From owner-freebsd-net@FreeBSD.ORG Fri Aug 29 10:53:36 2008
Date: Fri, 29 Aug 2008 11:52:28 +0100
From: Rui Paulo
To: freebsd-net@freebsd.org
Subject: TCP Anomaly Detector project
Message-ID: <20080829105228.GD1468@alpha.local>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Now that tcpad (TCP Anomaly Detector) is, at least, barely usable, I decided to talk about it.

First of all, the wiki page http://wiki.freebsd.org/RuiPaulo/TCPAnomaly talks all about the rationale behind it and how it works. For your convenience, I'll post it here too:

"tcpad listens for TCP packets on the wire and builds a virtual TCP stack for each TCP endpoint. This means that, for example, if you run tcpad on a gateway, tcpad will monitor every connection between the hosts behind the gateway, the hosts reachable by the gateway (usually the Internet) and the connections to/from the gateway itself. After the initial packets, tcpad has built a virtual TCP stack for each endpoint. [...] Along with this virtual TCP stack, tcpad monitors for abnormalities within the transmitted packets. For further inspection, tcpad keeps every TCP packet in memory and then dumps it into a pcap file. If you suspect a bug in a TCP stack or tcpad itself, you can boot tcpdump(1) or wireshark(1) and see the packet stream for yourself."

Now, a warning about it: tcpad is still in pre-beta phase, so if you want to try it out, please be aware that it may crash, may hurt a butterfly or just make your life miserable. In other words, no warranty ;-)

If you have great interest in TCP, this is the project you've been looking for to help. ;-) I'm pretty sure that I need a couple more hands to make this project rock solid in the short term, so your help is very appreciated. On the wiki page you should find all the information to get you working with tcpad. If you need more help, you can contact me.

Thanks for reading.

--
Rui Paulo
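The design described in the quoted wiki text (a passive per-endpoint TCP state machine, anomaly flagging, and a pcap dump of everything seen) can be illustrated with a small standalone sketch. The following is an added example written for this page and is not tcpad's code; the segments it replays are constructed inline, the anomaly checks (illegal SYN+FIN combination, an ACK for data the peer never sent, a segment on a connection with no observed handshake) are a hypothetical minimal set, and checksums are omitted since the sample packets never hit a real wire.

```python
"""Passive per-endpoint TCP tracker with anomaly flagging and a pcap dump.
Added illustration of the tcpad design; not tcpad's own code."""
import io
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (sample data; checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_segment(pkt):
    """Return (src, dst, sport, dport, seq, ack, flags, payload_len) from raw IPv4 bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4          # data offset lives in the top 4 bits
    return src, dst, sport, dport, seq, ack, off_flags & 0x1FF, total - ihl - doff


def seq_after(a, b):
    """True if 32-bit sequence number a is strictly ahead of b, wraparound-aware."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


class Endpoint:
    """The 'virtual TCP stack' kept for one (ip, port) side of one connection."""
    def __init__(self):
        self.state = "CLOSED"
        self.snd_nxt = None               # next sequence number this side is expected to send


class Tracker:
    def __init__(self):
        self.endpoints = {}               # (connection, ip, port) -> Endpoint
        self.anomalies = []               # (packet number, description)
        self.captured = []                # every segment seen, for the pcap dump

    def _ep(self, conn, ip, port):
        return self.endpoints.setdefault((conn, ip, port), Endpoint())

    def feed(self, pkt):
        self.captured.append(pkt)
        n = len(self.captured)
        src, dst, sport, dport, seq, ack, flags, plen = parse_segment(pkt)
        conn = frozenset([(src, sport), (dst, dport)])
        sender, receiver = self._ep(conn, src, sport), self._ep(conn, dst, dport)

        if flags & TH_SYN and flags & TH_FIN:
            self.anomalies.append((n, "SYN and FIN set together"))
        if flags & TH_ACK and receiver.snd_nxt is not None and seq_after(ack, receiver.snd_nxt):
            self.anomalies.append((n, "ACK for data the peer never sent"))

        if flags & TH_SYN:                # SYN consumes one sequence number
            sender.snd_nxt = (seq + 1) & 0xFFFFFFFF
            sender.state = "SYN_RCVD" if flags & TH_ACK else "SYN_SENT"
        elif flags & TH_RST:
            sender.state = receiver.state = "CLOSED"
        elif flags & TH_ACK:
            if sender.state == "CLOSED" and receiver.state == "CLOSED":
                self.anomalies.append((n, "segment on connection with no observed handshake"))
            elif ack == receiver.snd_nxt:  # third handshake step completes both sides
                if sender.state == "SYN_SENT":
                    sender.state = "ESTABLISHED"
                if receiver.state == "SYN_RCVD":
                    receiver.state = "ESTABLISHED"
            sender.snd_nxt = (seq + plen + (1 if flags & TH_FIN else 0)) & 0xFFFFFFFF


def to_pcap(packets):
    """Serialize captured packets as a classic pcap file (LINKTYPE_RAW = 101, bare IPv4)."""
    buf = io.BytesIO()
    buf.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
    for i, pkt in enumerate(packets):
        buf.write(struct.pack("<IIII", 1_220_000_000 + i, 0, len(pkt), len(pkt)))  # constructed timestamps
        buf.write(pkt)
    return buf.getvalue()


def run_demo():
    """Replay a constructed handshake, one data exchange, and three bogus segments."""
    c, s = "10.0.0.2", "198.51.100.7"   # constructed sample addresses
    t = Tracker()
    t.feed(build_segment(c, s, 40000, 80, 100, 0, TH_SYN))
    t.feed(build_segment(s, c, 80, 40000, 300, 101, TH_SYN | TH_ACK))
    t.feed(build_segment(c, s, 40000, 80, 101, 301, TH_ACK))
    t.feed(build_segment(c, s, 40000, 80, 101, 301, TH_PSH | TH_ACK, b"GET /"))
    t.feed(build_segment(s, c, 80, 40000, 301, 106, TH_ACK))
    t.feed(build_segment(s, c, 80, 40000, 301, 500, TH_ACK))            # acks bytes never sent
    t.feed(build_segment(c, s, 40001, 80, 7, 0, TH_SYN | TH_FIN))         # illegal flag pair
    t.feed(build_segment("10.0.0.9", s, 5555, 22, 9, 9, TH_ACK))        # no handshake seen
    return t.anomalies, to_pcap(t.captured)


if __name__ == "__main__":
    found, pcap = run_demo()
    for num, why in found:
        print(f"packet {num}: {why}")
    with open("tcpad-demo.pcap", "wb") as fh:  # open with tcpdump -r or wireshark
        fh.write(pcap)
```

Each endpoint's state and expected next sequence number are kept per connection, so the tracker can judge a segment against what its peer has actually transmitted rather than against the segment alone; the anomaly list and the pcap file point a reviewer at the same packet numbers, which is the workflow the wiki text describes.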