Ethereal-users: Re: [Ethereal-users] sniffing for welchia

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 8 Jan 2004 10:24:18 -0800
On Thu, Jan 08, 2004 at 10:28:03AM -0600, Leonard Miller wrote:
> what about tcpdump?

Tcpdump and Ethereal both use libpcap to capture; the only time when
tcpdump with a filter of, for example, "icmp and dst 135" would capture
traffic that Ethereal doesn't would be if there was so much traffic that
Ethereal (with its GUI) couldn't keep up with it but tcpdump could, or
if tcpdump were capturing with a short snapshot length, so that less
data per packet were saved, but Ethereal wasn't.

The command

> tcpdump icmp and dst 135

will just produce printed output, which might make tcpdump able to
capture less traffic.

The command

> tcpdump -w welcia.cap icmp and dst 135

would save to a capture file, just as Ethereal does - but it captures
with the default snapshot length of 68 (if tcpdump wasn't built with
IPv6 support) or 96 (if it was).

So that might capture more traffic - but

	1) you could do the same with Ethereal, using the "Limit each
	   packet to [] bytes" option;

	2) if you capture with that short a snapshot length, you won't
	   get much, if any, of the packet data, so while you might see
	   traffic to port 135, you might not get enough data to see
	   whether it's valid or invalid traffic (i.e., you won't get
	   enough of the packet data to get all the DCE RPC request
	   contents).

On the other hand, if somebody wants to look for a particular intrusion
on their network, perhaps they should use an intrusion detection system,
such as Snort:

	http://www.snort.org/

or Prelude:

	http://www.prelude-ids.org/

There are probably Welchia rules for Snort out there, and there might be
rules for Prelude as well.

However, neither tcpdump nor Ethereal nor Snort nor Prelude nor any
other piece of software for capturing traffic will work if the machine
doing the capturing can't see all the traffic on the network:

	http://www.ethereal.com/faq.html#q5.1

(part of the Ethereal FAQ, but it applies to *all* software or hardware
that captures traffic).
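The snapshot-length point above, worked through as an added example (not code from the original post, tcpdump or Ethereal): a tiny libpcap writer/reader truncates a constructed Ethernet/IPv4/TCP frame to port 135 at the default snaplens of 68 and 96 and checks whether the 16-byte DCE RPC header survives. It assumes option-free IP and TCP headers and no VLAN tag, so 54 bytes of headers precede the payload.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IP_TCP = 14 + 20 + 20   # Ethernet + IPv4 + TCP headers, no options (assumption)
DCERPC_HDR = 16             # connection-oriented DCE RPC common header size

def build_frame(payload: bytes, dport: int = 135) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame to dport carrying payload (sample data, not a capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # TEST-NET addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def write_pcap(frames, snaplen: int) -> bytes:
    """Serialize frames as a classic libpcap file, truncating each record to snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for f in frames:
        data = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(data), len(f)) + data  # incl_len vs orig_len
    return out

def read_pcap(blob: bytes):
    """Yield (captured_bytes, original_length) for each record in a little-endian pcap blob."""
    off = 24
    while off + 16 <= len(blob):
        _, _, incl, orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield blob[off:off + incl], orig
        off += incl

def dcerpc_header_complete(captured: bytes) -> bool:
    """True if the saved bytes include the whole 16-byte DCE RPC header after the L2-L4 headers."""
    return len(captured) >= ETH_IP_TCP + DCERPC_HDR

def survey(snaplens=(68, 96, 65535)) -> dict:
    """For each snaplen: (bytes saved, original frame length, DCE RPC header complete?)."""
    # Constructed DCE RPC request: 16-byte common header (frag_length 24) + 8-byte request fields.
    payload = struct.pack("<BBBB4sHHI", 5, 0, 0, 3, b"\x10\x00\x00\x00", 24, 0, 1)
    payload += struct.pack("<IHH", 0, 0, 0)
    frame = build_frame(payload)
    results = {}
    for s in snaplens:
        captured, orig = list(read_pcap(write_pcap([frame], s)))[0]
        results[s] = (len(captured), orig, dcerpc_header_complete(captured))
    return results

if __name__ == "__main__":
    for s, (kept, orig, ok) in survey().items():
        print(f"snaplen {s:5d}: saved {kept}/{orig} bytes, DCE RPC header complete: {ok}")
```

At snaplen 68 only 14 payload bytes survive, so even the DCE RPC header is cut short; at 96 the whole 78-byte frame is saved.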