Permalink
Browse files

added the user-submitted afterglow module, added a TODO item also

  • Loading branch information...
1 parent 6fffc6f commit fad5ce302cb5313cce2d7dd879e83e841a721aaf @dakrone committed Oct 10, 2008
View
1 TODO
@@ -53,6 +53,7 @@ DONE - "dump" command supports directories
- Allow "dump -f" to dump packets regardless of supported protocol or not
DONE - "iplist" command needs to support directories of pcap files
- Rewrite pcapparser to use Ruby's builtin BinData so it's easier to extend
+- Expand ~ for modload command
IDEAS:
@@ -0,0 +1,2 @@
+tcpdump -vttttnnelr ${PCAP_FILE} | ${AFTERGLOW_HOME}/tcpdump2csv.pl "sip dip sport" > ${OUTPUT_DIR}/${PCAP_BASE}.csv
+perl ${AFTERGLOW_HOME}/afterglow.pl -c ${AFTERGLOW_HOME}/tcpdump.properties < ${OUTPUT_DIR}/${PCAP_BASE}.csv | neato -Tgif -o ${OUTPUT_DIR}/${PCAP_BASE}.gif

Large diffs are not rendered by default.

Oops, something went wrong.
@@ -0,0 +1,32 @@
+# AfterGlow Color Property File
+#
+# @fields is the array containing the parsed values
+# color.source is the color for source nodes
+# color.event is the color for event nodes
+# color.target is the color for target nodes
+#
+# The first match wins
+#
+color.source="yellow" if ($fields[0]=~/^192\.168\..*/);
+color.source="greenyellow" if ($fields[0]=~/^10\..*/);
+color.source="lightyellow4" if ($fields[0]=~/^172\.16\..*/);
+color.source="red"
+color.event="yellow" if ($fields[1]=~/^192\.168\..*/)
+color.event="greenyellow" if ($fields[1]=~/^10\..*/)
+color.event="lightyellow4" if ($fields[1]=~/^172\.16\..*/)
+color.event="green"
+color.target="blue" if ($fields[2]<1024)
+color.target="lightblue"
+color.sourcetarget="pink"
+
+# Changing node labels:
+#label=substr(field(),0,10)
+
+# URL for nodes (used for graphviz to enable image map functionality)
+# This is an exampel of how to use AfterGlow with Splunk
+url=http://localhost:8000/?q=\N%20starthoursago%3A%3A24
+
+# Using node sizes:
+#size.source=1;
+#size.target=200
+#maxNodeSize=0.2
@@ -0,0 +1,207 @@
+#!/usr/bin/perl
+#
+# Copyright (c) 2006 by Raffael Marty
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Title: TCPdump 2 CSV
+#
+# File: tcpdump2csv.pl
+#
+# Version: 1.5
+#
+# Description: Takes a tcpdump pcap file and parses it into a csv output.
