Greetings. As a disclaimer, I should say that I'm on the board of Sandstorm Enterprises. With that said...

If you are interested in doing network forensics, you should really take a look at Sandstorm's NetIntercept --- especially if you like Ethereal. Like Ethereal, NetIntercept runs a version of pcap to capture packets onto a computer's disk, and then has some reasonable tools for automatically starting new files and purging out old ones. But unlike Ethereal, NI allows you to select a region of time and reassemble all of the TCP/IP streams and UDP sessions within that region. The assembled streams are then run through parsers (written in C) and the results are stored in a database (MySQL). The GUI then allows you to view the results of the parsers, do database selections, view individual streams, view individual packets, and more.

For somebody working with a tight budget, Ethereal has the advantage that it is free. NI is a commercial product, sold with bundled hardware. But for professionals who are doing forensics, NI has a lot to offer.

Other products in this space of Network Forensics are Silent Runner, NFR and Niksun.

The folks at Sandstorm wrote a technical, peer-reviewed article on Network Forensic Analysis Tools and recently had it published in IEEE Internet Computing. You can download the article from http://www.sandstorm.net/downloads/netintercept/ni-ieee.pdf . It's not an advertisement for NetIntercept.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 13:56:04 PST