We are working on a project to place internal firewalls between very busy segments of our network. We have captured several hundred GB worth of traffic using Ethereal/Wireshark. We use editcap to save the file as a NetMon v2 file and then use Log Parser 2.2 to push the converted files into SQL 2000/2005. Once the data exists within a database we write summary reports to group the traffic by sites (several).
Example (not checked for this post):

site01: lt-tcp/1023 <=> site02: gt-tcp/1023
site01: gt-tcp/1023 <=> site02: lt-tcp/1023
site01: gt-tcp/1023 <=> site02: gt-tcp/1023
site01: lt-tcp/1023 <=> site02: lt-tcp/1023
site01: lt-tcp/1023 <=> site02: lt-tcp/1023
site01: tcp/123 <=> site02: tcp/123
gt = >
lt = <
Once we have identified all permitted traffic we then write nested ACLs to have SQL 2005 Reporting generate our ACLs automagically.
The reason I am asking this question in the forum is that we have noticed that Log Parser does not have a protocol column. All non-TCP packets are dropped when Log Parser pipes the NetMon v2 logs into SQL.
Text output from the capture file that includes frame/packet number 123:
No. Time Source Destination Protocol Info
123 11.394410 10.10.100.1 10.10.24.101 Syslog LOCAL4.NOTICE: %REMOVED-5-111008: User 'REMOVED' executed the 'REMOVED' command.\n
Frame 123 (116 bytes on wire, 116 bytes captured)
Ethernet II, Src: ExtremeN_10:ef:c0 (00:01:30:10:ef:c0), Dst: HewlettP_cf:b7:5b (00:13:21:cf:b7:5b)
Internet Protocol, Src: 10.10.100.1 (10.10.100.1), Dst: 10.10.24.101 (10.10.24.101)
User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
Source port: syslog (514)
Destination port: syslog (514)
Length: 82
Checksum: 0xd094 [correct]
Syslog message: LOCAL4.NOTICE: %REMOVED-5-111008: User 'REMOVED' executed the 'REMOVED' command.\n
Here is the exported data after running: C:\Program Files\Log Parser 2.2>logparser -i:NETMON -o:CSV "select * INTO NetMonOutput.csv from testing.cap"
C:\Program Files\Log Parser 2.2\testing.cap 122 11/21/2006 14:18 106 00013010EFC0 10.10.removed.removed 22 001321CFB75B 10.10.24.101 2251 4 253 AP 955091222 2910384781 8192 52 .ch.u.E{...3.....S.^.k..6x]....o...vv.o'..HR....o.N_ 1
C:\Program Files\Log Parser 2.2\testing.cap 124 11/21/2006 14:18 54 001321CFB75B 10.10.removed.removed 2251 00013010EFC0 10.10.100.1 22 4 128 A 2910384781 955091274 15732 0 1
As you can see, Log Parser drops any non-TCP packets when outputting to any format from NetMon v2 (tested v1 as well, with the same results).
Anyone?
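Added example (not from the poster or from Log Parser): a small Python version of the site/port-class summary described above, run over a constructed packet list that still carries a protocol column, plus a check that reports which protocols vanished between the decoded capture and the imported table. The site prefixes, the 123/514 service-port exceptions and the "1023 counts as lt" rule are assumptions for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical site map (constructed): address prefix -> site name.
SITES = {ip_network("10.10.100.0/24"): "site01", ip_network("10.10.24.0/24"): "site02"}

# Constructed sample of decoded packets, as a capture-to-CSV export would look
# if the protocol column survived: (src_ip, src_port, dst_ip, dst_port, proto).
PACKETS = [
    ("10.10.100.1", 514, "10.10.24.101", 514, "udp"),     # syslog: the kind of row that gets lost
    ("10.10.100.1", 22, "10.10.24.101", 2251, "tcp"),
    ("10.10.24.101", 2251, "10.10.100.1", 22, "tcp"),     # reply to the row above
    ("10.10.24.50", 123, "10.10.100.1", 123, "udp"),
    ("10.10.100.7", 40000, "10.10.24.101", 443, "tcp"),
]

def site_of(ip):
    """Map an address to its site name via the prefix table; unknown prefixes become 'other'."""
    addr = ip_address(ip)
    for net, name in SITES.items():
        if addr in net:
            return name
    return "other"

def port_class(proto, port):
    # Assumption: keep the exact port for ntp/syslog (123, 514), like the post's "tcp/123" row;
    # everything else is bucketed into lt/gt 1023 as in the post's summary (1023 itself counted as lt).
    if port in (123, 514):
        return f"{proto}/{port}"
    return f"lt-{proto}/1023" if port <= 1023 else f"gt-{proto}/1023"

def summarize(packets):
    """Count packets per (site, port class) pair; the pair is sorted so a reply merges with its request."""
    counts = Counter()
    for src, sport, dst, dport, proto in packets:
        a = (site_of(src), port_class(proto, sport))
        b = (site_of(dst), port_class(proto, dport))
        counts[tuple(sorted((a, b)))] += 1
    return counts

def report(packets):
    """Render the summary in the post's 'site: class <=> site: class' form, with a packet count."""
    return [f"{a[0]}: {a[1]} <=> {b[0]}: {b[1]}  ({n})" for (a, b), n in sorted(summarize(packets).items())]

def protocols_lost(captured, imported):
    """Protocols seen in the decoded capture but absent after import; non-empty means the ACL set will be incomplete."""
    return {p[4] for p in captured} - {p[4] for p in imported}

if __name__ == "__main__":
    print("\n".join(report(PACKETS)))
    print("lost on import:", protocols_lost(PACKETS, [p for p in PACKETS if p[4] == "tcp"]))
```

Running the check against a TCP-only import, as happened in the post, reports that UDP was lost, so the syslog and NTP rows would never make it into the generated ACLs.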