+#
+# Usage: tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl ["field list"]
+#
+# Running in conjunction with afterglow:
+# tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport" |
+# perl ../graph/afterglow.pl | neato -Tgif -o test.gif
+#
+# Possible fields:
+# timestamp dip sip ttl tos id offset flags len
+# sourcemac destmac ipflags sport dport
+#
+# Known Issues:
+# Does not parse ARP packets
+# Does not parse SAP packets
+# Does not parse multi-line DNS packets
+#
+# ATTENTION: SHOULD work with tcpdump 3.8.x
+# ATTENTION: ONLY works with tcpdump 3.9.x
+#
+# URL: http://afterglow.sourceforge.net
+#
+# Changes:
+#
+# 06/13/05 Initial Version by ram
+# 06/25/05 ram's birthday: taking care of source and target swapping
+# Server: receives a SYN or sends a SYN ACK
+# If no SYN or SYN ACK seen for a connection, assume the machine with
+# port < 1024 is the server
+# 12/17/05 Fixing error handling. Should not exit when an unknown packet arrives
+# Also introducing the $DEBUG variable
+# 05/24/06 Version 1.5:
+# Changing the parsing to support tcpdump 3.9.4. Rewrote parsing
+# part to be a bit more sane ;)
+#
+###############################################################################/
+
+use strict vars;
+
+
+
+my $output=$ARGV[0] || "full";
+
+my $DEBUG=0;
+
+our ($timestamp,$etherproto,$dip,$sip,$ttl,$tos,$id,$offset,$flags,$len,$sourcemac,$destmac,$ipflags,$sport,$dport,$proto,$rest, $dnshostresponse, $dnslookup, $dnsipresponse, $dnstype, $dnslookup);
+
+our %clientServerConn;
+
+while (<STDIN>) {
+ chomp;
+
+ # tcpdump 3.9.4 : 2006-05-14 11:05:58.683193 00:05:4e:44:b7:25 > 00:01:4e:00:b6:59, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 6321, offset 0, flags [DF], proto: TCP (6), length: 40) 10.69.69.13.1555 > 10.69.69.20.52912: R, cksum 0x6c1c (correct), 0:0(0) ack 368294482 win 0
+ # 2006-05-23 08:15:39.809918 00:05:4e:44:b7:25 > 00:50:59:85:1b:60, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 64, id 49494, offset 0, flags [DF], proto: UDP (17), length: 71) 10.149.3.174.35837 > 206.13.29.12.53: 19302+ A? 02.presence.userplane.com. (43)
+ # 2006-05-15 xxx 00:05:4e:44:b7:25 > 00:50:59:85:1b:60, ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 64, id 38402, offset 0, flags [DF], proto: UDP (17), length: 66) 10.149.3.174.35843 > 206.13.29.12.53: 25351+ AAAA? webmail.arcsight.com. (38)
+
+ # 2006-05-15 xxx 00:50:59:85:1b:60 > 00:05:4e:44:b7:25, ethertype IPv4 (0x0800), length 101: (tos 0x60, ttl 123, id 16394, offset 0, flags [none], proto: UDP (17), length: 87) 206.13.29.12.53 > 10.149.3.174.35843: 29873 1/0/0 02.presence.userplane.com. A 8.3.208.204 (59)
+
+ if (/(\d+-\d+-\d+ \d+:\d+:\d+\.\d+) (\S+) > (\S+), ethertype (\S+) \(\S+\), length:? (\d+):? (?:\S+ )?\((?:tos +(\S+), )?(?:ttl +(\d+), )?(?:id +(\d+), )?(?:offset +(\d+), )?(?:flags \[(\S+)\], )?(?:proto: (\S+).*?, )?(?:length: (\d+))?.*?\) (\S+?)(?:\.(\d+))? > (\S+?)(?:\.(\d+))?: +(?:(\S+),? (.*?)|\d+[\+\*\-]* \d+\/\d+\/\d+ (\S+) (\S+) (\S+) .*?|\d+[\+\*\-]* (\S+) (\S+) .*?)?/ ) {
+
+ $timestamp = $1 || "";
+ $sourcemac = $2 || "";
+ $destmac = $3 || "";
+ $etherproto = $4 || "";
+ $len = $5 || "";
+ $tos = $6 || "";
+ $ttl = $7 || "";
+ $id = $8 || "";
+ $offset = $9 || "";
+ $ipflags = $10 || "";
+ $proto = $11 || "";
+ $len = $12 || "";
+ $sip = $13 || "";
+ $sport = $14 || "";
+ $dip = $15 || "";
