Packet Capture, part 3: Analysis Tools
In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all abut how to use analysis tools for sanitizing the data, reformatting the data, and for presenting and analyzing the data.
Network Troubleshooting Tools
by Joseph D. Sloan
1.5. Analysis Tools
As previously noted, one reason for using tcpdump is the wide variety of support tools that are available for use with tcpdump or files created with tcpdump. There are tools for sanitizing the data, tools for reformatting the data, and tools for presenting and analyzing the data.
If you are particularly sensitive to privacy or security concerns, you may want to consider sanitize, a collection of five Bourne shell scripts that reduce or condense tcpdump trace files and eliminate confidential information. The scripts renumber host entries and select classes of packets, eliminating all others. This has two primary uses. First, it reduces the size of the files you must deal with, hopefully focusing your attention on a subset of the original traffic that still contains the traffic of interest. Second, it gives you data that can be distributed or made public (for debugging or network analysis) without compromising individual privacy or revealing too much specific information about your network. Clearly, these scripts won't be useful for everyone. But if internal policies constrain what you can reveal, these scripts are worth looking into.
The five scripts included in sanitize are sanitize-tcp, sanitize-syn-fin, sanitize-udp, sanitize-encap, and sanitize-other. Each script filters out inappropriate traffic and reduces the remaining traffic. For example, all non-TCP packets are removed by sanitize-tcp and the remaining TCP traffic is reduced to six fields -- an unformatted timestamp, a renumbered source address, a renumbered destination address, the source port, a destination address, and the number of data bytes in the packet.
934303014.772066 184.108.40.206.1174 > 220.127.116.11.23: . ack 3259091394 win 8647 (DF) 4500 0028 b30c 4000 8006 2d84 cd99 3f1e cd99 3fee 0496 0017 00ff f9b3 c241 c9c2 5010 21c7 e869 0000 0000 0000 0000
would be reduced to 934303014.772066 1 2 1174 23 0. Notice that the IP numbers have been replaced with 1 and 2, respectively. This will be done in a consistent manner with multiple packets so you will still be able to compare addresses within a single trace. The actual data reported varies from script to script. Here is an example of the syntax:
bsd1# sanitize-tcp tracefile
This runs sanitize-tcp over the tcpdump trace file tracefile. There are no arguments.