Difference between pages "Ngrep" and "Tcpflow"

From Forensics Wiki
Compared revisions: Ngrep, edit summary "m (Link to fragment reassembly patch)"; Tcpflow, edit summary "m (Vulnerabilities)".
ngrep
Maintainer: Jordan Ritter
OS: Linux
Genre: Network forensics
License: GPL
Website: ngrep.sourceforge.net

Ngrep is a tool that applies GNU grep's pattern-matching features to the network layer.

Overview

Ngrep recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces.

Examples

Example 1: dump all common HTTP requests on a live network (eth0):

ngrep -qd eth0 '^(GET|POST|HEAD|CONNECT)' 'tcp'

Example 2: the same, but from a network dump (out.pcap):

ngrep -qI out.pcap '^(GET|POST|HEAD|CONNECT)' 'tcp'

Limitations

Ngrep cannot reconstruct data streams: it matches packet by packet, so it has no ability to match a string that is broken across two or more packets.

Patches

  • IPv4 and IPv6 fragment reassembly patch: http://sourceforge.net/tracker/index.php?func=detail&aid=1738954&group_id=10752&atid=310752

Revision as of 14:41, 13 September 2008

tcpflow
Maintainer: Jeremy Elson
OS: Linux
Genre: Network forensics
License: GPL
Website: www.circlemud.org/~jelson/software/tcpflow/

tcpflow is a tool that captures data transmitted as part of TCP connections, and stores the data in a way that is convenient for protocol analysis, keyword searching, etc.

Overview

tcpflow stores all captured data in files that have names of the form

128.129.130.131.02345-010.011.012.013.45103

where the contents of the above file would be data transmitted from host 128.129.130.131 port 2345, to host 10.11.12.13 port 45103. Each address octet is zero-padded to three digits and each port to five, so the names sort and parse predictably; the data flowing in the opposite direction is stored in the file with the two endpoints swapped.
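The naming scheme above, as an added Python example (this is not tcpflow's own code): it parses a tcpflow flow filename back into its endpoints, rebuilds the name for the reverse direction, and pairs up the two files of a bidirectional connection from a directory listing. The helper names parse_flow_filename, flow_filename and pair_directions are mine; the only format assumption is the one the example filename shows, three-digit zero-padded octets and five-digit zero-padded ports. The filenames in the block are constructed, not taken from a real capture.

```python
import ipaddress
import re
from typing import Dict, Iterable, NamedTuple, Optional

# tcpflow layout as shown on the page: AAA.AAA.AAA.AAA.PPPPP-BBB.BBB.BBB.BBB.PPPPP
# (three-digit zero-padded IPv4 octets, five-digit zero-padded ports).
_FLOW_RE = re.compile(
    r"^(?P<src>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<sport>\d{5})"
    r"-(?P<dst>\d{3}\.\d{3}\.\d{3}\.\d{3})\.(?P<dport>\d{5})$"
)


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The same connection seen from the other endpoint.
        return Flow(self.dst, self.dport, self.src, self.sport)


def _unpad_ip(padded: str) -> str:
    # "010.011.012.013" -> "10.11.12.13"; IPv4Address rejects octets above 255.
    dotted = ".".join(str(int(octet)) for octet in padded.split("."))
    return str(ipaddress.IPv4Address(dotted))


def _pad_ip(ip: str) -> str:
    # "10.11.12.13" -> "010.011.012.013"
    return ".".join(f"{int(octet):03d}" for octet in ip.split("."))


def parse_flow_filename(name: str) -> Optional[Flow]:
    """Return the Flow encoded in a tcpflow filename, or None if it is not one."""
    m = _FLOW_RE.match(name)
    if not m:
        return None
    try:
        src, dst = _unpad_ip(m["src"]), _unpad_ip(m["dst"])
    except ipaddress.AddressValueError:
        return None  # an octet > 255 is syntactically plausible but not a valid address
    sport, dport = int(m["sport"]), int(m["dport"])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return Flow(src, sport, dst, dport)


def flow_filename(flow: Flow) -> str:
    """Build the tcpflow filename for a Flow (inverse of parse_flow_filename)."""
    return f"{_pad_ip(flow.src)}.{flow.sport:05d}-{_pad_ip(flow.dst)}.{flow.dport:05d}"


def pair_directions(names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every tcpflow filename in `names` to its reverse-direction file, or None if
    only one direction was captured (e.g. a half-open scan or one-sided capture)."""
    flows = {n: parse_flow_filename(n) for n in names}
    present = {n for n, f in flows.items() if f is not None}
    pairs: Dict[str, Optional[str]] = {}
    for name in present:
        reverse_name = flow_filename(flows[name].reverse())
        pairs[name] = reverse_name if reverse_name in present else None
    return pairs


if __name__ == "__main__":
    # Constructed directory listing: one full connection and one lone direction.
    listing = [
        "128.129.130.131.02345-010.011.012.013.45103",
        "010.011.012.013.45103-128.129.130.131.02345",
        "192.168.001.010.51234-010.000.000.001.00022",
        "report.txt",
    ]
    for name, other in sorted(pair_directions(listing).items()):
        print(name, "<->", other or "(no reverse direction captured)")
```

Because the regex is anchored and strict about padding, stray files in the output directory (reports, notes) are ignored rather than misparsed, and an octet above 255 is rejected even though it matches the digit pattern.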

Limitations

  • tcpflow does not understand IP fragments;
  • tcpflow does not understand 802.11 headers.

Vulnerabilities

  • tcpflow positions data in the output file by TCP sequence number, so reconstructing a session whose sequence numbers jump can produce a file of around 600 megabytes that is mostly empty.
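An added Python example (my code, not ngrep's or tcpflow's) that illustrates both the ngrep limitation stated above, that a string split across two packets is invisible to a packet-at-a-time matcher, and the tcpflow behaviour in this section, that writing each segment at offset seq minus initial sequence number lets one bogus sequence number grow the flow file to hundreds of megabytes of holes. The segments are constructed, not captured traffic; the names grep_per_packet, reassemble, projected_file_size and grep_stream and the 64 MiB cap are my assumptions, and the cap is a guard I add, not something tcpflow does.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    seq: int       # sequence number of the first payload byte
    payload: bytes


# Constructed sample traffic (not a real capture): one HTTP request whose request
# line is split mid-method across two segments, plus a segment whose sequence
# number is ~600 MiB ahead of the stream (lost/bogus data).
ISN = 1000
REQUEST_SEGMENTS = [
    Segment(ISN, b"GE"),
    Segment(ISN + 2, b"T /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]
BOGUS_SEGMENT = Segment((ISN + 600 * 1024 * 1024) % SEQ_MOD, b"junk")

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|CONNECT)", re.MULTILINE)


def grep_per_packet(segments: List[Segment], pattern=HTTP_REQUEST) -> List[int]:
    """Packet-at-a-time matching, the way ngrep works: each payload is tested alone.
    Returns the sequence numbers of segments that matched."""
    return [s.seq for s in segments if pattern.search(s.payload)]


def stream_offset(seq: int, isn: int) -> int:
    """Byte offset of `seq` inside the flow file, relative to the initial sequence number."""
    return (seq - isn) % SEQ_MOD


def projected_file_size(segments: List[Segment], isn: int) -> int:
    """Size the flow file would reach if every segment were written at its offset,
    computed without allocating anything (this is how the 600 MB files arise)."""
    return max((stream_offset(s.seq, isn) + len(s.payload) for s in segments), default=0)


def reassemble(segments: List[Segment], isn: int,
               max_file_size: int = 64 * 1024 * 1024) -> Tuple[bytes, List[Segment]]:
    """Rebuild the stream by writing each payload at seq - isn, the lseek()+write()
    approach. Gaps left by missing data become zero bytes (a sparse file on disk).
    Segments that would land past max_file_size are dropped instead of growing the
    file; they are returned so the analyst can see what was discarded."""
    stream = bytearray()
    dropped: List[Segment] = []
    for seg in sorted(segments, key=lambda s: stream_offset(s.seq, isn)):
        start = stream_offset(seg.seq, isn)
        end = start + len(seg.payload)
        if end > max_file_size:
            dropped.append(seg)
            continue
        if end > len(stream):
            stream.extend(b"\x00" * (end - len(stream)))  # hole for data not (yet) seen
        stream[start:end] = seg.payload
    return bytes(stream), dropped


def grep_stream(segments: List[Segment], isn: int, pattern=HTTP_REQUEST) -> List[int]:
    """Match after reassembly: returns stream offsets of every match, including
    patterns that straddle a segment boundary."""
    stream, _ = reassemble(segments, isn)
    return [m.start() for m in pattern.finditer(stream)]


if __name__ == "__main__":
    print("per-packet matches:", grep_per_packet(REQUEST_SEGMENTS))
    print("post-reassembly matches at offsets:", grep_stream(REQUEST_SEGMENTS, ISN))
    everything = REQUEST_SEGMENTS + [BOGUS_SEGMENT]
    print("file size without a cap:", projected_file_size(everything, ISN), "bytes")
    stream, dropped = reassemble(everything, ISN)
    print("reassembled", len(stream), "bytes; dropped", len(dropped), "segment(s)")
```

The per-packet pass finds nothing because "GE" and "T /index.html ..." never contain a complete method name, which is exactly the case the ngrep Limitations section describes; the reassembled stream matches at offset 0. The same offset arithmetic shows the tcpflow hazard: one segment with a sequence number 600 MiB ahead makes the projected file 600 MiB, almost all of it holes, so a reassembler that trusts sequence numbers should cap the distance it is willing to seek.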