Subject: Re: telnetd core
To: Wolfgang S. Rupprecht <wolfgang+gnus20021230T142236@wsrcc.com>
From: Wojciech Puchar <wojtek@tensor.3miasto.net>
List: netbsd-users
Date: 12/31/2002 08:40:23
> wojtek@tensor.3miasto.net (Wojciech Puchar) writes:
> > full tcpdump is started for this port.
> >
> > all I need is to wait for the attacker (or a RAM/CPU error).
>
> Make sure you run it with '-s 1500' to get the full packets, and it
> wouldn't hurt to run it with '-w /tmp/telnet.tcpdump' so you can play
> back the data if you snag something interesting.

I'm doing it just like that!

>
> I often run with full packet logging on the internet side, and it
> doesn't seem to slow the machine or network code down enough to matter
> (at least not on a consumer DSL line).
>
> /etc/rc.local:
>
>     (
> 	while :
> 	do
> 	    roll-logs /v/pktlogs/tcpdump.raw
> 	    tcpdump -s 1500 -c 5000 -w /v/pktlogs/tcpdump.raw
> 	done
>     ) &
>
> Roll-logs just does the obvious "file -> file.0.gz" rolling.
>
> -wolfgang
> --
> Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
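A minimal roll-logs in the "file -> file.0.gz" style the quoted rc.local relies on, together with the capture loop, as an added example that is not from either poster. The names roll_logs, capture_loop and KEEP are assumed; it also goes one step beyond the mail by keeping only a bounded number of generations so a capture left running unattended cannot fill the disk.

```shell
#!/bin/sh
# Added example (not from the original mail): a roll-logs helper for a
# tcpdump capture loop. KEEP bounds how many rotated .gz generations stay.
KEEP=${KEEP:-5}

# roll_logs FILE: FILE.N.gz -> FILE.(N+1).gz for each existing generation,
# the oldest (KEEP-1) is dropped, then FILE is gzipped into the .0 slot.
# Prints the new archive name; a missing FILE (first loop pass) is a no-op.
roll_logs() {
    f=$1
    [ -e "$f" ] || return 0
    # Generation that falls off the end.
    rm -f "$f.$((KEEP - 1)).gz"
    # Shift the remaining generations up by one, oldest first so nothing
    # is overwritten before it has moved.
    i=$((KEEP - 2))
    while [ "$i" -ge 0 ]; do
        [ -e "$f.$i.gz" ] && mv "$f.$i.gz" "$f.$((i + 1)).gz"
        i=$((i - 1))
    done
    # gzip replaces FILE with FILE.gz; rename it into the .0 slot.
    gzip -f "$f" && mv "$f.gz" "$f.0.gz"
    printf '%s\n' "$f.0.gz"
}

# The loop from the quoted rc.local: -s 1500 keeps whole frames, -c 5000
# ends each tcpdump run after 5000 packets so the file is rolled regularly.
# Not invoked here; run it in the background from rc.local as in the mail.
capture_loop() {
    dir=$1
    while :; do
        roll_logs "$dir/tcpdump.raw"
        tcpdump -s 1500 -c 5000 -w "$dir/tcpdump.raw"
    done
}
```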