“What tools are you using to packet sniff?”
And that's a huge, massively compatible arsenal. From tcpdump to ethereal (ok, "wireshark"), ngrep, p0f, snort, scapy, tcpreplay, the list goes on and on.
Typically, for analytical work, though, I tend to grab packets either with tcpdump (and crafted BPF filters) or snort (with rules). The pro of the former is that you get context, and the con is that it can be a huge volume. The pro of the latter is that you get a targeted capture, but the con is that you just get the packet that tripped the trigger. So I try to use them in depth, in concert, in a way that I can correlate the data.
Then, of course, I use the rest of the libpcap tools to dig through, winnow, analyze, winnow, etc.
July 12, 2007, 6:51pm
“Wow: That is quite an arsenal Jon. How easy are they to use? Are there legal issues?”
Some are easier to use than others. Both tcpdump and ngrep are pretty trivial command-line utils, but *can* be as complex as you want. They all support the BPF filter language, and that alone can be wondrously complex, filtering down to the individual byte or even bit (with bit masking).
Snort can be extremely complex, as the rule language is remarkably flexible and powerful.
But the bottom line, legally, is that you have to have permission. Sniffing traffic without permission is a *bad thing*. IANAL, but I'm diligent to cover my bases (and I have a really good attorney at hand who understands these issues well, reviews all my contracts, statements of work, etc.).
July 12, 2007, 7:53pm
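To make the "down to the individual byte or even bit" remark concrete, here is an added example (written for this thread, not code from tcpdump, ngrep or libpcap) that mimics the offset-and-mask semantics of BPF expressions such as `tcp[13] & 0x12 == 0x02` (SYN set, ACK clear) or `ip[6:2] & 0x1fff != 0` (non-first fragments) over a few constructed IPv4/TCP frames. Real BPF is compiled and run inside the kernel or libpcap; this only evaluates the same `proto[offset:len] & mask op value` form in Python so you can see what each filter selects. The frame builder, sample addresses and ports are all constructed for the demo.

```python
"""Toy evaluator for BPF byte/bit-offset filters (tcp[13] & 0x12 == 0x02 etc.).
Added example for this discussion, not part of any libpcap tool."""
import operator
import re
import struct

ETH_HDR_LEN = 14

# One filter term of the form proto[off] or proto[off:len], optional "& mask",
# then a comparison against a decimal or hex constant.
FILTER_RE = re.compile(
    r"^(?P<proto>ip|tcp)\[(?P<off>\d+)(?::(?P<len>[124]))?\]"
    r"(?:\s*&\s*(?P<mask>0x[0-9a-fA-F]+|\d+))?"
    r"\s*(?P<op>==|!=|>=|<=|>|<)\s*(?P<val>0x[0-9a-fA-F]+|\d+)$"
)
OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (constructed test data; checksums are
    left at zero because none of the filters below look at them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + tcp


def header_offset(frame, proto):
    """Where the named header starts, the way libpcap resolves it: ip[] is
    relative to the IPv4 header, tcp[] to the TCP header, whose position
    depends on the IHL nibble (IP options shift it). Returns None when the
    frame is not IPv4/TCP, or is a non-first fragment (tcpdump's tcp[]
    access carries the same fragment check)."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip_off = ETH_HDR_LEN
    if proto == "ip":
        return ip_off
    if frame[ip_off + 9] != 6:                # protocol field: 6 = TCP
        return None
    frag = int.from_bytes(frame[ip_off + 6:ip_off + 8], "big") & 0x1FFF
    if frag:
        return None
    ihl = (frame[ip_off] & 0x0F) * 4
    return ip_off + ihl


def matches(frame, expr):
    """True if the frame satisfies one BPF-style byte/bit filter term."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    base = header_offset(frame, m["proto"])
    if base is None:
        return False
    off, length = int(m["off"]), int(m["len"] or 1)
    field = frame[base + off:base + off + length]
    if len(field) < length:                   # field runs past the packet
        return False
    value = int.from_bytes(field, "big")
    if m["mask"]:
        value &= int(m["mask"], 0)            # bit masking, as in BPF
    return OPS[m["op"]](value, int(m["val"], 0))


def filter_frames(frames, expr):
    """Indices of the frames a filter would let through."""
    return [i for i, f in enumerate(frames) if matches(f, expr)]


# Constructed sample traffic: a TCP handshake to port 22 plus one IPv6 frame.
SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 22, 0x02),                  # SYN
    build_ipv4_tcp("10.0.0.9", "10.0.0.5", 22, 40000, 0x12),                  # SYN/ACK
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 22, 0x18, b"SSH-2.0-x\r\n"),  # PSH/ACK + data
    b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40,                                # IPv6, ignored by ip[]/tcp[]
]

if __name__ == "__main__":
    for expr in ("tcp[13] & 0x12 == 0x02", "tcp[13] & 0x02 != 0",
                 "tcp[2:2] == 22", "ip[2:2] > 40", "ip[6:2] & 0x1fff != 0"):
        print(f"{expr:28} -> frames {filter_frames(SAMPLE_FRAMES, expr)}")
```

The first expression is the classic "only connection attempts" filter (the same thing tcpdump spells `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`); the `ip[2:2]` term reads the two-byte total-length field, and the fragment term shows why byte-offset filters on `tcp[]` silently miss non-first fragments.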
“Some of those tools are pretty impressive!”
Yeah, the interoperability of the libpcap-based utils is just flat amazing. For instance, you can grab a packet trace of VOIP traffic with tcpdump, and save it to a file. Then you can load it into ethereal, which understands the SIP and RTP protocols, and can actually *reconstruct the voice conversation for you into an audio file that you can play*.
Spooky?
/jonathan
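The interoperability described above comes from every one of those tools reading and writing the same libpcap file format, so as an added example (written for this thread, not code from tcpdump, wireshark or libpcap) here is a minimal writer and reader for that format, round-tripping a few constructed frames through an in-memory file. It also records what happens when the capture snaplen is smaller than the frame: the file keeps the truncated bytes in `incl_len` and the true wire size in `orig_len`, which is exactly the situation that stops a downstream tool from reassembling payload such as an RTP stream. Frame contents and timestamps are constructed placeholders.

```python
"""Minimal libpcap (.pcap) writer/reader. Added example for this thread,
not the implementation from libpcap or any tool built on it."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
GLOBAL_FMT = "IHHiIII"       # magic, ver major, ver minor, thiszone, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"          # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(stream, packets, snaplen=65535, byte_order="<"):
    """packets: iterable of (ts_sec, ts_usec, frame). Frames longer than
    snaplen are cut on disk, but orig_len keeps their real size, the same
    bookkeeping tcpdump -s performs. byte_order "<" or ">" picks the file's
    native endianness (both are legal pcap)."""
    ghdr = struct.Struct(byte_order + GLOBAL_FMT)
    rhdr = struct.Struct(byte_order + RECORD_FMT)
    stream.write(ghdr.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        captured = frame[:snaplen]
        stream.write(rhdr.pack(ts_sec, ts_usec, len(captured), len(frame)))
        stream.write(captured)


def read_pcap(stream):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, data) per record. The byte
    order is sniffed from the magic, which is how libpcap itself handles files
    written on a machine of the opposite endianness."""
    raw = stream.read(struct.calcsize("<" + GLOBAL_FMT))
    if len(raw) < struct.calcsize("<" + GLOBAL_FMT):
        raise ValueError("truncated global header")
    if struct.unpack("<I", raw[:4])[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack(">I", raw[:4])[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    ghdr = struct.Struct(order + GLOBAL_FMT)
    rhdr = struct.Struct(order + RECORD_FMT)
    _magic, _major, _minor, _tz, _sig, snaplen, linktype = ghdr.unpack(raw)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected linktype {linktype}")
    while True:
        hdr = stream.read(rhdr.size)
        if not hdr:
            return
        if len(hdr) < rhdr.size:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack(hdr)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record: incl_len exceeds snaplen/orig_len")
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet record")
        yield ts_sec, ts_usec, incl_len, orig_len, data


def truncated_records(records):
    """Indices of records whose captured bytes are shorter than the wire
    length: evidence the capture snaplen was too small for payload analysis."""
    return [i for i, (_, _, incl, orig, _) in enumerate(records) if incl < orig]


# Constructed placeholder frames (zero MACs, EtherType IPv4, filler bodies).
SAMPLE_FRAMES = [
    b"\x00" * 12 + b"\x08\x00" + bytes(range(60)),   # 74 bytes
    b"\x00" * 12 + b"\x08\x00" + bytes(200),         # 214 bytes
]
BASE_TS = 1184266260  # constructed timestamp, not from a real capture


def roundtrip(frames, snaplen=65535, byte_order="<"):
    """Write the frames to an in-memory pcap and read them back."""
    buf = io.BytesIO()
    write_pcap(buf, [(BASE_TS + i, 0, f) for i, f in enumerate(frames)],
               snaplen, byte_order)
    buf.seek(0)
    return list(read_pcap(buf))


if __name__ == "__main__":
    recs = roundtrip(SAMPLE_FRAMES, snaplen=96)
    for i, (sec, usec, incl, orig, _) in enumerate(recs):
        print(f"record {i}: ts={sec}.{usec:06d} captured={incl} wire={orig}")
    print("truncated:", truncated_records(recs))
```

When you hand a tcpdump capture to wireshark for the SIP/RTP reconstruction described above, check that no record reports `incl_len < orig_len` (wireshark flags these as "Packet size limited during capture"); if it does, recapture with a large `-s` so the whole RTP payload reaches the file.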