Date: Thu, 6 Apr 2000 14:42:54 -0700
To: freebsd-questions@freebsd.org
From: Jon Rust
Subject: Re: tcpdump | tcpshow, and buffering

The answer to my own question may be /usr/ports/ngrep which serves my
needs perfectly. Sorry to waste list b/w. Maybe someone else will find
it useful...

jon

At 2:19 PM -0700 4/6/00, Jon Rust wrote:
>I've been trying to use tcpdump and tcpshow to snoop my network on
>occasion. Mostly to watch what lusers are doing when they can't get
>into our mail server (wrong pass, username, etc). The command line
>is:
>
>  tcpdump -enxs 1508 host blah.blah.com and port 110 | tcpshow -cooked
>
>However, it seems there's quite a bit of buffering by tcpshow going
>on here. I get absolutely nothing displayed until the user has
>pushed (or pulled) a lot of traffic. Makes it tough to do things
>like just verify a POP session.
>
>Any better way to do it?
>
>jon