Image magic
-
I have tried some stream analysers on tcpdumps from my pfSense box (like chaosreader or driftnet) and found that the extracted images are corrupt. I was wondering if that could be a feature of pfSense, some tricky security thing that's going on?
$ (ssh root@pfSense tcpdump -i bridge0 -U -w - not tcp port 22 ) > /tmp/dump
$ ../chaosreader -ve /tmp/dump
-
Got it. tcpdump needs -s9999.
Please respect the privacy of others!
This is only for my own education.
-
9999 would set snaplen to 9999 bytes, would it not? Wouldn't you rather just use -s 0? This should set it to what used to be the default of 65535 bytes.
-
I have taken the -s9999 from the chaosreader script. It uses -s9999 when run in standalone mode. It seems to work fine, though -s0 seems more optimal.
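The truncation discussed in this thread can be checked directly from the capture file, before feeding it to a reassembly tool. The following is an added example, not code from any poster and not part of tcpdump or chaosreader: it reads the snaplen from the classic pcap global header and counts records whose captured length is below the original packet length, using a pcap built in memory as constructed sample data.

```python
import struct

def build_pcap(snaplen: int, packets: list) -> bytes:
    """Build a minimal little-endian classic pcap in memory (constructed sample data).
    `packets` is a list of (captured_bytes, original_length) pairs."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (payload, orig_len) in enumerate(packets):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(payload), orig_len) + payload
    return out

def check_truncation(data: bytes) -> dict:
    """Parse a classic pcap and report its snaplen and how many records were cut short.
    A record whose captured length is below its original length is missing TCP payload,
    which is exactly what leaves reassembled files (images included) corrupt."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # microsecond / nanosecond, little-endian
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # same formats written big-endian
        e = ">"
    elif magic == 0x0A0D0D0A:
        raise ValueError("pcapng file: this checker only handles classic pcap")
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    snaplen = struct.unpack(e + "IHHiIII", data[:24])[5]
    off, total, truncated, lost = 24, 0, 0, 0
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16 + caplen
        total += 1
        if caplen < origlen:
            truncated += 1
            lost += origlen - caplen
    return {"snaplen": snaplen, "packets": total, "truncated": truncated, "bytes_lost": lost}

if __name__ == "__main__":
    # Constructed sample: a capture taken with a small snaplen of 96 bytes.
    # The 60-byte packet fits; the 1500-byte packet loses 1404 bytes of payload.
    sample = build_pcap(96, [(b"\x00" * 60, 60), (b"\x00" * 96, 1500)])
    print(check_truncation(sample))
    # {'snaplen': 96, 'packets': 2, 'truncated': 1, 'bytes_lost': 1404}
```

Run it against a real dump with `check_truncation(open("/tmp/dump", "rb").read())`; any non-zero `truncated` count means the capture was taken with too small a snaplen and no stream extractor will get intact files out of it.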