North American Network Operators Group

Re: analyse tcpdump output
On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for
> a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
>
> We would like to decrease the time to investigate the cause of an unusual
> network behaviour.
>
> Best
> Stefan

Here are my suggestions:

1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would highly recommend you read some of the papers of the gold-certified SANS people - start here: http://www.giac.org/certified_professionals/listing/gcia_100_781.php

2. Another option is getting Richard Bejtlich's books "Intrusion Detection ..." & "Extrusion Detection ..." and getting some ideas from that material.

Regards,
[another] Stefan
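The three checks the original poster asks for (SYNs that never get a SYN-ACK, a pattern match on the URL, and the gap between a client request and the server's data even though the bare ACK came back promptly) can be scripted over plain tcpdump text output. The following is an added example, not code from either poster or from any tool mentioned in the thread. It assumes the modern "tcpdump -nn" line format (timestamp, "IP src.port > dst.port: Flags [..], ... length N: payload summary"); the sample lines, the 1-second slowness threshold and the "/admin/" URL pattern are all constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in tcpdump -nn text format; not a real capture.
SAMPLE = """\
09:34:01.100000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1000, win 65535, length 0
09:34:01.101000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
09:34:01.101500 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
09:34:01.102000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79: HTTP: GET /index.html HTTP/1.1
09:34:01.102300 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [.], ack 80, win 65535, length 0
09:34:03.600000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [P.], seq 1:500, ack 80, win 65535, length 499: HTTP: HTTP/1.1 200 OK
09:34:05.000000 IP 10.0.0.6.40000 > 192.0.2.10.80: Flags [S], seq 5000, win 65535, length 0
09:34:06.000000 IP 10.0.0.6.40001 > 192.0.2.10.80: Flags [S], seq 5001, win 65535, length 0
09:34:07.000000 IP 10.0.0.7.40002 > 192.0.2.10.80: Flags [S], seq 5002, win 65535, length 0
09:34:07.500000 IP 192.0.2.10.80 > 10.0.0.7.40002: Flags [S.], seq 9000, ack 5003, win 65535, length 0
09:34:07.600000 IP 10.0.0.7.40002 > 192.0.2.10.80: Flags [P.], seq 1:60, ack 1, win 65535, length 59: HTTP: GET /admin/login HTTP/1.1
"""

# One tcpdump line: timestamp, endpoints, TCP flags, segment length, optional payload summary.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)'
    r'(?::\s*(?P<payload>.*))?$'
)
URL_PATTERN = re.compile(r'GET\s+\S*/admin/')   # constructed pattern of interest
SLOW_THRESHOLD = 1.0                             # seconds between request and server data


def parse_line(line):
    """Return a dict for a recognised tcpdump line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s = m.group('ts').split(':')
    return {
        'ts': int(h) * 3600 + int(mnt) * 60 + float(s),   # seconds since midnight
        'src': (m.group('src'), int(m.group('sport'))),
        'dst': (m.group('dst'), int(m.group('dport'))),
        'flags': m.group('flags'),
        'length': int(m.group('length')),
        'payload': m.group('payload') or '',
    }


def analyse(text):
    """Find half-open connections, slow server replies and URL pattern hits."""
    packets = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    syn_sent = {}       # (client, server) -> time of the client's SYN
    completed = set()   # (client, server) flows that received a SYN-ACK
    last_request = {}   # (client, server) -> time of the last client data segment
    slow, url_hits = [], []
    for p in packets:
        flow = (p['src'], p['dst'])
        reverse = (p['dst'], p['src'])
        if p['flags'] == 'S':
            syn_sent[flow] = p['ts']
        elif p['flags'] == 'S.':
            completed.add(reverse)          # SYN-ACK answers the reverse direction
        if p['length'] == 0:
            continue                        # bare ACKs carry no data; the client keeps waiting
        if flow in syn_sent:                # client -> server data (the request)
            last_request[flow] = p['ts']
            if URL_PATTERN.search(p['payload']):
                url_hits.append((flow, p['payload']))
        elif reverse in last_request:       # server -> client data (the reply)
            delay = p['ts'] - last_request.pop(reverse)
            if delay > SLOW_THRESHOLD:
                slow.append((reverse, round(delay, 3)))
    half_open = [f for f in syn_sent if f not in completed]
    return {
        'half_open': half_open,
        'half_open_by_src': Counter(client[0] for client, _ in half_open),
        'slow': slow,
        'url_hits': url_hits,
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Feed it real output with `tcpdump -nn -r capture.pcap | python3 script.py` after swapping SAMPLE for stdin; the interesting part is usually the per-source half-open count (many SYNs from one client with no SYN-ACK) and the request-to-data delay, which the quick server ACK would otherwise hide.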