Showing posts with label tcpdump. Show all posts

Sunday, January 30, 2011

This Linux Journal article looks at Linux sniffing tools. It covers the most common one, tcpdump, but also has info on a few tools I wasn't familiar with: p0f, which does passive OS fingerprinting to work out what is running on your network without sending a single probe, and dsniff, which pulls plaintext credentials and content (mail, web, etc.) out of passing traffic, if you want to build your own wall of sheep.
And while I'm looking at security and unintentionally shared content, Schneier's blog has a post about unsecured webcams.

Wednesday, December 15, 2010
I never knew you could get tcpdump files from an ASA
I never knew you could get tcpdump-format files from a Cisco ASA. Very cool!
The capture process is the same as before, but stop the capture with the command "no capture $CAPNAME interface $INTERFACE" instead of "no capture $CAPNAME": the first detaches the capture from the interface and keeps its buffer, while the second deletes the capture, buffer and all. Then point a browser at the ASA and fetch the file from "http://$FIREWALL/capture/$CAPNAME/pcap".
Download it and you're good to open it with tcpdump, Wireshark, or whatever packet capture viewer you prefer.
It doesn't look like there's a way to TFTP it rather than turning on the ASA's HTTP server for the duration of the download.
Wednesday, May 5, 2010
Using tcpdump to only capture SYN and FIN packets
Sometimes all you want from a capture is when each session starts and when it finishes, so you don't need anything beyond the packets that carry the handshake flags. Here's how to do it:
tcpdump -w flagdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
This keeps the SYN and SYN-ACK of the three-way handshake and the FIN (or FIN-ACK) of the close from both sides, and nothing else. Note that a session torn down by a reset never sends a FIN, so an aborted connection leaves only its SYN in the file unless you add the reset flag to the mask.
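Reading the file back, as an added example that is not from either post above: the stdlib-only Python below validates a classic pcap file the way you'd want to before trusting a download from the ASA (magic number, link type, record lengths), then applies the same test as the SYN/FIN filter to each packet, with an option to include resets. The addresses, ports and packets are constructed inline for the demo; nothing here comes from a real capture.

```python
# Added example (not from the original posts): a stdlib-only reader that checks a
# classic pcap file, e.g. one pulled from an ASA, and applies the same test as the
# BPF filter tcp[tcpflags] & (tcp-syn|tcp-fin) != 0. Sample packets are constructed
# below; the addresses and ports are made up.
import struct
from collections import namedtuple

LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(TCP_FIN, "FIN"), (TCP_SYN, "SYN"), (TCP_RST, "RST"), (TCP_PSH, "PSH"), (TCP_ACK, "ACK")]

Event = namedtuple("Event", "ts src sport dst dport flags")


def parse_pcap(data):
    """Yield (timestamp, frame) from a classic pcap buffer; reject anything else.

    A web server will happily hand back an HTML error or login page instead of a
    capture, so validate the magic number and link type before trusting the file.
    """
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host (tcpdump -w on x86)
    elif magic == 0xD4C3B2A1:
        endian = ">"          # big-endian writer
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        yield sec + usec / 1e6, frame


def dotted(octets):
    return ".".join(str(x) for x in octets)


def tcp_fields(frame):
    """Return (src, sport, dst, dport, flags) for an unfragmented IPv4/TCP frame, else None.

    Mirrors BPF's tcp[...]: it refuses to index into a non-first fragment.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:          # version 4, sane IHL, protocol TCP
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:           # fragment offset != 0: no TCP header here
        return None
    tcp = ip[ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                                         # the byte that tcp[tcpflags] names
    return dotted(ip[12:16]), sport, dotted(ip[16:20]), dport, flags


def session_edges(data, mask=TCP_SYN | TCP_FIN):
    """Python equivalent of 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' over a pcap buffer.

    Pass mask=TCP_SYN | TCP_FIN | TCP_RST to also keep sessions that end in a reset.
    """
    events = []
    for ts, frame in parse_pcap(data):
        fields = tcp_fields(frame)
        if fields is not None and fields[4] & mask:
            events.append(Event(ts, *fields))
    return events


def flag_names(flags):
    return "|".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(records, snaplen=65535):
    """Serialise (sec, usec, frame) records as a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


C, S, C2 = "10.0.0.5", "192.0.2.10", "10.0.0.6"       # constructed addresses
SAMPLE_RECORDS = [                                      # one complete session, then one aborted by RST
    (1, 0, build_frame(C, S, 40000, 443, TCP_SYN)),
    (1, 100, build_frame(S, C, 443, 40000, TCP_SYN | TCP_ACK)),
    (1, 200, build_frame(C, S, 40000, 443, TCP_ACK)),
    (1, 300, build_frame(C, S, 40000, 443, TCP_PSH | TCP_ACK, b"\x16\x03\x01")),
    (2, 0, build_frame(C, S, 40000, 443, TCP_FIN | TCP_ACK)),
    (2, 100, build_frame(S, C, 443, 40000, TCP_FIN | TCP_ACK)),
    (2, 200, build_frame(C, S, 40000, 443, TCP_ACK)),
    (3, 0, build_frame(C2, S, 40001, 80, TCP_SYN)),
    (3, 50, build_frame(S, C2, 80, 40001, TCP_RST | TCP_ACK)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    for e in session_edges(SAMPLE_PCAP, TCP_SYN | TCP_FIN | TCP_RST):
        print("%.6f %s:%d -> %s:%d %s" % (e.ts, e.src, e.sport, e.dst, e.dport, flag_names(e.flags)))
```

Run it directly to print the session edges in the sample; for a real file, call session_edges(open("flagdump", "rb").read()). With the default mask the aborted second session shows up as a lone SYN, exactly as it would in the flagdump file; adding TCP_RST to the mask is the code equivalent of adding tcp-rst to the tcpdump expression. Two practical cautions on the ASA side: scope the "http <host> <mask> <interface>" statement to the workstation you download from while the server is enabled, and treat the file as sensitive, because the capture buffer holds whole packets, payloads included. Cisco also documents "copy /pcap capture:$CAPNAME tftp://<server>/<file>" as a CLI-side export of the buffer if you would rather not enable the web server at all.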
About Me
- regis
- Regis has worked as a network engineer since 1994 for small companies and for large companies.