D 2010-12-02T04:22:49
L dvessey
P 9a81396238530aac799fab3601257d697a2b32cd
U dvessey
W 1578
<h3>Misc Notes</h3>
<table border=1>
<tr>
 <td>[dvessey-rtir|Request Tracker for Incident Response]</td>
 <td>Not exactly NSM related, but close enough. Quick build guide.</td>
</tr>
<tr>
 <td>[dvessey-misc-bro|Misc Bro Notes]</td>
 <td></td>
</tr>
<tr>
 <td>[dvessey-bro-analysis-howto|Network Traffic Analysis with Bro]</td>
 <td>Quick overview and howto using some customized scripts and customized version of bro</td>
<tr>
 <td>Run series of PCAPs</td>
 <td>PCAP file format: [http://wiki.wireshark.org/Development/LibpcapFileFormat]. Thought: might be able to skip the first 24 bytes of each PCAP file and concatenate together (something like what mergecap probably does) without killing RAM.
<p>Yes, it does work, w/ fol cmd: <verbatim>dd if=cap-3of8.pcap bs=1 skip=24 | cat >> /tmp/cap-2of8.pcap </verbatim>
<p>Best way to use it is probably with a named pipe:
<verbatim>
mkfifo p
cat cap-1of8.pcap > p && dd if=cap-2of8.pcap of=p bs=1 skip=24
</verbatim>
And then in another window, read 'p' as if it's a PCAP file.
</td>
</tr>
</table>

</ul>
<h3>Other tools</h3>
<table border=1>
<tr><th>Tool</th><th>Brief note</th></tr>
<tr>
  <td>[dvessey-netadhict|Carleton CSL NetADHICT]</td>
  <td></td>
</tr>
<tr>
  <td>SANCP</td>
  <td>Has proven unreliable for large pcap file analysis. Messes up direction too often to provide good results. Bro connection logger may do better?</td>
</tr>
<tr>
 <td>[https://github.com/sethhall/bro_scripts|Bro Script - Seth Hall]</td>
 <td>Just grabbed these into my directory</td>

</tr>
</table>
Z c7116f93a3c330bd61132ea1ae481486