Ummm...it ain't working. I get:

---
jim@jim-lappy:~$ tcpdump -s 0 -w file.pcap host 127.0.0.1
tcpdump: no suitable device found
jim@jim-lappy:~$
---

So I ran Wireshark and it doesn't see an interface it can use. I've tried two different WiFi cards, one a Broadcom and one Ralink I think. Dangit.

I think I have an Atheros mini-PCI-express I can bolt into this Dell I'm using at the moment...will that help?

Jim

On Tue, Feb 22, 2011 at 8:45 AM, Matt Graham wrote:
>
> Jim March <1.jim.march@gmail.com> wrote:
> >> I'm trying to figure out what a particular Windows piece of malware
> >> does. To that end I built a brand new WinXP virtual machine via
> >> Virtualbox (Linux host of course) and then infected the virtual
> >> machine, which has Internet connectivity via a NAT router off of
> >> the Linux host...in other words, guest OS traffic will be visible
> >> in the host Linux system.
>
> So, the 'Doze VM has an IP of 10.x.y.z according to the Linux box? And you
> can run "tcpdump -s 0 -w file.pcap host 10.x.y.z" on the Linux box, right?
> And then have a look at file.pcap with wireshark or your favorite packet
> analyzer? This seems fairly obvious to me, but there could be something I'm
> missing. It's been a while since I played with virtualbox to any great
> extent, and it depends on how the thing does networking.
>
> From: Jordan Aberle
> > Sysinternals can do everything you need, take a look specifically
> > at Procmon http://technet.microsoft.com/en-us/sysinternals
> > TCPVIEW also.
>
> You'd trust a compromised machine to report on the traffic that some known
> malware is sending out? I have this great deal on Florida swampland for
> you.... :-) Also, Jim wanted to do the monitoring from the Linux side. But
> if you're stuck on a Doze box, sysinternals is a reasonable substitute for
> standard tools.
>
> --
> Matt G / Dances With Crows
> The Crow202 Blog: http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
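Once a host-side capture like the one Matt describes exists, the first triage question is which outside hosts the infected guest talked to, and the host's pcap answers that without asking the compromised guest. The following is an added example, not code from this thread: it parses the classic libpcap format that `tcpdump -w` writes, counts the guest's outbound TCP/UDP destinations, and builds its own small constructed capture; the guest address 10.0.2.15 and DNS server 10.0.2.3 are assumed VirtualBox-NAT-style values, not taken from the thread.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xa1b2c3d4   # little-endian libpcap magic, as tcpdump -w writes it
LINKTYPE_ETHERNET = 1

def iter_frames(data):
    """Yield raw Ethernet frames from a classic libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian libpcap file with Ethernet frames")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen, = struct.unpack_from("<I", data, off + 8)   # bytes actually captured
        off += 16                             # skip the per-packet record header
        yield data[off:off + caplen]
        off += caplen

def guest_contacts(data, guest_ip):
    """Count (dst_ip, proto, dst_port) for every TCP/UDP packet the guest sent."""
    contacts = Counter()
    for frame in iter_frames(data):
        if len(frame) < 38 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
            continue
        ihl = (frame[14] & 0x0f) * 4                          # IPv4 header length
        proto, src, dst = frame[23], frame[26:30], frame[30:34]
        if socket.inet_ntoa(src) != guest_ip or proto not in (6, 17):
            continue                                          # inbound, or not TCP/UDP
        dport, = struct.unpack_from("!H", frame, 14 + ihl + 2)
        contacts[(socket.inet_ntoa(dst), "tcp" if proto == 6 else "udp", dport)] += 1
    return contacts

def _frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with zeroed MACs and no payload."""
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture: assumed guest 10.0.2.15 does one DNS lookup, two HTTP hits, gets one reply."""
    frames = [_frame("10.0.2.15", "10.0.2.3", 17, 53),
              _frame("10.0.2.15", "198.51.100.7", 6, 80),
              _frame("10.0.2.15", "198.51.100.7", 6, 80),
              _frame("198.51.100.7", "10.0.2.15", 6, 40000)]   # inbound: must not be counted
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records
```

On a real capture, call `guest_contacts(open("file.pcap", "rb").read(), "10.x.y.z")` with the guest address the Linux host sees; `.most_common()` on the result lists destinations by packet count.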