Reporting on Pcaps

These scripts walk through a directory of pcaps, parsing them and reporting on what they see, using both text files and charts (typically frequency against time). They require Perl & tshark, run under both Windows and *nix, and require gnuplot if you want charts. See the beginning of each script for install and operating instructions.


Count-Duplicate-Frames parses a directory of pcaps and builds a hash of IP Ident numbers, keyed by source IP address and IP Ident number, both per pcap and globally. It produces two reports:

The script also produces a data file, a gnuplot config file and, if gnuplot is installed, a PNG illustrating the frequency of IP Ident numbers across the entire data set. By itself this does not demonstrate a loop: the IPv4 Identification field is only 16 bits wide, so a busy host cycles through all 65,536 values and reuses each one, and in a large collection of pcaps we expect any given IP Ident number to appear many times. That said, if a particular IP Ident number appears tens of thousands or hundreds of thousands of times in a day, that frequency suggests a larger problem. One caveat before raising the alarm: some stacks set Ident to zero on every atomic (don't-fragment) datagram, as RFC 6864 allows, so a huge count for Ident 0 from a single host is deliberate reuse, not a loop.

Typically, one sees duplicate IP ident numbers, but at a low rate. During loop events, one sees bursts of duplicates -- this script is aimed at identifying when this happens.

./count-duplicate-frames --help
count-duplicate-frames v1.5.1

    Usage:  count-duplicate-frames [-c {chart title}] [-d {integer}] [-g {location of gnuplot binary}] [-h] [-l {duplicate threshold}] [-p {pcap directory}] [-r {report file}] [-t {location of tshark binary}] [-v]

      -c specifies the gnuplot chart title.  The default is 
         'IP Ident Frequencies Across All pcaps'

      -d specifies debug level.  The default is 0

      -g specifies the location of the gnuplot binary.  The default is

      -h tells us to report IP Ident numbers in hex, instead of converting 
         them to decimal.  The default is 0

      -l specifies the 'duplicate threshold' -- the number of repeats for an 
         IP address / IP Ident number tuple before we claim evidence of a loop.
         In other words, if you set this value to '1', you will claim that 
         every time we see an IP Ident number occur more than once in a pcap 
         that we have seen evidence of a loop.

      -p specifies the pcap directory.  The default is ./

      -r specifies the name of the report file.  The default is

      -t specifies the location of the tshark binary.  The default is

      -v specifies verbosity.  The default is 0
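The counting logic the description and the -l / -h options sketch, as an added Python example (not the Perl Count-Duplicate-Frames script itself). It assumes each pcap has already been flattened with `tshark -r FILE.pcap -T fields -e frame.time_epoch -e ip.src -e ip.id`, and it works on constructed sample lines in that format rather than on real captures. It keeps per-pcap and global counts separately, applies the duplicate threshold per pcap the way -l describes, renders Ident in hex or decimal as -h does, and buckets repeat sightings by time for the gnuplot data file. The `ignore_zero` switch is my addition, not an option of the original script.

```python
"""Count repeated (source IP, IP Ident) tuples across a set of pcaps.

Added example, not the Count-Duplicate-Frames script. It assumes each pcap
was first flattened with tshark:

    tshark -r FILE.pcap -T fields -e frame.time_epoch -e ip.src -e ip.id

which prints one tab-separated line per frame: epoch time, source IP and the
IP Ident field (tshark renders ip.id in hex, e.g. 0x4e20).
"""
from collections import Counter

# Constructed sample tshark output for two pcaps (not real capture data).
# 10.0.0.5 steps its Ident normally; 10.0.0.9 repeats Ident 0x4e20 four
# times within a few milliseconds in a.pcap, the signature of a looped frame.
SAMPLE_PCAPS = {
    "a.pcap": (
        "1480000000.10\t10.0.0.5\t0x0001\n"
        "1480000000.20\t10.0.0.5\t0x0002\n"
        "1480000000.30\t10.0.0.9\t0x4e20\n"
        "1480000000.31\t10.0.0.9\t0x4e20\n"
        "1480000000.32\t10.0.0.9\t0x4e20\n"
        "1480000000.33\t10.0.0.9\t0x4e20\n"
        "1480000001.00\t10.0.0.5\t0x0003\n"
        "1480000001.50\t\t\n"  # non-IP frame: tshark leaves ip fields empty
    ),
    "b.pcap": (
        "1480000060.00\t10.0.0.5\t0x0001\n"  # same tuple as in a.pcap: a global repeat
        "1480000060.50\t10.0.0.9\t0x4e20\n"
        "1480000061.00\t10.0.0.9\t0x4e21\n"
    ),
}


def parse_tshark_fields(text):
    """Yield (epoch, src, ident) per IP frame; skip frames with no IP layer."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[1] or not parts[2]:
            continue
        raw = parts[2]
        ident = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
        yield float(parts[0]), parts[1], ident


def count_idents(pcaps):
    """Return (per_pcap, overall): Counters keyed by (src, ident)."""
    per_pcap = {}
    overall = Counter()
    for name, text in pcaps.items():
        per_pcap[name] = Counter((src, ident) for _, src, ident in parse_tshark_fields(text))
        overall.update(per_pcap[name])
    return per_pcap, overall


def loop_suspects(per_pcap, threshold=1, ignore_zero=True):
    """Tuples seen within one pcap more than `threshold` times; threshold=1
    flags any duplicate, as the -l option describes. ignore_zero (an addition
    here) drops Ident 0, which some stacks put on every atomic (DF) datagram
    per RFC 6864: that is reuse, not a loop."""
    hits = []
    for name, counts in per_pcap.items():
        for (src, ident), n in counts.items():
            if ignore_zero and ident == 0:
                continue
            if n > threshold:
                hits.append((name, src, ident, n))
    return sorted(hits)


def format_ident(ident, as_hex=False):
    """Mirror the -h switch: report Ident in hex or in decimal."""
    return f"0x{ident:04x}" if as_hex else str(ident)


def duplicates_over_time(pcaps, bucket_seconds=60):
    """Frequency-against-time series: frames per bucket whose (src, ident)
    tuple had already been seen earlier in the same pcap."""
    buckets = Counter()
    for text in pcaps.values():
        seen = set()
        for epoch, src, ident in parse_tshark_fields(text):
            key = (src, ident)
            if key in seen:
                buckets[int(epoch // bucket_seconds) * bucket_seconds] += 1
            seen.add(key)
    return sorted(buckets.items())


def gnuplot_data(rows):
    """Two-column, tab-separated data file that gnuplot can plot 'using 1:2'."""
    return "".join(f"{t}\t{n}\n" for t, n in rows)


if __name__ == "__main__":
    per_pcap, overall = count_idents(SAMPLE_PCAPS)
    for name, src, ident, n in loop_suspects(per_pcap, threshold=1):
        print(f"{name}: {src} Ident {format_ident(ident, as_hex=True)} seen {n} times")
    print(gnuplot_data(duplicates_over_time(SAMPLE_PCAPS)))
```

Note the two views the sample is built to separate: 10.0.0.5 / Ident 1 appears twice across the data set (the global count) but only once per pcap, so it is never flagged; 10.0.0.9 / Ident 0x4e20 appears four times inside a.pcap, so it trips any threshold below 4. The data file can be fed to gnuplot with something like `plot 'dups.dat' using 1:2 with impulses`.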



Prepared by:
Stuart Kendrick

Last modified: 29-November-2016