

TCP Connection?

Posted on 2005-05-02
Medium Priority
Last Modified: 2013-11-29
I believe that tcptrace can reconstruct TCP connections from the tcpdump file format.

1) How do I do it?
2) Why do we need to reconstruct the TCP connection? What is the idea behind it?
Question by:sutejok

Expert Comment

ID: 13914926
I was reading a bit about TCPDUMP to trace my TCP packets over the Internet, and I found this article, which is pretty neat.

It may help you as it helped me.

What they are:

TCPDUMP can "dump" your entire connection (every packet) to a file.
The default is just to capture a few bytes from the start of each packet,
but you can increase the number of bytes captured to grab the entire packet
(the bytes at the start of the packet give the header, source and
destination information, but not the content).

If you clean out your cache (so nothing is read from the hard disk);
start TCPDUMP and click on a link in a spamvertizing message (assuming that
the site does not send you a trojan - I use Netscape without the ActiveX
plugin, for example, to protect from that);
when you reach the final site, close TCPDUMP and you will have a complete
capture of everything.

TCPDUMP can read the saved file (you can also have it display the
information interactively, instead of saving to file) but just the header
info. By default it does not just display IP addresses but domain names.
DO NOT TRUST THEM. They are obtained via rDNS. Check them or have TCPDUMP
show the IP addresses instead of hostnames.

[If a connection to 111.222.333.444 is made (and I *know* that is not a
 possible IP address (grin)), to display the domain name, the programme
 does a reverse lookup on that IP address. The site responsible for
 the name server for the "host" "444.333.222.111.in-addr.arpa"
 (in-addr=Internet Address: arpa=arpa format=IPv.4), in the address
 space -that is the name server responsible for the IP address- decides
 what is returned. If the spammer controls the name server for that IP
 address, he can return anything he wants. He can return
 "www.microsoft.com" instead of the machine's real name.
 On the other hand, if you lookup (whois) "www.microsoft.com" the
 owner of the name server for "microsoft.com" decides what *that*
 returns. IF they match, then you have the correct hostname.
 If not, it may be a simple error or an intentional misdirection in
 the rDNS result.]

If you use TCPDUMP to read the file and see a connection between msn.com
and macromedia.com and adobe.com to your machine (and verify that those
host names are correct, or check the IP addresses and find those are
msn.com and macromedia.com and adobe.com) then there are such connections
made during access to the spamvertized site - BUT they may be innocent (the
spammer may simply put an [IMG SRC=""] tag on a spamvertized page and load
a tiny graphic from each of those sites so they appear when you examine the
connections made when you access the spamvertized site).

You can examine the raw TCPDUMP file to see what each connection asks for
and gets.


Expert Comment

ID: 13914939
Also, you can download some tools.


Expert Comment

ID: 13916666
2) Why we need to reconstruct the TCP connection? what the idea behind it?

You do packet traces, packet analysis, sniffs, and captures to analyze what is happening at the packet level.  TCP is fairly robust, and analyzing what the packets are, how the flow is going, and what happens can lead you to diagnosing a problem.  Packet analysis is usually done because there's a problem and all other, easier, troubleshooting has failed.  For instance, if my machine was hanging and I saw a zillion TCP "syns" coming in, I would realize I was under attack from a "syn flood" or a smurf attack.

Author Comment

ID: 13918437

"In our experiment on payload anomaly detection we only used the inside network traffic data which was captured
between the router and the victims. Because most public applications on the Internet use TCP (web, email, telnet, and ftp),
and to reduce the complexity of the experiment, we only examined the inbound TCP traffic to the ports 0-1023 of the hosts
172.016.xxx.xxx which contains most of the victims, and ports 0-1023 which covers the majority of the network services.
For the DARPA 99 data, we conducted experiments using each packet as the data unit and each connection as the data unit.
We used tcptrace to reconstruct the TCP connections from the network packets in the tcpdump files."

I don't understand how they use tcptrace here...

Accepted Solution

pseudocyber earned 2000 total points
ID: 13918478

"tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis."
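The following is an added example, not code from any of the posters above and not tcptrace's own code. It shows in miniature what "reconstructing the TCP connections from the tcpdump files" means and ties together the three points made in this thread: reading a tcpdump (libpcap) file, grouping segments into connections and reassembling each direction's payload (the tcptrace per-connection view, with bytes, segments and retransmissions), noticing when the capture's snaplen cut the packets short (the "default is just to capture a few bytes" warning), and spotting a SYN flood as a pile of half-open connections. It prints IP addresses only and never does a reverse lookup, for the reason given above. Assumptions: the capture is Ethernet/IPv4 (other link types are rejected), sequence-number wraparound is ignored, and "retransmission" is simplified to "a data segment whose sequence number was already seen". The sample capture is constructed inline with the `frame()`/`pcap()` helpers; real checksums are not computed because the parser never checks them.

```python
"""Reconstruct TCP connections from a tcpdump/libpcap capture, the way tcptrace does (added example)."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def pcap_records(data):
    """Yield (timestamp, frame, truncated) for every record of a libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # writer's byte order
    if end is None:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    if struct.unpack_from(end + "I", data, 20)[0] != 1:   # DLT_EN10MB only (assumption)
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl], incl < orig   # incl < orig: snaplen cut it
        off += incl


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else. IPs only, no DNS."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, t)
    return {"src": (".".join(map(str, frame[26:30])), sport),
            "dst": (".".join(map(str, frame[30:34])), dport),
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "payload": frame[t + (off_flags >> 12) * 4:14 + total]}   # short if truncated


def reconstruct(data):
    """Group segments into connections keyed by their two (ip, port) endpoints."""
    conns = {}
    for ts, frame, truncated in pcap_records(data):
        p = parse_tcp(frame)
        if p is None:
            continue
        key = tuple(sorted([p["src"], p["dst"]]))          # same key for both directions
        c = conns.setdefault(key, {"initiator": p["src"], "segments": 0, "syn": 0, "synack": 0,
                                   "ack": False, "retrans": 0, "truncated": 0, "first": ts,
                                   "last": ts, "bytes": defaultdict(int), "streams": defaultdict(dict)})
        c["segments"] += 1
        c["last"] = ts
        c["truncated"] += truncated
        f = p["flags"]
        if f & SYN and not f & ACK:
            c["syn"] += 1
            c["initiator"] = p["src"]
        elif f & SYN:
            c["synack"] += 1
        elif f & ACK:
            c["ack"] = True
        if p["payload"]:
            stream = c["streams"][p["src"]]
            if p["seq"] in stream:       # data at a seq already seen: retransmission (simplified)
                c["retrans"] += 1
            else:
                stream[p["seq"]] = p["payload"]
                c["bytes"][p["src"]] += len(p["payload"])
    return conns


def handshake_complete(c):
    return c["syn"] > 0 and c["synack"] > 0 and c["ack"]


def stream_data(c, endpoint):
    """Reassemble one direction's payload in sequence order (fixes up out-of-order segments)."""
    s = c["streams"][endpoint]
    return b"".join(s[k] for k in sorted(s))


def syn_flood_suspects(conns, threshold):
    """Targets with more than `threshold` half-open connections: SYN seen, no SYN/ACK ever sent."""
    half_open = defaultdict(int)
    for key, c in conns.items():
        if c["syn"] and not c["synack"]:
            half_open[key[1] if key[0] == c["initiator"] else key[0]] += 1
    return {t: n for t, n in half_open.items() if n > threshold}


def frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def pcap(frames, snaplen=65535):
    """Write a libpcap file; frames longer than snaplen are cut, exactly as tcpdump -s does."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, min(len(f), snaplen), len(f)) + f[:snaplen])
    return b"".join(out)


# Constructed sample: one HTTP exchange with a retransmission and an out-of-order reply,
# plus 40 spoofed SYNs to the same server that are never answered.
C, S = ("10.0.0.1", 40000), ("10.0.0.2", 80)
REQ, RESP1, RESP2 = b"GET / HTTP/1.0\r\n\r\n", b"HTTP/1.0 200 OK\r\n\r\n", b"hello\n"
SAMPLE = [
    frame(*C, *S, 1000, 0, SYN), frame(*S, *C, 5000, 1001, SYN | ACK), frame(*C, *S, 1001, 5001, ACK),
    frame(*C, *S, 1001, 5001, PSH | ACK, REQ),
    frame(*C, *S, 1001, 5001, PSH | ACK, REQ),                              # retransmitted request
    frame(*S, *C, 5001 + len(RESP1), 1001 + len(REQ), PSH | ACK, RESP2),    # second reply segment first
    frame(*S, *C, 5001, 1001 + len(REQ), PSH | ACK, RESP1),
    frame(*C, *S, 1001 + len(REQ), 5001 + len(RESP1) + len(RESP2), FIN | ACK),
] + [frame("192.0.2.%d" % i, 1024 + i, *S, i, 0, SYN) for i in range(1, 41)]

if __name__ == "__main__":
    conns = reconstruct(pcap(SAMPLE))
    for key, c in conns.items():
        print(key, "segs=%d retrans=%d truncated=%d handshake=%s" % (
            c["segments"], c["retrans"], c["truncated"], handshake_complete(c)))
    print("SYN flood suspects:", syn_flood_suspects(conns, 10))
```

On a real trace, capture with `tcpdump -n -s 0 -w trace.pcap` (full packets, no reverse lookups) and feed `open("trace.pcap", "rb").read()` to `reconstruct()`; `tcptrace -n -l trace.pcap` gives the same per-connection summary in its long form. Re-running the sample with `pcap(SAMPLE, snaplen=68)` shows the snaplen problem the first expert describes: the headers survive, but the request body is cut to 14 bytes and the reply cannot be reassembled in full.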
