DaCoPAn Analyzer

Configuration and installation

1. Unpack the archive.
2. Run the configure script to check your system configuration.
3. If the configure script complains about missing libraries or header files, install the required packages to satisfy the dependencies and run configure again. To compile the program you will need make, gcc ≥ 3.2 and libpcap ≥ 0.7.1 (earlier versions may work as well, but was not tested).
4. Run make command to build the program.
5. Run make install command to install the software.

The DaCoPAn Analyzer was only tested under Linux 2.4 and (most probably) will not compile for other operating systems.

For more details see the INSTALL file included with the source distribution.

Synopsis

Description

Options

Protocol events file

Examples

Analyzer usage

• dacopan-analyzer -v --- print version of the Analyzer
• dacopan-analyzer -i 10.0.0.1,10.0.0.2 dump1 dump2 --- create PEF file from the dump1 and dump2 files.
• dacopan-analyzer -i 192.168.0.1 dump1 -i 192.168.0.2 dump2 --dns=36255 -t 0.130000 --- create PEF file, specify DNS port and time alignment.
• dacopan-analyzer -i 192.168.0.1 dump1 -i 192.168.0.2 dump2 --http=3625 --- create PEF file, specify HTTP ports.
• dacopan-analyzer -i 192.168.0.1 dump1 -i 192.168.0.2 dump2 -o out.pef --- create PEF file with out.pef name.

tcpdump log files and PEF file

16:37:33.673745 10.0.0.1 > 10.0.0.2: (frag 40657:532@976) (ttl 64, len 552)
16:37:33.874760 10.0.0.1.36568 > 10.0.0.2.36264: [bad udp cksum 2f1!] udp 1500 (frag 40657:976@0+) (ttl 64, len 996)
16:37:35.676990 10.0.0.1 > 10.0.0.2: (frag 40658:556@1952) (ttl 64, len 576)
16:37:35.878496 10.0.0.1 > 10.0.0.2: (frag 40658:976@976+) (ttl 64, len 996)
16:37:35.879481 10.0.0.1.36569 > 10.0.0.2.36265: [bad udp cksum 404a!] udp 2500 (frag 40658:976@0+) (ttl 64, len 996)

16:37:33.567000 10.0.0.1 > 10.0.0.2: (frag 40657:532@976) (ttl 64, len 552)
16:37:33.567006 10.0.0.1.36568 > 10.0.0.2.36264: [bad udp cksum 2f1!] udp 1500 (frag 40657:976@0+) (ttl 64, len 996)
16:37:35.569742 10.0.0.1 > 10.0.0.2: (frag 40658:556@1952) (ttl 64, len 576)
16:37:35.569748 10.0.0.1 > 10.0.0.2: (frag 40658:976@976+) (ttl 64, len 996)
16:37:35.569892 10.0.0.1.36569 > 10.0.0.2.36265: [bad udp cksum 404a!] udp 2500 (frag 40658:976@0+) (ttl 64, len 996)

<?xml version="1.0"?>
<!DOCTYPE protocol_events SYSTEM "http://www.cs.helsinki.fi/group/dacopan/events.dtd">

<!--
    Created by: dacopan-analyzer version 1.0rc1.
    Tue May 25 18:33:03 2004
-->

<protocol_events>

    <hosts>
        <host id="H1" ip="10.0.0.2"/>
        <host id="H2" ip="10.0.0.1"/>
    </hosts>

    <flows>
        <flow id="F1" host1="H1" port1="36568" host2="H2" port2="36264"/>
        <flow id="F2" host1="H1" port1="36569" host2="H2" port2="36265"/>
    </flows>

    <links>
        <link id="K1" host1="H1" host2="H2"/>
    </links>

    <layers>
        <layer id="L1" name="network">
            <protocol id="P2" name="net_unknown"/>
            <protocol id="P0" name="ipv4"/>
        </layer>
        <layer id="L2" name="transport">
            <protocol id="P5" name="trans_unknown"/>
            <protocol id="P3" name="tcp"/>
            <protocol id="P4" name="udp"/>
        </layer>
        <layer id="L3" name="application">
            <protocol id="P8" name="application_unknown"/>
            <protocol id="P7" name="http"/>
            <protocol id="P6" name="dns"/>
        </layer>
    </layers>

