YATT (Yet Another Trace Tool)

YATT is a project to replace the current proliferation of trace tools (tcpTrace, proxyTrace, pcapTrace) with a single extensible tracing tool. YATT features a new GUI built with WTL, complete with a Hex View mode, and currently ships with two trace providers: one based on WinPCAP and one based on the Windows 2000 raw sockets support. Tunneling and HTTP Proxy providers will be added in a later build.
First off, you must install WinPCAP 3.1. (Earlier builds used older versions of WinPCAP; as of build 352 you need WinPCAP 3.1.)
Once installed, you can run YATT by selecting the YATT icon from the Start menu. You'll be prompted to select a trace provider. Choose the WinPCAP provider if your machine supports it: there appears to be a bug in the Windows XP raw sockets provider whereby you see only inbound traffic and never outgoing traffic.
Once you've picked a provider, you'll be prompted to enter a name and/or port filter. You can leave both blank, in which case no filter is applied, or you can enter a name and/or port to filter the display on what you enter. For example, if you leave the name blank and enter 80 for the port, you'll see all traffic going to or from port 80. If you leave the port blank and enter www.pocketsoap.com as the name, you'll see all traffic to or from www.pocketsoap.com regardless of port. If you enter both a port and a name, you'll only see traffic to or from that particular host/port combination.
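As an added illustration (not YATT's own code), the filter rules described above expressed in Python over a constructed sample trace: blank fields mean no filter, a name or port alone matches either endpoint of a packet, and name plus port must both match the same endpoint.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Endpoint:
    host: str   # host name as the tool would display it
    port: int


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


def endpoint_matches(ep: Endpoint, name: str, port: Optional[int]) -> bool:
    """True if this endpoint satisfies every non-blank filter field."""
    if name and ep.host.lower() != name.lower():
        return False
    if port is not None and ep.port != port:
        return False
    return True


def packet_matches(pkt: Packet, name: str = "", port: Optional[int] = None) -> bool:
    """YATT-style filter: blank fields mean no filter; a packet is shown when
    either its source or its destination satisfies the name/port combination."""
    if not name and port is None:
        return True  # no filter at all: everything is displayed
    return endpoint_matches(pkt.src, name, port) or endpoint_matches(pkt.dst, name, port)


def filter_trace(packets: List[Packet], name: str = "", port: Optional[int] = None) -> List[Packet]:
    return [p for p in packets if packet_matches(p, name, port)]


# Constructed sample trace (hypothetical hosts and ports, not captured data).
SAMPLE_TRACE = [
    Packet(Endpoint("10.0.0.5", 51234), Endpoint("www.pocketsoap.com", 80)),  # request
    Packet(Endpoint("www.pocketsoap.com", 80), Endpoint("10.0.0.5", 51234)),  # reply
    Packet(Endpoint("10.0.0.5", 51235), Endpoint("other.example", 80)),
    Packet(Endpoint("10.0.0.5", 51236), Endpoint("www.pocketsoap.com", 443)),
    Packet(Endpoint("10.0.0.5", 51237), Endpoint("mail.example", 25)),
]

if __name__ == "__main__":
    for label, kw in [("no filter", {}), ("port 80", {"port": 80}),
                      ("name only", {"name": "www.pocketsoap.com"}),
                      ("name + port 80", {"name": "www.pocketsoap.com", "port": 80})]:
        print(f"{label}: {len(filter_trace(SAMPLE_TRACE, **kw))} packets shown")
```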
Limitations / Todo list
- You can't capture from the loopback adapter (127.0.0.1), it can only capture from a physical NIC.
- Disk logging needs adding.
- TCP Tunnel provider needs adding.
- HTTP Proxy provider needs adding.
- Need to be able to copy text from the hex view.
Version History

Build 0.3.0352, March 24, 2006
- Migrated to WinPCAP 3.1.
- Fixed a bug where the selected capture device was ignored and the first device found was always used.
- The selected capture device is now correctly remembered between runs.
- Updated Installer to NSIS 2.0
- Migrated to WinPCAP 3.0 for all platforms.
- Friendly names for interfaces now appear on XP and W2K.
- Capture using some embedded Intel NICs now works.
- Canceling at the filtering screen no longer crashes.
- Errors configuring the capture are now reported instead of just silently failing.
- Running the uninstall will actually uninstall the files.
- Added a Show nulls option (in text view mode, NULs are shown as spaces).
- Added a Fix linefeeds option, which converts Unix and Mac line endings into Windows line endings in the text view.
- The Show nulls, Fix linefeeds, Word wrap and Hex view settings are now remembered between starts.
- Added friendly names to WinPCAP capture device dropdown list.
- Fixed problems with scroll bars not being refreshed in hex view mode.
- Added a Clear All option to remove all traces from the list, even if the connection is still open.
- Updated the installer to NSIS 1.98