Date: Mon, 16 Mar 2009 12:27:12 -0400 (EDT)
From: William Stearns
X-X-Sender: wstearns@XXXXXXXXXXXXXXXXXXX
To: William Stearns
cc: Benjamin Schweizer <2009@XXXXXXXXXXXXXXXXXXXXX>
Subject: Re: ipmap_filter.py patch for tcpdump
In-Reply-To:
Message-ID:
References:
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Good evening, Ben,

On Mon, 16 Mar 2009, William Stearns wrote:

> Thanks for writing ipmap.
>
> Your tcpdump filter in ipmap_filter requires a ':' after the string
> "length". My tcpdump doesn't print the colon, so I adjusted the filter to
> make that optional with ':?'. Attached, and at:
>
> http://www.stearns.org/patches/ipmap_filter_tcpdump.patch

	Oops, almost forgot.  Your readme suggests using "tcpdump -n -v".
While that leaves IP addresses in numeric format matching your \d in the
regex, it tries to decode port numbers into names, which your \d won't
match.  You might consider using "tcpdump -n -n -v" in the readme, which
tells tcpdump to leave _both_ ip addresses and port numbers as numeric.
	Cheers,
	- Bill

---------------------------------------------------------------------------
"Windows is the answer, but only if the question was 'What is the
intellectual equivalent of being a galley slave?'"
	-- Larry Smith, in comp.os.linux.misc (Courtesy of Rodger Donaldson )
--------------------------------------------------------------------------
William Stearns (wstearns@XXXXXXXXX, tools and papers: www.stearns.org)
Top-notch computer security training at www.sans.org , www.giac.net
--------------------------------------------------------------------------
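The two points in the mail above (the optional colon after "length", and port names
defeating a \d-only regex unless tcpdump is run with -n -n, spelled -nn in the man
page) can be seen on a small parser. The following is an added example, not the
ipmap_filter.py code or the patch itself, which is not reproduced on this page; the
regex is my own approximation of a tcpdump -v line filter, and the sample tcpdump
lines are constructed, not captured. It also handles one more detail the mail does
not mention: newer tcpdump prints the IP header and the address line as two lines,
the second indented, so continuation lines are joined before matching.

```python
import re

# Constructed sample output (RFC 5737 documentation addresses, not real captures).
# Older tcpdump -v: everything on one line, "proto:" and "length:" with colons.
OLD_STYLE = (
    "12:27:12.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], "
    "proto: TCP (6), length: 60) 192.0.2.10.43210 > 198.51.100.5.80: S 1:1(0) win 5840\n"
)
# Newer tcpdump -nn -v: no colons, address line indented on a continuation line.
NEW_STYLE_NN = (
    "12:27:12.000002 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], "
    "proto TCP (6), length 52)\n"
    "    198.51.100.5.80 > 192.0.2.10.43210: Flags [S.], seq 0, ack 1, win 65535\n"
)
# Newer tcpdump -n -v: only one -n, so the destination port is decoded to "http".
NEW_STYLE_N = (
    "12:27:12.000003 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], "
    "proto TCP (6), length 40)\n"
    "    192.0.2.10.43210 > 198.51.100.5.http: Flags [.], ack 1, win 5840\n"
)

OCTETS = r"\d{1,3}(?:\.\d{1,3}){3}"


def make_pattern(colon_optional=True):
    """Build the filter regex (assumed shape, not ipmap's actual expression).

    With colon_optional=False the pattern behaves like the original filter
    the mail describes: it insists on "length:" and misses newer output.
    """
    colon = ":?" if colon_optional else ":"
    return re.compile(
        r"length" + colon + r" (?P<length>\d+)\)\s+"
        r"(?P<src>" + OCTETS + r")\.(?P<sport>\d+) > "
        r"(?P<dst>" + OCTETS + r")\.(?P<dport>\d+):"
    )


def records(text):
    """Split tcpdump output into one string per packet.

    Lines beginning with whitespace are continuations of the previous packet
    (newer tcpdump prints the addresses on an indented second line).
    """
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse(text, colon_optional=True):
    """Return (matched, unmatched): parsed dicts and the records the regex missed."""
    pat = make_pattern(colon_optional)
    matched, unmatched = [], []
    for rec in records(text):
        m = pat.search(rec)
        if m is None:
            unmatched.append(rec)
            continue
        d = m.groupdict()
        for key in ("sport", "dport", "length"):
            d[key] = int(d[key])
        matched.append(d)
    return matched, unmatched


if __name__ == "__main__":
    for label, text, opt in (
        ("colon required, mixed input", OLD_STYLE + NEW_STYLE_NN, False),
        ("colon optional, mixed input", OLD_STYLE + NEW_STYLE_NN, True),
        ("colon optional, -n only", NEW_STYLE_N, True),
    ):
        ok, missed = parse(text, opt)
        print(f"{label}: matched {len(ok)}, missed {len(missed)}")
```

Running it shows the two failure modes the mail describes: with the colon required,
only the old-style line matches; with ':?' both styles match; and the line produced
with a single -n is missed regardless, because "http" is not \d+. The fix for the
last case is on the capture side (tcpdump -nn), not in the regex.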