It depends a lot on what you are looking for and how you are looking.

If you are interested in examining each packet - or many of them, at least - in detail, then Ethereal would be my pick. I use it when I'm looking at crafted packets or when I'm peering into a particular, higher-level, packet format. Ethereal is particularly nice for the latter since it recognizes a variety of application layer formatting (AIM, IRC, etc.) and will display the parsing at any and all layers you like.

If you are interested in finding out who is banging on your door but not so much in the anatomy of each packet, Snort will let you sort, filter, tag and store both packets and packet reports. It also has a great array of plug-ins to help you identify what's happening.

If you are looking for something really specific in content, particularly text, Ngrep is a handy tool. The output format is more compact than Snort and emphasizes the display of readable text (or hex, if you want it). It takes regex expressions and BPF filters as arguments, in that order. Unlike Snort, you can do content matching from the command line. The regex can be touchy, so double-check with test cases.

Finally, if you have Cisco equipment and are interested in establishing common traffic patterns and looking for large anomalies, net-flow provides tools for network management which can be used as a low-resolution (though still quite useful) NIDS.

Hope this helps. Good Luck!

- Andy Johnston

On Thu, 20 Feb 2003, Fabien Pouget wrote:

> Hi all,
>
> I collected many binary logs with tcpdump. I would like to study them and to do so, I planned to export these files into a mysql database. What I am doing now is simply to collect few data through perl scripts and analyze them. But no database...
> Do any tools exist to help me fulfil this task? Or any trick I missed?
>
> Any help would be very appreciated
>
> Thanks a lot
>
> Fabien
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

------------------------------------------------------------------------------
** Andy Johnston (andyat_private)             * pager: 410-678-8949              **
** Manager of IT Security                     * PGP key:(afj2002) 4096/8448B056  **
** Office of Information Technology, UMBC     * 4A B4 96 64 D9 B6 EF E3 21 9A    **
** 410-455-2583 (v)/410-455-1065 (f)          * 46 1A 37 11 F5 6C 84 48 B0 56    **
------------------------------------------------------------------------------
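As an added example (not from the thread or any of the tools named in it) of the export Fabien describes, the following Python script parses a tcpdump binary log (libpcap format, Ethernet link type) into a SQL table and runs the "who is banging on your door" query Andy mentions. It uses SQLite as a stand-in for MySQL and a constructed sample capture rather than real traffic; the swap to MySQL is the connection object and the placeholder style.

```python
import sqlite3
import struct
from socket import inet_aton, inet_ntoa

def iter_packets(data):
    """Yield (ts, src, dst, proto, sport, dport, wirelen) for each IPv4 packet in a pcap."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic number gives byte order
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (DLT_EN10MB) are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, wirelen = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # skip non-IPv4 frames (ARP, IPv6, ...)
            continue
        ihl, proto, sport, dport = (pkt[14] & 0x0F) * 4, pkt[23], None, None
        if proto in (6, 17) and len(pkt) >= 14 + ihl + 4:  # TCP/UDP: ports are the first 4 bytes
            sport, dport = struct.unpack("!HH", pkt[14 + ihl:14 + ihl + 4])
        yield (sec + usec / 1e6, inet_ntoa(pkt[26:30]), inet_ntoa(pkt[30:34]), proto, sport, dport, wirelen)

def load_capture(conn, data):
    """Insert every parsed packet into table 'packets'; returns the number of rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS packets (ts REAL, src TEXT, dst TEXT, proto INTEGER, sport INTEGER, dport INTEGER, length INTEGER)")
    rows = list(iter_packets(data))
    conn.executemany("INSERT INTO packets VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return len(rows)

def top_sources(conn, limit=5):
    """Who is knocking most often: source addresses ranked by packet count."""
    return conn.execute("SELECT src, COUNT(*) AS n FROM packets GROUP BY src ORDER BY n DESC, src LIMIT ?", (limit,)).fetchall()

def analyze(data, limit=5):
    """Load a capture into an in-memory SQLite DB (stand-in for MySQL) and rank sources."""
    conn = sqlite3.connect(":memory:")
    return load_capture(conn, data), top_sources(conn, limit)

def build_sample_capture():
    """Constructed capture (not real traffic): three TCP SYNs to port 22 plus one ARP frame."""
    def tcp_frame(src, dst, sport, dport):
        eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, inet_aton(src), inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)  # SYN, no options
        return eth + ip + tcp
    frames = [tcp_frame("10.0.0.5", "192.0.2.1", 40000, 22), b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
              tcp_frame("10.0.0.9", "192.0.2.1", 40001, 22), tcp_frame("10.0.0.5", "192.0.2.1", 40002, 22)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header, DLT 1
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1045760000 + i, 0, len(frame), len(frame)) + frame
    return out
```

For a real file, pass `open("capture.pcap", "rb").read()` to `analyze`; the pcapng format that newer tcpdump builds can write is not handled here.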
This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 14:43:31 PST