tcpdump/snort to capture chat sessions
Tom Judge
tom at tomjudge.com
Wed Jun 11 20:20:43 UTC 2008
Bill Moran wrote:
> In response to R J <rjohanne at wnk.hamline.edu>:
>
>> I am trying to use tcpdump (or snort, but they are both behaving the same
>> in this case) to capture all the lines or contents of an MSN
>> chat session, the actual conversation. I am getting partial output; i.e.,
>> I'll only get half of a sentence, and I don't see the rest of the lines.
>> And of course, a lot of it seems to be hex or obfuscated HTML?
>>
>> What switches do I need to capture the entire lines of text?
>
> Don't know about snort, but with tcpdump use -s0
>
This is a good start; however, you are not guaranteed to see the whole
chat message in a single TCP packet. If you are looking for something
more advanced you will have to write a program around pcap/bpf or
similar to read the TCP stream.
Tom J
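
The reassembly step described in the reply above, as an added example that is not part of the original thread: it orders one direction of a TCP connection by sequence number before looking for message boundaries. The segment tuples, the ISN, and the CRLF-delimited message format are constructed sample data, not MSN's wire format or a real capture.

```python
MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


def reassemble(segments, isn):
    """Return the contiguous bytes of one direction of a TCP connection.

    segments: (seq, payload) pairs in capture order. Handles out-of-order
    arrival, retransmissions, overlaps and sequence wrap; stops at the first
    gap (a segment the capture missed).
    """
    next_seq = (isn + 1) & MASK  # the SYN consumes one sequence number
    stream, pending, progress = bytearray(), list(segments), True
    while progress:
        progress = False
        for seg in list(pending):
            seq, data = seg
            offset = (next_seq - seq) & MASK  # bytes of this segment already in stream
            if offset >= 0x80000000:
                continue  # starts beyond next_seq: wait for the gap to fill
            pending.remove(seg)
            if offset < len(data):  # carries at least one new byte
                stream += data[offset:]
                next_seq = (seq + len(data)) & MASK
                progress = True
    return bytes(stream)


def complete_lines(stream):
    """Split on CRLF; return (complete messages, trailing partial bytes)."""
    *lines, partial = stream.split(b"\r\n")
    return [line.decode("ascii", "replace") for line in lines], partial


# Constructed sample: two messages spread over several segments (hypothetical format).
PAYLOAD = b"MSG alice: are we still on for noon?\r\nMSG bob: yes, see you th"
ISN = 0xFFFFFFF0  # chosen so the sequence numbers wrap mid-stream
_first = (ISN + 1) & MASK
SEGMENTS = [
    ((_first + 15) & MASK, PAYLOAD[15:30]),  # arrives before its predecessor
    (_first, PAYLOAD[:15]),
    (_first, PAYLOAD[:15]),                  # exact retransmission
    ((_first + 10) & MASK, PAYLOAD[10:30]),  # overlapping retransmission
    ((_first + 30) & MASK, PAYLOAD[30:]),
]

if __name__ == "__main__":
    messages, partial = complete_lines(reassemble(SEGMENTS, ISN))
    print(messages, partial)
```

No single segment contains a whole message here, and the second message is still incomplete when the sample ends, which is the "half of a sentence" effect from the original question.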
More information about the freebsd-net
mailing list