Smudo asked:
tcpdump-file analysing -> html output
Hi all,
I'm looking for a tool that can passively analyse the traffic collected in a tcpdump file. The tool should give me at least information about line utilisation, protocol usage (% tcp, % udp, and so on), and a bytes summary (how many bytes per dest-port IN and OUT) in graphs or formatted plain text.
Answers like "search on freshmeat, sourceforge" or similar are NOT accepted. Nstreams and tcpstat don't provide the information I need.
Smudo
It sounds like the tool you want is ntop (http://www.ntop.org/). It will generate those statistics and more.
ASKER
Nope, sorry, I tried ntop a few weeks ago. It provides a lot of information, but it's not scalable. I'm now creating tcpdump output files with snort and would like to analyse these files with a command line utility and also create reports with it.
If you're using snort and need something that scales that much, I suggest dropping your snort info into mysql instead of into tcpdump logs. You can then report on them to your heart's content.
I'm not sure I understand what you mean by "it's not scalable". Could you elaborate?
ASKER
@chris_calabrese: Yup, I'm already logging some of the traffic to a MySQL DB for IDS purposes. I use it with ACID. Unfortunately, I'm too stupid, so I don't know how to execute SQL strings on a webpage and fill the information into the correct fields... That's why I'm looking for a little tool that could do the job for me.
@jlevie: By "not scalable" I mean that I cannot format the output of ntop myself. I really don't need the whole functionality of ntop, just a few parts of it. The more important thing is that I cannot archive ntop reports on a daily basis automatically to review them in the future.
How about IPCop? http://www.zpdee.net/~joecat/ipcoptraffic.html
ASKER
@paullamhkg: Sorry, I'm not looking for a firewall. I'm just looking for a little program that analyzes the traffic I captured in a tcpdump file (or in a MySQL DB) and gives me an output with information on bandwidth used, protocol usage and byte summary (broken down to ports if possible).
What about IPTraf?
IPTraf is a console-based network statistics utility for Linux. It gathers a variety of figures such as TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts.
http://www.zpdee.net/~joecat/iptraf.html
ASKER
IPTraf looks good, but there's neither a way to open tcpdump files for analysis nor a possibility of an ASCII output of a statistics summary into a file...
How about Snort? http://www.snort.org/
Snort is able to analyse IP traffic and provides very strong logging.
It relies on rule scripts, that is, you can monitor what you want to. Even more, the snort site provides you with a rules database.
Also have a look here; this may give you some ideas: http://www.tldp.org/linuxfocus/English/January2001/article180.shtml#lfindex0
I can't understand the problem. Every tool has some pros & cons, and if you don't really like the most popular ones, you can write something really useful for your situation.
I believe all the information you need can be sorted out by some basic bash script using iptables, tcpdump, etc. and reported to mrtg, mysql, text, etc.
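The asker's three requirements (protocol usage in per cent, bytes per destination port split into IN and OUT, and line utilisation, all as archivable plain text) and the suggestion just above to script the job yourself both come down to the same small program: read the libpcap file that tcpdump or snort wrote, decode each Ethernet/IPv4 frame, and aggregate. The following is an added example written for this thread, not code from any of the posters or from tcpdump, snort or ntop. It assumes the classic microsecond-resolution libpcap format with the Ethernet link type and IPv4 traffic, treats a packet as "IN" when its destination lies inside a local network you pass in (192.168.1.0/24 here, an assumption), and builds a five-packet capture in memory as constructed test data so it runs offline; to analyse a real file, replace `build_sample_pcap()` with the bytes read from it.

```python
"""Passive summary of a tcpdump (libpcap) file: protocol mix, bytes per destination
port IN/OUT relative to a local network, and average line utilisation, as plain text.
Added example (not from the thread); assumes an Ethernet (DLT_EN10MB), IPv4-only capture."""
import ipaddress
import struct
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "ts length proto src dst sport dport")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def decode_frame(frame, ts, orig_len):
    """Extract protocol, addresses and ports from one Ethernet/IPv4 frame (None if not IPv4)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]            # header length in bytes, IP protocol number
    src, dst = str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20]))
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:       # TCP and UDP both begin with src/dst port
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Packet(ts, orig_len, proto, src, dst, sport, dport)

def parse_pcap(data):
    """Walk the libpcap global header and per-packet record headers; return decoded packets."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a microsecond-resolution libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6, orig_len)
        off += incl_len
        if pkt:
            records.append(pkt)
    return records

def summarize(records, local_net):
    """Aggregate bytes per protocol and per (proto, dst port) split into IN/OUT."""
    net, total, proto_bytes = ipaddress.ip_network(local_net), 0, Counter()
    port_bytes = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        total += r.length                              # wire length, not the snapped length
        proto_bytes[PROTO_NAMES.get(r.proto, "ip-%d" % r.proto)] += r.length
        if r.dport is not None:
            direction = "in" if ipaddress.ip_address(r.dst) in net else "out"
            port_bytes[(PROTO_NAMES[r.proto], r.dport)][direction] += r.length
    duration = records[-1].ts - records[0].ts if records else 0.0
    return {
        "total_bytes": total,
        "duration_s": duration,
        "avg_bps": total * 8 / duration if duration > 0 else 0.0,   # average line utilisation
        "proto_pct": {p: round(100.0 * b / total, 1) for p, b in proto_bytes.items()},
        "port_bytes": {k: dict(v) for k, v in sorted(port_bytes.items())},
    }

def format_report(summary):
    """Plain-text report of the kind that can be archived day by day."""
    lines = ["total %d bytes in %.1f s, %.0f bit/s average" %
             (summary["total_bytes"], summary["duration_s"], summary["avg_bps"])]
    lines += ["  %-5s %5.1f%%" % item for item in sorted(summary["proto_pct"].items())]
    lines.append("bytes per destination port:")
    for (proto, port), d in summary["port_bytes"].items():
        lines.append("  %s/%-5d in=%6d out=%6d" % (proto, port, d["in"], d["out"]))
    return "\n".join(lines)

def build_frame(src, dst, proto, sport, dport, payload_len):
    """Constructed Ethernet/IPv4 frame with a TCP, UDP or ICMP header and filler payload."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)     # ICMP echo request
    l4 += b"A" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def build_sample_pcap():
    """Five constructed frames over two seconds in little-endian libpcap format (test data)."""
    frames = [
        (0.0, build_frame("203.0.113.7", "192.168.1.10", 6, 40000, 80, 100)),    # tcp, IN to :80
        (0.5, build_frame("192.168.1.10", "203.0.113.7", 6, 80, 40000, 600)),    # tcp, OUT to :40000
        (1.0, build_frame("192.168.1.10", "203.0.113.53", 17, 50000, 53, 30)),   # udp, OUT to :53
        (1.5, build_frame("203.0.113.53", "192.168.1.10", 17, 53, 50000, 80)),   # udp, IN to :50000
        (2.0, build_frame("203.0.113.7", "192.168.1.10", 1, None, None, 56)),    # icmp, no port
    ]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)             # global header
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        data += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return data

if __name__ == "__main__":
    print(format_report(summarize(parse_pcap(build_sample_pcap()), "192.168.1.0/24")))
```

Because the aggregation works on the `orig_len` field of each record rather than the captured bytes, the byte totals stay right even when the capture was taken with a short snaplen, which is the usual case for IDS captures that only keep headers. Run it from cron against the day's file and redirect the report to a dated text file to get the daily archive the asker wanted.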
How can I read tcpdump files (tdump.dat) provided by my instructor and prepare intrusion detection reports on the data in the tcpdump files?
Is there any way that I can convert these tdump files into mysql and use ACID or something?
s
Hi sarahbassram,
I found this old question , did you solve your problem ?