# Extracted from chaosreader source code
#
# 28-Sep-2003 Brendan Gregg Began writing this.
# 08-Oct-2003 " " Released version 0.7 beta
# 09-Oct-2003 " " Added telnet replays
# 12-Oct-2003 " " Added IRC ports and replays
# 19-Oct-2003 " " Made code more robust on different OSs
# 01-Nov-2003 " " Code cleanup, complex data types, IPv6, ICMP
# 03-Nov-2003 " " Added Standalone mode, standalone redo, ...
# 05-Nov-2003 " " Added Image indexes, GETPOST indexes
# 15-Nov-2003 " " Added HTTP proxy style log, hex dumps
# 27-Jan-2004 " " Released experimental X11 & VNC processing
# 30-Mar-2004 " " 802.11b, sorts, less RAM used, tun packets.
# 01-May-2004 " " CLI enhanced, faster, SSH analysis.
# 11-Sep-2011 " " ver 0.95
# 24-Sep 2011 " " ver 0.95b
# 04-Jan 2012 " " ver 0.95c
# 10-Jan 2012 " " ver 0.95d
# 15-Mar 2013 " " ver 0.95e
# 15-Apr 2013 " " ver 0.95f
# 18-Apr 2013 " " ver 0.95g
# 12-Apr 2014 " " ver 0.95h
# 14-Apr 2014 " " ver 0.95i
# 12-jun 2014 " " ver 0.95.10
# 15-Jun-2014 " " ver 0.96

11-Sep-2011, Jens Lechtenbörger:
- Switch from GPLv2 to GPLv3
- Integrate diff from http://refrequelate.blogspot.com/2008/07/more-de-chunking-chaosreader-patch.html to reassemble chunked HTTP transfers.
- Parse linux cooked captures, which result from listening on "any" interface. (Chaosreader0.94 does not produce any output for such pcap files.)
- Use HTTP content-type to identify file types such as HTML, XML, Javascript, CSS; use those types for better file extensions than "data".
- Uncompress gzip'ed data.
- Add new command line switch to show host names in HTTPlog and to create href-links from HTTPlog rows to the corresponding rows in the table on index.html.
- Several minor improvements (see comments with "JL:").

24-Sep-2011, Jens Lechtenbörger:
- More systematic Content-Type handling based on MIME types.
- More image types included in Image Report based on MIME types.

4-Jan-2012, Jens Lechtenbörger:
- Parsing of DNS replies to show names instead of IP addresses (new command line switch -d) and to save DNS replies as text files.

10-Feb-2012, Jens Lechtenbörger:
- Use file magic (again) to detect MIME type if HTTP's Content-Type is application/octet-stream. (Some Web servers report images incorrectly.)

15-Mar-2013, Jens Lechtenbörger:
- Create additional HTTP log file in text format. That file contains one line per GET request, which shows the referrer (if present) and indicates whether cookies have been sent in the request or received in the reply.

15-Apr-2013, Jens Lechtenbörger:
- Link additional HTTP log file from index.html.
- Also look for images in plain/text Content-Types (seen in the wild).
- Extend GET/POST report to include all GETs; not only those including a question mark (with parameters).

18-Apr-2013, Jens Lechtenbörger:
- Build new "External Image Report" (linked from index.html), where images are embedded from their origin servers. In contrast, the "Image Report" points to images on the local hard disk. The new report may be more suitable for publication on Web pages as it does not require publishing (potentially copyright protected) images.
- Parse CNAME DNS replies to show original host names (which are hopefully more familiar than aliases).
- Show also empty parts on index.html that result from cache hits.
- Create directory passed after switch "-D".

12-Apr-2014, Pavel Hančar:
- Optimized hexadecimal dumps to use less memory.
- Modified "IP Count" to "IP and MAC Count".
- Fixed a few bugs concerning output.

14-Apr-2014, Jens Lechtenbörger:
- Also create HTML files for ports 8118 (polipo) and 9050 (Tor) and treat both as HTTP traffic (quick hack, works for me).
- Improved handling of TCP streams with same source and destination IP address (e.g., from localhost to localhost).

12 Jun 2014 Pex
- support for deflate

Jens frequently calls this program with options "-vden -D ".