[93475] in North American Network Operators' Group
RE: analyse tcpdump output
daemon@ATHENA.MIT.EDU (Brock, Anthony - NET)
Wed Nov 22 11:16:20 2006
Date: Wed, 22 Nov 2006 08:14:00 -0800
In-Reply-To: <200611221634.13338.Stefan.Hegger@lycos-europe.com>
From: "Brock, Anthony - NET" <Anthony.Brock@oregonstate.edu>
To: "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
> -----Original Message-----
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for
> identical patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYN and ACKs, e.g. Or look
> for a pattern in a URL. Or just get some timediffs, e.g. when an ACK
> is sent but client is waiting for data etc.
For anomaly detection there is Ourmon. It can be downloaded at:
http://jerry.cat.pdx.edu/ourmon/download.html
You can preview it running at Portland State University at:
http://jerry.cat.pdx.edu/ourmon/
However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.
Tony
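The SYN/ACK time-difference analysis the original poster describes, as an added worked example that is not part of this thread and has nothing to do with Ourmon: a small Python script that reads tcpdump's default text output (line format assumed; numeric addresses as printed with `tcpdump -n`), pairs each SYN with the matching SYN/ACK, reports the handshake latency per flow, flags slow handshakes, and lists SYNs that never got an answer. The sample capture lines are constructed.

```python
import re

# Assumed: default tcpdump text line format with numeric addresses (-n), e.g.
# "08:14:00.000123 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [S], seq 1000, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? "
    r"(?P<src>[\w.:-]+)\.(?P<sport>\d+) > (?P<dst>[\w.:-]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture: one normal handshake, one SYN that is never
# answered (and retransmitted), one slow handshake, and an ICMP line to skip.
SAMPLE_LINES = [
    "08:14:00.000123 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [S], seq 1000, win 64240, length 0",
    "08:14:00.000456 IP 192.0.2.10.80 > 10.0.0.5.43210: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    "08:14:00.000789 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [.], ack 5001, win 64240, length 0",
    "08:14:01.500000 IP 10.0.0.5.43211 > 192.0.2.10.80: Flags [S], seq 2000, win 64240, length 0",
    "08:14:02.000000 IP 10.0.0.5.43212 > 192.0.2.11.80: Flags [S], seq 3000, win 64240, length 0",
    "08:14:02.250000 IP 192.0.2.11.80 > 10.0.0.5.43212: Flags [S.], seq 7000, ack 3001, win 65535, length 0",
    "08:14:02.500000 IP 10.0.0.5.43211 > 192.0.2.10.80: Flags [S], seq 2000, win 64240, length 0",
    "08:14:03.000000 IP 10.0.0.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64",
]


def parse_ts(ts):
    """Convert tcpdump's HH:MM:SS.frac timestamp to integer microseconds since midnight.

    Integer arithmetic keeps the differences exact. A capture that crosses
    midnight would need the date (tcpdump -tttt), which is not handled here.
    """
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def handshake_report(lines, slow_threshold_us=200_000):
    """Pair SYNs with SYN/ACKs from tcpdump text output.

    Returns (latencies, unanswered, slow):
      latencies  - {flow: microseconds between first SYN and first SYN/ACK}
      unanswered - [flow] for SYNs that never received a SYN/ACK
      slow       - {flow: microseconds} for handshakes above slow_threshold_us
    A flow is the tuple (client, client_port, server, server_port).
    """
    syn_seen = {}
    latencies = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format (ICMP, ARP, ...)
        ts = parse_ts(m["ts"])
        flags = set(m["flags"])
        if "S" in flags and "." not in flags:
            # Plain SYN (possibly with ECN bits): keep the first one per flow so
            # that retransmitted SYNs do not reset the clock.
            flow = (m["src"], m["sport"], m["dst"], m["dport"])
            syn_seen.setdefault(flow, ts)
        elif "S" in flags and "." in flags:
            # SYN/ACK travels server -> client: swap endpoints to find the SYN's flow.
            flow = (m["dst"], m["dport"], m["src"], m["sport"])
            if flow in syn_seen and flow not in latencies:
                latencies[flow] = ts - syn_seen[flow]
    unanswered = [f for f in syn_seen if f not in latencies]
    slow = {f: d for f, d in latencies.items() if d > slow_threshold_us}
    return latencies, unanswered, slow


def format_report(latencies, unanswered, slow):
    """Render the findings as text lines, one per flow."""
    out = []
    for flow, us in sorted(latencies.items()):
        tag = "  SLOW" if flow in slow else ""
        out.append("%s:%s -> %s:%s  handshake %.3f ms%s" % (*flow, us / 1000.0, tag))
    for flow in unanswered:
        out.append("%s:%s -> %s:%s  SYN never answered" % flow)
    return out


if __name__ == "__main__":
    # Feed a real capture in with: tcpdump -n -r capture.pcap tcp | python3 this_script.py
    import sys
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print("\n".join(format_report(*handshake_report(lines))))
```

Run without input it reports on the constructed sample; piped the text output of `tcpdump -n -r capture.pcap tcp` it does the same over a real capture. A burst of "SYN never answered" flows from one client, or a cluster of SLOW handshakes to one server, is exactly the kind of repeated pattern that is tedious to spot by eye in raw tcpdump output.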