TCP Analyzer

TCP Congestion Analyzer plugin for Unsniff

The TCP Analyzer is a free plugin that adds advanced TCP stream analysis to Unsniff Network Analyzer. The plugin installs as a new context menu item on each TCP stream: right-click a TCP session to pull up the various TCP charts.


  • Overview: packets, retransmissions, out-of-order segments and duplicate ACKs in each direction
  • Sequence number chart, bandwidth, advertised window, data in flight
  • Congestion charts: RTT (round trip time) estimate, CWND and SSTHRESH estimates
  • Packet-wise analysis
  • Export to PDF or XPS, and print
  • Supports SACK

Working with SNMPv3 INFORMs in Unbrowse

Unbrowse SNMP has the ability to both receive and respond to SNMPv3 INFORM messages. Let's see what the issues are and how to make it work.

What's the big deal with INFORMs?

SNMP INFORMs are increasingly used by network devices to get confirmation that a notification was received. Without INFORMs, your device just fires off a TRAP (or NOTIFY) message and is blissfully unaware of whether the management station received it. With INFORMs, the device sends an INFORM message and expects a RESPONSE message back from the management station; if no RESPONSE arrives, it retries a few times before logging an error. SNMPv2 INFORMs are easy to set up and Unbrowse SNMP displays them out of the box, with no configuration necessary. SNMPv3 INFORMs need a small amount of setup to get working. Let's see how to set it up.


What happens if a device sends SNMPv3 INFORMs and nothing is configured

If the device is not using authPriv (that is, the PDU is not encrypted), tools like Unbrowse SNMP will simply show you the INFORM message (as in the screenshot below). They do not respond to it, however, because nothing is configured yet.

(Screenshot: Unbrowse Trap Console)

In the figure, the device sends an INFORM message to Unbrowse; Unbrowse dutifully shows the message but does not send a RESPONSE back. Typically, the device will retry the INFORM a few times before throwing in the towel.


Send emails on receiving SNMP Traps

This article explains how to send an email when SNMP traps are received by Unbrowse SNMP, using Unbrowse Scripting and the Ruby programming language.

Here's what we are going to do:

  1. Start the trap server and listen for traps (SNMP v1, v2 and v3 are supported, over IPv4 and IPv6, with all security models)
  2. Every 30 seconds, fetch the list of traps received and format them into an email message
  3. Send the email message to an address (cc is also supported)
  4. Remove the processed traps so the server's memory is freed up
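The four steps above, as an added example that is not the article's own script: the trap records are constructed stand-ins for what the Unbrowse scripting API hands back, and their field names, the SMTP host, the port and the addresses are assumptions rather than values from the page. The delivery step is injected as a callable so the batching and clean-up logic can be exercised without a mail server.

```ruby
# Added example (not Unbrowse's own script): batch received traps into one
# e-mail every 30 seconds. Trap field names, SMTP host and addresses are
# assumptions; the records below are constructed sample input.
require 'net/smtp'
require 'time'

SAMPLE_TRAPS = [
  { time: Time.utc(2010, 1, 1, 12, 0, 5), agent: '192.0.2.10', version: 'v2c',
    oid: '1.3.6.1.6.3.1.1.5.3', name: 'linkDown', varbinds: { 'ifIndex.3' => 3 } },
  { time: Time.utc(2010, 1, 1, 12, 0, 9), agent: '2001:db8::1', version: 'v3',
    oid: '1.3.6.1.6.3.1.1.5.4', name: 'linkUp', varbinds: { 'ifIndex.3' => 3 } }
]

# Plain-text report: one line per trap, varbinds indented beneath it.
def format_trap_report(traps)
  lines = ["#{traps.size} trap(s) received", '']
  traps.each do |t|
    lines << "#{t[:time].utc.iso8601} #{t[:agent]} SNMP#{t[:version]} #{t[:name]} (#{t[:oid]})"
    t[:varbinds].each { |oid, val| lines << "    #{oid} = #{val}" }
  end
  lines.join("\n")
end

# Complete message with headers; a Cc header is added only when cc is non-empty.
def build_email(traps, from:, to:, cc: [])
  headers = ["From: #{from}", "To: #{to}"]
  headers << "Cc: #{cc.join(', ')}" unless cc.empty?
  headers << "Subject: [SNMP] #{traps.size} trap(s) received"
  headers << "Date: #{Time.now.rfc2822}"
  headers << 'Content-Type: text/plain; charset=utf-8'
  (headers + ['', format_trap_report(traps)]).join("\r\n")
end

# Deliver over SMTP. The envelope recipient list must include the Cc
# addresses explicitly; the Cc header alone does not get them a copy.
def send_trap_email(traps, smtp_host:, from:, to:, cc: [], port: 25)
  Net::SMTP.start(smtp_host, port) do |smtp|
    smtp.send_message(build_email(traps, from: from, to: to, cc: cc), from, [to] + cc)
  end
end

# One tick of the 30-second loop: snapshot the pending list, deliver it, then
# clear the processed traps so the trap server's memory is released. `sender`
# is any callable taking the batch, so this runs without SMTP in tests.
def process_pending(pending, sender)
  batch = pending.dup
  return 0 if batch.empty?
  sender.call(batch)
  pending.clear
  batch.size
end

# Poll loop as it would run under Unbrowse. `fetch_traps` stands in for the
# scripting API call that returns the server's live trap list (assumption);
# clearing that list is what frees the memory in step 4.
def run_forever(fetch_traps, interval: 30, **smtp_opts)
  loop do
    process_pending(fetch_traps.call, ->(batch) { send_trap_email(batch, **smtp_opts) })
    sleep interval
  end
end
```

As written the delivery goes to port 25 in the clear; for anything beyond a lab, hand `Net::SMTP` a host that requires STARTTLS (`Net::SMTP.new(host, port).tap(&:enable_starttls)`) and authenticate, since the report carries device addresses and interface state.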


Export plain text pcap after SSL/TLS decryption

Welcome to the first article in the new Unsniff Network Analyzer Tips section.

In this article we look at a common problem many network analysts face when dealing with SSL/TLS decryption.

  • You got the server admin to enter the private key
  • You were able to decrypt the traffic you wanted
  • The server admin now leaves the room and takes the key with him

With Unsniff there are two options:

  • Simply save the result. The USNF file format stores the decrypted result, so you do not need the key anymore.
  • If you want to use Wireshark, you need a libpcap format file. Unsniff allows you to copy the plain text TCP streams and paste them as libpcap files. You can then fire up Wireshark to examine the plaintext pcap file.

Either way, the saved USNF file or the exported pcap now holds the plaintext, so protect it as carefully as you would the key itself.

Let us look at how you can export the plain text into libpcap format.
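What such an export actually contains, as an added example that is not Unsniff's own code: the decrypted payload is wrapped in synthetic Ethernet, IPv4 and TCP headers and written in libpcap format, so Wireshark dissects it as an ordinary cleartext TCP conversation. The addresses, ports, MACs and initial sequence numbers are assumptions, the HTTP exchange is constructed sample input, and a three-way handshake is emitted first so Wireshark's stream tracking sees a gap-free conversation.

```ruby
# Added example (not Unsniff code): write already-decrypted TCP payload into a
# libpcap file with synthetic Ethernet/IPv4/TCP headers. Addresses, ports,
# MACs and ISNs below are assumptions; the exchange is constructed input.

PCAP_MAGIC        = 0xa1b2c3d4
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08

# Constructed cleartext exchange, as it would look after TLS decryption.
CONSTRUCTED_STREAM = [
  [:client, "GET /secret HTTP/1.1\r\nHost: example.test\r\n\r\n"],
  [:server, "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"]
]

# Internet checksum (RFC 1071). Run over data that already carries a correct
# checksum it returns 0, which is how the headers are verified.
def ones_complement_sum(bytes)
  bytes = bytes.b
  bytes += "\x00".b if bytes.bytesize.odd?
  sum = bytes.unpack('n*').sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

def ipv4_addr(dotted)
  dotted.split('.').map(&:to_i).pack('C4')
end

# One Ethernet/IPv4/TCP frame with valid IP and TCP checksums.
# src and dst are [ip, port] pairs.
def build_frame(src, dst, seq, ack, flags, payload)
  src_ip, src_port = src
  dst_ip, dst_port = dst
  payload = payload.b
  tcp = [src_port, dst_port, seq & 0xffffffff, ack & 0xffffffff,
         5 << 4, flags, 65535, 0, 0].pack('nnNNCCnnn') + payload
  pseudo = ipv4_addr(src_ip) + ipv4_addr(dst_ip) + [0, 6, tcp.bytesize].pack('CCn')
  tcp[16, 2] = [ones_complement_sum(pseudo + tcp)].pack('n')
  ip = [0x45, 0, 20 + tcp.bytesize, 0, 0x4000, 64, 6, 0].pack('CCnnnCCn') +
       ipv4_addr(src_ip) + ipv4_addr(dst_ip)
  ip[10, 2] = [ones_complement_sum(ip)].pack('n')
  eth = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55].pack('C6') +  # dst MAC (assumed)
        [0x00, 0x66, 0x77, 0x88, 0x99, 0xaa].pack('C6') +  # src MAC (assumed)
        [0x0800].pack('n')
  eth + ip + tcp
end

# Synthetic handshake followed by the cleartext messages. Sequence numbers are
# tracked per direction so the ACKs line up and Follow TCP Stream works.
def stream_to_pcap(client, server, messages)
  ends = { client: client, server: server }
  seq  = { client: 1000, server: 5000 }   # arbitrary ISNs (assumption)
  usec = 0
  out  = [PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET].pack('VvvVVVV')
  emit = lambda do |from, flags, payload|
    to  = from == :client ? :server : :client
    ack = (flags & TCP_ACK).zero? ? 0 : seq[to]
    frame = build_frame(ends[from], ends[to], seq[from], ack, flags, payload)
    seq[from] += payload.bytesize + ((flags & TCP_SYN).zero? ? 0 : 1)
    usec += 1000
    out << [usec / 1_000_000, usec % 1_000_000, frame.bytesize, frame.bytesize].pack('VVVV') << frame
  end
  emit.call(:client, TCP_SYN, '')
  emit.call(:server, TCP_SYN | TCP_ACK, '')
  emit.call(:client, TCP_ACK, '')
  messages.each { |from, data| emit.call(from, TCP_PSH | TCP_ACK, data) }
  out
end

# Read the frames back out of a pcap byte string (global header is 24 bytes,
# each record header 16).
def pcap_frames(bytes)
  frames, off = [], 24
  while off < bytes.bytesize
    incl = bytes[off + 8, 4].unpack1('V')
    frames << bytes[off + 16, incl]
    off += 16 + incl
  end
  frames
end

def write_decrypted_pcap(path = 'decrypted.pcap')
  File.binwrite(path, stream_to_pcap(['10.0.0.2', 40000], ['10.0.0.1', 443], CONSTRUCTED_STREAM))
end
```

Call `write_decrypted_pcap` and open the file in Wireshark; because the synthetic server port is 443, Wireshark may still try its TLS dissector on the cleartext, so use "Decode As..." to select HTTP, or pick a non-TLS port when you build the file.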

Analyze Protocol Buffers

Protocol Buffers (protobuf) is a serialization scheme recently open sourced by Google. This article is a simple tutorial on how to analyze protobuf messages using Unsniff 1.8 Beta. You just have to drop the .proto files in a specific folder; Unsniff then creates a decoder on the fly from the information in the file.

We built support for protocol buffers as a project to test the dynamic decoder framework for Unsniff 2.0. It is now in a shape that might be of practical use to a lot of people.
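What a decoder generated from a .proto file has to do on the wire, as an added example that is not Unsniff's code: parse tag/wire-type keys and varints, slice length-delimited fields, and map field numbers to names and types from the schema. The schema hash stands in for what Unsniff derives from the .proto file, and the encoded message is constructed sample input; both are assumptions, not artefacts from the page.

```ruby
# Added example (not Unsniff code): minimal protobuf wire-format decoder driven
# by a hand-written schema hash (stand-in for a parsed .proto file). The schema
# and the encoded message are constructed; packed repeated fields are not handled.

# field number => [name, type] or [name, :message, nested_schema]
PHONE_SCHEMA  = { 1 => ['number', :string], 2 => ['type', :int32] }
PERSON_SCHEMA = {
  1 => ['name',   :string],
  2 => ['id',     :int32],
  3 => ['email',  :string],
  4 => ['phones', :message, PHONE_SCHEMA]
}

# Constructed encoding of: name "Alice", id 1234, email, one phone entry.
SAMPLE_PERSON = [%w[
  0a05416c696365
  10d209
  1a11616c696365406578616d706c652e636f6d
  220c0a083535352d313233341001
].join].pack('H*')

# Base-128 varint; refuses truncated input and varints longer than 10 bytes.
def read_varint(buf, pos)
  value, shift = 0, 0
  loop do
    raise 'truncated varint' if pos >= buf.bytesize
    b = buf.getbyte(pos)
    pos += 1
    value |= (b & 0x7f) << shift
    return [value, pos] if b < 0x80
    shift += 7
    raise 'varint longer than 10 bytes' if shift > 63
  end
end

def read_bytes(buf, pos, n)
  raise 'truncated field' if pos + n > buf.bytesize
  [buf[pos, n], pos + n]
end

# Returns { name => [values...] }; repeated fields simply accumulate, and
# fields missing from the schema are kept as unknown_<number>.
def decode_message(buf, schema)
  buf = buf.b
  pos = 0
  fields = {}
  while pos < buf.bytesize
    key, pos = read_varint(buf, pos)
    num, wire = key >> 3, key & 7
    raw, pos = case wire
               when 0 then read_varint(buf, pos)
               when 1 then read_bytes(buf, pos, 8)
               when 2
                 len, pos = read_varint(buf, pos)
                 read_bytes(buf, pos, len)
               when 5 then read_bytes(buf, pos, 4)
               else raise "unsupported wire type #{wire} in field #{num}"
               end
    name, type, nested = schema.fetch(num, ["unknown_#{num}", :raw])
    value = case type
            when :string          then raw.force_encoding('UTF-8')
            when :message         then decode_message(raw, nested)
            when :int32, :int64   then raw >= (1 << 63) ? raw - (1 << 64) : raw
            when :sint32, :sint64 then (raw >> 1) ^ -(raw & 1)   # zigzag
            when :bool            then raw != 0
            when :double          then raw.unpack1('E')
            when :float           then raw.unpack1('e')
            when :fixed64         then raw.unpack1('Q<')
            when :fixed32         then raw.unpack1('L<')
            else raw
            end
    (fields[name] ||= []) << value
  end
  fields
end
```

Every length read from the wire is checked against the buffer before slicing, which is the part a decoder fed from a packet capture must get right: a truncated or hostile message should produce an error, not a read past the end of the segment.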