ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Ethereal-dev: RE: [Ethereal-dev] SQL Patch for ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Michael Cohen <michael.cohen@xxxxxxxxxxxxxxx>
Date: Tue, 18 Mar 2003 20:52:50 +1100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>I have been seeing some emails on Ethereal interfacing with a database. It
>sounds really neat. What would be some applications for interfacing ethereal
>to a database. Do you use it for analyzing packets?
>
>Regards,
>Sal

The application I have written for my employer does some really neat things 
with the data... For example suppose you wanted to know the distribution of 
tcp port connections (syns) in the dumps: (cool for finding trojan 
connections on unusual ports at a glance).

select tcp_dstport as "Destination Port", count(tcp_dstport ) as "Packet 
Count" from tcp where tcp_flags =2 group by tcp_dstport

You can also reassemble tcp streams by using some complex queries from the 
database (somewhere along the lines of:)

insert into connection_cache select 
$con_id,ip.key_id,\">\",1+frame_pkt_len-ip_len+ ip_hdr_len+ tcp_hdr_len from 
frame,ip,tcp,data, connection_table where frame.key_id=ip.key_id and 
tcp.key_id=ip.key_id and ip.key_id = data.key_id and src_ip= ip_src and 
dest_ip= ip_dst and src_port = tcp_srcport and dest_port = tcp_dstport and 
con_id = $con_id

and 
select id,substring(data.data,size),direction from connection_cache,data where 
connection_cache.id=data.key_id and con_id=$con_id group by id order by id 
limit $limit

This is extracted from the app source code (perl). (This app caches the 
reassembled streams in the first step to speed up reassembly some more).

For example suppose you wanted to know the number of unique mac addresses on 
the network and their relationship to ip addresses - you could then deduce a 
virtual network map from this and use something like graphviz to actually 
draw it. Potentially this can produce a network diagram from a quick dump 
file for easy visualisation of the network. 

Another thing we are doing is building a "knowledge base" of the capture, for 
example suppose we see pop3 connections from IP addresses we can associate 
usernames from the pop3 dissector with the IP address - so we can determine 
who is sitting on which machine, same thing with the NTLM stuff.

Im still convincing my employer to release the other app under gpl, but so far 
only the patch is available (which does most of the hard work anyway).

Michael.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+duxyZMnBgI6aclcRAj80AKDyhVpNlW+a+U9bCUxYQ9Uo6EbXNQCggmRj
MTf8yti6oTtVoSJw6qCZaxQ=
=q/7Q
-----END PGP SIGNATURE-----
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube