I am looking for a #!/bin/sh script (to be run on Linux/Debian)
similar to "sanitize-syn-fin" from
http://ita.ee.lbl.gov/html/contrib/sanitize.html which, when executed,
returns an ASCII output of a tcpdump .dmp file with the following
results:
"timestamp" "sourceip:sourceport" "destinationip:destinationport"
"tcpflag" "[total session time]" (if successful connection) or "[no
ack]" (if connection was not successful)
I am looking for the output to be specifically in that order, and as with
"sanitize-syn-fin" I am only interested in a script which outputs TCP
flags SYN or FIN or RST.
Thanks for your help!
|
Request for Question Clarification by webadept-ga on 06 Apr 2005 17:23 PDT
Hi, there are several Perl scripts which would do this; I see you are
asking for a shell script, but would Perl be acceptable?
webadept-ga
|
Clarification of Question by tcpvegas-ga on 06 Apr 2005 17:53 PDT
Sure, Perl would be fine!
|
Request for Question Clarification by webadept-ga on 21 Apr 2005 06:59 PDT
Hi again,
Can you give me the tcpdump command line you want run in the script
(what switches you are using)? There are many, many ways to run
tcpdump; you appear to be looking for a single output type.
webadept-ga
|
Clarification of Question by tcpvegas-ga on 21 Apr 2005 13:41 PDT
webadept,
I have found a script which does most of what I am looking for.
The script is named Chaosreader and was written by Brendan Gregg
(http://users.tpg.com.au/adsln4yb/chaosreader.html). Chaosreader has a
nice HTML output and a text output (index.text), but the text output
is missing the main aspect I am looking for, which is individual TCP
session time, like the HTML output (index.html).
What I am actually looking for is a script (preferably now Perl)
that actually reads an already converted tcpdump text file (extracted
from custom database on machine running tcpdump) with the following
entries:
Example 1
------------------
2005-04-11 19:23:14.933548 IP 64.236.16.84.80 > 10.0.0.16.32893: S 822043145:822043145(0) ack 682853409 win 5840 <mss 1460>
2005-04-11 19:23:14.962256 IP 64.236.16.84.80 > 10.0.0.16.32873: F 2726:2726(0) ack 3560 win 16384
2005-04-11 19:23:14.962272 IP 10.0.0.16.32873 > 64.236.16.84.80: R 680129692:680129692(0) win 0
and produces a text output file similar to this:
Example 2
------------------
2005-04-11 19:23:14.933548 IP 64.236.16.84.80 > 10.0.0.16.32893:S [TCP session1]
2005-04-11 19:23:14.962256 IP 64.236.16.84.80 > 10.0.0.16.32873:F
2005-04-11 19:23:14.962272 IP 10.0.0.16.32873 > 64.236.16.84.80:R [session1=2ms]
Or any other text output which includes the following:
"timestamp" "sourceip:sourceport" "destinationip:destinationport"
"tcpflag" "[total session time]" (if successful connection) or "[no
ack]" (if connection was not successful)
The tcpdump command used for the first example was:
tcpdump -nn -tttt 'tcp[13] & 7 != 0' -r output.dmp
which does not resolve host/port names (-nn), arranges the
date/time in a pretty format (-tttt), and only captures TCP SYN/FIN/RST
flags ('tcp[13] & 7 != 0').
But again, as of this clarification I am not concerned about running
tcpdump or reading a tcpdump (.dmp or .pcap) file. I am trying to
write or find a script which converts tcpdump info extracted from a
database which is in a custom text format (example 1), and converts
that file to another text file (or to the screen, which can be
redirected to a text file) which changes the text entries as shown in
example 2.
Custom tcpdump text input file > session time (length) added &
only specific fields included ("timestamp" "sourceip:sourceport"
"destinationip:destinationport" "tcpflag") > new text file created
containing entries similar to example 2.
Sorry for any changes; hope this helps, good luck. I may also settle for
the algorithm/specific code used in Chaosreader which calculates TCP
session time (from SYN to FIN/RST).
|
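Added example (not from the question, from Chaosreader, or from sanitize-syn-fin): a script that reads text lines in the Example 1 format (tcpdump -nn -tttt output) and emits the annotated form of Example 2. It is written in Python rather than Perl; the logic carries over to Perl directly. The regex, the session numbering, the "[sessionN=Xms]" and "[sessionN no ack]" tag wording, and the sample input are my assumptions, not anything the question specifies. A session is keyed on the unordered pair of endpoints, starts at the first SYN seen for that pair, is marked established when a SYN carrying an ack (the SYN-ACK) is seen, and is closed by the first FIN or RST, at which point the elapsed time is reported; a FIN or RST for an unestablished session is tagged "no ack".

```python
#!/usr/bin/env python3
"""Annotate tcpdump -nn -tttt text lines with TCP session numbers and durations.

Added example, not part of the question or of Chaosreader. Only lines whose
flags contain S, F or R are kept (the same set 'tcp[13] & 7 != 0' selects);
a session runs from the first SYN on an endpoint pair to the first FIN or RST.
"""
import re
import sys
from datetime import datetime

# One record of the custom text format (tcpdump -nn -tttt), e.g.
#   2005-04-11 19:23:14.933548 IP 64.236.16.84.80 > 10.0.0.16.32893: S ... ack ...
# The flag letter may follow the colon with or without a space (Examples 1 and 2).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): ?"
    r"(?P<flags>[SFRPAUEW.]+)(?P<rest>.*)$"
)


def annotate_sessions(lines):
    """Return the SYN/FIN/RST lines as 'ts IP src:port > dst:port: FLAGS [tag]'."""
    sessions = {}   # endpoint pair -> {"n": number, "start": datetime, "established": bool}
    counter = 0
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a packet line in the expected format
        flags = m["flags"]
        if not any(f in flags for f in "SFR"):
            continue                      # keep only SYN/FIN/RST, as sanitize-syn-fin does
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        src = f"{m['src']}:{m['sport']}"
        dst = f"{m['dst']}:{m['dport']}"
        key = tuple(sorted((src, dst)))   # same session whichever direction the packet goes
        tag = ""
        if "S" in flags:
            sess = sessions.get(key)
            if sess is None:
                counter += 1
                sess = sessions[key] = {"n": counter, "start": ts, "established": False}
                tag = f"[TCP session{counter}]"
            if "ack" in m["rest"]:        # SYN-ACK: the peer answered the handshake
                sess["established"] = True
        else:                             # FIN or RST ends the session
            # First FIN/RST wins; the other side's later FIN gets no tag.
            sess = sessions.pop(key, None)
            if sess is not None:
                if sess["established"]:
                    ms = (ts - sess["start"]).total_seconds() * 1000
                    tag = f"[session{sess['n']}={ms:.0f}ms]"
                else:
                    tag = f"[session{sess['n']} no ack]"
        record = f"{m['ts']} IP {src} > {dst}: {flags}"
        out.append(f"{record} {tag}" if tag else record)
    return out


# Constructed sample in the Example 1 format: one completed session (SYN,
# SYN-ACK, data, FIN) and one refused connection (SYN answered by RST).
SAMPLE_INPUT = """\
2005-04-11 19:23:14.900000 IP 10.0.0.16.32893 > 64.236.16.84.80: S 682853408:682853408(0) win 5840 <mss 1460>
2005-04-11 19:23:14.933548 IP 64.236.16.84.80 > 10.0.0.16.32893: S 822043145:822043145(0) ack 682853409 win 5840 <mss 1460>
2005-04-11 19:23:14.950000 IP 10.0.0.16.32893 > 64.236.16.84.80: P 1:100(99) ack 1 win 5840
2005-04-11 19:23:14.962256 IP 64.236.16.84.80 > 10.0.0.16.32893: F 2726:2726(0) ack 3560 win 16384
2005-04-11 19:23:15.000000 IP 10.0.0.16.32900 > 64.236.16.84.443: S 1000:1000(0) win 5840 <mss 1460>
2005-04-11 19:23:15.002000 IP 64.236.16.84.443 > 10.0.0.16.32900: R 0:0(0) ack 1001 win 0
"""

if __name__ == "__main__":
    # Usage: python3 annotate.py input.txt > output.txt   (no argument: run the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INPUT.splitlines()
    for out_line in annotate_sessions(source):
        print(out_line)
```

Sessions that still have no FIN or RST when the input ends are simply left in the sessions dictionary; if those matter for the report, they can be listed after the loop with their start time and a marker such as "[sessionN open]".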