Ethereal-users: Re: [Ethereal-users] Traffic burst detector.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: 12 Dec 2004 02:25:34 +0200
Rob Miller wrote at 10 Dec 2004 08:30:12 -0700:

> We are trying to detect where burst of traffic is coming from.

Don't forget the possibility of something behaving like a DDoS attack
(even if it not really is one). Means many different senders sending
something at the same time. So it's not necessarily one evil sender
address you are looking for. Actually if you have a problem with your
network load, I'd say it should be more than 1 sender. 1 sender should
not be able to bring your network into trouble. To make it more
complicated it's not even necessary that these different senders send
to the same common address... You could assume that for a while,
but don't exclude it completely.


> We've used Ethereal to view all traffic over a period of time and 
> find that there are 15 second bursts of traffic...
> Unfortunately There is no way to tell where the traffic is coming 
> from as it is buried among thousands of other packets. 

So if I understand you right you have captured the data already. It's
just so much that you don't know how to analyse it. So please excuse
that I don't answer your question, but try to suggest how to solve
your original problem by analysing the masses of data you have.  

AFAIK you cannot do such analysis with Ethereal. So you have to export
the data and do the analysis. One way would be to apply some
statistics, something like which address sent the most packets or
bytes during the shortest interval.

Maybe easier is to use some visualization tool to see (in the true
sense of the word) where the anomaly occurs. ("Where" is referring to
the visualization, so the information you get could as well be an
network adress or a protocol or whatever you visualize)

2 tools come to my mind

- Microsoft Excel
- Data Explorer

Myself I have successfully used Microsoft Excel to create very
informative charts from Ethereal data. However, Excel has limitations
when it comes to thousands and tens of thousands of data events. If
you hit those you might consider the next one...

Data Explorer might be better suited for the amounts of data you seem
to be talking about. I haven't used it for more than 10 years. Back
then it was still a commercial IBM product. It used to be a great
tool, but I wouldn't expect to be able to productively use it in under
a week's time. The problem is that you probably need only 1% of the
functionality of the tool for your problem, and it will take some time
to locate the right 1%. And you will need to understand a lot of the
other 99% in order to know that it's not applicable. Anyway,
http://www.opendx.org

So how to export the data from Ethereal? Probably the only data you
need to find the culprit is the frame number, the time stamp, src and
dest adresses and probably the packet length. (to be able to calculate
data volumes)

1. The packet length is not shown in the Packet List by default. Add it
under Edit -> Preferences... User Interface / Columns. (Restart needed)

2. Export the data to a plain text file by File -> Export... Select
only the sumary line, not the packet details

Now you have 1 row per packet. This format can either be imported
directly to the visualization tool or you first use a little script,
e.g. to convert all adresses into integer numbers that the
visualisation tool can handle.  In Excel you could do also all kind of
sorting, counting, filtering, and calculation of time deltas and
averages before drawing any charts. There are powerful functions
available, which you could use to lookup the previous packet from/to
the same address etc. (well probably you can do even more in
data explorer. I've just become an Excel user...)

Good luck! I think it's doable, but I would not necessarily expect to
see the solution in 1 day. Of course it's faster if you are or know a
guru of your visualisation tool ;);)

Regards,

Uwe


P.S. Sorry, this was not the simple answer you expected, I know... 
But the triggering solution won't be that easy either and once you have it
working you might still have some analysis to do.