6 comments

[ 4.3 ms ] story [ 60.7 ms ] thread
This is gold. Straight to my pinboard.
If you are planning on poking around with captures in Wireshark, keep in mind that there have been quite a lot of exploits for that app, particularly in the various protocol dissectors.

You should avoid working on captures with unknown content on an important machine.

http://wiki.wireshark.org/Security

I love Daniel's site - he's written a ton of great tutorials and overviews of useful tools.

tcpdump is definitely one of the "must know" tools.

One thing I haven't been able to with tcpdump is just dump the data stream (payload) without any protocol bits. I presume it's possible with the right command line option incantation.

Instead, for this purpose, I have used tcpflow. This is useful for listening in on data streams, potentially piping a binary message stream to a decoder for human-readable output.

Tip: sudo to root.

I am ignorant as dirt on this subject. Maybe this was obvious to everyone else. I read this at work and decided to log into one of our main web servers. I tried following the directions but I got the error:

tcpdump could not find a suitable device

However this:

which tcpdump

showed me that tcpdump was on the machine.

I look back at the examples in the article and saw he was root. Luckily, where I work, all of the engineers are given root access on most of the machines. So I could sudo to root. And then the examples worked.

Don't get tripped up like I did.