| PA197 Labs
LAB
1
Compute the ratio of UDP packets and
flows in the traffic
nfdump -r flows.nfcapd -s proto
2 | PA197 Labs
Count the hosts actively communicating
from MU network
nfdump -r flows.nfcapd "src net
83.187.0.0/16 " -A srcip -q | wc –l
7781
3 | PA197 Labs
Find most the web server most visited by
users from MU network
nfdump –r flows.nfcapd “src net
83.187.0.0/16 and (dst port 443 or dst
port 80)” –s dstip/flows
4 | PA197 Labs
Find how many hosts from MU network
has accessed the web on 60.182.41.219:80
nfdump -r flows.nfcapd “src net
83.187.0.0/16 and dst ip 60.182.41.219
and dst port 80” –A srcip –q | wc –l
225
5 | PA197 Labs
Find a horizontal scan
nfdump –r flows.nfcapd “dst port 22” –s
srcip/flows
6 | PA197 Labs
7 | PA197 Labs
Find vertical scan
nfdump –r flows.nfcapd “flags S and not
flags F” –A srcip,dstip –s record/flows
8 | PA197 Labs
9 | PA197 Labs