
Re: How do you use TCPDump?
On Wed, Mar 2, 2011 at 11:00 PM, Jason Hsu <jhsu802701@jasonhsu.com> wrote:
> I have it installed, and I can look up the parameters in the command.
>
> What I don't understand is how I use it to investigate intrusions. Can someone shed some light on this?


Look at Snort. It's pretty much the industry standard when it comes to IDS.

Also, you can either use the new Snort format (which is a PITA to convert to pcap format) or you can have it log 'interesting' things to a flat file and directly look at it with tshark or tcpdump or Scapy or whatever else you'd like.

Now, what's cool is, if you see something that starts to make you wonder, you go into Scapy, modify the packets and replay. Fun :)

One last thing: learn how to write 'good' rules. Just because you've got a bunch of data doesn't make it good data. In fact, too much data is bad data, because someone has to look through it all; after a while complacency sets in and your analysis guy becomes useless. In this case, I suppose the analysis guy would be you :)
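To make the reply's two points concrete (look at a capture directly, and write rules that don't drown the analyst), here is an added example that is not from the list or the poster. It is plain Python using only the standard library: a minimal libpcap reader and Ethernet/IPv4/TCP decoder, a constructed capture (the 10.0.0.x addresses, port list and timestamps are made up for the demo; checksums are zeroed), and two rules run over it. The naive rule fires on every SYN to port 22 and cannot tell a normal SSH client from a host sweeping ten ports; the windowed rule only alerts once a single source has hit more than `threshold` distinct ports within `window` seconds.

```python
import struct
from collections import Counter, defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap magic, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02


def read_pcap(data: bytes):
    """Parse a little-endian libpcap file into a list of (timestamp, frame) tuples."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, offset = [], 24             # 24-byte global header
    while offset + 16 <= len(data):      # 16-byte per-packet record header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def parse_tcp(frame: bytes):
    """Return (src_ip, dst_ip, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    flags = ip[ihl + 13]                 # TCP flags byte
    return src, dst, sport, dport, flags


def naive_rule(packets):
    """'Alert on every SYN to port 22.' One alert per packet, no notion of who or how often."""
    alerts = []
    for ts, frame in packets:
        p = parse_tcp(frame)
        if p and p[4] & TCP_SYN and p[3] == 22:
            alerts.append(f"{ts:.3f} SYN to 22 from {p[0]}")
    return alerts


def syn_sweep_rule(packets, threshold=5, window=1.0):
    """Alert once per source that SYNs to more than `threshold` distinct ports within `window` s."""
    events = defaultdict(list)
    for ts, frame in packets:
        p = parse_tcp(frame)
        if p and p[4] & TCP_SYN:
            events[p[0]].append((ts, p[3]))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        ports, start = Counter(), 0      # distinct ports inside the sliding window
        for ts, port in evs:
            ports[port] += 1
            while ts - evs[start][0] > window:   # drop events that fell out of the window
                old = evs[start][1]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) > threshold:
                alerts.append(src)
                break                    # one alert per source, not one per packet
    return alerts


def build_frame(src, dst, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with zeroed checksums (constructed sample, not captured traffic)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames, start_sec=1299110400):
    """Wrap frames in a little-endian pcap container (link type 1 = Ethernet), 1 ms apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_sec, i * 1000, len(frame), len(frame)) + frame
    return out


def sample_pcap():
    """Constructed capture: one ordinary client (two connections), one host sweeping ten ports."""
    frames = [build_frame("10.0.0.5", "10.0.0.1", 40000 + i, port, TCP_SYN)
              for i, port in enumerate((22, 80))]
    frames += [build_frame("10.0.0.9", "10.0.0.1", 50000 + i, port, TCP_SYN)
               for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443, 445, 3389))]
    return build_pcap(frames)


if __name__ == "__main__":
    pkts = read_pcap(sample_pcap())
    print("naive rule:", len(naive_rule(pkts)), "alerts")   # one per SYN to 22, from both hosts
    print("sweep rule:", syn_sweep_rule(pkts))               # only the sweeping host
```

The same `read_pcap` and `parse_tcp` work on a file written by `tcpdump -w`, as long as it is the classic little-endian pcap format rather than pcapng. The point of the second rule is the one the reply makes: a rule that emits one line per packet produces volume, while a rule that aggregates per source over a time window produces something an analyst can actually act on.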

