tcpdump/snort to capture chat sessions

John-Mark Gurney jmg at funkthat.com
Fri Jun 13 23:49:35 UTC 2008


Tom Judge wrote this message on Wed, Jun 11, 2008 at 15:01 -0500:
> Bill Moran wrote:
> >In response to R J <rjohanne at wnk.hamline.edu>:
> >
> >>I am trying to use tcpdump (or snort, but they are both behaving the same 
> >>in this case) to capture all the lines or contents of an msn 
> >>chat session, the actual conversation.  I am getting partial output; i.e, 
> >>I'll only get half of a sentence, and I don't see the rest of the lines. 
> >>And of course, a lot of it seems to be hex or obfuscated html?
> >>
> >>What switches do I need to capture the entire lines of text?
> >
> >Don't know about snort, but with tcpdump use -s0
> >
> This is a good start however you are not guaranteed to see the whole 
> chat message in a single TCP packet.  If you are looking for something 
> more advanced you will have to write a program around pcap/bpf or 
> similar to read the TCP stream.

such as tcpflow, which reads tcpdump streams and outputs each TCP byte
stream...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
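The thread's two points, that tcpdump needs -s0 so the payload is not cut off by the snaplen and that a chat line can be spread over several TCP segments so something has to stitch the byte stream back together, are illustrated by the following added example. It is not code from this thread or from tcpflow; it is a minimal, stdlib-only reassembler that works on segments a pcap reader would hand you (source/destination, sequence number, captured payload, and the payload length the headers claim). The traffic is constructed: the flow addresses, port 1863, and the message text are made-up sample data, and the segments are arranged to show out-of-order arrival, a retransmission, and a capture truncated by the historical 68-byte default snaplen.

```python
"""Reassemble TCP byte streams from captured segments (stdlib only).

Added example, not part of the freebsd-net thread or of tcpflow. A real
tool would obtain the fields below from a pcap reader; here they are
constructed by hand.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes    # bytes actually captured (may be cut short by the snaplen)
    wire_len: int     # payload length on the wire, as the IP/TCP headers report it


def flow_key(seg):
    """One direction of one connection is one byte stream."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def reassemble(segments):
    """Return {flow_key: (reassembled bytes, list of warnings)}.

    Segments are ordered by sequence number, so out-of-order arrival is
    handled; retransmitted bytes are dropped; bytes that never made it into
    the capture (snaplen truncation or lost packets) are filled with '?' and
    reported, so a half-captured chat line is visible instead of silently
    glued to the next one.
    """
    by_flow = defaultdict(list)
    for seg in segments:
        by_flow[flow_key(seg)].append(seg)

    result = {}
    for key, segs in by_flow.items():
        segs.sort(key=lambda s: s.seq)
        data = bytearray()
        warnings = []
        expected = segs[0].seq
        for seg in segs:
            if len(seg.payload) < seg.wire_len:
                warnings.append(f"seq {seg.seq}: only {len(seg.payload)} of "
                                f"{seg.wire_len} payload bytes captured (snaplen too small)")
            if seg.seq > expected:
                gap = seg.seq - expected
                warnings.append(f"seq {expected}: {gap} bytes missing")
                data.extend(b"?" * gap)
                expected = seg.seq
            chunk = seg.payload[expected - seg.seq:]   # drop bytes already seen
            if not chunk:
                continue                                # pure retransmission
            data.extend(chunk)
            expected += len(chunk)
        result[key] = (bytes(data), warnings)
    return result


def chat_lines(stream):
    """Split a reassembled stream into text lines (CRLF-terminated protocol lines)."""
    return [line.decode("utf-8", "replace") for line in stream.split(b"\r\n") if line]


def demo():
    """Constructed capture (not real traffic): two client-to-server flows."""
    flow_a = ("10.0.0.5", 51234, "192.0.2.10", 1863)   # 1863 = MSN Messenger port
    a_msg = b"hello, here is a long chat line that spans two segments\r\n"
    flow_b = ("10.0.0.5", 51235, "192.0.2.10", 1863)
    b_msg = b"this message was cut off by the default snaplen\r\n"
    segs = [
        Segment(*flow_a, 1020, a_msg[20:], len(a_msg) - 20),  # second half arrives first
        Segment(*flow_a, 1000, a_msg[:20], 20),
        Segment(*flow_a, 1000, a_msg[:20], 20),               # retransmission of the first half
        # A 68-byte snaplen minus 14 Ethernet + 20 IP + 20 TCP header bytes leaves 14 payload bytes.
        Segment(*flow_b, 5000, b_msg[:14], len(b_msg)),
        Segment(*flow_b, 5000 + len(b_msg), b"next line\r\n", 11),
    ]
    return reassemble(segs)


if __name__ == "__main__":
    for key, (stream, warnings) in demo().items():
        print(key, chat_lines(stream), warnings)
```

Flow A comes out as one complete line even though its two halves were captured in the wrong order and one was retransmitted; flow B shows what the original poster saw, a line that stops after 14 bytes, followed by a warning naming the snaplen as the cause and a 35-byte hole before the next line.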


More information about the freebsd-net mailing list