chaosreader - Online in the Cloud



chaosreader - trace network sessions and export them to HTML format



chaosreader [-aehikqrvxAHIRTUXY] [-D dir]
[-b port[,...]] [-B port[,...]]
[-j IPaddr[,...]] [-J IPaddr[,...]]
[-l port[,...]] [-L port[,...]] [-m bytes[k]]
[-M bytes[k]] [-o "time"|"size"|"type"|"ip"]
[-p port[,...]] [-P port[,...]]
infile [infile2 ...]

chaosreader -s [mins] | -S [mins[,count]]
[-z] [-f 'filter']


Chaosreader traces TCP/UDP/other sessions and fetches application data from snoop or
tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP
files, HTTP transfers (HTML, GIF, JPEG etc) and SMTP emails from the captured data inside
network traffic logs. An HTML index file is created that links to all the session
details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions.
Chaosreader also creates reports such as image reports and HTTP GET/POST content reports.

Chaosreader can also run in standalone mode, where it invokes tcpdump to create the log
files and then processes them.


-a, --application
Create application session files (default)

-e, --everything
Create HTML 2-way & hex files for everything

-h Print a brief help

--help Print verbose help (this) and version

Print massive help

-i, --info
Create info file

-q, --quiet
Quiet, no output to screen

-r, --raw
Create raw files

-v, --verbose
Verbose - Create ALL files .. (except -e)

-x, --index
Create index files (default)

-A, --noapplication
Exclude application session files

-H, --hex
Include hex dumps (slow)

-I, --noinfo
Exclude info files

-R, --noraw
Exclude raw files

-T, --notcp
Exclude TCP traffic

-U, --noudp
Exclude UDP traffic

-Y, --noicmp
Exclude ICMP traffic

-X, --noindex
Exclude index files

-k, --keydata
Create extra files for keystroke analysis

-D dir, --dir dir
Output all files to this directory

-b 25,79, --playtcp 25,79
replay these TCP ports as well (playback)

-B 36,42, --playudp 36,42
replay these UDP ports as well (playback)

-l 7,79, --htmltcp 7,79
Create HTML for these TCP ports as well

-L 7,123, --htmludp 7,123
Create HTML for these UDP ports as well

-m 1k, --min 1k
Min size of connection to save ("k" for Kb)

-M 1024k, --max 1k
Max size of connection to save ("k" for Kb)

-o size, --sort size
Sort order: time/size/type/ip (default time)

-p 21,23, --port 21,23
Only examine these ports (TCP & UDP)

-P 80,81, --noport 80,81
Exclude these ports (TCP & UDP)

-s 5, --runonce 5
Standalone. Run tcpdump/snoop for 5 mins.

-S 5,10, --runmany 5,10
Standalone, many. 10 samples of 5 mins each.

-S 5, --runmany 5
Standalone, endless. 5 min samples forever.

-z, --runredo
Standalone, redo. Rereads last run's logs.

-j, --ipaddr
Only examine these IPs

-J, --noipaddr
Exclude these IPs

-f 'port 7', --filter 'port 7'
With standalone, use this dump filter.


Html index (full details)

Text index

File index for standalone redo mode

HTML report of images

HTML report of HTTP GET/POST requests

Info file describing TCP session #1

HTML coloured 2-way capture (time sorted)

Raw data 2-way capture (time sorted)

Raw 1-way capture (assembled) server->client

Raw 1-way capture (assembled) client->server

HTML coloured 2-way

HTTP portion of the above, a HTML file

HTML coloured 2-way

HTTP portion of the above, a JPEG file

HTML coloured 2-way

HTTP portion of the above, a GIF file

An FTP transfer, a gz file.


TCP Sessions

UDP Streams

icmp_* ICMP packets

HTML Index

Text Index

File Index for standalone redo mode only

HTML report of images

HTML report of HTTP GET/POST requests

*.info Info file describing the Session/Stream

*.raw Raw data 2-way capture (time sorted)

*.raw1 Raw 1-way capture (assembled) server->client

*.raw2 Raw 1-way capture (assembled) client->server

Session replay program (perl)

Partial capture (tcpdump/snoop were aware of drops)

2-way Hex dump, rendered in coloured HTML

2-way Hex dump in plain text

X11 replay script (talks X11)

X11 communicated text replay script (text only)

2-way text report, rendered in red/blue HTML

Keystroke delay data file. Used for SSH analysis.


Normal eg "chaosreader infile", this is where a tcpdump/snoop file was created previously
and chaosreader reads and processes it.

Standalone once
eg "chaosreader -s 10" this is where chaosreader runs tcpdump/snoop and generates
the log file, in this case for 10 minutes, and then processes the result. Some
OS's may not have tcpdump or snoop available so this will not work (instead you may
be able to get Ethereal, run it, save to a file, then use normal mode). There is a
master index.html and the report index.html in a sub dir, which is of the format
out_YYYYMMDD-hhmm, eg "out_20031003-2221".

Standalone, many
eg "chaosreader -S 5,12", this is where chaosreader runs tcpdump/snoop and
generates many log files, in this case it samples 12 times for 5 minutes each.
While this is running, the master index.html can be viewed to watch progress, which
links to minor index.html reports in each sub directory.

Standalone, redo
eg "chaosreader -ve -z", (the -z), this is where a standalone capture was
previously performed - and now you would like to reprocess the logs - perhaps with
different options (in this case, "-ve"). It reads index.file to determine which
capture logs to read.

Standalone, endless
eg "chaosreader -S 5", like standalone many - but runs forever (if you ever had the
need?). Watch your disk space!

Note: this is a work in progress, some of the code is a little unpolished.


· Run chaosreader in an empty directory.

· Create small packet dumps. Chaosreader uses around 5x the dump size in memory. A 100Mb
file could need 500Mb of RAM to process.

· Your tcpdump may allow "-s0" (entire packet) instead of "-s9000".

· Beware of using too much disk space, especially standalone mode.

· If you capture too many small connections giving a huge index.html, try using the -m
option to ignore small connections. eg "-m 1k".

· snoop logs may actually work better. Snoop logs are based on RFC1761, however there are
many variants of tcpdump/libpcap and this program cannot read them all. If you have
Ethereal you can create snoop logs during the "save as" option. On Solaris use "snoop
-o logfile".

· tcpdump logs may not be portable between OSs that use different sized timestamps or

· Logs are best created in a memory filesystem for speed, usually /tmp.

· For X11 or VNC playbacks, first practise by replaying a recent captured session of your
own. The biggest problem is colour depth, your screen must match the capture. For X11
check authentication (xhost +), for VNC check the viewers options (-8bit, "Hextile",

· SSH analysis can be performed with the "sshkeydata" program as demonstrated on
http://www.brendangregg.com/sshanalysis.html . chaosreader provides the input files
(*.keydata) that sshkeydata analyses.
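
The notes above warn that tcpdump/libpcap files come in several variants and that memory use is about 5x the dump size. The following is an added example, not part of chaosreader or its documentation: it reads a capture file's header to report whether it is snoop (RFC 1761), classic pcap (with byte order, timestamp unit and snaplen) or pcapng, and applies the 5x estimate. The function names and sample headers are constructed for illustration; it does not know which variants a given chaosreader build accepts.

```python
import os
import struct
import sys

SNOOP_MAGIC = b"snoop\x00\x00\x00"      # RFC 1761 identification pattern
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"      # pcapng section header block type
PCAP_MAGICS = {                          # first 4 file bytes -> (struct order, timestamp unit)
    b"\xa1\xb2\xc3\xd4": (">", "microseconds"),
    b"\xd4\xc3\xb2\xa1": ("<", "microseconds"),
    b"\xa1\xb2\x3c\x4d": (">", "nanoseconds"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanoseconds"),
}

def identify_capture(header: bytes) -> dict:
    """Classify a capture file from its first 24 bytes."""
    if header[:8] == SNOOP_MAGIC and len(header) >= 16:
        # snoop fields are always big-endian: version, then datalink type
        version, linktype = struct.unpack(">II", header[8:16])
        return {"format": "snoop", "version": version, "linktype": linktype}
    if header[:4] in PCAP_MAGICS and len(header) >= 24:
        order, unit = PCAP_MAGICS[header[:4]]
        # pcap global header after the magic: version, zone, sigfigs, snaplen, linktype
        major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            order + "HHiIII", header[4:24])
        return {"format": "pcap", "version": f"{major}.{minor}",
                "byte_order": "big" if order == ">" else "little",
                "timestamps": unit, "snaplen": snaplen, "linktype": linktype}
    if header[:4] == PCAPNG_MAGIC:
        return {"format": "pcapng"}
    return {"format": "unknown"}

def estimated_ram(dump_bytes: int) -> int:
    """Memory estimate from the page's rule of thumb: about 5x the dump size."""
    return 5 * dump_bytes

# Constructed sample headers (not taken from a real capture).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 9000, 1)
SAMPLE_SNOOP = SNOOP_MAGIC + struct.pack(">II", 2, 4)

if __name__ == "__main__":
    for path in sys.argv[1:]:            # usage: python3 script.py capture1 [capture2 ...]
        with open(path, "rb") as fh:
            info = identify_capture(fh.read(24))
        need = estimated_ram(os.path.getsize(path))
        print(f"{path}: {info}, estimated RAM {need // 2**20} MiB")
    if len(sys.argv) == 1:               # no files given: show the constructed samples
        print(identify_capture(SAMPLE_PCAP))
        print(identify_capture(SAMPLE_SNOOP))
```

A snaplen smaller than the packets on the wire means payloads were cut at capture time, which is why the notes suggest "-s0" or "-s9000".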
