Wireshark-users: Re: [Wireshark-users] Good tools for pcap summary info, etc.?

From: "James Talbut" <James.Talbut@xxxxxxxxx>
Date: Thu, 25 Sep 2008 20:16:47 +0100
It's not, and it's kinda specific to my environment so I won't be making the whole thing available - but I'll post most of it here so you can have a look (I'm out of the office until next week, so it'll be a few days).
It just uses popen to run tshark, using a nasty hack of changing the column format to use %Rt as a delimiter, then parses the output line by line and adds what it sees to a couple of internal tables (dictionaries).
It's pretty rigid about doing everything on a minute-by-minute analysis (i.e. it doesn't convert the time fields to times, it just truncates the strings to whole minutes - nice and lazy).
At the end it dumps the tables as tab delimited files and runs a couple of instances of gnuplot to generate the plots.
 
There isn't much very clever in there, but it could serve as the basis for your own tool.
 
I'd be much happier with it as a solution if it wasn't for the nasty hack to get semi reliable delimiters out of tshark (which will need https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2892 to fix).
 
Jim
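The pipeline described above (run tshark from Python, truncate timestamps to whole minutes, dump tab-delimited tables, hand them to gnuplot) together with the four end products listed in the earlier message below, as an added example that is not Jim's tool and not part of the original thread. It assumes a tshark that supports `-T fields` with `-E separator=/t` (which sidesteps the column-format delimiter hack), a hypothetical local prefix `192.0.2.0/24` to decide incoming versus outgoing, a hypothetical `UNWANTED` protocol list, and constructed sample lines in `SAMPLE_LINES` so it runs offline:

```python
#!/usr/bin/env python3
"""Per-minute egress summary from tshark field output (added example, not the poster's script)."""
import ipaddress
import subprocess
import sys
import time
from collections import defaultdict

# Hypothetical local range: frames from it are "out", frames to it are "in".
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Hypothetical list of protocols the operator does not want to see leaving the network.
UNWANTED = {"TELNET", "FTP", "SMB", "NBNS"}
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "frame.len", "_ws.col.Protocol"]


def tshark_cmd(pcap):
    """tshark command line producing one tab-separated line per frame."""
    cmd = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def run_tshark(pcap):
    """Run tshark on a capture file and return its output lines."""
    out = subprocess.run(tshark_cmd(pcap), capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def direction(src, dst):
    """'out' for local->remote, 'in' for remote->local, None otherwise."""
    s_local = ipaddress.ip_address(src) in LOCAL_NET
    d_local = ipaddress.ip_address(dst) in LOCAL_NET
    if s_local and not d_local:
        return "out"
    if d_local and not s_local:
        return "in"
    return None  # local<->local or remote<->remote is not egress traffic


def summarise(lines):
    """Aggregate tshark field lines into the four tables: rates, per-protocol rates,
    conversations and unwanted-protocol counts. Minutes are epoch seconds truncated to 60."""
    per_min = defaultdict(lambda: {"in": 0, "out": 0})       # minute -> bytes per direction
    per_min_proto = defaultdict(lambda: defaultdict(int))    # (minute, dir) -> proto -> bytes
    convs = defaultdict(lambda: {"bytes": 0, "packets": 0})  # (addr_a, addr_b) -> totals
    unwanted = defaultdict(int)                              # proto -> packet count
    for line in lines:
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        ts, src, dst, length, proto = parts
        if not src or not dst:
            continue  # non-IP frame (ARP, STP, ...): ip.* fields are empty
        src, dst = src.split(",")[0], dst.split(",")[0]  # tunnelled frames list several addresses
        minute = int(float(ts)) // 60 * 60               # whole-minute bucket, as in the post
        size = int(length)
        key = tuple(sorted((src, dst)))
        convs[key]["bytes"] += size
        convs[key]["packets"] += 1
        if proto in UNWANTED:
            unwanted[proto] += 1
        d = direction(src, dst)
        if d is None:
            continue
        per_min[minute][d] += size
        per_min_proto[(minute, d)][proto] += size
    return {"per_min": dict(per_min),
            "per_min_proto": {k: dict(v) for k, v in per_min_proto.items()},
            "convs": dict(convs), "unwanted": dict(unwanted)}


def bytes_per_second(per_min):
    """Per-minute byte totals -> sorted (minute_epoch, in_bps, out_bps) rows."""
    return [(m, v["in"] / 60.0, v["out"] / 60.0) for m, v in sorted(per_min.items())]


def minute_label(minute):
    return time.strftime("%Y-%m-%d %H:%M", time.gmtime(minute))


def write_tsv(path, header, rows):
    with open(path, "w") as fh:
        fh.write("\t".join(header) + "\n")
        for row in rows:
            fh.write("\t".join(str(c) for c in row) + "\n")


GNUPLOT = """set terminal png size 1000,400
set output 'rates.png'
set datafile separator tab
set xdata time
set timefmt '%Y-%m-%d %H:%M'
set ylabel 'bytes/s'
plot 'rates.tsv' using 1:2 with lines title 'in', '' using 1:3 with lines title 'out'
"""

# Constructed sample of tshark field output (2008-09-25 07:00 UTC), not a real capture.
SAMPLE_LINES = [
    "1222326000.10\t192.0.2.10\t198.51.100.5\t1500\tHTTP",
    "1222326001.20\t198.51.100.5\t192.0.2.10\t60\tTCP",
    "1222326030.00\t192.0.2.11\t203.0.113.9\t90\tDNS",
    "1222326061.00\t192.0.2.10\t198.51.100.5\t300\tHTTP",
    "1222326062.00\t\t\t64\tARP",
    "1222326063.00\t192.0.2.10\t192.0.2.11\t120\tSMB",
]


def main(pcap=None):
    s = summarise(run_tshark(pcap) if pcap else SAMPLE_LINES)
    write_tsv("rates.tsv", ["minute", "in_bps", "out_bps"],
              [(minute_label(m), i, o) for m, i, o in bytes_per_second(s["per_min"])])
    write_tsv("conversations.tsv", ["a", "b", "bytes", "packets"],
              sorted(((a, b, v["bytes"], v["packets"]) for (a, b), v in s["convs"].items()),
                     key=lambda r: -r[2]))
    write_tsv("unwanted.tsv", ["protocol", "packets"], sorted(s["unwanted"].items()))
    with open("rates.gp", "w") as fh:
        fh.write(GNUPLOT)
    subprocess.run(["gnuplot", "rates.gp"], check=True)


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python3 summary.py capture.pcap`; without an argument it processes the embedded sample. The conversation table is sorted by bytes so the biggest talkers are at the top when loaded into a spreadsheet, and the per-protocol breakdown is kept per (minute, direction) so a stacked histogram can be plotted from it with a second gnuplot script.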


From: Jim Balo [mailto:jimbalo22@xxxxxxxxx]
Sent: Thu 25/09/2008 19:56
To: Community support list for Wireshark; James Talbut
Subject: RE: [Wireshark-users] Good tools for pcap summary info, etc.?

Hi James,
 
I'd like to look at your tool - is it downloadable from somewhere ?
 
Thanks,
JB


--- On Thu, 9/25/08, James Talbut <James.Talbut@xxxxxxxxx> wrote:
From: James Talbut <James.Talbut@xxxxxxxxx>
Subject: RE: [Wireshark-users] Good tools for pcap summary info, etc.?
To: jimbalo22@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Thursday, September 25, 2008, 10:04 AM

I wrote myself a python program to take the output from tshark and carry out a
number of operations on it.
I break it down into four end products:
1. Chart of incoming and outgoing bytes per second (calculated per minute).
2. Chart of each of incoming and outgoing bytes per second as a stacked
histogram of protocols.
3. Table of conversations that can be loaded into a spreadsheet to find the big
users.
4. Table of protocols I don't like to see.
 
I tried a load of other tools, but found them all lacking in some way.
 
Jim

________________________________

From: wireshark-users-bounces@xxxxxxxxxxxxx on behalf of Jim Balo
Sent: Thu 25/09/2008 18:00
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Good tools for pcap summary info, etc.?


Hello,
 
I am capturing all traffic leaving our network in order to determine what
traffic should be allowed and what traffic should be blocked (by egress
filtering).  Last time I did this, it was quite painful and took a long time.  
 
I know there are some built in tools in Wireshark for displaying summaries of
pcap traffic, but I am interested in finding out what other tools are out there
for analyzing big pcap files and displaying summaries / statistics in various
ways (like end-point communications w/ easy access to whois and/or other details
for each node).
 
Any help on this would be great!
 
Thanks,
JB
 


________________________________________________________________________
This e-mail, and any attachment, is confidential. If you have received it in
error, do not use or disclose the information in any way, notify me immediately,
and please delete it from your system.
________________________________________________________________________
