Author: Martin Dvorsky
Greenbone Vulnerability Manager (formerly OpenVAS) is the most popular open source vulnerability scanner.
In this tutorial we will install, configure and prepare GVM v10 for use with CLI only.
NetworkMiner is a network forensic analysis tool (NFAT) for Windows operating systems. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. NetworkMiner’s primary purpose is the collection of data regarding network hosts, rather than data regarding network traffic. In addition to live capture, NetworkMiner can also parse PCAP files for offline analysis and regenerate/reassemble transmitted files and certificates from them. This function can be used for extraction and archiving of media files transferred through the network. Supported file extraction protocols are FTP, SMB and HTTP. Extracted user credentials (username and password) for supported protocols can be found in the Credentials tab. Other useful features include keyword search in the captured/archived data and Nmap MAC vendor lookup.
Xplico is an open-source NFAT. The goal of Xplico is the extraction of application data contained in a capture sample of Internet traffic. For example, Xplico can export all e-mails (POP, IMAP and SMTP), HTTP contents, VoIP calls, FTP and TFTP files, etc.
Elastic Stack provides reliable and safe transfer of data of any format from any source, together with real-time searching, analysis and visualization. Elastic Stack consists of Kibana, Elasticsearch, Beats and Logstash. Elasticsearch is a search and analytics engine. Beats is a data gathering platform. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch. Kibana lets users visualize the data stored in Elasticsearch with charts and graphs.
Sguil is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event-driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, BSD, Solaris, MacOS, and Win32).
Version: 0.7.4
Nload is a console application which monitors network traffic and bandwidth usage in real time. The gathered statistics are displayed in two separate graphs (one for uplink and one for downlink). Nload also provides detailed information about the total amount of transferred data and the average, minimum and maximum transfer rate. We used this application in its simplest mode, nload followed by the interface name. There are, however, many different display options and additional configuration options you can read about in the application’s man page – $ man nload.
Installation:
apt-get install nload
Use:
nload enp0s9
Abort: Ctrl+C or “q”
Version: 1.25
Iftop is an application which monitors network traffic on a specified interface or, if no interface is specified, on the first interface it manages to find. Current bandwidth usage is displayed as a table of inbound and outbound communication pairs. Again, it is possible to extend its use with the command options found in the application’s man page – $ man iftop.
Installation:
apt-get install iftop
Use:
iftop -i enp0s9 -p
Version: 2.5.0
Bigdesk is the simplest plugin available; it makes monitoring what Elasticsearch is doing at any given moment much easier.
Plugin installation consists of several steps:
cd /data/moloch/elasticsearch-2.4.0/bin
./plugin install https://github.com/lukas-vlcek/bigdesk/archive/master.zip -v -b
The plugin is then reachable in a browser at: http://IP_address:port_number/_plugin/bigdesk/
The first graph shows the amount of RAM allocated to Elasticsearch and the amount actually used over the past 5 minutes. This interval can be changed from the past 10 seconds up to 1 hour, and the graph refresh interval can be changed from 1 second up to 30 seconds.
The following illustration shows CPU and RAM usage; in this instance it is the overall load caused by all processes, not just the Elasticsearch instance. Since we turned swapping off during the Moloch installation, the swap graph is empty.
The last illustration displays miscellaneous search and data indexing statistics as both numbers and time units.
Version: 0.1.3
Head is a web front end that enables browsing and interacting with the Elasticsearch cluster through its API. It also makes the Elasticsearch status available for viewing and enables work with the individual daily indices.
There are several alternatives for plug-in installation; two of the most common are listed below:
git clone git://github.com/mobz/elasticsearch-head.git
cd elasticsearch-head
npm install
npm run start
http://IP_address:port_number/_plugin/head/
Alternatively:
sh /data/moloch/elasticsearch-2.4.0/bin/plugin install mobz/elasticsearch-head
http://IP_address:port_number/_plugin/head/
The Bigdesk and Elasticsearch Head plugins no longer work from Elasticsearch 5.x onward, because of changes in the Elasticsearch architecture (site plugins of this kind are no longer supported).
TCPdump is a powerful command-line packet analyzer, which may be used for SIP message sniffing and analysis. TCPdump is preinstalled on many Linux distributions, or may be installed directly from the Debian repository:
apt-get install tcpdump
TCPdump can write the captured traffic to a file or display it in real time. Its usage for SIP message analysis may look like: