>I have been seeing some emails on Ethereal interfacing with a database. It
>sounds really neat. What would be some applications for interfacing ethereal
>to a database. Do you use it for analyzing packets?
>
>Regards,
>Sal
The application I have written for my employer does some really neat things
with the data... For example, suppose you wanted to know the distribution of
TCP port connections (SYNs) in the dumps (cool for finding trojan
connections on unusual ports at a glance):

    select tcp_dstport as "Destination Port", count(tcp_dstport) as "Packet Count"
    from tcp
    where tcp_flags = 2
    group by tcp_dstport
You can also reassemble TCP streams by using some complex queries against the
database (somewhere along the lines of):

    insert into connection_cache
    select $con_id, ip.key_id, \">\",
           1 + frame_pkt_len - ip_len + ip_hdr_len + tcp_hdr_len
    from frame, ip, tcp, data, connection_table
    where frame.key_id = ip.key_id and tcp.key_id = ip.key_id and ip.key_id = data.key_id
      and src_ip = ip_src and dest_ip = ip_dst
      and src_port = tcp_srcport and dest_port = tcp_dstport
      and con_id = $con_id

and

    select id, substring(data.data, size), direction
    from connection_cache, data
    where connection_cache.id = data.key_id and con_id = $con_id
    group by id
    order by id
    limit $limit
This is extracted from the app source code (perl). (This app caches the
reassembled streams in the first step to speed up reassembly some more).
For example suppose you wanted to know the number of unique mac addresses on
the network and their relationship to ip addresses - you could then deduce a
virtual network map from this and use something like graphviz to actually
draw it. Potentially this can produce a network diagram from a quick dump
file for easy visualisation of the network.
Another thing we are doing is building a "knowledge base" of the capture. For
example, if we see POP3 connections from IP addresses, we can associate the
usernames from the POP3 dissector with the IP address, so we can determine
who is sitting on which machine; same thing with the NTLM stuff.
I'm still convincing my employer to release the other app under the GPL, but so far
only the patch is available (which does most of the hard work anyway).
Michael.
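An added example (not the post's application or the Ethereal patch) that runs both of the queries above, the SYN-by-destination-port histogram and the header-offset stream reassembly, against an in-memory SQLite database. The frame/ip/tcp/data table and column names are taken from the post; the packets are constructed, and fixed 14-byte Ethernet, 20-byte IP and 20-byte TCP headers are assumed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE frame (key_id INTEGER PRIMARY KEY, frame_pkt_len INTEGER);
CREATE TABLE ip    (key_id INTEGER, ip_src TEXT, ip_dst TEXT, ip_len INTEGER, ip_hdr_len INTEGER);
CREATE TABLE tcp   (key_id INTEGER, tcp_srcport INTEGER, tcp_dstport INTEGER, tcp_flags INTEGER, tcp_hdr_len INTEGER);
CREATE TABLE data  (key_id INTEGER, data BLOB);
"""
SYN, PSH_ACK = 0x02, 0x18  # tcp_flags = 2 is a bare SYN, as in the post's query

# Constructed packets: (src, sport, dst, dport, flags, payload). Header bytes are dummies.
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.9", 110, SYN, b""),
    ("10.0.0.6", 40001, "10.0.0.9", 80, SYN, b""),
    ("10.0.0.7", 40002, "10.0.0.9", 80, SYN, b""),
    ("10.0.0.8", 40003, "10.0.0.9", 31337, SYN, b""),
    ("10.0.0.9", 110, "10.0.0.5", 40000, PSH_ACK, b"+OK POP3 ready\r\n"),
    ("10.0.0.5", 40000, "10.0.0.9", 110, PSH_ACK, b"USER bob\r\n"),
    ("10.0.0.9", 110, "10.0.0.5", 40000, PSH_ACK, b"+OK\r\n"),
]

def load_capture(packets=PACKETS):
    """Fill an in-memory DB shaped like the frame/ip/tcp/data tables the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for key_id, (src, sport, dst, dport, flags, payload) in enumerate(packets, start=1):
        frame = b"\x00" * (14 + 20 + 20) + payload  # assumed eth(14) + ip(20) + tcp(20), then payload
        conn.execute("INSERT INTO frame VALUES (?,?)", (key_id, len(frame)))
        conn.execute("INSERT INTO ip VALUES (?,?,?,?,?)", (key_id, src, dst, 40 + len(payload), 20))
        conn.execute("INSERT INTO tcp VALUES (?,?,?,?,?)", (key_id, sport, dport, flags, 20))
        conn.execute("INSERT INTO data VALUES (?,?)", (key_id, frame))
    return conn

def syn_distribution(conn):
    """Destination-port histogram of bare SYNs: connections on odd ports stand out."""
    return conn.execute("SELECT tcp_dstport, COUNT(*) FROM tcp WHERE tcp_flags = 2 "
                        "GROUP BY tcp_dstport ORDER BY tcp_dstport").fetchall()

def reassemble(conn, src, sport, dst, dport):
    """Concatenate each direction's payload; the substr offset skips eth+ip+tcp headers."""
    rows = conn.execute("""
        SELECT CASE WHEN ip_src = ? AND tcp_srcport = ? THEN '>' ELSE '<' END,
               substr(data.data, 1 + frame_pkt_len - ip_len + ip_hdr_len + tcp_hdr_len)
        FROM frame JOIN ip ON ip.key_id = frame.key_id JOIN tcp ON tcp.key_id = ip.key_id
                   JOIN data ON data.key_id = ip.key_id
        WHERE (ip_src = ? AND tcp_srcport = ? AND ip_dst = ? AND tcp_dstport = ?)
           OR (ip_src = ? AND tcp_srcport = ? AND ip_dst = ? AND tcp_dstport = ?)
        ORDER BY ip.key_id""", (src, sport, src, sport, dst, dport, dst, dport, src, sport))
    streams = {">": b"", "<": b""}  # '>' client to server, '<' server to client
    for direction, payload in rows:
        streams[direction] += payload or b""  # a SYN has no payload: substr past the end is empty
    return streams
```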