IsleSec meeting


Kees Leune

Dec 17, 2009, 8:16:53 AM
to Long Island Information Security Group
Thank you to all who came out to Farmingdale yesterday! It was a pleasure meeting you all.

--
Kees Leune
Blog at http://www.leune.org
On twitter as @leune
PGP Key 0xE80D8F7F

Ryan Behan

Dec 17, 2009, 2:08:33 PM
to Kees Leune, Long Island Information Security Group
All,
    So last night I posed this question about finding payloads in pcap files and determining top talkers.  Well I have some of this solved without the aid of wireshark because quite frankly, it takes too long.

Excerpt from http://www.yousicurity.com/2009/10/how-to-find-top-talkers-in-pcap-file.html

tcpdump -tnr PCAPFILE  | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail -n 5

Now interestingly enough when I was running this I was getting the format I wanted and I felt that things seemed off.  So I modified it slightly.  Here's how I grab a set of data to work with.

root@bt:/mnt/hda1/captures# yesterday=$(ls -l | grep 12-16 | awk '{print $NF}' | xargs)
root@bt:/mnt/hda1/captures# for pcapFile in $yesterday
> do
> tcpdump -tnr "$pcapFile" | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -rn | head -n 10
> echo "****Processed $pcapFile at $(date)****"
> done

I reverse the sort and grab the first 10 off the output so that they are listed in a descending order for count.  I liked this much better.  Anyways, hope this can help you some time!  I'll report back with any other tricks.


-Ryan
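
The top-talkers pipeline above, as an added example that is not part of Ryan's post. The `awk -F '.'` trick counts the first four dot-separated fields, which works for IPv4 lines but carries the leading "IP " text along and miscounts ARP or IPv6 lines. The version below keys on the "IP" record type and strips the trailing port from the source address instead. It assumes the line layout tcpdump prints with `-tn` (no timestamp, no name resolution); the sample lines are constructed, so it runs without a capture file.

```shell
#!/bin/sh
# Added example: count top source IPv4 addresses in tcpdump -tn text output.
# Real use (tcpdump call assumed, not run here):
#   tcpdump -tnr capture.pcap | top_talkers 5

top_talkers() {
    # $1 = number of entries to show (default 10)
    n="${1:-10}"
    # Only "IP" records; $2 is "src.addr.port", so drop the final ".port".
    awk '$1 == "IP" { src = $2; sub(/\.[0-9]+$/, "", src); print src }' \
        | sort | uniq -c | sort -rn | head -n "$n"
}

# Constructed sample of tcpdump -tn lines, including an ARP line that must be ignored.
SAMPLE='IP 10.0.0.5.44321 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
IP 203.0.113.7.443 > 10.0.0.5.44321: Flags [S.], seq 2, ack 2, win 65535, length 0
IP 10.0.0.5.44322 > 203.0.113.7.443: Flags [S], seq 3, win 64240, length 0
IP 10.0.0.9.51000 > 198.51.100.2.53: 1234+ A? example.test. (30)
ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
IP 10.0.0.5.44323 > 203.0.113.7.443: Flags [S], seq 4, win 64240, length 0'

# Runs the pipeline over the constructed sample instead of a pcap.
top_talkers_sample() {
    printf '%s\n' "$SAMPLE" | top_talkers "${1:-10}"
}

top_talkers_sample
```

Because every packet is keyed by source address, a host that answers many requests shows up as a top talker even though it never initiated anything; for a "who is sending the most" view, filter on the direction you care about (for example `tcpdump -tnr file.pcap 'src net 10.0.0.0/8'`) before counting.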

Ray McClure

Dec 17, 2009, 3:06:27 PM
to Long Island Information Security Group

Sorry I didn’t make it. I was stuck at work late.

I will be out for the next 2 weeks also.

Happy Holidays everyone!

~R
