On Fri, 31 Dec 1999, Jordan Ritter wrote:

> # Programs like "ngrep" do not process ICMP packets, so you will not as
> # easily (at this point in time) be able to watch for strings in the data
> # portion of the ICMP packets (except using the patches to tcpshow from
> # Appendix C and patches to sniffit provided in the analysis of TFN).
>
> The latest version of ngrep (1.35) does in fact match ICMP, and has been out
> for some time now.

Jordan,

Sweet!  I updated the analysis to use ngrep in preference to tcpdump/tcpshow
for most stuff:

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

ngrep is *way* more convenient to use, but I had to note that it doesn't run
on as many systems as tcpdump/tcpshow (e.g., Digital Unix 4.x) and it doesn't
seem to read tcpdump files, so if you want to capture the raw packets for
later analysis (timing, flags, etc.) you need to stick to tcpdump/tcpshow.

If only I'd sent the analysis out *before* Christmas... ;)

--
Dave Dittrich                    Client Services
dittrichat_private               Computing & Communications
                                 University of Washington

Dave Dittrich / dittrichat_private [PGP Key]
http://www.washington.edu/People/dad/

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
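The exchange above turns on two points: matching strings inside ICMP payloads (what ngrep 1.35 added) and keeping the raw tcpdump capture so the packets can be re-examined later. As an added example, and not code from Dave's analysis, from ngrep or from tcpdump, the Python script below does the offline half of that: it parses a classic pcap file directly, picks out Ethernet/IPv4/ICMP records (skipping everything else and tolerating IPv4 options and truncated snapshots), and runs a bytes regex over each ICMP data portion. The pcap bytes, the addresses and the marker string are constructed inside the script so it runs without a real capture; point `grep_icmp` at the bytes of any Ethernet-linktype pcap written by tcpdump to use it on real traffic.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic as read with "<I" from a little-endian file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # the same magic when the file was written big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_UDP = 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(proto: int, l4: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Ethernet/IPv4 frame around an L4 payload (constructed test data, not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_icmp(icmp_type: int, payload: bytes) -> bytes:
    """ICMP message in echo request/reply shape with a correct checksum (constructed)."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    return msg[:2] + struct.pack("!H", ones_complement_checksum(msg)) + msg[4:]


def build_pcap(frames) -> bytes:
    """Minimal little-endian classic pcap file wrapping the given Ethernet frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 946684800 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_records(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) per record; handles either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def icmp_payload(frame: bytes):
    """Return (icmp_type, icmp_code, data_portion) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ver_ihl = frame[14]
    if ver_ihl >> 4 != 4 or frame[14 + 9] != IPPROTO_ICMP:
        return None
    ihl = (ver_ihl & 0x0F) * 4             # IPv4 options make the header longer than 20 bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    icmp_off = 14 + ihl
    if icmp_off + 8 > len(frame):
        return None                        # snapshot too short to hold an ICMP header
    end = min(14 + total_len, len(frame))  # drop Ethernet padding beyond the IP total length
    return frame[icmp_off], frame[icmp_off + 1], frame[icmp_off + 8:end]


def grep_icmp(pcap_bytes: bytes, pattern: bytes):
    """Search the ICMP data portion of every record for a bytes regex; non-ICMP is skipped."""
    regex = re.compile(pattern)
    hits = []
    for index, (ts, frame) in enumerate(iter_pcap_records(pcap_bytes)):
        parsed = icmp_payload(frame)
        if parsed is None:
            continue
        icmp_type, icmp_code, payload = parsed
        m = regex.search(payload)
        if m:
            hits.append({"record": index, "ts": ts, "icmp_type": icmp_type,
                         "icmp_code": icmp_code, "match": m.group(0)})
    return hits


# Constructed sample capture: an echo request carrying a marker string, an echo reply
# without it, and a UDP datagram that also carries the marker (must NOT be reported).
MARKER = b"constructed-marker"
SAMPLE_PCAP = build_pcap([
    build_frame(IPPROTO_ICMP, build_icmp(8, b"echo request " + MARKER + b" trailing")),
    build_frame(IPPROTO_ICMP, build_icmp(0, b"nothing to see here")),
    build_frame(IPPROTO_UDP, struct.pack("!HHHH", 40000, 53, 8 + len(MARKER), 0) + MARKER),
])

if __name__ == "__main__":
    for hit in grep_icmp(SAMPLE_PCAP, MARKER):
        print(hit)
```

The timestamp kept in each hit is what the post means by "timing": because the match runs over the saved capture rather than the live interface, the same file can be re-read with a different pattern, or fed to tcpdump/tcpshow for flag-level inspection, without re-capturing.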
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:22 PDT