Bug#155032: ITP: tcpreen -- Simple TCP re-engineering tool
On Saturday 3 August 2002 15:54, Hamish Moffatt wrote:
> On Thu, Aug 01, 2002 at 12:06:57AM +0200, Oliver Kurth wrote:
> > TCPreen is a small tool for monitoring a TCP connection.
> > It works like a bridge between the server and the client in a TCP
> > connection, displays any data that is sent either way, and
> > optionally logs everything to a file.
> >
> > It is mainly useful if you want to understand what information a
> > client and a server exchange during a TCP session. It was
> > originally meant to help reverse engineering proprietary TCP-based
> > protocols or protocol extensions.
>
> What advantage does it have over a simple packet capture utility
> like tcpdump or Ethereal?
May I explain that?
I admit I don't know Ethereal, but for sure, tcpdump is not really well
suited for TCP connection tracking: it's too raw, it's quite hard to
follow one particular data stream with it.
A better packet sniffer for TCP connection monitoring is tcpflow (in
Debian too), but it is still quite incomplete and I hope it will be
improved: it doesn't support IP (de-)fragmentation, nor IPv6, and its
log file format makes it hard, if not impossible, to find
corresponding client requests and server responses, as server and
client output are totally separated, and not time stamped.
I would say tcpreen is better suited when you have control of at least
one side of a TCP connection, either the client or the server, as it is
then as reliable as your TCP/IP stack is (and the GNU/Linux TCP stack is
excellent), and provides a much more user-friendly log file format.
This, of course, has a price: tcpreen is unable to monitor data that
was not sent to it explicitly; it can't use promiscuous mode and the
like.
> Hamish
Rémi
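The bridging model described in the thread (the tool sits between client and server, forwards what each side sends, and keeps one timestamped log covering both directions) can be illustrated with a small relay. The code below is an added example written for this page, not tcpreen's own code; the uppercase echo server, the loopback ports and the two messages are constructed for the demonstration.

```python
"""Minimal TCP bridge that logs both directions of one connection with timestamps.

Added example: models the approach the thread describes (a relay you point the
client at), not the tcpreen implementation itself.
"""
import socket
import threading
import time


def _pump(src, dst, direction, log, lock):
    """Forward bytes from src to dst, logging each chunk with a timestamp and direction tag."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        with lock:
            log.append((time.time(), direction, data))
        dst.sendall(data)
    # Propagate the half-close so the other side sees EOF, as a transparent bridge should.
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def bridge(client_sock, server_addr, log):
    """Connect to the real server and relay both directions until both sides close."""
    server_sock = socket.create_connection(server_addr)
    lock = threading.Lock()
    threads = [
        threading.Thread(target=_pump, args=(client_sock, server_sock, "C->S", log, lock)),
        threading.Thread(target=_pump, args=(server_sock, client_sock, "S->C", log, lock)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client_sock.close()
    server_sock.close()


def serve_one(listen_sock, server_addr, log):
    """Accept a single client on listen_sock and bridge it to server_addr."""
    client_sock, _ = listen_sock.accept()
    bridge(client_sock, server_addr, log)


def format_log(log):
    """Render the log as one line per chunk: time (UTC, ms), direction, bytes.

    Both directions share one ordered log, so a request and its response sit next to each other.
    """
    lines = []
    for ts, direction, data in log:
        stamp = time.strftime("%H:%M:%S", time.gmtime(ts)) + ("%.3f" % (ts % 1))[1:]
        lines.append("%s %s %r" % (stamp, direction, data))
    return "\n".join(lines)


def _listen_on_loopback():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(1)
    return s


def _echo_server(listen_sock):
    """Constructed stand-in for a real server: answers each chunk with its uppercase form."""
    conn, _ = listen_sock.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data.upper())
    listen_sock.close()


def demo(messages=(b"hello\n", b"world\n")):
    """Run server, bridge and client on loopback; return (log entries, client replies)."""
    server_listen = _listen_on_loopback()
    proxy_listen = _listen_on_loopback()
    log = []
    threading.Thread(target=_echo_server, args=(server_listen,)).start()
    proxy_thread = threading.Thread(
        target=serve_one, args=(proxy_listen, server_listen.getsockname(), log))
    proxy_thread.start()
    # The client is pointed at the bridge, not at the server: that is the only
    # reason the bridge sees any traffic at all (no promiscuous capture involved).
    client = socket.create_connection(proxy_listen.getsockname())
    replies = []
    for m in messages:
        client.sendall(m)
        replies.append(client.recv(4096))  # wait for each reply so log order is deterministic
    client.close()
    proxy_thread.join()
    proxy_listen.close()
    return log, replies


if __name__ == "__main__":
    entries, _ = demo()
    print(format_log(entries))
```

The log interleaves client requests and server responses in the order they crossed the bridge, which is the property the message contrasts with tcpflow's separated, unstamped per-direction files. The trade-off is also visible: the relay only records what a client explicitly sends to its listening port, so a connection made directly to the server leaves no trace here.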