ttmap 0.1 review

by rbytes.net on

ttmap passively analyzes values of TCP Timestamps in captured IP packets

License: GPL (GNU General Public License)
File size: 215K
Developer: Pawel Foremski

ttmap passively analyzes values of TCP Timestamps in captured IP packets. After collecting enough data, it computes characteristic remote machine parameters.

These values let it guess remote operating systems and identify unique machines behind a single IP address. For example, it can analyze remote IP load-balanced clusters.

After successful initialization, ttmap starts analyzing packets received on the selected network interface. For this it uses the libpcap library, which delivers each captured packet to the ttmap_callback() function.

Next, the program checks whether the received packet is TCP and whether it carries the TCP Timestamps option. If so, ttmap reads the essential data from it and passes that to the process_packet() function. If the packet has the RST or FIN flag set, however, a special procedure is called instead, which removes any data held for the connection being closed.

The process_packet() function matches a single packet to a TCP connection. It checks whether the number of packets collected for that connection is enough, and if it is, control is passed to the identify_connection() function.

Now ttmap has a large enough sample of packets received from a single remote machine to find the proportionality factor (the jiffy), called the a parameter, and the system start-up time, called the b parameter. For best results, the program uses the linear regression routine from the GNU Scientific Library. Provided that the quality of the obtained values is good enough (discussed below), an internal database holding information about already identified machines is queried for the calculated remote system characteristics. If nothing matches, a new remote machine has been detected; if there is a match, that machine's a and b parameters are corrected by averaging in the new values.

Because packets traversing the Internet are subject to various delays and fluctuations, the obtained data might be of low quality, i.e. there will be no linear function that fits the collected (time, TCP timestamp) points. So, for best results, only the points lying close enough to the best-fit line should be accepted as meaningful. ttmap checks whether the ratio of the covariance (returned by GSL) to the obtained a parameter is small enough. A similar situation arises when querying the internal database for matching machines: here the user may configure an acceptable "delta" for the a and b parameters.

When a new remote machine is detected, an informational message is printed to standard output. The message contains the machine's a parameter, with the corresponding remote operating system guess, and its b parameter, with the probable time when the remote machine was turned on (in the local timezone).
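The regression, quality check and database match described above, as an added example in plain Python rather than ttmap's own C code: each connection's (capture time, TSval) points are fitted by least squares to obtain a (ticks per second) and b (boot time), noisy fits are dropped, and the rest are merged into a machine table with configurable deltas. The quality metric (RMS residual divided by a) and the two constructed hosts are assumptions; ttmap's OS-guess table is not reproduced.

```python
from statistics import mean

def fit_connection(points):
    """Least-squares fit of TSval = a*t + c over (capture_time_s, tsval) samples.
    Returns (a, b, quality): a = ticks per second, b = estimated boot time (the t
    at which TSval was 0), quality = RMS residual / a, i.e. fit error in seconds
    (assumption: stands in for ttmap's covariance/a ratio obtained from GSL)."""
    xs, ys = zip(*points)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    a = sxy / sxx                       # slope: ticks per second (the jiffy rate)
    c = my - a * mx                     # intercept at t = 0
    rms = (sum((y - (a * x + c)) ** 2 for x, y in points) / len(points)) ** 0.5
    return a, -c / a, rms / a

def identify(connections, max_quality=0.05, delta_a=5.0, delta_b=2.0):
    """Fit every connection, drop noisy fits, merge the rest into [a, b, count]
    entries: a fit within delta_a/delta_b of a known machine refines it by
    running mean, anything else is reported as a newly detected machine."""
    machines = []
    for pts in connections:
        a, b, q = fit_connection(pts)
        if q > max_quality:             # points do not lie on a line: skip
            continue
        for m in machines:
            if abs(m[0] - a) <= delta_a and abs(m[1] - b) <= delta_b:
                m[2] += 1
                m[0] += (a - m[0]) / m[2]
                m[1] += (b - m[1]) / m[2]
                break
        else:
            machines.append([a, b, 1])
    return machines

# Constructed data: two hosts behind one load-balanced IP, ten packets per
# connection, one per second. `delay` models a queueing spike on the 3rd and
# 8th packet (late capture time, TSval unchanged).
def samples(boot, hz, t0, n=10, delay=0.0):
    return [(t0 + i + (delay if i in (2, 7) else 0.0), int((t0 + i - boot) * hz))
            for i in range(n)]

HOST_X = (1_700_000_000.0, 1000)        # booted at epoch 1.7e9, 1000 Hz clock
HOST_Y = (1_699_990_000.0, 250)         # booted 10000 s earlier, 250 Hz clock
CONNECTIONS = [
    samples(*HOST_X, 1_700_003_600.0),
    samples(*HOST_Y, 1_700_003_700.0),
    samples(*HOST_X, 1_700_003_900.0, delay=0.01),   # mild jitter, still accepted
    samples(*HOST_Y, 1_700_004_000.0, delay=0.5),    # heavy jitter, rejected
]
```

Running `identify(CONNECTIONS)` yields two machines: the 1000 Hz host seen on two connections and the 250 Hz host seen on one, with the heavily jittered connection discarded by the quality check.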
