Security-related question

Matt Graham danceswithcrows at usa.net
Tue Feb 22 15:32:30 MST 2011


From: Jim March <1.jim.march at gmail.com>
> I've looked the manual over for tcpdump:
> http://www.tcpdump.org/tcpdump_man.html
tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
        [ -C file_size ] [ -F file ]
        [ -i interface ] [ -w file ]

...does that make it any clearer?

> jim at jim-lappy:~$ sudo tcpdump -s 0 -w -i file.pca host 10.0.1.4
> tcpdump: syntax error

"-w file.pcap -i wlan0" != "-w -i file.pcap".  Order of args matters when
options take args, as -w and -i do.  I thought this was common knowledge.

> jim at jim-lappy:~$ sudo tcpdump -s 0 -w -i any file.pca host 10.0.1.4
> tcpdump: syntax error

Yeah, because there's no filename for -w.

> jim at jim-lappy:~$ sudo tcpdump -s 0 -w -i any file.pca
> tcpdump: syntax error

Same again, and file.pca isn't a valid expression for "which packets to
capture".

> The man page doesn't give enough examples to tell me how to do this.
> Dangit...any idea what the exact syntax might be?

Most man pages don't have enough examples.  The command you want is "tcpdump
-s 0 -w file.pca -i wlan0 host 10.0.1.4", and I was *trying* to get you to
figure that out for yourself, but I thought you knew more about using
command-line programs than you did.  I'm still not convinced that that IP is
correct, since I don't know how you've set up your virtualbox, but you may be
able to narrow it down.  Just start a capture with no filter, then in the VM,
ping pingable.host on the wide Net, then stop the capture and look for where
those ICMP packets directed to pingable.host are coming from.  It *should*
work.

> I tried using Wireshark with sudo.  Bingo.

Well, except for the lack of a host filter causing you to find a bunch of
other stuff (other user going to facebook) that didn't relate to your malware
question.  This was a win... *this* time.  The thing is, when I'm doing work
with tcpdump, I have to filter by host and port, or I get far too many useless
packets mixed in with the stuff I'm actually looking for.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
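The two techniques in the reply above (capture everything with "-w file.pcap -i iface", then find the VM's address by looking for the ICMP echo requests it sends to a known pingable host, and only then narrow to "host X") can be reproduced offline against a capture file. The following is an added example and is not part of the original post or the tcpdump project: it builds a small libpcap file in memory with constructed, placeholder addresses (10.0.1.4 as the VM, 198.51.100.1 as the "pingable host", 192.168.1.20 / 203.0.113.5 as unrelated traffic), then parses it with a minimal Ethernet/IPv4/ICMP parser. The function names and the sample traffic are all assumptions for illustration; the only real tool reference is the tcpdump invocation in the comment.

```python
"""
Post-capture helpers for the procedure in the thread:
  1. capture with no filter:   sudo tcpdump -s 0 -w capture.pcap -i wlan0
  2. ping a known host from the VM
  3. find who sent ICMP echo requests to that host (that is the VM's IP)
  4. narrow to that host, as tcpdump's `host 10.0.1.4` filter would
The pcap bytes are constructed in-line (placeholder addresses) so this runs
offline; in practice pass open("capture.pcap", "rb").read() instead.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def _checksum(data):
    """RFC 1071 ones-complement checksum, so the IPv4 header parses cleanly."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 packet: 20-byte header without options, TTL 64."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def _ether_frame(ip_packet):
    """Ethernet II frame with placeholder locally-administered MACs."""
    return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def icmp_frame(src, dst, icmp_type):
    """Ethernet/IPv4/ICMP frame; ICMP header = type, code, checksum, id, seq."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping"
    return _ether_frame(_ipv4_packet(src, dst, IPPROTO_ICMP, icmp))


def tcp_frame(src, dst):
    """Ethernet/IPv4/TCP SYN to port 443: stands in for unrelated browsing."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return _ether_frame(_ipv4_packet(src, dst, IPPROTO_TCP, tcp))


def build_pcap(frames):
    """Serialize frames as a classic little-endian libpcap file, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield each captured frame from classic little-endian pcap bytes."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, icmp_type) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    icmp_type = frame[14 + ihl] if proto == IPPROTO_ICMP and len(frame) > 14 + ihl else None
    return src, dst, proto, icmp_type


def find_ping_sources(pcap, target):
    """Count ICMP echo requests to `target` per source IP; top entry is the VM."""
    sources = Counter()
    for parsed in map(parse_frame, iter_frames(pcap)):
        if parsed and parsed[1] == target and parsed[2] == IPPROTO_ICMP \
                and parsed[3] == ICMP_ECHO_REQUEST:
            sources[parsed[0]] += 1
    return sources


def filter_by_host(pcap, host):
    """Post-capture equivalent of tcpdump's `host X`: packets to or from X."""
    return [p for p in map(parse_frame, iter_frames(pcap)) if p and host in p[:2]]


# Constructed sample capture (documentation/private addresses, not real traffic).
SAMPLE_PCAP = build_pcap([
    tcp_frame("192.168.1.20", "203.0.113.5"),                  # another user's browsing
    icmp_frame("10.0.1.4", "198.51.100.1", ICMP_ECHO_REQUEST),  # VM pinging out
    icmp_frame("198.51.100.1", "10.0.1.4", ICMP_ECHO_REPLY),
    icmp_frame("10.0.1.4", "198.51.100.1", ICMP_ECHO_REQUEST),
    tcp_frame("203.0.113.5", "192.168.1.20"),
])

if __name__ == "__main__":
    print("echo requests to 198.51.100.1 by source:",
          dict(find_ping_sources(SAMPLE_PCAP, "198.51.100.1")))
    print("packets involving 10.0.1.4:", len(filter_by_host(SAMPLE_PCAP, "10.0.1.4")))
```

On a real capture the same two calls apply unchanged: read the file tcpdump wrote with "-w", pass the pingable host's address to find_ping_sources() to learn which local IP the VM actually uses, and then recapture with "host <that IP>" (or post-filter with filter_by_host()) so unrelated traffic from other users on the segment stays out of the result.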



More information about the PLUG-discuss mailing list