    <variables>
        <variable name="tos" protocol="P0" scope="unit-field"/>
        <variable name="tot_len" protocol="P0" scope="unit-field"/>
        <variable name="id" protocol="P0" scope="unit-field"/>
        <variable name="flag_rf" protocol="P0" scope="unit-field"/>
        <variable name="flag_df" protocol="P0" scope="unit-field"/>
        <variable name="flag_mf" protocol="P0" scope="unit-field"/>
        <variable name="frag_off" protocol="P0" scope="unit-field"/>
        <variable name="ttl" protocol="P0" scope="unit-field"/>
        <variable name="protocol" protocol="P0" scope="unit-field"/>
        <variable name="source_addr" protocol="P0" scope="unit-field"/>
        <variable name="dest_addr" protocol="P0" scope="unit-field"/>
        <variable name="source_port" protocol="P3" scope="unit-field"/>
        <variable name="dest_port" protocol="P3" scope="unit-field"/>
        <variable name="seq" protocol="P3" scope="unit-field"/>
        <variable name="ack_seq" protocol="P3" scope="unit-field"/>
        <variable name="window" protocol="P3" scope="unit-field"/>
        <variable name="urg_pointer" protocol="P3" scope="unit-field"/>
        <variable name="flag_fin" protocol="P3" scope="unit-field"/>
        <variable name="flag_syn" protocol="P3" scope="unit-field"/>
        <variable name="flag_rst" protocol="P3" scope="unit-field"/>
        <variable name="flag_psh" protocol="P3" scope="unit-field"/>
        <variable name="flag_ack" protocol="P3" scope="unit-field"/>
        <variable name="flag_urg" protocol="P3" scope="unit-field"/>
        <variable name="data_offset" protocol="P3" scope="unit-field"/>
        <variable name="source_port" protocol="P4" scope="unit-field"/>
        <variable name="dest_port" protocol="P4" scope="unit-field"/>
        <variable name="len" protocol="P4" scope="unit-field"/>
        <variable name="method" protocol="P7" scope="unit-field"/>
        <variable name="url" protocol="P7" scope="unit-field"/>
        <variable name="version" protocol="P7" scope="unit-field"/>
        <variable name="status_code" protocol="P7" scope="unit-field"/>
        <variable name="phrase" protocol="P7" scope="unit-field"/>
        <variable name="connection" protocol="P7" scope="unit-field"/>
        <variable name="content_length" protocol="P7" scope="unit-field"/>
        <variable name="content_type" protocol="P7" scope="unit-field"/>
        <variable name="cookie" protocol="P7" scope="unit-field"/>
        <variable name="date" protocol="P7" scope="unit-field"/>
        <variable name="host" protocol="P7" scope="unit-field"/>
        <variable name="user_agent" protocol="P7" scope="unit-field"/>
        <variable name="trans_time" protocol="P2 P0 P5 P3 P4 P8 P7" scope="unit"/>
        <variable name="sent_time" protocol="P2 P0 P5 P3 P4 P8 P7" scope="unit"/>
        <variable name="data" protocol="P8 P7" scope="unit"/>
    </variables>

