tcpdump network packet capture: sending (collecting) data remotely

This post introduces several tools for remote network capture, analysis and monitoring, including Ecap, Tele Traffic Tapper (TTT), Fprobe, Zeek, Driftnet and Argus. It also covers building a NetFlow analysis platform with nprobe and ELK, and discusses tcpdump's remote-capture features such as rpcapd. It also mentions Wireshark's remote-capture support and its implementations on different platforms, such as rpcapd-linux.
Summary generated automatically by CSDN

tcpdump: sending (collecting) data remotely

http://www.tcpdump.org/related.html

ECap

https://bitbucket.org/nathanj/ecap/wiki/Home
Ecap (external capture) is a distributed network sniffer with a web front-end.

Ecap was written many years ago in 2005, but a post on the tcpdump-workers mailing list requested a similar application… so here it is.

It would be fun to update it and work on it again if there’s any interest.

Tele Traffic Tapper

https://www2.sonycsl.co.jp/person/kjc/kjc/software.html#ttt
TTT: Tele Traffic Tapper
TTT is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won’t replace tcpdump, rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.

https://www2.sonycsl.co.jp/person/kjc/kjc/software.html

Fprobe: a NetFlow export tool for Linux

Fprobe captures packets via libpcap and exports them in NetFlow format to an analysis host, which greatly simplifies network management and monitoring.

Have Fprobe listen on eth0 and export NetFlow to 127.0.0.1:9995:

fprobe -i eth0 127.0.0.1:9995

Nfsen can serve as the NetFlow analysis end. Check whether NetFlow data is actually being exported:

tcpdump -i lo -nn port 9995
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
14:49:33.004041 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 1464
14:49:43.006334 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 1464
14:49:48.003252 IP 127.0.0.1.57368 > 127.0.0.1.9995: UDP, length 264
14:49:53.002271 IP 127.0.0
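Seeing UDP datagrams on port 9995 only proves that something is being sent; to confirm they are well-formed NetFlow exports, here is an added Python example (not code from the original post or from fprobe) that decodes a NetFlow v5 datagram with a strict length check. It assumes fprobe's default v5 export, which is consistent with the 1464-byte datagrams above (24-byte header plus 30 records of 48 bytes) and the 264-byte one (5 records); the sample datagram and flows are constructed inline.

```python
import socket
import struct

# NetFlow v5 layout: 24-byte header followed by up to 30 fixed 48-byte flow records.
# 24 + 30 * 48 = 1464, the UDP length tcpdump reported for the full datagrams above.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30

def parse_netflow_v5(datagram):
    """Decode one v5 export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_seq, _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A collector must not trust 'count' blindly: check it against the real length.
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "unix_secs": unix_secs,
              "flow_sequence": flow_seq, "sampling": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "bytes": f[6], "sport": f[9],
                        "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return header, records

def build_sample_datagram(flows):
    """Constructed v5 datagram for offline testing (not captured from fprobe)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 0, 0,
                       pk, by, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, by in flows)
    hdr = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, 0, 0, 0, 0)
    return hdr + body

# (src, dst, sport, dport, proto, packets, bytes): constructed sample flows
SAMPLE_FLOWS = [("10.0.0.5", "10.0.0.9", 51234, 22, 6, 12, 1880),
                ("10.0.0.9", "10.0.0.5", 22, 51234, 6, 10, 2200)]

def collect_one(bind=("127.0.0.1", 9995)):
    """Receive one datagram at the address fprobe exports to (127.0.0.1:9995 here)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    data, peer = sock.recvfrom(2048)
    return peer, parse_netflow_v5(data)
```

Run collect_one() on the collector host while fprobe is exporting; a datagram whose record count disagrees with its length is rejected rather than partially decoded.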