Re: Classifying pcap data



Howard,

Something I have done before is to write a php script that runs tshark over all the pcap files in a directory and then puts the results into a MySQL database (built on a LAMP system).

You can get TShark to just look at the protocols and generate stats and a protocol hierarchy, instead of looking at all the packet contents, and you can get php to capture the output and database it with only a few lines of code.

Once the information is in a database it's easy to use SQL queries and a php based website to display stats and allow searching of the information.

Of course you don't have to use php and mysql, but I have used them before and the concept works. I'm sure it is just as easy to use perl/python/ruby or some other scripting language to script the Tshark commands and parse the output. Equally, any number of databases could be used based on your development environment, and there are a number of options for displaying the output, from a web front end (php/asp/cgi) to any good scripting language.

Hope this helps

Andy
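The pipeline Andy describes, as an added example that is not his PHP script: Python runs tshark with `-q -z io,phs` (protocol statistics only, no packet contents) over every pcap in a directory, flattens the protocol hierarchy into rows in an SQLite table, and answers Howard's application-layer ratio question with one query over all captures. The tshark output embedded below is a constructed sample in the real format; the table name `phs` and all function names are my own choices.

```python
import re, sqlite3, subprocess

PHS_LINE = re.compile(r"^(\s*)(\S+)\s+frames:(\d+)\s+bytes:(\d+)")  # "    tcp   frames:100 bytes:40000"
# Constructed sample in the shape `tshark -q -z io,phs` prints (2-space indent per nesting level)
SAMPLE_PHS = """\
Protocol Hierarchy Statistics
eth                                      frames:120 bytes:45678
  ip                                     frames:118 bytes:45400
    tcp                                  frames:100 bytes:40000
      http                               frames:30 bytes:20000
        data-text-lines                  frames:10 bytes:5000
      ssh                                frames:50 bytes:15000
    udp                                  frames:18 bytes:5400
      dns                                frames:18 bytes:5400
"""

def parse_phs(text):
    """Flatten the indented tree into (protocol_path, frames, bytes) rows; a stack keyed on
    indent depth rebuilds each path, and banner lines without counters are skipped."""
    rows, stack = [], []
    for line in text.splitlines():
        m = PHS_LINE.match(line)
        if m:
            stack = stack[: len(m.group(1)) // 2] + [m.group(2)]
            rows.append(("/".join(stack), int(m.group(3)), int(m.group(4))))
    return rows

def store(rows, pcap_name, conn=None):
    """Insert one capture's rows; with no connection given, an in-memory database is used."""
    conn = sqlite3.connect(":memory:") if conn is None else conn
    conn.execute("CREATE TABLE IF NOT EXISTS phs (pcap TEXT, path TEXT, frames INT, bytes INT)")
    conn.executemany("INSERT INTO phs VALUES (?, ?, ?, ?)", [(pcap_name, *r) for r in rows])
    return conn

def ingest_directory(directory, conn):
    """Andy's loop: tshark stats-only (-q -z io,phs) over every *.pcap in a pathlib.Path directory."""
    for pcap in sorted(directory.glob("*.pcap")):
        out = subprocess.run(["tshark", "-q", "-r", str(pcap), "-z", "io,phs"], capture_output=True, text=True, check=True)
        store(parse_phs(out.stdout), pcap.name, conn)
    return conn

def app_layer_share(conn):
    """Frame share per protocol directly above TCP/UDP; undissected tcp/udp frames have no child row and are excluded."""
    counts = {}
    for path, frames in conn.execute("SELECT path, SUM(frames) FROM phs GROUP BY path"):
        parts = path.split("/")
        if len(parts) >= 2 and parts[-2] in ("tcp", "udp"):
            counts[parts[-1]] = counts.get(parts[-1], 0) + frames
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()} if total else {}
```

Frames that tshark leaves at the tcp/udp level (payload it could not dissect) do not appear in the share, so compare `app_layer_share` against `SELECT SUM(frames) FROM phs WHERE path LIKE '%/tcp'` to see how much traffic went unclassified.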

-----Original Message-----
From: Howard Howard
Sent: Monday, January 31, 2011 9:41 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Classifying pcap data

Hi List,

I am working on analyzing a large number of pcap files.

I am trying to classify the captured data to
- find out the ratio of used internet protocols at application layer
(e.g. filesharing / chat / ssh)
- find out what kind of http traffic was happening

I am not too curious about the details of every package but want to
know about the general usage.

To classify the web traffic I would like to correlate my pcaps with
maybe content filter blacklists.

Can you suggest tools to me for performing such tasks? Can you point me to
any other ways to analyze a large amount of traffic?

Many thanks in advance!

Howard

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
