This is going to be a quick post, mostly because I’m tired from working on that other site and I really need to get some sleep.

I’ve been doing some serious pcap analysis lately. You know the type…where you’ve dumped numerous pcap’s with tcpdump and the wonderful -C parameter. Being the type of guy that I am, I wanted to visualize the traffic I’d captured to identify what was going on. Here’s a few argus commands I used to get the job done. Note I’ve used back slashes () to separate the commands onto multiple lines

1
2
3
4
5

# Extract specific src mac addresses I'm interested in
for i in `ls ~/captures/pcap*`; do
  /usr/local/sbin/argus -mAJZRU 256 -r $i -w src_macs.argus - \
  ether src 00:00:00:11:22:33 or ether src 00:00:00:33:22:11;
done

Fantastic - now I’ve got an argus data stream that contains traffic solely from a mac or two I was interested in.

1
2
3

# Now let's take a look at top usage for each IP address
racluster -r src_macs.argus -m proto saddr dport -w - | \
  rasort -m saddr pkts -s saddr dport pkts | more

Now that we’ve manually looked through that data and found the top ports (argus used to have a -topN option, but I couldn’t seem to find it) let’s draw some nice-looking graphs. This splits the graph out into directories by date and generates graphs in each directory representing traffic for each particular mac address.

1
2
3
4
5
6
7
8
9
10
11
12

# For each mac address, generate daily usage for the "interesting" ports we saw above
macs="00:00:00:11:22:33 00:00:00:33:22:11"
ports="23 53 80 139 389 443 445 3389 1521"
filter_string=`echo $ports | sed 's/[[:digit:]]*/dst port & or/g' | sed 's/ or$//'`

for mac in ${macs}; do
  rasplit -r src_macs.argus -M time 1d -w "archive/%Y_%m_%d/${mac}.arg" - \
    "(${filter_string}) and (ether src ${mac})";
done

find archive -name *.arg | xargs -I {} \
  ragraph pkts dport -M 1m -r {} -fill -stack -w $(dirname {})/`basename {} .arg`.png

It’s not perfect and it took me quite a while to understand the intricacies of argus (-w - is different from just not specifying an output file, for example), but it’s definitely a start down the road.