Doug Vitale Tech Blog

GoToManage tcpindex

Update: GoToAssist, formerly known as GoToManage, seems to have abandoned tcpindex as well as two other utilities, RogueScanner and Packetyzer.

Tcpindex, one of the free open source tools from GoToManage, is a command line tool that captures packets and then indexes them for searching purposes. Only one version appears to have been released, in September 2008.

Tcpindex’s README file states, “Tcpindex captures packets from a LAN and indexes all of the strings from those packets in an inverted index so they can be efficiently searched using keywords.” In all fairness the README also admits, “It is not clear that it is useful for anything, or that it will even work correctly.” Alrighty then, thanks for the heads up. Moving right along…

You download the tcpindex.zip file and extract it to a folder such as C:\Users\username\Software\tcpindex. There you will find three files: COPYING (license text file), README (text file), and tcpindex.exe. Note that WinPcap must also be installed to use tcpindex. If you have installed Wireshark previously, you already have WinPcap.


The first step is to run tcpindex with the -D flag to see which network interfaces are available.

PS C:\Users\LocalUser\Software\TCPindex> .\tcpindex.exe -D

1: \Device\NPF_{46CC3D22-1882-403D-BF91-07DE7F8F3AEA}
    Microsoft
2: \Device\NPF_{0227B266-C1B4-4022-8433-88A989718B64}
    USB2.0 to Fast Ethernet Adapter
3: \Device\NPF_{7373D174-03D1-42CB-9A3F-1AD4E0E96BA3}
4: \Device\NPF_{64138A93-A15C-4F9C-AC3D-FA3946A1152C}
    Microsoft
No interface specified.


Next, choose an interface from that list and use it for packet capture with the -i option followed by the number of the desired interface. If the -s flag is also specified, the readable strings will also be saved in separate files for each session.

PS C:\Users\LocalUser\Software\TCPindex> .\tcpindex.exe -i 2

After running this command you will notice a folder named index_data in your tcpindex folder. When you feel that enough packets have been captured, break the packet capture session by pressing Ctrl+C. There will be several new files in the tcpindex folder named with the following naming convention: <protocol>-<your IP address>_<your port number>-<remote IP address>_<remote port>. An example packet capture file name would be: TCP-10.50.25.14_4341-96.17.149.42_80.

Now you can search your packet captures for keywords with the -q option. For example, to search for HTTP POST requests the command would be:

tcpindex -q +HTTP +POST
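To make the mechanics of the capture and query steps above concrete, here is a small added example (written for this post, not code from tcpindex or from GoToManage) that does in Python what the README describes: it takes session payloads, pulls out the readable strings, builds an inverted index from those strings to session file names in tcpindex's naming convention, and answers a query such as "+HTTP +POST". The payloads are constructed for the example rather than captured traffic, and the rule that a "+" prefix marks a required term is an assumption drawn from the two query examples on this page, not from tcpindex documentation.

```python
import re
from collections import defaultdict

# Constructed sample sessions (protocol, local IP, local port, remote IP, remote port, payload).
# The bytes below are made up for this example; they are not real captured traffic.
SAMPLE_SESSIONS = [
    ("TCP", "10.50.25.14", 4341, "96.17.149.42", 80,
     b"POST /login HTTP/1.1\r\nHost: example.test\r\nReferer: http://example.test/\r\n\r\nuser=bob\x00\x01\x02"),
    ("TCP", "10.50.25.14", 4342, "96.17.149.42", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("UDP", "10.50.25.14", 53412, "10.50.25.1", 53,
     b"\x12\x34\x01\x00\x00\x01\x07example\x04test\x00"),
]

MIN_STRING_LEN = 4  # assumed minimum run length, same default as the common strings utility


def session_filename(proto, lip, lport, rip, rport):
    """Build a per-session file name in the <proto>-<localIP>_<localPort>-<remoteIP>_<remotePort> convention."""
    return f"{proto}-{lip}_{lport}-{rip}_{rport}"


def extract_strings(payload, min_len=MIN_STRING_LEN):
    """Return every run of at least min_len printable ASCII bytes in the payload."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, payload)]


def tokenize(text):
    """Split a readable string into lowercase alphanumeric keyword tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(sessions):
    """Inverted index: keyword -> set of session file names whose strings contain it."""
    index = defaultdict(set)
    for proto, lip, lport, rip, rport, payload in sessions:
        name = session_filename(proto, lip, lport, rip, rport)
        for readable in extract_strings(payload):
            for token in tokenize(readable):
                index[token].add(name)
    return index


def query(index, query_string):
    """Evaluate a query string: '+term' must appear in every hit; bare terms widen the result.

    Returns the sorted list of matching session file names.
    """
    required, optional = [], []
    for term in query_string.split():
        if term.startswith("+"):
            required.append(term[1:].lower())
        else:
            optional.append(term.lower())
    if required:
        result = None
        for term in required:  # intersection of the posting sets of all required terms
            hits = index.get(term, set())
            result = hits if result is None else result & hits
    else:
        result = set()
        for term in optional:  # union of the posting sets of the optional terms
            result |= index.get(term, set())
    return sorted(result)


if __name__ == "__main__":
    idx = build_index(SAMPLE_SESSIONS)
    for q in ("+HTTP +POST", "+referer +aol", "+example"):
        print(f"{q!r}: {query(idx, q)}")
```

Running the script shows "+HTTP +POST" matching only the first session, "+referer +aol" matching nothing because no session contains "aol", and "+example" matching all three because the DNS payload carries the name as a readable string. The extracted strings are the same data tcpindex would write to the per-session files with -s, which is worth remembering when deciding where that index directory lives: it holds cleartext fragments of every session captured.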

The full range of tcpindex options is as follows.
Usage: tcpindex [OPTIONS] [QUERY STRING]

Capture packets on a network interface and index packets containing so they can be rapidly searched for keywords.

-D, --list-interfaces - list the available network interfaces.
-i, --interface=INDEX - specify index of the interface to capture packets on.
-l, --index-dir=DIR - specify the directory for the search index (default is 'index_data').
-h, --help - give this help.
-q, --query - specify a keyword query to perform against the index.
-s, --save-data - whether to save session data to individual files as well as the index.
-v, --verbose - output verbose debugging messages.

Example usage to capture and index data:

tcpindex -i 1

Example usage to query:

tcpindex -q +referer +aol

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems

Wireshark 101

Wireshark Network Analysis

Wireshark Exam Prep Guide

Wireshark Starter

Written by Doug Vitale

November 14, 2011 at 12:30 PM
