wojtek@tensor.3miasto.net (Wojciech Puchar) writes:
> full tcpdump is started for this port.
> 
> all i need is to wait for attacker or (or RAM/CPU error).

Make sure you run it with '-s 1500' to get the full packets, and it
wouldn't hurt to run it with '-w /tmp/telnet.tcpdump' so you can play
back the data if you snag something interesting.

I often run with full packet logging on the internet side, and it
doesn't seem to slow the machine or network code down enough to matter
(at least not on a consumer DSL line).

/etc/rc.local:

    (
	while :
	do
	    roll-logs /v/pktlogs/tcpdump.raw
	    tcpdump -s 1500 -c 5000 -w /v/pktlogs/tcpdump.raw
	done
    ) &

Roll-logs just does the obvious "file -> file.0.gz" rolling.

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/

spider food: http://www.wsrcc.com/baddream/usenet/
(NOTE: The email address above is valid.  Edit it at your own peril.)