> On Wed, 2 Mar 2011 22:00:41 -0600 <[email protected]> wrote:
>
> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Can
> someone shed some light on this?
>
What kind of intrusions are you looking for? TCPDump is a packet analyzer, so
what is analyzed is based on what filters you are looking for. TCPDump uses the
libpcap library to capture packets. You can receive the packets based on the
protocol type. You can specify one of these protocols — fddi, tr, wlan, ip, ip6,
arp, rarp, decnet, tcp and udp.
You may also specify a port number to monitor which is nice if you are
investigating a particular service. Or an IP address if you are interested in a
specific host.
The filters may be used in combination by and'ing / or'ing them together. I
tend to wrap my filters in single quotes, for example:
tcpdump -i eth0 -n 'tcp and port 80 and dst 10.0.0.1'
One tip is to pass the -n switch when running because DNS queries slow down
captures.
Hope that helps :)
-M
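Added example, not part of this thread: a small Python evaluator for the tcpdump/libpcap filter syntax the reply describes (protocol names, host/port with optional src/dst, and/or/not, parentheses), run over constructed packet records so the effect of combining filters is visible without a live capture. The packet dict layout and the sample flows are assumptions made for the example; only a subset of the real grammar is handled.

```python
def compile_filter(expr):
    """Compile a tcpdump/libpcap-style filter into a predicate over packet dicts."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    def primary():  # a primitive, 'not' primitive, or parenthesised expression
        tok = toks.pop(0)  # IndexError here means the expression was truncated
        if tok == "(":
            node = expr_or()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "not":  # 'not' binds tighter than 'and', as in libpcap
            return (lambda sub: lambda p: not sub(p))(primary())
        if tok in ("ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp"):
            return lambda p: tok in p["layers"]
        direction = tok if tok in ("src", "dst") else None
        if direction:  # 'dst 10.0.0.1' is short for 'dst host 10.0.0.1'
            tok = toks.pop(0) if toks[:1] in (["host"], ["port"]) else "host"
        if tok in ("host", "port"):
            value = int(toks.pop(0)) if tok == "port" else toks.pop(0)
            sides = [direction] if direction else ["src", "dst"]
            return lambda p: any(p.get(s + "_" + tok) == value for s in sides)
        raise ValueError("unsupported primitive: " + tok)
    def expr_and():  # 'and' binds tighter than 'or'
        node = primary()
        while toks[:1] == ["and"]:
            toks.pop(0)
            node = (lambda l, r: lambda p: l(p) and r(p))(node, primary())
        return node
    def expr_or():
        node = expr_and()
        while toks[:1] == ["or"]:
            toks.pop(0)
            node = (lambda l, r: lambda p: l(p) or r(p))(node, expr_and())
        return node
    node = expr_or()
    if toks:
        raise ValueError("trailing input: " + toks[0])
    return node

# Constructed sample flows (not captured data): web request to 10.0.0.1, its reply, a DNS query.
def pkt(proto, src, dst, sport, dport):
    return {"layers": {"ip", proto}, "src_host": src, "dst_host": dst,
            "src_port": sport, "dst_port": dport}
PACKETS = [pkt("tcp", "192.0.2.10", "10.0.0.1", 51000, 80),
           pkt("tcp", "10.0.0.1", "192.0.2.10", 80, 51000),
           pkt("udp", "192.0.2.10", "10.0.0.1", 4000, 53)]

def select(expr, packets=PACKETS):  # indexes of the packets the filter keeps
    keep = compile_filter(expr)
    return [i for i, p in enumerate(packets) if keep(p)]
```

Note how `port 80` keeps both directions of the web flow while `dst port 80` or the reply's `dst 10.0.0.1` narrows it to one; that is the difference between watching a service and watching a host.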