NAME
ttmap - a TCP timestamp mapper
SYNOPSIS
ttmap [-i <iface>] [--no-promisc] [-p <num>] [--min-int=<ms>]
[--delta-a=<pcnt>] [--delta-b=<pcnt>] [--verbose] [--debug=<num>] [--]
[<pcap filter>]
ttmap --help|-h
ttmap --version|-v
DESCRIPTION
ttmap is a tool which passively analyzes TCP/IP packets. It collects values
of the TCP Timestamp option TSVal field, and after collecting enough TSVal-time
points, it uses linear regression to find the slope (a) and y-intercept (b)
parameters of the linear function the TCP Timestamp values belong to.
These parameters let it guess the remote operating system (based on the a
parameter) and identify unique machines behind a single IP address (NAT) and TCP
port (PAT) (using the b parameter).
The tool has basic abilities to compute statistical information about remote
IP load balancers, eg. percentage load of each of the detected machines.
OPTIONS
-i <iface> Choose interface to listen on [eth0].
--no-promisc Don't put network interface into promiscuous mode.
-p <num> Number of packets to collect in a single TCP connection
before trying to detect new machine behind NAT/PAT [5].
--min-int=<ms> Minimal time interval (in milliseconds, max 1 sec) between
two consecutive packets to count them for the -p option [150].
--delta-a=<pcnt> Maximal delta (in %) for the TCP timestamp function slope to
consider a connection as belonging to an already identified
machine [30].
--delta-b=<pcnt> As above, for y-intercept [25].
--debug=<num> Set debugging level.
--verbose Be verbose (short for --debug=10).
--help,-h Show usage help screen.
--version,-v Show version and copying information.
The <pcap filter> is a filter text recognized by libpcap, as described in
tcpdump(8). It may be used to select packets which should be analyzed. By
default, it's just "tcp".
USAGE
After successfully binding to the selected network interface, ttmap will start
receiving packets. Each packet will be analyzed and mapped onto the connections
list. When enough packets have been collected, ttmap will calculate
the "a" and "b" parameters and try to map them onto the machines list. If ttmap
finds a new machine on a new IP address, then a message similar to the one below
will be printed to standard output:
New machine found behind 212.77.101.1 port 25 (1 so far)
a=100 (OS guess: UNIX, eg. Linux 2.4)
b=61995137 (up since +- Wed Apr 12 12:46:42 2006)
However, if ttmap then detects more machines behind a single IP address, it will
print messages similar to the one below:
New machine found behind 212.77.101.1 port 25 (2 so far)
a=100 (OS guess: UNIX, eg. Linux 2.4)
b=533194017 (up since +- Thu Feb 16 23:20:01 2006)
This may sometimes even lead to results such as:
New machine found behind 212.77.101.1 port 25 (14 so far)
a=100 (OS guess: UNIX, eg. Linux 2.4)
b=1055995717 (up since +- Sun Dec 18 21:59:31 2005)
If it turns out that a particular machine is already known, then the stored "a"
and "b" parameters will be silently corrected using the mean value.
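The regression and NAT-matching step described in DESCRIPTION and USAGE, as an added example (not ttmap's own code) on constructed TSVal samples: it mimics -p/--min-int point selection, fits a and b by least squares, and matches the result against known machines within --delta-a/--delta-b. It assumes t is measured from the capture start, so b is the TSVal at that reference and b/a is the uptime in seconds (consistent with the b values and "up since" dates shown above); the connection-weighted mean used on a match is also an assumption.

```python
# Added example, not code from ttmap itself: TSVal regression and machine matching.
from dataclasses import dataclass


@dataclass
class Machine:
    a: float            # slope: TSVal ticks per second (100 => "UNIX, eg. Linux 2.4" on the page)
    b: float            # intercept: TSVal at t=0 (capture start), so b/a = uptime (assumption)
    connections: int = 1


def select_points(packets, p=5, min_int_ms=150):
    """Mimic -p / --min-int: keep packets at least min_int apart, return the first p (or None)."""
    kept = []
    for t, tsval in packets:
        if not kept or (t - kept[-1][0]) * 1000.0 >= min_int_ms:
            kept.append((t, tsval))
        if len(kept) == p:
            return kept
    return None


def regress(points):
    """Least-squares fit tsval = a*t + b; centred sums avoid float cancellation."""
    n = len(points)
    mt = sum(t for t, _ in points) / n
    mv = sum(v for _, v in points) / n
    sxx = sum((t - mt) ** 2 for t, _ in points)
    sxy = sum((t - mt) * (v - mv) for t, v in points)
    a = sxy / sxx
    return a, mv - a * mt


def map_machine(machines, a, b, delta_a=30.0, delta_b=25.0):
    """Match (a, b) to a known machine within the percent deltas, else register a new one."""
    for m in machines:
        if abs(a - m.a) * 100.0 <= delta_a * abs(m.a) and abs(b - m.b) * 100.0 <= delta_b * abs(m.b):
            n = m.connections  # fold the new fit in as a connection-weighted mean (assumption)
            m.a, m.b = (m.a * n + a) / (n + 1), (m.b * n + b) / (n + 1)
            m.connections += 1
            return m, False
    machines.append(Machine(a, b))
    return machines[-1], True


def uptime_seconds(m):
    return m.b / m.a


def demo():
    machines = []
    # Constructed: three connections to one IP; conn1 and conn3 come from the same 100 Hz host,
    # conn2 from a second 100 Hz host that booted much earlier (larger TSVal).
    conn1 = [(0.00, 61995137), (0.20, 61995157), (0.41, 61995178), (0.63, 61995200), (0.90, 61995227)]
    conn2 = [(1.00, 533194117), (1.18, 533194135), (1.40, 533194157), (1.65, 533194182), (1.95, 533194212)]
    conn3 = [(2.00, 61995337), (2.30, 61995367), (2.55, 61995392), (2.80, 61995417), (3.10, 61995447)]
    results = []
    for conn in (conn1, conn2, conn3):
        a, b = regress(select_points(conn))
        m, is_new = map_machine(machines, a, b)
        results.append((round(a), is_new, len(machines)))
    return results  # -> [(100, True, 1), (100, True, 2), (100, False, 2)]
```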
The program may be stopped by sending it the SIGINT signal (Ctrl+C on interactive
terminals). Before exiting, a summary like the following one will be printed
to standard output:
Analyzed IP addresses:
212.77.101.1 - 14 machines, 74 connections
machine #1:
a=100, b=70042908
OS guess: UNIX, eg. Linux 2.4
probably up since: Tue Apr 11 14:31:19 2006
percentage load: 9.46% (7 connections)
handling ports:
25 (100.00%, 7 connections)
machine #2:
a=100, b=533193975
OS guess: UNIX, eg. Linux 2.4
probably up since: Fri Feb 17 00:05:44 2006
percentage load: 12.16% (9 connections)
handling ports:
25 (100.00%, 9 connections)
(report truncated for clarity)
machine #13:
a=100, b=1281371552
OS guess: UNIX, eg. Linux 2.4
probably up since: Tue Nov 22 10:27:23 2005
percentage load: 6.76% (5 connections)
handling ports:
25 (100.00%, 5 connections)
machine #14:
a=100, b=1089815413
OS guess: UNIX, eg. Linux 2.4
probably up since: Wed Dec 14 15:41:37 2005
percentage load: 5.41% (4 connections)
handling ports:
25 (100.00%, 4 connections)
Average uptime: 12850573 sec = 3569.60 h = 148.73 days
The same results will be printed to standard output if the ttmap process receives
the SIGUSR1 signal, but the program will keep running.
EXAMPLES
Below are a few examples of using ttmap.
Example 1, low network latency, fast detection, interface eth1.
ttmap -i eth1 -p 3 --min-int=100 --delta-a=25 --delta-b=15
Example 2, high network latency, single remote host.
ttmap -p 8 --min-int=250 "src www.microsoft.com"
DIAGNOSTICS
Normally, ttmap will exit with error code 0, which means success. If something
goes wrong, it will exit with error code 1 and print an error message to
standard error output.
Common errors and their probable causes are listed below:
ttmap: invalid option -- <option>
The passed command line option is not valid (see OPTIONS).
pcap_open_live(): socket: Operation not permitted
The user running ttmap has no privileges to sniff on the selected network interface.
pcap_open_live(): ioctl: No such device
The selected network interface does not exist.
pcap_open_live(): bind: Network is down
The selected network interface's link layer is not up.
libpcap error: pcap_compile(): syntax error
The passed <pcap filter> is not valid and has syntax errors.
BUGS AND TODO LIST
1. Probably runs only on GNU/Linux.
2. Only Ethernet network interfaces are supported.
3. Does not support IPv6.
4. Does not do full tracking of TCP/IP connections, thus a remote attacker
may "close" monitored connections by sending forged TCP/IP packets with
FIN or RST flags and arbitrary sequence numbers.
5. Should detect the same machine appearing on different IP addresses.
6. Algorithm deciding when to run the linear regression could probably be
improved to detect remote machines faster.
LEGAL INFORMATION
Copyright (C) 2006 by Pawel Foremski <pjf@asn.pl>.
The ttmap source code along with whole documentation is licensed under GNU GPL
version 2 and GNU FDL, respectively.