semi real time packet analysis

[Red Squirrel]

What is a best way to record packets in a way I can pretty much see them in real time?

Right now I have this tcp dump loop that writes to file, but problem is, it's just a rotation between 10 files. I would like something that would write files by date, and 1 file per hour or something, so that the files are not in use requiring me to stop the process so I can look at it. Anyway to make tcp dump write to file by date? (and change automatically when the date/hour changes)

 

[Crusty]

Pipe the output of tcpdump to cronolog. Cronolog takes a parameter string that defines the output file/directory format so you can specify it however you please and it will automatically take care of rotating the log files. I use that to store Apache logs just rsync them to the backup servers.

 

[Red Squirrel]

hmm I'll have to look into that, sounds just like what I need. thanks.

 

[Scarpozzi]

This isn't what you're asking for, using cronolog sounds like the best option...but have you checked out Wireshark? (formerly known as Ethereal) It's like tcpdump, but gives you a nice GUI and due to the color coded logs, you can train yourself to read the output easier.

You can get it for Linux and Windows, but due to device driver limitations with wireless networks, the Linux version will be slightly more feature-rich. If you want to download the windows version to check it out, you can get it at http://www.wireshark.org/

 

[Red Squirrel]

Yeah I actually use wireshark to look at the packet logs once I download them, but this is actually on an online server with no GUI. I just packet sniff everything so I can try to catch cheaters (it hosts a game VM) or people doing other malicious activities. Eventually I want to write a program that can read through the logs and analyze weird patterns, though that's a totally different project, and not sure if I'll actually do it, or how hard it would be.

 

[n0cmonkey]

tshark and daemonlogger are made for the first purpose.

bro and snort are made for the second.

 

[Scarpozzi]

Originally posted by: RedSquirrel
Yeah I actually use wireshark to look at the packet logs once I download them, but this is actually on an online server with no GUI. I just packet sniff everything so I can try to catch cheaters (it hosts a game VM) or people doing other malicious activities. Eventually I want to write a program that can read through the logs and analyze weird patterns, though that's a totally different project, and not sure if I'll actually do it, or how hard it would be.

Look into setting up a snort box. It's open source and skills learned there can be used in the real world if you do systems administration as a profession. You can write rules that will notify you if they're violated or script actions... There are already a ton of rules setup for various applications that would be easy to deploy quickly. It makes it easy to run because of the large userbase and developmental work already done.