tattoo: traffic analysis toolkit

what is tattoo?

While there are a large number of monitoring tools that capture and decode known TCP/IP and application layer protocols, there are very few tools for analyzing unknown and under-documented protocols or building abstract representations of their traffic. It is difficult to analyze command-and-control communication between bots and zombies, open protocols that may not be supported by sniffers such as Wireshark, or protocols that are tunneled inside existing protocols and cannot be properly decoded. Not only is the ability to analyze such protocols a requirement for doing network forensics, quickly characterising a "new" protocol is also useful for security testing. While there are quite a few tools out there for analyzing system binaries, I haven't found much for analyzing network traffic that doesn't fit into the garden-variety sniffer/analyzer category.

To address these issues, tattoo will provide a set of command-line scripts for analyzing tcpdump files to identify format (headers and payload), function (how the protocol works), and communication model (1-n, 1-1, n-n, etc.). For more details on how and what I'm trying to do, see some random thoughts on traffic analysis.

Tattoo scripts will most likely be implemented in Ruby, since it provides the same high-level data structures (hashes, lists, etc.) and operators as Perl or Python, but has a much better interface to libpcap for conducting packet analysis. Python is a second option, but I'm looking for an excuse to learn/use Ruby. However, if folks want to contribute Perl, Python, or even C code, that is fine, too.
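Two of the three analyses described above (format hints and communication model) over a tcpdump file, as an added example in Ruby to match the language choice above. This is illustrative code written for this page, not tattoo's own scripts or libraries, and it deliberately uses no pcap library: the classic libpcap file format is small enough to read with String#unpack, so the script runs with a stock Ruby and no gems. Assumptions: classic pcap (not pcapng), Ethernet link type, IPv4, and UDP or TCP; the capture it analyses by default is constructed inside the script (a made-up controller/peer exchange with a CA FE magic + length header), and the record layout, function names and the 1-1/1-n/n-n rule are this example's, not a tattoo convention.

```ruby
# Added example, not tattoo project code.  Dependency-free libpcap reader plus
# two of the analyses the page describes.  Assumes classic pcap (not pcapng),
# Ethernet, IPv4 and UDP/TCP; run with a tcpdump file as argv[0], or with no
# argument to analyse the constructed sample capture below.
require 'set'

Packet = Struct.new(:src, :sport, :dst, :dport, :proto, :payload)

# One Ethernet/IPv4/UDP frame for the sample capture; checksums left as zero.
def build_frame(src, sport, dst, dport, payload)
  udp = [sport, dport, 8 + payload.bytesize, 0].pack('nnnn') + payload
  ip  = [0x45, 0, 20 + udp.bytesize, 0, 0, 64, 17, 0].pack('CCnnnCCn') +
        (src.split('.') + dst.split('.')).map(&:to_i).pack('C8')
  ("\x00" * 12).b + [0x0800].pack('n') + ip + udp
end

# Little-endian pcap: 24-byte global header, then 16-byte record headers.
def build_pcap(records)
  out = [0xa1b2c3d4, 2, 4, 0, 0, 65535, 1].pack('VvvVVVV')
  records.each do |src, sport, dst, dport, payload|
    frame = build_frame(src, sport, dst, dport, payload)
    out << [0, 0, frame.bytesize, frame.bytesize].pack('VVVV') << frame
  end
  out
end

# Constructed C&C-style sample (not real traffic): one controller, three
# peers, and a 4-byte header (magic CA FE + big-endian length) on every message.
SAMPLE = [
  ['10.0.0.1',  4444, '10.0.0.11', 5555, "\xCA\xFE\x00\x04PING".b],
  ['10.0.0.11', 5555, '10.0.0.1',  4444, "\xCA\xFE\x00\x04PONG".b],
  ['10.0.0.1',  4444, '10.0.0.12', 5555, "\xCA\xFE\x00\x07EXEC ls".b],
  ['10.0.0.12', 5555, '10.0.0.1',  4444, "\xCA\xFE\x00\x02OK".b],
  ['10.0.0.1',  4444, '10.0.0.13', 5555, "\xCA\xFE\x00\x04PING".b],
].freeze

# Ethernet -> IPv4 -> UDP/TCP; returns nil for anything else.
def parse_frame(frame)
  return nil if frame.bytesize < 34 || frame.byteslice(12, 2).unpack1('n') != 0x0800
  ip    = frame.byteslice(14..-1)
  ihl   = (ip.getbyte(0) & 0x0f) * 4
  total = ip.byteslice(2, 2).unpack1('n')
  src, dst = ip.byteslice(12, 8).unpack('C4C4').each_slice(4).map { |o| o.join('.') }
  l4    = ip.byteslice(ihl, total - ihl)
  hdr   = case ip.getbyte(9)
          when 17 then 8                          # UDP: fixed 8-byte header
          when 6  then (l4.getbyte(12) >> 4) * 4  # TCP: data offset field
          else return nil
          end
  sport, dport = l4.unpack('nn')
  Packet.new(src, sport, dst, dport, ip.getbyte(9), l4.byteslice(hdr..-1))
end

def read_pcap(data)
  u32 = case data.byteslice(0, 4).unpack1('V')
        when 0xa1b2c3d4 then 'V'   # little-endian writer
        when 0xd4c3b2a1 then 'N'   # big-endian writer
        else raise 'not a libpcap file'
        end
  raise 'only Ethernet (DLT 1) handled' unless data.byteslice(20, 4).unpack1(u32) == 1
  pkts, off = [], 24
  while off + 16 <= data.bytesize
    caplen = data.byteslice(off + 8, 4).unpack1(u32)
    pkt = parse_frame(data.byteslice(off + 16, caplen))
    pkts << pkt if pkt
    off += 16 + caplen
  end
  pkts
end

# Communication model from the endpoint graph: no host with >1 peer is 1-1,
# exactly one such host is 1-n (returned as the hub), more than one is n-n.
def communication_model(pkts)
  peers = Hash.new { |h, k| h[k] = Set.new }
  pkts.each { |p| peers[p.src] << p.dst; peers[p.dst] << p.src }
  hubs = peers.select { |_, s| s.size > 1 }.keys
  case hubs.size
  when 0 then ['1-1', nil]
  when 1 then ['1-n', hubs.first]
  else        ['n-n', nil]
  end
end

# Format hint: offsets whose byte is identical in every payload are candidate
# fixed header fields.  Caveat: in a small capture the high byte of a length
# or sequence field looks fixed too (offset 2 in the sample).
def fixed_offsets(payloads)
  min = payloads.map(&:bytesize).min
  (0...min).select { |i| payloads.map { |pl| pl.getbyte(i) }.uniq.size == 1 }
end

if $PROGRAM_NAME == __FILE__
  pkts = read_pcap(ARGV[0] ? File.binread(ARGV[0]) : build_pcap(SAMPLE))
  model, hub = communication_model(pkts)
  puts "#{pkts.size} IPv4 packets, model #{model}#{hub ? " (hub #{hub})" : ''}"
  puts "constant payload offsets: #{fixed_offsets(pkts.map(&:payload)).inspect}"
end
```

With no argument the script reports the constructed capture as a 1-n model with 10.0.0.1 as the hub and offsets 0, 1, 2 as constant; pass a `tcpdump -w` file as the first argument to run it on real traffic. The "function" dimension (request/response behaviour, state) is not attempted here. Two caveats worth keeping in mind when reading the output: the fixed-offset list only says "constant in this capture", so a length field's high byte or a rarely changing flag will show up as a header byte until the sample is large enough, and the endpoint graph is built from IP addresses alone, so a NAT gateway or proxy in front of many clients will make n-n traffic look like 1-n.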

current tools

tools with (*) are included in the tattoo tarball [to downloads]

getting involved

Although I'm starting to write some code, Tattoo is still very much in the brainstorming/requirements gathering stage. Join the mailing list and drop me a note to get involved.

We're especially looking for folks with this sort of background. (Just kidding!)

development process

Initially the goal will be to hack together a number of relatively simple standalone proof-of-concept scripts, and then develop a set of libraries containing general-purpose functions useful for building a more complex set of tools, possibly ones that use a MySQL backend, produce data plots (gnuplot?), or maybe even some sort of GUI/web frontend (God forbid).

project links

other useful links
