Hack of the Whenever I Get Around to It

January 2, 2008

rtrafmon – Remote Traffic Monitoring without remote software

Filed under: Uncategorized — Chris Merck @ 7:05 am

A New Year’s gift: monitor the upload traffic of any Windows machine remotely, without ever touching the remote machine.

rtrafmon may be downloaded here

Here is a screen capture of typical usage (showing VNC traffic to another machine):

Just so it is totally clear what is going on here, let me explain: There are three different machines, A, B, and X. B connects to A over VNC. X then runs rtrafmon with A as its target. X sees the plot above, showing A's outgoing packet rate, which here is the VNC traffic from A to B.

From the README file:

WARNING: this tool is in an alpha stage and so may crash, lag your machine, lag your network, or piss off network administrators. Use it at your own risk.

What is rtrafmon?

rtrafmon is a tool for monitoring a remote host’s network traffic without any software on the remote end. The tool displays packets per second and latency of the remote host on a scrolling plot. The packet rate is a green or red bar graph and the latency is shown with a white line graph superimposed on the packet rate graph.

What is required on the remote side?

The remote host must be reachable on some TCP port (open or closed: an open port answers a SYN with a SYN-ACK, a closed port answers with a RST, and either reply carries an IPID; a port whose packets a firewall silently drops gives nothing), and its TCP/IP stack must use incremental IPIDs (this is true of Windows systems, but not of most UNIX varieties).
Put simply, an unfirewalled (or partially-unfirewalled) Windows machine.

How does rtrafmon work?

This tool works by sending unsolicited TCP packets to a remote host and gathering information from the responding packets. The packets sent to the remote host have their SYN flag set, indicating that we intend to establish a connection on the specified port. If the port is open, the host *must* respond with a SYN-ACK packet; if it is closed but not firewalled, it responds with a RST. All required information is gathered from the IP identification (IPID) field of these replies and from their measured round-trip time. Since the IPID field is incremented once for every outgoing packet, the difference between the IPIDs of two consecutive replies (taken modulo 65536, because the field is only 16 bits wide and wraps around) tells us how many packets the remote host sent in between our SYN probes. That count includes the reply packet itself, which is subtracted to leave only the host's own traffic.
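The IPID arithmetic described above, as an added Python example written for this page (it is not rtrafmon's own C code, which does the same job on hping3's output, and the script name ipid_traffic.py is assumed): it parses the reply lines hping3 prints, takes the difference between consecutive IPIDs modulo 2^16, subtracts the reply packet itself, copes with a missing reply, and also runs a small check of the incremental-IPID requirement from the previous section. The sample hping3 output is constructed; the reply line layout (id=, flags=, seq=, rtt=... ms) is the one hping3 prints, and the 64-packet-per-interval threshold in classify_ipid is an assumed tuning value.

```python
import re
import sys
from collections import namedtuple

# One reply line as hping3 prints it on stdout (the "DF" token is optional and
# spacing varies by version, so fields are matched by name rather than position):
#   len=46 ip=216.4.223.98 ttl=128 id=4100 sport=22 flags=SA seq=0 win=65535 rtt=12.4 ms
REPLY_RE = re.compile(
    r"ip=(?P<ip>\S+).*?\bid=(?P<id>\d+).*?flags=(?P<flags>[A-Z]+)"
    r".*?seq=(?P<seq>\d+).*?rtt=(?P<rtt>[\d.]+) ms"
)

Reply = namedtuple("Reply", "ip ipid flags seq rtt_ms")
Sample = namedtuple("Sample", "seq probes other_packets rtt_ms")

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def parse_reply(line):
    """Return a Reply for an hping3 reply line, or None for banner/statistics lines."""
    m = REPLY_RE.search(line)
    if m is None:
        return None
    return Reply(m.group("ip"), int(m.group("id")), m.group("flags"),
                 int(m.group("seq")), float(m.group("rtt")))


def ipid_delta(prev_ipid, cur_ipid):
    """Packets the remote host sent between two replies.

    The counter wraps at 65536, so 65530 -> 3 means 9 packets, not -65527.
    The reply carrying cur_ipid is itself one of those packets, so it is
    subtracted to leave only the traffic we did not cause.
    """
    return (cur_ipid - prev_ipid) % IPID_MODULUS - 1


def traffic_samples(lines):
    """Turn hping3 output into per-probe samples of remote packet count and latency.

    SYN-ACK (open port, flags=SA) and RST (closed port, flags=RA) replies both carry a
    usable IPID. `probes` records how many probe intervals the sample spans, which is
    more than 1 when an intermediate probe got no reply; divide by it for a rate.
    """
    samples = []
    prev = None
    for line in lines:
        r = parse_reply(line)
        if r is None or r.flags not in ("SA", "RA"):
            continue
        if prev is not None:
            samples.append(Sample(r.seq, r.seq - prev.seq,
                                  ipid_delta(prev.ipid, r.ipid), r.rtt_ms))
        prev = r
    return samples


def classify_ipid(ipids, max_quiet_step=64):
    """Check the incremental-IPID requirement from a short run of replies to a quiet host.

    'zero' (IPID never set) and 'random' stacks cannot be monitored this way.
    max_quiet_step is an assumed threshold: steps larger than this between
    consecutive 100 ms probes are taken as randomisation rather than real traffic.
    """
    if all(i == 0 for i in ipids):
        return "zero"
    steps = [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]
    if steps and all(1 <= s <= max_quiet_step for s in steps):
        return "incremental"
    return "random"


# Constructed hping3 output: a quiet period, a 28-packet burst, a wrap of the
# 16-bit counter, and a missing reply (seq 5) before the last line.
SAMPLE_OUTPUT = """\
HPING 216.4.223.98 (eth0 216.4.223.98): S set, 40 headers + 0 data bytes
len=46 ip=216.4.223.98 ttl=128 id=65500 sport=22 flags=SA seq=0 win=65535 rtt=12.4 ms
len=46 ip=216.4.223.98 ttl=128 id=65501 sport=22 flags=SA seq=1 win=65535 rtt=12.1 ms
len=46 ip=216.4.223.98 ttl=128 id=65530 sport=22 flags=SA seq=2 win=65535 rtt=13.0 ms
len=46 ip=216.4.223.98 ttl=128 id=3 sport=22 flags=SA seq=3 win=65535 rtt=12.7 ms
len=46 ip=216.4.223.98 ttl=128 id=4 sport=22 flags=SA seq=4 win=65535 rtt=12.9 ms
len=46 ip=216.4.223.98 ttl=128 id=30 sport=22 flags=SA seq=6 win=65535 rtt=12.6 ms
--- 216.4.223.98 hping statistic ---
7 packets transmitted, 6 packets received, 15% packet loss
"""


if __name__ == "__main__":
    # Usage: hping3 -i u100000 -S -p 22 216.4.223.98 | python3 ipid_traffic.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines()
    for s in traffic_samples(src):
        rate = s.other_packets / s.probes
        print(f"probe {s.seq:5d}  {rate:7.1f} pkts/interval  rtt {s.rtt_ms:.1f} ms")
```

Run without a pipe it replays the constructed sample, which shows the burst between probes 1 and 2, the counter wrap between probes 2 and 3, and the two-interval sample at probe 6. Note that a lost SYN-ACK was still sent by the remote host and is therefore still counted in the IPID difference, so only the replies we actually received are subtracted.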

Local requirements:

– Linux box with root access
– the hping3 network tool (try “apt-get install hping3” on Debian or Ubuntu)
– SDL development libraries (“apt-get install libSDL-dev”)
– a C compiler (“apt-get install build-essential”)

Building:

To build rtrafmon, just type “make” in this directory.

Using:

rtrafmon works by parsing the output of the hping tool, so typical usage is as follows (run as root):

hping3 -i u100000 -S -p 22 216.4.223.98 | ./rtrafmon

This means: send a SYN packet on port 22 to 216.4.223.98 every 100000 microseconds (10 times per second), and pipe the responses into rtrafmon. The resulting traffic analysis will be displayed in a window.

NOTE: the scroll rate (and thus the time resolution of the monitoring) can be increased by decreasing the probe interval (hping’s -i option). But beware: probing too fast has undesirable effects on both the local and the remote host. A high rate of SYN packets is a SYN flood, which can exhaust connection state on some TCP/IP stacks and result in a denial of service.

NAT

Multiple machines behind a single NAT box (each with its own private IP on the LAN) can be monitored, even simultaneously, as long as at least one port is forwarded through the firewall to each machine, so that a probe sent to the NAT’s public address on that port is answered by the inner machine and carries its IPID. hping can help you work out the firewall rules (ask Google for more).
