
RE: Logging packet contents



Thanks! I will try it!
> -----Original Message-----
> From: Daniel Hartmeier [mailto:[email protected]]
> Sent: Friday, November 08, 2002 12:31 PM
> To: Adam Getchell
> Cc: [email protected]
> Subject: Re: Logging packet contents
> 
> 
> On Fri, Nov 08, 2002 at 12:16:39PM -0800, Adam Getchell wrote:
> 
> > I'd like to know if there's (a pointer to) an easy way to inspect the
> > contents of the logged packets. For example, I want to find out the address
> > of people sending the Pop-up spam "Get your university diploma here!"
> 
> $ tcpdump -nevvvXr /var/log/pflog udp port 135
> 
> Nov 01 15:40:25.157497 rule 7/0(match): block in on kue0: 211.239.172.33.1046 > 62.65.145.30.135:  [udp sum ok] udp 724 (ttl 110, id 57767)
>   0000: 4500 02f0 e1a7 0000 6e11 18e5 d3ef ac21  E....n..!
>   0010: 3e41 911e 0416 0087 02dc 9b82 0400 0800  >A.............
>   0020: 1000 0000 0000 0000 0000 0000 0000 0000  ................
>   0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0  .....{Z...
>   0040: 4fb6 e6fc e16e be00 c13b af4d af0f 664c  On.;M.fL
>   0050: 5248 bd03 0000 0000 0100 0000 0000 0000  RH.............
>   0060: 0000 ffff ffff 8402 0000 0000 0900 0000  ............
>   0070: 0000 0000 0900 0000 5745 4250 4f50 5550  ........WEBPOPUP
>   0080: 0000 0000 0100 0000 0000 0000 0100 0000  ................
>   0090: 0000 0000 4f02 0000 0000 0000 4f02 0000  ....O.......O...
>   00a0: 5520 4e20 4920 5620 4520 5220 5320 4920  U N I V E R S I
>   00b0: 5420 5920 2020 4420 4920 5020 4c20 4f20  T Y   D I P L O
>   00c0: 4d20 4120 530d 0a0d 0a4f 6274 6169 6e20  M A S....Obtain
>   00d0: 6120 7072 6f73 7065 726f 7573 2066 7574  a prosperous fut
>   00e0: 7572 652c 206d 6f6e 6579 2065 6172 6e69  ure, money earni
>   00f0: 6e67 2070 6f77 6572 2c0d 0a61 6e64 2074  ng power,..and t
>   [...]
> 
> Note that the source address is possibly spoofed. Imagine the spammers
> had picked your IP as source for a mass popup spam when you word a
> complaint...
> 
> > Also, this method won't work on a transparent bridge unless there's a third
> > NIC configured with an IP address, correct?
> 
> No, any packet logged with pf ends up in /var/log/pflog, and you can
> tcpdump it with any options described in tcpdump(8). If you're
> interested in the entire packets, see pflogd(8) and increase the snaplen
> beyond the default of 96 bytes.
> 
> Daniel
>
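Working through the quoted tcpdump output, as an added example that is not part of this thread: the script below rebuilds the raw bytes from the `-X` hex dump, decodes the IPv4 and UDP headers (which should agree with the summary line: 211.239.172.33.1046 > 62.65.145.30.135, ttl 110, id 57767, udp 724), and reports how much of the declared payload was actually captured, which is the snaplen point Daniel raises. The dump embedded in the script is copied from the message above; the function names are my own.

```python
import re
import struct
from ipaddress import IPv4Address

# Hex dump copied from the tcpdump -X output quoted above; the message
# showed only the first 256 bytes of the 752-byte datagram, then "[...]".
SAMPLE_DUMP = """\
0000: 4500 02f0 e1a7 0000 6e11 18e5 d3ef ac21  E....n..!
0010: 3e41 911e 0416 0087 02dc 9b82 0400 0800  >A.............
0020: 1000 0000 0000 0000 0000 0000 0000 0000  ................
0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0  .....{Z...
0040: 4fb6 e6fc e16e be00 c13b af4d af0f 664c  On.;M.fL
0050: 5248 bd03 0000 0000 0100 0000 0000 0000  RH.............
0060: 0000 ffff ffff 8402 0000 0000 0900 0000  ............
0070: 0000 0000 0900 0000 5745 4250 4f50 5550  ........WEBPOPUP
0080: 0000 0000 0100 0000 0000 0000 0100 0000  ................
0090: 0000 0000 4f02 0000 0000 0000 4f02 0000  ....O.......O...
00a0: 5520 4e20 4920 5620 4520 5220 5320 4920  U N I V E R S I
00b0: 5420 5920 2020 4420 4920 5020 4c20 4f20  T Y   D I P L O
00c0: 4d20 4120 530d 0a0d 0a4f 6274 6169 6e20  M A S....Obtain
00d0: 6120 7072 6f73 7065 726f 7573 2066 7574  a prosperous fut
00e0: 7572 652c 206d 6f6e 6579 2065 6172 6e69  ure, money earni
00f0: 6e67 2070 6f77 6572 2c0d 0a61 6e64 2074  ng power,..and t
[...]
"""
HEX_GROUP = re.compile(r"^[0-9a-f]{4}$")

def hexdump_to_bytes(dump):
    # Rebuild raw bytes from "OFFSET: 8 hex groups  ascii" lines. Only the
    # eight hex groups are used; the ASCII column (often mangled by mail
    # clients, as above) is ignored and "[...]" or other lines are skipped.
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].endswith(":"):
            continue
        for group in parts[1:9]:
            if not HEX_GROUP.match(group):
                raise ValueError(f"bad hex group {group!r} in {line!r}")
            out += bytes.fromhex(group)
    return bytes(out)

def parse_ipv4_udp(pkt):
    # Decode IPv4 + UDP headers and compare declared vs captured payload;
    # with pflogd's default 96-byte snaplen most of the payload is missing.
    ver_ihl, _, total_len, ident, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    declared, captured = udp_len - 8, max(0, len(pkt) - ihl - 8)
    return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "ttl": ttl,
            "id": ident, "total_len": total_len, "udp_payload": declared,
            "captured_payload": captured, "truncated": captured < declared}
```

Running `parse_ipv4_udp(hexdump_to_bytes(SAMPLE_DUMP))` reproduces the summary-line values and shows only 228 of the 724 payload bytes were present in the quoted dump.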