nexmon – Blame information for rev 1

Subversion Repositories:
Rev:
Rev Author Line No. Line
1 office 1 # tcpdump
2  
3 [![Build
4 Status](https://travis-ci.org/the-tcpdump-group/tcpdump.png)](https://travis-ci.org/the-tcpdump-group/tcpdump)
5  
6 TCPDUMP 4.x.y
7 Now maintained by "The Tcpdump Group"
8 See www.tcpdump.org
9  
10 Please send inquiries/comments/reports to:
11  
12 * tcpdump-workers@lists.tcpdump.org
13  
14 Anonymous Git is available via:
15  
16 git clone git://bpf.tcpdump.org/tcpdump
17  
18 Please submit patches by forking the branch on GitHub at:
19  
20 * http://github.com/the-tcpdump-group/tcpdump/tree/master
21  
22 and issuing a pull request.
23  
24 formerly from Lawrence Berkeley National Laboratory
25 Network Research Group <tcpdump@ee.lbl.gov>
26 ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)
27  
28 This directory contains source code for tcpdump, a tool for network
29 monitoring and data acquisition. This software was originally
30 developed by the Network Research Group at the Lawrence Berkeley
31 National Laboratory. The original distribution is available via
32 anonymous ftp to `ftp.ee.lbl.gov`, in `tcpdump.tar.Z`. More recent
33 development is performed at tcpdump.org, http://www.tcpdump.org/
34  
35 Tcpdump uses libpcap, a system-independent interface for user-level
36 packet capture. Before building tcpdump, you must first retrieve and
37 build libpcap, also originally from LBL and now being maintained by
38 tcpdump.org; see http://www.tcpdump.org/ .
39  
40 Once libpcap is built (either install it or make sure it's in
41 `../libpcap`), you can build tcpdump using the procedure in the `INSTALL.txt`
42 file.
43  
44 The program is loosely based on SMI's "etherfind" although none of the
45 etherfind code remains. It was originally written by Van Jacobson as
46 part of an ongoing research project to investigate and improve tcp and
47 internet gateway performance. The parts of the program originally
48 taken from Sun's etherfind were later re-written by Steven McCanne of
49 LBL. To insure that there would be no vestige of proprietary code in
50 tcpdump, Steve wrote these pieces from the specification given by the
51 manual entry, with no access to the source of tcpdump or etherfind.
52  
53 Over the past few years, tcpdump has been steadily improved by the
54 excellent contributions from the Internet community (just browse
55 through the `CHANGES` file). We are grateful for all the input.
56  
57 Richard Stevens gives an excellent treatment of the Internet protocols
58 in his book *"TCP/IP Illustrated, Volume 1"*. If you want to learn more
59 about tcpdump and how to interpret its output, pick up this book.
60  
61 Some tools for viewing and analyzing tcpdump trace files are available
62 from the Internet Traffic Archive:
63  
64 * http://www.sigcomm.org/ITA/
65  
66 Another tool that tcpdump users might find useful is tcpslice:
67  
68 * https://github.com/the-tcpdump-group/tcpslice
69  
70 It is a program that can be used to extract portions of tcpdump binary
71 trace files. See the above distribution for further details and
72 documentation.
73  
74 Problems, bugs, questions, desirable enhancements, etc. should be sent
75 to the address "tcpdump-workers@lists.tcpdump.org". Bugs, support
76 requests, and feature requests may also be submitted on the GitHub issue
77 tracker for tcpdump at:
78  
79 * https://github.com/the-tcpdump-group/tcpdump/issues
80  
81 Source code contributions, etc. should be sent to the email address
82 above or submitted by forking the branch on GitHub at:
83  
84 * http://github.com/the-tcpdump-group/tcpdump/tree/master
85  
86 and issuing a pull request.
87  
88 Current versions can be found at www.tcpdump.org.
89  
90 - The TCPdump team
91  
92 original text by: Steve McCanne, Craig Leres, Van Jacobson
93  
94 -------------------------------------
95 ```
96 This directory also contains some short awk programs intended as
97 examples of ways to reduce tcpdump data when you're tracking
98 particular network problems:
99  
100 send-ack.awk
101 Simplifies the tcpdump trace for an ftp (or other unidirectional
102 tcp transfer). Since we assume that one host only sends and
103 the other only acks, all address information is left off and
104 we just note if the packet is a "send" or an "ack".
105  
106 There is one output line per line of the original trace.
107 Field 1 is the packet time in decimal seconds, relative
108 to the start of the conversation. Field 2 is delta-time
109 from last packet. Field 3 is packet type/direction.
110 "Send" means data going from sender to receiver, "ack"
111 means an ack going from the receiver to the sender. A
112 preceding "*" indicates that the data is a retransmission.
113 A preceding "-" indicates a hole in the sequence space
114 (i.e., missing packet(s)), a "#" means an odd-size (not max
115 seg size) packet. Field 4 has the packet flags
116 (same format as raw trace). Field 5 is the sequence
117 number (start seq. num for sender, next expected seq number
118 for acks). The number in parens following an ack is
119 the delta-time from the first send of the packet to the
120 ack. A number in parens following a send is the
121 delta-time from the first send of the packet to the
122 current send (on duplicate packets only). Duplicate
123 sends or acks have a number in square brackets showing
124 the number of duplicates so far.
