After capturing network traffic using TCPDUMP, how can the basic and derived features e.g protocol type, src_bytes, dst_bytes be extracted.
If you are dealing with .pcap files, try having a look at Netmate: http://dan.arndt.ca/nims/calculating-flow-statistics-using-netmate/
and Argus : www.qosient.com/argus/
I also wrote some pcap parser and feature extractions scripts. They are available at my Github page: github.com/pratiknarang/
Hope it helps.
tcpdump writes a human readable file with the hex values and other ascii representation of the data you capture, depending on the options you give to tcpdump.
You can use a scripting language with a regular expression to parse out the data you're interested in or use library like dpkt using Python.
There are also numerous number of tools for manipulating tcpdump files.
Wireshark can view a dump file if you give the correct options. I believe it is something like: tcpdump -i ${interface} -s 65535 -w ${file}
I would suggest going to http://www.tcpdump.org for more information.
If you are dealing with .pcap files, try having a look at Netmate: http://dan.arndt.ca/nims/calculating-flow-statistics-using-netmate/
and Argus : www.qosient.com/argus/
I also wrote some pcap parser and feature extractions scripts. They are available at my Github page: github.com/pratiknarang/
Hope it helps.
You can use PERL scripts to extract information and compute throughput for example.
It depends what you want to do.
If you want to look at traffic, doing an ad-hoc analysis of the content you captured, wireshark is a pretty good choice, allowing to see higher-level protocols, such as HTTP, or to see the entire TCP session in one piece. When you have very large capture files (like 50 MB or more), loading them into wireshark takes quite an amount of time and memory.
In case you just want to do statistics with very large capture files, such as measuring performance or to see the percentage of various traffic types, a Perl script or tool like netmate is a better choice.
Please see this tool from professor at Ohio University: http://www.tcptrace.org/
I usually netmat for these purpose but if you are looking for packet inter arrival time, packet length and packet size then you can also use TIE:
http://tie.comics.unina.it/doku.php?id=sections:documentation:features
- Badges
- Science topic