Parse

Usage: parse [ -i filename [ -z ] ] [ -o filename ] [ -c conid [ -t time ] ]
Options:
-i filename            : List connection IDs contained within a rawlog
-z                     : Skip zero sized connections in output
-o filename            : Copy tcpdump raw input to this output file
-c conid               : Watch a specific connection ID.
-u                     : Ignore user data for a watched connection
-t "MM/DD/YY HH:MM:SS" : Set time offset for a watched connection

Parse can be used to view a TCP trace, or to collect and report on live 
traffic. This can be used to record and view what an intruder is doing on 
your system. This is also useful for monitoring connections that are traveling 
over a particular network. For example, if an intruder logs into a system while
parse is running, that strange connection may be noticed. Upon further
investigation it may appear that the intruder is a hacker who seems to be
exploring the system. By collecting a log of what they are doing, evidence
can be gathered to prosecute the hacker, and the damage done by the intruder
can also be assessed.

parse will take all input from the live network unless a file is specified. It 
will then collect and interpolate the data, printing out messages saying "New
connection from..." or printing information about UDP packets. If the "-o"
option is specified, the raw network data will also be placed into a pcap 
formatted output file.

If a filename is specified then parse will read packets from that file. There 
are several command line options to control the way the log file is viewed. 
"-i" prints out a list of all the connections and their related IDs within
the log file. "-z" skips the connections that have zero length. "-c" allows
a particular connection to be watched in vt100 mode. "-u" used with "-c" will
ignore all the data going from the client to the server in a particular 
connection and limit the view to server->client information. "-t" used with 
"-c" will start the playback at the moment specified. This can be helpful 
when trying to display a particular section of a connection.

The log files that are generated are libpcap files.
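
The kind of listing "-i" and "-z" describe can be reproduced on any libpcap file. The following is an added example, not parse's own code: it reads a classic libpcap capture, groups TCP packets into connections and totals their payload bytes. The ID numbering (first-seen order), treating the first sender as the client, and the sample capture are assumptions made for the example.

```python
import socket
import struct

def list_connections(pcap_bytes, skip_zero=False):
    """List TCP flows as (conid, client, server, payload_bytes); conid = first-seen order (assumed)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    flows, off = {}, 24                      # 24-byte global header precedes the records
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]  # captured length
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                         # keep only IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = 14 + ihl
        if len(frame) < tcp + 20:
            continue                         # TCP header cut off by the snap length
        total_len = struct.unpack("!H", frame[16:18])[0]
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        doff = (frame[tcp + 12] >> 4) * 4
        a = (socket.inet_ntoa(frame[26:30]), sport)
        b = (socket.inet_ntoa(frame[30:34]), dport)
        key = (b, a) if (b, a) in flows else (a, b)   # first sender is taken as the client
        flows[key] = flows.get(key, 0) + max(total_len - ihl - doff, 0)
    rows = [(i, c, s, n) for i, ((c, s), n) in enumerate(flows.items(), 1)]
    return [r for r in rows if r[3] or not skip_zero]   # skip_zero mirrors "-z"

def _frame(src, sport, dst, dport, data=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data

def sample_pcap():
    """Constructed capture: one telnet-like exchange plus one connection with no data."""
    frames = [_frame("198.51.100.7", 40001, "192.0.2.10", 23),
              _frame("192.0.2.10", 23, "198.51.100.7", 40001, b"login: "),
              _frame("198.51.100.7", 40001, "192.0.2.10", 23, b"root\r\n"),
              _frame("198.51.100.9", 40002, "192.0.2.10", 25)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Payload size is taken from the IP total length rather than the captured length, so a connection recorded with a short snap length still reports the bytes that actually crossed the wire.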
