
Re: Logging packet contents
On Fri, Nov 08, 2002 at 12:16:39PM -0800, Adam Getchell wrote:
> I'd like to know if there's (a pointer to) an easy way to inspect the
> contents of the logged packets. For example, I want to find out the address
> of people sending the Pop-up spam "Get your university diploma here!"
$ tcpdump -nevvvXr /var/log/pflog udp port 135
Nov 01 15:40:25.157497 rule 7/0(match): block in on kue0: 211.239.172.33.1046 >
 62.65.145.30.135:  [udp sum ok] udp 724 (ttl 110, id 57767)
  0000: 4500 02f0 e1a7 0000 6e11 18e5 d3ef ac21  E....n..!
  0010: 3e41 911e 0416 0087 02dc 9b82 0400 0800  >A.............
  0020: 1000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0  .....{Z...
  0040: 4fb6 e6fc e16e be00 c13b af4d af0f 664c  On.;M.fL
  0050: 5248 bd03 0000 0000 0100 0000 0000 0000  RH.............
  0060: 0000 ffff ffff 8402 0000 0000 0900 0000  ............
  0070: 0000 0000 0900 0000 5745 4250 4f50 5550  ........WEBPOPUP
  0080: 0000 0000 0100 0000 0000 0000 0100 0000  ................
  0090: 0000 0000 4f02 0000 0000 0000 4f02 0000  ....O.......O...
  00a0: 5520 4e20 4920 5620 4520 5220 5320 4920  U N I V E R S I
  00b0: 5420 5920 2020 4420 4920 5020 4c20 4f20  T Y   D I P L O
  00c0: 4d20 4120 530d 0a0d 0a4f 6274 6169 6e20  M A S....Obtain
  00d0: 6120 7072 6f73 7065 726f 7573 2066 7574  a prosperous fut
  00e0: 7572 652c 206d 6f6e 6579 2065 6172 6e69  ure, money earni
  00f0: 6e67 2070 6f77 6572 2c0d 0a61 6e64 2074  ng power,..and t
  [...]
Note that the source address is possibly spoofed. Imagine the spammers
had picked your IP as source for a mass popup spam when you word a
complaint...
> Also, this method won't work on a transparent bridge unless there's a third
> NIC configured with an IP address, correct?
No, any packet logged with pf ends up in /var/log/pflog, and you can
tcpdump it with any options described in tcpdump(8). If you're
interested in the entire packets, see pflogd(8) and increase the snaplen
beyond the default of 96 bytes.
Daniel
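To turn a dump like the one above back into something you can check programmatically, here is an added Python example (not from the original thread): it parses the tcpdump -X hex columns quoted in the message, decodes the IPv4 and UDP headers, flags a capture that the pflogd snaplen cut short, and lists the printable text in the payload. Function names are my own.

```python
import re
import struct

# Hex dump from the message above (tcpdump -X of the logged packet, first 208 bytes).
DUMP = """\
  0000: 4500 02f0 e1a7 0000 6e11 18e5 d3ef ac21  E....n..!
  0010: 3e41 911e 0416 0087 02dc 9b82 0400 0800  >A.............
  0020: 1000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0  .....{Z...
  0040: 4fb6 e6fc e16e be00 c13b af4d af0f 664c  On.;M.fL
  0050: 5248 bd03 0000 0000 0100 0000 0000 0000  RH.............
  0060: 0000 ffff ffff 8402 0000 0000 0900 0000  ............
  0070: 0000 0000 0900 0000 5745 4250 4f50 5550  ........WEBPOPUP
  0080: 0000 0000 0100 0000 0000 0000 0100 0000  ................
  0090: 0000 0000 4f02 0000 0000 0000 4f02 0000  ....O.......O...
  00a0: 5520 4e20 4920 5620 4520 5220 5320 4920  U N I V E R S I
  00b0: 5420 5920 2020 4420 4920 5020 4c20 4f20  T Y   D I P L O
  00c0: 4d20 4120 530d 0a0d 0a4f 6274 6169 6e20  M A S....Obtain
"""

# One "offset: hhhh hhhh ... " line; the trailing ASCII column is not matched.
HEX_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{4}\s)+)", re.I)

def parse_hexdump(text):
    """Rebuild the captured bytes from tcpdump -X output."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def decode_ipv4_udp(pkt):
    """Decode IPv4 + UDP headers; 'truncated' is True when the capture is shorter
    than the IP total length, i.e. the pflogd snaplen cut the packet off."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, ttl, proto = struct.unpack("!HH2xBB2x", pkt[2:12])
    if proto != 17:
        raise ValueError("not a UDP packet")
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "ttl": ttl, "ip_id": ip_id,
            "udp_payload_len": udp_len - 8, "truncated": len(pkt) < total_len,
            "payload": pkt[ihl + 8:]}

def printable_runs(data, minlen=6):
    """Runs of printable ASCII in the payload: the spam text shows up here."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]
```

Run against the dump above it reports src 211.239.172.33:1046 to 62.65.145.30:135, ttl 110, id 57767, 724 payload bytes, and truncated=True because only 208 of the 752 bytes were captured, which is exactly the case the snaplen advice addresses.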