LinuxQuestions.org
Old 03-29-2007, 04:39 AM   #1
LinuxGeek
Member
 
Registered: Jun 2002
Posts: 302

Rep: Reputation: 31
Traffic Analysis of pcap files


Hi,
I was currently thinking of setting up some type of traffic analysis setup using tcpdump to capture packets in raw form to a pcap file. I then want to do the following:

* analyze the pcap files at the end of the day
* filter amount of traffic + which hosts are sending it
* provide detailed (aka 5 minute) intervals and statistical information

I know I can set up ntop but I would prefer to just use tcpdump with raw pcap files and then run a script on it at the end of the day. Any ideas on how to go about doing so? Thanks for your help.

PS. I know I can use Ethereal for analysis, but if I have a ton of packets - 100 MBs worth or even gigs worth, what would I do?
 
Old 03-29-2007, 07:13 AM   #2
Nick_Battle
Member
 
Registered: Dec 2006
Location: Bracknell, UK
Distribution: SUSE 13.1
Posts: 159

Rep: Reputation: 32
There is a command line interface to ethereal called tethereal. You can use this to perform very powerful automatic filtering of the pcap file (i.e. like ethereal does on the display, not like tcpdump does on the interface). So if you know the networks and hosts involved, you can write tethereal scripts to process the bulk input, and select just what you want and write smaller pcap files out if needed. Output in text form (rather than GUI) is relatively easy to post-process into other forms.

OTOH, I don't think tethereal will do the analysis that the graphical version will - like tracing a TCP conversation, for example.

HTH
 
Old 03-29-2007, 07:45 AM   #3
slzckboy
Member
 
Registered: May 2005
Location: uk - Reading
Distribution: slack 10.2 kde 3.4.2 kernel 2.6.15
Posts: 452

Rep: Reputation: 30
fyi

tethereal is called tshark now.
 
Old 03-30-2007, 02:37 AM   #4
LinuxGeek
Member
 
Registered: Jun 2002
Posts: 302

Original Poster
Rep: Reputation: 31
Thanks a lot for your input. Do you know of any scripts that will do the above automatically and give me statistics such as host A to host B on port 8008 saw 150 packets and so on?
 
Old 03-30-2007, 03:16 AM   #5
Nick_Battle
Member
 
Registered: Dec 2006
Location: Bracknell, UK
Distribution: SUSE 13.1
Posts: 159

Rep: Reputation: 32
Quote:
Originally Posted by LinuxGeek
Do you know of any scripts that will do the above automatically and give me statistics such as host A to host B on port 8008 saw 150 packets and so on?
If you know the identity of A and B beforehand, filtering out the number of packets from A to B:8008 is a one-line tshark command, I believe. Check the man page.

You can either just let it print out the selected packet details (and count them with wc), or use the -w option (from memory) to write the selected packets to a new pcap file for further processing.

If you don't know the identity of the hosts beforehand, it would be slightly more involved, but you can imagine one command to select (say) the packets' source IP addresses, and then pass that through sort/uniq to get a list of (source) hosts. Then you do the above for the hosts you've found talking to the server you want.

HTH,
-nick
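The tshark equivalents of what Nick describes are `tshark -r day.pcap -Y 'ip.src==A && ip.dst==B && tcp.port==8008' | wc -l` for the per-flow count (`-R` instead of `-Y` on tshark versions before 1.10) and `tshark -r day.pcap -T fields -e ip.src | sort | uniq -c | sort -rn` for the list of talking hosts. The script below is an added example for this thread, not code posted by anyone in it: it does the same per-host, per-port counting, plus the 5-minute interval breakdown the original poster asked for, by reading the classic libpcap format that `tcpdump -w` produces directly in pure Python, so it runs on a day's capture with no tshark installed (pcapng files are not handled; convert them with editcap first). The packets at the bottom are constructed sample data, and the host addresses, port 8008 and the helper names are assumptions for the demo.

```python
"""Summarise a libpcap (tcpdump -w) file by 5-minute interval, src, dst and port.

Added example for this thread; not tshark and not code from the original posts.
Handles Ethernet/IPv4 with TCP or UDP; other frames (ARP, IPv6, VLAN) are skipped.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
# Global-header magic -> (struct byte order, divisor for the fractional timestamp field)
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record in a libpcap file."""
    if data[:4] not in MAGICS:
        raise ValueError("not a libpcap file (pcapng? convert with editcap -F pcap)")
    endian, tsdiv = MAGICS[data[:4]]
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:      # capture cut short (e.g. tcpdump killed): stop cleanly
            break
        off += incl_len
        yield ts_sec + ts_frac / tsdiv, frame


def decode_ipv4(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport = dport = 0
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:     # TCP and UDP share the port layout
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport


def summarize(data, interval=300):
    """Count packets and bytes per (interval start, src, dst, proto, dst port)."""
    stats = defaultdict(lambda: [0, 0])
    for ts, frame in parse_pcap(data):
        hdr = decode_ipv4(frame)
        if hdr is None:
            continue
        src, dst, proto, _sport, dport = hdr
        bucket = int(ts) - int(ts) % interval          # floor to the 5-minute boundary
        entry = stats[(bucket, src, dst, proto, dport)]
        entry[0] += 1
        entry[1] += len(frame)
    return {k: tuple(v) for k, v in stats.items()}


def packets_between(stats, src, dst, port):
    """'host A to host B on port N saw X packets', summed over all intervals."""
    return sum(v[0] for k, v in stats.items() if k[1] == src and k[2] == dst and k[4] == port)


def top_talkers(stats):
    """Bytes sent per source host, largest first (the sort | uniq -c step)."""
    per_src = defaultdict(int)
    for k, v in stats.items():
        per_src[k[1]] += v[1]
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))


def build_frame(src, dst, sport, dport, payload=b"", proto=6):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample data only; checksums zero)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 512, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + payload


def build_pcap(records):
    """Serialise [(ts_seconds, frame)] as a little-endian microsecond libpcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample capture: T0 sits on a 5-minute boundary; assumed hosts 10.0.0.5/.9 and a
# server 10.0.0.80 on port 8008, one DNS query, one ARP frame that must be ignored.
T0 = 1_175_000_100
SAMPLE_RECORDS = (
    [(T0 + i, build_frame("10.0.0.5", "10.0.0.80", 40000 + i, 8008, b"GET / HTTP/1.0\r\n")) for i in range(3)]
    + [(T0 + 310, build_frame("10.0.0.5", "10.0.0.80", 40010, 8008, b"GET /x HTTP/1.0\r\n"))]
    + [(T0 + 20, build_frame("10.0.0.80", "10.0.0.5", 8008, 40000, b"HTTP/1.0 200 OK\r\n" * 4))]
    + [(T0 + 30, build_frame("10.0.0.9", "10.0.0.53", 5353, 53, b"\x00" * 28, proto=17))]
    + [(T0 + 40, b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28)]
)
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    stats = summarize(SAMPLE_PCAP)           # for a real file: summarize(open("day.pcap", "rb").read())
    for (bucket, src, dst, proto, dport), (pkts, nbytes) in sorted(stats.items()):
        print("%d %s -> %s proto=%d dport=%d packets=%d bytes=%d" % (bucket, src, dst, proto, dport, pkts, nbytes))
    print("10.0.0.5 -> 10.0.0.80:8008 packets:", packets_between(stats, "10.0.0.5", "10.0.0.80", 8008))
    print("top talkers:", top_talkers(stats))
```

The whole file is read into memory, which is fine for the 100 MB captures mentioned above; for multi-gigabyte days, split the capture with `tcpdump -w` plus `-G 300` (rotate every 300 seconds) or with editcap and summarise each piece, which also gives the 5-minute buckets for free. Note that `decode_ipv4` keys only on the destination port, so a reply from the server shows up under the client's ephemeral port, exactly as the `sort | uniq` pipeline would; if you want both directions of a conversation together, normalise the key so the lower port comes first before counting.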
 
Old 03-30-2007, 08:07 AM   #6
LinuxGeek
Member
 
Registered: Jun 2002
Posts: 302

Original Poster
Rep: Reputation: 31
Thanks a lot Nick_Battle. I'll have a deeper look into tshark
 
  

