Ethereal-dev: [Ethereal-dev] grouping by conversation

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Noel Burton-Krahn <noel@xxxxxxxxxxxxxxxx>
Date: Mon, 20 Nov 2000 15:41:03 -0800
I'm hacker hunting.  I have some hackers playing around in my network
and I'm observing their activity.  I use Ethereal to dig through my
traffic for telnet sessions, then "Follow TCP Stream" to see what the
bad guys are up to.  It's a pain to sift through many legitimate
packets, filter a whole dump for one stream, then filter it again to
get the "full" view.  I need to cut down the number of lines of
output.

I'd like to list traffic by connections rather than individual
packets.  One row per tcp connection with start and end times, who
started it, total bytes (in/out), etc.  Connections like ftp should
also group their ftp-data sub-requests.  I'd also like to search for
strings within connections.  Eventually, all this should go into a
database.

Anyone else working on this?

I see that there is a "conversation" structure.  Looks like I want to
track a conversation for each TCP connection.  I think I'll try adding
conversation_new() and conversation_find() to packet-tcp.c.  Does that
sound good or crazy?  How does one terminate a conversation?  I can't
find anything like conversation_close().

--Noel
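The per-connection view the message asks for, as an added example written for this archive page (it is not Ethereal code and does not use Ethereal's conversation API): it groups already-decoded TCP packets by 4-tuple into one row per connection with start and end time, who sent the SYN, packet count, payload bytes in each direction, how the connection ended, and which FTP control connection an active-mode ftp-data stream belongs to. It also answers the closing question by example: a conversation is closed when both sides have sent FIN or either sends RST, which removes its key from the open table so a later SYN on the same 4-tuple starts a fresh conversation. The `Packet` record, the constructed trace, and the closing rule are assumptions of this example; the ftp-data link covers only active mode, where the server connects from port 20.

```python
# Added example (not Ethereal code): group decoded TCP packets into conversations.
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed input record: one decoded TCP packet. flags uses letters from "SAFR".
Packet = namedtuple("Packet", "ts src sport dst dport flags payload", defaults=(b"",))


@dataclass
class Conversation:
    client: tuple       # (host, port) that sent the initial SYN
    server: tuple
    start: float
    end: float
    packets: int = 0
    bytes_out: int = 0  # client -> server payload bytes
    bytes_in: int = 0   # server -> client payload bytes
    data: Dict[str, bytearray] = field(
        default_factory=lambda: {"out": bytearray(), "in": bytearray()})
    fin_from: set = field(default_factory=set)
    reason: str = ""    # "" while open, "fin" or "rst" once closed
    parent: Optional["Conversation"] = None  # ftp-data -> its control connection


class ConversationTable:
    def __init__(self):
        self.open: Dict[frozenset, Conversation] = {}
        self.recent: Dict[frozenset, Conversation] = {}  # just closed; catches last ACK
        self.all: List[Conversation] = []

    def add(self, p: Packet) -> Optional[Conversation]:
        src, dst = (p.src, p.sport), (p.dst, p.dport)
        key = frozenset((src, dst))            # same key for both directions
        conv = self.open.get(key)
        if conv is None:
            if "S" in p.flags and "A" not in p.flags:   # a new connection starts here
                conv = Conversation(client=src, server=dst, start=p.ts, end=p.ts)
                self.open[key] = conv
                self.all.append(conv)
                self._link_ftp_data(conv)
            elif key in self.recent and "S" not in p.flags and not p.payload:
                conv = self.recent[key]        # final ACK of the FIN / FIN-ACK close
                conv.packets, conv.end = conv.packets + 1, p.ts
                return conv
            else:
                return None                    # capture started mid-connection
        conv.packets, conv.end = conv.packets + 1, p.ts
        direction = "out" if src == conv.client else "in"
        conv.data[direction] += p.payload
        if direction == "out":
            conv.bytes_out += len(p.payload)
        else:
            conv.bytes_in += len(p.payload)
        if "R" in p.flags:
            self._close(key, conv, "rst")
        elif "F" in p.flags:
            conv.fin_from.add(src)
            if len(conv.fin_from) == 2:        # both sides sent FIN: conversation over
                self._close(key, conv, "fin")
        return conv

    def _close(self, key, conv, reason):
        conv.reason = reason
        del self.open[key]                     # frees the 4-tuple for a later new SYN
        self.recent[key] = conv

    def _link_ftp_data(self, conv):
        # Active-mode FTP: the server opens the data connection from port 20 back
        # to the host that holds an open control connection to its port 21.
        if conv.client[1] == 20:
            for other in self.open.values():
                if other.server == (conv.client[0], 21) and other.client[0] == conv.server[0]:
                    conv.parent = other
                    return

    def search(self, needle: bytes) -> List[Conversation]:
        return [c for c in self.all if needle in c.data["out"] or needle in c.data["in"]]

    def rows(self) -> List[str]:
        return [f"{c.start:7.3f} {c.end:7.3f} {c.client[0]}:{c.client[1]} -> "
                f"{c.server[0]}:{c.server[1]} pkts={c.packets} out={c.bytes_out} "
                f"in={c.bytes_in} {c.reason or 'open'}"
                + (f" [data for {c.parent.client[0]}:{c.parent.client[1]}]" if c.parent else "")
                for c in self.all]


def build_table(packets: List[Packet]) -> ConversationTable:
    table = ConversationTable()
    for p in packets:
        table.add(p)
    return table


SAMPLE = [  # constructed trace: a short telnet login, then an active-mode FTP transfer
    Packet(0.000, "10.0.0.5", 40001, "10.0.0.9", 23, "S"),
    Packet(0.001, "10.0.0.9", 23, "10.0.0.5", 40001, "SA"),
    Packet(0.002, "10.0.0.5", 40001, "10.0.0.9", 23, "A"),
    Packet(0.500, "10.0.0.9", 23, "10.0.0.5", 40001, "A", b"login: "),
    Packet(1.200, "10.0.0.5", 40001, "10.0.0.9", 23, "A", b"guest\r\n"),
    Packet(3.000, "10.0.0.5", 40001, "10.0.0.9", 23, "FA"),
    Packet(3.001, "10.0.0.9", 23, "10.0.0.5", 40001, "FA"),
    Packet(3.002, "10.0.0.5", 40001, "10.0.0.9", 23, "A"),
    Packet(5.000, "10.0.0.5", 40002, "10.0.0.9", 21, "S"),
    Packet(5.001, "10.0.0.9", 21, "10.0.0.5", 40002, "SA"),
    Packet(5.100, "10.0.0.5", 40002, "10.0.0.9", 21, "A", b"RETR notes.txt\r\n"),
    Packet(5.200, "10.0.0.9", 20, "10.0.0.5", 40003, "S"),
    Packet(5.201, "10.0.0.5", 40003, "10.0.0.9", 20, "SA"),
    Packet(5.202, "10.0.0.9", 20, "10.0.0.5", 40003, "A", b"x" * 1500),
    Packet(5.300, "10.0.0.9", 20, "10.0.0.5", 40003, "R"),
]
```

Running `build_table(SAMPLE).rows()` gives three rows: the telnet session (8 packets, 7 bytes each way, closed by FIN), the FTP control connection (still open when the trace ends) and the ftp-data stream (1500 bytes from the server, closed by RST, linked to the control connection). `search(b"login")` returns only the telnet conversation, which is the "search for strings within connections" step. Conversations still open at the end of the capture keep an empty `reason`; packets whose SYN was never seen are dropped rather than guessed at, which is the usual trade-off when a capture starts mid-connection.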