December 19, 2007
I just had a moment of awe. I was playing around with packet captures and was wondering whether Wireshark would still ship with a command line alternative for the GUI version. I always liked Ethereal for its protocol analysis capabilities. I pretty quickly found out that the command line version was still maintained. Now called tshark. I was sort of shocked, when I realized how much protocol traffic was actually decoded:
~/tmp$ sudo tshark -ni en1
Capturing on en1
2.004403 192.168.0.12 -> 126.96.36.199 MSNMS USR 1 YYYYYYY@hotmail.com 1452999922.70216123.6471199
3.672270 188.8.131.52 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
3.673979 184.108.40.206 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
5.136301 220.127.116.11 -> 192.168.0.12 MSNMS [TCP Retransmission] USR 1 OK YYYYY@hotmail.com Raffael%20Marty
5.136735 192.168.0.12 -> 18.104.22.168 MSNMS CAL 2 XXXXXX@hotmail.com
5.174140 22.214.171.124 -> 192.168.0.12 MSNMS CAL 2 RINGING 1111111111
6.750004 126.96.36.199 -> 192.168.0.12 MSNMS JOI XXXXXXX@hotmail.com XXXX%20Buding%20in%20boston
It understands the IM protocols (above version is anonymized)! I wonder how I could exploit this for some interesting visualization.
December 10, 2007
Today I found myself researching “moving average analysis” techniques. Using moving average analysis can be fairly useful in trending risk. Plot the moving average over your risk and compare it with the actual risk numbers, much like you would analyze a stock chart. I will write more extensively about this in my book in the “Visual Security Analysis” chapter.
What I just learned and what really pointed me to write this blog post is that Excel has a data analysis add-in that lets you compute moving averages. In my Excel instance, I had to first enable the “Data Analysis” add-in by going to Tools|Add-Ins… Once enabled, I got a new menu item under Tools which is Data Analysis… There you can choose from a variety of data analysis tools, among them a moving average calculator. This blog post shows exactly to to apply the add-in.
December 7, 2007
Finally, Common Event Expression (CEE) has its Web site up!
We are working on a few initiatives right now. If you want to contribute to the discussion, join the mailing list. Send an email to firstname.lastname@example.org to subscribe.
December 3, 2007
I wanted to mention this a long time ago, I am really behind with blogging …
I started another blog. I hope this is not going to be too confusing.
Here is what goes where: