LinuxQuestions.org, Linux - Networking forum
Session reconstruction from Pcap Files?

#1  07-09-2009, 07:08 PM  narcos (LQ Newbie)

Hello,

I'm trying to perform some analysis on pcap files. I've written a script using Perl's Net::TcpDumpLog which allows me to parse each individual packet and extract header information as well as the payload. For example, here's what I'm currently printing out:

Code:
IP_SRC, IP_DST, IP_LENGTH, IP_TOS, IP_TTL, IP_Offset, TCP_ACK, TCP_flags, TCP_Winsize, TCP_Chksum, TCP_URG

Now I want to look at some statistics regarding TCP sessions. I've been playing with a few tools to reconstruct flows, such as tcpflow [1]. tcpflow reconstructs sessions and dumps session data into files, but does not give much information at all on the individual packets that made up the flow.

I want to be in a position where I have, say, a flow object which consists of all the packet objects which make up the flow. Ultimately I want to create output containing stats on each flow, one flow per line. For example:

Code:
Flow_num, IP_Src, IP_Dst, TCP_SrcPort, TCP_DstPort, Flow_Duration, Packet_interarrival_mean, Number_of_packets_in_flow, Avg_packet_payload_size

I've been playing with tshark [2] and Net::Analysis [3] too, but haven't managed to get what I want. Any assistance would be greatly appreciated.

Many thanks,
Glenn

[1] http://www.circlemud.org/~jelson/software/tcpflow/
[2] http://www.wireshark.org/docs/man-pages/tshark.html
[3] http://search.cpan.org/~worrall/Net-Analysis-0.40/
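The flow object the post describes (all packets of one TCP session, then one stats line per flow in exactly those columns) is small enough to build without tcpflow or Net::Analysis. The script below is an added example, not the poster's Perl/Net::TcpDumpLog script: it is in Python, uses only the standard library, reads classic libpcap files (not pcapng) with an Ethernet link type, decodes IPv4/TCP only, and groups packets by the bidirectional 5-tuple so both directions of a connection land in the same flow. A new SYN on a 5-tuple that has already seen FIN or RST starts a new flow, which is what you want for port reuse in a long capture. The capture it parses is constructed inline from RFC 5737 test addresses and made-up ports, so it runs offline; nothing in it is real traffic.

```python
"""Per-flow TCP statistics from a libpcap file (standard library only). Added example, not the
poster's Perl/Net::TcpDumpLog script: minimal pcap reader (Ethernet/IPv4/TCP), packets grouped
into bidirectional flows, one stats line per flow in the post's columns. Sample capture is constructed."""
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1      # magic as read with "<I"
DLT_EN10MB, ETHERTYPE_IPV4, IPPROTO_TCP = 1, 0x0800, 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
COLUMNS = ["Flow_num", "IP_Src", "IP_Dst", "TCP_SrcPort", "TCP_DstPort", "Flow_Duration",
           "Packet_interarrival_mean", "Number_of_packets_in_flow", "Avg_packet_payload_size"]

def read_pcap(data):
    """Yield (timestamp_seconds, frame) per record of a libpcap file (pcapng is not handled)."""
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if end is None or struct.unpack_from(end + "I", data, 20)[0] != DLT_EN10MB:
        raise ValueError("not a libpcap file with Ethernet link type")
    off = 24                                                 # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        frame = bytes(data[off + 16:off + 16 + incl_len])
        if len(frame) != incl_len:
            raise ValueError("record truncated at offset %d" % off)
        off += 16 + incl_len
        yield ts_sec + ts_usec / 1e6, frame

def decode_tcp(frame):
    """(src, dst, sport, dport, flags, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                                          # also skips VLAN-tagged frames
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or ihl < 20 or len(ip) < ihl + 20:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    data_off, flags = (ip[ihl + 12] >> 4) * 4, ip[ihl + 13]
    # Payload size from the IP total length, so a snaplen-truncated capture still reports
    # the on-wire size rather than however many bytes happened to be captured.
    return ("%d.%d.%d.%d" % tuple(ip[12:16]), "%d.%d.%d.%d" % tuple(ip[16:20]),
            sport, dport, flags, max(0, total_len - ihl - data_off))

def build_flows(pcap_bytes):
    """Group TCP packets by bidirectional 5-tuple; a fresh SYN on a closed tuple starts a new flow."""
    active, flows = {}, []
    for ts, frame in read_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None:
            continue                                         # non-IPv4/TCP frames are skipped
        src, dst, sport, dport, flags, plen = pkt
        key = frozenset([(src, sport), (dst, dport)])        # same key for both directions
        flow = active.get(key)
        if flow is None or (flow["closed"] and flags & TCP_SYN and not flags & TCP_ACK):
            flow = active[key] = {"num": len(flows) + 1, "src": src, "dst": dst, "sport": sport,
                                  "dport": dport, "times": [], "payloads": [], "closed": False}
            flows.append(flow)
        flow["times"].append(ts)
        flow["payloads"].append(plen)
        flow["closed"] |= bool(flags & (TCP_FIN | TCP_RST))
    return flows

def flow_stats(flow):
    """Stats for one flow keyed by COLUMNS; a one-packet flow has no interarrival gaps."""
    t, p = flow["times"], flow["payloads"]
    gaps = [b - a for a, b in zip(t, t[1:])]
    return dict(zip(COLUMNS, [flow["num"], flow["src"], flow["dst"], flow["sport"], flow["dport"],
                              t[-1] - t[0], sum(gaps) / len(gaps) if gaps else 0.0, len(t), sum(p) / len(p)]))

def flow_lines(pcap_bytes):
    """Header line plus one CSV line per flow."""
    fmt = lambda v: "%.6f" % v if isinstance(v, float) else str(v)
    rows = [flow_stats(f) for f in build_flows(pcap_bytes)]
    return [",".join(COLUMNS)] + [",".join(fmt(r[c]) for c in COLUMNS) for r in rows]

def _frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (the reader ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def _pcap(records):
    """Little-endian libpcap file from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

C, S = "192.0.2.10", "198.51.100.20"                          # constructed client and server
SAMPLE_PCAP = _pcap([
    (10.00, _frame(C, S, 40001, 80, TCP_SYN)),                # flow 1: short HTTP exchange
    (10.05, _frame(C, S, 40002, 443, TCP_SYN)),               # flow 2: interleaved, reset early
    (10.10, _frame(S, C, 80, 40001, TCP_SYN | TCP_ACK)),
    (10.15, _frame(S, C, 443, 40002, TCP_SYN | TCP_ACK)),
    (10.25, _frame(C, S, 40002, 443, TCP_RST | TCP_ACK)),
    (10.30, _frame(C, S, 40001, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n\r\n")),
    (10.50, _frame(S, C, 80, 40001, TCP_PSH | TCP_ACK, b"HTTP/1.0 200 OK\r\n\r\n")),
    (10.80, _frame(C, S, 40001, 80, TCP_FIN | TCP_ACK)),
    (11.00, _frame(C, S, 40002, 443, TCP_SYN)),               # flow 3: same ports reused after the RST
])

if __name__ == "__main__":
    print("\n".join(flow_lines(SAMPLE_PCAP)))
```

For a real file, `read_pcap` only needs something that supports `struct.unpack_from` and slicing, so a 30 GB capture can be fed through `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` instead of being read into memory. Closed flows stay in `active` so that late retransmissions still land in the right flow; on a capture that size you would evict them after an idle timeout rather than let the dictionary grow without bound. Note also that Flow_Duration here is last packet minus first packet as seen by the capture point, not the connection's lifetime at either endpoint. If all you need is per-conversation packet and byte counts with a start time and duration, `tshark -q -r file.pcap -z conv,tcp` already prints that, but it does not give the interarrival mean or the average payload size the post asks for.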
 
#2  08-03-2009, 04:50 AM  amadain (LQ Newbie)
Try wireshark's "follow tcp stream"
 
#3  08-03-2009, 05:42 AM  narcos (original poster)

Quote (amadain): Try wireshark's "follow tcp stream"
Yeah, that's useful for following individual streams manually, but when I have 30 GB that I want to break down, my hand gets tired of clicking. But I managed to get it sorted in the end with a very cool tool called Netdude.
 
  

