This is going to be a quick post, mostly because I’m tired from working on that other site and I really need to get some sleep.
I’ve been doing some serious pcap analysis lately. You know the type, where you’ve dumped numerous pcaps with tcpdump and its wonderful -C parameter. Being the type of guy that I am, I wanted to visualize the traffic I’d captured to identify what was going on. Here are a few argus commands I used to get the job done. Note that I’ve used backslashes (\) to continue commands across multiple lines.
{% codeblock %}
# Extract only the source MAC addresses I'm interested in.
# argus appends to an existing -w file, so the loop builds one combined archive.
for i in ~/captures/pcap*; do
    /usr/local/sbin/argus -mAJZRU 256 -r "$i" -w src_macs.argus - \
        'ether src 00:00:00:11:22:33 or ether src 00:00:00:33:22:11';
done
{% endcodeblock %}
Fantastic - now I’ve got an argus data stream that contains traffic solely from a mac or two I was interested in.
{% codeblock %}
# Now let's take a look at top usage for each IP address:
# aggregate by protocol/source/destination port, then sort by source and packet count.
racluster -r src_macs.argus -m proto saddr dport -w - | \
    rasort -m saddr pkts -s saddr dport pkts | more
{% endcodeblock %}
Now that we’ve manually looked through that data and found the top ports (argus used to have a -topN option, but I couldn’t seem to find it), let’s draw some nice-looking graphs. rasplit cuts the data into one-day slices, the strftime pattern in its -w argument puts each day under its own archive/YYYY_MM_DD/ directory, and ragraph then renders a graph in each directory for each particular MAC address.
{% codeblock %}
# For each MAC address, generate daily usage for the "interesting" ports we saw above.
macs="00:00:00:11:22:33 00:00:00:33:22:11"
ports="23 53 80 139 389 443 445 3389 1521"
# Turn "23 53 ..." into "dst port 23 or dst port 53 or ..." (the second sed drops the trailing " or").
filter_string=$(echo "$ports" | sed 's/[[:digit:]][[:digit:]]*/dst port & or/g' | sed 's/ or$//')
for mac in ${macs}; do
    rasplit -r src_macs.argus -M time 1d -w "archive/%Y_%m_%d/${mac}.arg" - \
        "(${filter_string}) and (ether src ${mac})";
done
# One graph per split file, written next to it as <mac>.png.
find archive -name '*.arg' | while read -r f; do
    ragraph pkts dport -M 1m -r "$f" -fill -stack -w "${f%.arg}.png"
done
{% endcodeblock %}
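The fiddliest part of the three steps above is building the BPF filter strings without a typo turning into a filter that quietly matches nothing. Here is the whole procedure folded into a few reusable shell functions, as an added example (not code from the original post): the filter builders validate their input, `per_mac_filter` produces the exact expression handed to rasplit, and `graph_name` derives the .png path from the split file. The MACs, ports, `src_macs.argus` file name and `archive/` layout are taken from the post; `run_pipeline` and the function names are assumptions of this example, and the argus commands only execute when the clients are actually on PATH.

```shell
#!/bin/sh
# Added example: build the BPF filters for the argus pipeline in reusable
# functions and drive rasplit/ragraph with them. Not from the original post.

# "23 53 80" -> "dst port 23 or dst port 53 or dst port 80".
# Rejects non-numeric or out-of-range ports instead of emitting a bad filter.
build_port_filter() {
    _out=""
    for _p in $1; do
        case "$_p" in
            ''|*[!0-9]*) echo "bad port: $_p" >&2; return 1 ;;
        esac
        if [ "$_p" -lt 1 ] || [ "$_p" -gt 65535 ]; then
            echo "port out of range: $_p" >&2; return 1
        fi
        _out="${_out:+$_out or }dst port $_p"
    done
    printf '%s\n' "$_out"
}

# "aa:bb:... cc:dd:..." -> "ether src aa:bb:... or ether src cc:dd:...".
# Each address must be six colon-separated hex byte pairs.
build_mac_filter() {
    _out=""
    _h='[0-9a-fA-F][0-9a-fA-F]'
    for _m in $1; do
        case "$_m" in
            $_h:$_h:$_h:$_h:$_h:$_h) ;;
            *) echo "bad mac: $_m" >&2; return 1 ;;
        esac
        _out="${_out:+$_out or }ether src $_m"
    done
    printf '%s\n' "$_out"
}

# Filter for one sender: the interesting ports, restricted to that source MAC.
per_mac_filter() {
    _pf=$(build_port_filter "$1") || return 1
    printf '(%s) and (ether src %s)\n' "$_pf" "$2"
}

# archive/2010_01_01/<mac>.arg -> archive/2010_01_01/<mac>.png
graph_name() {
    printf '%s\n' "${1%.arg}.png"
}

# Drives the three steps from the post. Runs the argus tools only if they are
# installed; otherwise it prints the filters that would be used.
run_pipeline() {
    macs="00:00:00:11:22:33 00:00:00:33:22:11"   # constructed sample MACs (as in the post)
    ports="23 53 80 139 389 443 445 3389 1521"    # ports from the post
    mf=$(build_mac_filter "$macs") || return 1

    # Step 1: one combined argus archive for just those senders.
    if command -v argus >/dev/null 2>&1; then
        for i in ~/captures/pcap*; do
            argus -mAJZRU 256 -r "$i" -w src_macs.argus - "$mf"
        done
    else
        printf 'would run: argus ... - %s\n' "$mf"
    fi

    # Step 2: split per day and per MAC, restricted to the interesting ports.
    for mac in $macs; do
        f=$(per_mac_filter "$ports" "$mac") || return 1
        if command -v rasplit >/dev/null 2>&1; then
            rasplit -r src_macs.argus -M time 1d -w "archive/%Y_%m_%d/${mac}.arg" - "$f"
        else
            printf 'would run: rasplit ... - %s\n' "$f"
        fi
    done

    # Step 3: one graph per split file, next to the file it was drawn from.
    if command -v ragraph >/dev/null 2>&1; then
        find archive -name '*.arg' | while read -r a; do
            ragraph pkts dport -M 1m -r "$a" -fill -stack -w "$(graph_name "$a")"
        done
    fi
}

if [ "${1:-}" = "run" ]; then
    run_pipeline
fi
```

Run it as `sh argus_pipeline.sh run` from the directory holding `src_macs.argus`; without the argument it only defines the functions, so the filter builders can be sourced and reused in other ra client invocations.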
It’s not perfect, and it took me quite a while to understand the intricacies of argus (-w - is different from just not specifying an output file, for example), but it’s definitely a start down the road.