North American Network Operators Group


Re: analyse tcpdump output

  • From: Jason Chambers
  • Date: Sat Nov 25 09:24:12 2006

On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:

Hi,

I wonder if someone knows a tool to use a tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.

SiLK is a powerful toolset for analyzing netflow and pcap data generated from TCPDUMP. It's a slight learning curve, but worth it IMHO. Fairly good documentation too.

http://tools.netsa.cert.org/silk/silk_docs.html
http://tools.netsa.cert.org/silk/analysis-handbook.pdf


From that toolset, you can use "rwptoflow" to generate flow records from TCPDUMP to SiLK format.

http://tools.netsa.cert.org/silk/rwptoflow.html

You might also look at "softflowd" [1] or a similar tool to export netflow records from whatever box you're using TCPDUMP to capture data on. Then you can output netflow records directly to most of the aforementioned netflow packages. Having the actual packet data is useful later once you've found something suspicious, or for Snort, etc.

[1] http://www.mindrot.org/projects/softflowd/

--Jason
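As an added example that is not part of the original thread, SiLK or rwptoflow, the Python below performs by hand the reduction rwptoflow does: it collapses tcpdump text output into per-5-tuple flow records (packet and byte counts) and then checks the flow table for one repeated pattern that is tedious to spot by eye, a source touching many destination ports on a single host. The tcpdump lines are constructed for the example, not a real capture, and the regex assumes tcpdump's default numeric (`-n`) line format.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture) in "tcpdump -n" format.
SAMPLE_TCPDUMP = """\
10:00:01.000000 IP 10.0.0.5.40001 > 192.0.2.10.22: Flags [S], seq 1, length 0
10:00:01.000100 IP 10.0.0.5.40002 > 192.0.2.10.23: Flags [S], seq 1, length 0
10:00:01.000200 IP 10.0.0.5.40003 > 192.0.2.10.25: Flags [S], seq 1, length 0
10:00:01.000300 IP 10.0.0.5.40004 > 192.0.2.10.80: Flags [S], seq 1, length 0
10:00:02.000000 IP 10.0.0.7.51000 > 192.0.2.10.80: Flags [P.], seq 1:101, ack 1, length 100
10:00:02.100000 IP 192.0.2.10.80 > 10.0.0.7.51000: Flags [P.], seq 1:501, ack 101, length 500
10:00:02.200000 IP 10.0.0.7.51000 > 192.0.2.10.80: Flags [P.], seq 101:201, ack 501, length 100
"""

# timestamp, src ip, src port, dst ip, dst port, payload length
LINE_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .*length (\d+)$"
)


def packets_to_flows(text):
    """Collapse packet lines into unidirectional flow records keyed by
    (src, sport, dst, dport), the same reduction rwptoflow performs for SiLK."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip ARP, truncated or otherwise unparsed lines
        _ts, src, sport, dst, dport, length = m.groups()
        rec = flows[(src, int(sport), dst, int(dport))]
        rec["packets"] += 1
        rec["bytes"] += int(length)
    return dict(flows)


def fanout_by_source(flows, min_ports=3):
    """Return (src, dst) pairs whose flows touch at least min_ports distinct
    destination ports: one repeated pattern worth a closer look in the pcap."""
    ports = defaultdict(set)
    for (src, _sport, dst, dport) in flows:
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    table = packets_to_flows(SAMPLE_TCPDUMP)
    for key, rec in sorted(table.items()):
        print(key, rec)
    print("fan-out:", fanout_by_source(table))
```

Once the flow table exists, the same question answered here by `fanout_by_source` is a one-line `rwstats`/`rwuniq` query in SiLK, which is the point of converting packets to flows first.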