PCAPRUNNER
==========
Runs through PCAP files and statistically analyzes IP packets. Other packets are ignored.
Addresses, ports, oldest timestamp, youngest timestamp (first seen / last seen), the quantity
of packets and the sum of the packet volumes (as given in the PCAP file as orig_len) are listed.
PCAPRUNNER uses only the C standard library, no LIBPCAP is needed.
Compile:
$ gcc -o pcaprunner pcaprunner_vX.Y.Z.c
or use:
$ make
Usage:
pcaprunner [--help] [-h] [-r] [-s] [-l] [-b] [-p] [-v] [-c] [-a DELIMITER] [-d DELIMITER] [-w PCNF-FILE] [-j JSON-FILE] INFILE1 [INFILE2 ...]
Input file format is PCAP or PCNF.
Options:
--help, -h Print help text.
-r Print timestamps and traffic volumes in human readable format.
The time stamps are taken from the PCAP files without any validation or adjustment.
-s Print statistics about single addresses (default if not -w or -j).
The list starts with the address of largest traffic volume. In most scenarios this should be
the observed address.
-l Print statistics about links (traffic from source to destination address).
-b Print statistics about bidirectional links (traffic between addresses, both directions).
-p Print statistics about ports per address (one address, one port).
-v Print verbose netflow data. This gives the traffic between the same addresses and ports
(logical "and" = "&&" - this is the most differentiated statistic).
-c Print a head line with the meaning of the columns as first line before the data sets.
ADDR, SRC_ADDR, DST_ADDR - IP address (source / destination)
PORT, SRC_PORT, DST_PORT - port number on TCP or UDP
FIRST_TS, LAST_TS - time stamps (first seen, last seen)
TCP_PACKETS, TCP_IN_PACKETS, TCP_OUT_PACKETS - number of TCP packets (incoming / outgoing)
UDP_PACKETS, UDP_IN_PACKETS, UDP_OUT_PACKETS - number of UDP packets
OTHER_PACKETS, OTHER_IN_PACKETS, OTHER_OUT_PACKETS - other IP protocols
ALL_PACKETS, ALL_IN_PACKETS, ALL_OUT_PACKETS - all IP packets (TCP+UDP+OTHER)
TCP_VOLUME, UDP_VOLUME... - same as PACKETS but the summed data volume (orig_len)
-a DELIMITER Sets the delimiter character between IP address and port number. Default is ':'.
-d DELIMITER Sets the delimiter character between other data. Default is tab stop.
-w PCNF-FILE Write output to file. The file format is PCNF. You should name it 'FILENAME.pcnf'.
PCNF is the native binary file format. It is effective for large PCAP files to do this first.
-j JSON-FILE Write output to file. The file format is JSON. You should name it 'FILENAME.json'.
Only one statistic / output at a time. Best choice for big data is to use -w on the first run.
Example: pcaprunner -w netflow.pcnf dump1.pcap dump2.pcap
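As an added illustration (not PCAPRUNNER's own source), the following C reader for the classic PCAP format produces the FIRST_TS / LAST_TS and per-protocol PACKETS / VOLUME counters described above: it sums orig_len rather than the captured length, skips non-IP frames, and refuses a record that claims more bytes than the file holds. The function names (pcap_stats, build_sample, add_rec) and the in-memory sample capture are assumptions made here; only little-endian Ethernet captures are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Per-protocol counters, mirroring the *_PACKETS / *_VOLUME / FIRST_TS / LAST_TS columns. */
struct pcap_stats {
    uint32_t first_ts, last_ts;                      /* seconds, taken as-is from the records */
    uint64_t tcp_packets, udp_packets, other_packets;
    uint64_t tcp_volume, udp_volume, other_volume;   /* summed orig_len, not incl_len */
    uint64_t ignored;                                /* non-IPv4 frames (ARP, IPv6, ...) */
};
static uint32_t le32(const unsigned char *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(unsigned char *p, uint32_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24); }
/* Walk a little-endian PCAP image (link type 1 = Ethernet). Returns the record count, or -1 on a malformed file. */
int pcap_stats(const unsigned char *buf, size_t len, struct pcap_stats *st) {
    memset(st, 0, sizeof *st);
    if (len < 24 || le32(buf) != 0xa1b2c3d4u || le32(buf + 20) != 1) return -1;
    size_t off = 24; int n = 0;
    while (off + 16 <= len) {                        /* record header: ts_sec, ts_usec, incl_len, orig_len */
        uint32_t ts = le32(buf + off), incl = le32(buf + off + 8), orig = le32(buf + off + 12);
        const unsigned char *pkt = buf + off + 16;
        if (incl > len - off - 16) return -1;        /* truncated capture: never read past the buffer */
        off += 16 + incl;
        if (n++ == 0 || ts < st->first_ts) st->first_ts = ts;
        if (ts > st->last_ts) st->last_ts = ts;
        /* Ethernet header is 14 bytes; EtherType 0x0800 plus version nibble 4 means IPv4, else ignore. */
        if (incl < 34 || pkt[12] != 0x08 || pkt[13] != 0x00 || (pkt[14] >> 4) != 4) { st->ignored++; continue; }
        uint8_t proto = pkt[14 + 9];                 /* IPv4 protocol field */
        if (proto == 6)       { st->tcp_packets++;   st->tcp_volume += orig; }
        else if (proto == 17) { st->udp_packets++;   st->udp_volume += orig; }
        else                  { st->other_packets++; st->other_volume += orig; }
    }
    return n;
}
/* Constructed sample (not a real capture). add_rec appends one record; proto 0 writes an ARP frame instead of IPv4. */
static size_t add_rec(unsigned char *b, size_t off, uint32_t ts, uint32_t incl, uint32_t orig, uint8_t proto) {
    memset(b + off, 0, 16 + incl);
    put32(b + off, ts); put32(b + off + 8, incl); put32(b + off + 12, orig);
    b[off + 16 + 12] = 0x08; b[off + 16 + 13] = proto ? 0x00 : 0x06;     /* EtherType IPv4 or ARP */
    if (proto) { b[off + 16 + 14] = 0x45; b[off + 16 + 14 + 9] = proto; } /* version 4, IHL 5, protocol */
    return off + 16 + incl;
}
size_t build_sample(unsigned char *buf) {                                /* needs at least 210 bytes */
    memset(buf, 0, 24); put32(buf, 0xa1b2c3d4u); buf[4] = 2; buf[6] = 4; put32(buf + 16, 65535); put32(buf + 20, 1);
    size_t off = add_rec(buf, 24, 1000, 54, 54, 6);                      /* TCP, fully captured */
    off = add_rec(buf, off, 1010, 42, 1500, 17);                         /* UDP, 1500 on the wire, 42 captured */
    return add_rec(buf, off, 1005, 42, 42, 0);                           /* ARP: not IP, must be ignored */
}
```

The UDP record shows why the volume columns use orig_len: only 42 of its 1500 bytes are in the file, but the traffic volume on the wire was 1500.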
Development and License
=======================
The use, development, distribution, etc. of the script is subject to the restrictions of GPL Version 3.
The tools are in alpha state. The developer is not responsible for the use of the tools. Accuracy is not guaranteed.
You are welcome to participate or donate to the development. Feel free to report bugs or give suggestions by email to:
markus.thilo@gmail.com
Project page:
https://github.com/markusthilo/netflower