analyse tcpdump output
Brock, Anthony - NET
Anthony.Brock at oregonstate.edu
Wed Nov 22 16:14:00 UTC 2006
> -----Original Message-----
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYN and ACKs, e.g., or look for a
> pattern in a URL. Or just get some timediffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
For anomaly detection there is Ourmon. It can be downloaded at:
http://jerry.cat.pdx.edu/ourmon/download.html
You can preview it running at Portland State University at:
http://jerry.cat.pdx.edu/ourmon/
However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.
Tony
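As an added illustration of the time-diff analysis the original poster asks about (this is not code from the thread or from Ourmon), the script below parses `tcpdump -nn -tttt` text output, reports the SYN to SYN-ACK delay per client flow (SYNs that never get answered show as None) and lists flows where the reply to a data packet took longer than a threshold. The sample lines are constructed, and the request/reply pairing assumes whichever side sends payload first on a flow is the requester.

```python
import re
from datetime import datetime
# Constructed sample in `tcpdump -nn -tttt` text format (not a real capture).
SAMPLE = """\
2006-11-22 16:14:00.000100 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [S], seq 1, win 65535, length 0
2006-11-22 16:14:00.000400 IP 10.0.0.9.80 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
2006-11-22 16:14:00.000500 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [.], ack 101, win 65535, length 0
2006-11-22 16:14:00.001000 IP 10.0.0.5.40001 > 10.0.0.9.80: Flags [P.], seq 2:80, ack 101, win 65535, length 78
2006-11-22 16:14:00.002000 IP 10.0.0.7.40002 > 10.0.0.9.80: Flags [S], seq 5, win 65535, length 0
2006-11-22 16:14:03.501000 IP 10.0.0.9.80 > 10.0.0.5.40001: Flags [P.], seq 101:600, ack 80, win 65535, length 499
"""
LINE = re.compile(r"^(\S+ \S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)$")

def parse(text):
    """Parse tcpdump text lines into dicts; lines that do not match (e.g. ARP) are skipped."""
    pkts = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts, src, sport, dst, dport, flags, length = m.groups()
        pkts.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                     "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                     "flags": flags, "length": int(length)})
    return pkts

def handshake_rtts(pkts):
    """Per client->server flow: seconds from SYN to SYN-ACK, or None if never answered."""
    seen = {}
    for p in pkts:
        flow, back = (p["src"], p["dst"]), (p["dst"], p["src"])
        if p["flags"] == "S" and flow not in seen:
            seen[flow] = [p["ts"], None]          # first SYN of this flow
        elif p["flags"] == "S." and back in seen and seen[back][1] is None:
            seen[back][1] = (p["ts"] - seen[back][0]).total_seconds()
    return {flow: v[1] for flow, v in seen.items()}

def slow_responses(pkts, threshold):
    """Flows where the peer's next data packet came more than `threshold` seconds after ours."""
    pending, gaps = {}, []
    for p in pkts:
        if p["length"] == 0:                       # pure ACKs carry no payload; ignore
            continue
        flow, back = (p["src"], p["dst"]), (p["dst"], p["src"])
        if back in pending:                        # this is the reply to earlier data
            gap = (p["ts"] - pending.pop(back)).total_seconds()
            if gap > threshold:
                gaps.append((back, gap))
        else:
            pending[flow] = p["ts"]                # data sent, waiting for a reply
    return gaps

print(handshake_rtts(parse(SAMPLE)), slow_responses(parse(SAMPLE), 1.0))
```

Feed it real output with `tcpdump -nn -tttt -r capture.pcap | python3 script.py` after swapping SAMPLE for `sys.stdin.read()`; the regex only covers the TCP line shape shown above.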