
Packet Reassembly

Author Message
[[Merlin]]
Just Arrived


Joined: 16 Dec 2003
Posts: 3
Location: United Kingdom


PostPosted: Thu Jan 19, 2006 3:42 am    Post subject: Packet Reassembly

Hi everyone,

How can fragmented packets in a tcpdump file be reassembled? Can it be accomplished using Snort?

Any help would be appreciated as I need to solve this problem very quickly as my project has now ground to a halt.

Thanks :)
Sh4d0w
Just Arrived


Joined: 19 Jun 2005
Posts: 0



PostPosted: Fri Jan 20, 2006 6:25 am    Post subject:

I don't know for sure, but nemesis might be able to do that..

Do you just want the data reassembled for analysis?
skiddieleet
Just Arrived


Joined: 21 Aug 2004
Posts: 1
Location: Texas


PostPosted: Fri Jan 20, 2006 6:51 am    Post subject:

tcpflow will take a snort log file and based on command line parameters get you different "flows" from it. So if you were downloading a file from an ftp site, you could give the proper parameters to dump that flow and it should be the actual file.
http://www.circlemud.org/~jelson/software/tcpflow/
[[Merlin]]
Just Arrived


Joined: 16 Dec 2003
Posts: 3
Location: United Kingdom


PostPosted: Fri Jan 20, 2006 2:48 pm    Post subject:

Hi guys,

My project is on network intrusion detection and I'm analysing data taken from the 1999 DARPA Intrusion Detection Evaluation data set:

http://www.ll.mit.edu/IST/ideval/data/data_index.html

For some of the attacks in the data the packets are fragmented and I need them to be sequentially ordered so that my classifier isn't beaten. For example, an attack could be an old Apache denial of service attack where massive amounts of forward or backslashes are sent to the server. Looking at the tcpdump files with Ethereal, the packets for this attack are obviously spread out, so I need to recombine them; hope that makes sense.

I've taken a look at tcpflow but I don't think it likes large tcpdump files.

Thanks for the help.


Last edited by [[Merlin]] on Fri Jan 20, 2006 3:12 pm; edited 1 time in total
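As an added example (not code from the thread, and not tcpflow, Snort or Chaosreader): a small stdlib-only script that does both halves of what the question asks, reassembling IPv4 fragments and then ordering each TCP flow's segments by sequence number, over a libpcap file. The capture it reads is constructed inline by build_sample_pcap() (one HTTP request whose segments are written out of order, with one segment further split into two IP fragments) so it runs offline; all names are the example's own. It verifies no IP or TCP checksums, ignores 32-bit sequence wraparound, and uses a fixed "first bytes received win" policy for overlapping fragments, which is a simplification: real stacks differ on that, and an IDS that does not mirror the target host's policy can be evaded.

```python
"""Reassemble IPv4 fragments and order TCP segments from a libpcap file (stdlib only)."""
import socket
import struct
from collections import defaultdict

ETH_IPV4, PROTO_TCP = 0x0800, 6

def parse_pcap(data):
    """Yield raw Ethernet frames from a classic libpcap capture (pcapng not handled)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB only
        raise ValueError("not an Ethernet libpcap file")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_ipv4(pkt):
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])  # checksum not verified
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "id": ident, "proto": pkt[9], "more": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[(pkt[0] & 0x0F) * 4:total_len]}

class FragmentReassembler:
    """Hold fragments per (src, dst, id, proto) until bytes 0..end are all present."""
    def __init__(self):
        self.frags = defaultdict(dict)  # key -> {fragment offset: payload}
        self.total = {}                 # key -> length implied by the MF=0 fragment

    def feed(self, ip):
        if not ip["more"] and ip["offset"] == 0:
            return ip                   # not fragmented
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        self.frags[key].setdefault(ip["offset"], ip["payload"])
        if not ip["more"]:
            self.total[key] = ip["offset"] + len(ip["payload"])
        if key not in self.total:
            return None
        buf = bytearray()
        for off in sorted(self.frags[key]):
            if off > len(buf):
                return None             # hole: a fragment is still missing
            # Overlap policy: bytes already received win (simplification; real stacks differ).
            buf += self.frags[key][off][len(buf) - off:]
        if len(buf) < self.total[key]:
            return None
        del self.frags[key], self.total[key]
        return dict(ip, offset=0, more=False, payload=bytes(buf))

def reassemble_streams(pcap_bytes):
    """Return {(src, sport, dst, dport): (payload in sequence order, bytes missing)}."""
    ipr, segments = FragmentReassembler(), defaultdict(dict)
    for frame in parse_pcap(pcap_bytes):
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = ipr.feed(parse_ipv4(frame[14:]))
        if ip is None or ip["proto"] != PROTO_TCP:
            continue
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", ip["payload"][:14])
        data = ip["payload"][(off_flags >> 12) * 4:]
        if data:
            segments[(ip["src"], sport, ip["dst"], dport)].setdefault(seq, data)
    streams = {}
    for flow, segs in segments.items():
        out, expected, missing = bytearray(), min(segs), 0  # no seq-number wraparound handling
        for seq in sorted(segs):
            data = segs[seq]
            if seq > expected:          # hole in the capture
                missing, expected = missing + seq - expected, seq
            elif seq < expected:        # retransmission overlapping bytes already taken
                data = data[expected - seq:]
            out += data
            expected += len(data)
        streams[flow] = (bytes(out), missing)
    return streams

def ipv4_packet(src, dst, ident, payload, offset=0, more=False):
    """Ethernet + IPv4 frame for the constructed sample (header checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (0x2000 if more else 0) | offset // 8, 64, PROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + hdr + payload

def tcp_segment(sport, dport, seq, data):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, 0x5018, 65535, 0, 0) + data

def build_sample_pcap():
    """Constructed capture: three out-of-order segments; the first is also split into two IP fragments."""
    src, dst = "10.0.0.1", "10.0.0.2"
    seg0 = tcp_segment(40000, 80, 1000, b"GET /")  # 25 bytes; IP fragments split at 16
    frames = [ipv4_packet(src, dst, 3, tcp_segment(40000, 80, 1011, b"///// HTTP/1.0\r\n\r\n")),
              ipv4_packet(src, dst, 1, seg0[16:], offset=16),   # last fragment arrives first
              ipv4_packet(src, dst, 1, seg0[:16], more=True),
              ipv4_packet(src, dst, 2, tcp_segment(40000, 80, 1005, b"//////"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1138000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

For a real tcpdump file, call reassemble_streams(open(path, "rb").read()); each flow comes back as the ordered application payload plus a count of bytes the capture never contained, which is the signal that a classifier is looking at an incomplete request rather than a short one.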
MattA
Trusted SF Member


Joined: 13 Jun 2003
Posts: 16777193
Location: Eastbourne + London


PostPosted: Fri Jan 20, 2006 3:09 pm    Post subject:

IIRC Chaosreader would help; perhaps asking on the Honeynet Project list might help too....