analyse tcpdump output

Hi,

I wonder if someone knows a tool to use a tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.

It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a
pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the
client is waiting for data etc.

We would like to decrease time to investigate the cause for an unusual network
behaviour.

Best Stefan
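As an added example (not code from anyone in this thread), a small Python script that does two of the checks Stefan asks for over the text output of `tcpdump -n`: the delay between each client's SYN and the server's SYN/ACK (flagging SYNs that never get one) and the gap between the client's first request data and the server's first reply. The line format matched by the regex and the sample lines are assumptions constructed for the example, not a real capture.

```python
import re
from datetime import datetime

# Matches the default "tcpdump -n" text line for TCP (format assumed from tcpdump's usual output)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)

def parse_line(line):
    """Return (time, src, dst, flags, payload_len) for a TCP line, else None."""
    m = LINE_RE.match(line.strip())
    return m and (datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["src"], m["dst"], m["flags"], int(m["len"]))

def ms(a, b):
    """Millisecond delta between two timestamps, or None if either is missing."""
    return round((b - a).total_seconds() * 1000, 3) if a and b else None

def analyse(lines):
    """Per (client, server): SYN->SYN/ACK delay and first-request->first-response delay."""
    conns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, flags, length = rec
        if flags == "S":  # client SYN; a retransmitted SYN keeps the first timestamp
            conns.setdefault((src, dst), {"syn": ts, "synack": None, "req": None, "resp": None})
            continue
        key = (src, dst) if (src, dst) in conns else (dst, src)
        if key not in conns:
            continue  # mid-stream packet whose SYN was not captured
        c = conns[key]
        if flags == "S." and src == key[1]:
            c["synack"] = c["synack"] or ts
        elif length > 0:  # first payload byte seen in each direction
            side = "req" if src == key[0] else "resp"
            c[side] = c[side] or ts
    return {k: {"handshake_ms": ms(c["syn"], c["synack"]),
                "response_ms": ms(c["req"], c["resp"])} for k, c in conns.items()}

# Constructed sample in tcpdump -n format (not a real capture): one HTTP exchange with
# a slow server reply, followed by a SYN that never receives a SYN/ACK.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.51000 > 10.0.0.9.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000300 IP 10.0.0.9.80 > 10.0.0.5.51000: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000400 IP 10.0.0.5.51000 > 10.0.0.9.80: Flags [.], ack 101, win 65535, length 0
12:00:00.001000 IP 10.0.0.5.51000 > 10.0.0.9.80: Flags [P.], seq 1:80, ack 101, win 65535, length 79
12:00:00.500000 IP 10.0.0.9.80 > 10.0.0.5.51000: Flags [P.], seq 101:600, ack 80, win 65535, length 499
12:00:01.000000 IP 10.0.0.5.51001 > 10.0.0.9.80: Flags [S], seq 5, win 65535, length 0
""".splitlines()
```

A connection whose `handshake_ms` stays `None` is a SYN without a SYN/ACK; a large `response_ms` is the "ACK sent but client still waiting for data" case. Feed it real output with `analyse(open("capture.txt"))`.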

http://www.wireshark.org

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.

Tony

Do people still use snort for this? snort -r filename, IIRC

-w

Here are my suggestions:

1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would
highly recommend that you read some of the papers of the gold certified SANS
people - start here:

http://www.giac.org/certified_professionals/listing/gcia_100_781.php

2. Another option is getting Richard Bejtlich's books "Intrusion
Detection ..." & "Extrusion Detection ..." and getting some ideas from that
material.

Regards,
[another] Stefan

For this sort of thing, you can do it far more scalably with NetFlow. There are several good commercial NetFlow-based anomaly-detection systems (Arbor, Lancope, Narus, Q1, etc.) and even an open-source project (currently fallow) called Panoptis.

Check out Argus, <http://www.qosient.com/argus/>. (I recommend still using version 2, version 3 is not quite production quality yet...)

Argus is a stream analyzer, instead of a packet analyzer. You can search argus data by tcp flags, by regular expression on the data (if you enable stream data logging, which is optional), or several other options. See the argus site for more information.

-David

SiLK is a powerful toolset for analyzing netflow and pcap data generated from TCPDUMP. It's a slight learning curve, but worth it IMHO. Fairly good documentation too.

  http://tools.netsa.cert.org/silk/silk_docs.html
  http://tools.netsa.cert.org/silk/analysis-handbook.pdf

From that toolset, you can use "rwptoflow" to generate flow records from TCPDUMP to SiLK format.

  http://tools.netsa.cert.org/silk/rwptoflow.html

You might also look at "softflowd" [1] or a similar tool to export netflow records from whatever box you're using TCPDUMP on to capture data. Then you can output netflow records directly to most of the aforementioned netflow packages. Having the actual packet data is useful later once you've found something suspicious, or for snort, etc.

[1] http://www.mindrot.org/projects/softflowd/

--Jason

Of course exporting flow records from routers is preferable..

--Jason

Hey Everyone,

I've noticed an increased interest in Panoptis so I thought I'd send this email out:
Panoptis has been updated so that it compiles/runs with newer systems. It works on Debian Sarge for sure, and should do the same on any system with GCC 3.3.5 and CommonC++2 1.5.3 at the very least.
It is still rough around the edges and has no new features; just an update to get it working.

http://panoptis.sourceforge.net/

Cheers,
--Payam

Jason Chambers wrote: