windows version of tcpflow?

[Dan Brandsma]

I was very happy to find tcpflow, and I especially appreciate the
fixes included in release 1.1. However, my data collection
environment is windows based, and am looking for a capability that can
run natively and not require execution in a linux VM.

Before I proceeded with a windows port, I wanted to see if:
1. Someone else was already working or it, and
2. There was broader interest in it if it became available.

My apologies for wasting your time if I'm missing something
elementary.

[Simson Garfinkel]

Nobody has ported it, but it should compile pretty easily with either cygwin or mingw.

[AMM]

I'd love to get tcpflow on win7.  I am trying the cygwin route now, but can't get it to compile following these instructions:

http://sourceforge.net/mailarchive/forum.php?thread_name=200404152144.i3FLih24016589%40cambot.lecs.cs.ucla.edu&forum_name=tcpflow-devel

[Simson Garfinkel]

You are referencing instructions that are more than 9 years old.  Try these:

New versions of tcpflow32.exe and tcpflow64.exe:

http://digitalcorpora.org/downloads/tcpflow/tcpflow-1.4.0a3_dev.zip

Can you give them a try and let me know what you think?

--
You received this message because you are subscribed to the Google Groups "tcpflow-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tcpflow-user...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[mla_ca520]

Here is a port I found. I haven't tested it, but did scan it with MS Security essentials, Malwarebytes free, and McAffee, it is clean (as of Jan 10, 2013)

https://github.com/simsong/tcpflow/downloads

[Simson Garfinkel]

tcpflow compiles to windows with mingw.

[mla_ca520]

Hey SLG,

I think that was a link to your work that I posted. I couldn't get that to work, it won't flow some t-shark pcap files I have. Says it can't decode the header:

D:\...\tcpflow-win-1.3.0>tcpflow32.exe -r 2014-01-06_120600.pcap

tcpflow32.exe[7980]: Cannot decode pcap header 0xa0d0d0a; swapped=0

So I'm going to take your advice and try to compile the source myself. but I can't find the source to download :-(

I'll keep trying though.

[Simson Garfinkel]

On Jan 13, 2014, at 4:37 PM, mla_ca520 <mlada...@gmail.com> wrote:

Hey SLG,

I think that was a link to your work that I posted. I couldn't get that to work, it won't flow some t-shark pcap files I have. Says it can't decode the header:

D:\...\tcpflow-win-1.3.0>tcpflow32.exe -r 2014-01-06_120600.pcap

tcpflow32.exe[7980]: Cannot decode pcap header 0xa0d0d0a; swapped=0

That’s a pcap NG header. 

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html

Currently tcpflow doesn’t support pcap ng.

If you want to adopt tcpflow to support pcap ng, that would be great!

[mla_ca520]

I'm a decent python coder, but haven't done much with C or C++. I'll be happy to look and see if I can wrap my head around modifying tcpflow to support pcap NG. Are there folks you can put me in touch with, who can assist with explanations and such? I have dyslexia, and only a few good hours of reading each day, before I'm too exhausted to continue.

--ma

[Simson Garfinkel]

Thanks for the email.

You need to read the standard and adopt all of the packet readers to handle the packet types in the standard.

This probably is not the right project for you.  But you are welcome to give it a try and see how far you get. In the meantime, you can probably use a tool like tcpflow to transform from the pcap-ng format to pcap.

Simson