserver for this to be useful, try adding '-n' if you
> have problems with lost packets.

I've tried this and it does not show everything. On Solaris I can actually
watch the data being received from the news pull to INN, meaning if I was
fast enough (impossible) I could read the news as it comes through the feed.
The same with people logging into our Livingston portmaster: I can see that
they are messing around with commands that they have no access to, cause I
can see that they are attempting passwd hacks, cause I can see the passwds
they are entering at the password: prompt (normally not seen any other way),
or that they are entering enable commands etc. that they have no right to
access.

There is no watch command for this, hence the need for a Solaris type
"snoop" so I can sit here and analyze the data to a specific host and in raw
format. I'm not professed at analyzing TCP packets, so if there is a
particular byte range to be watching so you see raw data received (as said
with being able to see the data received in newsgroups), can it be specified
to "tcpdump"? I hope I am being clear? :-) I may be doing something wrong?
All I did with Solaris was (I believe) "snoop hostname", then it would say
"promiscuous mode", then off we go...

Phil...
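The question above asks for "a particular byte range to be watching" so that the raw data inside a TCP packet becomes visible, and the reply points at tcpdump's `-s` (snaplen) and `-x` (hex dump) options. The following is an added example, not code from either poster or from the FreeBSD project: it builds a constructed Ethernet/IPv4/TCP frame offline (no capture, no privileged socket) and walks the headers to find exactly where the application payload starts, which is the byte range a hex dump has to be read from. It also shows what happens when the snaplen is shorter than the packet, which is why `-s 1600` was suggested. The frame layout assumed is an untagged Ethernet II frame (14-byte header, no 802.1Q tag) carrying IPv4 and TCP; checksums in the constructed frame are left at zero because nothing here validates them.

```python
import socket
import struct

ETH_HDR_LEN = 14          # untagged Ethernet II header: dst MAC, src MAC, ethertype
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a sample Ethernet/IPv4/TCP frame for offline parsing.

    This is constructed test data, not a captured packet. Checksums are
    zero, sequence numbers are arbitrary, and the TCP header has no options.
    """
    # TCP: sport, dport, seq, ack, data offset (5 words) << 4, flags (PSH|ACK),
    # window, checksum, urgent pointer
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,
                          5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4: version/IHL=0x45, TOS, total length, id, flags/frag (DF), TTL,
    # protocol, checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # Ethernet: constructed MAC addresses followed by the IPv4 ethertype
    eth_hdr = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def tcp_payload(frame):
    """Locate the TCP payload inside a raw Ethernet frame.

    Returns a dict with addresses, ports, the byte offset at which the
    payload begins, the payload bytes actually present, and a 'truncated'
    flag set when the frame is shorter than the IP total length (the effect
    of a snaplen that is too small). Returns None for anything that is not
    IPv4 over untagged Ethernet carrying TCP.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes (>= 20)
    total_len = struct.unpack("!H", ip[2:4])[0]  # IP header + TCP header + payload
    if ip[9] != IPPROTO_TCP or ihl < 20 or len(ip) < ihl + 20:
        return None
    truncated = len(ip) < total_len
    tcp = ip[ihl:min(total_len, len(ip))]       # ignore Ethernet padding past total_len
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                   # TCP header length in bytes (>= 20)
    if doff < 20:
        return None
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport,
        "dport": dport,
        # absolute byte range in the frame where application data starts
        "payload_offset": ETH_HDR_LEN + ihl + doff,
        "payload": tcp[doff:],
        "truncated": truncated,
    }


def printable(data):
    """Render bytes the way a hex-dump's ASCII column does: '.' for non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    frame = build_frame("10.0.0.1", "10.0.0.2", 1025, 23, b"login: ")
    info = tcp_payload(frame)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    print(f"payload starts at byte {info['payload_offset']}: {printable(info['payload'])!r}")
    # Same frame cut to 68 bytes, the kind of short snaplen that hides payload
    short = tcp_payload(build_frame("10.0.0.1", "10.0.0.2", 1025, 23, b"A" * 40)[:68])
    print(f"truncated={short['truncated']}, {len(short['payload'])} of 40 payload bytes seen")
```

With a minimal IPv4 header and a TCP header without options, the payload begins at byte 54 of the frame; with IP or TCP options present the offset grows, which is why the code reads the IHL and data-offset fields instead of hard-coding 54. The truncation case is the practical point behind `-s`: whatever the snaplen cuts off is simply not in the capture, so no later decoding can recover it. Modern tcpdump also offers `-A` to print payload as ASCII alongside, or instead of, the `-x` hex dump.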