TPCAT README



Overview: 

The purpose of TPCAT is to take two packet captures from two different points in the network and check for dropped or injected packets. It's fast, easy to use and simple. Requires WinPcap. 


Using TPCAT:

To use TPCAT you simply pick a flow between two IP addresses and enter those addresses in the Source IP field and the Destination IP field. Once you have entered the IP addresses, load the two packet captures. Note: these packet captures *must* be in .pcap format. If you have a .cap file, open it in Wireshark and save it as Wireshark/Tcpdump. 


TPCAT will then analyze the two packet captures and display any dropped/forged packets. 


Here is an example of the default output:

Source File: C:\Documents and Settings\tle4729\Desktop\TPCAT\1.pcap
Destination File: C:\Documents and Settings\tle4729\Desktop\TPCAT\2.pcap
Analyzing traffic between 10.10.10.10 and 192.168.1.123



Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  20925 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  20929 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  20942 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  20950 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  20956 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  21004 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  26031 
Packet Dropped - Source: 10.10.10.10  Destination:  192.168.1.123  IPID:  26147 


Number of Packets in the Source Capture : 23
Number of Packets in the Destination Capture : 15

From the data above it looks like we dropped 8 packets; those 8 packets are listed above with their IPIDs. If you want more information on the missing packets, increase the verbosity.



Latency Monitoring:

If you want to check the network for possible latency issues, you can do that with TPCAT as well. Just check the Use Timestamps box and enter the same information as you normally would. TPCAT will then report the latency of every packet that was successfully seen on both sides of the capture.

One minor note: latency numbers will be artificially skewed if the clocks on the two capturing devices do not match. It is highly recommended to use NTP to minimize this. 

Here is the latency output for the same packet captures as above. 

Calculating latency between the two packet captures:

IPID: 0 Packet Type: 40 () Time Delta (Latency): 0.0479938983917 
IPID: 19529 Packet Type: 40 () Time Delta (Latency): 0.0480301380157 
IPID: 19530 Packet Type: 40 () Time Delta (Latency): 0.0480329990387 
IPID: 2035 Packet Type: 40 () Time Delta (Latency): 0.0479941368103 
IPID: 2036 Packet Type: 40 () Time Delta (Latency): 0.0479938983917 
IPID: 19531 Packet Type: 40 () Time Delta (Latency): 0.0480308532715 
IPID: 19532 Packet Type: 40 () Time Delta (Latency): 0.048045873642 
IPID: 2037 Packet Type: 40 () Time Delta (Latency): 0.0479850769043 
IPID: 2038 Packet Type: 40 () Time Delta (Latency): 0.0479860305786 
IPID: 19533 Packet Type: 40 () Time Delta (Latency): 0.0480301380157 
IPID: 19534 Packet Type: 40 () Time Delta (Latency): 0.0480308532715 
IPID: 19550 Packet Type: 40 () Time Delta (Latency): 0.0373919010162 
IPID: 2039 Packet Type: 40 () Time Delta (Latency): 0.0373318195343 
IPID: 2040 Packet Type: 40 () Time Delta (Latency): 0.0373358726501 
IPID: 19551 Packet Type: 40 () Time Delta (Latency): 0.0373771190643 

Average Latency Seen: 0.0373771190643 
Max Latency Seen: 0.048045873642 
Min Latency Seen: 0.0373318195343

Going by the info above, latency is not a problem here. 
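The two checks described above (dropped/forged packets matched by IPID, then per-packet latency with Average/Max/Min) as an added worked example; this is not TPCAT's own code. It works on constructed packet records of the form (timestamp, src, dst, ipid), i.e. the fields a pcap reader would hand back after decoding the IPv4 header, and the clock_offset parameter is an assumed knob for compensating un-synced sniffer clocks.

```python
# Added example, not TPCAT's own code: the dropped/forged/latency logic over constructed records.
from collections import defaultdict, deque

def flow_packets(packets, ip_a, ip_b):
    """Keep only packets exchanged between ip_a and ip_b, either direction."""
    pair = {ip_a, ip_b}
    return [p for p in packets if {p[1], p[2]} == pair]

def compare_captures(source, destination, ip_a, ip_b, clock_offset=0.0):
    """Match packets across the two captures by (src, dst, IPID).

    Returns dropped (source only), forged (destination only) and per-packet
    latency for packets seen on both sides. IPIDs repeat (IPID 0 is common),
    so each key holds a FIFO of destination timestamps and matches are
    consumed in arrival order rather than treated as a set. clock_offset
    (destination clock minus source clock, in seconds) is subtracted from
    each latency to compensate for un-synced sniffer clocks.
    """
    dst_seen = defaultdict(deque)
    for ts, src, dst, ipid in flow_packets(destination, ip_a, ip_b):
        dst_seen[(src, dst, ipid)].append(ts)
    dropped, latencies = [], []
    for ts, src, dst, ipid in flow_packets(source, ip_a, ip_b):
        key = (src, dst, ipid)
        if dst_seen[key]:
            latencies.append((ipid, dst_seen[key].popleft() - ts - clock_offset))
        else:
            dropped.append(key)
    # whatever is still queued was seen at the destination but never sent by the source
    forged = [key for key, queue in dst_seen.items() for _ in queue]
    return dropped, forged, latencies

def latency_summary(latencies):
    """Average/Max/Min over the matched packets, as TPCAT reports them."""
    values = [delta for _, delta in latencies]
    if not values:
        return None
    return {"avg": sum(values) / len(values), "max": max(values), "min": min(values)}

# Constructed sample records (timestamp, src, dst, ipid): one packet of the flow is
# lost in transit, one appears at the destination that the source never sent.
SOURCE_CAP = [(0.000, "10.10.10.10", "192.168.1.123", 20925),
              (0.010, "10.10.10.10", "192.168.1.123", 20926),
              (0.020, "192.168.1.123", "10.10.10.10", 0),
              (0.030, "192.168.1.123", "10.10.10.10", 0),
              (0.040, "10.10.10.10", "172.16.0.9", 555)]   # other flow, filtered out
DEST_CAP = [(0.058, "10.10.10.10", "192.168.1.123", 20926),
            (0.068, "192.168.1.123", "10.10.10.10", 0),
            (0.079, "192.168.1.123", "10.10.10.10", 0),
            (0.090, "10.10.10.10", "192.168.1.123", 31337)] # injected, not in source
```

Calling compare_captures(SOURCE_CAP, DEST_CAP, "10.10.10.10", "192.168.1.123") reports IPID 20925 as dropped, IPID 31337 as forged, and three matched packets whose latencies feed latency_summary.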

Change log:

############Known issues########################
#If you encounter the error below you will need to install WinPcap. It comes bundled with Wireshark, or you can download it manually.
#
"""
Traceback (most recent call last):
  File "TPCAT.pyw", line 12, in <module>
  File "zipextimporter.pyc", line 91, in load_module
ImportError: MemoryLoadLibrary failed loading pcapy.pyd
"""
#
###########################################

#######Change log##############
#06/06/2009- Version 2.2 Greatly improved the debug feature. Added a few minor features to improve things and added the ability to record how long tpcat takes. 
#06/07/2009- Version 2.1 Fixed the matt bug with the check boxes. Added the capture sync option and a couple of dummy checks
#06/06/2009- Version 2.0 Updated the core code of the analyzing engine. Speed improvements are huge when using files over a couple of meg
#11/24/2008 - Version 1.3 fixed several bugs found by my peers with the GUI. Also made the options more straightforward. Added different levels of verbosity. 
#                         Added latency Average/Min/Max
#11/24/2008 - Version 1.2 Added latency calculation and forged packet awareness. 
#11/23/2008 - Version 1.1 Fixed a few issues with reporting and false positives
#11/22/2008 - Version 1.0 Re-wrote the pcapdiff back end, or at least a large part of it. What was there just wasn't working for me. This way I have something from the ground up.
#11/20/2008 - Version 0.7 Fixed a bug with the timestamps. It was set to the wrong default causing false positives.
#11/20/2008 - Version 0.6 TPCAT is now working and can do base comparisons. All bugs resolved that I am aware of. I need to go back and add some additional features such as:
#                         ignore clock, verbosity, ignore checksums, etc. These features exist in pcapdiff; they might as well be here.
#11/15/2008 - Version 0.5 Fixed a few bugs with my modules, fixed the bug that caused the same file to be loaded as local and remote. Small typo = major problem
#11/10/2008 - Version 0.4 improvements to GUI made. Also fixed a bug with it crashing upon loading files
# 11/7/2008 - Version 0.3 Pcapdiff code has lots of issues, mostly with calling variables since we're not working out of a class. Fixed a majority of them.
# 11/6/2008 - Version 0.2 Pcapdiff code added and smashed. 
# 11/5/2008 - Version 0.1 Base GUI built. Starting to port over pcapdiff code
############################
