|Request Tracker for Incident Response||Not exactly NSM related, but close enough. Quick build guide.|
|Misc Bro Notes|
|Network Traffic Analysis with Bro||Quick overview and howto using some customized scripts and customized version of bro|
|Run series of PCAPs||PCAP file format: http://wiki.wireshark.org/Development/LibpcapFileFormat. Thought: might be able to skip the first 24 bytes of each PCAP file and concatenate together (something like what mergecap probably does) without killing RAM.
Yes, it does work, w/ fol cmd:
dd if=cap-3of8.pcap bs=1 skip=24 | cat >> /tmp/cap-2of8.pcap
Best way to use it is probably with a named pipe:
mkfifo p cat cap-1of8.pcap > p && dd if=cap-2of8.pcap of=p bs=1 skip=24And then in another window, read 'p' as if it's a PCAP file.
|Carleton CSL NetADHICT|
|SANCP||Has proven unreliable for large pcap file analysis. Messes up direction too often to provide good results. Bro connection logger may do better?|
|Bro Script - Seth Hall||Just grabbed these into my directory|