Monday, March 12, 2012

Identifying computers behind NAT with plotpcap

Following on from my last post, Identifying computers behind NAT with pyflag, I've made a stand-alone script, plotpcap, that can produce similar graphs without needing to install pyflag.

The results aren't as pretty and you miss out on some of pyflag's analytical tools (such as filtering streams by user agent). On the other hand, you gain the ability to filter your output with tcpdump-style filter strings, and with a little pcap preprocessing in tshark you can perform almost all the same comparisons.

plotpcap requires the Python modules dpkt, pcap (from pypcap) and matplotlib. I used the versions available from the Ubuntu 10.04 repository, but other versions are probably fine too.

Here's some output generated from the same example data as the last post:

Figure: IPID versus Packet Number (note that without stream highlighting it gets a bit hard to read)

Figure: IPID versus Packet Number after excluding packets with TCP timestamp options (ipid2)

Figure: TCP Timestamps versus Packet Number
If you want to do some of the tricks from the last post, you can apply Wireshark display filters to the pcap with tshark and then run the result through plotpcap. For example:

tshark -r test.pcap -w test_chrome.pcap -R "http.user_agent contains Chrome"
python plotpcap.py test_chrome.pcap number ipid

Produces something like:
Figure: IPID versus Packet Number after matching the Wireshark display filter "http.user_agent contains Chrome"
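As an added example (not plotpcap's own code), here is a pure-Python sketch of the two things plotpcap does with each packet, pulling the IP ID and the TCP timestamp value out of a classic pcap, plus a simple grouping heuristic that splits interleaved IP ID counters into separate hosts, which is what the plots above let you do by eye. The capture it reads is constructed inside the block; the max_step threshold and the grouping rule are assumptions for illustration, and the parser only handles classic pcap (not pcapng) with Ethernet framing.

```python
import struct

def build_frame(ip_id, tsval=None):
    # Constructed Ethernet/IPv4/TCP frame, 10.0.0.1 -> 192.0.2.1:80 (sample data, not a real capture)
    opts = b"" if tsval is None else b"\x01\x01\x08\x0a" + struct.pack("!II", tsval, 0)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (5 + len(opts) // 4) << 4, 0x10, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0, b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01")
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    # Classic little-endian pcap: 24-byte file header (linktype 1 = Ethernet) then a 16-byte record header per frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def tcp_timestamp(opts):
    # Return the TSval of the TCP timestamp option (kind 8, length 10) or None; NOP (kind 1) has no length byte
    i = 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 8 and opts[i + 1] == 10:
            return struct.unpack_from("!I", opts, i + 2)[0]
        i += 1 if opts[i] == 1 else opts[i + 1]
    return None

def parse_pcap(data):
    # Yield (packet_number, ip_id, tsval) for every IPv4/TCP packet; non-TCP packets still advance the number
    endian = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off, number = 24, 0
    while off + 16 <= len(data):
        caplen = struct.unpack_from(endian + "IIII", data, off)[2]
        frame, off, number = data[off + 16:off + 16 + caplen], off + 16 + caplen, number + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4 over Ethernet, or IP protocol is not TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        yield number, struct.unpack_from("!H", ip, 4)[0], tcp_timestamp(tcp[20:(tcp[12] >> 4) * 4])

def group_by_ipid(records, max_step=64):
    # Label each packet with an inferred host: a small forward step continues a known counter, anything else is new
    counters, labels = [], []
    for _, ip_id, _ in records:
        steps = [((ip_id - last) & 0xFFFF, h) for h, last in enumerate(counters)]
        steps = [s for s in steps if 0 < s[0] <= max_step]
        host = min(steps)[1] if steps else len(counters)
        counters[host:host + 1] = [ip_id]     # update that host's last IP ID, or append a new host
        labels.append(host)
    return labels

# Constructed capture: two interleaved IP ID counters (two hosts) plus one segment carrying a TCP timestamp
SAMPLE = build_pcap([build_frame(1000), build_frame(30000), build_frame(1001), build_frame(30002),
                     build_frame(1002), build_frame(30004), build_frame(5, tsval=123456)])
```

Dropping the records whose tsval is not None reproduces the "ipid2" view from the second figure, and feeding packet number against ip_id or tsval to matplotlib gives the same kind of scatter plot plotpcap draws.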