
Six commonly used Network Traffic feature extraction tools

2025-01-28 update. From: SLTechnology News&Howtos (Network Security).


Shulou (Shulou.com) 06/01 report.


In research on Internet user behavior analysis and anomaly detection, protocol identification and feature extraction are the main techniques for characterizing network traffic. This article introduces several commonly used tools for extracting network traffic features.

I. Wireshark

Wireshark is a widely used network packet analyzer. It can capture packets live from the network, display the full details of each packet, and analyze existing capture files such as those produced by tcpdump/WinDump or by Wireshark itself. Its capture and display filters let the user narrow the traffic down to what matters, and its analysis functions (conversation and endpoint statistics, stream following, protocol dissection) yield a variety of traffic features.

Download address: https://www.wireshark.org/

II. Tcptrace

Tcptrace analyzes captured TCP traffic from files. It accepts the output of several capture programs, including tcpdump, snoop, etherpeek, HP NetMetrix and WinDump. For each connection it reports statistics such as duration, bytes transferred, segments sent and received, retransmissions and round-trip time, and it can also produce a number of graphs for further analysis.

Download address: http://www.tcptrace.org/index.shtml

III. QPA

QPA is an open-source real-time traffic analysis tool built on per-process packet capture. Because capture is tied to the process, it can determine in real time which process each packet belongs to. Rules written as regular expressions extract features such as IP address, port, message length and payload content. QPA classifies traffic automatically by type, which makes analysis easier than working through it session by session.

Download address: http://git.oschina.net/qielige/openQPA

IV. Tstat

Tstat builds on Tcptrace (tool III above). It can capture packets live on ordinary PC hardware or on a dedicated capture card, and it can also process existing traces in various dump formats, including those supported by the libpcap library. Its bidirectional TCP flow analysis yields additional statistics such as congestion window size and out-of-order segments; the results distinguish the server side from the client side, and internal hosts from external hosts.

Tstat produces three kinds of measurement output: histograms, round-robin databases (RRD) and log files.

Tstat is tested on Linux (currently Ubuntu, Debian, Red Hat and CentOS) and on Mac OS X from 10.6 Snow Leopard through 10.11 El Capitan.

Download URL: http://tstat.tlc.polito.it/
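The following is an added example, not code from Wireshark, Tcptrace, QPA or Tstat, showing in pure Python what the four tools above do at their core: decode Ethernet/IPv4/TCP records from a pcap file, select packets the way a Wireshark display filter would, compute per-connection features of the kind Tcptrace and Tstat report (duration, packets and bytes per direction, SYN/FIN seen, retransmitted segments), and apply QPA-style regular-expression rules to payload content. The capture is constructed inline (RFC 5737 test addresses), and the rule set, address names and function names are assumptions made for the example.

```python
"""Added example, not code from any tool on this page: build a small pcap in memory, decode
Ethernet/IPv4/TCP, select packets Wireshark-filter style, and compute per-connection features
of the kind tcptrace/Tstat report, plus QPA-style regex rules over payload (all assumptions)."""
import re
import struct
from collections import namedtuple

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
Packet = namedtuple("Packet", "ts src sport dst dport seq flags payload")

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_tcp_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Classic little-endian pcap (magic 0xA1B2C3D4, LINKTYPE_ETHERNET, microsecond stamps)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

# Constructed capture: an HTTP connection whose request is retransmitted once, the start of a
# TLS handshake, and an ARP frame that the TCP decoder must skip (RFC 5737 test addresses).
C, S_HTTP, S_TLS = "192.0.2.10", "198.51.100.20", "198.51.100.30"
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"  # TLS record, handshake type 1
LQ, LR = len(HTTP_REQUEST), len(HTTP_RESPONSE)
SAMPLE_PCAP = build_pcap([
    (0.000, build_tcp_frame(C, 40000, S_HTTP, 80, 1000, 0, SYN)),
    (0.050, build_tcp_frame(S_HTTP, 80, C, 40000, 5000, 1001, SYN | ACK)),
    (0.051, build_tcp_frame(C, 40000, S_HTTP, 80, 1001, 5001, ACK)),
    (0.052, build_tcp_frame(C, 40000, S_HTTP, 80, 1001, 5001, PSH | ACK, HTTP_REQUEST)),
    (0.300, build_tcp_frame(C, 40000, S_HTTP, 80, 1001, 5001, PSH | ACK, HTTP_REQUEST)),  # retransmit
    (0.350, build_tcp_frame(S_HTTP, 80, C, 40000, 5001, 1001 + LQ, PSH | ACK, HTTP_RESPONSE)),
    (0.400, build_tcp_frame(C, 40000, S_HTTP, 80, 1001 + LQ, 5001 + LR, FIN | ACK)),
    (0.450, build_tcp_frame(S_HTTP, 80, C, 40000, 5001 + LR, 1002 + LQ, FIN | ACK)),
    (1.000, build_tcp_frame(C, 40001, S_TLS, 443, 2000, 0, SYN)),
    (1.020, build_tcp_frame(S_TLS, 443, C, 40001, 7000, 2001, SYN | ACK)),
    (1.021, build_tcp_frame(C, 40001, S_TLS, 443, 2001, 7001, ACK)),
    (1.022, build_tcp_frame(C, 40001, S_TLS, 443, 2001, 7001, PSH | ACK, TLS_CLIENT_HELLO)),
    (1.500, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),  # ARP
])

def parse_pcap(blob):
    """Decode every IPv4/TCP record in a classic (microsecond) pcap; other frames are skipped."""
    e = "<" if struct.unpack_from("<I", blob, 0)[0] == 0xA1B2C3D4 else ">"  # writer's byte order
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from(e + "IIII", blob, off)
        frame, off = blob[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4/TCP
            continue
        ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
        t = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, t)
        doff = (frame[t + 12] >> 4) * 4
        pkts.append(Packet(sec + usec / 1_000_000, ".".join(map(str, frame[26:30])), sport,
                           ".".join(map(str, frame[30:34])), dport, seq, frame[t + 13],
                           frame[t + doff:14 + total_len]))
    return pkts

def select(pkts, **fields):
    """Display-filter stand-in: select(pkts, dport=80) plays the role of 'tcp.dstport == 80'."""
    return [p for p in pkts if all(getattr(p, k) == v for k, v in fields.items())]

# QPA-style content rules (assumed rule set): a regex matched against each new data segment.
CONTENT_RULES = {
    "http-request": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n"),
    "http-response": re.compile(rb"^HTTP/1\.[01] \d{3} "),
    "tls-client-hello": re.compile(rb"^\x16\x03[\x00-\x03].{2}\x01", re.DOTALL),
}

def flow_features(pkts):
    """Per-connection features keyed by (client, cport, server, sport). As in tcptrace, whoever sent
    the first packet is the client (a2b); a data segment starting below the highest sequence
    already seen in its direction is counted as a retransmission (no 32-bit wraparound handling)."""
    flows = {}
    for p in pkts:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        key, d = (rev, "b2a") if rev in flows else (fwd, "a2b")
        f = flows.setdefault(key, {"first": p.ts, "last": p.ts, "syn": False, "fin": False,
                                   "pkts": {"a2b": 0, "b2a": 0}, "bytes": {"a2b": 0, "b2a": 0},
                                   "retrans": {"a2b": 0, "b2a": 0}, "labels": set(), "_next": {}})
        f["last"], f["pkts"][d] = max(f["last"], p.ts), f["pkts"][d] + 1
        f["syn"], f["fin"] = f["syn"] or bool(p.flags & SYN), f["fin"] or bool(p.flags & FIN)
        n = len(p.payload)
        if n:
            f["bytes"][d] += n
            expected = f["_next"].get(d, 0)
            if p.seq < expected:
                f["retrans"][d] += 1
            else:
                f["labels"].update(name for name, rx in CONTENT_RULES.items() if rx.match(p.payload))
            f["_next"][d] = max(expected, p.seq + n)
    for f in flows.values():
        f["duration"] = round(f["last"] - f["first"], 6)
        del f["_next"]
    return flows
```

To run it against a real trace, replace SAMPLE_PCAP with the bytes of a capture file and call parse_pcap, select and flow_features in that order. The decoder is deliberately minimal: it handles classic microsecond pcap only (not pcapng or the nanosecond magic), ignores IP options beyond the IHL, IP fragments and VLAN tags, does not validate checksums, and its retransmission test does not handle TCP sequence-number wraparound; Tcptrace and Tstat handle all of these, which is why one reaches for them on production captures.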

V. CapAnalysis

CapAnalysis is a network traffic analysis tool aimed at security analysts, system administrators and anyone who has to work through large volumes of captured traffic. It indexes sets of PCAP files and presents their contents in several forms, from lists of TCP, UDP or ESP flows to a geographic view of the connections. It can be installed on 32- and 64-bit Debian and Ubuntu systems.

Download address: http://www.capanalysis.net/ca/

VI. Xplico

Xplico's goal is to extract from Internet traffic the application data it carries. A complete Xplico system consists of a decoder manager, the IP/network decoder, data manipulators for reassembly, and a visualization system. It supports HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6 and other protocols.

Download address: http://www.xplico.org/archives/14

The following is a comparison of the functions and usage of the six tools; choose among them for a given analysis according to these characteristics.

Functional comparison of the six tools (where the source did not separate a row's marks by tool, the marks are given as found):

- Offline capture analysis: √ (a single mark survives in the source for this row)
- Real-time processing: Wireshark √, Tcptrace ×, QPA √, Tstat √, CapAnalysis ×, Xplico √
- Traffic visualization: Wireshark √, Tcptrace √, QPA ×, Tstat √, CapAnalysis √, Xplico √
- Viewing content features: √ (a single mark survives in the source for this row)
- Geolocation of the target IP: × × √ √ (four marks for six tools; the source does not say which)
- Monitoring specific media traffic: Wireshark ×, Tcptrace ×, QPA √, Tstat √, CapAnalysis ×, Xplico √
- Packet filtering: √ (a single mark survives in the source for this row)
- Interface: Wireshark windowed application, Tcptrace command line, QPA windowed application, Tstat Web, CapAnalysis Web, Xplico Web
- Live capture source: Wireshark PC hardware or capture card, Tcptrace ×, QPA per-process capture, Tstat PC hardware or capture card, CapAnalysis ×, Xplico PC hardware or capture card
- Operating environment: Wireshark Windows/Linux, Tcptrace Linux, QPA Windows, Tstat Linux/Mac OS/Android, CapAnalysis Linux, Xplico Linux

