nanog mailing list archives
Re: analyse tcpdump output
From: Jason Chambers <jchambers () ucla edu>
Date: Sat, 25 Nov 2006 06:17:29 -0800
On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:
Hi, I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
SiLK is a powerful toolset for analyzing netflow and pcap data generated from TCPDUMP. It's a slight learning curve, but worth it IMHO. Fairly good documentation too.
http://tools.netsa.cert.org/silk/silk_docs.html
http://tools.netsa.cert.org/silk/analysis-handbook.pdf
From that toolset, you can use "rwptoflow" to generate flow records from TCPDUMP to SiLK format.
http://tools.netsa.cert.org/silk/rwptoflow.html
You might also look at "softflowd" [1] or a similar tool to export netflow records from whatever box you're using TCPDUMP on to capture data. Then you can output netflow records directly to most of the aforementioned netflow packages. Having the actual packet data is useful later once you've found something suspicious, or for snort, etc.
[1] http://www.mindrot.org/projects/softflowd/
--Jason
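The two steps Jason describes, collapsing packets into flow records (what rwptoflow and softflowd do) and then looking for a repeated pattern across those flows, as an added example that is not from the thread or from SiLK; it parses tcpdump's textual `-n` IPv4 output rather than pcap, the sample lines are constructed, and the scan heuristic (one source touching many distinct destination ports) is an assumed illustration of the kind of pattern the original question asks about:

```python
import re
from collections import defaultdict

# tcpdump -n IPv4 line, e.g.
# "12:00:01.000001 IP 10.0.0.5.43210 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)length (?P<length>\d+)\s*$"
)

def parse_line(line):
    """One packet dict from a tcpdump line, or None for lines that do not parse (IPv6, ARP, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = "tcp" if "Flags [" in m["rest"] else ("udp" if "UDP" in m["rest"] else "other")
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "proto": proto, "length": int(m["length"])}

def build_flows(lines):
    """Collapse packets into unidirectional 5-tuple flows: packet/payload-byte counts, first/last seen."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"], "last": p["ts"]})
        f["packets"] += 1
        f["bytes"] += p["length"]   # tcpdump's "length" is the payload length
        f["last"] = p["ts"]
    return flows

def scanning_sources(flows, min_targets=5):
    """Sources whose flows reach at least min_targets distinct (dst, dport) pairs: many-ports pattern."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, _proto in flows:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample of tcpdump -n output: one probing host and one ordinary client.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.43210 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000201 IP 10.0.0.5.43211 > 192.168.1.10.23: Flags [S], seq 1, win 65535, length 0
12:00:01.000401 IP 10.0.0.5.43212 > 192.168.1.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000601 IP 10.0.0.5.43213 > 192.168.1.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.000801 IP 10.0.0.5.43214 > 192.168.1.10.8080: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [S], seq 10, win 29200, length 0
12:00:02.010001 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [P.], seq 11:87, ack 1, win 29200, length 76
12:00:02.020001 IP 10.0.0.7.51000 > 192.168.1.10.80: Flags [F.], seq 87, ack 2, win 29200, length 0
12:00:03.000001 IP 10.0.0.7.40000 > 192.168.1.53.53: UDP, length 32
""".splitlines()
```

Feeding real `tcpdump -n` output through `build_flows` and then `scanning_sources` reproduces in a few lines the pcap-to-flow plus query workflow the SiLK handbook walks through, without the flag-level fidelity of rwptoflow.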