Yes, it is a weird requirement, but it is what it is. I have a task to find the initial packets for connection pairs to make a list of ports used to establish connections. Eventually it will be used for configuring a firewall. We can capture data over time as needed. I am trying to figure out if there is a mark that screams "I am the first packet" or something similar. I also understand that for UDP and ICMP it is worse.

I may be way in over my head in my understanding of this process, so do not laugh too hard, please. If you know a way with tools other than ntop, please share.

Greg

From: [email protected] [mailto:[email protected]] On Behalf Of Gary Gatten
Sent: Wednesday, October 19, 2011 12:38 PM
To: '[email protected]'
Subject: Re: [Ntop] Packets that initiate connection

Wow - that's a weird requirement - JUST the initial packets? TCP is obviously way easier than the others, and I'm not sure how you would consistently and accurately do that with sessionless protocols. What do you mean "find"? As in capture/store the packets themselves, or just record the session info? Ntop / libpcap supports BPF filters, so maybe you could build a filter to only capture the packets you want. Again, not sure how you will accomplish this with ICMP and UDP; even with a temporal operative it's unlikely to be very accurate. But I could be wrong, so maybe post your thoughts?

G

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Melnik, Gregory
Sent: Wednesday, October 19, 2011 2:08 PM
To: [email protected]
Subject: [Ntop] Packets that initiate connection

I need to find packets that initiate a session (TCP, UDP, ICMP) between a pair of hosts. It does not have to be in real time. Does anybody know if ntop has such a feature, and if yes, how to do so? The output I am looking for should include the hosts' IP/names and the port numbers involved in establishing the session. I am new to ntop, but have some experience with WireShark.

Thanks,
Greg

"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
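The thread's question (which packet "screams I am the first packet", and what to do for UDP and ICMP where no such mark exists) can be answered concretely. The script below is an added example, not code from the thread or from ntop. It parses raw IPv4 datagrams with the standard library only, and applies one rule per protocol: for TCP the opening packet is the one with SYN set and ACK clear (the same test tcpdump expresses as `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`); for UDP there is no flag, so it uses a first-seen heuristic that only works if the capture started before the sessions it classifies; for ICMP it treats an echo request as the initiator and ignores everything else. The seven packets are constructed inline (addresses, ports and the link layer already stripped are all assumptions), and the final summary collapses the results to the (protocol, port) pairs a firewall rule list needs.

```python
import socket
import struct

# ---- constructed sample packets (no checksums; the parser never checks them) ----
def ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header; data offset 5 words, flags byte as on the wire."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp(icmp_type, code=0):
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)

TCP_SYN, TCP_ACK = 0x02, 0x10

# Assumed hosts: 10.0.0.5 is the client, 10.0.0.9 a web server, 10.0.0.2 a DNS server.
SAMPLE = [
    ipv4(6, "10.0.0.5", "10.0.0.9", tcp(40000, 443, TCP_SYN)),            # handshake step 1
    ipv4(6, "10.0.0.9", "10.0.0.5", tcp(443, 40000, TCP_SYN | TCP_ACK)),  # step 2 (reply)
    ipv4(6, "10.0.0.5", "10.0.0.9", tcp(40000, 443, TCP_ACK)),            # step 3
    ipv4(17, "10.0.0.5", "10.0.0.2", udp(53000, 53)),                     # DNS query
    ipv4(17, "10.0.0.2", "10.0.0.5", udp(53, 53000)),                     # DNS answer
    ipv4(1, "10.0.0.5", "10.0.0.9", icmp(8)),                             # echo request
    ipv4(1, "10.0.0.9", "10.0.0.5", icmp(0)),                             # echo reply
]

def session_initiators(packets):
    """Return the packets that open a session, in arrival order.

    packets: iterable of raw IPv4 datagrams (link-layer header already removed;
    IPv6 and fragments are not handled).
    Each result is (proto, src, dst, dst_port_or_icmp_type, basis), where basis
    names the rule that fired so the reader can weigh how reliable it is.
    """
    seen_udp = set()   # (src, sport, dst, dport) flows already observed
    out = []
    for raw in packets:
        ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes
        proto = raw[9]
        src = socket.inet_ntoa(raw[12:16])
        dst = socket.inet_ntoa(raw[16:20])
        l4 = raw[ihl:]
        if proto == 6:                      # TCP: SYN without ACK is the opener
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13]
            if flags & (TCP_SYN | TCP_ACK) == TCP_SYN:
                out.append(("tcp", src, dst, dport, "syn"))
        elif proto == 17:                   # UDP: heuristic, first packet of a new flow
            sport, dport = struct.unpack("!HH", l4[:4])
            flow = (src, sport, dst, dport)
            reverse = (dst, dport, src, sport)
            if flow not in seen_udp and reverse not in seen_udp:
                out.append(("udp", src, dst, dport, "first-seen"))
            seen_udp.add(flow)
        elif proto == 1:                    # ICMP: only an echo request counts
            icmp_type = l4[0]
            if icmp_type == 8:
                out.append(("icmp", src, dst, icmp_type, "echo-request"))
    return out

def port_list(initiators):
    """Collapse initiators to the (proto, port-or-type) pairs a rule set needs."""
    return sorted({(proto, port) for proto, _, _, port, _ in initiators})

if __name__ == "__main__":
    found = session_initiators(SAMPLE)
    for rec in found:
        print(rec)
    print(port_list(found))
```

For a real capture, replace SAMPLE with the datagrams read from a pcap file (strip the 14-byte Ethernet header first). The UDP branch is the weak point the thread worries about: if the capture begins mid-conversation, a DNS answer can be mistaken for an initiator, so start capturing before the traffic of interest and treat "first-seen" entries as candidates to confirm, not as facts.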
