<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>danielmiessler.com - Latest Comments in Capturing Traffic Once and Making That Traffic Available to Multiple Tools</title><link>http://drm.disqus.com/</link><description>https://danielmiessler.com/about/</description><atom:link href="https://drm.disqus.com/capturing_traffic_once_and_making_that_traffic_available_to_multiple_tools/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Wed, 07 May 2008 09:56:11 -0000</lastBuildDate><item><title>Re: Capturing Traffic Once and Making That Traffic Available to Multiple Tools</title><link>http://https://danielmiessler.com/blog/capturing-traffic-once-and-making-that-traffic-available-to-multiple-tools#comment-11181376</link><description>&lt;p&gt;I think OmniPeek is a good example of what you are describing.  It supports a plugin API, and there are lots of plugins available from the WildPackets website.  WildPackets also provides tools to load packets into a database.   From there, lots of other applications can use the data.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Spacepacket</dc:creator><pubDate>Wed, 07 May 2008 09:56:11 -0000</pubDate></item><item><title>Re: Capturing Traffic Once and Making That Traffic Available to Multiple Tools</title><link>http://https://danielmiessler.com/blog/capturing-traffic-once-and-making-that-traffic-available-to-multiple-tools#comment-11181374</link><description>&lt;p&gt;@Adrian: I can't believe I had Elton John. 
FAIL&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Miessler</dc:creator><pubDate>Fri, 14 Mar 2008 09:56:10 -0000</pubDate></item><item><title>Re: Capturing Traffic Once and Making That Traffic Available to Multiple Tools</title><link>http://https://danielmiessler.com/blog/capturing-traffic-once-and-making-that-traffic-available-to-multiple-tools#comment-11181373</link><description>&lt;p&gt;Yeah, that was a good post on Richard's blog - it's a concept that everyone wants, but the implementation may get slightly tricky.&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;Just on Richard Bejtlich's stuff - I feel the need to point out that perhaps you're overlooking the power of session data. In fact that's one of the big things I learnt after reading one of his books. I used to think of network capture mainly in terms of full-content capture; now I think that session data alone is highly underrated.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ghost16825</dc:creator><pubDate>Fri, 14 Mar 2008 07:51:17 -0000</pubDate></item><item><title>Re: Capturing Traffic Once and Making That Traffic Available to Multiple Tools</title><link>http://https://danielmiessler.com/blog/capturing-traffic-once-and-making-that-traffic-available-to-multiple-tools#comment-11181368</link><description>&lt;p&gt;I think you may want John Lennon rather than Elton John for your Imagine reference...&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;We already have tcpdump and the .pcap file format for much of what you want in this post - except for the last section which sounds like you've taken your .pcap data, parsed it and dumped the results into a database. Not too hard to do - but could certainly be interesting.&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;Lots of data crosses most networks; how much of it can we really keep?  
Hard drives are getting cheaper - but not that cheap!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Adrian Bool</dc:creator><pubDate>Fri, 14 Mar 2008 00:39:25 -0000</pubDate></item></channel></rss>