If you are planning on poking around with captures in Wireshark, keep in mind that there have been quite a lot of exploits for that app, particularly in the various protocol dissectors.
You should avoid working on captures with unknown content on an important machine.
One thing I haven't been able to with tcpdump is just dump the data stream (payload) without any protocol bits. I presume it's possible with the right command line option incantation.
Instead, for this purpose, I have used tcpflow. This is useful for listening in on data streams, potentially piping a binary message stream to a decoder for human-readable output.
I am ignorant as dirt on this subject. Maybe this was obvious to everyone else. I read this at work and decided to log into one of our main web servers. I tried following the directions but I got the error:
tcpdump could not find a suitable device
However this:
which tcpdump
showed me that tcpdump was on the machine.
I look back at the examples in the article and saw he was root. Luckily, where I work, all of the engineers are given root access on most of the machines. So I could sudo to root. And then the examples worked.
6 comments
[ 4.3 ms ] story [ 60.7 ms ] threadYou should avoid working on captures with unknown content on an important machine.
http://wiki.wireshark.org/Security
tcpdump is definitely one of the "must know" tools.
Instead, for this purpose, I have used tcpflow. This is useful for listening in on data streams, potentially piping a binary message stream to a decoder for human-readable output.
I am ignorant as dirt on this subject. Maybe this was obvious to everyone else. I read this at work and decided to log into one of our main web servers. I tried following the directions but I got the error:
tcpdump could not find a suitable device
However this:
which tcpdump
showed me that tcpdump was on the machine.
I look back at the examples in the article and saw he was root. Luckily, where I work, all of the engineers are given root access on most of the machines. So I could sudo to root. And then the examples worked.
Don't get tripped up like I did.