ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring, and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.
WebJob downloads a program over HTTP/HTTPS and executes it in one unified operation. The output, if any, may be directed to stdout/stderr or a WebJob server. WebJob may be useful in incident response and intrusion analysis as it provides a mechanism to run known good diagnostic programs on a potentially compromised system. WebJob also provides a framework that is conducive to centralized management. Therefore, it can support and help automate a large number of common administrative tasks and host-based monitoring scenarios.
nefu (network fidelity utility) is a Unix daemon that monitors services over the network. It uses a "no false alarms" fault verification algorithm, and understands network dependencies. Natively-monitored protocols include ICMP echo (ping), SSH, IPP, DNS, HTTP, POP, NTP, IMAP, SMTP, and LDAP, as well as having facilities to execute external programs. Status pages are available via finger or the Web.
softflowd is a software flow-based network monitor. It tracks network traffic flows, reports aggregate statistics, and optionally exports Cisco Netflow compatible datagrams (to unicast hosts or multicast groups). It can listen on a promiscuous network interface or read stored pcap capture files, and includes a sophisticated control interface.
ShoStats is a reimplementation of phpSysInfo in Perl, useful for running from crontab and outputting the stats to a PHP include file, which can then be displayed on a hosting account. It is modular and configurable, including modules to support Linux, OpenBSD, and NetBSD, an output module for PHP include files, and transfer modules for output to stdout (which can be redirected or piped) and uploading to an FTP server.
Netdisco is a Web-based network management tool. Users can locate the switch port of an end-user system by IP or MAC address. Data is stored using a SQL database. Cisco Discovery Protocol (CDP) optionally provides automatic discovery of the network topology. The network is inventoried by both device model and operating system (like IOS). It uses router ARP tables and L2 switch MAC forwarding tables to locate nodes on physical ports and track them by their IP addresses. For each node, a time-stamped history of the ports it has visited and the IP addresses it has used is maintained. It gets all its data, including CDP topology information, with SNMP polls and DNS queries. Security features include a wire-side Wireless Access Point (AP) locator.