# Need a packet logger [solved]

## Bigun

I need a terminal packet logger that will log only specific port activity and log the information within the packets.

I looked over iplog and it doesn't seem to be a winner, it only logs the connections made, not the information the packets had.  Any suggestions?

----------

## db_404

ngrep (http://ngrep.sourceforge.net) might do, failing that Ethereal (http://www.ethereal.com) has a terminal based front end (tethereal) that works well and has all the filtering and options that the GUI version has.

----------

## Bigun

Ngrep about made me cry.

Thank.... you...

----------

## Bigun

How can I start ngrep with local.start and dump the output to a file:

Trying this:

```
ngrep >> packetlog
```

Locks the PC at local start, I guess waiting for the prompt to get freed up.

Trying this:

```
ngrep >> packetlog &
```

The machine boots... but no log.

Ideas?

----------

## db_404

I've never tried to start ngrep at startup.  You could try to nohup it (not sure if that would really help - I somehow doubt it).  Or if for some reason it's expecting to have a tty you could always start it via screen:

```
# screen runs its argument as a program name, so the redirection must go through a shell
screen -d -m sh -c "ngrep >> packet.log"
```

A hack - granted, but a potentially functional one.

----------

## dewke

use snort...

----------

## think4urs11

man ngrep would tell you about the -O option

so

```
ngrep -O /tmp/mytraffic_dump
```

HTH

T.

----------

## Bigun

 *Think4UrS11 wrote:*   

> man ngrep would tell you about the -O option  
> 
> so
> 
> ...

 

the -O option never worked, stating something about not having proper permissions.

At any rate, I got it to work, turns out the -q option is evil.

----------

## think4urs11

-O works fine for me

does user nobody have rights to write your dump file?

----------

## Bigun

 *Think4UrS11 wrote:*   

> -O works fine for me
> 
> does user nobody have rights to write your dump file?

 

Assuming root does have access to its own home directory... then yes it should.

----------

## think4urs11

 *bigun89 wrote:*   

> Assuming root does have access to its own home directory... then yes it should.

 

Doesn't matter. I also started ngrep as being root but the dump files generated by -O are owned by user nobody, group nobody. In other words ngrep revokes its own privileges to a safe user which is by default nobody.

 *man ngrep wrote:*   

> -R     Do not try to drop privileges to the DROPPRIVS_USER.
>
>        ngrep makes no effort to validate input from live or offline
>        sources as it is focused more on performance and handling large
> ...

 

Please try with a file in /tmp/some_new_name (assuming everybody can access/write to your /tmp)

----------
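A startup wrapper that ties the thread's answers together (the -O dump file, the privilege drop to nobody, and detaching from the console at boot), as an added example that is not from any poster here; the dump directory, interface, port and drop user are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: start ngrep at boot (local.start style),
# capture one port only, and write a pcap with -O into a directory that the
# user ngrep drops to can write. Directory, interface, port and drop user are
# assumptions; adjust them for your system.

DUMP_USER="${DUMP_USER:-nobody}"        # ngrep's default DROPPRIVS_USER
DUMP_DIR="${DUMP_DIR:-/var/log/ngrep}"  # assumed dump location
IFACE="${IFACE:-eth0}"                  # assumed capture interface
PORT="${PORT:-80}"                      # assumed port to log

# ngrep creates the -O file only after dropping privileges, so the directory
# must be writable by $DUMP_USER. root's home directory is not, which is the
# "permissions" error from the thread. Keep the privilege drop (no -R) and
# fix the directory instead.
prepare_dump_dir() {
    dir="$1"; user="$2"
    mkdir -p "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir" || return 1
        chmod 0700 "$dir" || return 1     # root can still read it
    fi
    [ -d "$dir" ] && [ -w "$dir" ]
}

# Command line: interface, pcap output, and a BPF filter limiting capture to
# one port. No match expression is given, so every packet on the port is kept.
ngrep_cmdline() {
    iface="$1"; dir="$2"; port="$3"
    printf 'ngrep -d %s -O %s/port%s.pcap port %s' "$iface" "$dir" "$port" "$port"
}

# Detach from the console: nohup, stdin/stdout/stderr off the tty, background.
# Without the redirects a boot script waits on the terminal, as the thread saw.
# ngrep still prints to stdout even with -O, so that goes to /dev/null here.
start_logger() {
    command -v ngrep >/dev/null 2>&1 || { echo "ngrep not installed" >&2; return 1; }
    nohup sh -c "exec $(ngrep_cmdline "$IFACE" "$DUMP_DIR" "$PORT")" \
        </dev/null >/dev/null 2>&1 &
    echo "$!" > "$DUMP_DIR/ngrep.pid"
}

# Only act when run as a command with "start"; sourcing it for tests is a no-op.
case "${1:-}" in
    start) prepare_dump_dir "$DUMP_DIR" "$DUMP_USER" && start_logger ;;
esac
```

Call it as `sh /path/to/script start` from local.start; the pid file lets a stop script kill the capture cleanly.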

