http://www.forensicswiki.org/w/index.php?title=TCP_timestamps&feed=atom&action=historyTCP timestamps - Revision history2013-05-24T00:06:50ZRevision history for this page on the wikiMediaWiki 1.20.3http://www.forensicswiki.org/w/index.php?title=TCP_timestamps&diff=8305&oldid=prev.FUF: added Category:Network Forensics2008-07-20T18:54:25Z<p>added Category:Network Forensics</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 18:54, 20 July 2008</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 30:</td>
<td colspan="2" class="diff-lineno">Line 30:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* [http://rfc.net/rfc1323.html RFC 1323]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* [http://rfc.net/rfc1323.html RFC 1323]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* http://uptime.netcraft.com/</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* http://uptime.netcraft.com/</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[Category:Network Forensics]]</ins></div></td></tr>
</table>.FUFhttp://www.forensicswiki.org/w/index.php?title=TCP_timestamps&diff=8304&oldid=prev.FUF: New page: '''TCP timestamps''' are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps (see below). Th...2008-07-20T17:58:30Z<p>New page: '''TCP timestamps''' are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps (see below). Th...</p>
<p><b>New page</b></p><div>'''TCP timestamps''' are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps (see below).<br />
<br />
These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see [[TrueCrypt]]), linking spoofed [[IP]] and [[MAC]] addresses together, linking [[IP]] addresses with Ad-Hoc wireless APs, etc.<br />
<br />
== Supported Operating Systems ==<br />
<br />
* BSD/OS<br />
* [[FreeBSD]], but not the default configuration in versions 3 to 4.3<br />
* HP-UX, recent versions<br />
* IRIX<br />
* [[Linux]], kernel 2.1 and later<br />
* NetApp NetCache<br />
* Solaris 2.6 and later<br />
* [[Windows]] 2000, 2003, XP and Vista<br />
<br />
== Limitations ==<br />
<br />
Some operating systems do not send TCP timestamps unless incoming TCP SYN packets will have this option enabled.<br />
<br />
== Method ==<br />
<br />
* Find all TCP packets with timestamp option (in [[Wireshark]] use following display filter: ''tcp.options.time_stamp'');<br />
* Calculate target's clock frequency (e.g. 100 Hz or 1000 Hz) by analyzing two (or more) TCP timestamps in a certain period of time;<br />
* Use this frequency to calculate uptime.<br />
<br />
Following tools can automate this process:<br />
* [[Nmap]] (only active scan)<br />
<br />
== Links ==<br />
* [http://rfc.net/rfc1323.html RFC 1323]<br />
* http://uptime.netcraft.com/</div>.FUF