TCP Connection?

Posted on 2005-05-02
Last Modified: 2013-11-29
I believe that tcptrace can reconstruct the TCP connection from TCPDUMP FILE's format.

1) How to do it?
2) Why we need to reconstruct the TCP connection? what the idea behind it?
Question by:sutejok
    LVL 3

    Expert Comment

    I was reading a bit about TCPDUMP to trace my TCP packets via the Internet, and I found this article pretty neat;

    it may help you as it helped me.

    What they are:

    TCPDUMP can "dump" your entire connection (every packet) to a file.
    The default is just to capture a few bytes from the start of each packet,
    but you can increase the number of bytes captured to grab the entire packet
    (the bytes at the start of the packet give the header, source and
    destination information, but not the content).

    If you clean out your cache (so nothing is read from the hard disk);
    start TCPDUMP and click on a link in a spamvertizing message (assuming that
    the site does not send you a trojan - I use Netscape without the ActiveX
    plugin, for example, to protect from that);
    when you reach the final site, close TCPDUMP, and you will have a complete
    capture of everything.

    TCPDUMP can read the saved file (you can also have it display the
    information interactively, instead of saving to file) but just the header
    info. By default it does not just display IP addresses but domain names.
    DO NOT TRUST THEM. They are obtained via rDNS. Check them or have TCPDUMP
    show the IP addresses instead of hostnames.

    [If a connection to 111.222.333.444 is made (and I *know* that is not a
     possible IP address (grin)), to display the domain name, the programme
     does a reverse lookup on that IP address. The site responsible for
     the name server for the "host" ""
     (in-addr=Internet Address: arpa=arpa format=IPv.4), in the address
     space -that is the name server responsible for the IP address- decides
     what is returned. If the spammer controls the name server for that IP
     address, he can return anything he wants. He can return
     "" instead of the machine's real name.
     On the other hand, if you lookup (whois) "" the
     owner of the name server for "" decides what *that*
     returns. IF they match, then you have the correct hostname.
     If not, it may be a simple error or an intentional misdirection in
     the rDNS result.]

    If you use TCPDUMP to read the file and see a connection between
    and and to your machine (and verify that those
    host names are correct, or check the IP addresses and find those are and and then there are such connections
    made during access to the spamvertized site - BUT they may be innocent (the
    spammer may simply put an [IMG SRC=""] tag on a spamvertized page and load
    a tiny graphic from each of those sites so they appear when you examine the
    connections made when you access the spamvertized site).

    You can examine the raw TCPDUMP file to see what each connection asks for
    and gets.

    LVL 3

    Expert Comment

    Also you can download some tools
    LVL 27

    Expert Comment

    2) Why we need to reconstruct the TCP connection? what the idea behind it?

    You do packet trace, packet analysis, sniffs, captures to analyze what is happening at the packet level.  TCP is fairly robust and analyzing what packets are, how the flow is going, what happens can lead you to diagnosing a problem.  Packet analysis is usually done because there's a problem and all other, easier, troubleshooting has failed.  For instance, if my machine was hanging and I saw a zillion TCP "syns" coming in, I would realize I was under attack from a "syn flood" or a smurf attack.

    Author Comment


    "In our experiment on payload anomaly detection we only used the inside network traffic data which was captured
    between the router and the victims. Because most public applications on the Internet use TCP (web, email, telnet, and ftp),
    and to reduce the complexity of the experiment, we only examined the inbound TCP traffic to the ports 0-1023 of the hosts which contains most of the victims, and ports 0-1023 which covers the majority of the network services.
    For the DARPA 99 data, we conducted experiments using each packet as the data unit and each connection as the data unit.
    We used tcptrace to reconstruct the TCP connections from the network packets in the tcpdump files."

    I don't understand how they use tcp trace in here...
    LVL 27

    Accepted Solution


    "tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis."
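    To make the "reconstruct the TCP connections" step concrete, here is an added Python illustration (example code, not tcptrace itself or anything from the paper quoted above) of the core idea: take individual TCP segments from a capture, group them by the unordered (address, port) pair so both directions land in one record, and count per-direction segments and bytes plus the SYN/FIN handshake, which is the per-connection summary tcptrace produces. The packets, addresses and ports are constructed in the script so it runs offline; a real trace would come from a pcap reader.

```python
import struct
SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08           # TCP flag bits used below

def build_pkt(src, sport, dst, dport, flags, payload=b""):
    # Minimal IPv4+TCP packet, no options, checksums zeroed: constructed test data only.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_tcp(pkt):
    # Return (src, dst, sport, dport, flags, payload_len), or None if not IPv4/TCP.
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl, total_len = (pkt[0] & 0xF) * 4, struct.unpack("!H", pkt[2:4])[0]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off, flags = (pkt[ihl + 12] >> 4) * 4, pkt[ihl + 13]
    return src, dst, sport, dport, flags, total_len - ihl - data_off

def reconstruct(packets):
    # Group segments by unordered (ip, port) pair; count segments, bytes and SYN/FIN per flow.
    conns = {}
    for pkt in packets:
        p = parse_tcp(pkt)
        if p is None:
            continue
        src, dst, sport, dport, flags, plen = p
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        c = conns.setdefault(key, dict(a2b_segs=0, b2a_segs=0, a2b_bytes=0, b2a_bytes=0, syn=0, fin=0))
        d = "a2b" if a == key[0] else "b2a"
        c[d + "_segs"] += 1
        c[d + "_bytes"] += plen
        c["syn"] += bool(flags & SYN)
        c["fin"] += bool(flags & FIN)
        c["complete"] = c["syn"] >= 2 and c["fin"] >= 2   # both ends opened and closed
    return conns

def sample_trace():
    # Constructed capture: one complete HTTP connection plus one half-open SMTP attempt.
    c, s, c2, s2 = ("10.0.0.5", 40000), ("192.0.2.10", 80), ("10.0.0.5", 40001), ("192.0.2.10", 25)
    return [build_pkt(*c, *s, SYN), build_pkt(*s, *c, SYN | ACK), build_pkt(*c, *s, ACK),
            build_pkt(*c, *s, PSH | ACK, b"G" * 100), build_pkt(*s, *c, PSH | ACK, b"H" * 300),
            build_pkt(*c, *s, FIN | ACK), build_pkt(*s, *c, FIN | ACK), build_pkt(*c, *s, ACK),
            build_pkt(*c2, *s2, SYN)]

if __name__ == "__main__":
    for (a, b), c in reconstruct(sample_trace()).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}", c)
```

    The half-open SMTP attempt stays "incomplete", which is how a connection-level view separates a lone SYN (the kind of thing a SYN flood is made of) from a real exchange.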
