TTMap is a tool that analyzes the TCP Timestamps option in captured IP packets. It operates purely passively (it only listens, never sends), which makes it easy to use for monitoring and analysis.
After initialization, ttmap starts analyzing packets received on the selected network interface using the libpcap library. The ttmap_callback() function receives each captured packet and checks whether it is a TCP segment carrying the TCP Timestamps option. If so, the essential fields are read from the packet and passed to the process_packet() function.
For packets with the RST or FIN flag set, a separate routine removes any state kept for the closed connection. The process_packet() function matches each packet to a TCP connection and, once enough packets have been collected for that connection, hands control to the identify_connection() function.
Using linear regression from the GNU Scientific Library, ttmap estimates the proportionality factor (the remote clock's jiffy, i.e. the duration of one timestamp tick) and the system start-up time from the timestamp samples received from a single remote machine. If the fit is good enough, the program queries an internal database of already identified machines for a potential match. If a match is found, the machine's a and b parameters are refined by averaging the stored and the newly estimated values. If there is no match, a new remote machine has been detected.
To ensure the quality of the result, only the points lying close to the best-fit line are accepted as meaningful. The program checks that the covariance ratio is small enough, and users can configure the acceptable "delta" for the a and b parameters used when querying the internal database for matching machines.
When a new remote machine is detected, an informational message is printed to standard output. It contains the machine's a parameter, with a corresponding remote operating system guess, and its b parameter, with the probable time the remote machine was turned on (in the local timezone). Overall, ttmap is a useful tool for telling apart and identifying the individual machines behind a single IP address (for example behind a NAT gateway), since each host carries its own timestamp clock and boot time.
Version 0.1: N/A