Ethereal-users: Re: [Ethereal-users] Separating packet dump into TCP streams

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Steve Romig <romig@xxxxxxxxxxxxxxxxxx>
Date: Tue, 31 Oct 2000 23:52:54 -0500
On Wed, Nov 01, 2000 at 10:10:18AM +1100, Jesus M. Salvo Jr. wrote:
> Okay, I have done a few scripts that do the following:

oops.  i wish i had read this list yesterday, might have saved you
some time.  a few years ago we wrote a package called review that
reads tcpdump logs and displays the contents (primarily for incident
response type work, rather than network monitoring or protocol
debugging).

review is written in perl, part of the code already implements what
you're looking for (i think) - the cache system pulls packets from
"interesting" tcp/udp "sessions" (note the quotes) into separate
tcpdump log files for faster processing (e.g. if you're reviewing the
contents of 100 smtp sessions in a 250 mb tcpdump log, you'd much
rather read 100 short tcpdump files than reread the same 250 mb log
100 times pulling out a few packets here and there).  you would
probably need to dust the code off and certainly update it for modern
versions of tcpdump - i've been meaning to do that, haven't had the
need (or the time).  you can pick the whole package up from
ftp.net.ohio-state.edu/users/romig/review.

also, john bashinski (used to be jbash@xxxxxxxxx, don't know whether
he's still there or not - john, are you out there?) wrote a similar
program in c that he called tcpshatter.  it's much faster, since (if i
remember right) it reads through the file once, rather than once for
each session (like 'review -cache' does).  you can pick that up in
ftp.net.ohio-state.edu/users/romig/other-software.

--- steve
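The single-pass approach the message credits to tcpshatter (read the log once, drop each "interesting" session into its own tcpdump-readable file), as an added Python example that is not code from review, tcpshatter or the Ethereal project. It assumes classic pcap files (not pcapng) of Ethernet/IPv4 TCP or UDP traffic; the `make_frame` and `make_pcap` helpers construct test input rather than reading a real capture.

```python
import os
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap magic; how it reads back tells us the file's byte order

def flow_key(frame):
    """Direction-independent (proto, endpoint, endpoint) key for an Ethernet/IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:  # need at least the port fields
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    a, b = (frame[26:30], sport), (frame[30:34], dport)
    return (proto,) + tuple(sorted([a, b]))  # both directions of a session map to one key

def split_pcap(data):
    """One pass over a classic pcap byte string: returns (global header, {flow key: [raw records]})."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    flows, off = defaultdict(list), 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]  # incl_len field
        key = flow_key(data[off + 16:off + 16 + caplen])
        if key is not None:                     # non-IP / non-TCP-UDP packets are skipped
            flows[key].append(data[off:off + 16 + caplen])
        off += 16 + caplen
    return data[:24], dict(flows)

def write_flows(header, flows, outdir):
    """Write each session to its own pcap, copying the global header so tcpdump can read the result."""
    os.makedirs(outdir, exist_ok=True)
    for (proto, (a, ap), (b, bp)), records in flows.items():
        name = "%s_%s-%d_%s-%d.pcap" % ("tcp" if proto == 6 else "udp",
                                          ".".join(map(str, a)), ap, ".".join(map(str, b)), bp)
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(header + b"".join(records))

def make_frame(src, sport, dst, dport, proto=6):
    """Constructed minimal Ethernet/IPv4 frame carrying only the port header (test input, not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)

def make_pcap(frames):
    """Constructed little-endian pcap v2.4 with LINKTYPE_ETHERNET (1) wrapping the frames."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
```

Because records are stored verbatim and the original global header is reused, each output file is a valid pcap that tcpdump or Ethereal can open directly.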