On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for
identical patterns in the tcpdump output.
SiLK is a powerful toolset for analyzing netflow and pcap data
generated from TCPDUMP. It's a slight learning curve, but worth it
IMHO. Fairly good documentation too.
http://tools.netsa.cert.org/silk/silk_docs.html
http://tools.netsa.cert.org/silk/analysis-handbook.pdf
From that toolset, you can use "rwptoflow" to generate flow records
from TCPDUMP to SiLK format.
http://tools.netsa.cert.org/silk/rwptoflow.html
You might also look at "softflowd" [1] or a similar tool to export
netflow records from whatever box you're using TCPDUMP to capture
data. Then you can output netflow records directly to most of the
aforementioned netflow packages. Having the actual packet data is
useful later once you've found something suspicious, or for snort, etc.
[1] http://www.mindrot.org/projects/softflowd/
--Jason
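As an added illustration of what converting packet output to flow records buys you (this is not SiLK or rwptoflow code, just a small stand-alone script written for this thread), the snippet below aggregates tcpdump text lines into unidirectional flows and then flags the "identical patterns" Stefan mentioned: flows that repeat the same source/destination/port with no payload. It assumes the default `tcpdump -n` line format; the sample lines are constructed.

```python
"""Aggregate tcpdump text output into flow records and flag repetitive flows."""
import re
from collections import defaultdict

# Default `tcpdump -n` TCP/UDP line, e.g.
# 12:00:01.000100 IP 10.0.0.5.51000 > 10.0.0.9.22: Flags [S], seq 1, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):.*?length (?P<len>\d+)"
)

# Constructed sample capture: one SSH handshake, three repeated SYNs to port 80, one ARP.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.51000 > 10.0.0.9.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 10.0.0.9.22 > 10.0.0.5.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:01.000300 IP 10.0.0.5.51000 > 10.0.0.9.22: Flags [P.], seq 1:41, ack 1, length 40
12:00:02.000100 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [S], seq 9, win 1024, length 0
12:00:02.200100 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [S], seq 9, win 1024, length 0
12:00:02.400100 IP 10.0.0.7.40000 > 10.0.0.9.80: Flags [S], seq 9, win 1024, length 0
12:00:03.500000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
""".splitlines()

def parse_line(line):
    """Return (timestamp, (src, sport, dst, dport), payload_len), or None for non-IP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return m["ts"], key, int(m["len"])

def build_flows(lines):
    """Collapse packets into unidirectional flow records keyed by the 4-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ARP, truncated or otherwise unparsable line
        ts, key, length = parsed
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += length
        f["first"] = f["first"] or ts
        f["last"] = ts
    return dict(flows)

def suspicious_flows(flows, min_packets=3):
    """Flows with many packets but zero payload (repeated identical SYNs, retries) deserve a look."""
    return sorted(k for k, f in flows.items() if f["packets"] >= min_packets and f["bytes"] == 0)

if __name__ == "__main__":
    for key in suspicious_flows(build_flows(SAMPLE)):
        print("repetitive zero-payload flow:", key)
```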