Thursday, November 6, 2014

Analyze a tcpdump pcap file for top talkers & conversations

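#!/bin/bash
# 2014-11-06 LWH 

# Process pcap sniff files to get:
#   Start/stop times
#   Total Packets
#   Top Talkers
#   Top Conversations
#      (Not smart enough to associate H1 -> H2  with H2 -> H1, though)
#
#  requires only tcpdump, wc, awk, sort, uniq, head, tail and mktemp
#
#  The pcap is decoded by tcpdump exactly once into a temp file; every
#  figure below is derived from that text dump, so the capture is no longer
#  re-read three times.  The capture file is untrusted input: it is only
#  ever passed to tcpdump as a quoted argument after "--", never expanded
#  into a command line or a printf format.
#
#  Not "set -e"/"pipefail": the report pipelines end in head, which closes
#  the pipe early and would turn a normal SIGPIPE in sort into a failure.
#  Critical steps are checked explicitly instead.
#
set -u

Today="$(date +%Y-%m-%d)"

UsageInfo="Usage: Toptalkers <sniff file>"

# tcpdump lived in /usr/sbin on the original box; fall back to PATH lookup
Tcpdump=/usr/sbin/tcpdump
if [[ ! -x "$Tcpdump" ]]; then
   Tcpdump="$(command -v tcpdump)" || { echo "tcpdump not found" >&2; exit 1; }
fi

#
# confirm input pcap file sent in as argument 1, exists
#
if [[ -z "${1:-}" ]]; then
   printf '%s\n\n' "$UsageInfo" >&2
   exit 1
fi
SniffFile="$1"

if [[ ! -f "$SniffFile" ]]; then
   printf '%s does not exist\n' "$SniffFile" >&2
   printf '%s\n\n' "$UsageInfo" >&2
   exit 1
fi

#
# Decode the capture once.  -nn: no name/port lookups; -tttt: full
# "YYYY-MM-DD HH:MM:SS.ffffff" timestamp on every line, so the capture
# window comes from the packets themselves rather than today's date and
# the file's mtime.  Temp file is unpredictable (mktemp) and removed on
# every exit path by the trap.
#
Dump="$(mktemp)" || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$Dump"' EXIT

if ! "$Tcpdump" -nn -tttt -r "$SniffFile" > "$Dump"; then
   printf 'tcpdump could not read %s\n' "$SniffFile" >&2
   exit 1
fi

echo ""

echo "Sniff analysis for $SniffFile, $Today"

echo ""

#
#  Fields 1 and 2 of the first and last decoded packet are the start/stop
#  timestamps.
StartTime="$(head -n 1 < "$Dump" | awk '{print $1, $2}')"
StopTime="$(tail -n 1 < "$Dump" | awk '{print $1, $2}')"
echo "starts at $StartTime, ends at $StopTime"
#
echo ""
echo ""
echo "Top 10 Talkers"

#  wc -l for packet count (one decoded line per packet)
TotalPackets="$(wc -l < "$Dump")"
echo " $TotalPackets Total Packets " 

if (( TotalPackets == 0 )); then
   echo " (no packets decoded - nothing to report)"
   exit 0
fi

#
#  awk helper shared by both reports: turn a tcpdump address field
#  ("10.0.0.1.80", "10.0.0.2.1234:", "fe80::1.546", "10.0.0.1" for ICMP)
#  into the bare host address.
#    - a trailing ":" (destination field) is dropped
#    - IPv4: five dotted components mean addr.port, strip the port;
#      four components mean no port (ICMP etc.), keep as is
#    - anything else (IPv6): a dot can only separate the port, strip it.
#      Known limitation: an IPv4-mapped IPv6 address without a port would
#      lose its last octet.
#  "n" is declared as an extra parameter so it stays local to the function.
#
AwkHost='
function host(f,   n) {
  sub(/:$/, "", f)
  n = gsub(/\./, ".", f)
  if (f ~ /^[0-9.]+$/) {
    if (n == 4) sub(/\.[^.]*$/, "", f)
  } else if (n >= 1) {
    sub(/\.[^.]*$/, "", f)
  }
  return f
}
'

#  top talkers
#
#  A -tttt line reads "date time IP src > dst: ...", so the source is field 4.
#  Only IP/IP6 lines are counted; ARP and other link-layer lines have a
#  different layout and used to appear as garbage rows.
#  sort before uniq -c so identical hosts are counted wherever they occur.
awk "$AwkHost"'$3 == "IP" || $3 == "IP6" { print host($4) }' "$Dump" \
  | sort | uniq -c | sort -nr | head 


# Get conversations
echo ""
echo ""
echo " Conversations - top 25 "
echo ""
printf ' Packets  Source\t   Destination\n'


# top 25 conversations, IP addresses, no ports, 
#  Destination is field 6 (field 5 is the ">").  The original ran uniq -c
#  without sorting first, which only counted consecutive duplicates and so
#  under-reported every conversation; sort precedes uniq here.
awk "$AwkHost"'$3 == "IP" || $3 == "IP6" { printf "%s\t - %s\n", host($4), host($6) }' "$Dump" \
  | sort | uniq -c | sort -nr | head -25 

echo ""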


Thursday, August 28, 2014

http://www.toptal.com/c/how-i-made-a-fully-functional-arduino-weather-station-for-300#.

http://www.ambientweather.com/amwesrpatean.html

https://learn.sparkfun.com/tutorials/weather-station-wirelessly-connected-to-wunderground