+ $dport = $16 || "";
+ $flags = $17 || "";
+ $rest = $18 || "";
+ $dnshostresponse = $20 || "";
+ $dnslookup = $21 || "";
+ $dnsipresponse = $22 || "";
+ $dnstype = $23 || "";
+ $dnslookup = $24 || $dnslookup;
+
+ # skip 802.3 packets:
+ next if ($etherproto eq "802.3,");
+ # skip ARP
+ next if ($etherproto eq "ARP");
+
+ $timestamp =~ s/(.*?)\.\d+$/\1/;
+ $sourcemac =~ s/,$//;
+ $destmac =~ s/,$//;
+ $len =~ s/:$//;
+
+ } else {
+
+ $DEBUG && print STDERR "ERROR: $_\n";
+ next;
+
+ }
+
+ my @fields = split (" ",$_);
+
+ # adding ACK flag as an "A"
+ if ($_ =~ / ack /) { $flags .= "A"; }
+
+ my $connId = $sip.$dip.$sport.$dport;
+ my $reverseConnId = $dip.$sip.$dport.$sport;
+
+ # trying to find the client and the server and the act opon that
+ if ($flags =~ /S.*A/) { # server to client
+
+ $clientServerConn{$reverseConnId}="1";
+ # swap source and dest:
+ ($sourcemac,$destmac) = ($destmac,$sourcemac);
+ ($sip,$dip) = ($dip,$sip);
+ ($sport,$dport) = ($dport,$sport);
+
+ } elsif ($flags =~ /S/) { # client to server
+
+ $clientServerConn{$connId}="1";
+
+ } elsif ($clientServerConn{$reverseConnId}) {
+
+ # swap source and dest:
+ ($sourcemac,$destmac) = ($destmac,$sourcemac);
+ ($sip,$dip) = ($dip,$sip);
+ ($sport,$dport) = ($dport,$sport);
+
+ } elsif ((!$clientServerConn{$reverseConnId}) && (!$clientServerConn{$connId}) && ($proto eq "tcp")) {
+
+ # we never saw a SYN or a SYN ACK and we are in TCP, let us try the port numbers
+ # This is better than not doing it :)
+
+ if (($sport < 1024) && ($dport > 1024)) {
+ $clientServerConn{$reverseConnId}="1";
+ # swap source and dest:
+ ($sourcemac,$destmac) = ($destmac,$sourcemac);
+ ($sip,$dip) = ($dip,$sip);
+ ($sport,$dport) = ($dport,$sport);
+ }
+
+ }
+
+ if ($output eq "full") {
+ print "$timestamp $sourcemac $destmac $sip $dip $sport $dport $flags $len $proto $ttl $id $offset $tos $ipflags\n";
+ } else {
+ my @tokens = split / /,$output;
+ print ${shift(@tokens)};
+ for my $token (@tokens) {
+ if (!defined($$token)) {
+ $DEBUG && print STDERR "$token is not a known field\n";
+ #exit;
+ } else {
+ print ','.$$token;
+ }
+ }
+ print "\n";
+ }
+
+}
+
+# To verify:
+# tcpdump 3.8.x : 2002-08-24 05:34:18.634488 00:00:0c:04:b2:33 > 00:03:e3:d9:26:c0, ethertype IPv4 (0x0800), length 223: IP (tos 0x0, ttl 122, id 544, offset 0, flags [DF], length: 209, bad cksum ff6b (->14ac)!) 138.97.18.88.61924 > 64.4.12.158.1863: P [bad tcp cksum 6c66 (->aca6)!] 9384:9553(169) ack 9641 win 17390
+# tcpdump 3.8.x : 2002-08-24 10:52:42.184488 00:03:e3:d9:26:c0 > 00:00:0c:04:b2:33, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 232, id 0, offset 8896, flags [+, DF], length: 40, bad cksum ff99 (->b4d9)!) 192.9.100.88 > 138.97.10.219: tcp
+
+# 2006-05-23 08:15:39.809918 00:50:59:85:1b:60 > 00:12:f0:b1:c7:c6, ethertype ARP (0x0806), length 64: arp reply 10.149.0.1 is-at 00:50:59:85:1b:60
+# 2006-05-23 08:54:58.278518 00:50:59:85:1b:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 64: arp who-has 10.149.3.187 tell 10.149.3.250
+ # 2006-05-23 08:15:35.985245 00:50:59:85:1b:60 > 00:40:96:a3:5f:58, ethertype IPv4 (0x0800), length 110: (tos 0x60, ttl 49, id 14118, offset 0, flags [none], proto: UDP (17), length: 96) 216.191.40.60.500 > 10.149.3.139.3210: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
+
+
+
+# To be done: (need to get the 3.9.x output for these!
