TCP Reassembly

For each dataset, composed of one or more PCAP files, CapAnalysis collects information about each UDP and TCP stream or flow of packets. For TCP flows it can identify the number of bytes lost in each direction, as well as the total bytes exchanged with retransmitted packets removed from the count. This last feature is possible because CapAnalysis reassembles the TCP streams in order to perform its analysis.
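The accounting described above can be sketched from sequence numbers alone. This is an added example, not CapAnalysis code: the function name and the sample segments are constructed for illustration, and it assumes one direction of a flow carrying less than 4 GiB, with the initial sequence number known from the SYN.

```python
MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def account_direction(isn, segments):
    """Return (unique, retransmitted, missing) payload bytes for one direction.

    isn      -- initial sequence number from this direction's SYN
    segments -- iterable of (seq, payload_len) in capture order
    """
    intervals = []
    total = 0
    for seq, length in segments:
        if length == 0:
            continue  # pure ACKs carry no stream bytes
        # Offset relative to the first data byte (isn + 1); the modulo
        # keeps the arithmetic correct when the sequence number wraps.
        start = (seq - isn - 1) % MOD
        intervals.append((start, start + length))
        total += length

    # Walk the intervals in stream order. Coverage that advances the
    # reassembled stream is unique data; a start beyond the covered point
    # is a hole that no later (sorted) segment can fill.
    intervals.sort()
    unique = missing = covered_to = 0
    for start, end in intervals:
        if start > covered_to:
            missing += start - covered_to
            covered_to = start
        if end > covered_to:
            unique += end - covered_to
            covered_to = end
    # Every payload byte that did not advance the stream was sent again.
    return unique, total - unique, missing


# Constructed sample: ISN close to the wrap point, one full retransmission,
# one 100-byte hole, one partially overlapping segment, one pure ACK.
SAMPLE_ISN = MOD - 256
SAMPLE_SEGMENTS = [
    (MOD - 255, 100),  # stream offsets 0..100
    (MOD - 155, 100),  # offsets 100..200
    (MOD - 155, 100),  # retransmission of 100..200
    (45, 100),         # offsets 300..400 (200..300 never captured)
    (95, 100),         # offsets 350..450, overlaps the previous by 50
    (195, 0),          # pure ACK, ignored
]

if __name__ == "__main__":
    print(account_direction(SAMPLE_ISN, SAMPLE_SEGMENTS))
```

Bytes lost after the last captured segment cannot be detected this way, since a hole is only visible when later data arrives beyond it.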

A good example of this feature is the analysis, with CapAnalysis, of the PCAP file hptcp.pcap. The PCAP comes from the “Capture the hacker 2013 competition” (by Dr. David Day of Sheffield Hallam University), http://www.snaketrap.co.uk/. The PCAP contains many flows; by filtering the flows by protocol (ssh) and sorting them by “bytes missing”, we obtain the data in the image below.

[Image: missing_bytes_from_pcap]

You can try this functionality by downloading CapAnalysis for free.