pacapana — a tool suite to analyse protocol streams

About

Pacapana is a tool suite to analyse protocol streams and prepare flow characteristics. Understanding protocol interaction caused by explicitly exchanged information (e.g. TCP options), or detecting inconspicuous protocol properties based on stream causalities, is one potential use case of pacapana.

On the other hand, the tool suite can be used to gather information about network infrastructures and detect potential bottlenecks (think of superfluous timeouts et cetera). Pacapana parses PCAP data files (saved in the well-known data format for capturing network traffic), runs the selected routines and leaves it up to you to interpret the results. Real-time analysis isn't supported because it isn't the main use case of pacapana; it's an offline tool.

Provided Functionality

Core Functionality:

Supported Protocols:

  • DCCP
  • UDPLite
  • UDP
  • TCP
  • SCTP
  • TIPC
  • ARP
  • RARP
  • ETHERNET
  • IPv4

Download

Subversion

svn co http://pacapana.svn.sourceforge.net/svnroot/pacapana
					

Git

SF_NAME=your-sourceforge-name

# svn co
git svn clone https://$SF_NAME@pacapana.svn.sourceforge.net/svnroot/pacapana
[...]

# svn up
git svn rebase

# svn commit
git svn dcommit
				

Installation

./waf configure --prefix=/usr
./waf build
su -c './waf install'
				

Handy PCAP Filter Expressions

# filter only packets coming from web (port 80)
tcp src port 80

# filter for packets coming from host 192.168.0.1
src host 192.168.0.1

# filter packets received from and sent to 192.168.0.1
host 192.168.0.1

# filter only SYN packets (SYN set, no other TCP flag set)
tcp[13] = 2

# filter for SYN or SYN/ACK (any packet with the SYN flag set)
tcp[13] & 2 = 2

# filter ARP packets
arp
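
The difference between the two SYN filters above, as an added example (not part of pacapana): it reads a constructed in-memory PCAP file and evaluates both expressions against byte 13 of each TCP header. The helper names and the sample packets, including an ECN-setup SYN with flags 0xC2, are assumptions made for illustration.

```python
import struct

def build_pcap(flag_bytes):
    """Constructed sample capture: one Ethernet/IPv4/TCP packet per flags value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, flags in enumerate(flag_bytes):
        eth = bytes(12) + b"\x08\x00"                   # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, i, 0, 64, 6, 0,
                         bytes([192, 168, 0, 1]), bytes([192, 168, 0, 2]))
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 0, 0, 0x50, flags, 1024, 0, 0)
        pkt = eth + ip + tcp
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def tcp_flag_bytes(pcap):
    """Yield tcp[13] for every IPv4/TCP packet in a little-endian classic pcap."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24                                            # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                    # not IPv4 carrying TCP
        ihl = (pkt[14] & 0x0F) * 4                      # IP header length varies with options
        if len(pkt) < 14 + ihl + 14:
            continue                                    # truncated before the flags byte
        yield pkt[14 + ihl + 13]                        # byte 13 of the TCP header

def count_matches(pcap):
    flags = list(tcp_flag_bytes(pcap))
    only_syn = sum(1 for f in flags if f == 2)          # tcp[13] = 2
    syn_set = sum(1 for f in flags if f & 2 == 2)       # tcp[13] & 2 = 2
    return only_syn, syn_set

# Constructed flags: SYN, SYN/ACK, ACK, FIN/ACK, ECN-setup SYN (SYN+ECE+CWR)
SAMPLE = build_pcap([0x02, 0x12, 0x10, 0x11, 0xC2])

if __name__ == "__main__":
    print(count_matches(SAMPLE))
```

The exact-match filter skips the ECN-setup SYN because ECE and CWR are set alongside SYN, so connection-attempt counts taken with `tcp[13] = 2` can come out too low on ECN-enabled hosts.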
				
Here are two worthwhile resources with useful examples:

Examples - Use Cases

Use Case 1 - Throughput Analysis

Contact

Feel free to drop me a line:

Hagen Paul Pfeifer     hagen©jauu.net (replace © with @)