NSM Console

UPDATE: NSM-Console has a new home on my new website!

NSM Console (Network Security Monitoring Console) is a framework for performing analysis on packet capture files. It implements a modular structure that allows an analyst to quickly write modules of their own without any programming language experience. Using these modules, a large amount of pcap analysis can be performed quickly using a set of global (as well as per-module) options.

NSM Console also aims to be simple to run and easy to understand without lots of learning time.

It is highly recommended that you visit the wiki page, as it is kept more up to date.

You can watch a screencast of nsm-console at this post.
You can watch another screencast on how to create a module for NSM-Console here.

The latest version of nsm-console can be downloaded from:

http://navi.eight7.org/~hinmanm/files/nsm-console-0.5.tar.gz [release notes] [mirror]

You can see all the posts tagged with the ‘nsm-console’ category tag here.

If you want more information about what it is (and what it does), check out this introductory post.

A list of projected and completed modules is in this post.

NSM-Console changes pretty quickly, since I’m the only developer. I will try to keep a log of what I have added here. NSM-Console is released as an included tool in the Hex 1.0.3 release; the included version is 0.6-DEVEL.

If you want to check out the code from svn, use the following:

svn co http://svn.security.org.my/trunk/rawpacket-root/usr/home/analyzt/rp-NSM/nsm-console nsm-console

Last added features:

28 Responses to NSM Console

  1. Pingback: NSM-console version 0.2 release « :wq

  2. Pingback: NSM Console - A framework for running things « :wq

  3. Pingback: NSM Console projected module list « :wq

  4. Pingback: Development version of nsm-console (0.3-DEVEL) « :wq

  5. Pingback: Screencast: An introduction to NSM-Console « :wq

  6. Pingback: NSM-Console version 0.3 release « :wq

  7. Pingback: Hex and NSM-Console source now browsable « :wq

  8. Pingback: Decoding the SANS Christmas packet challenge using only NSM-Console « :wq

  9. Pingback: Hypography Science Forums - Rescuing articles from a friend's web site...

  10. Pingback: NSM-Console version 0.4 release « :wq

  11. Pingback: NSM-Console (Network Security Monitoring) | Morally Corrupted

  12. Pingback: Morally Corrupted » Blog Archive » NSM-Console(Creating a Module Screencast)

  13. Pingback: Morally Corrupted » Blog Archive » NSM-Console(Network Security Monitoring)

  14. Pingback: Flowtime - Create a timeline for packet flow « :wq

  15. Pingback: Morally Corrupted Security » Blog Archive » NSM-Console (Network Security Monitoring)

  16. Bubba

    When running the chaosreader module it errors out. This is what I get

    –> cd output5.pcap-output/chaosreader;chaosreader -v /home/socanalyst/output5.pcap
    sh: chaosreader: command not found

    Is there someone that can help with this?
    BTW…nsm-console is a great tool!

  17. @Bubba
    It looks like you don’t have chaosreader installed. In order for the chaosreader module to work, you have to have chaosreader installed.

    You should be able to download and install chaosreader from: http://www.brendangregg.com/chaosreader.html

    I’m glad you like NSM-Console :)

  18. Bubba

    Hi Lee,

    I do have the chaosreader script installed (and can use it by itself to read pcap files), but unsure of where nsm is trying to call it from so it can run. Is there a certain directory that nsm console is trying to call the chaosreader script from?

  19. @Bubba
    As long as chaosreader is in your path, NSM-Console should be able to find it. It just calls it as “chaosreader”, so if it’s something like /usr/local/bin or /bin (the normal path places), it should find it alright.

  20. Pingback: Switching from fluxbox to wmii on Hex « :wq

  21. Pingback: Hex and NSM-Console writeup in February ISSA Journal « :wq

  22. Pingback: NSM-Console version 0.5 release « :wq

  23. Pingback: User-submitted modules: flowtag and clamscan « :wq

  24. Pingback: Hex 1.0.3 released! « :wq

  25. rsc

    Trying to create a module and wondering if there is any way to have the module (within the modules/module_config_file) source either a perl or bash script. Like, for example, run tcpflow, and once that’s done, have it source a script to do something else with the flow files?

    Thanks, this is a great tool!!

  26. @rsc: Sure, there is a way to do that, take a look at the Harimau module for instance, here’s the command line:

    ruby -I ${MODULE_DIR}/${MODULE_NAME}.module/ ${MODULE_DIR}/${MODULE_NAME}.module/${MODULE_NAME}.rb ${PCAP_FILE} > ${OUTPUT_DIR}/${OUTPUT_FILE}

    Which runs the harimau.rb file inside the harimau.module directory. If you wanted a module to do something similar, you could do this:

    tcpflow
    perl ${MODULE_DIR}/${MODULE_NAME}.module/perl_script_for_analysis.pl

    in the file listing the commands. Does that make sense?

  27. Does anyone know if there is any other information about this subject in other languages?

  28. Pingback: :wq - blog » Blog Archive » Flowtime - Create a timeline for packet flow
