Ethereal-users: Re: [ethereal-users] dissecting traffic by type...
> Is there a utility I can use to create reports such as traffic by host,
> by protocol, etc., from an Ethereal capture file? Thanks,
I suspect there might be, because Ethereal capture files are in libpcap
format, the same format that tcpdump uses, and I could easily believe
that such utilities exist for tcpdump output.
However, I don't happen to know what utilities there are of that type.
One could, I guess, run Tethereal or tcpdump on the capture file, and
pipe the output to something that produces such a report, e.g. a Perl
script.
An AltaVista search for
perl NEAR (libpcap OR tcpdump)
found:
http://vtopus.cs.vt.edu/~chitra/WWWTrafficTools.html
which mentions a Perl script that "[takes] output from tcpdump,
[filters] it, and [generates] a Common Log Format file", so it
may have tcpdump-reading code you could steal,
as well as some stuff referring to "Net::Pcap" which is "a SWIG
generated interface to Van Jacobson's libpcap packet capture library.
It permits a perl sub to be passed as a callback which will process each
packet caught by libpcap so that Perl pattern matching can be used. The
module was developed to automatically maintain status information about
Cranfield University's network." Assuming it includes an interface to
"pcap_open_offline()" as well as "pcap_open_live()", it could be used to
read saved capture files from tcpdump or Ethereal.
The stuff in question referred to CPAN, which is the Comprehensive Perl
Archive Network at
http://www.cpan.org/
and which has a search engine at
http://search.cpan.org/
which does, indeed, find a module "Net::Pcap" - the search results are
at
http://search.cpan.org/search?dist=Net-Pcap
and the README file says
Net::Pcap version 0.03 contains the following improvements over
previous versions:
- all pcap library functions fully implemented
which I assume means it supports "pcap_open_offline()" and thus lets you
read saved capture files.
However, using the data you read is a bit more work, as you then have to
extract the source and destination addresses of packets, and the
protocol types at the various protocol layers, yourself.
You may want to search some more and see if somebody already has done
that work, or has done it the lazy person's way by having tcpdump do it
(i.e., reading the output of tcpdump).
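The work the reply describes, opening a saved capture the way pcap_open_offline() does and then pulling source/destination addresses and per-layer protocol types out of each packet yourself to build a by-host / by-protocol report, is shown below as an added example. It is not code from the original post, from Ethereal, tcpdump or Net::Pcap; it is written in Python rather than Perl so that it needs no libpcap binding (it parses the libpcap file format directly with struct), and the sample capture, addresses and ports are constructed inline so it runs offline.

```python
"""Offline libpcap reader producing traffic-by-host / by-protocol reports.

Added example (not Ethereal, tcpdump or Net::Pcap code). Pure Python, so it
reads tcpdump/Ethereal capture files without a libpcap binding. The sample
capture at the bottom is constructed here, not taken from any real network.
"""
import socket
import struct
from collections import Counter

# libpcap magic as written by little- and big-endian hosts; the nanosecond
# variant is used by newer tools. The byte order governs every header field.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}
LINKTYPE_ETHERNET = 1
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def read_pcap(data):
    """Yield (orig_len, captured_frame) per record, like pcap_open_offline()+pcap_next()."""
    if len(data) < 24:
        raise ValueError("not a libpcap file: global header too short")
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file: bad magic %r" % data[:4])
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d (only Ethernet decoded here)" % linktype)
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            break  # corrupt or cut-off record (interrupted capture): stop, never read past the end
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Extract L3/L4 identifiers from one Ethernet frame; layers lost to the snaplen stay None."""
    info = {"l3": None, "src": None, "dst": None, "l4": None, "sport": None, "dport": None}
    if len(frame) < 14:
        return info
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        info["l3"] = "ARP"
        return info
    if ethertype != 0x0800:
        info["l3"] = "ethertype-0x%04x" % ethertype
        return info
    info["l3"] = "IPv4"
    ip = frame[14:]
    if len(ip) < 20:
        return info  # IPv4 header truncated by the snaplen
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    info["src"], info["dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    info["l4"] = IP_PROTO_NAMES.get(proto, "ip-proto-%d" % proto)
    l4 = ip[ihl:]
    if ihl >= 20 and proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with the ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def summarize(data):
    """Bytes sent per source host, packets per protocol, packets per (proto, dst port)."""
    by_host, by_proto, by_port = Counter(), Counter(), Counter()
    for orig_len, frame in read_pcap(data):
        info = decode_frame(frame)
        by_proto[info["l4"] or info["l3"] or "unknown"] += 1
        if info["src"]:
            by_host[info["src"]] += orig_len   # wire length, not the snaplen-truncated length
        if info["dport"] is not None:
            by_port[(info["l4"], info["dport"])] += 1
    return {"by_host": by_host, "by_proto": by_proto, "by_port": by_port}


def report_file(path):
    """Summarize a real tcpdump/Ethereal capture file on disk."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


# ---- constructed sample capture (hypothetical addresses, checksums left at 0) ----
def _ipv4_frame(src, dst, proto, l4_header, payload=b""):
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_header) + len(payload), 1, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4_header + payload


def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)


def _record(frame, snaplen):          # little-endian record header, frame cut at snaplen
    captured = frame[:snaplen]
    return struct.pack("<IIII", 1000000000, 0, len(captured), len(frame)) + captured


SNAPLEN = 96
ARP_FRAME = (b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06"
             + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + b"\x66\x77\x88\x99\xaa\xbb"
             + socket.inet_aton("10.0.0.1") + b"\x00" * 6 + socket.inet_aton("10.0.0.2"))
SAMPLE_CAPTURE = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)
    + _record(_ipv4_frame("10.0.0.1", "10.0.0.2", 6, _tcp(40000, 80)), SNAPLEN)              # 54 bytes
    + _record(_ipv4_frame("10.0.0.1", "10.0.0.3", 17, struct.pack("!HHHH", 53000, 53, 18, 0),
                          b"A" * 10), SNAPLEN)                                                 # 52 bytes
    + _record(_ipv4_frame("10.0.0.2", "10.0.0.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)), SNAPLEN)  # 42
    + _record(ARP_FRAME, SNAPLEN)                                                              # 42, no IP
    + _record(_ipv4_frame("10.0.0.3", "10.0.0.1", 6, _tcp(443, 40001), b"B" * 100), SNAPLEN)  # 154 on wire, 96 saved
)

if __name__ == "__main__":
    for section, counts in summarize(SAMPLE_CAPTURE).items():
        print(section, dict(counts))
```

Two details matter when you do this yourself instead of letting tcpdump print the packets: the global header's magic number tells you the byte order of every subsequent field (a file written on a big-endian host is legal and common), and each record carries both a captured length and an original length, so byte totals should come from the original length while header parsing must cope with frames cut short by the snaplen.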