Index of /ttmap

[ICO]NameLast modifiedSizeDescription

[DIR]Parent Directory  -  
[TXT]README.html25-Mar-2010 15:55 6.5K 
[DIR]dev/25-Mar-2010 15:55 -  
[DIR]doc/25-Mar-2010 15:55 -  
[   ]ttmap-0.0.md525-Mar-2010 15:55 53  
[   ]ttmap-0.0.tar.gz25-Mar-2010 15:55 111K 
[   ]ttmap-0.1.md525-Mar-2010 15:55 53  
[   ]ttmap-0.1.tar.gz25-Mar-2010 15:55 215K 

  ttmap - a TCP timestamp mapper

  ttmap [-i <iface>] [--no-promisc] [-p <num>] [--min-int=<ms>]
  [--delta-a=<pcnt>] [--delta-b=<pcnt>] [--verbose] [--debug=<num>] [--]
  [<pcap filter>]
  ttmap --help|-h
  ttmap --version|-v

  ttmap is a tool which passively analyzes TCP/IP packets. It collects values
  of TCP Timestamp option TSVal field, and after collect- ing enough TSVal-time
  points, it uses linear regression to find the slope (a) and y-intercept (b)
  parameters of the linear function the TCP Timestamp values belong to.

  These parameters let it guess remote operating system (basing on the a
  parameter) and identify unique machines behind single IP address (NAT) and TCP
  port (PAT) (using the b parameter).

  The tool has basic abilities to compute statistical information about remote
  IP load balancers, eg. percentage load of each of the detected machines.

  -i <iface>        Choose interface to listen on [eth0].
  --no-promisc      Don't put network interface into promiscuous mode.
  -p <num>          Number of packets to collect in a single TCP connection
                    before trying to detect new machine behind NAT/PAT [5].
  --min-int=<ms>    Minimal time interval (in miliseconds, max 1 sec) between
                    two consecutive packets to count them for -p option [150].
  --delta-a=<pcnt>  Maximal delta (in %) for TCP timestamp function slope to
                    consider connection as belonging to already indentified
                    machine [30].
  --delta-b=<pcnt>  As above, for y-intercept [25].
  --debug=<num>     Set debugging level.
  --verbose         Be verbose (short for --debug=10).
  --help,-h         Show usage help screen.
  --version,-v      Show version and copying information.

  The <pcap filter> is a filter text recognized by libpcap, as described in
  tcpdump(8). It may be used to select packets which should be analyzed. By
  default, it's just "tcp".

  After successfully binding to selected network interface, ttmap will start
  receiving packets. Each packet will be analyzed and mapped on connections
  list. When there is enough number of packets collected, ttmap will calculate
  the "a" and "b" parameters and try to map them on machines list. If ttmap
  finds a new machine on new IP address, then message similar to below will be
  printed to standard output:

    New machine found behind port 25 (1 so far)
      a=100          (OS guess: UNIX, eg. Linux 2.4)
      b=61995137     (up since +- Wed Apr 12 12:46:42 2006)

  However, if ttmap then detects more machines behind single IP address, it will
  print messages similar to below one:

    New machine found behind port 25 (2 so far)
      a=100          (OS guess: UNIX, eg. Linux 2.4)
      b=533194017    (up since +- Thu Feb 16 23:20:01 2006)

  What may sometimes later lead even to such results:

    New machine found behind port 25 (14 so far)
      a=100          (OS guess: UNIX, eg. Linux 2.4)
      b=1055995717   (up since +- Sun Dec 18 21:59:31 2005)

  If it turns out that a particular machine is already known, then stored "a"
  and "b" parameters will be silently corrected using mean value.

  Program may be stopped by sending it the SIGINT signal (Ctrl+C on interactive
  terminals). Before exiting, a summary like the following one will be printed
  to standard output:

    Analyzed IP addresses: - 14 machines, 74 connections
      machine #1:
        a=100, b=70042908
        OS guess: UNIX, eg. Linux 2.4
        probably up since: Tue Apr 11 14:31:19 2006
        percentage load: 9.46% (7 connections)
        handling ports:
          25 (100.00%, 7 connections)
      machine #2:
        a=100, b=533193975
        OS guess: UNIX, eg. Linux 2.4
        probably up since: Fri Feb 17 00:05:44 2006
        percentage load: 12.16% (9 connections)
        handling ports:
          25 (100.00%, 9 connections)

  (report truncated for clarity)

      machine #13:
        a=100, b=1281371552
        OS guess: UNIX, eg. Linux 2.4
        probably up since: Tue Nov 22 10:27:23 2005
        percentage load: 6.76% (5 connections)
        handling ports:
          25 (100.00%, 5 connections)
      machine #14:
        a=100, b=1089815413
        OS guess: UNIX, eg. Linux 2.4
        probably up since: Wed Dec 14 15:41:37 2005
        percentage load: 5.41% (4 connections)
        handling ports:
          25 (100.00%, 4 connections)
    Average uptime: 12850573 sec = 3569.60 h = 148.73 days

  Same results will be printed to standard output if ttmap process receives
  SIGUSR1 signal, but the program will keep running.

  Below are a few examples of using ttmap.

  Example 1, low network latency, fast detection, interface eth1.

    ttmap -i eth1 -p 3 --min-int=100 --delta-a=25 --delta-b=15

  Example 2, high network latency, single remote host.

    ttmap -p 8 --min-int=250 "src"

  Normally, ttmap will exit with error code 0, which means success. If something
  goes wrong, it will exit with error code 1 and print an error message to
  standard error output.

  Below common errors with probable reasons are listed:

  ttmap: invalid option -- <option>  
    Passed command line option is not valid (see OPTIONS).
  pcap_open_live(): socket: Operation not permitted  
    User running ttmap has no privileges to sniff on selected network interface.
  pcap_open_live(): ioctl: No such device  
    Selected network interface does not exit.
  pcap_open_live(): bind: Network is down  
    Selected network interface's link layer is not up.
  libpcap error: pcap_compile(): syntax error  
    Passed <pcap filter> is not valid and has syntax errors.

  1. Probably runs only on GNU/Linux.
  2. Only Ethernet network interfaces are supported.
  3. Does not support IPv6.
  4. Does not do full tracking of TCP/IP connections, thus a remote attacker
     may "close" monitored connections by sending forged TCP/IP packets with
     FIN or RST flags, giving any sequence numbers.
  5. Should detect same machines running on different IP addresses.
  6. Algorithm deciding when to run the linear regression could probably be
     improved to detect remote machines faster.

  Copyright (C) 2006 by Pawel Foremski <>.

  The ttmap source code along with whole documentation is licensed under GNU GPL
  version 2 and GNU FDL, respectively.