nanog mailing list archives

RE: analyse tcpdump output


From: "Brock, Anthony - NET" <Anthony.Brock () oregonstate edu>
Date: Wed, 22 Nov 2006 08:14:00 -0800


-----Original Message-----
I wonder if someone knows a tool to use tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.

It would be helpful to get a diff between SYN and ACKs, e.g. Or look for a
pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
the client is waiting for data, etc.

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.

Tony
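For the SYN/ACK timing part of the question, here is an added example (not from this thread or from Ourmon) that parses default tcpdump text lines, pairs each client SYN with the server's SYN/ACK, and reports the handshake delay per flow plus SYNs that never got an answer. The sample capture lines are constructed for the example.

```python
import re

# Matches the default tcpdump text format: "HH:MM:SS.usec IP src.port > dst.port: Flags [..]".
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): Flags \[([^\]]*)\]"
)


def parse_line(line):
    """Return (timestamp_seconds, src, dst, flags) or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
    ts = h * 3600 + mi * 60 + s + us / 1_000_000
    return ts, m.group(5), m.group(6), m.group(7)


def handshake_report(lines):
    """Pair SYN with SYN/ACK; return ({(client, server): delay_s}, [unanswered flows])."""
    pending = {}   # (client, server) -> time of first SYN seen
    delays = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, flags = parsed
        if flags == "S":                 # client SYN (keep first one if retransmitted)
            pending.setdefault((src, dst), ts)
        elif flags == "S.":              # server SYN/ACK, reverse direction of the SYN
            flow = (dst, src)
            if flow in pending:
                delays[flow] = round(ts - pending.pop(flow), 6)
    return delays, sorted(pending)      # leftovers are SYNs with no SYN/ACK in the capture


# Constructed sample: one normal handshake, one unanswered SYN, one slow handshake.
SAMPLE = """\
08:14:00.100000 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [S], seq 100, win 65535, length 0
08:14:00.100500 IP 10.0.0.9.80 > 10.0.0.5.40000: Flags [S.], seq 200, ack 101, win 65535, length 0
08:14:00.100700 IP 10.0.0.5.40000 > 10.0.0.9.80: Flags [.], ack 1, win 65535, length 0
08:14:01.000000 IP 10.0.0.5.40001 > 10.0.0.9.443: Flags [S], seq 300, win 65535, length 0
08:14:02.000000 IP 10.0.0.7.51000 > 10.0.0.9.22: Flags [S], seq 400, win 65535, length 0
08:14:02.250000 IP 10.0.0.9.22 > 10.0.0.7.51000: Flags [S.], seq 500, ack 401, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    delays, unanswered = handshake_report(SAMPLE)
    for flow, d in delays.items():
        print(f"{flow[0]} -> {flow[1]}: SYN/ACK after {d} s")
    print("unanswered SYNs:", unanswered)
```

Feed it a real capture with `tcpdump -n -r file.pcap 'tcp[tcpflags] & tcp-syn != 0'` piped in, and raise a threshold on the delays to surface slow or half-open connections.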