125  
126 Here is a short sample from near the start of an ftp:
127 3.00 0.20 send . 512
128 3.20 0.20 ack . 1024 (0.20)
129 3.20 0.00 send P 1024
130 3.40 0.20 ack . 1536 (0.20)
131 3.80 0.40 * send . 0 (3.80) [2]
132 3.82 0.02 * ack . 1536 (0.62) [2]
133 Three seconds into the conversation, bytes 512 through 1023
134 were sent. 200ms later they were acked. Shortly thereafter
135 bytes 1024-1535 were sent and again acked after 200ms.
136 Then, for no apparent reason, 0-511 is retransmitted, 3.8
137 seconds after its initial send (the round trip time for this
138 ftp was 1sec, +-500ms). Since the receiver is expecting
139 1536, 1536 is re-acked when 0 arrives.
140  
141 packetdat.awk
142 Computes chunk summary data for an ftp (or similar
143 unidirectional tcp transfer). [A "chunk" refers to
144 a chunk of the sequence space -- essentially the packet
145 sequence number divided by the max segment size.]
146  
147 A summary line is printed showing the number of chunks,
148 the number of packets it took to send that many chunks
149 (if there are no lost or duplicated packets, the number
150 of packets should equal the number of chunks) and the
151 number of acks.
152  
153 Following the summary line is one line of information
154 per chunk. The line contains eight fields:
155 1 - the chunk number
156 2 - the start sequence number for this chunk
157 3 - time of first send
158 4 - time of last send
159 5 - time of first ack
160 6 - time of last ack
161 7 - number of times chunk was sent
162 8 - number of times chunk was acked
163 (all times are in decimal seconds, relative to the start
164 of the conversation.)
165  
166 As an example, here is the first part of the output for
167 an ftp trace:
168  
169 # 134 chunks. 536 packets sent. 508 acks.
170 1 1 0.00 5.80 0.20 0.20 4 1
171 2 513 0.28 6.20 0.40 0.40 4 1
172 3 1025 1.16 6.32 1.20 1.20 4 1
173 4 1561 1.86 15.00 2.00 2.00 6 1
174 5 2049 2.16 15.44 2.20 2.20 5 1
175 6 2585 2.64 16.44 2.80 2.80 5 1
176 7 3073 3.00 16.66 3.20 3.20 4 1
177 8 3609 3.20 17.24 3.40 5.82 4 11
178 9 4097 6.02 6.58 6.20 6.80 2 5
179  
180 This says that 134 chunks were transferred (about 70K
181 since the average packet size was 512 bytes). It took
182 536 packets to transfer the data (i.e., on the average
183 each chunk was transmitted four times). Looking at,
184 say, chunk 4, we see it represents the 512 bytes of
185 sequence space from 1561 to 2048. It was first sent
186 1.86 seconds into the conversation. It was last
187 sent 15 seconds into the conversation and was sent
188 a total of 6 times (i.e., it was retransmitted every
189 2 seconds on the average). It was acked once, 140ms
190 after it first arrived.
191  
192 stime.awk
193 atime.awk
194 Output one line per send or ack, respectively, in the form
195 <time> <seq. number>
196 where <time> is the time in seconds since the start of the
197 transfer and <seq. number> is the sequence number being sent
198 or acked. I typically plot this data looking for suspicious
199 patterns.
200  
201  
202 The problem I was looking at was the bulk-data-transfer
203 throughput of medium delay network paths (1-6 sec. round trip
204 time) under typical DARPA Internet conditions. The trace of the
205 ftp transfer of a large file was used as the raw data source.
206 The method was:
207  
208 - On a local host (but not the Sun running tcpdump), connect to
209 the remote ftp.
210  
211 - On the monitor Sun, start the trace going. E.g.,
212 tcpdump host local-host and remote-host and port ftp-data >tracefile
213  
214 - On local, do either a get or put of a large file (~500KB),
215 preferably to the null device (to minimize effects like
216 closing the receive window while waiting for a disk write).
217  
218 - When transfer is finished, stop tcpdump. Use awk to make up
219 two files of summary data (maxsize is the maximum packet size,
220 tracedata is the file of tcpdump tracedata):
221 awk -f send-ack.awk packetsize=avgsize tracedata >sa
222 awk -f packetdat.awk packetsize=avgsize tracedata >pd
223  
224 - While the summary data files are printing, take a look at
225 how the transfer behaved:
226 awk -f stime.awk tracedata | xgraph
227 (90% of what you learn seems to happen in this step).
228  
229 - Do all of the above steps several times, both directions,
230 at different times of day, with different protocol
231 implementations on the other end.
232  
233 - Using one of the Unix data analysis packages (in my case,
234 S and Gary Perlman's Unix|Stat), spend a few months staring
235 at the data.
236  
237 - Change something in the local protocol implementation and
238 redo the steps above.
239  
240 - Once a week, tell your funding agent that you're discovering
241 wonderful things and you'll write up that research report
242 "real soon now".
243 ```