North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: analyse tcpdump output

  • From: Roland Dobbins
  • Date: Wed Nov 22 15:52:12 2006
  • Authentication-results: sj-dkim-3; [email protected]; dkim=pass (sig from cisco.com/sjdkim3002 verified; );
  • Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=705; t=1164228173; x=1165092173;c=relaxed/simple; s=sjdkim3002;h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;d=cisco.com; [email protected];z=From:=20Roland=20Dobbins=20<[email protected]>|Subject:=20Re=3A=20analyse=20tcpdump=20output|Sender:=20;bh=pA/KhZaYYr7rIs9ZojTT+FgGyHchXg8FcBPCdJSf2o8=;b=WZ/pJm5L1PLA5BaBNWz5Ukjq6LEkiTzVGxA6au6nheJnulNL8Cx83GaxGG3C52GgUOi2Gp3gpzLkvuLCUE3lhz7EfN9+6VaYgKstp53RabLGRKyk3zNZhw8B+3q9R6IQ;
On Nov 22, 2006, at 12:37 PM, Netfortius wrote:
I wonder if someone knows a tool to use a tcpdump output for anomaly
dedection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.
For this sort of thing, you can do it far more scalably with NetFlow. There are several good commercial NetFlow-based anomaly- detection systems (Arbor, Lancope, Narus, Q1, etc.) and even an open- source project (currently fallow) called Panoptis.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // 408.527.6376 voice

All battles are perpetual.

-- Milton Friedman