    934303014.772066 205.153.63.30.1174 > 205.153.63.238.23: . ack 3259091394 win 8647 (DF)
                     4500 0028 b30c 4000 8006 2d84 cd99 3f1e
                     cd99 3fee 0496 0017 00ff f9b3 c241 c9c2
                     5010 21c7 e869 0000 0000 0000 0000 0000

would be reduced to

    934303014.772066 1 2 1174 23 0

Notice that the IP numbers have been replaced with 1 and 2, respectively. This is done in a consistent manner across multiple packets, so you will still be able to compare addresses within a single trace. The actual data reported varies from script to script. Here is an example of the syntax:

    bsd1# sanitize-tcp tracefile

This runs sanitize-tcp over the tcpdump trace file tracefile. There are no arguments.
    bsd1# tcpdpriv -P99 -C4 -M20 -r tracefile -w outfile

The -P99 option preserves (doesn't scramble) the port numbers, -C4 preserves the class identity of the IP addresses, and -M20 preserves multicast addresses. If you want the data output to your terminal, you can pipe the output to tcpdump:

    bsd1# tcpdpriv -P99 -C4 -M20 -r tracefile -w- | tcpdump -r-

The last two options look a little strange, since -w- writes the scrambled trace to standard output and -r- makes tcpdump read from standard input, but they will work.
    bsd1# tcp-reduce tracefile > outfile

will reduce tracefile, putting the output in outfile. The program tcp-summary, which comes with tcp-reduce, will further summarize the results. For example, I briefly traced a system on my network with tcpdump. This collected 741 packets. When processed with tcp-reduce, this revealed 58 TCP connections. Here is an example of passing the results to tcp-summary:

    bsd1# tcp-reduce out-file | tcp-summary

This example produced the following five-line summary:

    proto   # conn  KBytes  % SF  % loc  % ngh
    -----   ------  ------  ----  -----  -----
    www         56      35    25      0      0
    telnet       1       1   100      0      0
    pop-3        1       0   100      0      0

In this instance, the summary clearly shows that HTTP traffic dominated the local network traffic.
    12:36:54.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)

Here is the corresponding output from tcpshow for the same packet:

    -----------------------------------------------------------------------
    Packet 1
    TIME:   12:36:54.772066
    LINK:   00:10:5A:A1:E9:08 -> 00:10:5A:E3:37:0C type=IP
      IP:   sloan -> 205.153.63.238 hlen=20 TOS=00 dgramlen=40 id=B30C
            MF/DF=0/1 frag=0 TTL=128 proto=TCP cksum=2D84
     TCP:   port 1174 -> telnet seq=0016775603 ack=3259091394
            hlen=20 (data=0) UAPRSF=010000
            wnd=8647 cksum=E869 urg=0
    DATA:   <No data>
    -----------------------------------------------------------------------

The syntax is:

    bsd1# tcpshow < trace-file

There are numerous options.
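The two jobs shown so far, decoding the headers behind a tcpdump -x dump the way tcpshow does and renumbering hosts consistently the way sanitize-tcp does, fit in a short script. The following Python is an added example, not code from the book or from any of the tools discussed. It parses the hex dump quoted in the sanitize example above (an IPv4 header followed by a TCP header, no link layer), verifies the IP header checksum, prints a tcpshow-style summary, and emits a sanitize-tcp style line. The field names and the HostRenumberer class are the example's own, and it assumes the sixth field of the sanitized line is the TCP payload length, as the zero-data packet above suggests.

```python
import struct

# Constructed from the tcpdump -x line quoted above: a 20-byte IPv4 header and
# a 20-byte TCP header; the trailing zero words are Ethernet frame padding.
SAMPLE_HEX = ("4500 0028 b30c 4000 8006 2d84 cd99 3f1e cd99 3fee "
              "0496 0017 00ff f9b3 c241 c9c2 5010 21c7 e869 0000 "
              "0000 0000 0000 0000")
SAMPLE_TIMESTAMP = "934303014.772066"   # the unformatted timestamp on that line


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; a header whose stored checksum is valid sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_packet(hexdump: str) -> dict:
    """Parse IPv4 and TCP headers from a tcpdump -x dump (no link layer)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, cksum) = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ihl": ihl, "tos": tos, "dgramlen": total_len, "id": ident,
        "mf": (flags_frag >> 13) & 1, "df": (flags_frag >> 14) & 1,
        "frag": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
        "ip_cksum": cksum,
        "ip_cksum_ok": ones_complement_sum(raw[:ihl]) == 0,
    }
    if proto != 6:
        return pkt
    tcp = raw[ihl:]
    (sport, dport, seq, ack, off_flags,
     win, tcksum, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    thl = (off_flags >> 12) * 4
    pkt.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "thl": thl,
        # flag bits in tcpshow's UAPRSF order (0x20 down to 0x01)
        "flags": "".join(str((off_flags >> (5 - i)) & 1) for i in range(6)),
        "win": win, "tcp_cksum": tcksum, "urg": urg,
        # payload length comes from the IP total length, not from the dump,
        # because the dump may carry frame padding or be cut by the snaplen
        "data_len": total_len - ihl - thl,
    })
    return pkt


def render(pkt: dict) -> str:
    """tcpshow-like summary of the decoded headers."""
    proto = "TCP" if pkt["proto"] == 6 else str(pkt["proto"])
    lines = ["IP:  %s -> %s hlen=%d TOS=%02X dgramlen=%d id=%04X MF/DF=%d/%d "
             "frag=%d TTL=%d proto=%s cksum=%04X"
             % (pkt["src"], pkt["dst"], pkt["ihl"], pkt["tos"], pkt["dgramlen"],
                pkt["id"], pkt["mf"], pkt["df"], pkt["frag"], pkt["ttl"], proto,
                pkt["ip_cksum"])]
    if "sport" in pkt:
        lines.append("TCP: port %d -> %d seq=%010d ack=%010d hlen=%d (data=%d) "
                     "UAPRSF=%s wnd=%d cksum=%04X urg=%d"
                     % (pkt["sport"], pkt["dport"], pkt["seq"], pkt["ack"],
                        pkt["thl"], pkt["data_len"], pkt["flags"], pkt["win"],
                        pkt["tcp_cksum"], pkt["urg"]))
    return "\n".join(lines)


class HostRenumberer:
    """Map addresses to 1, 2, 3, ... in order of first appearance, consistently
    across a whole trace, as sanitize-tcp does. The mapping stays in memory."""
    def __init__(self):
        self.ids = {}

    def __call__(self, addr: str) -> int:
        return self.ids.setdefault(addr, len(self.ids) + 1)


def sanitize_line(timestamp: str, pkt: dict, renumber: HostRenumberer) -> str:
    """timestamp, renumbered src, renumbered dst, sport, dport, data bytes
    (assumed field order; the last field is taken to be the payload length)."""
    return "%s %d %d %d %d %d" % (timestamp, renumber(pkt["src"]),
                                  renumber(pkt["dst"]), pkt["sport"],
                                  pkt["dport"], pkt["data_len"])


if __name__ == "__main__":
    decoded = decode_packet(SAMPLE_HEX)
    print(render(decoded))
    print(sanitize_line(SAMPLE_TIMESTAMP, decoded, HostRenumberer()))
```

The payload length is derived from the IP total length rather than from the number of bytes in the dump, since tcpdump prints frame padding and truncates at the snaplen; the checksum check is what lets you notice a dump that was copied incorrectly or a header that was modified in transit.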
    bsd1# tcpslice 934224220.0000 in-file > out-file

This will extract all packets with timestamps after 934224220.0000. Note the use of an unformatted timestamp. This is the same format displayed with the -tt option of tcpdump. Note also the use of redirection. Because it works with binary files, tcpslice will not allow you to send output to your terminal. See the manpage for additional options.
    TCP connection 2:
            host c:        sloan.lander.edu:1230
            host d:        205.153.63.238:23
            complete conn: yes
            first packet:  Wed Aug 11 11:23:25.151274 1999
            last packet:   Wed Aug 11 11:23:53.638124 1999
            elapsed time:  0:00:28.486850
            total packets: 160
            filename:      telnet.trace
       c->d:                               d->c:
         total packets:            96        total packets:            64
         ack pkts sent:            95        ack pkts sent:            64
         pure acks sent:           39        pure acks sent:           10
         unique bytes sent:       119        unique bytes sent:      1197
         actual data pkts:         55        actual data pkts:         52
         actual data bytes:       119        actual data bytes:      1197
         rexmt data pkts:           0        rexmt data pkts:           0
         rexmt data bytes:          0        rexmt data bytes:          0
         outoforder pkts:           0        outoforder pkts:           0
         pushed data pkts:         55        pushed data pkts:         52
         SYN/FIN pkts sent:       1/1        SYN/FIN pkts sent:       1/1
         mss requested:          1460 bytes  mss requested:          1460 bytes
         max segm size:            15 bytes  max segm size:           959 bytes
         min segm size:             1 bytes  min segm size:             1 bytes
         avg segm size:             2 bytes  avg segm size:            23 bytes
         max win adv:            8760 bytes  max win adv:           17520 bytes
         min win adv:            7563 bytes  min win adv:           17505 bytes
         zero win adv:              0 times  zero win adv:              0 times
         avg win adv:            7953 bytes  avg win adv:           17519 bytes
         initial window:           15 bytes  initial window:            3 bytes
         initial window:            1 pkts   initial window:            1 pkts
         ttl stream length:       119 bytes  ttl stream length:      1197 bytes
         missed data:               0 bytes  missed data:               0 bytes
         truncated data:            1 bytes  truncated data:         1013 bytes
         truncated packets:         1 pkts   truncated packets:         7 pkts
         data xmit time:       28.479 secs   data xmit time:       27.446 secs
         idletime max:         6508.6 ms     idletime max:         6709.0 ms
         throughput:                4 Bps    throughput:               42 Bps

This was produced by using tcpdump to capture all traffic into the file telnet.trace and then executing tcptrace to process the data. Here is the syntax required to produce this output:

    bsd1# tcptrace -l telnet.trace

Similar output is produced for each TCP connection recorded in the trace file. Obviously, a protocol (like HTTP) that uses many different sessions may overwhelm you with output. There is a lot more to this program than is covered in this brief discussion. If your primary goal is analysis of network performance and related problems rather than individual packet analysis, this is a very useful tool.
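To make the tcptrace counters and the tcp-summary columns concrete, here is an added Python example (not code from tcptrace, tcp-reduce or the book) that groups a trace into connections and directions, computes per-direction statistics using tcptrace's names, and rolls them up into a tcp-summary-style table keyed by service. The trace is constructed (one complete telnet session containing a retransmission, plus one web connection that never closed), and the SERVICES table, the definition of a complete connection (both sides sent SYN and FIN) and the throughput calculation (unique bytes over that direction's first-to-last packet interval) are this example's own assumptions.

```python
from collections import defaultdict, namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq datalen win")

SERVICES = {23: "telnet", 80: "www", 110: "pop-3"}   # assumed /etc/services subset

# Constructed trace, not captured from a real network. Times are seconds and
# flags use tcpdump's letters (S, A, P, F).
TRACE = [
    Pkt(0.000, "10.1.1.5", 1230, "10.1.1.9", 23, "S", 100, 0, 8760),
    Pkt(0.010, "10.1.1.9", 23, "10.1.1.5", 1230, "SA", 500, 0, 17520),
    Pkt(0.020, "10.1.1.5", 1230, "10.1.1.9", 23, "A", 101, 0, 8760),
    Pkt(0.500, "10.1.1.5", 1230, "10.1.1.9", 23, "PA", 101, 15, 8760),
    Pkt(0.510, "10.1.1.9", 23, "10.1.1.5", 1230, "PA", 501, 3, 17520),
    Pkt(0.700, "10.1.1.5", 1230, "10.1.1.9", 23, "A", 116, 0, 8760),
    Pkt(0.800, "10.1.1.5", 1230, "10.1.1.9", 23, "PA", 101, 15, 8760),  # retransmission
    Pkt(1.000, "10.1.1.9", 23, "10.1.1.5", 1230, "PA", 504, 40, 17505),
    Pkt(2.000, "10.1.1.5", 1230, "10.1.1.9", 23, "FA", 116, 0, 7563),
    Pkt(2.010, "10.1.1.9", 23, "10.1.1.5", 1230, "FA", 544, 0, 17520),
    Pkt(2.020, "10.1.1.5", 1230, "10.1.1.9", 23, "A", 117, 0, 7563),
    Pkt(3.000, "10.1.1.5", 1240, "10.1.1.7", 80, "S", 900, 0, 8760),
    Pkt(3.010, "10.1.1.7", 80, "10.1.1.5", 1240, "SA", 700, 0, 17520),
    Pkt(3.020, "10.1.1.5", 1240, "10.1.1.7", 80, "PA", 901, 200, 8760),
    Pkt(3.200, "10.1.1.7", 80, "10.1.1.5", 1240, "PA", 701, 1500, 17520),
]


def connection_key(p):
    """Order the endpoints so both directions of a flow share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)


def direction_stats(pkts):
    """Counters for one direction of one connection, named as tcptrace names them."""
    st = {k: 0 for k in ("ack pkts sent", "pure acks sent", "actual data pkts",
                         "actual data bytes", "rexmt data pkts", "rexmt data bytes",
                         "unique bytes sent", "SYN pkts sent", "FIN pkts sent")}
    st["total packets"] = len(pkts)
    st["min win adv"] = min(p.win for p in pkts)
    st["max win adv"] = max(p.win for p in pkts)
    covered = set()   # byte offsets already seen, to tell unique data from rexmt
    for p in pkts:
        st["ack pkts sent"] += "A" in p.flags
        st["SYN pkts sent"] += "S" in p.flags
        st["FIN pkts sent"] += "F" in p.flags
        if p.datalen == 0:
            # a pure ack carries no data and is not part of setup or teardown
            if "A" in p.flags and "S" not in p.flags and "F" not in p.flags:
                st["pure acks sent"] += 1
            continue
        st["actual data pkts"] += 1
        st["actual data bytes"] += p.datalen
        span = set(range(p.seq, p.seq + p.datalen))
        new = span - covered
        if not new:                      # every byte was already sent once
            st["rexmt data pkts"] += 1
            st["rexmt data bytes"] += p.datalen
        st["unique bytes sent"] += len(new)
        covered |= span
    # assumed: unique bytes over this direction's first-to-last packet interval
    elapsed = pkts[-1].ts - pkts[0].ts
    st["throughput"] = int(st["unique bytes sent"] / elapsed) if elapsed > 0 else 0
    return st


def analyze(trace):
    """Group packets by connection and direction, then summarize each."""
    flows = defaultdict(lambda: defaultdict(list))
    for p in sorted(trace, key=lambda p: p.ts):
        flows[connection_key(p)][(p.src, p.sport)].append(p)
    result = {}
    for key, dirs in flows.items():
        times = [p.ts for d in dirs.values() for p in d]
        stats = {end: direction_stats(pkts) for end, pkts in dirs.items()}
        result[key] = {
            "elapsed": round(max(times) - min(times), 6),
            "total packets": sum(len(d) for d in dirs.values()),
            # assumed definition of a complete connection: SYN and FIN both ways
            "complete": all(s["SYN pkts sent"] and s["FIN pkts sent"]
                            for s in stats.values()),
            "dirs": stats,
        }
    return result


def service_summary(conns):
    """Rows like tcp-summary: service -> (# conn, KBytes, % complete)."""
    rows = defaultdict(lambda: [0, 0, 0])   # connections, bytes, complete count
    for (a, b), c in conns.items():
        port = min(a[1], b[1])              # assume the lower port is the service
        row = rows[SERVICES.get(port, str(port))]
        row[0] += 1
        row[1] += sum(s["unique bytes sent"] for s in c["dirs"].values())
        row[2] += c["complete"]
    return {svc: (n, round(b / 1024.0, 2), 100 * ok // n)
            for svc, (n, b, ok) in rows.items()}


if __name__ == "__main__":
    conns = analyze(TRACE)
    for key, c in conns.items():
        print(key, c["total packets"], "packets, complete:", c["complete"])
        for end, s in c["dirs"].items():
            print("   ", end, s)
    print(service_summary(conns))
```

The retransmission at 0.800 seconds is the case worth watching: it counts toward "actual data bytes" but not "unique bytes sent", which is exactly the distinction tcptrace draws between the two rows, and why throughput is computed from the unique count.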
    sol1> snoop -c5
    Using device /dev/elxl (promiscuous mode)
        172.16.2.210 -> sol1             TELNET C port=28863
                sol1 -> 172.16.2.210     TELNET R port=28863
        172.16.2.210 -> sol1             TELNET C port=28863
        172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
    sloan.lander.edu -> 172.16.2.210     TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
    snoop: 5 packets captured

As you can see, it is used pretty much the same way as tcpdump. (Actually, the output has a slightly more readable format.) snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump. Other systems will provide their own equivalents (for example, AIX provides iptrace). While the syntax is different, these tools are used in much the same way.