TCPRunner
TCPRunner is an excessively named Perl script wrapped around tcpdump. To wit:
#!/usr/bin/perl
use strict;
use warnings;
# Capture forever in chunks of 2000 packets. Each chunk is named after the
# epoch second it started; traffic to or from the capturing host is excluded.
while (1) {
    my $now = time;
    print "Listening at $now:\n";
    # Stop if tcpdump fails (no privileges, bad interface) rather than
    # spinning through the loop creating empty files.
    system("tcpdump", "-c", "2000", "-w", "$now.eth", "not", "host", "10.17.5.38") == 0
        or die "tcpdump failed (exit status $?)\n";
}
The idea is that the script saves most of the traffic that does not involve the listening system in manageable, bite-sized chunks of 2000 packets each. Those chunks can then be examined with Ethereal or another analyzer. Note that on a switched network the capture will mostly see broadcast traffic unless the interface is attached to a hub or a mirror (span) port.
The logic behind the exclusion is that I'm usually running this remotely and don't need to see all my own ssh packets showing up in the stream. Bear in mind that "not host 10.17.5.38" drops all traffic to or from that address, not just ssh; if you want to keep the host's other traffic, narrow the filter to "not (host 10.17.5.38 and port 22)". You can do whatever you like with the tcpdump filtering system; this is merely an example.
Future enhancements could include:
- a reasonable front-end with command-line parsing
- a separate thread that would periodically wake up and remove any chunks older than a certain interval, or in excess of a maximum number of chunks.
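As an added example (not the page's own code, and not part of TCPRunner), here is one way both enhancements could look: a Python rewrite of the capture loop with argparse options and a pruning step that drops chunks older than a given age or beyond a maximum count. It keeps the original's <epoch>.eth naming and "not host" exclusion, assumes tcpdump is on PATH and that the caller has capture privileges, and prunes inline after each chunk instead of from a separate thread, which avoids two writers touching the capture directory at once. The --dir, --packets, --exclude, --max-age and --max-chunks options and the function names are my own choices.

```python
#!/usr/bin/env python3
"""Rotating tcpdump runner with chunk pruning (added example, not TCPRunner)."""
import argparse
import subprocess
import sys
import time
from pathlib import Path
from typing import List, Optional


def chunk_files(directory: Path) -> List[Path]:
    """Return the *.eth capture chunks in `directory`, oldest first by mtime."""
    chunks = [p for p in directory.glob("*.eth") if p.is_file()]
    return sorted(chunks, key=lambda p: p.stat().st_mtime)


def prune_chunks(directory: Path, max_age: Optional[float],
                 max_count: Optional[int], now: Optional[float] = None) -> List[Path]:
    """Delete chunks older than `max_age` seconds and/or all but the newest
    `max_count`. Either limit may be None. Returns the paths removed, oldest
    first, so the caller can log them and tests can check them."""
    now = time.time() if now is None else now
    chunks = chunk_files(directory)
    doomed: List[Path] = []
    if max_age is not None:
        doomed += [p for p in chunks if now - p.stat().st_mtime > max_age]
    if max_count is not None and len(chunks) > max_count:
        doomed += chunks[: len(chunks) - max_count]
    removed: List[Path] = []
    for p in dict.fromkeys(doomed):  # de-duplicate, preserving oldest-first order
        p.unlink()
        removed.append(p)
    return removed


def capture_once(directory: Path, packets: int, bpf_filter: str,
                 tcpdump: str = "tcpdump") -> Path:
    """Run one tcpdump chunk of `packets` packets into <epoch>.eth and return
    its path. tcpdump failures raise CalledProcessError so a broken setup
    stops the loop instead of spinning like the original script."""
    stamp = int(time.time())
    out = directory / f"{stamp}.eth"
    n = 1
    while out.exists():  # a busy link can fill a chunk in under a second
        out = directory / f"{stamp}-{n}.eth"
        n += 1
    # tcpdump joins the trailing arguments into one filter expression
    cmd = [tcpdump, "-c", str(packets), "-w", str(out)] + bpf_filter.split()
    subprocess.run(cmd, check=True)
    return out


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="rotating tcpdump runner (example)")
    ap.add_argument("--dir", type=Path, default=Path("."), help="chunk directory")
    ap.add_argument("--packets", type=int, default=2000, help="packets per chunk")
    ap.add_argument("--exclude", default="10.17.5.38",
                    help="host whose traffic is dropped from the capture")
    ap.add_argument("--max-age", type=float, default=None,
                    help="delete chunks older than this many seconds")
    ap.add_argument("--max-chunks", type=int, default=None,
                    help="keep at most this many chunks")
    args = ap.parse_args(argv)
    args.dir.mkdir(parents=True, exist_ok=True)
    bpf = f"not host {args.exclude}"
    while True:
        out = capture_once(args.dir, args.packets, bpf)
        print(f"wrote {out}", file=sys.stderr)
        for p in prune_chunks(args.dir, args.max_age, args.max_chunks):
            print(f"pruned {p}", file=sys.stderr)


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root with, for instance, --max-age 86400 --max-chunks 500 to keep a day's worth of chunks capped at 500 files. Newer tcpdump builds can also rotate on their own (-G for time-based rotation, -C for size-based rotation, -W to cap the number of files as a ring buffer), which covers much of this without a wrapper; the wrapper still earns its keep when you want packet-count chunks or pruning rules tcpdump does not offer.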