nanog mailing list archives
RE: analyse tcpdump output
From: "Brock, Anthony - NET" <Anthony.Brock () oregonstate edu>
Date: Wed, 22 Nov 2006 08:14:00 -0800
-----Original Message-----
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output. It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
For anomaly detection there is Ourmon. It can be downloaded at: http://jerry.cat.pdx.edu/ourmon/download.html You can preview it running at Portland State University at: http://jerry.cat.pdx.edu/ourmon/ However, I believe this isn't as detailed or low-level as what you're looking for. In any case, it's a great tool for seeing unusual patterns or strange behavior on your network.
Tony
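As an added example that is not part of this thread (and not Ourmon's code), here is a Python script that does the kind of SYN/ACK pairing the question asks for over plain `tcpdump -n -tt` text output: it matches each client SYN to the server's SYN/ACK on the reversed 4-tuple, reports the handshake delay, and lists SYNs that were never answered (half-open connections). The sample lines are constructed, and the modern `Flags [S]` output syntax is assumed.

```python
import re

# One line of `tcpdump -n -tt` output; the modern "Flags [S]" syntax is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (ts, src, sport, dst, dport, flags), or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (float(m["ts"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def handshake_report(lines):
    """Pair each client SYN with the server SYN/ACK on the reversed 4-tuple.

    'completed' maps flow -> SYN-to-SYN/ACK delay in seconds; 'unanswered' lists
    SYNs that never saw a SYN/ACK (half-open: filtered port, dead host, or scan);
    'orphan_synacks' counts SYN/ACKs with no prior SYN (capture started mid-stream).
    """
    pending, completed, orphan = {}, {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, sport, dst, dport, flags = rec
        if flags == "S":                        # bare SYN from the client
            pending[(src, sport, dst, dport)] = ts
        elif flags == "S.":                     # SYN/ACK: flip src/dst to find the SYN
            flow = (dst, dport, src, sport)
            if flow in pending:
                completed[flow] = round(ts - pending.pop(flow), 6)
            else:
                orphan += 1
    return {"completed": completed, "unanswered": sorted(pending), "orphan_synacks": orphan}

# Constructed sample capture, not real traffic: a normal handshake, a slow one,
# two SYNs to port 25 that are never answered, and a SYN/ACK with no SYN.
SAMPLE = """\
1164204840.100000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
1164204840.101500 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
1164204841.000000 IP 10.0.0.5.51235 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0
1164204843.250000 IP 192.0.2.10.443 > 10.0.0.5.51235: Flags [S.], seq 9, ack 2, win 65535, length 0
1164204844.000000 IP 10.0.0.5.51236 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
1164204845.000000 IP 10.0.0.5.51237 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
1164204846.000000 IP 192.0.2.10.22 > 10.0.0.9.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    print(handshake_report(SAMPLE))
```

Feed it a real capture with `tcpdump -n -tt -r file.pcap tcp | python3 script.py` after replacing `SAMPLE` with `sys.stdin`; a large `unanswered` list from one source is the SYN-vs-ACK diff the question describes.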
Current thread:
- analyse tcpdump output Stefan Hegger (Nov 22)
- Re: analyse tcpdump output Rodrick Brown (Nov 22)
- RE: analyse tcpdump output Brock, Anthony - NET (Nov 22)
- Re: analyse tcpdump output William Waites (Nov 22)
- Re: analyse tcpdump output Netfortius (Nov 22)
- Re: analyse tcpdump output Roland Dobbins (Nov 22)
- Re: analyse tcpdump output David Nolan (Nov 24)
- Re: analyse tcpdump output Jason Chambers (Nov 25)
- Re: analyse tcpdump output Jason Chambers (Nov 25)
- Re: analyse tcpdump output Payam (Nov 27)
- Re: analyse tcpdump output Jason Chambers (Nov 25)