1.7. Analysis Tools

1.7.1. Perf

Available for: Linux

The Perf agent responds to object type PERF.

srctaps
list of IP addresses where the agent group should place source taps
dsttaps
list of IP addresses where the agent group should place victim taps
src
set to restrict tap and analysis to a specific source net
dst
set to restrict tap and analysis to a specific destination net
proto
set to restrict tap to a specific protocol

When a START event is received, the perf agent starts tcpdump on the specified interfaces with the specified traffic filters. When the STOP event is received, the agent stops all tcpdump instances. Once they are stopped, you can send a COMPUTE event. This causes the group of agents to collect all the tcpdump files on one node (transferred via ssh over the control plane) and run the analysis on each src/dst combination. For example, if srctaps=(1.2.3.4, 5.6.7.8) and dsttaps=(5.5.5.5), it will run perf with the combinations

  • 1.2.3.4 and 5.5.5.5
  • 5.6.7.8 and 5.5.5.5

The results are placed on the control node and then retrieved via the GUI, which displays them in a small window. You can also send the events ATTACK_START and ATTACK_STOP to mark the start and end of an attack; perf will then only perform computations on packets captured during that time period.
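
The pairing and attack-window behaviour described above, as an added Python sketch that is not the perf agent's own code. The record layout, the function names and the delivery/loss metric are assumptions made for illustration; the page does not say which statistics perf computes.

```python
from itertools import product

# Constructed per-tap records standing in for the collected tcpdump files:
# tap IP -> list of (timestamp_seconds, packet_id, length_bytes).
CAPTURES = {
    "1.2.3.4": [(1.0, "a1", 100), (6.0, "a2", 100), (7.0, "a3", 100), (12.0, "a4", 100)],
    "5.6.7.8": [(2.0, "b1", 200), (6.5, "b2", 200), (8.0, "b3", 200)],
    "5.5.5.5": [(1.1, "a1", 100), (6.1, "a2", 100), (2.1, "b1", 200),
                (6.6, "b2", 200), (8.1, "b3", 200), (12.1, "a4", 100)],
}

def tap_pairs(srctaps, dsttaps):
    """Every source tap is analysed against every victim tap."""
    return list(product(srctaps, dsttaps))

def analyze(captures, srctaps, dsttaps, attack_start=None, attack_stop=None):
    """Per-pair delivery statistics (assumed metric), limited to the
    ATTACK_START..ATTACK_STOP window when one is given."""
    def in_window(ts):
        return ((attack_start is None or ts >= attack_start) and
                (attack_stop is None or ts <= attack_stop))

    results = {}
    for src, dst in tap_pairs(srctaps, dsttaps):
        # Packets that passed the source tap during the window.
        sent = {pid: length for ts, pid, length in captures[src] if in_window(ts)}
        # Of those, the ones that also show up at the victim tap.
        seen_at_dst = {pid for _, pid, _ in captures[dst]}
        delivered = [pid for pid in sent if pid in seen_at_dst]
        results[(src, dst)] = {
            "sent": len(sent),
            "delivered": len(delivered),
            "delivered_bytes": sum(sent[pid] for pid in delivered),
            "loss": 1 - len(delivered) / len(sent) if sent else 0.0,
        }
    return results

if __name__ == "__main__":
    # Window of 5.0 to 10.0 seconds plays the role of ATTACK_START/ATTACK_STOP.
    stats = analyze(CAPTURES, ["1.2.3.4", "5.6.7.8"], ["5.5.5.5"], 5.0, 10.0)
    for pair, values in stats.items():
        print(pair, values)
```

Without the two window arguments the same call covers the whole capture, which is the case where no ATTACK_START and ATTACK_STOP events were sent.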

1.7.2. TCPDump

Available for: Linux, BSD, Windows

The TCPDump agent responds to object type TCPDUMP.

taps
list of IP addresses where the agent group should run tcpdump instances
filter
BPF filter passed on to tcpdump
caplen
packet capture length in bytes
file
prefix to use for tcpdump file, default is ‘default’

The TCPDump agent is a direct interface to tcpdump. It simply starts tcpdump on the selected interfaces and saves the dump files in /space on each node. You do not need to use this interface if you are using the perf agent, because the perf agent starts a tcpdump instance for you.