Ipsumdump can read packets from network interfaces, from tcpdump files, and from
existing ipsumdump files. It will transparently uncompress
tcpdump or ipsumdump files when necessary. It can
randomly sample traffic, filter traffic based on its contents, anonymize IP
addresses, and sort packets from multiple dumps by timestamp. Also, it can
optionally create a tcpdump file containing actual packet
data.
Options supplied by the user determine what goes in the dump.
Possibilities include:
- Timestamp
- Source IP address
- Destination IP address
- TCP/UDP source port
- TCP/UDP destination port
- Length
- Protocol
- IP ID
- Fragment flag
- Fragment offset
- TCP sequence number
- TCP acknowledgement number
- TCP flags
- Payload length
- Payload (as a quoted string)
It's easy to add similar properties.
The companion ipaggcreate
program counts various properties of packet aggregates.
Ipaggcreate makes it easy to answer questions such as "What is
the distribution of number of packets per TCP/UDP flow in this trace?" or
"How long does it take to encounter 10000 different IP addresses in this
trace?"
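As an added illustration (not code from ipsumdump, ipaggcreate or Click), here is a small Python parser for ipsumdump's text output that answers both questions above over a constructed trace. It assumes the documented layout: "!"-prefixed header lines, a "!data" line naming the columns, "-" for a field absent from a packet, and ip_proto printed as T/U/I for TCP/UDP/ICMP.

```python
from collections import Counter

# Constructed sample in ipsumdump's text format (not a real trace); the columns
# are the ones produced by the "-sdSDp" invocation discussed on this page.
SAMPLE = """!IPSummaryDump 1.3
!creator ipsumdump ~/largedump.gz -sdSDp --sample 0.5 --anonymize
!data ip_src ip_dst sport dport ip_proto
10.0.0.1 10.0.0.2 40000 80 T
10.0.0.1 10.0.0.2 40000 80 T
10.0.0.2 10.0.0.1 80 40000 T
10.0.0.3 10.0.0.2 - - I
10.0.0.1 10.0.0.2 40000 80 T
10.0.0.4 10.0.0.5 5353 5353 U
"""

def parse_ipsumdump(text):
    """Return one dict per packet, keyed by the '!data' column names.
    Lines starting with '!' are headers; '-' marks a field absent for
    that packet (e.g. ports on ICMP) and is stored as None."""
    columns, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("!"):
            if line.startswith("!data "):
                columns = line.split()[1:]
            continue
        if columns is None:
            raise ValueError("packet line before '!data' header")
        fields = line.split()
        if len(fields) != len(columns):
            raise ValueError(f"expected {len(columns)} fields: {line!r}")
        records.append({c: (None if f == "-" else f) for c, f in zip(columns, fields)})
    return records

def flow_key(rec):
    """5-tuple naming a unidirectional flow; ports are None for non-TCP/UDP."""
    return (rec["ip_src"], rec["ip_dst"], rec["sport"], rec["dport"], rec["ip_proto"])

def flow_size_distribution(records):
    """Map 'packets per flow' -> 'number of flows with that many packets'."""
    per_flow = Counter(flow_key(r) for r in records)
    return dict(Counter(per_flow.values()))

def packets_until_distinct_addrs(records, n):
    """Packets read before n distinct source addresses appear; None if never."""
    seen = set()
    for i, rec in enumerate(records, start=1):
        seen.add(rec["ip_src"])
        if len(seen) >= n:
            return i
    return None
```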
Ipsumdump and Click
Ipsumdump is the first standalone program to use the Click modular
router. (You do not need Click to compile ipsumdump.)
The ipsumdump program simply constructs a Click configuration
based on options provided by the user, then runs that configuration. All
packet-related tasks, such as reading and writing tcpdump and
ipsumdump files, sampling, filtering, and anonymization, are
handled by Click elements designed for the purpose. Most of those elements
existed already and required only modest changes, which made
ipsumdump pretty easy to write. The elements we wrote from
scratch have been fed back into Click, making them available to other
projects. For example, if you'd like to read an ipsumdump file
and synthesize packets with the same characteristics, use the FromIPSummaryDump
element.
I hope people start using Click for similar analysis projects and
programs. It's more flexible than programming to libpcap
directly, and pretty easy, too.
Here's the Click configuration that corresponds to a modestly complex
ipsumdump invocation, "ipsumdump ~/largedump.gz -sdSDp
--sample 0.5 --anonymize". Use ipsumdump's
--config option to see similar configurations.
src0 :: FromDump("/Users/kohler/largedump.gz", FORCE_IP true, STOP true, SAMPLE 0.5);
collate :: { input [0] -> output; };
src0 -> [0] collate;
collate
-> anon :: AnonymizeIPAddr(CLASS 4, SEED false)
-> to_dump :: ToIPSummaryDump(-, CONTENTS "ip_src" "ip_dst" "sport" "dport" "ip_proto",
CAREFUL_TRUNC false, VERBOSE true, BAD_PACKETS false,
BANNER "ipsumdump /Users/kohler/largedump.gz -sdSDp --sample 0.5 --anonymize");
progress :: ProgressBar(src0.filepos, src0.filesize, UPDATE 0.1, DELAY 2s, CHECK_STDOUT true);
manager :: DriverManager(, pause 1, write progress.mark_done, label stop);
Script(TYPE SIGNAL HUP, write to_dump.flush);
Script(TYPE SIGNAL INT TERM, write manager.goto stop, exit);
Ipsumdump configurations can include the following
elements:
Ipaggcreate configurations can additionally include the
following elements: