Well, TCP is "easy": just capture the SYN and SYN/ACK packets.  Others - you'll 
be screwed IMHO.

If this is for a firewall, and if it were me, I would configure said firewall to 
permit everything and log.  Then you can grep the log files using all sorts of 
nifty expressions / filters.

Ntop COULD do this, but you would need to enable high ports or something like 
that - it typically doesn't record info about apps that listen above 1024.  I 
COULD be wrong here; I'll need to follow up.  I just recall some of my traffic 
isn't being recorded and there's a build/configure/some switch for this.

Lastly, if you know Wireshark, stick with it.  It automatically builds tables on 
conversations at all layers.  You can sort them by most bytes Tx or Rx, most 
packets Tx or Rx, etc.  Set the capture size to 64 bytes and it should give you 
everything you need.  Perhaps set it to dump to files every 100MB or something. 
I've learned that capturing packets for extended periods and then trying to 
process 100,000,000 packets TAKES A LONG TIME.  I THINK the statistics are 
cumulative though, and that's what you really need.

I'd stick with letting the firewall do the "discovery" process for you.

________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Melnik, Gregory
Sent: Wednesday, October 19, 2011 2:51 PM
To: [email protected]
Subject: [Ntop] FW: Packets that initiate connection

Yes, it is a weird requirement, but it is what it is.  I have a task to find 
initial packets for connection pairs to make a list of ports used to establish 
connections.  Eventually it will be used for configuring a firewall.  We can 
capture data over time as needed.   I am trying to figure out if there is a mark 
that screams "I am the first packet" or something similar.  I also understand 
that for UDP and ICMP it is worse.

I may be way over my head in my understanding of this process, so do not laugh too 
hard, please.  If you know a way with tools other than ntop, please share.

Greg

From: [email protected] 
[mailto:[email protected]] On Behalf Of Gary Gatten
Sent: Wednesday, October 19, 2011 12:38 PM
To: '[email protected]'
Subject: Re: [Ntop] Packets that initiate connection

Wow - that's a weird requirement - JUST the initial packets?  TCP is obviously 
way easier than the others; I'm not sure how you would consistently and 
accurately do that with sessionless protocols.

What do you mean "find"?  As in capture/store the packets themselves or just 
record the session info?

Ntop / libpcap supports BPF filters, so maybe you could build a filter to only 
capture the packets you want.  Again, I'm not sure how you will accomplish this 
with ICMP and UDP; even with a temporal operative it's unlikely to be very 
accurate.  But I could be wrong, so maybe post your thoughts?

G
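The SYN / SYN-ACK approach from the first reply and the BPF-filter idea above, worked through as an added example (this is not code from the original thread or from the ntop project). It is a stand-alone Python script that reads a classic pcap file (or a small set of constructed frames embedded below) and picks out the packet that initiates each session: for TCP it uses the definitive rule (SYN set, ACK clear, which is exactly what the tcpdump filter in the comment expresses) and upgrades the entry when the matching SYN/ACK is seen; for UDP and ICMP, which have no such flag, it falls back to "first packet seen between the two hosts", and labels that result as a heuristic. The host addresses, ports and frame contents are constructed sample input, not data from the thread.

```python
"""Find the packets that initiate a TCP/UDP/ICMP exchange in a capture.

Added example, not part of the original mailing-list thread. Sample frames
below are constructed for illustration.
"""
import struct
from collections import OrderedDict

# Equivalent tcpdump/BPF filter for the TCP case (SYN set, ACK clear):
#   tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# UDP and ICMP carry no such flag, so for them we fall back to "first packet
# seen for this host pair" -- a heuristic, not a protocol guarantee.

ETH_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def read_pcap(path):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap file."""
    with open(path, "rb") as f:
        magic = f.read(24)[:4]                       # 24-byte global header
        endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
        while True:
            hdr = f.read(16)                         # per-record header
            if len(hdr) < 16:
                return
            _, _, incl_len, _ = struct.unpack(endian + "IIII", hdr)
            yield f.read(incl_len)


def parse_frame(frame):
    """Return (proto, src, dst, sport, dport, tcp_flags) or None if not IPv4/TCP/UDP/ICMP.

    For ICMP the 'dport' slot carries the ICMP type so echo requests group sensibly.
    """
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if len(l4) < (14 if proto == PROTO_TCP else 4):  # truncated by snaplen
        return None
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13] if proto == PROTO_TCP else 0  # TCP flags byte at offset 13
        return proto, src, dst, sport, dport, flags
    if proto == PROTO_ICMP:
        return proto, src, dst, 0, l4[0], 0
    return None


def find_initiators(frames):
    """Map (proto_name, client, server, port_or_type) -> how the entry was identified."""
    found = OrderedDict()
    seen_pairs = set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, dst, sport, dport, flags = parsed
        if proto == PROTO_TCP:
            handshake = flags & (TCP_SYN | TCP_ACK)
            if handshake == TCP_SYN:                  # client's first packet
                found.setdefault(("tcp", src, dst, dport), "syn")
            elif handshake == TCP_SYN | TCP_ACK:      # server accepted; confirm entry
                key = ("tcp", dst, src, sport)
                if key in found:
                    found[key] = "syn+synack"
            # any other TCP packet (data, FIN, bare ACK) is ignored, so a capture
            # that starts mid-session cannot produce an inverted client/server row
            continue
        # UDP/ICMP: no handshake; assume the first packet we see between the two
        # hosts (and, for UDP, this port pair) came from the initiator.
        ports = frozenset((sport, dport)) if proto == PROTO_UDP else None
        key = (proto, frozenset((src, dst)), ports)
        if key in seen_pairs:
            continue
        seen_pairs.add(key)
        name = "udp" if proto == PROTO_UDP else "icmp"
        found[(name, src, dst, dport)] = "first-seen (heuristic)"
    return found


def _frame(proto, src, dst, sport, dport, flags=0, icmp_type=8):
    """Build a minimal Ethernet/IPv4/L4 frame (constructed test input, no checksums)."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4


# Constructed sample capture: one full TCP handshake plus mid-session data, a
# second bare SYN, a DNS query/reply pair and an ICMP echo request/reply.
SAMPLE_FRAMES = [
    _frame(PROTO_TCP, "10.0.0.5", "10.0.0.20", 51234, 443, flags=TCP_SYN),
    _frame(PROTO_TCP, "10.0.0.20", "10.0.0.5", 443, 51234, flags=TCP_SYN | TCP_ACK),
    _frame(PROTO_TCP, "10.0.0.5", "10.0.0.20", 51234, 443, flags=TCP_ACK),
    _frame(PROTO_TCP, "10.0.0.20", "10.0.0.5", 443, 51234, flags=TCP_ACK),
    _frame(PROTO_TCP, "10.0.0.7", "10.0.0.20", 40000, 22, flags=TCP_SYN),
    _frame(PROTO_UDP, "10.0.0.5", "10.0.0.53", 50001, 53),
    _frame(PROTO_UDP, "10.0.0.53", "10.0.0.5", 53, 50001),
    _frame(PROTO_ICMP, "10.0.0.5", "10.0.0.20", 0, 0, icmp_type=8),
    _frame(PROTO_ICMP, "10.0.0.20", "10.0.0.5", 0, 0, icmp_type=0),
]

if __name__ == "__main__":
    import sys
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for (proto, client, server, port), how in find_initiators(frames).items():
        print(f"{proto:4} {client:>12} -> {server:<12} port/type {port:<5} [{how}]")
```

Run it with no arguments to see the result on the constructed frames, or pass a pcap captured with a 64-byte snaplen (as suggested in the thread) to run it on real traffic. Rows marked "syn+synack" are the ones a firewall rule list can trust; "syn" alone may be a scan or a refused connection, and the UDP/ICMP rows only hold if the capture started before the first exchange between those hosts.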


________________________________
From: [email protected] 
[mailto:[email protected]] On Behalf Of Melnik, Gregory
Sent: Wednesday, October 19, 2011 2:08 PM
To: [email protected]
Subject: [Ntop] Packets that initiate connection

I need to find packets that initiate a session (TCP, UDP, ICMP) between a pair of 
hosts.  It does not have to be in real time.  Does anybody know if ntop has 
such a feature, and if yes, how to do so?  The output I am looking for should 
include the hosts' IPs/names and the port numbers involved in establishing the session.  
I am new to ntop, but have some experience with Wireshark.

Thanks, Greg
"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system."


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
