Hi guys,
Further to what Carlos wrote. He is quite right in that you would be best in
stripping off traffic that you don't need. Whether that be port 80 or whatever.
There is no tool that I am aware off which will parse files of that size. The
largest files I was able to parse myself were in the 200MB range.
Regards,
Don
--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------
On Fri, 19 Nov 2004 15:58 , Carlos Henrique P C Chaves <cae@lac.inpe.br> sent:
Hy Tom,
i'm a brazilian msc candidate and may research is about detecting backdoors
and
covert channels (tunnels) analysing the network traffic. We have some dump files
of over than 700MB and the TCP/IP reconstructing tool takes a lot of time to
do
the job. When i say a lot of time, i'm talking about more than one day, and this
dump file is related to one hour of traffic of our institution, and we just
use
the header information for this. Imagine a full-package reconstruction.
We are focusing on analysing C Class traffics separately, and just some
protocols.
The point is: i don't think that is feasable to reconstruct such amount of
traffic. I don't know
a open-source/free tool tha would do this. Maybe someone in this list can
clear
my mind.
One nice step is trying to remove the noise from the dump to reduce its size.
You can use a flow analysis tool, such as Argus, but it won't give you all the
information you want.
Best regards,
Carlos Henrique.
On Thu, Nov 18, 2004 at 06:29:32PM -0500, Tom wrote:
moderator: sorry if this is vague. My requirements are not fixed yet and
will
probably change from case to case, therefore I am just looking for generic info
now.
I was wondering if anyone on this list can recommend some tools (Opensource
or
commercial) to automate the parsing of very large (many GB) tcpdump files. I
am
trying to put together a generic toolset but in general some things I'd like to
do
are:
1. Filter out traffic to/from a specific IP address or range
2. Reconstruct all reconstructable sessions in an easy to parse way: emails,
web sites visited (and content uploaded/downloaded), voip, anything else
imaginable.
3. Be able to search all of this data for keywords.
This may seem like a tall order. I know of a few tools to do individual
tasks
on a small scale, such as mailsnarf, vomit, ethereal, etc. but it's not
practical
to use ethereal to parse these by hand. I've tried chaosreader.pl but it bogs
down
on files as small as 200 MB.
I'd appreciate any input.
Thanks.
_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
