Playing With the DB
Let's start:
let's get have a look at some sockets first: mysql> select * from sockets limit 30; of note is that the starttime column is only populated if we find a SYN (signifying the start of a conversation) otherwise it defaults to -1. Choose the idsock (18 is chosen for the example) of one of the sockets and we'll use it to pull the equivalent of "follow socket conversation" from a tool like Ethereal: mysql> select idpack, srcip, dstip, srcport, dstport, packetsize,
ttl, winsz, flags, seqnum, acknum,
from_unixtime(timestamp), idtrace, idsocket
from packets
where idsocket = 18; Ooooh.... ahhh, huh?
let's get have a look at some sockets first: mysql> select * from sockets limit 30; of note is that the starttime column is only populated if we find a SYN (signifying the start of a conversation) otherwise it defaults to -1. Choose the idsock (18 is chosen for the example) of one of the sockets and we'll use it to pull the equivalent of "follow socket conversation" from a tool like Ethereal: mysql> select idpack, srcip, dstip, srcport, dstport, packetsize,
ttl, winsz, flags, seqnum, acknum,
from_unixtime(timestamp), idtrace, idsocket
from packets
where idsocket = 18; Ooooh.... ahhh, huh?
So, just with the rollups in socket, you can answer all kinds of questions. What sockets ran longer than N? What sockets passed very little data? What sockets passed data over a certain threshold and to what host? What conversations were carried on to a certain host?