North American Network Operators Group


RE: analyse tcpdump output

  • From: Brock, Anthony - NET
  • Date: Wed Nov 22 11:20:11 2006

> -----Original Message-----
> I wonder if someone knows a tool to use tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for
> identical patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g.
> Or look for a pattern in a URL. Or just get some timediffs, e.g. when
> an ACK is sent but the client is waiting for data, etc.

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.

Tony
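The two checks asked for in the quoted question (a SYN vs. SYN-ACK balance per host, and the delay between a request, the server's bare ACK and the server's actual data) can be scripted directly over `tcpdump -tt -n` text output. The following is an added example and not code from the post or from Ourmon; the capture lines it parses are constructed here to look like tcpdump's TCP summary format (epoch timestamp, `IP src.port > dst.port: Flags [..], ..., length N`), and the 0.5 s "slow response" threshold is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -tt -n` output (not a real capture):
# one normal HTTP exchange with a slow server, then three SYNs from a
# second host that never receive a SYN-ACK.
SAMPLE = """\
1164212411.000000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 100, win 65535, length 0
1164212411.002000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
1164212411.003000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [.], ack 501, win 65535, length 0
1164212411.004000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [P.], seq 101:221, ack 501, win 65535, length 120
1164212411.005000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [.], ack 221, win 65535, length 0
1164212411.755000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [P.], seq 501:1013, ack 221, win 65535, length 512
1164212412.000000 IP 10.0.0.9.40001 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
1164212412.000100 IP 10.0.0.9.40002 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
1164212412.000200 IP 10.0.0.9.40003 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
"""

# Matches the TCP summary line tcpdump prints with -tt (epoch seconds) and -n.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)


def parse(text):
    """Turn tcpdump text lines into packet dicts; lines that don't match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": float(d["ts"]),
            "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])),
            "flags": d["flags"],
            "length": int(d["length"]),
        })
    return pkts


def syn_balance(pkts):
    """Per client IP: (SYNs sent, SYN-ACKs received).

    A host with many SYNs and few SYN-ACKs is talking to closed or filtered
    ports, or is being dropped; that imbalance is the 'diff' worth alerting on.
    """
    syns, synacks = defaultdict(int), defaultdict(int)
    for p in pkts:
        if "S" in p["flags"] and "." not in p["flags"]:   # [S]  pure SYN
            syns[p["src"][0]] += 1
        elif "S" in p["flags"] and "." in p["flags"]:     # [S.] SYN-ACK
            synacks[p["dst"][0]] += 1
    return {ip: (syns[ip], synacks[ip]) for ip in set(syns) | set(synacks)}


def response_gaps(pkts, threshold=0.5):
    """Per request: how long until the server's bare ACK, and until its first data.

    The client is the side that sent the SYN. A request is the first client
    data segment on a flow; a bare server ACK in the gap means the client is
    waiting on the application, not the network. `threshold` (seconds,
    assumed here) flags slow responses.
    """
    flows = set()    # (client, server) endpoint pairs learned from SYNs
    pending = {}     # flow -> {"req": request ts, "ack": bare-ACK ts or None}
    out = []
    for p in pkts:
        if "S" in p["flags"] and "." not in p["flags"]:
            flows.add((p["src"], p["dst"]))
            continue
        c2s, s2c = (p["src"], p["dst"]), (p["dst"], p["src"])
        if c2s in flows:                                   # client -> server
            if p["length"] > 0 and c2s not in pending:
                pending[c2s] = {"req": p["ts"], "ack": None}
        elif s2c in flows and s2c in pending:              # server -> client
            st = pending[s2c]
            if p["length"] == 0 and st["ack"] is None:
                st["ack"] = p["ts"]                        # ACK sent, no data yet
            elif p["length"] > 0:
                out.append({
                    "client": s2c[0], "server": s2c[1],
                    "ack_delay": None if st["ack"] is None else round(st["ack"] - st["req"], 6),
                    "data_delay": round(p["ts"] - st["req"], 6),
                    "slow": (p["ts"] - st["req"]) > threshold,
                })
                del pending[s2c]
    return out


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    for ip, (s, sa) in sorted(syn_balance(pkts).items()):
        print(f"{ip}: {s} SYN, {sa} SYN-ACK, {s - sa} unanswered")
    for g in response_gaps(pkts):
        print(f"{g['client']} -> {g['server']}: ack after {g['ack_delay']}s, "
              f"data after {g['data_delay']}s{' (SLOW)' if g['slow'] else ''}")
```

To run it on a live capture, replace `SAMPLE` with the output of `tcpdump -tt -n -i <iface> tcp`; the flags check uses membership tests rather than exact string compares so ECN-marked handshakes (`[SEW]`, `[S.E]`) are classified the same way as plain `[S]` and `[S.]`.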