Update of "dvessey"

Overview

Artifact ID: 5afd4dad20832eaf8965a584c7d02a7d8cae6ebd
Page Name: dvessey
Date: 2010-12-02 04:22:49
Original User: dvessey
Parent: 9a81396238530aac799fab3601257d697a2b32cd
Content

Misc Notes

Request Tracker for Incident Response: Not exactly NSM related, but close enough. Quick build guide.
Misc Bro Notes
Network Traffic Analysis with Bro: Quick overview and howto using some customized scripts and a customized version of bro.
Run series of PCAPs: PCAP file format: http://wiki.wireshark.org/Development/LibpcapFileFormat. Thought: might be able to skip the first 24 bytes (the global header) of each PCAP file after the first and concatenate them together (something like what mergecap probably does) without killing RAM.

Yes, it does work, with the following command:

dd if=cap-3of8.pcap bs=1 skip=24 >> /tmp/cap-2of8.pcap

Best way to use it is probably with a named pipe:

mkfifo p
( cat cap-1of8.pcap; dd if=cap-2of8.pcap bs=1 skip=24 ) > p
(Both writers run inside one subshell so the pipe stays open between the two files; if cat and dd open 'p' one after the other, the reader sees EOF as soon as cat exits and stops after the first file.)
And then in another window, read 'p' as if it's a PCAP file.
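Added example (not from this wiki page): the same header-skipping join done in Python, but checking each file's 24-byte global header first, since blindly skipping it only works when every file is classic libpcap (not pcapng) with the same byte order, timestamp precision and link type. The sample captures built by make_pcap are constructed in memory for illustration; the output header's snaplen is raised to the largest seen so a reader does not reject long packets from a later file.

```python
import struct
import sys

GLOBAL_HEADER_LEN = 24
# libpcap magic, read big-endian from the first 4 bytes -> byte order of the file
# (0xa1b2c3d4 usec / 0xa1b23c4d nsec timestamps; byte-swapped values mean little-endian)
MAGICS = {0xA1B2C3D4: ">", 0xA1B23C4D: ">", 0xD4C3B2A1: "<", 0x4D3CB2A1: "<"}

def parse_global_header(data):
    """Decode the 24-byte libpcap global header; raises on pcapng or truncated input."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file (pcapng or corrupt?): magic %#x" % magic)
    endian = MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"endian": endian, "magic": magic, "version": (major, minor),
            "snaplen": snaplen, "linktype": linktype}

def concat_pcaps(blobs):
    """Keep the first file's global header and drop the others' (what `dd bs=1 skip=24` does),
    after checking that byte order, timestamp precision and link type agree."""
    if not blobs:
        raise ValueError("nothing to concatenate")
    first = parse_global_header(blobs[0])
    max_snaplen = first["snaplen"]
    parts = [bytearray(blobs[0])]
    for n, blob in enumerate(blobs[1:], start=2):
        hdr = parse_global_header(blob)
        if hdr["magic"] != first["magic"] or hdr["linktype"] != first["linktype"]:
            raise ValueError("file %d has magic %#x/linktype %d, first file has %#x/%d"
                             % (n, hdr["magic"], hdr["linktype"], first["magic"], first["linktype"]))
        max_snaplen = max(max_snaplen, hdr["snaplen"])
        parts.append(blob[GLOBAL_HEADER_LEN:])   # packet records only, no second header
    # rewrite snaplen in the surviving header so later, longer packets are not rejected
    parts[0][16:20] = struct.pack(first["endian"] + "I", max_snaplen)
    return bytes(b"".join(parts))

def make_pcap(endian, snaplen, linktype, payloads):
    """Build a small constructed pcap in memory (one record per payload) for testing."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1291263769 + i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":   # usage: concat_pcaps.py cap-1of8.pcap cap-2of8.pcap ... > all.pcap
    sys.stdout.buffer.write(concat_pcaps([open(f, "rb").read() for f in sys.argv[1:]]))
```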

Other tools

Tool | Brief note
Carleton CSL NetADHICT |
SANCP | Has proven unreliable for large pcap file analysis. Messes up direction too often to provide good results. Bro connection logger may do better?
Bro Script - Seth Hall | Just grabbed these into my directory