Ethereal-users: Re: [ethereal-users] dissecting traffic by type...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev Thread Prev
From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 28 Feb 2000 23:06:38 -0800
> Is there a utility I can use to create reports such as traffic by host,
> by protocol etc, from an Ethereal capture file?  thanks,

I suspect there might be, because Ethereal capture files are in libpcap
format, the same format that tcpdump uses, and I could easily believe
that such utilities exist for tcpdump output.

However, I don't happen to know what utilities there are of that type.

One could, I guess, run Tethereal or tcpdump on the capture file, and
pipe the output to something that produces such a report, e.g. a Perl
script.

An AltaVista search for

	perl NEAR (libpcap OR tcpdump)

found:

    http://vtopus.cs.vt.edu/~chitra/WWWTrafficTools.html

	which mentions a Perl script that "[takes] output from tcpdump,
	[filters] it, and [generates] a Common Log Format file", so it
	may have tcpdump-reading code you could steal

as well as some stuff referring to "Net::Pcap" which is "a SWIG
generated interface to Van Jacobson's libpcap packet capture library. 
It permits a perl sub to be passed as a callback which will process each
packet caught by libpcap so that Perl pattern matching can be used.  The
module was developed to automatically maintain status information about
Cranfield University's network."  Assuming it includes an interface to
"pcap_open_offline()" as well as "pcap_open_live()", it could be used to
read saved capture files from tcpdump or Ethereal.

The stuff in question referred to CPAN, which is the Comprehensive Perl
Archive Network at

	http://www.cpan.org/

and which has a search engine at

	http://search.cpan.org/

which does, indeed, find a module "Net::Pcap" - the search results are
at

	http://search.cpan.org/search?dist=Net-Pcap

and the README file says

	Net::Pcap version 0.03 contains the following improvements over
	previous versions:

	        - all pcap library functions fully implemented

which I assume means it supports "pcap_open_offline()" and thus lets you
read saved capture files.

However, using the data you read is a bit more work, as you then have to
extract the source and destination addresses of packets, and the
protocol types at the various protocol layers, yourself.

You may want to search some more and see if somebody already has done
that work, or has done it the lazy person's way by having tcpdump do it
(i.e., reading the output of tcpdump).