analyse tcpdump output

Brock, Anthony - NET Anthony.Brock at oregonstate.edu
Wed Nov 22 16:14:00 UTC 2006


> -----Original Message-----
> I wonder if someone knows a tool to use a tcpdump output for anomaly 
> dedection. It is sometimes really time consuming when looking 
> for identical 
> patterns in the tcpdump output.
> 
> It would be helpful to get  a diff between SYN and ACK's e.g. 
> Or look for  a 
> pattern in a URL. Or just get some timediffs e.g. when an ACK 
> is send but 
> client is waiting for data etc.

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.

Tony



More information about the NANOG mailing list