    <events>
        <unit_sent id="U1" source="H2" destination="H1" protocol="P8" time="0.000000" children="U2" flow="F1">
            <value name="sent_time">0.000000</value>
            <value name="trans_time">0.307760</value>
            <value name="data"><![CDATA[\0x00\0x00\0x00\0x00@<\0x97\0x0d\0x00\0x08\0xa6\0xc9DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD]]></value>
        </unit_sent>
        <unit_sent id="U2" source="H2" destination="H1" protocol="P4" time="0.000000" children="U3 U4" flow="F1">
            <value name="sent_time">0.000000</value>
            <value name="trans_time">0.307760</value>
            <value name="source_port">36568</value>
            <value name="dest_port">36264</value>
            <value name="len">1508</value>
        </unit_sent>
        <unit_sent id="U4" source="H2" destination="H1" protocol="P0" time="0.000000">
            <value name="sent_time">0.000000</value>
            <value name="trans_time">0.106745</value>
            <value name="tos">0</value>
            <value name="tot_len">552</value>
            <value name="id">40657</value>
            <value name="flag_rf">0</value>
            <value name="flag_df">1</value>
            <value name="flag_mf">0</value>
            <value name="frag_off">976</value>
            <value name="ttl">64</value>
            <value name="protocol">17</value>
            <value name="check">34167</value>
            <value name="source_addr">10.0.0.1</value>
            <value name="dest_addr">10.0.0.2</value>
        </unit_sent>
        <unit_sent id="U3" source="H2" destination="H1" protocol="P0" time="0.000006">
            <value name="sent_time">0.000006</value>
            <value name="trans_time">0.307754</value>
            <value name="tos">0</value>
            <value name="tot_len">996</value>
            <value name="id">40657</value>
            <value name="flag_rf">0</value>
            <value name="flag_df">1</value>
            <value name="flag_mf">1</value>
            <value name="frag_off">0</value>
            <value name="ttl">64</value>
            <value name="protocol">17</value>
            <value name="check">25653</value>
            <value name="source_addr">10.0.0.1</value>
            <value name="dest_addr">10.0.0.2</value>
        </unit_sent>
        <unit_received id="U4" time="0.106745"/>
        <unit_received id="U3" time="0.307760"/>
        <unit_received id="U2" time="0.307760"/>
        <unit_received id="U1" time="0.307760"/>
        <unit_sent id="U5" source="H2" destination="H1" protocol="P8" time="2.002742" children="U6" flow="F2">
            <value name="sent_time">2.002742</value>
            <value name="trans_time">0.309739</value>
            <value name="data"><![CDATA[\0x00\0x00\0x00\0x00@<\0x97\0x0f\0x00\0x08\0xb1\0x83DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD]]></value>
        </unit_sent>
        <unit_sent id="U6" source="H2" destination="H1" protocol="P4" time="2.002742" children="U7 U8 U9" flow="F2">
            <value name="sent_time">2.002742</value>
            <value name="trans_time">0.309739</value>
            <value name="source_port">36569</value>
            <value name="dest_port">36265</value>
            <value name="len">2508</value>
        </unit_sent>
        <unit_sent id="U9" source="H2" destination="H1" protocol="P0" time="2.002742">
            <value name="sent_time">2.002742</value>
            <value name="trans_time">0.107248</value>
            <value name="tos">0</value>
            <value name="tot_len">576</value>
            <value name="id">40658</value>
            <value name="flag_rf">0</value>
            <value name="flag_df">1</value>
            <value name="flag_mf">0</value>
            <value name="frag_off">1952</value>
            <value name="ttl">64</value>
            <value name="protocol">17</value>
            <value name="check">34020</value>
            <value name="source_addr">10.0.0.1</value>
            <value name="dest_addr">10.0.0.2</value>
        </unit_sent>
        <unit_sent id="U8" source="H2" destination="H1" protocol="P0" time="2.002748">
            <value name="sent_time">2.002748</value>
            <value name="trans_time">0.308748</value>
            <value name="tos">0</value>
            <value name="tot_len">996</value>
            <value name="id">40658</value>
            <value name="flag_rf">0</value>
            <value name="flag_df">1</value>
            <value name="flag_mf">1</value>
            <value name="frag_off">976</value>
            <value name="ttl">64</value>
            <value name="protocol">17</value>
            <value name="check">25530</value>
            <value name="source_addr">10.0.0.1</value>
            <value name="dest_addr">10.0.0.2</value>
        </unit_sent>
        <unit_sent id="U7" source="H2" destination="H1" protocol="P0" time="2.002892">
            <value name="sent_time">2.002892</value>
            <value name="trans_time">0.309589</value>
            <value name="tos">0</value>
            <value name="tot_len">996</value>
            <value name="id">40658</value>
            <value name="flag_rf">0</value>
            <value name="flag_df">1</value>
            <value name="flag_mf">1</value>
            <value name="frag_off">0</value>
            <value name="ttl">64</value>
            <value name="protocol">17</value>
            <value name="check">25652</value>
            <value name="source_addr">10.0.0.1</value>
            <value name="dest_addr">10.0.0.2</value>
        </unit_sent>
        <unit_received id="U9" time="2.109990"/>
        <unit_received id="U8" time="2.311496"/>
        <unit_received id="U7" time="2.312481"/>
        <unit_received id="U6" time="2.312481"/>
        <unit_received id="U5" time="2.312481"/>
    </events>

</protocol_events>

Frequently Asked Questions

How can I produce PEF file?

1. first start tcpdump in each host with necessary options (for example filters unwanted data)
2. use the network between hosts (We belive that you know how)
3. stop tcpdump tools
4. using analyzer produce PEF file.

Why produced PEF files does not have events?

The hosts has a different time. How I can correct it?