[Openpacket-devel] OpenPacket ideas
From: Richard B. <tao...@gm...> - 2007-03-12 19:46:14
OpenPacket.org fans,

I just had a conversation with a volunteer Web architect for OpenPacket.org. She's BCC'd on this email because I'm not sure if she wants any attention yet. I decided to send this message to the openpacket-devel list so others could potentially reply to this post with their thoughts.

One of the problems we just discussed was pcap trace classification. How do people do searches on traces in an efficient manner?

One option I considered would be to run a trace through Tshark to produce statistics, then use the output to create tags. For example, the Wireshark sample captures Wiki

http://wiki.wireshark.org/SampleCaptures

includes a trace

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=dssetup_DsRoleUpgradeDownlevelServer_MS04-011_exploit.cap

that looks like this when run through Tshark statistics:

$ tshark -n -q -r dssetup_DsRoleUpgradeDownlevelServer_MS04-011_exploit.cap -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:16 bytes:4962
  eth                                    frames:16 bytes:4962
    ip                                   frames:16 bytes:4962
      tcp                                frames:16 bytes:4962
        nbss                             frames:8 bytes:4418
          smb                            frames:6 bytes:2414
            pipe                         frames:3 bytes:1934
              dcerpc                     frames:3 bytes:1934
                dssetup                  frames:1 bytes:1514
              dcerpc.cn_deseg_req        frames:1 bytes:1514
===================================================================

The protocol name (eth, ip, tcp, nbss, etc.) could be used to create tags. Someone could query OpenPacket for all traffic involving "dcerpc" and find this trace.

We might be able to do something similar with Argus if we wanted to create classifications for IP protocols and/or TCP/UDP ports.

I appreciate any thoughts.

Sincerely,

Richard
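The tagging scheme sketched in the message above, worked through as an added example; this is not code from the original post or from OpenPacket.org. It parses the text that `tshark -z io,phs` prints, walks the indented protocol hierarchy, and turns the protocol names into a de-duplicated tag list that a trace index can be searched on. The sample text is reconstructed from the output quoted in the post, with indentation assumed at two spaces per level (the archived mail flattened it); the function names (`parse_phs`, `tags_from_phs`, `build_index`, `search`, `phs_for_pcap`) and the one-line second trace used in the usage note are my own. Two practical choices the post does not spell out: entries such as `dcerpc.cn_deseg_req` are desegmentation markers rather than protocols, so they are collapsed to their base name, and `frame` is present on every trace, so it is dropped because it would match everything.

```python
import re
import subprocess

# Constructed sample: the `tshark -n -q -r ... -z io,phs` output quoted in the post,
# with two-space-per-level indentation reinstated (an assumption about the layout).
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:16 bytes:4962
  eth                                    frames:16 bytes:4962
    ip                                   frames:16 bytes:4962
      tcp                                frames:16 bytes:4962
        nbss                             frames:8 bytes:4418
          smb                            frames:6 bytes:2414
            pipe                         frames:3 bytes:1934
              dcerpc                     frames:3 bytes:1934
                dssetup                  frames:1 bytes:1514
              dcerpc.cn_deseg_req        frames:1 bytes:1514
===================================================================
"""

# One hierarchy line: leading indent, a protocol (or pseudo-protocol) name, then counters.
# Banner, "Filter:" and blank lines do not match and are skipped.
PHS_LINE = re.compile(
    r"^(?P<indent>\s*)(?P<proto>[A-Za-z0-9_.-]+)\s+frames:(?P<frames>\d+)\s+bytes:(?P<bytes>\d+)\s*$"
)


def parse_phs(text):
    """Parse phs output into a flat list of entries, each carrying its path in the tree.

    Depth is recovered from indentation with a stack, so a sibling that follows a
    deeper subtree (dcerpc.cn_deseg_req after dssetup) is attached to the right parent.
    """
    entries = []
    stack = []  # (indent width, protocol name) for the current ancestor chain
    for line in text.splitlines():
        m = PHS_LINE.match(line)
        if not m:
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group("proto")))
        entries.append({
            "proto": m.group("proto"),
            "path": "/".join(name for _, name in stack),
            "depth": len(stack) - 1,
            "frames": int(m.group("frames")),
            "bytes": int(m.group("bytes")),
        })
    return entries


def tags_from_phs(text, skip=frozenset({"frame"})):
    """Derive tags: base protocol names, first-seen order, no duplicates.

    'dcerpc.cn_deseg_req' collapses to 'dcerpc'; 'frame' is skipped by default
    because every capture has it and it would carry no search value.
    """
    tags = []
    for entry in parse_phs(text):
        tag = entry["proto"].split(".", 1)[0].lower()
        if tag in skip or tag in tags:
            continue
        tags.append(tag)
    return tags


def build_index(traces):
    """Map each tag to the set of trace names whose phs output produced it."""
    index = {}
    for name, phs_text in traces.items():
        for tag in tags_from_phs(phs_text):
            index.setdefault(tag, set()).add(name)
    return index


def search(index, tag):
    """Answer the query from the post: which traces involve, e.g., 'dcerpc'?"""
    return sorted(index.get(tag.lower(), ()))


def phs_for_pcap(pcap_path, tshark="tshark"):
    """Run the exact tshark invocation from the post and return its stdout (not exercised offline)."""
    result = subprocess.run(
        [tshark, "-n", "-q", "-r", pcap_path, "-z", "io,phs"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed second trace: a one-frame capture that only reaches Ethernet.
    idx = build_index({"ms04-011.cap": SAMPLE_PHS,
                       "eth-only.cap": "frame  frames:1 bytes:60\n  eth  frames:1 bytes:60\n"})
    print(tags_from_phs(SAMPLE_PHS))
    print(search(idx, "dcerpc"), search(idx, "eth"))
```

For a real corpus, `phs_for_pcap` feeds each upload into `tags_from_phs` at ingest time and the tag-to-trace map is what gets persisted; the parser keeps the full path and counters as well, so a later scheme could tag on position (for example, only protocols seen above a byte threshold) without re-running tshark.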