Thread: analyse tcpdump output

analyse tcpdump output
user name
2006-11-22 15:34:13
Hi,

I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.

It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a pattern in a URL, or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.

We would like to decrease the time to investigate the cause of unusual network behaviour.

Best, Stefan
-- 
Stefan Hegger
Internet System Engineer
Stefan.Heggerlycos-europe.com
Tel: +49 5241 8071 334

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33311 Gütersloh
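As an added example (not a tool mentioned in the thread, and not code from any of the posters), the three checks Stefan describes can be scripted over the plain text that `tcpdump -n -tt` prints: a per-host balance of SYNs sent versus SYN/ACKs received back, a regex search over the decoded payload (for example a URL), and the delay between a client's request segment and the first data the server sends back, including requests that never get an answer. It assumes the tcpdump 4.x line format with `Flags [S.]`; the sample lines below are constructed, not a real capture.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed input format: one packet per line as printed by `tcpdump -n -tt`
# (tcpdump 4.x style "Flags [S.]"). Added example, not a tool from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?length (?P<length>\d+)(?::\s*(?P<payload>.*))?$"
)

# Constructed sample: one normal HTTP exchange, one host probing three ports
# (only a RST comes back), and one request that never receives data.
SAMPLE = """\
1164209653.100000 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [S], seq 1000, win 65535, options [mss 1460], length 0
1164209653.100500 IP 192.0.2.10.80 > 10.0.0.5.43210: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
1164209653.101000 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [.], ack 1, win 65535, length 0
1164209653.124500 IP 10.0.0.5.43210 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79: HTTP: GET /index.html HTTP/1.1
1164209655.500000 IP 192.0.2.10.80 > 10.0.0.5.43210: Flags [P.], seq 1:200, ack 80, win 65535, length 199: HTTP: HTTP/1.1 200 OK
1164209660.000000 IP 10.0.0.7.5555 > 192.0.2.10.22: Flags [S], seq 1, win 1024, length 0
1164209660.000100 IP 10.0.0.7.5556 > 192.0.2.10.23: Flags [S], seq 1, win 1024, length 0
1164209660.000200 IP 10.0.0.7.5557 > 192.0.2.10.25: Flags [S], seq 1, win 1024, length 0
1164209660.000300 IP 192.0.2.10.23 > 10.0.0.7.5556: Flags [R.], seq 0, ack 2, win 0, length 0
1164209661.000000 IP 10.0.0.9.50000 > 192.0.2.10.80: Flags [P.], seq 1:60, ack 1, win 65535, length 59: HTTP: GET /admin/login.php HTTP/1.1
"""


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int
    payload: str


def parse_line(line: str) -> Optional[Packet]:
    """Turn one tcpdump text line into a Packet; lines that don't match are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(ts=float(m["ts"]), src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]), flags=m["flags"],
                  length=int(m["length"]), payload=m["payload"] or "")


def parse_dump(text: str) -> list:
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def syn_balance(packets):
    """Per source host: SYNs it sent vs SYN/ACKs it got back.
    A wide gap points at half-open connections or a port scan."""
    sent, answered = defaultdict(int), defaultdict(int)
    for p in packets:
        if p.flags == "S":                      # bare SYN (no ECN bits handled here)
            sent[p.src] += 1
        elif "S" in p.flags and "." in p.flags:  # SYN/ACK flows back to the dst host
            answered[p.dst] += 1
    return {host: (sent[host], answered[host]) for host in sent}


def grep_payload(packets, pattern):
    """(ts, src, payload) for every packet whose decoded payload matches the regex."""
    rx = re.compile(pattern)
    return [(p.ts, p.src, p.payload) for p in packets if rx.search(p.payload)]


def request_response_delays(packets):
    """Seconds from a client's first data segment (the request) to the first data
    segment back on the same connection; also returns requests still unanswered.
    Heuristic: whoever sends data first on a connection is treated as the client."""
    pending, delays = {}, []
    for p in packets:
        if p.length == 0:
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if rev in pending:                       # server answering an open request
            delays.append((rev, round(p.ts - pending.pop(rev), 6)))
        elif fwd not in pending:
            pending[fwd] = p.ts                  # client is now waiting for data
    return delays, pending


if __name__ == "__main__":
    pkts = parse_dump(SAMPLE)
    print("SYN sent / SYN-ACK received:", syn_balance(pkts))
    print("URL hits:", grep_payload(pkts, r"/admin"))
    print("delays, unanswered:", request_response_delays(pkts))
```

Feed it real data with `tcpdump -n -tt -r capture.pcap | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`; payload matching only sees what tcpdump itself decodes on the line (the HTTP request line here), so for deeper content searches the stream-level tools later in the thread are the better fit.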
analyse tcpdump output
user name
2006-11-22 15:50:25
On 11/22/06, Stefan Hegger <Stefan.Heggerlycos-europe.com> wrote:
>
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
> pattern in a URL, or just get some time diffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
>
> We would like to decrease the time to investigate the cause of unusual network
> behaviour.
>
> Best, Stefan
> --
> Stefan Hegger
> Internet System Engineer
> Stefan.Heggerlycos-europe.com
> Tel: +49 5241 8071 334
>
> Lycos Europe GmbH
> Carl-Bertelsmann Str. 29
> Postfach 315
> 33311 Gütersloh
>

http://www.wireshark.org

-- 
Rodrick R. Brown
http://groups.yahoo.com/group/wallstandtech
analyse tcpdump output
user name
2006-11-22 16:14:00
> -----Original Message-----
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
> pattern in a URL, or just get some time diffs, e.g. when an ACK is sent but
> the client is waiting for data etc.

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're looking for. In any case, it's a great tool for seeing unusual patterns or strange behavior on your network.

Tony
analyse tcpdump output
user name
2006-11-22 19:50:32
Do people still use snort for this? snort -r filename, IIRC

-w

On Wednesday 22 November 2006 at 16:34 +0100, Stefan Hegger wrote:
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
> pattern in a URL, or just get some time diffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
>
> We would like to decrease the time to investigate the cause of unusual network
> behaviour.
>
> Best, Stefan
analyse tcpdump output
user name
2006-11-24 23:06:50


--On November 22, 2006 4:34:13 PM +0100 Stefan Hegger <Stefan.Heggerlycos-europe.com> wrote:

>
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for
> identical patterns in the tcpdump output.
>

Check out Argus, <http://www.qosient.com/argus/>. (I recommend still using version 2, version 3 is not quite production quality yet...)

Argus is a stream analyzer, instead of a packet analyzer. You can search argus data by TCP flags, by regular expression on the data (if you enable stream data logging, which is optional), or several other options. See the argus site for more information.

-David



analyse tcpdump output
user name
2006-11-25 14:17:29
On Nov 22, 2006, at 7:34 AM, Stefan Hegger wrote:
>
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for
> identical patterns in the tcpdump output.


SiLK is a powerful toolset for analyzing netflow and pcap data generated from TCPDUMP. It's a slight learning curve, but worth it IMHO. Fairly good documentation too.

	http://tools.netsa.cert.org/silk/silk_docs.html
	http://tools.netsa.cert.org/silk/analysis-handbook.pdf


From that toolset, you can use "rwptoflow" to generate flow records from TCPDUMP to SiLK format.

	http://tools.netsa.cert.org/silk/rwptoflow.html

You might also look at "softflowd" [1] or similar tool to export netflow records from whatever box you're using TCPDUMP to capture data. Then you can output netflow records directly to most of the aforementioned netflow packages. Having the actual packet data is useful later once you've found something suspicious, or for snort.. etc.

[1] http://www.mindrot.org/projects/softflowd/

--Jason


analyse tcpdump output
user name
2006-11-25 14:37:27
On Nov 25, 2006, at 6:17 AM, Jason Chambers wrote:

> You might also look at "softflowd" [1] or similar tool to export
> netflow records from whatever box you're using TCPDUMP to capture data.

Of course exporting flow records from routers is preferable..

--Jason

analyse tcpdump output
user name
2006-11-27 19:33:12
Hey Everyone,

I've noticed an increased interest in Panoptis, so I thought I'd send this email out:
Panoptis has been updated so that it compiles/runs with newer systems. It works on Debian Sarge for sure, and should do the same on any system with GCC 3.3.5 and CommonC++2 1.5.3 at the very least.
It is still rough around the edges and has no new features; just an update to get it working.

http://panoptis.sourceforge.net/

Cheers,
--Payam



Jason Chambers wrote:
>
> On Nov 25, 2006, at 6:17 AM, Jason Chambers wrote:
>
>> You might also look at "softflowd" [1] or similar tool to export
>> netflow records from whatever box you're using TCPDUMP to capture data.
>
> Of course exporting flow records from routers is preferable..
>
> --Jason
>
