LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  11-26-2004, 07:38 AM  daveyroy (LQ Newbie; Registered: Sep 2004; Location: Manchester; Distribution: Linux Red Hat 9)
Network Analyser based on tcpdump


Can anyone help?

I'm in my final year of a BSc Computer Systems degree. For my final year project I have to
design and implement a simple Linux network on 3 PCs and then design and
implement a Network Analyser based on tcpdump.
I have successfully networked 3 PCs using Linux Red Hat 9. The network is
private and it has no Internet access. The next phase of the project, (I
quote) 'to design and implement a network analyser based on tcpdump', is the stage I'm
up to.
I don't understand how to utilise this tcpdump to get information. Is this a
facility built into Red Hat 9? Can you output tcpdump contents to a file,
then manipulate this to extract the information I require?

From the information I've gathered so far from my supervisor and reading on
this subject, I think I have to somehow direct output from the tcpdump to a
file, then somehow using GAWK dissect and output info to screen, i.e. say
source and destination address, protocol used etc. Could you please help
me with any information to be able to do the above, if this is along the
right tracks, as I'm now struggling to implement this final stage of my project.

Some more info if it helps at all?

I have to simulate traffic on my private network and capture whatever it
is I have sent, for example using ftp to send a file from one host to
another. I need to provide a means of capturing both UDP and TCP packets, so I
will need to research which protocol uses what. But it's understanding and
being able to work with tcpdump which is where I'm struggling. I read the
man pages but find them a bit vague.



Any information would be appreciated!!
 
#2  11-26-2004, 07:53 AM  ferovac (LQ Newbie; Registered: Nov 2004; Location: Zagreb, Croatia; Distribution: Fedora Core 3 for 64bit processors)
Write a program in C:
1. open a socket
2. bind the socket with the interface
3. manipulate sendto and recvfrom functions to catch all traffic
man pages: socket, bind, sendto, recvfrom, sockaddr, ...
 
#3  11-26-2004, 07:59 AM  blubbfish (LQ Newbie; Registered: Feb 2004)
Do you have to write something like tcpdump, or can you use tcpdump to dump the traffic and just "analyze" the output? ... Therefore it's nothing but a little text file parsing; you can even build a little perl or shell script to do this (btw. I think there are several resources on the net that just parse a tcpdump output ... Shouldn't be really hard if you can use the output from tcpdump ...)
If this isn't possible you really have to do some C coding ;-)
 
#4  11-26-2004, 09:35 AM  Darin (Senior Member; Registered: Jan 2003; Location: Portland, OR USA; Distribution: Slackware, SLAX, Gentoo, RH/Fedora)
If you have an actual linux box up on a network somewhere, try out tcpdump and see what it actually does:
root@linuxbox ~# tcpdump eth0

That should help you decide what to do next for your project. Also, 'to design and implement a network analyser based on tcpdump' why not look at the source code for tcpdump?
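The approach the original poster describes (redirect tcpdump's text output, then pull out source, destination and protocol with awk), as an added example that is not code from any poster in this thread. It assumes lines in the form produced by `tcpdump -n -i eth0` (numeric addresses), tolerating both the newer output with a leading `IP` token and the older output without it; the sample lines are constructed, not a real capture, and the function name `summarise_capture` is my own.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise tcpdump text output
# with awk. Assumed input: "tcpdump -n -i eth0" lines, new format (leading
# "IP" token) or old format (no token). Sample lines below are constructed.

SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.10.35022 > 192.168.1.20.21: Flags [S], seq 1000, win 64240, length 0
12:00:00.000350 IP 192.168.1.20.21 > 192.168.1.10.35022: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.000600 IP 192.168.1.10.35022 > 192.168.1.20.21: Flags [.], ack 1, win 502, length 0
12:00:00.010000 IP 192.168.1.20.21 > 192.168.1.10.35022: Flags [P.], seq 1:21, ack 1, win 509, length 20
12:00:01.000000 IP 192.168.1.10.44212 > 192.168.1.1.53: 4321+ A? ftp.lab.test. (30)
12:00:01.000500 IP 192.168.1.1.53 > 192.168.1.10.44212: 4321 1/0/0 A 192.168.1.20 (46)
12:00:02.000000 IP 192.168.1.10 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
12:00:02.000200 IP 192.168.1.20 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64
12:00:03.000000 ARP, Request who-has 192.168.1.30 tell 192.168.1.10, length 28
12:00:04.000000 192.168.1.10.35023 > 192.168.1.20.21: S 3000:3000(0) win 64240
12:00:04.500000 192.168.1.10.5000 > 192.168.1.20.5001: udp 20'

# summarise_capture: read tcpdump lines on stdin and print one line per
# (source host, destination host, protocol) with packet count and byte
# total, busiest pairs first. Lines with no "src > dst" pair (ARP, for
# example) are counted and reported on stderr instead of vanishing silently.
summarise_capture() {
    awk '
    # Drop the port from a numeric IPv4 host.port token (5 dot-separated
    # parts); a bare address (4 parts, as on ICMP lines) is returned as is.
    function host_only(tok,    n, p) {
        n = split(tok, p, ".")
        if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
        return tok
    }
    {
        # Locate the ">" separator so an optional leading "IP" token does not matter.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) { skipped++; next }
        src = host_only($(i - 1))
        dst = $(i + 1); sub(/:$/, "", dst); dst = host_only(dst)

        # Protocol heuristics for the default (non -v) tcpdump output:
        # TCP shows "Flags" (new) or a flag letter field (old), DNS shows a
        # query id, old-format UDP shows "udp N", ICMP names itself.
        first = $(i + 2)
        if (first == "Flags" || first ~ /^[SFRP.]+$/)                        proto = "tcp"
        else if (first ~ /^[0-9]+[+*%$|-]*$/ || first ~ /^[Uu][Dd][Pp]:?$/)   proto = "udp"
        else if (first ~ /^[Ii][Cc][Mm][Pp]:?$/)                              proto = "icmp"
        else                                                                   proto = "other"

        # Payload length: "length N" (new format), a trailing "(N)" on DNS
        # lines, or "udp N" (old format); 0 when the line prints none.
        len = 0
        if (match($0, /length [0-9]+/))      len = substr($0, RSTART + 7, RLENGTH - 7) + 0
        else if (match($0, /\([0-9]+\)$/))   len = substr($0, RSTART + 1, RLENGTH - 2) + 0
        else if (match($0, /udp [0-9]+/))    len = substr($0, RSTART + 4, RLENGTH - 4) + 0

        key = src " -> " dst " " proto
        pkts[key]++; bytes[key] += len
    }
    END {
        for (k in pkts) printf "%d pkts %d bytes %s\n", pkts[k], bytes[k], k
        if (skipped) printf "skipped %d line(s) without a src > dst pair\n", skipped > "/dev/stderr"
    }' | sort -rn
}

# Stand-alone run on the constructed sample. On a real box the same function
# reads a live capture ("tcpdump -n -l -i eth0 | summarise_capture") or a
# saved one ("tcpdump -n -i eth0 -w lab.pcap", later "tcpdump -n -r lab.pcap | summarise_capture").
printf '%s\n' "$SAMPLE_CAPTURE" | summarise_capture
```

Saving with `-w` keeps the raw packets in binary form, so the text can be regenerated later with different tcpdump options; redirecting the text output directly (`tcpdump -n -l -i eth0 > lab.txt`) loses anything tcpdump did not print. The protocol test is a heuristic over the default one-line format, which is why unrecognised lines are counted and reported rather than dropped.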
 
#5  11-29-2004, 07:19 PM  daveyroy (Original Poster; LQ Newbie; Registered: Sep 2004; Location: Manchester; Distribution: Linux Red Hat 9)
I just use tcpdump to dump the traffic and just "analyze" the output.

This is where I'm struggling. I read the man pages (man tcpdump) but find them a bit vague.

Yes, I will need to output the info for the end user in a friendly/easy to
understand format. I will look into this once I have understood how to use tcpdump.
 
  

