Re: tcptrace host filter

From: Manikantan Ramadas (mramadas@masaka.cs.ohiou.edu)
Date: 11/27/04

• Next message: Vaishnavi Sannidhanam: "tcptrace Time Sequence Graphs"
• Previous message: Xavier Dubois: "Re: tcptrace Strange outstanding window values"
• In reply to: Ramana Yarlagadda: "tcptrace host filter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 27 Nov 2004 01:25:55 -0500
From: Manikantan Ramadas <mramadas@masaka.cs.ohiou.edu>
Subject: Re: tcptrace host filter
Message-ID: <20041127062555.GA23869@masaka.cs.ohiou.edu>

Hi Ramana,

  Apologies for this huge turn-around time. Hoping that this
clarification could be still of some use.

> 2) About my setup: Normally I capture data in a pcap
> file with out setting any filters and then I am
> analyzing traffic to understand the flows on the LAN.
>
> Following are the problems that I cam across while
> using the tool. I just started using the tool so I am
> just wondering if sombody has the answers for the
> following
>
> a) How can I find most active hosts on the LAN using
> the Tcptrace? And how can I generate plots specific to
> a Host?
>

  tcptrace doesn't do that now. But I guess it would be fairly easy to
hack up the traffic module mod_traffic.c to keep track of the top 10
hosts in the dumpfile or something. Ofcourse, the manual way to do it
would be to write a Python/Perl script that reads the tcptrace basic
output and finds this out for us.

> b) Here, I have written a small program to find most
> active host(192.168.1.123) on the LAN and then I have
> used following command to see plots on this specific
> host using the -f option as shown below.
> tcptrace '-fhostaddr=192.168.1.123' -xtraffic"-A"
> etherdata.pcap
>
> Also I have plot for
> tcptrace -xtraffic"-A" etherdata.pcap
>
> And in the plots looks same in both the cases.
>

  The problem is that the traffic module is not aware of the filtering
options that you passed. What you want to do is to hackup the traffic
module code directly. For example, currently if you wanted to run the
traffic module to do a port-wise report, you pass arguments to the
module explicitly as in :

tcptrace -xtraffic''-p1-1024'' rubeus.dmp

Similarly, you may need to add a new "-h<hostaddr>" option to the
traffic module and make it do what you want. It shouldn't be all that
hard, I guess.

- Mani.

-- 
"'Beauty is truth, truth beauty,'--that is all
  Ye know on earth, and all ye need to know." - John Keats
____________________________________________________________________
  
* Manikantan Ramadas * IRG, OU * http://irg.cs.ohiou.edu/~mramadas *
____________________________________________________________________

----------------------------------------------------------------------------
To unsubscribe, send a message with body containing "unsubscribe tcptrace" to
majordomo@tcptrace.org.

• application/pgp-signature attachment: stored

• Next message: Vaishnavi Sannidhanam: "tcptrace Time Sequence Graphs"
• Previous message: Xavier Dubois: "Re: tcptrace Strange outstanding window values"
• In reply to: Ramana Yarlagadda: "tcptrace host filter"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : 11/27/04 EST