+# 2005-01-12 14:38:20.660616 00:0d:56:e3:44:33 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::20d:56ff:fee3:4433 > ff02::2: [icmp6 sum ok] icmp6: router solicitation (src lladdr: 00:0d:56:e3:44:33) (len 16, hlim 255)
+# 2005-05-03 18:42:31.274438 00:0d:56:74:c4:d9 > ff:ff:ff:ff:ff:ff, 802.3, length 94: LLC, dsap Global (0xff), ssap Global (0xff), cmd 0x00, (NOV-802.3) 00000000.00:0d:56:74:c4:d9.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
+# 2005-09-08 16:38:14.906293 00:14:69:1f:b3:00 > 01:00:0c:cc:cc:cc, 802.3, length 338: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, CDPv2, ttl: 180s, checksum: 692 (unverified), length 316
+# 2005-09-08 16:38:11.013187 00:03:93:ea:dc:2f > 33:33:ff:ea:dc:2f, ethertype IPv6 (0x86dd), length 86: fe80::203:93ff:feea:dc2f > ff02::1:ffea:dc2f: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] icmp6: multicast listener report max resp delay: 0 addr: ff02::1:ffea:dc2f [hlim 1] (len 32)
+# 2005-09-08 16:38:08.146159 00:03:93:ea:dc:2f > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 86: fe80::203:93ff:feea:dc2f > ff02::2: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] icmp6: multicast listener done max resp delay: 0 addr: ff02::fb [hlim 1] (len 32)
+# 2005-09-08 16:38:05.896611 00:03:93:ea:dc:2f > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 459: fe80::203:93ff:feea:dc2f.5353 > ff02::fb.5353: [udp sum ok] 0 [8q] [8n] ANY? Altair._ftp._tcp.local. ANY? Altair [00:03:93:d5:81:02]._workstation._tcp.local. ANY? Altair._ssh._tcp.local. ANY? Altair._sftp-ssh._tcp.local. ANY? Ari Serim._http._tcp.local. ANY? AriM-bM-^@M-^Ys Beats._daap._tcp.local. ANY? iTunes_Ctrl_AE2BB3BEAAAB7A8B._dacp._tcp.local. ANY? Altair.local. (397) (len 405, hlim 255)
+# 2005-09-08 16:38:05.696393 00:03:93:ea:dc:2f > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 349: fe80::203:93ff:feea:dc2f.5353 > ff02::fb.5353: [udp sum ok] 0*- [0q] 8/0/0 _services._dns-sd._udp.local. PTR _ftp._tcp.local., _services._dns-sd._udp.local. PTR _workstation._tcp.local., _services._dns-sd._udp.local. PTR _ssh._tcp.local., _services._dns-sd._udp.local. PTR _sftp-ssh._tcp.local., _services._dns-sd._udp.local. PTR _http._tcp.local., _services._dns-sd._udp.local. PTR _daap._tcp.local., _services._dns-sd._udp.local. PTR _dacp._tcp.local., F.2.C.D.A.E.E.F.F.F.3.9.3.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR Altair.local. (287) (len 295, hlim 255)
+
+
+
@@ -0,0 +1 @@
+AFTERGLOW_HOME=${MODULE_DIR}/${MODULE_NAME}.module/bin
@@ -0,0 +1 @@
+Generate afterglow graph of traffic
@@ -0,0 +1,8 @@
+The afterglow module generates a graph of the traffic.
+
+Note that this module requires the perl Text::CSV module installed as well as
+neato, which can be downloaded from http://graphviz.org/ to generate the image.
+
+http://afterglow.sourceforge.net/
+
+AFTERGLOW_HOME - Path for afterglow executables (default: ${MODULE_DIR}/bin)
@@ -0,0 +1,2 @@
+afterglow
+flowtag

0 comments on commit fad5ce3

Please sign in to comment.