Actually you can get all the payload data with tcpdump by setting the snaplen to max mtu size. You can also query much of that info from tcpdump dump binary files. Another solution is to use snort and log everything. There is an excellent snort configuration from the Honeynet project for logging everything in binary format as well as breaking out sessions. It works great for forensic use. Here is the link. http://project.honeynet.org/papers/honeynet/tools/snort.conf Kevin ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 19:02:19 PST