Traffic flow capture and analysis
Version: 4.5
Tanal is a Unix daemon that captures traffic packet size, source, destination, and times and saves this data into a native Postgres or ODBC database in near real time, from which traffic reports may be made.
Operating System: Linux
Tanal doesn't save the actual headers or data. It works on ethX or cooked devices like ppp0. It uses Postgres embedded SQL or libodbc++ to insert the data, the pcap library to capture traffic, and pthreads to capture and write at the same time. Pcap filters can be specified on the command line. Logs go to syslog.
Under development are tools that analyse this traffic to determine the traffic type from flow behaviour rather than packet inspection.
-x dns_expiry_time: the time an entry lives in the DNS cache
-s sleep_time: the time the write sleeps for
-p num_packets: the number of packets to collect, 0 for forever
-f filter: pcap filter argument
-d or -i: device (or interface) to capture on
-a: age of inactivity (no packets to or from the connection) before the connection is written to the db
-c: connection string
Flush interval flags '-F'
If a connection is maintained for a long time and there is regular traffic over it (for example a VPN with regular keepalive packets), its traffic will not be logged until there has been no data for at least the expiry time. The flush interval flags control the mandatory flushing of these connections. A mandatory flush writes out the complete connection list. This timer is quantized on the period divider: for example, if you select 60, the flush occurs on the minute, or as close to it as possible.
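The interaction between the inactivity age (-a) and the mandatory flush interval (-F) is easiest to see on a small trace. The following is an added example written for this page, not tcap's own source: it models a flow table keyed on the endpoint pair, writes an entry out when it has been idle for the inactivity age, and additionally flushes the whole table on interval boundaries quantized the way the text describes (interval 60 flushes on the minute). The record layout, the `FlowTable` class, the canonical endpoint-pair key and the trace itself are assumptions made for illustration; the trace is constructed and contains a VPN pair sending a keepalive every 10 s plus one short exchange, so the VPN entry would never be written by inactivity alone.

```python
"""Model of the flow bookkeeping a capture daemon performs before writing
records to the database. Added example, not tcap source; record layout and
class names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    host_a: str            # canonical (sorted) endpoint pair, so both
    host_b: str            # directions of a connection share one entry
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def next_flush_after(ts: float, interval: int) -> float:
    """Quantize the mandatory flush onto the interval: with 60, the next
    flush lands on the next whole minute after ts (the -F behaviour)."""
    return float((int(ts) // interval + 1) * interval)


class FlowTable:
    def __init__(self, inactivity_age: float, flush_interval: int = 0):
        self.inactivity_age = inactivity_age   # stands in for -a
        self.flush_interval = flush_interval   # stands in for -F, 0 = off
        self.flows: Dict[Tuple[str, str], Flow] = {}
        self.next_flush: Optional[float] = None
        self.records: List[dict] = []          # rows that would be INSERTed

    def _write(self, key: Tuple[str, str], reason: str) -> None:
        f = self.flows.pop(key)
        self.records.append({"host_a": f.host_a, "host_b": f.host_b,
                             "packets": f.packets, "bytes": f.octets,
                             "first": f.first_seen, "last": f.last_seen,
                             "reason": reason})

    def packet(self, ts: float, src: str, dst: str, size: int) -> None:
        # 1. Mandatory flush on a quantized boundary: write *every* entry,
        #    including long-lived connections that never go idle.
        if self.flush_interval:
            if self.next_flush is None:
                self.next_flush = next_flush_after(ts, self.flush_interval)
            if ts >= self.next_flush:
                for key in list(self.flows):
                    self._write(key, "flush")
                self.next_flush = next_flush_after(ts, self.flush_interval)
        # 2. Inactivity expiry: entries with no packet in either direction
        #    for at least the inactivity age are written out.
        for key, f in list(self.flows.items()):
            if ts - f.last_seen >= self.inactivity_age:
                self._write(key, "idle")
        # 3. Account the packet against its (possibly new) flow entry.
        key = tuple(sorted((src, dst)))
        f = self.flows.get(key)
        if f is None:
            f = self.flows[key] = Flow(key[0], key[1], first_seen=ts)
        f.packets += 1
        f.octets += size
        f.last_seen = ts

    def close(self) -> List[dict]:
        """Write whatever is still in the table (daemon shutdown)."""
        for key in list(self.flows):
            self._write(key, "shutdown")
        return self.records


def run_demo(flush_interval: int) -> List[dict]:
    """Constructed trace: a VPN pair exchanging a 64-byte keepalive every
    10 s for 130 s, plus one short two-packet exchange at t=5 and t=6.
    Inactivity age is 30 s; flush_interval 0 disables mandatory flushing."""
    table = FlowTable(inactivity_age=30, flush_interval=flush_interval)
    trace = []
    for i in range(14):  # keepalives at t = 0, 10, ..., 130, alternating direction
        ends = ("10.0.0.1", "203.0.113.5") if i % 2 == 0 else ("203.0.113.5", "10.0.0.1")
        trace.append((10.0 * i, ends[0], ends[1], 64))
    trace += [(5.0, "10.0.0.2", "10.0.0.53", 80), (6.0, "10.0.0.53", "10.0.0.2", 200)]
    for pkt in sorted(trace):
        table.packet(*pkt)
    return table.close()


if __name__ == "__main__":
    for interval in (0, 60):
        print(f"-F {interval}:")
        for row in run_demo(interval):
            print("  ", row)
```

Run with `-F 0` the VPN pair produces a single record only at shutdown, because a keepalive always arrives inside the 30 s inactivity window; with `-F 60` the same pair is written out at t=60 and t=120 and the reports see its traffic within a minute of it happening.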
Note that the -f filter specification is the pcap filter grammar and is described in the tcpdump manual entry.
./tcap -b -d eth1 -p 10000 -f "dst host not 172.28.11.255"