While there are a large number of monitoring tools that capture and decode known TCP/IP and application layer protocols, there are very few tools for analyzing unknown and underdocumented protocols or building abstract representations of their traffic. It is difficult to analyze command-and-control communication between bots and zombies, open protocols that may not be supported by sniffers such as Wireshark, or protocols that are tunneled inside existing protocols and cannot be properly decoded. Not only is the ability to analyze such protocols a requirement for doing network forensics, quickly characterising a "new" protocol is also useful for security testing. While there are quite a few tools out there for analyzing system binaries, I haven't found much for analyzing network traffic that don't fit into the garden-variety sniffer/analyzer category.
To address these issues, tattoo will provide a set of command-line scripts for analyzing tcpdump files to identify format (headers and payload), function (how the protocol works), and communication model (1-n, 1-1, n-n, etc.) For more details on how and what I'm trying to do see some random thoughts on traffic analysis.
Tattoo scripts will most likely be implemented in Ruby, since it provides most of the high level data structures (hashes, lists, etc.) and operators and operators as Perl or Python, but has a much better interface to libpcap for conducting packet analysis. Python is a second option, but I'm looking for an excuse to learn/use Ruby. However, if folks want to contribute perl, python, or even C-code that is fine, too.
tools with (*) are included in the tattoo tarball [to downloads]
Although I'm starting to write some code, Tattoo is still very much in the brainstorming/requirements gathering stage. Join the mailing list and drop me a note to get involved.
We're especially looking for folks with this sort of background. (Just kidding!)
Initially the goal will be hack together a number of relatively simple standalone proof of concept scripts and then develop a set of libaries that contain general purpose functions that are useful for building a more complex set of tools, possibly that use a mysql backend, produce dataplots (gnuplot?) or maybe even some sort of gui/web frontend (God forbid)