Misc Notes
Note | Detail |
---|---|
Request Tracker for Incident Response | Not exactly NSM related, but close enough. Quick build guide. |
Misc Bro Notes | |
Network Traffic Analysis with Bro | Quick overview and howto using some customized scripts and a customized version of Bro. |
Run series of PCAPs | PCAP file format: http://wiki.wireshark.org/Development/LibpcapFileFormat. Thought: it should be possible to skip the first 24 bytes (the global header) of each subsequent PCAP file and concatenate the rest (roughly what mergecap probably does) without loading everything into RAM. |

Yes, it does work, with the following command:

    dd if=cap-3of8.pcap bs=1 skip=24 | cat >> /tmp/cap-2of8.pcap

The best way to use it is probably with a named pipe. A single writer process must hold the pipe open across both files: if `cat` and `dd` each opened `p` in turn, the reader would see EOF as soon as the first writer closed.

    mkfifo p
    (cat cap-1of8.pcap; dd if=cap-2of8.pcap bs=1 skip=24) > p

Then, in another window, read `p` as if it were a PCAP file.
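The byte-skipping trick above works only when every file shares the same global header: byte order (magic number), timestamp resolution and link-layer type. Since the reader only ever sees the first file's header, a mismatch produces silently misparsed packets rather than an error. The following script is an added example (not from the notes above or from any mergecap/libpcap code) that checks those fields before concatenating and streams the record data in chunks rather than one byte at a time; `make_pcap` builds small constructed PCAP files so it runs offline.

```python
import io
import struct
from typing import BinaryIO, Iterable

# 24-byte global header: magic(4) ver_major(2) ver_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
GLOBAL_HEADER_LEN = 24
# 16-byte per-packet record header: ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)
RECORD_HEADER_LEN = 16

# The magic number fixes both byte order and timestamp resolution of the whole file.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
}


def parse_global_header(hdr: bytes) -> dict:
    """Decode the fields a merge must agree on; raise on anything that is not libpcap."""
    if len(hdr) != GLOBAL_HEADER_LEN:
        raise ValueError("short global header")
    if hdr[:4] not in MAGICS:
        raise ValueError("not a libpcap file (bad magic %r)" % hdr[:4])
    endian, resolution = MAGICS[hdr[:4]]
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", hdr[4:])
    return {"endian": endian, "resolution": resolution, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype}


def merge_pcaps(sources: Iterable[BinaryIO], out: BinaryIO, chunk: int = 1 << 20) -> int:
    """Write the first file whole, then every later file minus its 24-byte header.
    Refuses files whose byte order, resolution or linktype differ from the first,
    because the consumer will interpret all records with the first header."""
    ref = None
    merged = 0
    for src in sources:
        raw = src.read(GLOBAL_HEADER_LEN)
        hdr = parse_global_header(raw)
        if ref is None:
            ref = hdr
            out.write(raw)  # only the first file keeps its global header
        else:
            for key in ("endian", "resolution", "linktype"):
                if hdr[key] != ref[key]:
                    raise ValueError("file %d differs in %s: %r vs %r" % (merged, key, hdr[key], ref[key]))
        while True:  # copy record data in large chunks (the dd bs=1 approach copies a byte at a time)
            buf = src.read(chunk)
            if not buf:
                break
            out.write(buf)
        merged += 1
    return merged


def count_packets(data: bytes) -> int:
    """Walk the record headers of a merged file to confirm every record is intact."""
    hdr = parse_global_header(data[:GLOBAL_HEADER_LEN])
    fmt = hdr["endian"] + "IIII"
    pos, n = GLOBAL_HEADER_LEN, 0
    while pos + RECORD_HEADER_LEN <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(fmt, data[pos:pos + RECORD_HEADER_LEN])
        pos += RECORD_HEADER_LEN + incl_len
        if pos > len(data):
            raise ValueError("truncated record at offset %d" % (pos - RECORD_HEADER_LEN - incl_len))
        n += 1
    if pos != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - pos))
    return n


def make_pcap(payloads, linktype: int = 1, magic: bytes = b"\xd4\xc3\xb2\xa1") -> bytes:
    """Constructed test input: a minimal PCAP file holding the given frame bytes."""
    endian = MAGICS[magic][0]
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def demo() -> tuple:
    """Merge two constructed Ethernet captures: returns (files merged, packets, merged size)."""
    first = make_pcap([b"\xaa" * 60, b"\xbb" * 74])
    second = make_pcap([b"\xcc" * 100])
    out = io.BytesIO()
    files = merge_pcaps([io.BytesIO(first), io.BytesIO(second)], out)
    merged = out.getvalue()
    return files, count_packets(merged), len(merged)


def mismatch_rejected() -> bool:
    """An Ethernet file followed by a raw-IP (linktype 101) file must be refused."""
    try:
        merge_pcaps([io.BytesIO(make_pcap([b"x"])),
                     io.BytesIO(make_pcap([b"y"], linktype=101))], io.BytesIO())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())               # (2, 3, 306)
    print(mismatch_rejected())  # True
```

`snaplen` is deliberately not compared: readers use it only as an upper bound, so a later file with a smaller snaplen merges fine, whereas a differing linktype would make Bro or tcpdump decode every later frame with the wrong dissector.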
Other tools
Tool | Brief note |
---|---|
Carleton CSL NetADHICT | |
SANCP | Has proven unreliable for large pcap file analysis. Messes up direction too often to provide good results. Bro connection logger may do better? |
Bro Script - Seth Hall | Just grabbed these into my directory |