Snort mailing list archives
[Off topic] Traffic analysis
From: Erwin Van de Velde <erwin.vandevelde () ua ac be>
Date: Fri, 5 Dec 2003 23:20:20 +0100
Hi,

Sorry for asking this off-topic question, but I hope someone here can give me an answer (you all seem very smart people to me ;-) ).

I'm looking for a program that can give me stats on network traffic (preferably over a requested amount of time, for example 'last minute') or that gives me the traffic itself, looking like this:

src_ip src_port dst_ip dst_port protocol bytes_sent bytes_received start_time stop_time

The fields may of course be reordered, and I can do with a little less precise timing (if I can timestamp when logging to the database, it would suffice), but I need to get this data quickly (I should be able to update at least once a minute). The tool should be able to output as clear text (to stdout or a file), or should be able to log to a PostgreSQL database right away.

I already tried ntop, but it does not log as text, nor to a PostgreSQL database (only MySQL is supported now). I also tried ipaudit, but that can only output when the program quits. This is bad, as I would have to quit it every minute, and so I can lose a lot of traffic data.

Goal? I want to make traffic statistics, and then compare the ongoing traffic with them, to detect worms or DoS attacks. So I should be able to see sudden increases in traffic on certain ports, and I should be able to see them quickly. I don't want to explain afterwards what took the network down; I want to be able to intervene before this happens...

Who could help me with this? Can ntop do it anyway? Or are there other tools?

Thanks in advance!

Erwin Van de Velde
Student of Antwerp University
Belgium
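As an added example (not code from the original post, and not output of ntop or ipaudit), the following Python script does the second half of what the poster wants: it takes flow records in exactly the field order asked for above, aggregates them per minute and destination port, learns a per-port baseline from earlier minutes and flags a minute whose flow count or byte volume on a port is far above that baseline. The field order is from the post; the epoch-second timestamps, the bucket keys, the thresholds and the traffic records the script generates for itself are constructed assumptions of this example.

```python
"""Added example: per-minute flow aggregation with a baseline check.

Not from the original post and not ntop/ipaudit code. Field order of the input
records is the one requested in the post; timestamps as epoch seconds, the
thresholds and the constructed sample traffic are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    bytes_sent: int
    bytes_received: int
    start_time: int  # epoch seconds (assumed unit)
    stop_time: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record in the order given in the post."""
    f = line.split()
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4].lower(),
                int(f[5]), int(f[6]), int(f[7]), int(f[8]))


def aggregate(flows):
    """Bucket flows by (minute, protocol, dst_port): flow count, bytes, distinct sources."""
    buckets = defaultdict(lambda: {"flows": 0, "bytes": 0, "srcs": set()})
    for fl in flows:
        b = buckets[(fl.start_time - fl.start_time % 60, fl.protocol, fl.dst_port)]
        b["flows"] += 1
        b["bytes"] += fl.bytes_sent + fl.bytes_received
        b["srcs"].add(fl.src_ip)
    return dict(buckets)


def build_baseline(history, minutes):
    """Per (protocol, dst_port): mean and stdev of per-minute flows and bytes over
    the given minutes. A minute with no traffic on a port counts as zero, so a
    normally quiet port gets a tight baseline instead of being ignored."""
    baseline = {}
    for proto, port in {(p, d) for (_, p, d) in history}:
        per_min = [history.get((m, proto, port), {"flows": 0, "bytes": 0}) for m in minutes]
        baseline[(proto, port)] = {
            metric: (mean([b[metric] for b in per_min]), pstdev([b[metric] for b in per_min]))
            for metric in ("flows", "bytes")
        }
    return baseline


def detect(current, baseline, k=3.0, min_flows=20, min_bytes=1_000_000):
    """Alert when a bucket exceeds mean + k*stdev AND an absolute floor; the floor
    stops zero-variance ports from alerting on a handful of packets. Ports never
    seen during the baseline window are judged on the floors alone."""
    alerts = []
    for (minute, proto, port), b in sorted(current.items()):
        base = baseline.get((proto, port))
        for metric, floor in (("flows", min_flows), ("bytes", min_bytes)):
            if b[metric] < floor:
                continue
            if base is not None:
                mu, sigma = base[metric]
                if b[metric] <= mu + k * sigma:
                    continue
            alerts.append({"minute": minute, "protocol": proto, "dst_port": port,
                           "metric": metric, "value": b[metric],
                           "distinct_srcs": len(b["srcs"])})
    return alerts


BASE_TS = 1070662800  # constructed: a minute boundary on 5 Dec 2003


def _constructed_minute(m, http_flows, scan_flows=0, big_download=0):
    """Constructed records for minute m: web and DNS traffic, plus optionally one
    source probing port 135 on many hosts and one oversized web download."""
    t = BASE_TS + 60 * m
    lines = []
    for i in range(http_flows):
        rx = 4000 + (big_download if i == 0 else 0)
        lines.append(f"10.0.1.{i + 1} {40000 + i} 10.0.0.80 80 tcp 500 {rx} {t + i} {t + i + 2}")
    for i in range(4):
        lines.append(f"10.0.1.{i + 1} {50000 + i} 10.0.0.53 53 udp 60 120 {t + 10 + i} {t + 10 + i}")
    for i in range(scan_flows):
        lines.append(f"10.0.2.7 {30000 + i} 10.0.3.{i + 1} 135 tcp 60 0 {t + 20 + i % 30} {t + 21 + i % 30}")
    return lines


def run_demo():
    """Five quiet minutes as baseline, then one minute with a scan and a volume spike."""
    minutes = [BASE_TS + 60 * m for m in range(5)]
    history = aggregate(parse_flow(l) for m in range(5) for l in _constructed_minute(m, 10 + m % 3))
    current = aggregate(parse_flow(l) for l in
                        _constructed_minute(5, 11, scan_flows=40, big_download=2_000_000))
    return detect(current, build_baseline(history, minutes))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run as is, it reports two alerts for the constructed sixth minute: a byte-volume spike on tcp/80 (flow count stays normal, so only the `bytes` metric trips) and 40 flows to tcp/135 from a single source, a port absent from the baseline and therefore caught by the flow-count floor. In practice `parse_flow` would be fed from a collector that writes records continuously rather than at exit, which is exactly the gap the poster describes with ipaudit.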
Current thread:
- [Off topic] Traffic analysis Erwin Van de Velde (Dec 05)
- <Possible follow-ups>
- RE: [Off topic] Traffic analysis Richard Bejtlich (Dec 05)
- RE: [Off topic] Traffic analysis Richard Bejtlich (Dec 05)