Grok is a web-based Internet Protocol (IP) search tool designed to help
the user find and analyze network sessions in close to real time (on a
5-minute cycle). It relies on the output generated by a packet capture
and session summary tool called bag.
The bag program runs on a Linux system, and continuously generates
5-minute full packet capture libpcap files, Internet session summary
files, and interface statistic files, round-robin, over a period limited
to the amount of disc storage available to the system. In the LANL
case, an 8-terabyte file system accommodates seven days of data (most of
the time).
Summary information, such as the top 20 outgoing and incoming network services (such as www/tcp or 161/udp), along with network interface statistics that indicate the health of the capture system, is plotted every 5 minutes for display by the Grok web server.
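As an added illustration of the round-robin scheme described above (this is not bag's own code), the following Python script estimates retention from a disk budget, selects the oldest 5-minute files to recycle, and flags missing windows as a capture-health check; the sample file list and the decimal-terabyte unit are assumptions.

```python
"""Round-robin pcap retention planner.

Added illustration of the scheme the text describes: one pcap file per
5-minute window, oldest files recycled to stay within a fixed disk
budget.  Not bag's own code.  1 TB = 1e12 bytes is an assumption."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # one pcap file per 5-minute window
DAY_SECONDS = 86400

def sustained_rate(disk_bytes, days):
    """Average capture rate (bytes/s) at which disk_bytes lasts `days`."""
    return disk_bytes / (days * DAY_SECONDS)

def retention_days(disk_bytes, bytes_per_sec):
    """Days of history a disk of disk_bytes holds at a sustained rate."""
    return disk_bytes / bytes_per_sec / DAY_SECONDS

def files_to_prune(files, budget_bytes):
    """files: iterable of (window_start, size_bytes).  Return the window
    starts of the oldest files that must go so the rest fit the budget,
    oldest first, mirroring round-robin recycling."""
    ordered = sorted(files, key=lambda f: f[0])
    total = sum(size for _, size in ordered)
    drop = []
    for start, size in ordered:
        if total <= budget_bytes:
            break
        drop.append(start)
        total -= size
    return drop

def missing_windows(files):
    """Window starts absent between the first and last file present; a gap
    means the capture host stopped writing or fell behind."""
    present = sorted({start for start, _ in files})
    if not present:
        return []
    have, gaps, t = set(present), [], present[0]
    while t <= present[-1]:
        if t not in have:
            gaps.append(t)
        t += WINDOW
    return gaps

def constructed_sample():
    """Constructed input: one hour of 5-minute windows of 2 GB each from
    2007-12-01 12:00, with the 12:30 window missing."""
    t0 = datetime(2007, 12, 1, 12, 0)
    return [(t0 + i * WINDOW, 2_000_000_000) for i in range(12) if i != 6]

if __name__ == "__main__":
    sample = constructed_sample()
    print("8 TB for 7 days implies %.1f MB/s" % (sustained_rate(8e12, 7) / 1e6))
    print("prune:", files_to_prune(sample, 16e9))
    print("gaps:", missing_windows(sample))
```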
The Grok web interface presents the analyst with a set of search
criteria used to query the information being collected by the bag
program. Since the information ultimately resides in pcap files,
other pcap-aware programs, such as bro, wireshark, nosehair,
smacq, snort, and tcpdump, have been incorporated into Grok's web
interface. Clickable documentation is available for each search
criterion.
We are still working on making a nice package for grok; in the meantime, here's what we have.
The current HEAD in git is probably the best place to start. You may browse the code online, or clone the tree:
$ git clone http://dirtbags.net/projects/grok
$ git clone http://dirtbags.net/projects/bag
Tarballs of the latest official release (December 2007) are also here, but are by now pretty out of date.