-----Original Message-----
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYN and ACKs, e.g., or to look for a pattern in a URL, or just to get some time diffs, e.g. when an ACK is sent but the client is waiting for data, etc.
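As an added example (not code from either message, and not any existing tool), here is a small Python script for one of the checks asked about above: it parses the text output of `tcpdump -n`, pairs each SYN with its SYN-ACK to give the handshake time difference, and lists SYNs that never received an answer. The sample lines are constructed to look like tcpdump output.

```python
import re

# One tcpdump -n text line: timestamp, src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_ts(ts):
    """Convert HH:MM:SS.micro into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def handshake_report(lines):
    """Pair SYNs with SYN-ACKs.

    Returns (latencies, unanswered): latencies maps (client, server) to the
    SYN -> SYN-ACK delay in seconds; unanswered lists (client, server) pairs
    whose SYN never got a SYN-ACK in the capture (half-open attempts).
    """
    pending = {}    # (client, server) -> time of the SYN
    latencies = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if m["flags"] == "S":            # SYN: remember when it was sent
            pending[(src, dst)] = t
        elif m["flags"] == "S.":         # SYN-ACK flows server -> client
            key = (dst, src)             # so swap back to (client, server)
            if key in pending:
                latencies[key] = t - pending.pop(key)
    return latencies, sorted(pending)

# Constructed sample: one fast handshake, one unanswered SYN to port 23,
# one slow handshake; the bare ACK line is ignored by the matcher.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000350 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:00.000500 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [.], ack 101, win 65535, length 0
12:00:01.000000 IP 10.0.0.1.40001 > 10.0.0.2.23: Flags [S], seq 5, win 65535, length 0
12:00:02.500000 IP 10.0.0.1.40002 > 10.0.0.2.80: Flags [S], seq 9, win 65535, length 0
12:00:02.750000 IP 10.0.0.2.80 > 10.0.0.1.40002: Flags [S.], seq 200, ack 10, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    lat, unanswered = handshake_report(SAMPLE)
    for (client, server), delay in lat.items():
        print(f"{client} -> {server}: SYN-ACK after {delay * 1000:.3f} ms")
    for client, server in unanswered:
        print(f"{client} -> {server}: SYN never answered")
```

Feed it real output with `tcpdump -n -r capture.pcap tcp | python3 script.py` after replacing `SAMPLE` with `sys.stdin`; a long tail of unanswered SYNs from one source is the pattern to look at first.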
For anomaly detection there is Ourmon. It can be downloaded at: http://jerry.cat.pdx.edu/ourmon/download.html
You can preview it running at Portland State University at: http://jerry.cat.pdx.edu/ourmon/
However, I believe this isn't as detailed or low-level as what you're looking for. In any case, it's a great tool for seeing unusual patterns or strange behavior on your network.

Tony