Gulli.OscSniff r1.1 - 02 Jun 2005 - 21:11 - TWikiGuest

a collection of scripts that collect all sorts of information from different sources in a networked world.

preliminary but current listing goes like this:



fetch a website, grep for all digits in it and output them as a sequence.


CommonLogfileFormat (clf) to OSC translator, can be used in a pipe with either urlsnarf (from dsniff) or tail -f /var/log/apache/*.log


port: 5154

translates tcpdump output to OSC, has some additional capabilities such as discovering unique new hosts, new connections between those hosts.

parses tcpdump output and could theoretically send out data for every single packet. practice has shown, especially on remote links, that this can easily kill, or slow down, resources on both the connection and the receiving end(s). so i'm trying to put some pre-intelligence into this module, like detecting new hosts (unique IP addresses), new connections and whether these hosts are in direct correspondence with ourselves (localhost) or not.

tcpdump2OSC commands

answers on 5251

| command | params | description |
| / | none | list commands |
| /shutdown | passwd | shutdown the sniffer |
| /flushuhosts | none | flush internal hostlist |
| /version | none | guess |
| /uhosts | none | number of internal hosts |
| /uhostscount | none | number of internal hosts |
| /packetcount | none | number of packets received |
| /filter | action (add, del), what (host, port), data (5151,, ...) | add or remove item from filterlist |
| /filter/ | none | list current filters |

tcpdump2OSC outgoing

  • /new/host IP-address localflag
    new host has appeared on the ethernet. is it local to our subnet?
  • /new/connection sourcehost sourceport desthost destport protocol timestamp packet-count byte-count *subtype*
    protocol-id, 0 = ICMP, 1 = TCP, 2 = UDP, 3 = ARP (missing: IPX, SMB, ...)
    subtype of simpler protocols like icmp, arp
  • /host update status of this host already known
  • /connection update status of this connection already known: new byte-count, new packet-count
  • /delete/host remove host from network: host, localflag, timestamp
  • /delete/connection remove connection: shost, sport, dhost, dport, protocol, time, pkt_cnt, byte_cnt
  • /tcpdump proto sip1 sip2 sip3 sip4 sport dip1 dip2 dip3 dip4 dport len ymd h m s us (ni)
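
The "pre-intelligence" described above for tcpdump2OSC, sketched as an added example (not code from the OSC_sniff archive): per-packet lines only update counters, and messages go out only for new hosts, new connections and periodic summaries. The class name, the regex, the TCP/UDP-only parsing, the `/connection` argument layout and the sample lines are assumptions; the protocol ids and message addresses are the ones listed on this page.

```ruby
require 'ipaddr'
# Hypothetical aggregator; class name, regex and subnet are assumptions, not OSC_sniff code.
class FlowTracker
  PROTO_ID = { 'icmp' => 0, 'tcp' => 1, 'udp' => 2, 'arp' => 3 }.freeze # ids from the page
  # Matches TCP/UDP lines shaped like `tcpdump -n -tt -q` output (format varies by version).
  LINE = /\A(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (tcp|UDP),? (?:length )?(\d+)/

  def initialize(local_net)
    @local = IPAddr.new(local_net)
    # hosts: ip => true; conns: flow key => [pkt_cnt, byte_cnt]; dirty: flow key => last timestamp
    @hosts, @conns, @dirty = {}, {}, {}
  end

  # Per packet: update counters, return only /new/host and /new/connection messages.
  def feed(line)
    m = LINE.match(line) or return []
    ts, shost, sport, dhost, dport = m[1].to_f, m[2], m[3].to_i, m[4], m[5].to_i
    key = [shost, sport, dhost, dport, PROTO_ID.fetch(m[6].downcase)]
    len = m[7].to_i
    out = []
    [shost, dhost].each do |ip|
      next if @hosts[ip]
      @hosts[ip] = true
      out << ['/new/host', ip, @local.include?(IPAddr.new(ip)) ? 1 : 0]
    end
    if (c = @conns[key])
      c[0] += 1
      c[1] += len
      @dirty[key] = ts # remembered for the next summary instead of being sent now
    else
      @conns[key] = [1, len]
      out << ['/new/connection', *key, ts, 1, len]
    end
    out
  end

  # Called on a timer: one /connection update per flow that changed since the last call.
  def updates
    msgs = @dirty.map { |key, ts| ['/connection', *key, ts, *@conns[key]] }
    @dirty.clear
    msgs
  end
end

SAMPLE = [ # constructed input, not captured traffic
  '1117746660.100000 IP 192.168.1.10.51514 > 10.0.0.5.80: tcp 120',
  '1117746660.200000 IP 192.168.1.10.51514 > 10.0.0.5.80: tcp 300',
  '1117746660.300000 IP 192.168.1.11.5353 > 192.168.1.10.53: UDP, length 45',
]
```

Each returned array is one OSC message (address followed by its arguments); handing it to an OSC client library is left out here.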

ping any host and feed pingtime into OSC/gulli server. non-functional.

get weather info for various sites (airport codes). wishful thinking. is in non-usable state.

stat.rb: syslog, /proc

feed load-average, cpu usage, interrupt occurrence, logevents and network load of given host into server.

check out RubyOSC.


rather fetch directly from cvs, see XdvCVS for info on how to do that.

translate syslog events (ssh, telnet, www, imap, etc as well as local stuff).


| Attachment | Size | Date | Who | Comment |
| OSC_sniff-2003051701.tgz | 12.0 K | 17 May 2003 - 17:24 | JuanChanson | miscellaneous sniffers that convert stuff into OSC |
