tcpstatflow v1.0


	Usually, in every medium-sized company network, there is a firewall connecting the corporate LAN/WAN to the Internet with a set of rules that only allows specific traffic, such as HTTP, HTTPS, FTP or POP3 / SMTP.  A malicious internal user could take advantage of these open ports and use them to access other services (tunnelling other protocols through them).

	For example, he could set up an ssh server on the Internet listening on port 443 and configure the intranet ssh client to connect to that port. Such an arrangement makes it virtually impossible for any administrator to detect the real nature of the traffic.  The same applies if there is a proxy providing Internet access to the LAN: by using tools like proxytunnel, it is possible to establish a connection to a server on the Internet without being detected.
	
	tcpstatflow is a tool designed to fight these techniques by detecting traffic that is not HTTP / HTTPS / FTP / SMTP / POP3, with a reasonable margin of error.  It is based on the fact that these protocols present a huge asymmetry between the amount of data transmitted in one direction and the amount transmitted in the opposite direction (within a single TCP connection).

	As an example, consider HTTP requests: the browser sends a small packet with a GET command (and some extra overhead) and receives a web page, an image or a download in response.  The same asymmetry takes place in reverse with SMTP: your mail client sends your message, and a small acknowledgement is sent back from the server.  Asymmetry.  Keep that in mind.

	tcpstatflow listens to network traffic in promiscuous mode and analyses the incoming and outgoing packets of each TCP connection, generating alarms when certain (configurable) thresholds are exceeded.  These thresholds refer to parameters such as the number of inbound and outbound packets per connection, the number of inbound and outbound bytes per connection, and the connection's elapsed time.


fyxar # ./tcpstatflow  -h
./tcpstatflow version 1.0 by Fryxar (thanks Jeremy Elson!)

usage: ./tcpstatflow [-hpv] [-d debug_level] [-f tcptimeout]
          [-i iface] [-t statistics_time] [-x bytes_threshold]
          [-y time_threshold] [-z packets_threshold] [expression]

        -d: debug level; default is 1
        -h: print this help message
        -i: network interface to listen
            (type "ifconfig -a" for a list of interfaces)
        -f: TCP timeout in seconds; default is 7200
        -p: don't use promiscuous mode
        -v: verbose operation equivalent to -d 10
        -t: statistics time; default is 3600, use 0 to disable
        -x: cummulative bytes in both senses threshold to report an alarm; default is 100000
        -y: duration (seconds) threshold to report an alarm; default is 86400
        -z: cummulative packets in both senses threshold to report an alarm; default is 1000000
expression: tcpdump-like filtering expression
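The heuristic described above, as an added example written for this page rather than taken from tcpstatflow's source: per-connection inbound/outbound byte and packet counters plus connection lifetime, checked against the default -x / -y / -z values from the help text, over constructed packet records instead of a live libpcap capture. Reading "in both senses" as "the smaller of the two directions must cross the threshold" (i.e. the traffic is symmetric, unlike an HTTP download or an SMTP send) is an assumption about the tool's behaviour, not something the README states; the addresses, ports and segment sizes are constructed.

```python
#!/usr/bin/env python3
"""Flow-asymmetry detector in the spirit of tcpstatflow (added example, not the
tool's own code).  Aggregates per-connection counters in each direction and the
connection's lifetime, then flags connections that exceed a threshold."""
from dataclasses import dataclass

# Defaults copied from the -x / -y / -z entries of tcpstatflow's help output.
BYTES_THRESHOLD = 100_000       # -x: bytes, must be reached in both directions
TIME_THRESHOLD = 86_400         # -y: connection duration in seconds
PACKETS_THRESHOLD = 1_000_000   # -z: packets, must be reached in both directions


@dataclass
class Packet:
    """One TCP segment as a capture loop would hand it over (constructed here)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    length: int          # bytes on the wire


@dataclass
class ConnStats:
    client: tuple        # (ip, port) of the side that sent the first segment seen
    first_seen: float
    last_seen: float
    bytes_out: int = 0   # client -> server
    bytes_in: int = 0    # server -> client
    pkts_out: int = 0
    pkts_in: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def aggregate(packets):
    """Return {flow_key: ConnStats}; the key is the unordered pair of endpoints."""
    flows = {}
    for p in packets:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = tuple(sorted((a, b)))
        st = flows.get(key)
        if st is None:
            # The first segment we see defines which side is the client.
            st = flows[key] = ConnStats(client=a, first_seen=p.ts, last_seen=p.ts)
        st.last_seen = max(st.last_seen, p.ts)
        if a == st.client:
            st.bytes_out += p.length
            st.pkts_out += 1
        else:
            st.bytes_in += p.length
            st.pkts_in += 1
    return flows


def alarm_reasons(st, bytes_thr=BYTES_THRESHOLD, time_thr=TIME_THRESHOLD,
                  pkts_thr=PACKETS_THRESHOLD):
    """Why a connection looks tunnelled rather than like plain HTTP/SMTP.
    Assumption: a "both senses" threshold fires only when the *smaller* of the
    two directions crosses it, so one-sided transfers never trip it."""
    reasons = []
    if min(st.bytes_in, st.bytes_out) >= bytes_thr:
        reasons.append("bytes")
    if min(st.pkts_in, st.pkts_out) >= pkts_thr:
        reasons.append("packets")
    if st.duration >= time_thr:
        reasons.append("duration")
    return reasons


def detect(packets, **thresholds):
    """Map each flow key to its alarm reasons; an empty list means 'looks normal'."""
    return {k: alarm_reasons(st, **thresholds) for k, st in aggregate(packets).items()}


def synth(client, server, n_out, sz_out, n_in, sz_in, t0=0.0, dt=0.05):
    """Constructed traffic: n_out client segments of sz_out bytes interleaved with
    n_in server segments of sz_in bytes, dt seconds apart."""
    pkts, t = [], t0
    for i in range(max(n_out, n_in)):
        if i < n_out:
            pkts.append(Packet(t, *client, *server, sz_out)); t += dt
        if i < n_in:
            pkts.append(Packet(t, *server, *client, sz_in)); t += dt
    return pkts


def sample_traffic():
    """Four constructed connections from a LAN host (RFC 5737 test addresses)."""
    web = synth(("10.0.0.5", 40001), ("203.0.113.10", 80), 20, 400, 400, 1400)      # HTTP download
    mail = synth(("10.0.0.5", 40002), ("203.0.113.25", 25), 150, 1400, 10, 60)      # SMTP send
    tun = synth(("10.0.0.5", 40003), ("203.0.113.44", 443), 120, 1200, 150, 1300)   # symmetric "HTTPS"
    idle = synth(("10.0.0.5", 40004), ("203.0.113.80", 443), 2, 100, 2, 100, dt=50000.0)  # days-long
    return web + mail + tun + idle


if __name__ == "__main__":
    for key, reasons in detect(sample_traffic()).items():
        (cip, cport), (sip, sport) = key
        print(f"{cip}:{cport} <-> {sip}:{sport}  alarm={reasons or 'none'}")
```

Only the symmetric connection on port 443 and the days-long one raise alarms; the HTTP download (8 KB out, 560 KB in) and the SMTP send (210 KB out, 600 bytes in) stay below the byte rule because one direction is tiny, which is exactly the asymmetry the README relies on. Lowering -x (the bytes_thr keyword here) trades fewer missed tunnels for more false alarms on large uploads paired with large downloads.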
