Parse TCPDump file


tcpdump is an excellent program for figuring out where your network traffic is coming from and going to, and Wireshark gives a nice GUI front end for searching through it. However, the one thing I was not able to figure out (it may be there, but I could not find it) is how to get a summary: how much traffic went through one port, or which target IP addresses received the most traffic. So, I wrote a Perl script to do the summary (attached).

Scenario:

We mirrored a port on our HP Procurve switches at the site. The port being mirrored is the one that goes to the router, which takes us to "the world", so we are capturing all the data going out and coming in. We then attached a computer with a base copy of Debian on it. The computer really has nothing more than tcpdump, and that is started in such a way as to grab all traffic off of the port and store it to a series of files. NOTE: we installed a second network port on the computer to allow external access to those files via scp.

So, we have 100G of pcap files generated by tcpdump. During a past issue, our internet connection became saturated, and I needed to know what machine(s) and what protocols were causing the problem.

ASCII output from tcpdump capture files can be generated with the -r flag, i.e. tcpdump -r somePcapFileName. This can then be piped directly to parseTCPDump.pl, which summarizes the input and sends the summary to STDOUT as a tab-delimited stream (just redirect it into a file and load that in a spreadsheet program).

The script is fairly well commented. I could really use a better output format (ports and IPs are stored as separate lists). What it does is, for every line it finds, parse the source and target IP and the source and target port, then add the length of that packet to each of the counters associated with those four items. The first few lines of the output contain file information: start/end time, total packets, total packets processed, total bytes processed. NOTE: since we add bytes and packets for both source and target, the totals are twice the actual traffic.

There is a little bit of documentation in the header comments. Basically, assuming you have a file tcpdump.pcap725 and want to see all traffic to/from IP 10.111.115.125, you could run the following:

tcpdump -n -r tcpdump.pcap725 | ./parseTCPDump.pl 10.111.115.125 > tcpdump.pcap725.csv

Or, use grep instead:

tcpdump -n -r tcpdump.pcap725 | grep 10.111.115.125 | ./parseTCPDump.pl > tcpdump.pcap725.csv
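
As an added illustration of the parsing and counting described above (this is not the attached parseTCPDump.pl, but a Python rewrite of the same approach, including the optional IP filter argument from the first command), run over constructed tcpdump -n lines embedded in the block. It assumes the tcpdump text format shown in the sample: TCP/UDP lines end in "length N", decoded DNS lines end in "(N)", and IP6 lines are counted but not processed.

```python
import re
from collections import defaultdict

# tcpdump -n text line: timestamp, "IP", src.port > dst.port, then either "length N"
# (TCP/UDP) or a trailing "(N)" on decoded DNS lines. Non-matching lines (e.g. IP6) are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dip>[\d.]+)\.(?P<dport>\d+): .*?(?:length (?P<len>\d+)|\((?P<len2>\d+)\))\s*$')

def summarize(lines, ip_filter=None):
    """Add each packet's length to the src and dst IP and port counters
    (so byte/packet totals are twice the real traffic, as on the page)."""
    ips = defaultdict(lambda: [0, 0])    # address -> [packets, bytes]
    ports = defaultdict(lambda: [0, 0])  # port    -> [packets, bytes]
    total = processed = total_bytes = 0
    first = last = None
    for line in lines:
        total += 1
        m = LINE_RE.match(line)
        if not m or (ip_filter and ip_filter not in (m['sip'], m['dip'])):
            continue
        length = int(m['len'] or m['len2'])
        processed += 1
        total_bytes += length
        first, last = first or m['ts'], m['ts']
        for key, table in ((m['sip'], ips), (m['dip'], ips),
                           (m['sport'], ports), (m['dport'], ports)):
            table[key][0] += 1
            table[key][1] += length
    header = {'start': first, 'end': last, 'total_lines': total,
              'processed': processed, 'total_bytes': total_bytes}
    return header, dict(ips), dict(ports)

def to_tsv(header, ips, ports):
    """Tab-delimited report: file info first, then IPs and ports by bytes descending."""
    by_bytes = lambda table: sorted(table.items(), key=lambda kv: -kv[1][1])
    rows = [f"{k}\t{v}" for k, v in header.items()]
    for title, table in (("ip", ips), ("port", ports)):
        rows.append(f"{title}\tpackets\tbytes")
        rows += [f"{k}\t{p}\t{b}" for k, (p, b) in by_bytes(table)]
    return "\n".join(rows)

# Constructed sample in tcpdump -n output format (not from a real capture).
SAMPLE = """\
09:00:01.000100 IP 10.111.115.125.443 > 10.1.2.3.51000: Flags [P.], seq 1:1001, ack 1, win 501, length 1000
09:00:01.000200 IP 10.1.2.3.51000 > 10.111.115.125.443: Flags [.], ack 1001, win 501, length 0
09:00:02.000300 IP 10.1.2.3.51001 > 8.8.8.8.53: 1234+ A? example.com. (29)
09:00:02.000400 IP 10.5.5.5.5353 > 224.0.0.251.5353: UDP, length 80
09:00:03.000500 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
""".splitlines()
```

To use it on a real file, call summarize() on the lines of `tcpdump -n -r file` read from stdin and write to_tsv() to the .csv; note that port 5353 in the sample is counted twice for one packet because it is both source and destination port.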
Feel free to use the comments section to ask for help and/or suggest improvements.

Attached files: parseTCPDump.pl

Tags: perl, summary, tcpdump
Last update:
2013-10-22 22:14
Author:
Rod
Revision:
1.2