Security-related question

Matt Graham danceswithcrows at usa.net
Tue Feb 22 10:20:58 MST 2011


From: Jim March <1.jim.march at gmail.com>
> According to ifconfig the interface I'm trying to monitor is:
> wlan0     Link encap:Ethernet  HWaddr 00:14:d1:c8:b4:bf
>           inet addr:10.0.1.4  Bcast:10.0.1.255  Mask:255.255.255.0

Are you sure?  That looks like the IP of the Linux box.  The Doze VM you're
trying to monitor will have a different IP, unless you're using bridging in
virtualbox.  Are you using bridging/shared networking there?  That may cause
things to be different.  Can't tell for sure; my virtualbox setup's at home.

> jim at jim-lappy:~$ sudo tcpdump -s 0 -w file.pca 10.0.1.4
> tcpdump: WARNING: eth0: no IPv4 address assigned
> tcpdump: syntax error

Yeah, you didn't get the syntax right.  Take a look at what you posted
previously:

>>> jim at jim-lappy:~$ tcpdump -s 0 -w file.pcap host 127.0.0.1

..."host 127.0.0.1" means "capture all packets that have a source or
destination address of 127.0.0.1".  Just putting in an IP without a
host/src/dst keyword won't get anything but an error.  So, try again, make
sure you've got the correct IP in the host file, or if you're not sure where
the VM's IP is, then you can do something like 10.0.1.0/24 and retrieve
packets from the whole subnet.  It's better to be as specific as possible when
doing the capture, so you have as few packets you're not interested in as you
can.  That makes subsequent analysis easier.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
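An added illustration of the filter-syntax point in Matt's reply (example code, not from anyone in the thread): the hypothetical helpers below take a plain address or a CIDR network, emit the "host ..." / "net ..." pcap-filter expression that tcpdump's parser expects (a bare address with no type keyword is what produced the "syntax error" above; the documented keyword for a CIDR block is "net"), and assemble the full tcpdump command line with the interface given explicitly via -i. The sample inputs are the addresses quoted in the thread; nothing here executes tcpdump.

```python
"""Build a tcpdump invocation with a well-formed pcap-filter expression.

Added example, not code from the mailing-list thread. Only the argv is
built; running the capture still needs root (sudo) and a real interface.
"""
import ipaddress
import shlex

# Direction qualifiers pcap-filter accepts in front of a type qualifier.
VALID_DIRECTIONS = (None, "src", "dst")


def capture_filter(target, direction=None):
    """Return a pcap-filter expression selecting traffic to/from `target`.

    `target` is a single IP address ("10.0.1.4") or a CIDR network
    ("10.0.1.0/24"). The "host" / "net" type keyword is always emitted,
    because a bare address on the tcpdump command line is rejected with
    "syntax error" rather than treated as a host filter.
    """
    if direction not in VALID_DIRECTIONS:
        raise ValueError(f"direction must be one of {VALID_DIRECTIONS}, got {direction!r}")
    try:
        # strict=False normalises "10.0.1.4/24" to the network 10.0.1.0/24
        net = ipaddress.ip_network(target, strict=False)
    except ValueError as exc:
        raise ValueError(f"not an IP address or CIDR network: {target!r}") from exc

    if net.num_addresses == 1:
        expr = f"host {net.network_address}"      # one address -> host filter
    else:
        expr = f"net {net.with_prefixlen}"        # whole block -> net filter
    return f"{direction} {expr}" if direction else expr


def tcpdump_argv(interface, target, outfile, direction=None, snaplen=0):
    """Assemble argv for a full-packet (-s 0) capture written to `outfile`.

    -i is passed explicitly: without it tcpdump picks the lowest-numbered
    configured non-loopback interface, which on the poster's laptop was
    eth0 (no IPv4 address) rather than the wlan0 he wanted to watch.
    """
    if not outfile.endswith(".pcap"):
        # guards against typos like "file.pca" so analysis tools open the file
        raise ValueError("capture file name should end in .pcap")
    argv = ["tcpdump", "-i", interface, "-s", str(snaplen), "-w", outfile]
    argv.extend(capture_filter(target, direction).split())
    return argv


def tcpdump_command(interface, target, outfile, direction=None):
    """Shell-quoted one-liner suitable for pasting after `sudo`."""
    return shlex.join(tcpdump_argv(interface, target, outfile, direction))


if __name__ == "__main__":
    # Constructed sample inputs taken from the thread: the laptop's own
    # address, and the whole subnet for when the VM's address is unknown.
    for tgt, dirn in (("10.0.1.4", None), ("10.0.1.0/24", None), ("10.0.1.4", "dst")):
        print("sudo " + tcpdump_command("wlan0", tgt, "file.pcap", dirn))
```

As Matt says, the narrower the filter the less noise ends up in the file; the `direction` argument ("src" or "dst") is the next step in narrowing once you know which side of the conversation you care about.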
