[93477] in North American Network Operators' Group
Re: analyse tcpdump output
daemon@ATHENA.MIT.EDU (William Waites)
Wed Nov 22 14:53:28 2006
From: William Waites <ww@styx.org>
To: Stefan Hegger <Stefan.Hegger@lycos-europe.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <200611221634.13338.Stefan.Hegger@lycos-europe.com>
Date: Wed, 22 Nov 2006 20:50:32 +0100
Errors-To: owner-nanog@merit.edu
Do people still use snort for this? snort -r filename, IIRC
-w
On Wednesday, 22 November 2006 at 16:34 +0100, Stefan Hegger wrote:
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
> pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
>
> We would like to decrease the time to investigate the cause for an unusual network
> behaviour.
>
> Best, Stefan
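The two checks Stefan asks for (a SYN versus SYN/ACK balance per listener, and the time a client sits waiting after its request has been ACKed) are small enough to script directly against a pcap, which is also what you would reach for when a snort ruleset has nothing to say about the traffic. The following is an added example written for this archive page, not code from the thread or from snort: a dependency-free parser for classic pcap files (Ethernet/IPv4/TCP only) plus the two triage functions, run over a constructed capture that is embedded inline so it works offline. All host addresses, ports and timings in `sample_capture` are made up; `build_pcap` exists only so the sample can be constructed in memory, and in practice you would pass the bytes of a file written with `tcpdump -w`.

```python
"""Quick pcap triage: SYN vs SYN/ACK balance per listener, and bare-ACK-to-data delays."""
import socket
import struct
from collections import defaultdict

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _tcp_packet(src, dst, sport, dport, flags, payload):
    """Build an Ethernet + IPv4 + TCP frame; checksums are zeroed (fine for a pcap)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """records: iterable of (ts_seconds, frame_bytes) -> classic pcap bytes, linktype 1."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per IPv4/TCP packet in a classic pcap (either byte order)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue  # truncated by a short snaplen
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield {"ts": sec + usec / 1_000_000,
               "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
               "sport": sport, "dport": dport, "flags": tcp[13],
               "payload": len(tcp) - (tcp[12] >> 4) * 4}


def syn_balance(pkts):
    """Per (ip, port): (SYNs received, SYN/ACKs sent back). A wide gap is what a scan,
    a filtered port or a SYN flood looks like; a healthy service answers 1:1."""
    counts = defaultdict(lambda: [0, 0])
    for p in pkts:
        if p["flags"] & SYN and not p["flags"] & ACK:
            counts[(p["dst"], p["dport"])][0] += 1
        elif p["flags"] & SYN and p["flags"] & ACK:
            counts[(p["src"], p["sport"])][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def ack_to_data_delays(pkts):
    """Per direction of a flow: seconds from a bare ACK (no payload, no SYN/FIN/RST) to
    the next data packet from the same side. For the server side this is how long the
    client waited for an answer after its request was acknowledged."""
    pending, delays = {}, {}
    for p in sorted(pkts, key=lambda p: p["ts"]):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        bare_ack = p["flags"] & ACK and not p["flags"] & (SYN | FIN | RST) and p["payload"] == 0
        if bare_ack:
            pending.setdefault(flow, p["ts"])
        elif p["payload"] > 0 and flow in pending:
            delays[flow] = round(p["ts"] - pending.pop(flow), 6)
    return delays


def sample_capture():
    """Constructed capture, not real traffic: one HTTP exchange with a slow server,
    plus two SYNs to port 443 that never get a SYN/ACK (a scan or a filtered port)."""
    C, S, X = "10.0.0.1", "10.0.0.2", "10.0.0.3"  # assumed addresses
    return build_pcap([
        (0.000, _tcp_packet(C, S, 40000, 80, SYN, b"")),
        (0.010, _tcp_packet(S, C, 80, 40000, SYN | ACK, b"")),
        (0.011, _tcp_packet(C, S, 40000, 80, ACK, b"")),
        (0.012, _tcp_packet(C, S, 40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")),
        (0.020, _tcp_packet(S, C, 80, 40000, ACK, b"")),  # request acked immediately...
        (0.520, _tcp_packet(S, C, 80, 40000, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\n")),  # ...answered 0.5 s later
        (1.000, _tcp_packet(X, S, 40001, 443, SYN, b"")),
        (2.000, _tcp_packet(X, S, 40001, 443, SYN, b"")),  # retransmit, still unanswered
    ])


def triage(pcap_bytes):
    pkts = list(parse_pcap(pcap_bytes))
    return syn_balance(pkts), ack_to_data_delays(pkts)


if __name__ == "__main__":
    balance, delays = triage(sample_capture())
    for (ip, port), (syns, synacks) in sorted(balance.items()):
        print(f"{ip}:{port:<5} SYN={syns} SYN/ACK={synacks}")
    for (src, sport, dst, dport), d in delays.items():
        print(f"{src}:{sport} -> {dst}:{dport}  bare ACK to data: {d:.3f}s")
```

On the sample the balance shows port 80 at 1:1 and port 443 at 2:0, and the delay table shows the server side of the HTTP flow at 0.5 s, which is exactly the "ACK was sent but the client is waiting" case. The parser deliberately refuses pcapng and non-Ethernet link types rather than misreading them; extend it if your `tcpdump -w` output uses either.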