Tcpflow development - Merging Flows

Abhishek Sharma

Jan 6, 2012, 2:29:37 AM
to aff-discuss
Hi,

I have been testing tcpflow for some time and I must say it's mighty
efficient. It's clean, fast and accurate.

I do have one small problem regarding the flow reconstruction. The
trouble is tcpflow always gives me TWO separate flows for one single
session. For instance, if we have a session b/w IP-A:Port-B and
IP-C:Port-D, tcpflow will give me two sessions:

1). IP-A PT B -> IP-C PT D
2). IP-C PT D -> IP-A PT B

Now if I use Wireshark's follow TCP stream functionality I get ONE
stream for the entire session. Also the session is totally accurate.

It would be really helpful if this change can be done to tcpflow.

Help guys!

Cheers!
Abhi

Simson Garfinkel

Jan 6, 2012, 7:08:24 AM
to aff-d...@googlegroups.com
Thanks for the email.

The program creates two session files because there are two different TCP flows, one in each direction. If you put them in the same file, you need to have a way of distinguishing the two flows. Wireshark's behavior here (as in many other places) is technically wrong.

With that being said, how would you propose to put the two flows together? Just pack all of the bytes? What do you do when there are TCP retransmits with different windows?

Are you just interested in visualizing the flows in two different directions? In that case, would you prefer HTML output that shows the raw packets, perhaps with color and a hexl display, rather than just the raw bytes?

Simson

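One concrete answer to the question of how the two flows could share a file, as an added example (not code from tcpflow or from anyone in this thread): place each direction's bytes by sequence offset so that a retransmit with a different window contributes only bytes not already seen, and tag every emitted chunk with its direction so the two flows stay distinguishable. The addresses, sequence numbers and payloads below are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    """One TCP segment as a capture library hands it over (constructed, not captured)."""
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # absolute sequence number of payload[0]
    payload: bytes

@dataclass
class FlowState:
    """Reassembly state for one direction (what tcpflow writes to one file)."""
    isn: int                                # first sequence number seen
    seen: set = field(default_factory=set)  # byte offsets already emitted

def merge_flows(segments):
    """Merge both directions of one session into one list of (label, bytes) chunks.
    Each byte is placed by sequence offset within its own direction, so a
    retransmit (same seq, possibly a different length) contributes only bytes
    not yet seen. Chunks are emitted in capture order of first appearance and
    tagged with their direction, which keeps the two flows distinguishable.
    """
    flows, transcript = {}, []
    for s in segments:
        flow = flows.setdefault((s.src, s.dst), FlowState(isn=s.seq))
        fresh = bytearray()
        for i, byte in enumerate(s.payload):
            off = s.seq - flow.isn + i
            if off < 0 or off in flow.seen:  # before the ISN, or already emitted
                continue
            flow.seen.add(off)
            fresh.append(byte)
        if fresh:                            # an exact duplicate retransmit adds nothing
            transcript.append((f"{s.src} -> {s.dst}", bytes(fresh)))
    return transcript

def render(transcript):
    """Text view of the merged transcript with a direction header per chunk."""
    return "".join(f"[{label}]\n{data.decode('latin-1')}\n" for label, data in transcript)

# Constructed session: request, reply, a retransmit carrying two extra bytes,
# an exact duplicate retransmit, then more reply data.
A, B = "10.0.0.1:40000", "10.0.0.2:80"
SAMPLE = [
    Segment(A, B, 1000, b"GET / HTTP/1.0\r\n"),
    Segment(B, A, 5000, b"HTTP/1.0 200 OK\r\n"),
    Segment(A, B, 1000, b"GET / HTTP/1.0\r\n\r\n"),  # retransmit, larger window
    Segment(B, A, 5000, b"HTTP/1.0 200 OK\r\n"),     # retransmit, nothing new
    Segment(B, A, 5017, b"hello"),
]
```

Running `render(merge_flows(SAMPLE))` shows four tagged chunks; the second retransmit never appears, and the first contributes only its two new bytes.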
