tcpdump-file analysing -> html output

Hi all,

I'm looking for a tool that can passively analyse the traffic collected in a tcpdump file. The tool should give me at least information about line utilisation, protocol usage (% tcp, % udp, and so on) and a bytes summary (how many bytes per dest-port IN and OUT), in graphs or formatted plain text.

Answers like "search on freshmeat, sourceforge" or similar are NOT accepted. Nstreams and tcpstat don't provide the information I need.

Smudo

jlevieCommented:
It sounds like the tool you want is ntop (http://www.ntop.org/). It will generate those statistics and more.
0
SmudoAuthor Commented:
Nope, sorry, I tried ntop a few weeks ago. It provides a lot of information, but it's not scalable. I'm now creating tcpdump output files with snort and would like to analyse these files with a command line utility and also create reports with it.
0
chris_calabreseCommented:
If you're using snort and need something that scales that much, I suggest dropping your snort info into mysql instead of into tcpdump logs. You can then report on them to your heart's content.
0
jlevieCommented:
I'm not sure I understand what you mean by "it's not scalable". Could you elaborate?
0
SmudoAuthor Commented:
@chris_calabrese: Jup, I'm already logging some of the traffic to a MySQL DB for IDS purposes. I use it with Acid. Unfortunately, I'm too stupid, so I don't know how to execute SQL strings on a webpage and fill the information into the correct fields... That's why I'm looking for a little tool that could do the job for me.

@jlevie: With "not scalable" I mean I cannot format the output of ntop myself. I really don't need the whole functionality of ntop, just a few parts of it. The more important thing is that I cannot archive ntop reports on a daily basis automatically to review them in the future.
0
paullamhkgCommented:
0
SmudoAuthor Commented:
@paullamhkg: Sorry, I'm not looking for a firewall. I'm just looking for a little program that analyzes the traffic I captured in a tcpdump file (or in a MySQL DB) and gives me an output with information on bandwidth used, protocol usage and a byte summary (broken down to ports if possible).
0
paullamhkgCommented:
What about iptraf?

IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.

http://www.zpdee.net/~joecat/iptraf.html
0
SmudoAuthor Commented:
Iptraf looks good, but there's neither a way to open tcpdump files for analysing purposes nor a possibility of ASCII output of a statistics summary into a file...
0
paullamhkgCommented:
How about Snort http://www.snort.org/

Snort is able to analyse IP traffic and provides very strong logging.
It relies on rule scripts, that is, you can monitor what you want to. Even more, the snort site provides you with a rules database.

Also have a look here to see if this can give you some ideas: http://www.tldp.org/linuxfocus/English/January2001/article180.shtml#lfindex0
0
brabardCommented:
I can't understand the problem. Every tool has some pros & cons, and if you don't really like the most popular ones, you can write something really useful for your situation.
I believe all the information you need can be sorted out with some basic bash script using iptables, tcpdump, etc. and reported to mrtg, mysql, text, etc.
0
sarahbassramCommented:
How can I read tcpdump files (tdump.dat) provided by my instructor and prepare intrusion detection reports on the data in the tcpdump files?

Is there any way that I can convert these tdump files into mysql and use ACID or something?

s
0
brabardCommented:
Hi, sarahbassram,
I found this old question , did you solve your problem ?
0
moduloCommented:
PAQed with no points refunded (of 125)

modulo
Community Support Moderator
0