Since you know the source and destination, you can use this command:
    original_file=big.dump      # placeholder: your binary dump file
    ip1=10.0.0.1                # placeholder: your machine
    ip2=10.0.0.80               # placeholder: the web server
    outfile=client-server.dump  # placeholder: new binary containing just the traffic between your client machine and the web server
    # double quotes so the shell expands $ip1/$ip2 inside the display filter
    tethereal -r "$original_file" -R "(ip.src == $ip1 && ip.dst == $ip2) || (ip.src == $ip2 && ip.dst == $ip1)" -w "$outfile"
Just remember, if $ip1 or $ip2 is a name and not a number, you have to use eq instead of ==. That is, if your IP address is www.server.com instead of 10.0.0.1.
Hope this helps. Also, you should read the man page on tethereal. Snort can also separate your large dump file into more manageable dump files; you should look at Snort and do a man on that as well.
"Print" the capture to a text file with full details enabled. Search the text file for your string. Find the packet of interest and then refer to that packet in Ethereal.

There is no search-at-unknown-offset facility in Ethereal.
-- Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."
I have a fairly large capture file with HTTP requests from a large number of users. I'm trying to debug a problem where a particular cookie is missing from the HTTP GET request. Unfortunately, the cookie is not at a fixed offset from the beginning of the HTTP request.

Ideally, I'd like to create a display filter that searches for all HTTP GET requests where the request contains (anywhere) a particular string (something like "http.request eq 1 and http[?] eq 'xyz'"). I've read the documentation a couple of times, but I can't figure out how to do this. Can anybody help?
If you can't do it with a display filter, can anyone suggest an alternative?
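The replies above boil down to narrowing the capture to one client/server pair with tethereal and then searching the dumped packets for the string by hand. As an added example (not from anyone in this thread), here is that search done offline in Python over a pcap file: it walks the capture, keeps GET requests between a chosen client and server, and reports the ones that contain (or, for the missing-cookie case, lack) a given string anywhere in the request. It assumes Ethernet link type, IPv4/TCP, and one request per frame (no TCP reassembly); the hosts, ports and sample requests are constructed.

```python
import struct
def build_frame(src_ip, dst_ip, payload):
    """Constructed sample: minimal Ethernet/IPv4/TCP frame (checksums left zero, hypothetical hosts)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Constructed sample: little-endian pcap bytes, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def iter_tcp_payloads(pcap):
    """Walk the capture record by record and yield (src, dst, tcp_payload) for IPv4/TCP frames."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4, or IP protocol is not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        data_off = (frame[tcp + 12] >> 4) * 4
        yield src, dst, frame[tcp + data_off:]

def find_requests(pcap, needle, client=None, server=None, present=True):
    """(src, dst, request line) of GET requests that contain needle anywhere (present=False: that lack it)."""
    hits = []
    for src, dst, payload in iter_tcp_payloads(pcap):
        if not payload.startswith(b"GET "):
            continue
        if client and server and {src, dst} != {client, server}:  # same pair filter as the tethereal -R above
            continue
        if (needle.encode() in payload) == present:
            hits.append((src, dst, payload.split(b"\r\n", 1)[0].decode()))
    return hits
# Constructed sample traffic: two requests from one client (with and without the cookie), one from another host.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", "10.0.0.80", b"GET /a HTTP/1.1\r\nHost: x\r\nCookie: session=xyz\r\n\r\n"),
    build_frame("10.0.0.1", "10.0.0.80", b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_frame("10.0.0.2", "10.0.0.80", b"GET /c HTTP/1.1\r\nCookie: session=xyz\r\n\r\n"),
])
```

To run it on a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `find_requests` with your cookie value as the needle.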