tcpdump -vttttnneli eth0 | parsers/tcpdump2csv.pl "sip dip dport"
18:46:27.849292 IP 192.168.0.1.39559 > 127.0.0.1.80: S 1440554803:1440554803(0) win 32767
18:46:27.849389 IP 192.168.0.1.80 > 127.0.0.1.39559: S 1448343500:1448343500(0) ack 1440554804 win 32767
192.168.0.1,127.0.0.1,80
192.168.0.1,127.0.0.1,80
cat file.csv | perl afterglow.pl -c color.properties > file.dot
tcpdump -vttttnnelr /home/ram/defcon.tcpdump | ./tcpdump2csv.pl "sip dip dport" | \
perl afterglow.pl -c color.properties | neato -Tgif -o test.gif
tshark -r file.pcap -e ip.dst -e ip.src -e tcp.srcport -T fields -E separator=, -R "tcp and tcp.flags.syn==1 and tcp.flags.ack==1" | sort | uniq > ipdst_ipsrc_tcpsrc.csv
tshark -r file.pcap -e ip.src -e ip.dst -e tcp.dport -T fields -E separator=, -R "tcp and tcp.flags.syn==1 and tcp.flags.ack==0" | sort | uniq > ipdst_ipsrc_tcpsrc.csv
# AfterGlow Color Property File
#
# @fields is the array containing the parsed values
# color.source is the color for source nodes
# color.event is the color for event nodes
# color.target is the color for target nodes
#
# The first match wins
#
# Source column ($fields[0]): the three address prefixes below get their own
# colour; any other source falls through to the unconditional "red" line, so
# that line must stay last.
# NOTE(review): /^172\.16\./ only covers 172.16.0.0/16, not the whole
# 172.16.0.0/12 range; widen the pattern if that is the intent.
color.source="yellow" if ($fields[0]=~/^192\.168\..*/);
color.source="greenyellow" if ($fields[0]=~/^10\..*/);
color.source="lightyellow4" if ($fields[0]=~/^172\.16\..*/);
color.source="red"
# Event column ($fields[1]): same prefix scheme as the source column.
color.event="yellow" if ($fields[1]=~/^192\.168\..*/)
color.event="greenyellow" if ($fields[1]=~/^10\..*/)
color.event="lightyellow4" if ($fields[1]=~/^172\.16\..*/)
color.event="red"
# Target column ($fields[2]) is a port: ports below 1024 (the well-known /
# privileged range) are blue, everything else light blue. The comparison is
# numeric, so a non-numeric third column compares as 0 and lands in "blue".
color.target="blue" if ($fields[2]<1024)
color.target="lightblue"
perl afterglow.pl [-adhnstv] [-b lines] [-c conffile] [-e length] [-f threshold ] [-g threshold] [-l lines] [-o threshold] [-p mode] [-x color] [-m maxsize]
-a : turn off labelling of the output graph with the configuration used
-b lines : number of lines to skip (e.g., 1 for header line)
-c conffile : color config file
-d : print node count
-e length : edge length
-f threshold : source fan out threshold
-g threshold : event fan out threshold (only in three node mode)
-h : this (help) message
-l lines : the maximum number of lines to read
-m : the maximum size for a node
-n : don't print node labels
-o threshold : omit threshold (minimum count for nodes to be displayed). Non-connected nodes will be filtered too.
-p mode : split mode for predicate nodes where mode is
    0 = only one unique predicate node (default)
    1 = one predicate node per unique subject node.
    2 = one predicate node per unique target node.
    3 = one predicate node per unique source/target node.
-s : split subject and object nodes
-t : two node mode (skip over objects)
-u : export URL tags
-v : verbose output
-x : text label color
"red" if (field() eq "foo");

match("regex")
Matches the current field and returns 0 or 1, depending on whether the regular expression (regex) matched.
match("[0-9]")

regex_replace()
return ($globalField =~ /$regex/)[0];

subnet()
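# subnet($ip, $cidr) -- the subnet() helper documented above.
#
# Returns 1 when the dotted-quad $ip lies inside the network given as
# "a.b.c.d/prefix", and 0 otherwise. Malformed input now also yields 0:
# the original version let pack("C4") coerce a non-numeric octet to 0 and
# treated a network spec without "/prefix" as an all-zero mask, so garbage
# such as "192.168.a.1" or "192.168.0.0" (no prefix) matched everything.
# The two temporaries that used to be undeclared are now lexical so the
# function is clean under `use strict`.
sub subnet {
    my ($value, $value2) = @_;

    # Address under test must be a well-formed IPv4 address.
    my $ip = _ipv4_to_int($value);
    return 0 unless defined $ip;

    # Network must be "dotted-quad/prefix" with a numeric prefix in 0..32;
    # anchored so trailing junk cannot ride along in the prefix field.
    my ($network_str, $prefix) = $value2 =~ m{\A([^/]+)/(\d{1,2})\z}
        or return 0;
    return 0 if $prefix > 32;
    my $network = _ipv4_to_int($network_str);
    return 0 unless defined $network;

    # Build the netmask without ever shifting by 32, which is not portable
    # on 32-bit builds; the /0 case is handled explicitly and the result is
    # clamped to 32 bits so 64-bit builds give the same value.
    my $mask = $prefix == 0 ? 0 : (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF;

    return (($ip & $mask) == ($network & $mask)) ? 1 : 0;
}

# _ipv4_to_int($text) -- dotted-quad string to a 32-bit integer.
# Returns undef (empty list) unless $text is exactly four decimal octets,
# each in 0..255.
sub _ipv4_to_int {
    my ($text) = @_;
    return unless defined $text;
    # Limit -1 keeps trailing empty fields, so "1.2.3." is rejected as
    # four fields with an empty last octet rather than silently accepted.
    my @octets = split /\./, $text, -1;
    return unless @octets == 4;
    for my $octet (@octets) {
        return unless $octet =~ /\A\d{1,3}\z/ && $octet <= 255;
    }
    return unpack("N", pack("C4", @octets));
}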