[93482] in North American Network Operators' Group


Re: analyse tcpdump output

daemon@ATHENA.MIT.EDU (Jason Chambers)
Sat Nov 25 09:19:31 2006

In-Reply-To: <200611221634.13338.Stefan.Hegger@lycos-europe.com>
Cc: NANOG <nanog@merit.edu>
From: Jason Chambers <jchambers@ucla.edu>
Date: Sat, 25 Nov 2006 06:17:29 -0800
To: Stefan Hegger <Stefan.Hegger@lycos-europe.com>
Errors-To: owner-nanog@merit.edu


On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:
>
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for
> identical patterns in the tcpdump output.


SiLK is a powerful toolset for analyzing netflow and pcap data
generated from TCPDUMP.  It's a slight learning curve, but worth it
IMHO.  Fairly good documentation too.

	http://tools.netsa.cert.org/silk/silk_docs.html
	http://tools.netsa.cert.org/silk/analysis-handbook.pdf


From that toolset, you can use "rwptoflow" to generate flow records
from TCPDUMP to SiLK format.

	http://tools.netsa.cert.org/silk/rwptoflow.html

You might also look at "softflowd" [1] or a similar tool to export
netflow records from whatever box you're using TCPDUMP to capture
data.  Then you can output netflow records directly to most of the
aforementioned netflow packages.  Having the actual packet data is
useful later once you've found something suspicious, or for Snort, etc.

[1] http://www.mindrot.org/projects/softflowd/

--Jason
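As an added illustration of the pcap-to-flow step Jason describes (this is example code written for this page, not part of his post and not SiLK's own code, which writes its own binary record format via rwptoflow), the script below parses a classic libpcap file, aggregates Ethernet/IPv4 TCP/UDP packets into unidirectional flow records keyed by 5-tuple (packets, bytes, first/last timestamp, OR of TCP flags), and then runs the simplest anomaly check that becomes easy once packets are flows: a source that sends lone SYNs to many distinct destination ports. The capture it reads is constructed in `build_sample_pcap()` (the function names, the 10.0.0.0/8 and 192.0.2.0/24 addresses and the threshold of 10 ports are all assumptions made for the example), so it runs offline; point `pcap_to_flows()` at the bytes of a real `tcpdump -w` file to try it on your own traffic.

```python
"""Aggregate a classic pcap into flow records and flag SYN port-scanners.
Example code for illustration only; it is not SiLK or rwptoflow."""
import struct
import socket
from collections import defaultdict

PCAP_GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_REC_HDR = "IIII"         # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for each record of a classic libpcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"                      # little-endian writer
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"                      # big-endian writer
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype = struct.unpack_from(e + PCAP_GLOBAL_HDR, data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, rec_len = struct.calcsize(e + PCAP_GLOBAL_HDR), struct.calcsize(e + PCAP_REC_HDR)
    while off + rec_len <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(e + PCAP_REC_HDR, data, off)
        off += rec_len
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                    # truncated tail record: stop rather than mis-parse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def decode_frame(frame):
    """Return ((src, dst, sport, dport, proto), tcp_flags, ip_total_len) for one
    Ethernet/IPv4 TCP or UDP frame, or None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    flags = frame[l4 + 13] if proto == IPPROTO_TCP and len(frame) >= l4 + 14 else 0
    return (src, dst, sport, dport, proto), flags, total_len


def pcap_to_flows(data):
    """Collapse packets into unidirectional flow records keyed by 5-tuple, with the
    fields a flow tool fills in: packets, bytes, start/end time, OR of TCP flags."""
    flows = {}
    for ts, frame in iter_pcap(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        key, flags, nbytes = decoded
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "start": ts, "end": ts, "flags": 0})
        rec["packets"] += 1
        rec["bytes"] += nbytes
        rec["end"] = max(rec["end"], ts)
        rec["flags"] |= flags
    return flows


def find_port_scanners(flows, min_ports=10):
    """Sources whose single-packet, SYN-only TCP flows touch >= min_ports distinct
    (dst, port) pairs. min_ports=10 is an assumed threshold, tune it per network."""
    targets = defaultdict(set)
    for (src, dst, _, dport, proto), rec in flows.items():
        if proto == IPPROTO_TCP and rec["flags"] == TCP_SYN and rec["packets"] == 1:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def _frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed minimal Ethernet/IPv4/TCP frame (checksums left zero on purpose)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_sample_pcap():
    """Constructed capture (not real traffic): 10.0.0.5 SYN-probes twelve ports on
    192.0.2.10, while 10.0.0.7 completes a normal handshake and sends one request."""
    frames = [(1000 + i * 0.01, _frame("10.0.0.5", "192.0.2.10", 40000 + i, p, TCP_SYN))
              for i, p in enumerate(range(21, 33))]
    frames += [(1010.0, _frame("10.0.0.7", "192.0.2.10", 50001, 80, TCP_SYN)),
               (1010.1, _frame("192.0.2.10", "10.0.0.7", 80, 50001, TCP_SYN | TCP_ACK)),
               (1010.2, _frame("10.0.0.7", "192.0.2.10", 50001, 80, TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"))]
    out = struct.pack("<" + PCAP_GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, fr in frames:
        out += struct.pack("<" + PCAP_REC_HDR, int(ts), int(round((ts % 1) * 1e6)), len(fr), len(fr)) + fr
    return out


if __name__ == "__main__":
    flows = pcap_to_flows(build_sample_pcap())
    for key, rec in sorted(flows.items()):
        print(key, rec["packets"], "pkts", rec["bytes"], "bytes", "flags", hex(rec["flags"]))
    print("suspected scanners:", find_port_scanners(flows))
```

Once the packets are flows, the scan is one line of output (12 single-SYN flows from one source) instead of twelve near-identical tcpdump lines scattered among everything else; the real SiLK pipeline does the same aggregation with rwptoflow and then lets you slice the records with rwfilter and friends. Note that this check only sees the pattern, not the intent: a legitimate monitoring host probing many ports will trip it too, which is exactly why keeping the original pcap around for follow-up, as the post suggests, matters.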


