Tools from SANSFIRE
I love finding new tools. Maybe the functionality they provide is simply a shortcut to something I can do with other tools, eliminating a step or two and saving time, or else they might provide a way to do something I hadn't considered before. I came across a good number of new ones at SANSFIRE. I'll post the ones that caught my interest as I review my notes and books, in case one might fill a niche for you.
The first one is pcapcat. This is a Perl script which parses through a packet capture, identifies all the sessions by source IP and port and destination IP and port, and displays them for you. You then supply a filename and pcapcat writes out the chosen session to a new capture file. Not only does this save some keystrokes and time over using tcpdump with a hand-built BPF filter, but it's also a handy way to see all of the sessions quickly and determine which ones are of interest. The tool was written by Kristinn Gudjonsson to help answer a challenge on forensicscontest.com, which is found here. The actual code can be found here to paste into a new script on your analysis box.
Try it out and see if it'll help save you a little time (or if you're new to network security and aren't sure about all the tcpdump syntax yet, use this until you get up to speed).
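To make the workflow concrete, here is an added example that does the same job as pcapcat: list the sessions in a capture and copy one of them out to a new pcap. It is not pcapcat's own code (that is Perl; this is a Python stand-in written for this post using only the standard library), and the capture it works on is constructed inline from hand-built Ethernet/IPv4/TCP and UDP frames rather than taken from any real traffic. It assumes classic libpcap files with an Ethernet link type, groups both directions of a conversation into one session keyed by the first-seen direction, and ignores anything that is not IPv4 TCP or UDP.

```python
"""pcapcat-style session lister/extractor, standard library only (added example)."""
import os
import socket
import struct
import tempfile
from collections import OrderedDict

LINKTYPE_ETHERNET = 1
PROTO_NAMES = {6: "TCP", 17: "UDP"}
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def build_packet(src, sport, dst, dport, proto=6, payload=b""):
    """Constructed test frame: Ethernet + IPv4 + TCP/UDP. Checksums stay zero and
    MACs are fixed, because session listing only needs addresses, ports and proto."""
    if proto == 6:    # TCP: data offset 5, flags PSH|ACK, window 8192
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    elif proto == 17: # UDP: length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0,
                     0x4000, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + l4 + payload


def write_pcap(path, records):
    """records: iterable of (ts_sec, ts_usec, frame). Writes a little-endian pcap."""
    with open(path, "wb") as f:
        f.write(PCAP_HDR)
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame); accepts either byte order, Ethernet only."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0]
        end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
        if end is None:
            raise ValueError("not a classic pcap file (pcapng is not handled)")
        if struct.unpack(end + "I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("only Ethernet link type handled")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)


def flow_key(frame):
    """(proto, src, sport, dst, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (proto, socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport)


def list_sessions(frames):
    """Group frames into bidirectional sessions: key (first-seen direction) -> frame indices."""
    sessions, canon = OrderedDict(), {}
    for idx, frame in enumerate(frames):
        k = flow_key(frame)
        if k is None:
            continue
        proto, src, sport, dst, dport = k
        pair = (proto, frozenset([(src, sport), (dst, dport)]))  # direction-agnostic
        sessions.setdefault(canon.setdefault(pair, k), []).append(idx)
    return sessions


def format_sessions(sessions):
    return [f"[{n}] {PROTO_NAMES[p]} {s}:{sp} -> {d}:{dp} ({len(ix)} pkts)"
            for n, ((p, s, sp, d, dp), ix) in enumerate(sessions.items(), 1)]


def extract_session(in_path, out_path, number):
    """Copy the packets of session `number` (1-based, as listed) to out_path, keeping
    original timestamps and bytes so the extract stays faithful to the source capture."""
    records = list(read_pcap(in_path))
    sessions = list_sessions([r[2] for r in records])
    if not 1 <= number <= len(sessions):
        raise IndexError("no such session")
    keep = set(list(sessions.values())[number - 1])
    write_pcap(out_path, (r for i, r in enumerate(records) if i in keep))
    return len(keep)


def demo():
    """Constructed three-session capture: list it, then pull out session 2 (the DNS pair)."""
    frames = [
        build_packet("10.0.0.5", 49152, "192.0.2.10", 80, 6, b"GET / HTTP/1.1\r\n"),
        build_packet("192.0.2.10", 80, "10.0.0.5", 49152, 6, b"HTTP/1.1 200 OK\r\n"),
        build_packet("10.0.0.5", 53001, "10.0.0.1", 53, 17, b"\x12\x34"),
        build_packet("10.0.0.5", 49153, "192.0.2.20", 22, 6, b"SSH-2.0-x\r\n"),
        build_packet("10.0.0.1", 53, "10.0.0.5", 53001, 17, b"\x12\x34"),
    ]
    tmp = tempfile.mkdtemp()
    src, out = os.path.join(tmp, "all.pcap"), os.path.join(tmp, "session2.pcap")
    write_pcap(src, [(1000000000 + i, 0, f) for i, f in enumerate(frames)])
    listing = format_sessions(list_sessions([r[2] for r in read_pcap(src)]))
    n = extract_session(src, out, 2)
    return listing, n, list_sessions([r[2] for r in read_pcap(out)])


if __name__ == "__main__":
    listing, n, extracted = demo()
    print("\n".join(listing))
    print(f"wrote {n} packets; extracted session keys: {list(extracted)}")
```

The listing step is where the time saving comes from: you see every conversation once, numbered, instead of guessing at `host ... and port ...` filters. The extractor copies records byte-for-byte with their original timestamps rather than rebuilding them, which matters when the output is going into a forensic report. Like pcapcat, this is deliberately a thin parser; for pcapng, IPv6, VLAN tags or fragmented traffic you would reach for tcpdump, tshark or a full library instead of extending it.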