analyse tcpdump output

• Previous message (by thread): analyse tcpdump output
• Next message (by thread): analyse tcpdump output
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> dedection. It is sometimes really time consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get  a diff between SYN and ACK's e.g. Or look for 
> a pattern in a URL. Or just get some timediffs e.g. when an ACK is send but
> client is waiting for data etc.
>
> We would like to decrease time to investigate the cause for an unusual
> network behaviour.
>
> Best Stefan

Here are my suggestions:

1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would 
highly recommend you to read some of the papers of the gold certified SANS 
people - start here:

http://www.giac.org/certified_professionals/listing/gcia_100_781.php

2. Another option is getting Richard Bejtlich's books "Intrusion 
Detection ..." & "Extrusion Detection ..." and getting some ideas from that 
material.

Regards,
[another] Stefan

• Previous message (by thread): analyse tcpdump output
• Next message (by thread): analyse tcpdump output
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]