OpenPacket.org fans,
I just had a conversation with a volunteer Web architect for
OpenPacket.org. She's BCC'd on this email because I'm not sure if she
wants any attention yet. I decided to send this message to the
openpacket-devel list so others could potentially reply to this post
with their thoughts.
One of the problems we just discussed was pcap trace classification.
How do people do searches on traces in an efficient manner? One
option I considered would be to run a trace through Tshark to produce
statistics, then use the output to create tags. For example, the
Wireshark sample captures Wiki
http://wiki.wireshark.org/SampleCaptures
includes a trace
http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=dssetup_DsRoleUpgradeDownlevelServer_MS04-011_exploit.cap
that looks like this when run through Tshark statistics:
$ tshark -n -q -r dssetup_DsRoleUpgradeDownlevelServer_MS04-011_exploit.cap -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: frame
frame frames:16 bytes:4962
eth frames:16 bytes:4962
ip frames:16 bytes:4962
tcp frames:16 bytes:4962
nbss frames:8 bytes:4418
smb frames:6 bytes:2414
pipe frames:3 bytes:1934
dcerpc frames:3 bytes:1934
dssetup frames:1 bytes:1514
dcerpc.cn_deseg_req frames:1 bytes:1514
===================================================================
The protocol name (eth, ip, tcp, nbss, etc.) could be used to create
tags. Someone could query OpenPacket for all traffic involving
"dcerpc" and find this trace.
We might be able to do something similar with Argus if we wanted to
create classifications for IP protocols and/or TCP/UDP ports.
I appreciate any thoughts.
Sincerely,
Richard
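As a concrete sketch of the tagging idea in the message above, here is an added example (not code from the e-mail, OpenPacket.org, or Wireshark) that parses the `tshark -z io,phs` protocol hierarchy output into a list of protocol entries, reconstructs each dissector path from the nesting, and derives a set of tags with a minimum-frame threshold. The sample text is constructed from the listing in the e-mail; the two-space indentation per nesting level is assumed to match what tshark prints, and the `phs_from_capture` helper simply shells out to the same `tshark` command shown above.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample: the hierarchy from the e-mail, with the two-space-per-level
# indentation tshark uses (assumed). Counts are the ones the message shows.
SAMPLE_PHS = """\
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:16 bytes:4962
  eth                                    frames:16 bytes:4962
    ip                                   frames:16 bytes:4962
      tcp                                frames:16 bytes:4962
        nbss                             frames:8 bytes:4418
          smb                            frames:6 bytes:2414
            pipe                         frames:3 bytes:1934
              dcerpc                     frames:3 bytes:1934
                dssetup                  frames:1 bytes:1514
                dcerpc.cn_deseg_req      frames:1 bytes:1514
===================================================================
"""

# One hierarchy line: optional indent, dissector name, frame and byte counts.
PHS_LINE = re.compile(
    r"^(?P<indent> *)(?P<proto>\S+)\s+frames:(?P<frames>\d+)\s+bytes:(?P<bytes>\d+)\s*$"
)


def parse_phs(text: str) -> List[Dict]:
    """Turn io,phs output into entries of depth/proto/frames/bytes, ignoring banner lines."""
    entries = []
    for line in text.splitlines():
        m = PHS_LINE.match(line)
        if not m:
            continue  # separators, title, filter line, blanks
        entries.append({
            "depth": len(m.group("indent")) // 2,
            "proto": m.group("proto"),
            "frames": int(m.group("frames")),
            "bytes": int(m.group("bytes")),
        })
    return entries


def protocol_paths(entries: List[Dict]) -> List[str]:
    """Rebuild the dissector chain for every entry from its indentation depth."""
    stack: List[str] = []
    paths = []
    for e in entries:
        del stack[e["depth"]:]          # pop back to the parent level
        stack.append(e["proto"])
        paths.append("/".join(stack))
    return paths


def phs_tags(entries: List[Dict], min_frames: int = 1) -> Dict[str, int]:
    """Map tag -> frame count. Skips the 'frame' pseudo-layer and dotted sub-entries
    such as dcerpc.cn_deseg_req, which describe reassembly rather than a protocol
    (assumption: the parent dissector name is the useful tag). min_frames lets a
    single stray packet be kept from tagging an entire trace."""
    tags: Dict[str, int] = {}
    for e in entries:
        name = e["proto"]
        if name == "frame" or "." in name or e["frames"] < min_frames:
            continue
        tags[name] = max(tags.get(name, 0), e["frames"])
    return tags


def phs_from_capture(path: str) -> str:
    """Run the same command as in the e-mail and return its text output."""
    out = subprocess.run(
        ["tshark", "-n", "-q", "-r", path, "-z", "io,phs"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    ents = parse_phs(SAMPLE_PHS)
    for path in protocol_paths(ents):
        print(path)
    print("tags:", sorted(phs_tags(ents)))
```

Because the tag names come straight from Wireshark's dissector names, a capture that is dissected wrongly (for example a service on a non-standard port) produces misleading tags; for that reason the paths and frame counts are kept alongside the tags so a search result can be checked against the actual hierarchy rather than the bare label.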