TCP Connection?

I believe that tcptrace can reconstruct the TCP connection from the TCPDUMP file format.

1) How do I do it?
2) Why do we need to reconstruct the TCP connection? What is the idea behind it?
pseudocyber Commented:

"tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis."

I was reading a bit about TCPDUMP to trace my TCP packets across the Internet, and I found this article pretty neat; it may help you as it helped me.

What they are:

TCPDUMP can "dump" your entire connection (every packet) to a file.
The default is just to capture a few bytes from the start of each packet,
but you can increase the number of bytes captured to grab the entire packet
(the bytes at the start of the packet give the header, source and
destination information, but not the content).

If you clean out your cache (so nothing is read from the hard disk);
start TCPDUMP and click on a link in a spamvertizing message (assuming that
the site does not send you a trojan - I use Netscape without the ActiveX
plugin, for example, to protect from that);
when you reach the final site, close TCPDUMP and you will have a complete
capture of everything.

TCPDUMP can read the saved file (you can also have it display the
information interactively, instead of saving to file) but just the header
info. By default it does not just display IP addresses but domain names.
DO NOT TRUST THEM. They are obtained via rDNS. Check them or have TCPDUMP
show the IP addresses instead of hostnames.

[If a connection to 111.222.333.444 is made (and I *know* that is not a
 possible IP address (grin)), to display the domain name, the programme
 does a reverse lookup on that IP address. The site responsible for
 the name server for the "host" ""
 (in-addr=Internet Address: arpa=arpa format=IPv.4), in the address
 space -that is the name server responsible for the IP address- decides
 what is returned. If the spammer controls the name server for that IP
 address, he can return anything he wants. He can return
 "" instead of the machine's real name.
 On the other hand, if you lookup (whois) "" the
 owner of the name server for "" decides what *that*
 returns. IF they match, then you have the correct hostname.
 If not, it may be a simple error or an intentional misdirection in
 the rDNS result.]

If you use TCPDUMP to read the file and see a connection between
and and to your machine (and verify that those
host names are correct, or check the IP addresses and find those are and and then there are such connections
made during access to the spamvertized site - BUT they may be innocent (the
spammer may simply put an [IMG SRC=""] tag on a spamvertized page and load
a tiny graphic from each of those sites so they appear when you examine the
connections made when you access the spamvertized site).

You can examine the raw TCPDUMP file to see what each connection asks for
and gets.

Also you can download some tools

2) Why do we need to reconstruct the TCP connection? What is the idea behind it?

You do packet traces, packet analysis, sniffs, captures to analyze what is happening at the packet level. TCP is fairly robust, and analyzing what the packets are, how the flow is going, and what happens can lead you to diagnosing a problem. Packet analysis is usually done because there's a problem and all other, easier, troubleshooting has failed. For instance, if my machine was hanging and I saw a zillion TCP "syns" coming in, I would realize I was under attack from a "syn flood" or a smurf attack.
sutejok (Author) Commented:

"In our experiment on payload anomaly detection we only used the inside network traffic data which was captured between the router and the victims. Because most public applications on the Internet use TCP (web, email, telnet, and ftp), and to reduce the complexity of the experiment, we only examined the inbound TCP traffic to the ports 0-1023 of the hosts which contains most of the victims, and ports 0-1023 which covers the majority of the network services. For the DARPA 99 data, we conducted experiments using each packet as the data unit and each connection as the data unit. We used tcptrace to reconstruct the TCP connections from the network packets in the tcpdump files."

I don't understand how they use tcptrace in here...
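What the reconstruction step amounts to, both for question 1 (turning a packet list into connections) and for the quoted paper's choice of "each connection as the data unit", as an added Python example that is not code from this thread or from tcptrace: it groups packets into connections by their address/port pairs with the SYN sender as client, orders each direction's payload by sequence number (dropping the retransmission and placing the early segment), keeps only inbound traffic to ports 0-1023, and lists handshakes that never completed, which is the SYN-flood symptom pseudocyber describes. All addresses, ports and packet tuples are constructed for the example, not taken from any real capture.

```python
# Constructed sample capture standing in for the packets read from a tcpdump file.
# Tuple layout: (src_ip, src_port, dst_ip, dst_port, tcpdump-style flags, seq, payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "172.16.1.10", 80, "S", 1000, b""),
    ("172.16.1.10", 80, "10.0.0.5", 40001, "SA", 5000, b""),
    ("10.0.0.5", 40001, "172.16.1.10", 80, "PA", 1007, b"HTTP/1.0\r\n\r\n"),  # arrives early
    ("10.0.0.5", 40001, "172.16.1.10", 80, "PA", 1001, b"GET / "),
    ("10.0.0.5", 40001, "172.16.1.10", 80, "PA", 1001, b"GET / "),            # retransmission
    ("172.16.1.10", 80, "10.0.0.5", 40001, "PA", 5001, b"HTTP/1.0 200 OK\r\n"),
    ("10.0.0.5", 40001, "172.16.1.10", 80, "FA", 1019, b""),
    ("10.0.0.9", 40002, "172.16.1.10", 22, "S", 77, b""),   # SYN never answered
    ("10.0.0.9", 40003, "172.16.1.10", 22, "S", 78, b""),   # SYN never answered
]

def reassemble(segments):
    """Order one direction's payload by sequence number, dropping retransmitted bytes."""
    data, expected = b"", min(segments)[0] if segments else 0
    for seq, payload in sorted(segments):
        if seq + len(payload) <= expected:
            continue                                  # every byte already seen
        data += payload[max(expected - seq, 0):]      # trim overlap; gaps are skipped
        expected = seq + len(payload)
    return data

def reconstruct(packets, server_ports=range(0, 1024)):
    """Group packets into connections (client = SYN initiator, like tcptrace's a2b side)."""
    conns = {}
    for src, sport, dst, dport, flags, seq, payload in packets:
        ends = ((src, sport), (dst, dport))
        c = conns.get(tuple(sorted(ends)))
        if c is None:
            # Orient on the first packet seen: a bare SYN points at the server, else the well-known port does.
            client, server = ends if ("S" in flags and "A" not in flags) or dport in server_ports else ends[::-1]
            if server[1] not in server_ports:
                continue                              # keep inbound traffic to ports 0-1023 only
            c = conns[tuple(sorted(ends))] = {"client": client, "server": server,
                                             "status": "half-open", "a2b": [], "b2a": []}
        direction = "a2b" if (src, sport) == c["client"] else "b2a"
        if direction == "b2a" and "S" in flags and "A" in flags:
            c["status"] = "established"               # SYN/ACK completes the handshake
        elif c["status"] == "established" and ("F" in flags or "R" in flags):
            c["status"] = "closed"
        c[direction].append((seq, payload))           # empty segments are dropped by reassemble()
    for c in conns.values():
        c["a2b"], c["b2a"] = reassemble(c["a2b"]), reassemble(c["b2a"])
    return list(conns.values())

def half_open(conns):
    """Handshakes that never completed: a burst of these from many sources is a SYN flood signature."""
    return [c for c in conns if c["status"] == "half-open"]
```

Feeding this a real capture would need a pcap reader in front of it to produce the same tuples; tcptrace reads the tcpdump file directly and reports the per-connection figures the quoted description lists.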