Remember, when using tcpdump to filter your pcaps down to a smaller segment of traffic, that if you don’t specify the fields when you read the traffic, they won’t be in the new pcap. I know that sounds obvious to the point of being silly, but it’s easier to forget than you think. If you need to see Ethernet headers, use -e. If you need to see length, TTL, etc., use -v. If you want both hex and ASCII displayed, use -X. And don’t forget to use -nn so you’re not flooding your DNS (or tipping off your attacker that you’re investigating) and so you see the actual port in use, not what nmap’s services file thinks it is…
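As an added illustration (not part of the original post), the following Python builds a constructed one-packet libpcap file and decodes it by hand, pulling out exactly the fields each of those flags surfaces: the Ethernet header (-e), length/TTL/protocol (-v), raw numeric ports (-nn) and a hex+ASCII dump (-X). The MAC addresses, IPs and ports are made-up sample values.

```python
import struct

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def hexdump(data: bytes) -> list[str]:
    """Render data as tcpdump -X style lines: offset, hex pairs, printable ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
        lines.append(f"0x{off:04x}:  {hexpart:<39}  {text}")
    return lines

def build_sample_pcap() -> bytes:
    """Constructed sample: one Ethernet/IPv4/TCP SYN carrying 16 bytes, in libpcap format."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    payload = b"GET / HTTP/1.0\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 4444, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0xabcd,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    rec = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return ghdr + rec + frame

def parse_first_packet(pcap: bytes) -> dict:
    """Decode the first record; each key maps to what one tcpdump flag would reveal."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xa1b2c3d4 else ">"
    _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[24:40])
    frame = pcap[40:40 + incl_len]
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {
        "eth": (mac(src), mac(dst), f"0x{etype:04x}"),        # -e: link-layer header
        "v": {"len": total_len, "ttl": ttl, "proto": proto},  # -v: length, TTL, protocol
        "ports": (sport, dport),          # -nn: raw numbers, no services-file lookup
        "hexdump": hexdump(frame),        # -X: hex + ASCII of the whole frame
    }

if __name__ == "__main__":
    for key, value in parse_first_packet(build_sample_pcap()).items():
        print(key, value)
```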