LinuxQuestions.org

Linux - Networking: Traffic Analysis of pcap files (https://www.linuxquestions.org/questions/linux-networking-3/traffic-analysis-of-pcap-files-541561/)

LinuxGeek 03-29-2007 04:39 AM

Traffic Analysis of pcap files
 
Hi,
I am currently thinking of setting up some type of traffic analysis setup using tcpdump to capture packets in raw form to a pcap file. I then want to do the following:

* analyze the pcap files at the end of the day
* filter amount of traffic + which hosts are sending it
* provide detailed (aka 5 minute) intervals and static information

I know I can set up ntop but I would prefer to just use tcpdump with raw pcap files and then run a script on it at the end of the day. Any ideas on how to go about doing so? Thanks for your help.

PS. I know I can use Ethereal for analysis, but if I have a ton of packets - 100 MB worth or even gigs worth, what would I do?

Nick_Battle 03-29-2007 07:13 AM

There is a command line interface to ethereal called tethereal. You can use this to perform very powerful automatic filtering of the pcap file (i.e. like ethereal does on the display, not like tcpdump does on the interface). So if you know the networks and hosts involved, you can write tethereal scripts to process the bulk input, and select just what you want and write smaller pcap files out if needed. Output in text form (rather than GUI) is relatively easy to post-process into other forms.

OTOH, I don't think tethereal will do the analysis that the graphical version will - like tracing a TCP conversation, for example.

HTH

slzckboy 03-29-2007 07:45 AM

fyi

tethereal is called tshark now.

LinuxGeek 03-30-2007 02:37 AM

Thanks a lot for your input. Do you know of any scripts that will do the above automatically and give me statistics such as host A to host B on port 8008 saw 150 packets and so on?

Nick_Battle 03-30-2007 03:16 AM

Quote:

Originally Posted by LinuxGeek
Do you know of any scripts that will do the above automatically and give me statistics such as host A to host B on port 8008 saw 150 packets and so on?

If you know the identity of A and B beforehand, filtering out the number of packets from A to B:8008 is a one-line tshark command, I believe. Check the man page.

You can either just let it print out the selected packet details (and count them with wc), or use the -w option (from memory) to write the selected packets to a new pcap file for further processing.

If you don't know the identity of the hosts beforehand, it would be slightly more involved, but you can imagine one command to select (say) packets including a source IP address, and then pass that through sort/uniq to get a list of (source) hosts. Then you do the above for the hosts you've found talking to the server you want.

HTH,
-nick
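The two replies above describe one procedure: have tshark (the renamed tethereal) dump the packets of interest from the day's pcap as text, optionally save a filtered pcap with -w, and use sort/uniq-style post-processing to find out which hosts are talking to a given server and how many packets they sent. The script below is an added example that is not part of any post in this thread. It assumes tshark is installed, that the capture path, the server address 192.0.2.10 and port 8008 are placeholders you replace, and that a recent tshark accepts -Y for display filters (older releases used -R). The two awk functions do the counting and 5-minute binning on tshark's field output, and they also run on a constructed sample so the logic can be checked without a capture:

```shell
#!/bin/sh
# Added example (not from the thread): end-of-day pcap summary using tshark
# for extraction and sort/uniq/awk for the statistics LinuxGeek asked for.
# Assumptions: tshark is installed; PCAP, SERVER and PORT are hypothetical
# placeholders. Only the awk post-processing is exercised offline below.

PCAP=${1:-/var/log/capture/today.pcap}   # hypothetical capture written by tcpdump -w
SERVER=${SERVER:-192.0.2.10}             # hypothetical server of interest
PORT=${PORT:-8008}                       # port from the question

# Step 1: one line per packet, comma separated: epoch_time,src_ip,dst_ip,dst_port
# (-Y is the display filter; use -R on tshark releases older than 1.10)
dump_fields() {
    tshark -r "$1" -Y "ip && tcp" -T fields \
        -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport \
        -E separator=,
}

# Step 2: "host A to host B on port 8008 saw N packets" for every host A found
# talking to SERVER:PORT, most active first. Reads dump_fields lines on stdin,
# which is what makes it testable on constructed input without tshark.
count_conversations() {
    awk -F, -v server="$SERVER" -v port="$PORT" '
        $3 == server && $4 == port { n[$2 " -> " $3 ":" $4]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Step 3: per-source-host packet counts in fixed intervals (default 300 s, the
# 5 minutes from the question). Output: bucket_start_epoch src_ip packets
bin_by_interval() {
    awk -F, -v width="${1:-300}" '
        { b = int($1 / width) * width; n[b "," $2]++ }
        END { for (k in n) { split(k, f, ","); print f[1], f[2], n[k] } }' \
    | sort -k1,1n -k2,2
}

# Step 4: keep only the selected packets in a smaller pcap for Ethereal/Wireshark
# later (the -w option mentioned in the reply).
extract_to_pcap() {
    tshark -r "$1" -Y "ip.dst==$SERVER && tcp.dstport==$PORT" -w "$2"
}

# tshark's own statistics engine also gives per-conversation totals and
# 300-second I/O totals without any scripting (-q suppresses packet lines).
tshark_builtin_stats() {
    tshark -r "$1" -q -z conv,tcp -z io,stat,300
}

# Daily run: only when a capture actually exists at PCAP.
if [ -r "$PCAP" ]; then
    dump_fields "$PCAP" > /tmp/fields.csv
    count_conversations < /tmp/fields.csv
    bin_by_interval 300 < /tmp/fields.csv
    extract_to_pcap "$PCAP" /tmp/to-server-$PORT.pcap
fi
```

The awk pass over the field dump is linear in the number of packets and keeps one counter per conversation, so it copes with multi-gigabyte captures that would be painful to open in the GUI; the filtered pcap written by extract_to_pcap is the one you open in Ethereal/Wireshark when you need stream following or other analysis the text tools do not give you.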

LinuxGeek 03-30-2007 08:07 AM

Thanks a lot Nick_Battle. I'll have a deeper look into tshark :)
