This is going to be a quick post, mostly because I’m tired from working on that other site and I really need to get some sleep.
I’ve been doing some serious pcap analysis lately. You know the type…where you’ve dumped numerous pcaps with tcpdump and the wonderful -C parameter. Being the type of guy that I am, I wanted to visualize the traffic I’d captured to identify what was going on. Here are a few argus commands I used to get the job done. Note I’ve used backslashes (\) to separate the commands onto multiple lines.
Fantastic - now I’ve got an argus data stream that contains traffic solely from a MAC address or two I was interested in.
Now that we’ve manually looked through that data and found the top ports (argus used to have a -topN option, but I couldn’t seem to find it), let’s draw some nice-looking graphs. This splits the output into directories by date and generates graphs in each directory representing the traffic for each particular MAC address.
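Since the -topN option mentioned above is gone, here is an added example (not from the original post) of a small POSIX shell/awk helper that ranks destination ports from ra output. It assumes the flows were printed with `ra -c ,` and the fixed field order proto, saddr, sport, daddr, dport, bytes; the sample flows below are constructed, not real capture data.

```shell
#!/bin/sh
# Constructed sample standing in for:
#   ra -r filtered.argus -c , -s proto saddr sport daddr dport bytes
# One flow per line, comma separated. Values are made up for illustration.
SAMPLE='tcp,10.0.0.5,51234,93.184.216.34,443,15120
tcp,10.0.0.5,51235,93.184.216.34,443,8210
udp,10.0.0.5,40001,10.0.0.1,53,312
tcp,10.0.0.7,52222,10.0.0.1,22,4400
udp,10.0.0.7,40002,10.0.0.1,53,290
tcp,10.0.0.5,51236,198.51.100.9,443,1200
tcp,10.0.0.7,52223,198.51.100.9,80,500'

# top_ports N: read ra flow records on stdin and print the N busiest
# proto/dport pairs as "proto/port flows bytes", sorted by flow count,
# then by total bytes, descending.
top_ports() {
  awk -F, '
    { key = $1 "/" $5; flows[key]++; bytes[key] += $6 }
    END { for (k in flows) printf "%s %d %d\n", k, flows[k], bytes[k] }
  ' | sort -k2,2nr -k3,3nr | head -n "$1"
}

# Show the three most active destination ports in the sample.
printf '%s\n' "$SAMPLE" | top_ports 3
```

Feed it real data with `ra -r file.argus -c , -s proto saddr sport daddr dport bytes | top_ports 10` (ra prints a header line first; drop it with `tail -n +2` if present).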
It’s not perfect and it took me quite a while to understand the intricacies of argus (-w - is different from just not specifying an output file, for example), but it’s definitely a start down the road.