Packet Analysis
From ChekMate Security Group
Training Session
Packet Capture Files Sample Captures
Additional Resources
- Snort
- Sguil The analyst console for NSM
- Portsentry/Logsentry
- Shadow
- CVE
- Incidents.org
- Analyzer http://netgroup-serv.polito.it/analyzer/ is a fully configurable analyzer program. It was developed in a Win32 environment and can be used on both Windows 95/98 and Windows NT/2000 platforms. It consists of three parts: a graphical interface, an analysis engine and a capture program.
- Argus http://www.qosient.com/argus/ the network Audit Record Generation and Utilization System. The Argus Open Project is focused on developing network activity audit strategies that can do real work for the network architect, administrator and network user. It is a Unix based Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream.
- Bro http://www.icir.org/vern/bro.html intrusion detection system contains a number of protocol analyzers that can munch on tcpdump traces (or live traffic, of course) and extract high-level application events from the reassembled TCP/UDP streams.
- Cflowd http://www.caida.org/tools/measurement/cflowd/ is an experimental tool to collect data from Cisco's netflow http://www.cisco.com/warp/public/732/netflow/index.html export feature.
- Crypto-Pan http://www.cc.gatech.edu/computing/Telecomm/cryptopan/ is a cryptography-based sanitization tool for network trace owners to anonymize the IP addresses in their traces in a prefix-preserving manner.
- Ethereal http://ethereal.zing.org/ is a free network protocol analyzer for Unix and Windows (including Win2K). It allows you to examine data from a live network or from a capture file on disk. Packetyzer http://www.openxtra.com/products/mrtg-xtra.htm provides a new Windows user interface for it that is available under the terms of the GNU Public License.
- flstats http://www.ipsilon.com/staff/minshall/sw/flstats/flstats.html is a program for extracting flow statistics from trace files created using the -w argument to tcpdump.
- Natas http://intex.ath.cx/ is an open-source Windows 2000 network sniffer.
- NetraMet http://www.auckland.ac.nz/net/Internet/rtfm/TOP.html is one of a family of realtime flow meters designed for Internet accounting, including NetraMet (a traffic meter), NeMac (a combined manager & meter_reader) and NIFTY (a traffic flow analyzer).
- PasTmon http://www.pastmon.org/ is a passive network application response time monitor utilising packet capture (via libpcap); it tracks sessions, maintains transaction state and collects metrics on server/network response times, segment size negotiation and TCP window size advertisements.
- sniffit http://sniffit.rug.ac.be/sniffit/sniffit.html
- Snoop http://www.net-security.org/text/articles/spitzner/snoop.shtml is similar to tcpdump and is bundled with the Sun/Solaris Unix operating system.
- Snuffle http://www-tkn.ee.tu-berlin.de/~hoene/snuffle/ is a measurement tool for capturing the protocol messages, internal protocol states and to measure implementation performance on networking nodes. Snuffle consists of a set of modules placed in the kernel, device driver and user space. Currently measuring probes for UDP, IP and IEEE 802.11b MAC are implemented.
- Tcpdpriv http://www.ipsilon.com/staff/minshall/sw/tcpdpriv/tcpdpriv.html is a program for eliminating confidential information from packets collected on a network interface (or, from trace files created using the -w argument to tcpdump).
- tcpdump http://www.tcpdump.org/. There is also a version for Windows 9x, NT & 2000 http://netgroup-serv.polito.it/windump/.
- TCPurify http://irg.cs.ohiou.edu/~eblanton/tcpurify/ is a packet sniffer/capture program similar to tcpdump, but with much reduced functionality. What sets TCPurify apart from other, similar programs is its focus on privacy. TCPurify is designed from the ground up to protect the privacy of users on the sniffed network as much as possible.
- TCPshow http://www.tcpshow.org/ is a Unix based program that parses the output file of TCPdump into human readable text.
- Tcptrace http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html is a TCP dump file analysis tool written by Shawn Ostermann at Ohio University.
- trafd http://www.riss-telecom.ru/dev/trafd/ is a traffic accounting daemon for Linux and FreeBSD, built on top of libpcap, with accompanying tools to manage its data.
- trafshow http://soft.risp.ru/trafshow/index_en.shtml continuously displays information on the packet traffic on the configured network interface that matches a boolean filter expression.
- WinPcap http://netgroup-serv.polito.it/winpcap/ is an architecture for packet capture and network analysis for the Win32 platforms, based on the model of BPF and libpcap for UNIX. See also libpcap for Windows http://www-serra.unipi.it/~ntop/libpcap.html and libpcap for Unix http://www.tcpdump.org/.