Tcpdump Manual

Published by: ejjhkb on Sep 08, 2010

Sections

  • Preface
  • Getting Started
  • 2.1 Installing tcptrace
  • 2.2 Using tcptrace
  • Basic Usage
  • Detailed Usage
  • 4.1 Detailed Stats
  • 4.2 RTT Stats
  • 4.3 CWND Stats
  • Graphing
  • 5.1 Time Sequence Graph
  • 5.2 Throughput Graph
  • 5.3 RTT Graph
  • 5.4 Outstanding Data Graph
  • 5.5 Segment Size Graph
  • 5.6 Time-Line Graph
  • 5.7 Miscellany
  • Filtering Connections
  • 6.1 Basic Filtering
  • 6.2 Advanced Filtering
  • Extended Options
  • 7.1 General
  • 7.2 Graphing Control
  • 7.3 Warning Control
  • Miscellany
  • 8.1 UDP Analysis
  • 8.2 Real-Time Analysis
  • 8.3 Packet Details
  • 8.4 Other Miscellany
  • Modules
  • 9.1 TRAFFIC Module
  • 9.2 HTTP Module
  • 9.3 SLICE Module
  • 9.4 COLLIE Module
  • 9.5 Real-Time Module
  • 9.6 Writing Modules

TCPTRACE Manual

Manikantan Ramadas mramadas@irg.cs.ohiou.edu

24 August 2003

Copyright © 2003 Internetworking Research Group, Ohio University. All rights reserved.

Abstract

This manual documents the general usage of the tcptrace program. tcptrace is a TCP Connection Analysis Tool originally written by Dr. Shawn Ostermann at Ohio University. It is maintained these days by his students and members of the Internetworking Research Group (IRG) at Ohio University.


CHAPTER ONE Preface

The goal of this manual is to document the tcptrace program: to explain how to get it installed, explain its capabilities, how to get it to do all it can do, what all the output it generates means, and the details from the environment that tcptrace uses. However, the goal is not to explain the working of the TCP/IP protocol suite itself, and there are nice books that do this already. I recommend my favorite book [?] if you need to understand the TCP/IP protocol suite better, or if commonly used TCP/IP parlance like “SACK”, “CWND”, “pure ACK” etc. are not familiar to you.

Finally, in a slight abuse of parlance, the terms “segments” and “packets” have been used interchangeably in the manual. However, it would be clear from context; for e.g., if we say “TCP packets” we mean “TCP segments”. Hopefully it would not be a cause of concern.

The manual is organized into chapters with the goal of making them as modular as possible so that they can be read independently of one another. It consists of the following chapters:

• Getting Started Explains how to get tcptrace up and running on your system.
• Basic Usage Explains the basic output generated by tcptrace.
• Detailed Usage Explains how to perform more detailed analysis, the fields in the long output format, and how they are calculated.
• Graphing Explains the graphs that can be generated, and how to generate them.
• Filtering Connections Explains how to filter-out or filter-in the connection(s) of interest.
• Extended Options Explains what each of the extended options mean and how to turn them on/off.
• Miscellany Explains all the miscellaneous things the program can do, like minimal UDP analysis, printing out packet details, etc.
• Modules Explains the behavior of the modules distributed with tcptrace, and briefly how to write your own modules.

If you are a tcptrace power-user familiar with the program, and are just looking for the option that generates the output you need, you might dive straight into Appendix A: Arguments Quick Reference. You may find answers to some of your xplot related questions in Appendix B: XPLOT Quick Reference. The syntactical definitions of common protocol headers are provided in Appendix C: Protocol Quick Reference.

Thanks

Thanks are due to my friend Avinash S. Lakhiani for working on an earlier version of the manual and for getting the Documentation project kick-started. Some sections of the manual have been drawn directly from his manuscript. Thanks are also due to the Python Software Foundation for the LaTeX 2ε style files from the Python Documentation Project used for generating this manual.


CHAPTER TWO Getting Started

2.1 Installing tcptrace

tcptrace can be downloaded from the project web-site http://www.tcptrace.org/download.html. Installing the stable version of tcptrace follows the typical procedure used to install most open-source software on UNIX-based systems. Unzip and untar the tar-ball (tcptrace-X.Y.Z.tar.gz) with the following steps:

• gunzip tcptrace-X.Y.Z.tar.gz
• tar xvf tcptrace-X.Y.Z.tar

Now, enter the tcptrace-X.Y.Z directory and install tcptrace with the following steps:

• ./configure
• make
• make install (as super-user)

You may also download the cutting-edge version of tcptrace from the project’s CVS repository. Instructions for doing so may be found in the download page at http://www.tcptrace.org/download.html.

A port of the tcptrace program has also been made to the Windows platforms. However, Windows ports tend only to be made for stable releases of the program. More information on the Windows version of the program can be found in: http://www.tcptrace.org/windows.html.

2.2 Using tcptrace

tcptrace can be run on a network dumpfile trivially as in

    tcptrace dumpfile

where dumpfile is a file containing traffic captured from the network. tcptrace understands various network dumpfile formats like tcpdump, snoop, etherpeek, netm, ns, nlanr, netscout, etc. Dumpfiles in these formats can also be compressed in GnuZIP (gz), BZIP2 (bz2), or UNIX compress (Z) formats, as tcptrace can uncompress them on the fly.

tcptrace can be passed multiple command-line options to perform various tasks as explained in subsequent chapters. If you want tcptrace to always start processing with certain command-line options, you may store them in the .tcptracerc file in your home directory, or set the TCPTRACEOPTS environment variable with the options. tcptrace reads the .tcptracerc file and the TCPTRACEOPTS environment variable before processing options given on the command line. You may also use tcptrace -h to get brief descriptions of the various command-line options.

CHAPTER THREE Basic Usage

When tcptrace is run trivially on a dumpfile, it generates output similar to the following:

    Beluga:/Users/mani> tcptrace tigris.dmp
    1 arg remaining, starting with 'tigris.dmp'
    Ostermann's tcptrace -- version 6.4.5 -- Fri Jun 13, 2003

    87 packets seen, 87 TCP packets traced
    elapsed wallclock time: 0:00:00.037900, 2295 pkts/sec analyzed
    trace file elapsed time: 0:00:12.180796
    TCP connection info:
      1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)       30>   30<  (complete)
      2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d)  12>   15<  (complete)

In the above example, tcptrace is run on dumpfile tigris.dmp. The initial lines tell that the file tcptrace is currently processing is tigris.dmp, the version of tcptrace running, and when it was compiled. The next line tells that a total of 87 packets were seen in the dumpfile and all the 87 TCP packets (in this case) were traced. The next line tells the elapsed wallclock time, i.e., the time tcptrace took to process the dumpfile, and the average speed in packets per second taken for processing. The following line indicates the trace file elapsed time, i.e., the duration of packet capture of the dumpfile, calculated as the duration between the capture of the first and last packets.

The subsequent lines indicate the two TCP connections traced from the dumpfile. The first connection was seen between machines pride.cs.ohiou.edu at TCP port 54735 and elephus.cs.ohiou.edu at TCP port ssh (22). Similarly, the second connection was seen between machines pride.cs.ohiou.edu at TCP port 54736 and a17-112-152-32.apple.com at TCP port http (80). tcptrace uses a labeling scheme to refer to individual connections traced. In the above example the two connections are labeled a2b and c2d respectively. For the first connection, 30 packets were seen in the a2b direction (pride.cs.ohiou.edu ==> elephus.cs.ohiou.edu) and 30 packets were seen in the b2a direction (elephus.cs.ohiou.edu ==> pride.cs.ohiou.edu). The two connections are reported as complete, indicating that the entire TCP connection was traced, i.e., the SYN and FIN segments opening and closing the connection were traced. TCP connections may also be reported as reset if the connection was closed with an RST segment, or unidirectional if traffic was seen flowing in only one direction.

In the above example, tcptrace looked up host names (elephus.cs.ohiou.edu, for example) and service names (http, for example), involving a DNS name lookup operation. Such name and service lookups can be turned off with the -n option to make tcptrace process faster. If you need name lookups but would rather have the short names of machines (elephus instead of elephus.cs.ohiou.edu, for example), use the -s option. The above brief output generated by tcptrace can also be generated with the -b option.
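As an added example (not part of the manual), the connection lines of this brief output can be parsed and the connections that were not complete picked out for closer inspection with -l. SAMPLE below is constructed after the output above; the 10.0.0.x hosts in it are made up.

```python
"""Parse the connection lines of tcptrace's brief output (Chapter 3) and pick out
connections that were not traced to completion. Added example, not tcptrace code;
SAMPLE is constructed after the manual's output (the 10.0.0.x hosts are made up)."""
import re
from typing import Dict, List

# e.g. "  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)   30>   30<  (complete)"
CONN_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<src>\S+):(?P<sport>\S+)\s+-\s+(?P<dst>\S+):(?P<dport>\S+)"
    r"\s+\((?P<label>[a-z]2[a-z])\)\s+(?P<fwd>\d+)>\s+(?P<rev>\d+)<\s+\((?P<state>\w+)\)")

SAMPLE = """\
1 arg remaining, starting with 'constructed.dmp'
Ostermann's tcptrace -- version 6.4.5 -- Fri Jun 13, 2003

96 packets seen, 96 TCP packets traced
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)        30>   30<  (complete)
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d)   12>   15<  (complete)
  3: 10.0.0.5:40001 - 10.0.0.9:8080 (e2f)                              3>    0<  (unidirectional)
  4: 10.0.0.5:40002 - 10.0.0.9:23 (g2h)                                4>    2<  (reset)
"""


def parse_connections(text: str) -> List[Dict[str, object]]:
    """One dict per 'N: host:port - host:port (x2y) n> m< (state)' line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            d = m.groupdict()
            d["idx"], d["fwd"], d["rev"] = int(d["idx"]), int(d["fwd"]), int(d["rev"])
            conns.append(d)
    return conns


def not_complete(conns: List[Dict[str, object]]) -> List[str]:
    """Labels (a2b, c2d, ...) of connections reported reset or unidirectional,
    i.e. the ones worth re-running with -l for a closer look."""
    return [c["label"] for c in conns if c["state"] != "complete"]
```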


CHAPTER FOUR Detailed Usage

4.1 Detailed Stats

tcptrace can produce detailed statistics of TCP connections from dumpfiles when given the -l or long output option. The -l option produces output similar to the one shown in this example.

    Beluga:/Users/mani> tcptrace -l malus.dmp.gz
    1 arg remaining, starting with 'malus.dmp.gz'
    Ostermann's tcptrace -- version 6.6.6 -- Tue Jul 1, 2003

    32 packets seen, 32 TCP packets traced
    elapsed wallclock time: 0:00:00.037948, 843 pkts/sec analyzed
    trace file elapsed time: 0:00:00.404427
    TCP connection info:
    1 TCP connection traced:
    TCP connection 1:
            host a:        elephus.cs.ohiou.edu:59518
            host b:        a17-112-152-32.apple.com:http
            complete conn: yes
            first packet:  Thu Jul 10 19:12:54.914101 2003
            last packet:   Thu Jul 10 19:12:55.318528 2003
            elapsed time:  0:00:00.404427
            total packets: 32
            filename:      malus.dmp.gz
       a->b:                                b->a:
         total packets:            16         total packets:            16
         ack pkts sent:            15         ack pkts sent:            16
         pure acks sent:           13         pure acks sent:            2
         sack pkts sent:            0         sack pkts sent:            0
         dsack pkts sent:           0         dsack pkts sent:           0
         max sack blks/ack:         0         max sack blks/ack:         0
         unique bytes sent:       450         unique bytes sent:     18182
         actual data pkts:          1         actual data pkts:         13
         actual data bytes:       450         actual data bytes:     18182
         rexmt data pkts:           0         rexmt data pkts:           0
         rexmt data bytes:          0         rexmt data bytes:          0
         zwnd probe pkts:           0         zwnd probe pkts:           0
         zwnd probe bytes:          0         zwnd probe bytes:          0
         outoforder pkts:           0         outoforder pkts:           0
         pushed data pkts:          1         pushed data pkts:          1
         SYN/FIN pkts sent:       1/1         SYN/FIN pkts sent:       1/1
         req 1323 ws/ts:          Y/Y         req 1323 ws/ts:          Y/Y
         adv wind scale:            0         adv wind scale:            0
         req sack:                  Y         req sack:                  N
         sacks sent:                0         sacks sent:                0
         urgent data pkts:          0 pkts    urgent data pkts:          0 pkts
         urgent data bytes:         0 bytes   urgent data bytes:         0 bytes
         mss requested:          1460 bytes   mss requested:          1460 bytes
         max segm size:           450 bytes   max segm size:          1448 bytes
         min segm size:           450 bytes   min segm size:           806 bytes
         avg segm size:           449 bytes   avg segm size:          1398 bytes
         max win adv:           40544 bytes   max win adv:           33304 bytes
         min win adv:            5840 bytes   min win adv:           33304 bytes
         zero win adv:              0 times   zero win adv:              0 times
         avg win adv:           23174 bytes   avg win adv:           33304 bytes
         initial window:          450 bytes   initial window:         1448 bytes
         initial window:            1 pkts    initial window:            1 pkts
         ttl stream length:       450 bytes   ttl stream length:     18182 bytes
         missed data:               0 bytes   missed data:               0 bytes
         truncated data:          420 bytes   truncated data:        17792 bytes
         truncated packets:         1 pkts    truncated packets:        13 pkts
         data xmit time:        0.000 secs    data xmit time:        0.149 secs
         idletime max:          103.9 ms      idletime max:           99.7 ms
         throughput:             1113 Bps     throughput:            44957 Bps

The initial lines of output are similar to the brief output explained in Chapter 3. The following lines indicate that the hosts involved in the connection and their TCP port numbers are:

    host a: elephus.cs.ohiou.edu:59518
    host b: a17-112-152-32.apple.com:http

The following lines indicate that the connection was seen to be complete, i.e., the connection was traced in its entirety with the SYN and FIN segments of the connection observed in the dumpfile. The time at which the first and last packets of the connection were captured is reported, followed by the lifetime of the connection and the number of packets seen. Then, the filename currently being processed is listed, followed by the multiple TCP statistics for the forward (a2b) and the reverse (b2a) directions. We explain the TCP parameter statistics in the following, for the a2b direction. A similar explanation would hold for the b2a direction too.

• total packets The total number of packets seen.
• ack pkts sent The total number of ack packets seen (TCP segments seen with the ACK bit set).
• pure acks sent The total number of ack packets seen that were not piggy-backed with data (just the TCP header and no TCP data payload) and did not have any of the SYN/FIN/RST flags set.
• sack pkts sent The total number of ack packets seen carrying TCP SACK [?] blocks.
• dsack pkts sent The total number of sack packets seen that carried duplicate SACK (D-SACK) [?] blocks.
• max sack blks/ack The maximum number of sack blocks seen in any sack packet.
• unique bytes sent The number of unique bytes sent, i.e., the total bytes of data sent excluding retransmitted bytes and any bytes sent doing window probing.
• actual data pkts The count of all the packets with at least a byte of TCP data payload.
• actual data bytes The total bytes of data seen. Note that this includes bytes from retransmissions / window probe packets, if any.

• rexmt data pkts The count of all the packets found to be retransmissions.
• rexmt data bytes The total bytes of data found in the retransmitted packets.
• zwnd probe pkts The count of all the window probe packets seen. (Window probe packets are typically sent by a sender when the receiver last advertised a zero receive window, to see if the window has opened up now.)
• zwnd probe bytes The total bytes of data sent in the window probe packets.
• outoforder pkts The count of all the packets that were seen to arrive out of order.
• pushed data pkts The count of all the packets seen with the PUSH bit set in the TCP header.
• SYN/FIN pkts sent The count of all the packets seen with the SYN/FIN bits set in the TCP header, respectively.
• req 1323 ws/ts If the endpoint requested the Window Scaling/Time Stamp options as specified in RFC 1323 [?], a ‘Y’ is printed in the respective field. If the option was not requested, an ‘N’ is printed. For example, an “N/Y” in this field means that the window-scaling option was not specified, while the Time-stamp option was specified in the SYN segment. Note that since the Window Scaling option is sent only in SYN packets, this field is meaningful only if the connection was captured fully in the dumpfile to include the SYN packets.
• adv wind scale The window scaling factor used. Again, this field is valid only if the connection was captured fully to include the SYN packets. Since the connection would use window scaling if and only if both sides requested window scaling [?], this field is reset to 0 (even if a window scale was requested in the SYN packet for this direction) if the SYN packet in the reverse direction did not carry the window scale option.
• req sack If the end-point sent a SACK permitted option in the SYN packet opening the connection, a ‘Y’ is printed; otherwise ‘N’ is printed.
• sacks sent The total number of ACK packets seen carrying SACK information.
• urgent data pkts The total number of packets with the URG bit turned on in the TCP header.
• urgent data bytes The total bytes of urgent data sent. This field is calculated by summing the urgent pointer offset values found in packets having the URG bit set in the TCP header.
• mss requested The Maximum Segment Size (MSS) requested as a TCP option in the SYN packet opening the connection.
• max segm size The maximum segment size observed during the lifetime of the connection.
• min segm size The minimum segment size observed during the lifetime of the connection.
• avg segm size The average segment size observed during the lifetime of the connection, calculated as the value reported in the actual data bytes field divided by the actual data pkts reported.
• max win adv The maximum window advertisement seen. If the connection is using window scaling (both sides negotiated window scaling during the opening of the connection), this is the maximum window-scaled advertisement seen in the connection. For a connection using window scaling, both the SYN segments opening the connection have to be captured in the dumpfile for this and the following window statistics to be accurate.
• min win adv The minimum window advertisement seen. This is the minimum window-scaled advertisement seen if both sides negotiated window scaling.
• zero win adv The number of times a zero receive window was advertised.

• avg win adv The average window advertisement seen, calculated as the sum of all window advertisements divided by the total number of packets seen. If the connection endpoints negotiated window scaling, this average is calculated as the sum of all window-scaled advertisements divided by the number of window-scaled packets seen. Note that in the window-scaled case, the window advertisements in the SYN packets are excluded since the SYN packets themselves cannot have their window advertisements scaled, as per RFC 1323 [?].
• initial window The total number of bytes sent in the initial window, i.e., the number of bytes seen in the initial flight of data before receiving the first ack packet from the other endpoint. Note that the ack packet from the other endpoint is the first ack acknowledging some data (the ACKs that are part of the 3-way handshake do not count), and any retransmitted packets in this stage are excluded.
• initial window The total number of segments (packets) sent in the initial window as explained above.
• ttl stream length The Theoretical Stream Length. This is calculated as the difference between the sequence numbers of the SYN and FIN packets, giving the length of the data stream seen. Note that this calculation is aware of sequence space wrap-arounds, and is printed only if the connection was complete (both the SYN and FIN packets were seen).
• missed data The missed data, calculated as the difference between the ttl stream length and unique bytes sent. If the connection was not complete, this calculation is invalid and an “NA” (Not Available) is printed.
• truncated data The truncated data, calculated as the total bytes of data truncated during packet capture. For example, with tcpdump, the snaplen option can be set to 64 (with the -s option) so that just the headers of the packet (assuming there are no options) are captured, truncating most of the packet data. In an Ethernet with a maximum segment size of 1500 bytes, this would amount to truncated data of 1500 − 64 = 1436 bytes for a packet.
• truncated packets The total number of packets truncated as explained above.
• data xmit time Total data transmit time, calculated as the difference between the times of capture of the first and last packets carrying non-zero TCP data payload.
• idletime max Maximum idle time, calculated as the maximum time between consecutive packets seen in the direction.
• throughput The average throughput, calculated as the unique bytes sent divided by the elapsed time, i.e., the value reported in the unique bytes sent field divided by the elapsed time (the time difference between the capture of the first and last packets in the direction).

4.2 RTT Stats

RTT (Round-Trip Time) statistics are generated when the -r option is specified along with the -l option (Section 4.1). The following fields of output are produced along with the output generated by the -l option.

    surya:/home/mani/tcptrace-manual> tcptrace -lr indica.dmp.gz
    1 arg remaining, starting with 'indica.dmp.gz'
    Ostermann's tcptrace -- version 6.4.5 -- Fri Jun 13, 2003

    153 packets seen, 153 TCP packets traced
    elapsed wallclock time: 0:00:00.128422, 1191 pkts/sec analyzed
    trace file elapsed time: 0:00:19.092645
    TCP connection info:
    1 TCP connection traced:
    TCP connection 1:

            host a:        192.168.0.70:32791
            host b:        webco.ent.ohiou.edu:23
            complete conn: yes
            first packet:  Thu Aug 29 18:54:54.782937 2002
            last packet:   Thu Aug 29 18:55:13.875583 2002
            elapsed time:  0:00:19.092645
            total packets: 153
            filename:      indica.dmp.gz
       a->b:                                b->a:
         total packets:            91         total packets:            62
         ...                                  ...
         throughput:               10 Bps     throughput:               94 Bps

         [... RTT statistics for a->b and b->a, one line per field as explained below:
          RTT samples, RTT min/max/avg/stdev, RTT from 3WHS, RTT full_sz smpls/min/max/avg/stdev,
          post-loss acks; then "For the following 5 RTT statistics, only ACKs for
          multiply-transmitted segments (ambiguous ACKs) were considered. Times are taken from
          the last instance of a segment." followed by ambiguous acks and RTT min/max/avg/sdv (last);
          then segs cum acked, duplicate acks, triple dupacks, max # retrans and
          min/max/avg/sdv retr time ...]

• RTT samples The total number of Round-Trip Time (RTT) samples found. tcptrace is pretty smart about choosing only valid RTT samples. An RTT sample is found only if an ack packet is received from the other endpoint for a previously transmitted packet such that the acknowledgment value is 1 greater than the last sequence number of the packet. Further, it is required that the packet being acknowledged was not retransmitted, and that no packets that came before it in the sequence space were retransmitted after the packet was transmitted. Note: the former condition invalidates RTT samples due to the retransmission ambiguity problem, and the latter condition invalidates RTT samples since it could be the case that the ack packet is cumulatively acknowledging the retransmitted packet, and not necessarily ack-ing the packet in question.

• RTT min The minimum RTT sample seen.
• RTT max The maximum RTT sample seen.
• RTT avg The average value of RTT found, calculated straightforwardly as the sum of all the RTT values found divided by the total number of RTT samples.
• RTT stdev The standard deviation of the RTT samples.
• RTT from 3WHS The RTT value calculated from the TCP 3-Way Hand-Shake (connection opening) [?], assuming that the SYN packets of the connection were captured.
• RTT full sz smpls The total number of full-size RTT samples, calculated from the RTT samples of full-size segments. Full-size segments are defined to be the segments of the largest size seen in the connection.
• RTT full sz min The minimum full-size RTT sample.
• RTT full sz max The maximum full-size RTT sample.
• RTT full sz avg The average full-size RTT sample.
• RTT full sz stdev The standard deviation of full-size RTT samples.
• post-loss acks The total number of ack packets received after losses were detected and a retransmission occurred. More precisely, a post-loss ack is found to occur when an ack packet acknowledges a packet sent (the acknowledgment value in the ack pkt is 1 greater than the packet’s last sequence number), and at least one packet occurring before the packet acknowledged was retransmitted later. In other words, the ack packet is received after we observed a (perceived) loss event and are recovering from it.
• ambiguous acks, RTT min, RTT max, RTT avg, RTT sdv These fields are printed only if there was at least one ack received that was ambiguous due to the retransmission ambiguity problem, i.e., the segment being ack-ed was retransmitted and it is impossible to determine if the ack is for the original or the retransmitted packet. ambiguous acks is the total number of such ambiguous acks seen. The following RTT min, RTT max, RTT avg, RTT sdv fields represent the minimum, maximum, average, and standard deviation respectively of the RTT samples calculated from ambiguous acks. These statistics are calculated from the time of capture of the last transmitted instance of the segment. Note that these samples are not considered in the RTT samples explained above.
• segs cum acked The count of the number of segments that were cumulatively acknowledged and not directly acknowledged.
• duplicate acks The total number of duplicate acknowledgments received. An ack packet is found to be a duplicate ack based on this definition used by the 4.4 BSD Lite TCP Stack [?]:
  o The ack packet has the biggest ACK (acknowledgment number) ever seen.
  o The ack should be pure (carry zero tcp data payload).
  o The advertised window carried in the ack packet should not change from the last window advertisement.
  o There must be some outstanding data.
  Note: older versions of tcptrace (until version 6.4.2) used a legacy algorithm using just the first condition amongst the four listed above. This older behavior may be emulated (if necessary at all) with the --turn_off_BSD_dupack option.
• triple dupacks The total number of triple duplicate acknowledgments received (three duplicate acknowledgments acknowledging the same segment), a condition commonly used to trigger the fast-retransmit/fast-recovery phase of TCP.
• max # retrans The maximum number of retransmissions seen for any segment during the lifetime of the connection.

• min retr time The minimum time seen between any two (re)transmissions of a segment amongst all the retransmissions seen.
• max retr time The maximum time seen between any two (re)transmissions of a segment.
• avg retr time The average time seen between any two (re)transmissions of a segment, calculated from all the retransmissions.
• sdv retr time The standard deviation of the retransmission-time samples obtained from all the retransmissions.

The raw RTT samples found can also be dumped into data files with the -Z option, as in

    tcptrace -Z file.dmp

This generates files of the form a2b_rttraw.dat and b2a_rttraw.dat (for both directions of the first TCP connection traced), c2d_rttraw.dat and d2c_rttraw.dat (for the second TCP connection traced), etc. in the working directory. Each of the datafiles contains lines of the form:

    seq# rtt

where seq# is the sequence number of the first byte of the segment being acknowledged (by the ack packet that contributed this RTT sample) and rtt is the RTT value in milliseconds of the sample. Note that only valid RTT samples (as counted in the RTT samples field listed above) are dumped.

4.3 CWND Stats

tcptrace reports statistics on the estimated congestion window with the -W option when used in conjunction with the -l option. Since there is no direct way to determine the congestion window at the TCP sender, the outstanding unacknowledged data is used to estimate the congestion window. The 4 new statistics produced by the -W option, in addition to the detailed statistics reported due to the -l option, are explained below.

    surya:/home/mani/tcptrace-manual> tcptrace -lW malus.dmp.gz
    1 arg remaining, starting with 'malus.dmp.gz'
    Ostermann's tcptrace -- version 6.6.6 -- Tue Jul 1, 2003

    32 packets seen, 32 TCP packets traced
    elapsed wallclock time: 0:00:00.026658, 1200 pkts/sec analyzed
    trace file elapsed time: 0:00:00.404427
    TCP connection info:
    1 TCP connection traced:
    TCP connection 1:
            host a:        elephus.cs.ohiou.edu:59518
            host b:        A17-112-152-32.apple.com:80
            complete conn: yes
            first packet:  Thu Jul 10 19:12:54.914101 2003
            last packet:   Thu Jul 10 19:12:55.318528 2003
            elapsed time:  0:00:00.404427
            total packets: 32
            filename:      malus.dmp.gz
       a->b:                                b->a:
         total packets:            16         total packets:            16
         ...                                  ...

         avg win adv:           22091 bytes   avg win adv:           33304 bytes
         max owin:                451 bytes   max owin:               1449 bytes
         min non-zero owin:         1 bytes   min non-zero owin:         1 bytes
         avg owin:                 31 bytes   avg owin:               1213 bytes
         wavg owin:               113 bytes   wavg owin:               682 bytes
         initial window:          450 bytes   initial window:         1448 bytes
         ...                                  ...
         throughput:             1113 Bps     throughput:            44957 Bps

• max owin The maximum outstanding unacknowledged data (in bytes) seen at any point in time in the lifetime of the connection.
• min non-zero owin The minimum (non-zero) outstanding unacknowledged data (in bytes) seen.
• avg owin The average outstanding unacknowledged data (in bytes), calculated from the sum of all the outstanding data byte samples (in bytes) divided by the total number of samples.
• wavg owin The weighted average outstanding unacknowledged data seen. For example, if the outstanding data (odata) was 500 bytes for the first 0.1 seconds of a connection that lasted 1.2 seconds, 1000 bytes for the next 1 second, and 2000 bytes for the last 0.1 seconds, wavg owin = ((500 x 0.1) + (1000 x 1) + (2000 x 0.1)) / 1.2 = 1041.67 bytes, an estimate closer to 1000 bytes, which was the outstanding data for most of the lifetime of the connection. Note that the straight-forward average reported in avg owin would have been (500+1000+2000)/1.2 = 2916.67 bytes, a value less indicative of the outstanding data observed during most of the connection’s lifetime.

CHAPTER FIVE

Graphing

tcptrace can generate six different types of graphs illustrating various parameters of a TCP connection. These graphs can be viewed with Tim Shepard's xplot program, or with the Java version of the same program called jPlot, developed by Avinash Lakhiani and available from http://www.tcptrace.org/jPlot. The graphs, and the options for tcptrace that generate them, are explained below.

tcptrace leaves *.xpl data files in the working directory when the graphing options are given, using the same naming scheme observed in previous chapters: the files a2b_*.xpl and b2a_*.xpl are the graphing data files for the two directions of traffic of the first connection, the c2d_*.xpl and d2c_*.xpl files are for the second connection, and so on.

5.1 Time Sequence Graph

Time Sequence graphs show the general activity and events that happen during the lifetime of a connection, and can be generated with the -S option. These graphs are named X2Y_tsg.xpl, and the data files can be viewed with the xplot program as in xplot a2b_tsg.xpl. A sample Time Sequence graph is shown in Figure 5.1. The Y-axis represents sequence number space and the X-axis represents time, so the slope of the sequence-number curve gives the throughput over time. A section of this graph (zoomed in with xplot) is shown in Figure 5.2, illustrating the following features.

• Green Line keeps track of the ACK values received from the other endpoint.

• Yellow Line tracks the receive window advertised by the other endpoint. (It is drawn at the sequence number value corresponding to the sum of the acknowledgment number and the receive window advertised in the last ACK packet received.)

• White Arrows represent segments sent. The up and down arrows represent the sequence numbers of the last and first bytes of the segment respectively.

• Red Arrows (R) represent retransmitted segments, with the up and down arrows similarly representing the sequence numbers of the last and first bytes of the segment.

• Little Green Ticks track the duplicate ACKs received.

• Little Yellow Ticks track the window advertisements that were the same as the last advertisement.

Further zooming into the beginning of the connection with xplot we find Figure 5.3. Here, the SYN marks the sequence number and the time when a SYN packet was sent.

Figure 5.1: Time Sequence Graph #1

Figure 5.2: Time Sequence Graph #2

Figure 5.3: Time Sequence Graph #3

The graph shown in Figure 5.4 is a section of a TCP connection being closed. Here,

• FIN marks a FIN segment sent in this direction.

• RST IN, RST OUT: when a RST segment is sent, a RST OUT is marked in the graph, and a RST IN is marked in the Time Sequence graph of the opposite direction of the connection.

• Little crosses (x) are segments sent with zero TCP data payload (the down and up arrows of the segment coincide, giving rise to a cross).

• SACK blocks found in ACK packets are represented as purple lines with an S on top, as shown in Figure 5.5.

• PUSH segments: TCP segments sent with the PUSH flag set are represented with a diamond in place of the up arrow, as shown in Figure 5.6.

Figure 5.4: Time Sequence Graph #4

Figure 5.5: SACK blocks

Figure 5.6: PUSH segments

Figure 5.7: URGENT segments

• URGENT segments: TCP segments carrying urgent data, with the URG flag set in the TCP header, are represented with a red U on top of the segment. This is shown in Figure 5.7.

• Window Probing happens when the receiver advertises a window of 0 (typically when the application goes dormant and TCP holds on to the allocated window full of received data, i.e., data waiting to be picked up). A Time Sequence graph illustrating this is shown in Figure 5.8. The Z labels in the graph represent a window advertisement of 0 bytes received from the other endpoint. The subsequent P labels indicate the probe packets sent by the sending endpoint to see if the window has opened up yet.

The following other symbols also occur in Time Sequence graphs:

• O represents packets received out of order.

Figure 5.8: Window Probing

• HD represents Hardware Duplicates. Hardware duplicates correspond to link-layer retransmissions, found when a duplicate packet with the same IPv4 identification number and TCP sequence number as a previously observed packet is seen.

• 3 indicates that the received ACK packet was the triple duplicate ACK, commonly used as the threshold to trigger the TCP fast retransmit/recovery algorithm.

• CWR / CE track Explicit Congestion Notification messages received. CWR indicates that the Congestion Window Reduced flag was set in the TCP header of the packet, while CE indicates that the Congestion Experienced code-point was found in the IP header of the packet.

5.2 Throughput Graph

Throughput graphs (named X2Y_tput.xpl) are generated with the -T option. A sample throughput graph is shown in Figure 5.9. The graph has throughput in bytes/second on the Y-axis and time on the X-axis.

• Yellow Dots represent instantaneous throughput, defined as the size of the segment seen divided by the time since the last segment was seen (in this direction). Due to clock granularity, there tends to be a lot of banding of the dots. If you find the yellow dots annoying, you may turn them off with the -y option.

• Red Line tracks the throughput seen from the last few samples, calculated as the average of the N previous yellow dots. By default the line tracks the past 10 samples (N=10); this can be changed with the -AN option. For example, giving -A5 along with the -T option calculates the throughput from the past 5 yellow dots to draw the line.

• Blue Line tracks the average throughput of the connection up to that point in the lifetime of the connection (total bytes seen / total seconds so far).

5.3 RTT Graph

RTT (Round Trip Time) graphs (named X2Y_rtt.xpl) are generated with the -R option. A sample RTT graph is shown in Figure 5.10. The Y-axis represents RTT in milliseconds and the X-axis represents time. The yellow dots represent RTT samples calculated from non-retransmitted segments, and the red line just connects the dots.

5.4 Outstanding Data Graph

Outstanding Data graphs (named X2Y_owin.xpl) are generated with the -N option. The idea behind these graphs is to estimate the congestion window at the sender. Since this cannot be determined accurately, we use the outstanding unacknowledged data as an estimate. A sample is shown in Figure 5.11. The Y-axis represents the outstanding data in bytes and the X-axis represents time.

• Red Line represents instantaneous outstanding data samples at various points in the lifetime of the connection.

• Blue Line tracks the average outstanding data up to that point.

• Green Line tracks the weighted average of outstanding data up to that point, as explained in the calculation of the wavg owin field in Section 4.3.

Figure 5.9: Throughput Graph

Figure 5.10: RTT Graph

Figure 5.11: Outstanding Data Graph

5.5 Segment Size Graph

Segment size graphs (named X2Y_ssize.xpl) are generated with the -F option. A sample segment size graph is shown in Figure 5.12. The Y-axis represents segment size in bytes and the X-axis represents time.

• Red Line represents the instantaneous segment size samples.

• Blue Line represents the average segment size seen up to that point.

Figure 5.12: Segment Size

5.6 Time-Line Graph

The goal of the Time-Line graphs is to generate graphs similar to the pretty graphs found in the book "TCP/IP Illustrated Volume I" by W. Richard Stevens, illustrating the activities of connections. The graphs can be generated with the -L option, which generates graphs named X_Y_tline.xpl.

The Time-Line graphs are still EXPERIMENTAL and are under development. The fundamental problem with generating these graphs is that the time values for the segments arriving/leaving are available only from the end where the traffic was captured, while the times at which the packets arrived or left at the other end have to be estimated with some heuristic. Doing this right tends to be a hard problem, taking care of conditions like retransmits, timeouts etc. The current heuristic is a simple one of adding/subtracting 1/3rd of the RTT.

This graph provides a pictorial view of the segments being transmitted in either direction over the duration of the connection. The X-axis shows the segments being transmitted between the two communicating hosts. The Y-axis shows increasing time going from the top to the bottom of the graph. As you zoom in with xplot, more and more details become visible. Figure 5.13 is an example of a time-line graph, and Figure 5.14 is a close-up of it (zoomed in with xplot). The following features can be seen in the graph:

Axes
  X-axis: segments being transmitted in either direction (zoom in to see the arrow heads for the correct direction)
  Y-axis: running time of the connection (top to bottom, ignoring the negative sign)

Graph Features
  Green Lines: the green lines show the segments traveling in the direction a->b
  Yellow Lines: the yellow lines show the segments traveling in the direction b->a
  Labels: the labels alongside the segments have the following format: TCP flags (only if set), sequence number from:sequence number to (difference, bytes transmitted), acknowledgment sequence number, advertised window, retransmit indicator ("R"), hardware duplicate indicator ("HD"). The sequence number for the first segment in either direction is absolute, while the rest are relative to the first segment.

5.7 Miscellany

If you want to generate all the graphs, use the -G option. If you would rather have the generated graphs placed in a separate directory, and not clutter your working directory, use the --output_dir option. For example,

    tcptrace -G --output_dir=graphs indica.dmp

would leave all the graphs in the graphs directory. Now, if you are using the same graphs directory to store the graphs generated from another file mangifera.dmp, the old *.xpl files from indica.dmp may get overwritten by the new *.xpl files. You may wish to use the --output_prefix option to fix this. For example,

    tcptrace -G --output_dir=graphs --output_prefix=mangifera_ mangifera.dmp

would generate files of the form mangifera_a2b_tsg.xpl in the graphs directory.

In all the above graphs, the X-axis represents the actual time of the connection. If you want relative time, with time beginning at 0, use the -zx option while generating the graphs. The Y-axis can also be made to begin from 0 with the -zy option. This is generally useful in Time Sequence graphs, where the sequence offset rather than the actual sequence number values may be desired. Figure 5.4 shows a section of a Time Sequence graph generated with the -zxy option, causing both axes to begin from 0.

If you want monochrome plots, use the -M option. For the sake of completeness, the -C option produces color plots (which of course is the default behavior).

tcptrace can also call xplot internally to pop up the graphs generated at the end of processing the dumpfile(s), with the --xplot_all_files option.

Figure 5.13: Time-Line Graph #1

Figure 5.14: Time-Line Graph #2

    tcptrace -S --xplot_all_files elephus.dmp

This would pop up all the Time Sequence graphs generated for the dumpfile elephus.dmp, which could be a lot depending on the number of connections found. This option is meant for use when there are only a few connections in the dumpfile, unless you want your screen to be filled with xplot graphs. While using this option, any options that need to be given to xplot for drawing the graphs can also be specified with the --xplot_args="..." option, where the "..." is the place-holder for the xplot options to be set. If multiple options are being passed to xplot, it is recommended that the entire option be enclosed in double quotes as shown, to protect it from being interpreted as multiple command-line arguments by your shell. A user-defined prefix may be added to the title of the xplot graphs if necessary, while calling xplot internally from tcptrace, by passing the prefix in the --xplot_title_prefix="..." option.

CHAPTER SIX

Filtering Connections

It is commonly the case that the dumpfile captured for analysis by tcptrace has many more connections than the ones you may be interested in. In such cases, it could be useful to pick and choose the connections of interest from the dumpfile, and perform detailed analysis on them alone. This chapter describes how to do such connection filtering.

6.1 Basic Filtering

The -o option can be used to look only at certain connections. For example, 8 TCP connections were traced in the file rexmit.dmp.gz:

Beluga:/Users/mani/dmpfiles> tcptrace -n rexmit.dmp.gz
1 arg remaining, starting with 'rexmit.dmp.gz'
Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003

6401 packets seen, 6401 TCP packets traced
elapsed wallclock time: 0:00:00.102161, 62656 pkts/sec analyzed
trace file elapsed time: 0:20:57.758299
TCP connection info:
  1: 132.235.67.82:1321 - 132.235.67.36:9080 (a2b)  178>  113<  (complete)
  2: 132.235.67.82:2525 - 132.235.67.36:9119 (c2d) 1358> 1311<  (complete)
  3: 132.235.67.82:2666 - 132.235.67.36:9080 (e2f)   60>   18<  (complete)
  4: 132.235.67.82:3299 - 132.235.67.36:9119 (g2h)  910>  872<  (complete)
  5: 132.235.67.82:3396 - 132.235.67.36:9119 (i2j)  722>  676<  (complete)
  6: 132.235.67.82:3584 - 132.235.67.36:9080 (k2l)   56>   16<  (reset)
  7: 132.235.67.82:3640 - 132.235.67.36:9080 (m2n)   48>   14<  (reset)
  8: 132.235.67.82:4095 - 132.235.67.36:9080 (o2p)   40>    9<  (reset)

Using the -o option with 3,5,7 as shown below filters out only the 3rd, 5th and 7th connections.

Beluga:/Users/mani/dmpfiles> tcptrace -n -o3,5,7 rexmit.dmp.gz
1 arg remaining, starting with 'rexmit.dmp.gz'
Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003

6401 packets seen, 6401 TCP packets traced
elapsed wallclock time: 0:00:00.086056, 74381 pkts/sec analyzed
trace file elapsed time: 0:20:57.758299
TCP connection info:
  3: 132.235.67.82:2666 - 132.235.67.36:9080 (e2f)   60>   18<  (complete)
  5: 132.235.67.82:3396 - 132.235.67.36:9119 (i2j)  722>  676<  (complete)
  7: 132.235.67.82:3640 - 132.235.67.36:9080 (m2n)   48>   14<  (reset)

You may use the -l option (Section 4.1), for example, to generate the detailed statistics of only these connections, as in tcptrace -n -o3,5,7 -l rexmit.dmp.gz. Similarly, graphs can be generated for the connections you are interested in alone, by combining the -o and -G options. The following example illustrates how you could specify a range of connections with the -o option, to get only the connections 1-3 and 7-8 from the dumpfile.

Beluga:/Users/mani/dmpfiles> tcptrace -n -o1-3,7-8 rexmit.dmp.gz
1 arg remaining, starting with 'rexmit.dmp.gz'
Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003

6401 packets seen, 6401 TCP packets traced
elapsed wallclock time: 0:00:00.091752, 69764 pkts/sec analyzed
trace file elapsed time: 0:20:57.758299
TCP connection info:
  1: 132.235.67.82:1321 - 132.235.67.36:9080 (a2b)  178>  113<  (complete)
  2: 132.235.67.82:2525 - 132.235.67.36:9119 (c2d) 1358> 1311<  (complete)
  3: 132.235.67.82:2666 - 132.235.67.36:9080 (e2f)   60>   18<  (complete)
  7: 132.235.67.82:3640 - 132.235.67.36:9080 (m2n)   48>   14<  (reset)
  8: 132.235.67.82:4095 - 132.235.67.36:9080 (o2p)   40>    9<  (reset)

You may also store the connection numbers in a data file, conn.dat for example, and pass it to the -o option. The -o option opens and reads from a file if the character following the -o is not a numeral. For example, when the conn.dat file had just the line 1-3, 6-8, it causes connections 1-3 and 6-8 alone to be filtered out.

Beluga:/Users/mani/dmpfiles> tcptrace -n -oconn.dat rexmit.dmp.gz
1 arg remaining, starting with 'rexmit.dmp.gz'
Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003

6401 packets seen, 6401 TCP packets traced
elapsed wallclock time: 0:00:00.092103, 69498 pkts/sec analyzed
trace file elapsed time: 0:20:57.758299
TCP connection info:
  1: 132.235.67.82:1321 - 132.235.67.36:9080 (a2b)  178>  113<  (complete)
  2: 132.235.67.82:2525 - 132.235.67.36:9119 (c2d) 1358> 1311<  (complete)
  3: 132.235.67.82:2666 - 132.235.67.36:9080 (e2f)   60>   18<  (complete)
  6: 132.235.67.82:3584 - 132.235.67.36:9080 (k2l)   56>   16<  (reset)
  7: 132.235.67.82:3640 - 132.235.67.36:9080 (m2n)   48>   14<  (reset)
  8: 132.235.67.82:4095 - 132.235.67.36:9080 (o2p)   40>    9<  (reset)

Sometimes it could be useful to save only the filtered connections into a new dumpfile. This can be done with the -O option. The following example saves just the connections 4-6 into the file filt_rexmit.dmp.

Beluga:/Users/mani/dmpfiles> tcptrace -n -o4-6 -Ofilt_rexmit.dmp rexmit.dmp.gz
1 arg remaining, starting with 'rexmit.dmp.gz'
Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003

6401 packets seen, 6401 TCP packets traced
elapsed wallclock time: 0:00:00.102007, 62750 pkts/sec analyzed
trace file elapsed time: 0:20:57.758299
TCP connection info:
  4: 132.235.67.82:3299 - 132.235.67.36:9119 (g2h)  910>  872<  (complete)
  5: 132.235.67.82:3396 - 132.235.67.36:9119 (i2j)  722>  676<  (complete)
  6: 132.235.67.82:3584 - 132.235.67.36:9080 (k2l)   56>   16<  (reset)

Ignoring certain connections can be done too, with the -i option. The usage of the -i option is very similar to the -o option: tcptrace -n -i1 rexmit.dmp.gz ignores the first connection alone, and tcptrace -n -i1,3-5 rexmit.dmp.gz ignores connections 1, 3, 4 and 5. A data file containing a list of connection numbers to ignore can also be given to the -i option (as shown above for the -o option).

The -c option is useful if you are interested in looking at only complete connections, i.e., the connections for which both the SYN and FIN segments opening and closing the connection were seen.

Finally, if for some reason you are interested in looking only at the first 200 packets found in the file, for example, you may use the -E option, as in tcptrace -n -E200 rexmit.dmp.gz. You may also begin at the 300th packet in the file, for example, with the -B option, as in tcptrace -n -B300 rexmit.dmp.gz. Using both options lets you look at a range of packets as they occurred in the dumpfile, as in tcptrace -n -B100 -E200 rexmit.dmp.gz.

6.2 Advanced Filtering

The -f option can be used to perform more sophisticated filtering of connections, based on various parameters. The supported filter variables are listed below:

Beluga:/Users/mani/tcptrace-manual> tcptrace -hfilter
Filter Variables:
  variable name      type      description
  -----------------  --------  -----------------------------------------------
  hostname           STRING    FQDN host name (unless -n)
  portname           STRING    service name of the port (unless -n)
  port               UNSIGNED  port NUMBER
  mss                SIGNED    maximum segment size
  f1323_ws           BOOL      1323 window scaling requested
  f1323_ts           BOOL      1323 time stamps requested
  fsack_req          BOOL      SACKs requested
  window_scale       BOOL      window scale factor

  bad_behavior       BOOL      bad TCP behavior
  data_bytes         UNSIGNED  bytes of data
  data_segs          UNSIGNED  segments of data
  data_segs_push     UNSIGNED  segments with PUSH set
  unique_bytes       UNSIGNED  non-retransmitted bytes
  rexmit_bytes       UNSIGNED  retransmitted bytes
  rexmit_segs        UNSIGNED  segments w/ retransmitted data
  ack_segs           UNSIGNED  segments containing ACK
  pureack_segs       UNSIGNED  segments containing PURE ACK (no data/syn/fin/reset)
  win_max            UNSIGNED  MAX window advertisement
  win_min            UNSIGNED  MIN window advertisement
  win_zero_ct        UNSIGNED  number of ZERO windows advertised
  min_seq            UNSIGNED  smallest sequence number
  max_seq            UNSIGNED  largest sequence number
  num_sacks          UNSIGNED  number of ACKs carrying SACKs
  max_sacks          UNSIGNED  most SACK blocks in a single ACK
  segs               UNSIGNED  total segments
  packets            UNSIGNED  total segments
  syn_count          UNSIGNED  SYNs sent
  fin_count          UNSIGNED  FINs sent
  reset_count        UNSIGNED  RESETs sent
  min_seg_size       UNSIGNED  smallest amount of data in a segment (not 0)
  max_seg_size       UNSIGNED  largest amount of data in a segment
  out_order_segs     UNSIGNED  out of order segments
  sacks_sent         UNSIGNED  SACKs sent
  ipv6_segs          UNSIGNED  number of IPv6 segments sent
  max_idle           UNSIGNED  maximum idle time (usecs)
  num_hw_dups        UNSIGNED  number of hardware-level duplicates
  initwin_bytes      UNSIGNED  number of bytes in initial window
  initwin_segs       UNSIGNED  number of segments in initial window
  rtt_min            UNSIGNED  MIN round trip time (usecs)
  rtt_max            UNSIGNED  MAX round trip time (usecs)
  rtt_count          UNSIGNED  number of RTT samples
  rtt_min_last       UNSIGNED  MIN round trip time (usecs) (from last rexmit)
  rtt_max_last       UNSIGNED  MAX round trip time (usecs) (from last rexmit)
  rtt_count_last     UNSIGNED  number of RTT samples (from last rexmit)
  rtt_amback         UNSIGNED  number of ambiguous ACKs
  rtt_cumack         UNSIGNED  number of cumulative ACKs
  rtt_unkack         UNSIGNED  number of unknown ACKs
  rtt_dupack         UNSIGNED  number of duplicate ACKs
  rtt_nosample       UNSIGNED  ACKs that generate no valid RTT sample
  rtt_triple_dupack  UNSIGNED  number of triple duplicate ACKs (fast rexmit)
  retr_max           UNSIGNED  MAX rexmits of a single segment
  retr_min_tm        UNSIGNED  MIN time until rexmit (usecs)
  retr_max_tm        UNSIGNED  MAX time until rexmit (usecs)
  trunc_bytes        UNSIGNED  number of bytes not in the file
  trunc_segs         UNSIGNED  number of segments not in the file
  num_zwnd_probes    UNSIGNED  number of zero window probes
  zwnd_probe_bytes   UNSIGNED  number of window probe bytes
  urg_data_pkts      UNSIGNED  Number of packets with URGENT bit set
  urg_data_bytes     UNSIGNED  Number of bytes of urgent data
  hostaddr           IPADDR    IP Address (v4 or v6 in standard textual notation)
  thruput            UNSIGNED  thruput (bytes/sec)

All of the variables listed above can be used for filtering purposes. For example, consider the file tigris.dmp.gz having the following two connections:

Beluga:/Users/mani> tcptrace tigris.dmp.gz

1 arg remaining, starting with 'tigris.dmp.gz'
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete)
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d) 12> 15< (complete)

The filter variable segs can be used to filter out connections having a specified number of segments in either direction, as shown below. Here we filter out only those connections that had 30 or more segments seen in either direction.

Beluga:/Users/mani> tcptrace -f'segs>=30' tigris.dmp.gz
Output filter: ((c_segs>=30)OR(s_segs>=30))
1 arg remaining, starting with 'tigris.dmp.gz'
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete)

Note the Output filter line in the above example. The term c_segs stands for the client segs (client-to-server direction) and s_segs stands for the server segs (server-to-client direction). The "c_" and "s_" prefixes can be applied analogously to all the filter variables cited above. You may specify the segments in the server-to-client direction alone, as in:

Beluga:/Users/mani> tcptrace -f's_segs==15' tigris.dmp.gz
Output filter: (s_segs==15)
. . .
TCP connection info:
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d) 12> 15< (complete)

The prefix "b_" meaning "both" can be applied to the variables if you want the filter to be applied to both directions. For the sake of completeness, the prefix "e_" meaning "either" is also supported, requiring the filter variable to match in either of the directions (which is of course the default case).

The following example illustrates the case when we are filtering out connections for the host elephus.cs.ohiou.edu and port ssh.

Beluga:/Users/mani> tcptrace -f'hostname=="elephus.cs.ohiou.edu" and portname=="ssh"' tigris.dmp.gz
Output filter: (((c_hostname==elephus.cs.ohiou.edu)OR(s_hostname==elephus.cs.ohiou.edu))AND((c_portname==ssh)OR(s_portname==ssh)))
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete)

Note that, as in the example above, the constant value to which the STRING type variables (hostname/portname) are matched needs to be enclosed in double quotes. Boolean variables listed above can be used as flags, as in tcptrace -f'f1323_ws' file.dmp, to filter out only those connections that had window scaling requested in their SYN segments.

Arithmetic operators (+, -, *, /) with their normal precedence, and the relational operators (<, >, ==, !=, <=, >=), can be applied to SIGNED/UNSIGNED variables. The commonly used boolean operators AND, OR, NOT and their common synonyms (-a, -o, &&, ||, !) can be used to combine boolean expressions. You may also use parentheses if you are not sure of the precedence of the operators. For example, the following are valid:

    tcptrace -f'(c_segs+10) < s_segs' file.dmp
    tcptrace -f'b_segs>10 && thruput>10000' file.dmp

The connection numbers that passed the filtering criteria specified in the -f option are stored in a file named PF in the working directory. Note that if you are graphing along with the -f option, with say the -G option, graphs will be generated for all the connections and not just the filtered ones. You might want to filter first with the -f option and graph the filtered connections with the PF file later, as in:

    tcptrace -oPF -G file.dmp
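A small evaluator for the filter semantics described in this section, written as an added example and not tcptrace's own code. It reads the connection listing that tcptrace -n prints, expands bare, e_ and b_ variables over the two directions exactly as the Output filter lines above show, and evaluates the expression with Python's ast module rather than eval(), so a filter string taken from an untrusted source cannot run anything. The -a/-o synonyms and the statistics only -l reports (thruput, rtt_* and so on) are outside what this reconstruction parses; those are assumptions of the example, not limitations of tcptrace:

```python
"""Apply tcptrace-style -f filters to a connection listing.

Added example, not tcptrace's own code. Direction rules follow the text:
a bare or e_ variable matches if either direction satisfies the comparison,
b_ requires both, c_/s_ name one direction. Assumptions: the -a/-o synonyms
are not handled, and 'port' is -1 when the listing shows a service name.
"""
import ast
import operator
import re

LISTING = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<chost>\S+):(?P<cport>\S+)\s+-\s+"
    r"(?P<shost>\S+):(?P<sport>\S+)\s+\((?P<label>\w+)\)\s+"
    r"(?P<csegs>\d+)>\s+(?P<ssegs>\d+)<")
CMP = {ast.Lt: operator.lt, ast.Gt: operator.gt, ast.Eq: operator.eq,
       ast.NotEq: operator.ne, ast.LtE: operator.le, ast.GtE: operator.ge}
ARITH = {ast.Add: operator.add, ast.Sub: operator.sub,
         ast.Mult: operator.mul, ast.Div: operator.truediv}


def parse_listing(text):
    """Connection records with c_/s_ hostname, portname, port and segs."""
    conns = []
    for line in text.splitlines():
        m = LISTING.match(line)
        if not m:
            continue
        d = m.groupdict()
        rec = {"num": int(d["num"])}
        for side, host, port, segs in (("c", "chost", "cport", "csegs"),
                                       ("s", "shost", "sport", "ssegs")):
            rec[side + "_hostname"] = d[host]
            rec[side + "_portname"] = d[port]
            rec[side + "_port"] = int(d[port]) if d[port].isdigit() else -1
            rec[side + "_segs"] = int(d[segs])
        conns.append(rec)
    return conns


def normalize(expr):
    """Map the synonyms &&, ||, ! and a lone = onto Python's and, or, not, ==."""
    expr = expr.replace("&&", " and ").replace("||", " or ")
    expr = re.sub(r"(?<![!<>=])=(?!=)", "==", expr)
    return re.sub(r"(?<![!<>=])!(?!=)", " not ", expr).strip()


def _value(node, conn, side):
    """Arithmetic term; bare, e_ and b_ names resolve on the given side."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        name = node.id
        if not name.startswith(("c_", "s_")):
            name = side + "_" + (name[2:] if name.startswith(("e_", "b_")) else name)
        return conn[name]
    if isinstance(node, ast.BinOp) and type(node.op) in ARITH:
        return ARITH[type(node.op)](_value(node.left, conn, side),
                                    _value(node.right, conn, side))
    raise ValueError("unsupported term: " + ast.dump(node))


def _leaf(node, conn):
    """One comparison or bare flag, expanded over directions as tcptrace does."""
    names = {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}
    if any(n.startswith("b_") for n in names):
        sides, combine = ("c", "s"), all       # both directions must match
    elif names and all(n.startswith(("c_", "s_")) for n in names):
        sides, combine = ("c",), any           # explicit: evaluate once
    else:
        sides, combine = ("c", "s"), any       # bare or e_: either direction

    def on(side):
        if isinstance(node, ast.Compare):
            if len(node.ops) != 1:
                raise ValueError("chained comparisons are not supported")
            return CMP[type(node.ops[0])](_value(node.left, conn, side),
                                          _value(node.comparators[0], conn, side))
        return bool(_value(node, conn, side))
    return combine(on(s) for s in sides)


def _eval(node, conn):
    if isinstance(node, ast.BoolOp):
        results = [_eval(v, conn) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, conn)
    return _leaf(node, conn)


def apply_filter(expr, conns):
    """Numbers of the connections passing the filter (what tcptrace writes to PF)."""
    tree = ast.parse(normalize(expr), mode="eval").body
    return [c["num"] for c in conns if _eval(tree, c)]


# Constructed input: the two tigris.dmp.gz connections listed above.
TIGRIS = """TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete)
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d) 12> 15< (complete)
"""

if __name__ == "__main__":
    conns = parse_listing(TIGRIS)
    for f in ("segs>=30", "s_segs==15", "b_segs>=15",
              'hostname=="elephus.cs.ohiou.edu" and portname=="ssh"'):
        print(f"{f:55} -> {apply_filter(f, conns)}")
```

Each comparison is expanded on its own, which is why the hostname/portname filter above becomes an AND of two OR terms rather than one OR of the whole expression; that is also why a filter on a bare variable cannot by itself require both conditions to hold in the same direction (use the b_ or c_/s_ prefixes for that).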

CHAPTER SEVEN

Extended Options

This chapter describes the extended options supported. These options generally offer fine-grained control of the behavior of tcptrace, and in most cases are useful if you want to turn off the default behavior. The extended options are used as in --xyzblah. Further, you may use just a prefix of the option, say --xyzbl, as long as it is unambiguous amongst all the extended options. Note that the options explained below are labeled DEFAULT if they describe the default behavior, meaning that the option comes for free and you may use the --no... version of the option if you need to turn it off: for every such option there exists a --noxyzblah that turns off the behavior offered by the --xyzblah option.

7.1 General

• --res_addr (DEFAULT) Resolve IP addresses to their DNS names. You may use --nores_addr to turn it off, i.e., to not resolve IP addresses.

• --res_port (DEFAULT) Resolve port numbers to their service names, e.g., print http for TCP port 80. Note that the -n option is equivalent to giving both the --nores_addr and --nores_port options.

• --checksum This option turns on checking of IP and TCP/UDP checksums. A summary is printed at the end of the analysis, indicating the number of packets with bad IP and TCP/UDP checksums.

• --check_hwdups (DEFAULT) Check for hardware duplicates, i.e., duplicate IP packets with the same IPv4 identification number and TCP sequence number as a previously seen packet. Note that if this is turned off with the --nocheck_hwdups option, such hardware duplicates may be counted as retransmissions.

• --dupack3_data This option is meaningful only if given along with the --turn_off_BSD_dupack option (refer to duplicate acks in Section 4.2), which turns on the legacy algorithm used by tcptrace to determine triple duplicate acks. This option lets the third duplicate ack contain data under the legacy algorithm.

• --endpoint_reuse_interval=S This option can be used to change the default idle time of 4 minutes, after which activity in the same endpoint tuple (source IP, port, destination IP, port) is perceived as a new connection, to S seconds. Though it is pretty rare to find two hosts reusing the same endpoints for a new connection between them, it has been found that dumb devices like certain old printers tend to reuse their TCP port numbers pretty often. If you run into such problems, you may use this option to change the default idle time after which activity seen on the same endpoints is perceived as a new connection.

• --ns_hdrs When used while processing ns2-style dumpfiles, this option tells tcptrace that ns had the useHeaders flag set to TRUE while generating the dumpfile.

7.2 Graphing Control

The following options give fine-grained control over the graphs generated by tcptrace; they control the appearance of various features in Time Sequence Graphs (Section 5.1). You probably want to use the --no... versions of these options if you want to turn off the behavior available by default. Also note that unambiguous prefixes of these options work too.

• --showsacks (DEFAULT) Show the purple colored SACK segments.

• --showrexmit (DEFAULT) Show the retransmissions (red segments labeled R).

• --showoutorder (DEFAULT) Show the out-of-order segments (segments labeled O).

• --showzerowindow (DEFAULT) Show the zero-window advertisements (segments labeled Z).

• --showurg (DEFAULT) Show the segments with the TCP Urgent (URG) flag set, with a U.

• --showdupack3 (DEFAULT) Show triple duplicate acks, with the segment labeled 3.

• --showzerolensegs (DEFAULT) Show the TCP segments carrying no data (segments that appear as white crosses).

• --showzwndprobes (DEFAULT) Show the window-probe packets that normally follow the zero-window advertisements (segments labeled P).

• --showtitle (DEFAULT) Show the title in xplot graphs.

• --showrttdongles Show RTT dongles on interesting acks, as explained below. Note that, unlike the other options, this is not turned on by default. An ack is plotted with a RED diamond head if the ack is ambiguous because the segment being acknowledged was retransmitted. This is illustrated in Figure 7.1: notice that the ack packet that causes the green line to go up towards the right-hand end of the graph has a RED diamond on it, because the segment being acknowledged by that ack packet had been retransmitted. An ack packet is plotted with a BLUE diamond head if the ack is ambiguous because one of the segments being cumulatively acknowledged by it was retransmitted. This is illustrated in Figure 7.2: if you look closely towards the right end of the figure, you may notice that the green line has a blue diamond head on top, because a segment being cumulatively acknowledged by this ack had been retransmitted.

7.3 Warning Control

This section describes the options that control the printing of warning messages on various events. These options are turned off by default, and you need to turn them on to be notified. You may also use the -w option to turn on all of the following options.

• --warn_ooo Warn if packet capture timestamps are found to be out of order in the dumpfile. For example, if the dumpfile is of tcpdump style, this option would cause a warning message if the PCAP timestamps of successive packets were found decreasing.

Figure 7.1: RTT Dongle (RED)

Figure 7.2: RTT Dongle (BLUE)

• --warn_printtrunc Warn if a captured packet was found too short to analyze, i.e., if either the basic TCP header (20 bytes) for TCP packets or the UDP header (8 bytes) for UDP packets was not fully captured. Note that this warning typically means that the packet capture was not done requesting enough of every packet to be captured. With tcpdump, for example, this can be fixed with a suitable value for the -s snaplen option.

• --warn_printbadmbz (Warn Bad Must Be Zero) Prints a warning message if any of the 4 least significant bits in the 13th byte of the TCP header (bits that are reserved and expected to be zero) are found to be non-zero.

• --warn_printhwdups Warn if hardware duplicates (which commonly indicate link-level retransmissions) were found for IPv4 packets. Hardware duplicates are defined to be IPv4 packets with the same TCP sequence number and the same 16-bit IPv4 identification number as a previously seen packet.

• --warn_printbadcsum This option needs to be given along with the --checksum option, and prints the packet numbers of the packets in the dumpfile that had bad IP and TCP/UDP checksums. The following example illustrates this:

alakhian@spider:% tcptrace --warn_printbadcsum --checksum input/bad_tcp_checksum.dmp.gz
packet 1: bad TCP checksum
1 arg remaining, starting with 'input/bad_tcp_checksum.dmp.gz'
Ostermann's tcptrace -- version 6.?.6 -- Thu Nov 14, 2002

10 packets seen, 9 TCP packets traced
elapsed wallclock time: 0:00:00.057058, 175 pkts/sec analyzed
trace file elapsed time: 0:00:00.012379
bad IP checksums: 0
bad TCP checksums: 1
TCP connection info:
  1: analex093.lerc.nasa.gov:2270 - chipper.lerc.nasa.gov:139 (a2b) 3> 6<

• --warn_printbad_syn_fin_seq Prints a warning if the SYN or FIN segments were retransmitted with a different sequence number from their original transmissions.
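What --checksum, --warn_printbadcsum and --warn_printtrunc check, written out as an added example rather than tcptrace's code: RFC 1071 one's-complement checksums over the IPv4 header and over the TCP pseudo-header plus segment, and a truncation test for segments shorter than the 20-byte TCP header. The packets are constructed inline (the build_packet helper and the 10.0.0.x addresses exist only to make the demo self-contained); the "packet N:" output format follows the example above.

```python
"""IP/TCP checksum verification and truncation detection, as tcptrace's
--checksum, --warn_printbadcsum and --warn_printtrunc options perform them.

Added example, not tcptrace's own code. Works on raw IPv4 packet bytes
(no link-layer header); the packets below are constructed inline.
"""
import struct


def ones_complement_sum(data):
    """RFC 1071: 16-bit one's-complement sum with end-around carry, zero-padded."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_checksum_ok(pkt):
    """A header whose own checksum field is included sums to 0xFFFF when intact."""
    ihl = (pkt[0] & 0x0F) * 4
    return len(pkt) >= ihl and ones_complement_sum(pkt[:ihl]) == 0xFFFF


def tcp_checksum_ok(pkt):
    """True/False for the TCP checksum; None if the TCP header was truncated."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    if len(segment) < 20:                 # the case --warn_printtrunc reports
        return None
    # Pseudo-header: src, dst, zero, protocol (6 = TCP), TCP length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_packet(src, dst, sport, dport, payload, seq=0, flags=0x18):
    """Demo helper: an IPv4/TCP packet with correct checksums (PSH,ACK by default)."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4,
                                flags, 65535, 0, 0)) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                               0x1234, 0x4000, 64, 6, 0, src, dst))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def audit(pkt, number):
    """One verdict per packet, in the spirit of 'packet N: bad TCP checksum'."""
    if not ip_checksum_ok(pkt):
        return f"packet {number}: bad IP checksum"
    tcp_ok = tcp_checksum_ok(pkt)
    if tcp_ok is None:
        return f"packet {number}: TCP header truncated"
    return f"packet {number}: " + ("ok" if tcp_ok else "bad TCP checksum")


# Constructed packets: intact, one payload bit flipped, and cut short by a
# small snaplen (20-byte IP header plus only 10 bytes of TCP header).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD = build_packet(SRC, DST, 2270, 139, b"hello smb", seq=1)
BAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0x01])
TRUNC = GOOD[:30]

if __name__ == "__main__":
    for i, p in enumerate((GOOD, BAD, TRUNC), 1):
        print(audit(p, i))
```

A failed TCP checksum on a capture taken at an endpoint is often checksum offload (the NIC fills the field in after the capture point), not corruption; the verdicts here, like tcptrace's, only say whether the bytes on disk verify.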

CHAPTER EIGHT

Miscellany

This chapter details various miscellaneous things that can be done with tcptrace.

8.1 UDP Analysis

tcptrace analyzes UDP [?] traffic minimally with the -u option. The following example illustrates this:

  Beluga:/Users/mani/tcptrace-manual> tcptrace -n -u dmpfiles/udp.dmp.gz
  1 arg remaining, starting with 'dmpfiles/udp.dmp.gz'
  Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003
  14 packets seen, 0 TCP packets traced, 14 UDP packets traced
  elapsed wallclock time: 0:00:00.023567, 594 pkts/sec analyzed
  trace file elapsed time: 0:00:00.390867
  no traced TCP packets
  UDP connection info:
    1: 132.235.3.154:46096 - 132.235.1.1:53 (a2b) 1> 1<
    2: 132.235.3.154:46097 - 132.235.1.1:53 (c2d) 1> 1<
    3: 132.235.3.154:46098 - 132.235.1.1:53 (e2f) 1> 1<
    4: 132.235.3.154:46099 - 132.235.1.1:53 (g2h) 1> 1<
    5: 132.235.19.80:2649 - 132.235.18.1:53 (i2j) 2> 2<
    6: 132.235.19.80:2650 - 132.235.64.1:53 (k2l) 1> 1<

Since there is no implicit notion of connections with UDP, tcptrace groups the packets exchanged between the same pair of IP addresses and the same pair of UDP ports into a "connection". Giving the -l option along with the -u option generates more detailed statistics, as shown below:

  Beluga:/Users/mani/tcptrace-manual> tcptrace -nul dmpfiles/udp.dmp.gz
  1 arg remaining, starting with 'dmpfiles/udp.dmp.gz'
  Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003
  14 packets seen, 0 TCP packets traced, 14 UDP packets traced
  elapsed wallclock time: 0:00:00.026584, 526 pkts/sec analyzed
  trace file elapsed time: 0:00:00.390867
  no traced TCP packets
  UDP connection info:
  6 UDP connections traced:
  UDP connection 1:
          host a:        132.235.3.154:46096
          host b:        132.235.1.1:53
          first packet:  Wed Oct 31 14:11:11.046435 2001
          last packet:   Wed Oct 31 14:11:11.048531 2001
          elapsed time:  0:00:00.002096
          total packets: 2
          filename:      dmpfiles/udp.dmp.gz
     a->b:                                 b->a:
       total packets:            1           total packets:            1
       data bytes sent:         46           data bytes sent:        367
       throughput:       21947 Bps           throughput:      175095 Bps
  ================================
  UDP connection 2:
  . . .

The total packets field lists the total number of packets seen in the direction, while the data bytes sent field lists the total number of bytes seen in the direction. The throughput field lists the average throughput, calculated as the total bytes seen divided by the connection lifetime (the time elapsed between the first and last packets of the connection). Analogous to the connection filtering options -o and -i used for selectively processing or ignoring TCP connections (refer to Section 6.1), the options --oUDP and --iUDP selectively process or ignore UDP connections, with the same semantics. The following example illustrates selecting just UDP connections 1, 3 and 5 and storing them to the file filt_udp.dmp:

  Beluga:/Users/mani/tcptrace-manual> tcptrace -n -u --oUDP1,3,5 -Ofilt_udp.dmp dmpfiles/udp.dmp
  1 arg remaining, starting with 'dmpfiles/udp.dmp.gz'
  Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003
  14 packets seen, 0 TCP packets traced, 14 UDP packets traced
  elapsed wallclock time: 0:00:00.022974, 609 pkts/sec analyzed
  trace file elapsed time: 0:00:00.390867
  no traced TCP packets
  UDP connection info:
    1: 132.235.3.154:46096 - 132.235.1.1:53 (a2b) 1> 1<
    3: 132.235.3.154:46098 - 132.235.1.1:53 (e2f) 1> 1<
    5: 132.235.19.80:2649 - 132.235.18.1:53 (i2j) 2> 2<
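The grouping and the per-direction counters described above, as an added example that is not tcptrace's own code. Datagrams are grouped into a "connection" by their two endpoints regardless of direction, the first sender becomes host a, and throughput is computed exactly as the text defines it (data bytes over connection lifetime); a selection helper mirrors the --oUDP/--iUDP semantics by connection number. The packets are constructed; the first pair reuses the timings and sizes of connection 1 in the listing above so the throughput figures can be compared with it. How a one-packet connection (zero lifetime) is reported is an assumption of this example.

```python
# Added example, not tcptrace's own code: grouping UDP datagrams into the
# "connections" that -u reports (same pair of addresses and ports, either
# direction) and computing the per-direction counters printed by -u -l.
from collections import OrderedDict


def group_udp(packets):
    """packets: (timestamp, src_ip, sport, dst_ip, dport, data_bytes) in capture order.
    Returns an ordered dict keyed by (host a, host b); host a is the first sender seen."""
    flows = OrderedDict()
    for ts, src, sport, dst, dport, nbytes in packets:
        a, b = (src, sport), (dst, dport)
        key, direction = ((b, a), "b2a") if (b, a) in flows else ((a, b), "a2b")
        f = flows.setdefault(key, {"first": ts, "last": ts, "a2b": [0, 0], "b2a": [0, 0]})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f[direction][0] += 1           # total packets in this direction
        f[direction][1] += nbytes      # data bytes sent in this direction
    return flows


def throughput(nbytes, lifetime):
    """Average Bps over the connection lifetime. A single-packet connection has
    zero lifetime; this example reports 0 for it (an assumption) rather than dividing by zero."""
    return round(nbytes / lifetime) if lifetime > 0 else 0


def summarize(flows):
    """One record per connection, numbered from 1 like tcptrace's listing."""
    out = []
    for n, (key, f) in enumerate(flows.items(), 1):
        life = f["last"] - f["first"]
        out.append({"n": n, "a": key[0], "b": key[1], "elapsed": life,
                    "a2b": (f["a2b"][0], f["a2b"][1], throughput(f["a2b"][1], life)),
                    "b2a": (f["b2a"][0], f["b2a"][1], throughput(f["b2a"][1], life))})
    return out


def select(summary, only=None, ignore=()):
    """Mirror of --oUDP / --iUDP: keep only the numbered connections, or drop them."""
    return [r for r in summary if (only is None or r["n"] in only) and r["n"] not in ignore]


# Constructed packets (relative timestamps in seconds); the first pair copies
# the timings and sizes of connection 1 above.
SAMPLE_PACKETS = [
    (0.046435, "132.235.3.154", 46096, "132.235.1.1", 53, 46),
    (0.048531, "132.235.1.1", 53, "132.235.3.154", 46096, 367),
    (0.100000, "132.235.19.80", 2649, "132.235.18.1", 53, 40),
    (0.100500, "132.235.18.1", 53, "132.235.19.80", 2649, 120),
    (0.200000, "132.235.19.80", 2649, "132.235.18.1", 53, 40),
    (0.201000, "132.235.18.1", 53, "132.235.19.80", 2649, 130),
]

if __name__ == "__main__":
    for record in summarize(group_udp(SAMPLE_PACKETS)):
        print(record)
```

The first connection comes out as 1 packet and 46 bytes at 21947 Bps one way and 1 packet, 367 bytes at 175095 Bps the other, matching the -nul listing above.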

8.2 Real-Time Analysis

Real-time analysis can be done trivially by piping the output of the packet capture program to tcptrace and letting it fetch its input from stdin. With tcpdump, it can be done as in:
tcpdump -w - | tcptrace stdin

This lets tcptrace read its input from the binary output generated by tcpdump until the process is interrupted with, say, Ctrl-C. However, this is not really real-time in the sense that the output is generated only after the process is interrupted, which is analogous to tcptrace printing output at the end of processing a dumpfile. The option --continuous lets tcptrace run continuously and provides no summary of connections at the end. This option is normally useful when used along with modules, and maintains a list of active connections. The following options can be used along with the --continuous option:

• --limit_conn_num Limits the number of active connections kept track of, to the default value of 50000 connections, to save on memory.

• --max_conn_num=... Lets you choose the maximum number of connections to be kept track of. If the maximum connection limit is reached, the least recently used connection is removed to make space for the new connection.

• --remove_live_conn_interval=... Note that a TCP connection is considered live until a FIN / RST segment is seen in the connection. The default interval after which a live connection is removed from the list of live connections is 8*3600 seconds (8 hours). This option can be used to customize this interval, giving a suitable value in seconds.

• --remove_closed_conn_interval=... Once a FIN / RST segment is seen in a connection, it is moved from the list of live connections to the list of inactive connections. The default interval (from the time at which the last packet was seen in the connection) after which a connection is removed from the list of inactive connections is 8*60 seconds (8 minutes). This option can be used to customize this interval, giving a suitable value in seconds.

• --update_interval=... When operating in the --continuous mode, tcptrace periodically looks at the list of live and inactive connections and updates the list, removing "old" connections. The default update interval is 30 seconds, which can be changed using this option, giving the update interval in seconds.
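The bookkeeping these options describe, as an added example (not tcptrace's code): a connection table that evicts the least recently seen connection when the --max_conn_num limit is reached, keeps a connection live until a FIN/RST moves it to the closed list, and on every --update_interval sweep drops live connections idle for --remove_live_conn_interval and closed ones idle for --remove_closed_conn_interval. The constructor defaults are the values given in the text; the tiny limits used in run_demo are assumptions chosen to make every rule fire on a constructed five-connection trace.

```python
# Added example, not tcptrace's own code: a connection table with the
# --continuous bookkeeping described above. The limits are constructor
# arguments named after the options; the defaults are the ones the text gives.
from collections import OrderedDict


class ConnTable:
    def __init__(self, max_conn_num=50000, remove_live_conn_interval=8 * 3600,
                 remove_closed_conn_interval=8 * 60, update_interval=30):
        self.max_conn_num = max_conn_num
        self.live_limit = remove_live_conn_interval
        self.closed_limit = remove_closed_conn_interval
        self.update_interval = update_interval
        self.live = OrderedDict()      # conn -> last packet time, least recently seen first
        self.closed = OrderedDict()    # conns after a FIN/RST, same ordering
        self.last_sweep = None
        self.evicted = 0               # LRU victims dropped at the connection limit

    def observe(self, ts, conn, fin_or_rst=False):
        """Account one segment of conn at time ts. Returns the number of
        connections removed if this segment triggered a periodic sweep."""
        if self.last_sweep is None:
            self.last_sweep = ts
        if conn in self.closed:
            self.closed[conn] = ts
            self.closed.move_to_end(conn)
        else:
            if conn not in self.live and len(self.live) + len(self.closed) >= self.max_conn_num:
                self._evict_lru()
            self.live[conn] = ts
            self.live.move_to_end(conn)
            if fin_or_rst:                          # live until a FIN/RST is seen
                self.closed[conn] = self.live.pop(conn)
        if ts - self.last_sweep >= self.update_interval:
            return self.sweep(ts)
        return 0

    def _evict_lru(self):
        """Drop the least recently seen connection, whichever list holds it."""
        victim = min((t for t in (self.live, self.closed) if t),
                     key=lambda t: next(iter(t.values())))
        victim.popitem(last=False)
        self.evicted += 1

    def sweep(self, now):
        """Remove live connections idle longer than remove_live_conn_interval and
        closed ones idle longer than remove_closed_conn_interval."""
        removed = 0
        for table, limit in ((self.live, self.live_limit), (self.closed, self.closed_limit)):
            for conn in [c for c, last in table.items() if now - last >= limit]:
                del table[conn]
                removed += 1
        self.last_sweep = now
        return removed

    def counts(self):
        return len(self.live), len(self.closed)


def run_demo():
    """Constructed trace against a tiny table (assumed limits, in seconds):
    A is evicted when D arrives, B is closed by a FIN and swept 16 s later,
    and a final sweep expires the long-idle live connections."""
    t = ConnTable(max_conn_num=3, remove_live_conn_interval=100,
                  remove_closed_conn_interval=10, update_interval=5)
    for ts, conn in [(0, "A"), (1, "B"), (2, "C"), (3, "D")]:
        t.observe(ts, conn)
    t.observe(4, "B", fin_or_rst=True)
    swept = t.observe(20, "D")          # sweep fires here: B has been closed for 16 s
    return t.evicted, swept, t.counts(), t.sweep(200)


if __name__ == "__main__":
    print(run_demo())
```

run_demo returns one eviction, one connection removed by the sweep at t=20, two live and no closed connections afterwards, and two more removals when the 200-second sweep expires the idle live connections.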

8.3 Packet Details

Printing

The -p option prints information from the Ethernet, IP, and TCP/UDP headers for all the packets found in the dumpfile. For example,

  Beluga:/Users/mani> tcptrace -p malus.dmp.gz

produces output as shown below for all the packets found in the file malus.dmp.gz:

  Packet 2
    Packet Length: 74
    Collected: Thu Jul 10 19:12:54.987110 2003
    ETH Srce: 00:00:00:00:00:00
    ETH Dest: 00:00:00:00:00:00
        Type: 0x800 (IP)
    IP  VERS: 4
    IP  Srce: 17.112.152.32 (a17-112-152-32.apple.com)
    IP  Dest: 132.235.3.153 (elephus.cs.ohiou.edu)
        Type: 0x6 (TCP)
        HLEN: 20
         TTL: 50
         LEN: 60
          ID: 32113
       CKSUM: 0x9936
      OFFSET: 0x4000  Don't Fragment
    TCP SPRT: 80 (http)
        DPRT: 59518
         FLG: -A--S- (0x12)
         SEQ: 0x1fbdbe84
         ACK: 0x0f455ca5
         WIN: 33304
        HLEN: 40
       CKSUM: 0xfa0f
        DLEN: 0
        OPTS: 20 bytes  MSS(1460) WS(0) TS(-202350942,1957864058)
  Packet 3
  . . .

As illustrated above, detailed information from the protocol headers is printed for every packet. The -X option, which is set by default, causes fields like SEQ and ACK to be printed in hexadecimal. You may use the -D option to print them in decimal. Note that since this option prints loads of output for every packet, you probably want to use the -B and/or -E options (Section 6.1) to selectively print information on the packets of interest. On the other hand, if you are using the -o/-i options (Section 6.1) or the --oUDP/--iUDP options (Section 8.1) to selectively process TCP or UDP connections respectively, you need to use the -P option (instead of the -p option) to print packet information on the selected connections alone. For example,

tcptrace -n -o1,3 -P sirius.dmp

prints packet header information only from the packets that are part of TCP connections 1 and 3 found in the dumpfile sirius.dmp.

Extracting

The -e option can be used to extract the contents (TCP data payload) of each connection into a separate data file. For example,

Beluga:/Users/mani> tcptrace -e albus.dmp

generates the files a2b_contents.dat, b2a_contents.dat, c2d_contents.dat and d2c_contents.dat if the file albus.dmp had 2 traced TCP connections. tcptrace is pretty smart in generating these contents files. It does not commit trivial mistakes like saving retransmissions multiple times in the file, for example, and is aware of sequence space wrap-arounds. However, if you want the entire contents of the traffic, please make sure that packets are captured in their entirety (give a suitable snaplen value with tcpdump, for example).
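The two properties the text credits -e with, retransmissions written once and sequence-space wrap-around handled, shown in an added example that is not tcptrace's code. It reassembles one direction of a connection from (sequence number, payload) pairs in capture order: segments that arrive ahead of a gap are held back, overlapping and fully retransmitted bytes are counted but not written, and all sequence arithmetic is done modulo 2**32. The initial sequence number and the five segments are constructed so that the stream wraps across the 32-bit boundary.

```python
# Added example, not tcptrace's own code: reassembling one direction of a
# connection the way the text says -e must, writing every payload byte once
# (retransmissions and overlaps are skipped) and comparing sequence numbers
# modulo 2**32 so a wrap-around is handled.
SEQ_SPACE = 1 << 32


def seq_delta(a, b):
    """Signed distance from b to a in 32-bit sequence space (negative when a is behind b)."""
    d = (a - b) % SEQ_SPACE
    return d - SEQ_SPACE if d >= SEQ_SPACE // 2 else d


def extract_stream(isn, segments):
    """isn: the direction's initial sequence number (its SYN); segments: (seq, payload)
    in capture order. Returns (reassembled bytes, duplicate bytes skipped, segments
    still waiting for a gap to be filled)."""
    expected = (isn + 1) % SEQ_SPACE      # the SYN consumes one sequence number
    out = bytearray()
    duplicate_bytes = 0
    pending = {}                          # seq -> payload, for segments that arrived early
    for seq, payload in segments:
        pending[seq] = payload
        while pending:
            s = min(pending, key=lambda x: seq_delta(x, expected))   # earliest in sequence order
            d = seq_delta(s, expected)
            if d > 0:
                break                     # a gap precedes it: wait for the missing bytes
            data = pending.pop(s)
            skip = -d                     # leading bytes that were already written
            if skip >= len(data):
                duplicate_bytes += len(data)      # pure retransmission
                continue
            duplicate_bytes += skip
            out += data[skip:]
            expected = (expected + len(data) - skip) % SEQ_SPACE
    return bytes(out), duplicate_bytes, len(pending)


# Constructed client->server stream whose sequence numbers wrap past 2**32.
ISN = 0xFFFFFFF0
SAMPLE_DATA = b"GET / HTTP/1.0\r\nHost: x\r\n\r\n"
SAMPLE_SEGMENTS = [
    ((ISN + 1) % SEQ_SPACE, SAMPLE_DATA[:10]),          # "GET / HTTP"
    ((ISN + 1) % SEQ_SPACE, SAMPLE_DATA[:10]),          # retransmitted
    ((ISN + 17) % SEQ_SPACE, SAMPLE_DATA[16:]),         # arrives before the segment below
    ((ISN + 11) % SEQ_SPACE, SAMPLE_DATA[10:16]),       # "/1.0\r\n", fills the gap across the wrap
    ((ISN + 13) % SEQ_SPACE, SAMPLE_DATA[12:20]),       # overlapping retransmission
]

if __name__ == "__main__":
    print(extract_stream(ISN, SAMPLE_SEGMENTS))
```

The output file content equals SAMPLE_DATA once, with 18 duplicate bytes (the 10-byte retransmission plus the 8-byte overlap) left out and nothing still pending.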

8.4 Other Miscellany

• --csv/--tsv/--sv='...' These options print the detailed statistics (Chapter 4) in a format that can be easily imported into a spreadsheet program. The --csv (comma separated values) option prints out a header line that contains the list of the fields of output to be printed, depending on which of the options -l/-r/-W were given. Each of the header fields is delimited by a comma in the header line. Subsequent lines list the detailed statistics generated, each of which is delimited by a comma too. The --tsv (tab separated values) option prints the detailed statistics with the fields delimited by TAB, while the --sv='...' option lets the user choose a string as the delimiter to be used between fields.

• -t option is useful when you are processing huge dumpfiles. It prints ticks indicating the progress in processing the file, periodically printing out the packet number currently being processed and the percentage of the file processed.

• -v prints information on the version of tcptrace being run.

• -h prints help messages as shown below:
  Beluga:/Users/mani> tcptrace -h

  For help on specific topics, try:
          -hargs    tell me about the program's arguments
          -hxargs   tell me about the module arguments
          -hconfig  tell me about the configuration of this binary
          -houtput  explain what the output means
          -hfilter  output filtering help
          -hhints   usage hints

  Version: Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003
           Compiled by 'root' at 'Thu Jul 10 19:07:29 EDT 2003' on machine 'pride.cs.ohiou.edu'

More specific help can be found on particular topics by giving the options -hargs, -hxargs etc., as in:
Beluga:/Users/mani> tcptrace -hxargs

• -d Prints debug information on the program. It is probably not useful unless you are tracking a bug in the program. Multiple -d options can be given to get more and more debug information.

• -q Make the program quiet and print no output. This option is useful if you are interested only in the output generated by the modules.


CHAPTER NINE

Modules

tcptrace comes with a plugin module architecture so that users can develop their own modules to do more sophisticated analysis pertinent to their needs. This chapter describes the modules distributed with tcptrace, namely TRAFFIC, SLICE, RTTGRAPH, COLLIE, HTTP, and REAL-TIME, and uses the REAL-TIME module to explain how to write your own modules.

9.1 TRAFFIC Module

We have seen in the earlier chapters that tcptrace can generate detailed statistics and graphs from a dumpfile on a per connection basis. The goal of the traffic module is to raise the level of abstraction and present statistics on a per port basis, and for the entire traffic found in the dumpfile. The traffic module can be invoked as follows:

  tcptrace -xtraffic"[ARGS]" <dumpfile>

where the field ARGS represents any arguments to be sent to the traffic module; these are explained in the following. When the traffic module is invoked without any arguments, as in:

  surya:/home/mani> tcptrace -xtraffic sack_city.dmp.gz
  mod_traffic: characterizing traffic
  1 arg remaining, starting with 'sack_city.dmp.gz'
  Ostermann's tcptrace -- version 6.4.7 -- Fri Aug 1, 2003
  28427 packets seen, 28427 TCP packets traced
  elapsed wallclock time: 0:00:00.649954, 43736 pkts/sec analyzed
  trace file elapsed time: 1:22:34.149090
  Dumping port statistics into file traffic_byport.dat
  Dumping overall statistics into file traffic_stats.dat
  Plotting performed at 15.000 second intervals

it generates two data files, traffic_stats.dat and traffic_byport.dat. The traffic_stats.dat file has statistics on the entire traffic found in the dumpfile and looks as in:

  Overall Statistics over 4954 seconds (1:22:34.149090):
  12531375 ttl bytes sent, 2529.547 bytes/second
  8590918 ttl non-rexmit bytes sent, 1734.138 bytes/second
  3940457 ttl rexmit bytes sent, 795.409 bytes/second
  28427 packets sent, 5.738 packets/second
  19 connections opened, 0.004 conns/second
  59 dupacks sent, 0.012 dupacks/second
  3015 rexmits sent, 0.609 rexmits/second
  average RTT: 78.268 msecs

From the above, we can notice that the traffic module prints the total time the dumpfile lasted, the total (ttl) number of bytes sent, the average bytes sent per second, the total number of retransmitted and non-retransmitted bytes and the average bytes (retransmitted and non-retransmitted) per second, the total number of packets, connections, duplicate acks (dupacks) and retransmits (rexmits) seen (along with their respective averages seen per second) and finally the average RTT found from all the RTT samples. Note that the average RTT includes the RTT samples found to be ambiguous too (Total samples = RTT samples + ambiguous acks, as explained in Section 4.2).

The traffic_byport.dat file looks as in:

  Overall totals by port
  TOTAL      bytes: 12531375  pkts: 28427  conns: 19  tput: 2529 B/s
  Port   22  bytes:   892552  pkts: 10324  conns:  1  tput:  180 B/s
  Port 5002  bytes: 11638823  pkts: 18103  conns: 18  tput: 2349 B/s
  . . .

listing per-port statistics on the bytes, packets, connections, and the observed throughput.

The -p option to the traffic module lets it gather statistics only on certain ports of interest. For example:

  tcptrace -xtraffic"-p80" rubeus.dmp

prints statistics for just web connections (TCP port 80), while

  tcptrace -xtraffic"-p1-1024" rubeus.dmp

prints statistics only for TCP connections with either of the ports in the range of 1 to 1024 (inclusive). You may also selectively ignore web traffic (port 80) but have the rest of the low port traffic analyzed as above with:

  tcptrace -xtraffic"-p1-1024,-80" rubeus.dmp

The following

  tcptrace -xtraffic"-p1-1024,-80-89" rubeus.dmp

ignores traffic destined to ports 80-89 while choosing the connections destined to the rest of the ports in the range 1-1024.

The traffic module can also generate graphs that can be read with the xplot program, as explained below. The traffic module plots the graphs at discrete intervals of 15 seconds on the x-axis by default. This interval at which the graph is plotted can be altered if necessary with the -iS option, where S represents the interval in seconds. Note that if there are a lot of ports being analyzed, your graph may have as many colors. Please zoom into the beginning of the graphs to find out which colored line in the graph represents the port number you are interested in.

• -B option generates the bytes-per-second per port graph (traffic_bytes.xpl) for the connections analyzed by the traffic module. For example, the following

  surya:/home/mani> tcptrace -xtraffic"-p22,80 -B" minerva.dmp

generated the graph shown in Figure 9.1, which illustrates the bytes-per-second seen on ports 22 and 80 respectively.

• -P option similarly generates the packets-per-second per port graph (traffic_packets.xpl).

Figure 9.1: Traffic Module (-B)

Figure 9.2: Traffic Module (-T)

• -T option generates the graph (traffic_data.xpl) representing the total data seen across all the connections analyzed, and is illustrated in Figure 9.2. The red line tracks the non-retransmitted data while the blue line tracks the total data sent.

• -A option generates a graph (traffic_active.xpl) of the active connections over time per port. A connection is deemed active if a packet belonging to the connection was noticed in the last interval. A sample graph is illustrated in Figure 9.3.

• -O option generates the graph (traffic_open.xpl) of the number of open connections over time by port. A connection is deemed open after a packet is seen in either direction and is considered open until either a RST segment or FIN segments (in both directions) are seen. A sample graph shown in Figure 9.4 illustrates the number of open connections for one port (5002 in this case) over time.

• -I option generates the "instantaneous-open" graph (traffic_i_open.xpl) so that connections opening or closing are plotted when they are found to do so (as opposed to graphing them only at the end of the sampling interval as done by the -O option). The instantaneous version of the graph in Figure 9.4 is shown in Figure 9.5.

• -H option generates the half-open graph (traffic_halfopen.xpl) representing the number of half-open connections over time per port, where a connection is deemed half-open from the time a FIN segment is seen in one direction until the FIN segment is received from the opposite direction.

Figure 9.3: Traffic Module (-A)

Figure 9.4: Traffic Module (-O)

Figure 9.5: Traffic Module (-I)

Figure 9.6: Traffic Module (-C)

• -C option generates the open-close graph (traffic_openclose.xpl). A sample graph shown in Figure 9.6 illustrates the following: the blue line tracks the total number of open connections (same as the line plotted with the -O option), the green line tracks the number of connections opened in the past interval, and the red line tracks the number of connections closed in the past interval (either a RST segment or FIN segments in both directions are seen).

• -D option generates the long-duration graph (traffic_long.xpl) representing the number of connections open for a long duration of time, over time per port. The default definition of long duration is 60 seconds, which can be changed to a user-defined S seconds by giving the option as in -DS.

• -Q option generates the idle (Quiet) connections over time graph (traffic_idle.xpl), plotting the total number of idle connections over time per port. A connection is deemed idle for an interval if no packets belonging to it were seen in the interval.

Figure 9.7: Traffic Module (-L)

• -L option generates the loss graph (traffic_loss.xpl) representing the loss events per second seen in the dumpfile. The blue line tracks the actual retransmit events per second observed in the past interval, while the yellow line tracks the number of triple duplicate acks observed per second in the past interval. A sample graph is shown in Figure 9.7.

• -K option generates the pure-acks graph (traffic_pureacks.xpl) representing the number of pure acks seen per second over time on a per port basis.

• -R option generates the RTT graph from the RTT samples (including RTT from ambiguous acks) representing the minimum, average, and maximum RTT values observed in the dumpfile in the past interval. The green line tracks the minimum RTT observed, the blue line the average RTT observed, and the red line tracks the maximum observed RTT. A sample graph is shown in Figure 9.8. Further, you may choose to generate the graph of RTT values in a range of interest, between 100 milliseconds and 200 milliseconds for example, by giving -R100-200. This would consider only the RTT samples in the range 100-200 msecs observed in the past interval for plotting.

• -G option can be used to generate all the graphs.

Note that, in all the graphs that carry information on a per port basis, a green line always tracks the total value of the statistic represented on the y-axis, summing up the statistic of all the individual ports drawn in the graph.

Figure 9.8: Traffic Module (-R)
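The counters behind the traffic module's graphs and the rows of the slice module's slice.dat (Section 9.3) come from the same per-interval bookkeeping, shown here as an added example that is not tcptrace's code. It buckets a constructed trace into 15-second slices and, for each slice, counts segments, data bytes, retransmitted segments and bytes, new connections and active connections (the slice.dat columns) plus the open connections at the slice end (what the -O graph plots), and accumulates the per-port totals of traffic_byport.dat. Two simplifications are assumptions of this example: a segment whose last byte does not exceed the highest byte already seen from that sender counts as a retransmission, and the "port" of a connection is the destination port of its first segment.

```python
# Added example, not part of tcptrace: the per-interval and per-port
# bookkeeping behind the traffic module's counters and the slice module's
# slice.dat rows, over constructed segment records. Assumptions: the port of a
# connection is the destination port of its first segment, and a segment that
# adds no new sequence space for its sender is a retransmission.
from collections import defaultdict


def conn_key(src, sport, dst, dport):
    """Direction-independent connection identity."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def interval_stats(segments, interval=15.0):
    """segments: (ts, src, sport, dst, dport, seq, datalen, flags) in capture order,
    flags a string over 'SAFR'. Returns (rows, byport): one dict per slice with
    date (slice end), segs, bytes, rexsegs, rexbytes, new, active and open, and the
    bytes/pkts/conns totals per port."""
    t0 = segments[0][0]
    nslices = int((segments[-1][0] - t0) // interval) + 1
    rows = [dict(date=t0 + (i + 1) * interval, segs=0, bytes=0, rexsegs=0,
                 rexbytes=0, new=0, active=0, open=0) for i in range(nslices)]
    active = [set() for _ in range(nslices)]
    highest = {}      # (conn, sender) -> highest sequence byte seen from that sender
    conns = {}        # conn -> port, FIN senders, slice index opened / closed
    byport = defaultdict(lambda: dict(bytes=0, pkts=0, conns=0))
    for ts, src, sport, dst, dport, seq, datalen, flags in segments:
        i = int((ts - t0) // interval)
        row, key = rows[i], conn_key(src, sport, dst, dport)
        if key not in conns:
            conns[key] = dict(port=dport, fins=set(), opened=i, closed=None)
            byport[dport]["conns"] += 1
            row["new"] += 1
        c = conns[key]
        active[i].add(key)
        row["segs"] += 1
        row["bytes"] += datalen
        byport[c["port"]]["pkts"] += 1
        byport[c["port"]]["bytes"] += datalen
        sender = (key, (src, sport))
        if datalen and seq + datalen <= highest.get(sender, -1):   # nothing new: retransmission
            row["rexsegs"] += 1
            row["rexbytes"] += datalen
        highest[sender] = max(highest.get(sender, -1), seq + datalen)
        if "F" in flags:
            c["fins"].add((src, sport))
        if c["closed"] is None and ("R" in flags or len(c["fins"]) == 2):
            c["closed"] = i                          # RST, or FINs in both directions
    for i, row in enumerate(rows):
        row["active"] = len(active[i])
        row["open"] = sum(1 for c in conns.values()
                          if c["opened"] <= i and (c["closed"] is None or c["closed"] > i))
    return rows, dict(byport)


# Constructed trace: two connections to one server, 15-second slices.
SAMPLE_TRACE = [
    (1.0, "10.0.0.1", 40000, "10.0.0.2", 80, 100, 0, "S"),
    (1.1, "10.0.0.2", 80, "10.0.0.1", 40000, 500, 0, "SA"),
    (1.2, "10.0.0.1", 40000, "10.0.0.2", 80, 101, 100, "A"),
    (2.0, "10.0.0.1", 40001, "10.0.0.2", 22, 900, 0, "S"),
    (3.0, "10.0.0.1", 40000, "10.0.0.2", 80, 101, 100, "A"),      # retransmission
    (4.0, "10.0.0.2", 80, "10.0.0.1", 40000, 501, 300, "A"),
    (16.0, "10.0.0.1", 40001, "10.0.0.2", 22, 901, 50, "A"),
    (17.0, "10.0.0.1", 40000, "10.0.0.2", 80, 201, 0, "FA"),
    (18.0, "10.0.0.2", 80, "10.0.0.1", 40000, 801, 0, "FA"),
    (31.0, "10.0.0.1", 40001, "10.0.0.2", 22, 951, 50, "A"),
    (32.0, "10.0.0.2", 22, "10.0.0.1", 40001, 0, 0, "R"),
]

if __name__ == "__main__":
    rows, byport = interval_stats(SAMPLE_TRACE)
    for r in rows:
        print(r)
    print(byport)
```

On this trace the first slice shows 6 segments, 500 bytes, one retransmitted segment of 100 bytes, 2 new and 2 active connections with 2 open at its end; the port-80 connection closes in the second slice (FINs both ways) and the port-22 one in the third (RST), which is what the open column records.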

9.2 HTTP Module

The HTTP module can be used to analyze web (HTTP 1.0 [?] and HTTP 1.1 [?]) traffic from dumpfiles. The module can be run by passing the -xhttp[P] option to tcptrace, where P represents the HTTP port number. By default, the module looks for web traffic on the TCP well-known port 80. If your dumpfile has web traffic on port number P (not 80), you may pass it in as P on the command line as shown above. The http module implicitly has the effect of the -e option (refer to Section 8.3), and extracts the data found in individual connections to data files of the form X2Y_contents.dat. Note that since the HTTP module needs the data from HTTP connections, it is important that the packet contents are fully captured in dumpfiles. With tcpdump for example, you need to ensure that an appropriate snaplen value (with the -s option) is chosen.

When the HTTP module is invoked as in

  Beluga:/Users/mani> tcptrace -n -xhttp severus.dmp.gz

we get the following output.

  mod_http: Capturing HTTP traffic (port 80)
  1 arg remaining, starting with '/Users/mani/dmpfiles/standard/severus.dmp.gz'
  Ostermann's tcptrace -- version 6.4.6 -- Tue Jul 1, 2003
  4810 packets seen, 4810 TCP packets traced
  elapsed wallclock time: 0:00:00.840086, 5725 pkts/sec analyzed
  trace file elapsed time: 0:04:06.838094
  TCP connection info:
    1: . . . (a2b) 1601> 2671<
    2: . . . (c2d) 1> 1<
    . . .
   19: . . . (ak2al) 10> 11< (complete)
   20: . . . (am2an) 26> 34< (reset)
  Http module output:
  . . . ==> . . . (a2b)
    Server Syn Time: <the epoch> (0.000)
    Client Syn Time: <the epoch> (0.000)
    Server Fin Time: Thu May 1 14:33:34.998156 2003 (1051814014.998)
    Client Fin Time: Thu May 1 14:33:35.734937 2003 (1051814015.735)
    beginning of connection (SYNs) were not found in trace fi
    No additional information available.
  . . .
  88.56.130:35458 ==> 21.28.79.90:80 (i2j)
    Server Syn Time: Thu May 1 14:29:41.695579 2003 (1051813781.696)
    Client Syn Time: Thu May 1 14:29:41.657188 2003 (1051813781.657)
    Server Fin Time: Thu May 1 14:30:47.924972 2003 (1051813847.925)
    Client Fin Time: Thu May 1 14:30:47.963562 2003 (1051813847.964)
    GET /main.asp HTTP/1.0
      Response Code: 200 (OK)
      Request Length: 438
      Reply Length: 30730
      Content Length: 30447
      Content Type : text/html
      Time request sent: Thu May 1 14:29:41.700691 2003 (1051813781.701)
      Time reply started: Thu May 1 14:29:45.189720 2003 (1051813785.190)
      Time reply ACKed: Thu May 1 14:29:46.394593 2003 (1051813786.395)
      Elapsed time: 3489 ms (request to first byte sent)
      Elapsed time: 4694 ms (request to content ACKed)
    GET /poll-include.asp HTTP/1.0
      Response Code: 200 (OK)
      Request Length: 392
      Reply Length: 2038
      Content Length: 1836
      Content Type : text/html
      Time request sent: Thu May 1 14:29:46.023979 2003 (1051813786.024)
      Time reply started: Thu May 1 14:29:46.300471 2003 (1051813786.300)
      Time reply ACKed: Thu May 1 14:29:49.254442 2003 (1051813789.254)
      Elapsed time: 276 ms (request to first byte sent)
      Elapsed time: 3230 ms (request to content ACKed)
    POST /poll-include.asp HTTP/1.0
      Response Code: 302 (Found)
      Request Length: 496
      Reply Length: 376
      Content Length: 137
      Content Type : text/html
      Time request sent: Thu May 1 14:29:48.771677 2003 (1051813788.772)
      Time reply started: Thu May 1 14:29:49.160714 2003 (1051813789.161)
      Time reply ACKed: Thu May 1 14:29:50.939836 2003 (1051813790.940)
      Elapsed time: 389 ms (request to first byte sent)
      Elapsed time: 2168 ms (request to content ACKed)
    GET /poll-include.asp HTTP/1.0
      . . .
    GET /img/color.gif HTTP/1.0
      . . .
  . . .

First, we see the regular output of tcptrace listing the 20 connections traced in the dumpfile, which is followed by the http module output. For the first connection labeled a2b, we see the times the SYN and FIN segments were received from the client and server respectively. Since the SYN segments opening the connection were not captured in the dumpfile, the connection is incomplete, and hence the module does not report any detailed HTTP information.

The connection labeled i2j was complete however, and we see the times the SYN and FIN segments were received from the client and server respectively. This is followed by the various HTTP requests and responses seen in the connection: GET /main.asp, GET /poll-include.asp, POST /poll-include.asp, etc., requesting (GET) or submitting (POST) the files main.asp and poll-include.asp. Let us see the information reported as part of the GET /main.asp HTTP request.

• Response Code field displays the HTTP response code indicating the type of HTTP response received from the server.

• Request Length tracks the total length (in bytes) of this HTTP request.

• Reply Length tracks the length of the HTTP response received from the server for this HTTP request.

• Content Length field reports the length of the response found from the Content Length field of the HTTP response. If the Content Length field is not found in the response, the Content Length is reported as the length of the remaining data (after the headers) in the server-to-client data file.

• Content Type reports the content type of the data being sent in the response.

• Time request sent, Time reply started, Time reply ACKed fields, as is obvious from their names, track the time the request was sent, the time when the first segment carrying the response was received, and when the response was ACKed by the client, respectively. Note that the times are printed in human readable text format along with their absolute values.

• Elapsed time fields indicate the time elapsed between seeing the request and receiving the first byte of the response, and the time elapsed between seeing the request and having the response ACKed.

The module also lists the times the FIN segments were received from the client and server.

The http module also generates graphs for every client found in the dumpfile, plotting information on every web connection generated by the client. A sample graph generated for all the web connections initiated by client 88.56.130 is shown in Figure 9.9. Each of the long lines in the figure represents a web connection initiated by the client, and its length represents the lifetime of the connection. The Clnt SYN and Serv SYN ticks on the line represent the times when the SYN segments were seen from the client and server respectively. Similarly, Clnt FIN and Serv FIN found towards the end of the line represent the times when the FIN segments were seen from the client and server respectively. The ticks drawn below the lines represent the times when non-zero data segments were received from the server. The y-axis labeled URL doesn't mean anything specific, and is just an offset that begins from 1000 and is incremented by a constant value by the module for every web connection found in the dumpfile.

If we zoom into the beginning of the bottom-most connection shown in Figure 9.9, we get Figure 9.10. We can see in this figure the requests for main.asp, poll-include.asp, etc. Each such small line segment represents a request-response seen in the connection. The left diamond adjacent to the label /main.asp HTTP/1.0 represents the time when the request was seen. The length of the small line segment found towards the right represents the time elapsed receiving the response, with the left and right arrows representing the times when the first and last bytes of the response were received. The diamond on the right represents the time the response was ACKed. In Figure 9.11, we zoom into the information printed on top of the connection lines, with the text field 30447 representing the length of the response.

Besides listing HTTP information for connections as specified above, the module also generates the http.times file that lists, for all the complete connections found, the times when the requests/responses were received. The http.times file looks similar to the following:

  conn 88.56.130:35458 21.28.79.90:80 i2j 2117 5 34953 5
  reqrep 88.56.130:35458 21.28.79.90:80 i2j 1051813781.701 1051813785.190 1051813786.395 438 30730 200 GET /main.asp HTTP/1.0 text/html
  reqrep 88.56.130:35458 21.28.79.90:80 i2j 1051813786.024 1051813786.300 1051813789.254 392 2038 200 GET /poll-include.asp HTTP/1.0 text/html
  reqrep . . .
  . . .

The first line (beginning with conn) denotes the opening of a HTTP connection and lists the client and server endpoints (IP and port #: 88.56.130:35458, 21.28.79.90:80), the connection label assigned to the connection (i2j), the total request length in bytes (2117) found as the length of the file storing the contents of the data from the client to the server, the total number of requests found (5), the total reply length in bytes (34953) found as the length of the file storing the contents of the data from the server to the client, and the total number of responses found (5).

The first reqrep line shown above denotes the first request/response seen as part of the first connection. This line lists first the client and server endpoints and the connection label (i2j) assigned. The following fields list the timestamps when the request was sent (1051813781.701), when the first byte of the response was seen (1051813785.190) and when the response was ACKed (1051813786.395), the length of the request (438) and the response (30730), the response code (200) and the method it stands for (GET), the content requested (/main.asp HTTP/1.0) and the content type (text/html).

Figure 9.9: HTTP Module Plot #1

Figure 9.10: HTTP Module Plot #2

Figure 9.11: HTTP Module Plot #3
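How the per-request fields of the HTTP module output above can be derived from the two per-direction contents files, as an added example that is not the module's code. It splits each direction's byte stream into HTTP messages, pairs the i-th request with the i-th response, and reports Request Length, Reply Length, Response Code, Content Type and Content Length, falling back to the length of the remaining data after the headers when a response carries no Content-Length header, which is the fallback the text describes. The contents of both directions are constructed; the second reply is deliberately missing its Content-Length so the fallback is exercised. Pairing responses with requests in arrival order is an assumption of this example.

```python
# Added example, not part of tcptrace's HTTP module: splitting the two
# per-direction contents files of one connection into request/response pairs
# and deriving the Request Length, Reply Length, Response Code, Content Type
# and Content Length fields described above, including the fallback used
# when the response carries no Content-Length header.


def split_messages(stream: bytes, is_request: bool):
    """Split one direction's bytes into HTTP messages. A request without
    Content-Length has no body; a response without one is taken to run to
    the end of the stream, as the text describes."""
    msgs, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                  # incomplete headers: stop here
        lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        if "content-length" in headers:
            body_len, from_header = int(headers["content-length"]), True
        elif is_request:
            body_len, from_header = 0, True
        else:
            body_len, from_header = len(stream) - body_start, False
        body = stream[body_start:body_start + body_len]
        msgs.append(dict(start_line=lines[0], headers=headers, body=body,
                         content_length=body_len, from_header=from_header,
                         length=body_start - pos + len(body)))
        pos = body_start + len(body)
    return msgs


def http_pairs(client_to_server: bytes, server_to_client: bytes):
    """Pair the i-th request with the i-th response (assumed answered in order)
    and report the fields the HTTP module prints for each request."""
    pairs = []
    for req, rep in zip(split_messages(client_to_server, True),
                        split_messages(server_to_client, False)):
        method, uri, version = req["start_line"].split(" ", 2)
        pairs.append(dict(method=method, uri=uri, version=version,
                          response_code=int(rep["start_line"].split(" ", 2)[1]),
                          request_length=req["length"], reply_length=rep["length"],
                          content_length=rep["content_length"],
                          content_length_from_header=rep["from_header"],
                          content_type=rep["headers"].get("content-type")))
    return pairs


# Constructed contents of a connection with two requests; the second reply
# has no Content-Length, so its length comes from the remaining data.
SAMPLE_C2S = (b"GET /main.asp HTTP/1.0\r\nHost: example.test\r\n\r\n"
              b"POST /poll-include.asp HTTP/1.0\r\nHost: example.test\r\nContent-Length: 8\r\n\r\nvote=yes")
SAMPLE_S2C = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<html></html>"
              b"HTTP/1.0 302 Found\r\nContent-Type: text/html\r\nLocation: /main.asp\r\n\r\nredirecting")

if __name__ == "__main__":
    for p in http_pairs(SAMPLE_C2S, SAMPLE_S2C):
        print(p)
```

The request and reply lengths of all pairs add up to the sizes of the two contents files, the first reply's Content Length comes from its header (13) and the second's from the 11 bytes that follow its headers.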

-------.gz’ Ostermann’s tcptrace -.dmp.-------. Note that S can be a floating point value if you want.813146.680899 2003 Last packet: Tue Aug 5 15:34:42. . to see how the reported characteristics varied over time in the period of data capture of the dumpfile.813146 2000 -tu prints the . As shown above the date field indicates the time at the end of the time slice (15 seconds by default). The module also allows the following options that can be passed as ARGS in -xslice’’[ARGS]’’ and given in the command line.-------.318839 2003 9. • -iS if you want to change the default slice interval of 15 seconds to S seconds. -tl specifies the date in the long text format as in Fri Apr 28 03:00:23. the total number of new connections opened in the past time-slice (new) and the total number of connections active in the past time-slice (active). • -t[b—l—u—U] The -tb specifies the date field in brief and is the default (as shown in the above example).623647 Source file: alastor.6 -. 9. COLLIE Module 67 .dat file can be used as a data file to plot a graph with the gnuplot program for example.dat in the working directory that looks like : date segs bytes rexsegs rexbytes new active --------------.052520.surya:/home/mani> tcptrace -xslice rexmit. Beluga:/Users/mani> tcptrace -xcollie alastor.Tue Jul 1.813146 40 33976 3 3060 1 1 03:00:38. date as Unix timestamps as in 956905223. • -d turns on local debugging of this module. The slice.-------. 83 TCP packets traced.gz File modification timestamp: Wed Aug 6 18:27:22 2003 First packet: Tue Aug 5 15:34:30.-------03:00:23. starting with ’alastor. 1637 pkts/sec analyzed trace file elapsed time: 0:00:11. the total number of retransmitted segments (rexsegs) and retransmitted bytes (rexbytes). The subsequent fields indicate the segments seen (segs).version 6.813146 77 70612 6 9000 0 1 03:01:08. A sample output is shown below.813146 29 29020 5 7500 0 1 .dmp.813146 54 50592 7 10500 0 1 03:00:53. 
2 UDP packets traced elapsed wallclock time: 0:00:00.dmp.4.4 COLLIE Module The COLLIE module is a simple module that can display basic information on the connections (TCP and UDP) found in the dumpfile. -tU prints the date as Unix timestamps too. . but also includes the micro-second part of the timestamp as in 956905223.4.304547 2003 TCP Connections Session Start: Tue Aug 5 15:34:40.-------. the total bytes of data seen (bytes). 2003 86 packets seen.gz 1 arg remaining.dmp. . . .gz it leaves a data file by name slice.

As shown above, the module prints details on the source file (alastor.dmp.gz), when it was last modified, and the times of the first and last packets found in the file. Subsequent lines print basic information on the TCP and UDP connections traced. The information includes the times when the first and last packet of the connection were found (Session Start and Session End respectively), the source and destination endpoints, and the total number of bytes and packets transferred in either direction of the connection. Note that the collie module prints the connection information in reverse chronological order, i.e., the most recently opened connection's information gets printed before a connection opened earlier. The collie module has the side effect of turning on UDP processing (the -u option).

The following options are supported by the collie module and are to be supplied as ARGS in -xcollie"ARGS" to tcptrace on the command line.

• -n|-l The -n option turns off printing of the labels printed at the beginning of each line (Session Start, Session End, Source IP address etc.), while the -l option turns on printing of the labels, which is the default behavior.

• -d option turns on local debugging in the module.

9.5 Real-Time Module

The Real-Time module is a sample module that can be used to run tcptrace continuously, as described in Section 8.2. This module has the side effect of turning off name lookups, and of turning on the --continuous option and UDP processing internally.

    elephus:/home/mramadas> tcpdump -n -w - | tcptrace -xrealtime stdin
    mod_realtime: Capturing traffic
    1 arg remaining, starting with 'stdin'
    Ostermann's tcptrace -- version 6.4.3 -- Sat May 17, 2003
    tcpdump: listening on eth0

From here on the module prints one line per connection event. Each line carries the Unix timestamp (seconds and micro-seconds) of the packet that caused the event, the two endpoints as address:port pairs (IPv6 endpoints such as 2001:0468:0b02:0820:0208:74ff:fe40:0b81:51846 are printed in the same way), and either "new connection" or "connection closes (had N packets)". As shown above, the module prints a message every time a new connection is found opening or closing in the network. Periodically (every minute), the module also prints out the number of connections open ("number of open connections is 5", for example). Finally, at the end of processing, the module prints the total number of TCP, UDP, and other packets found in the network. In the sample run tcptrace was terminated early on signal 2; the partial result after processing 2109 packets counted 531 TCP packets and 1431 UDP packets, and tcpdump reported 2251 packets received by filter and 0 packets dropped by kernel.

9.6 Writing Modules

This section describes how to write your own plug-in modules for tcptrace. The structure definition of a module (found in modules.h) is shown below.

    struct module {
        Bool module_inuse;              /* make FALSE if you don't want to call it at all */
        char *module_name;              /* name of the module */
        char *module_descr;             /* description of the module */
        int (*module_init) (int argc, char *argv[]);  /* routine to call to init the module */
        void (*module_read) (           /* routine to pass each TCP segment */
            struct ip *pip,             /* the packet */
            tcp_pair *ptp,              /* info I have about this connection */
            void *plast,                /* pointer to last byte */
            void *pmodstruct);          /* module-specific structure */
        void (*module_done) (void);     /* routine to call at program end */
        void (*module_usage) (void);    /* routine to call to print module usage */
        void (*module_newfile) (        /* routine to call on each new file */
            char *filename,             /* the name of the current file */
            u_long filesize,            /* number of bytes in file (might be compressed) */
            Bool fcompressed);          /* is the file compressed? */
        void *(*module_newconn) (       /* routine to call on each new connection */
            tcp_pair *ptp);             /* info I have about this connection */
        void *(*module_udp_newconn) (   /* routine to call on each new UDP conn */
            udp_pair *ptp);             /* info I have about this connection */
        void (*module_udp_read) (       /* routine to pass each UDP segment */
            struct ip *pip,             /* the packet */
            udp_pair *pup,              /* info I have about this connection */
            void *plast,                /* pointer to last byte */
            void *pmodstruct);          /* module-specific structure */
        void (*module_nontcpudp_read) ( /* routine to pass each non-tcp and non-udp packets */
            struct ip *pip,             /* the packet */
            void *plast);               /* pointer to last byte */
        void (*module_deleteconn) (
            tcp_pair *ptp,              /* info I have about this connection */
            void *pmodstruct);          /* module-specific structure */
    };

As shown above, each module definition consists of fields that store a basic description of the module, followed by a list of function pointers that need to be filled with functions specific to the module. The module_inuse variable is used by tcptrace to see if the module has been selected and is active. The module_name and module_descr fields store the name and a short description of the module and are useful for debugging purposes. The list of function pointers that follow need to be set to appropriate module-specific functions; you may set any of the function pointers you are not interested in to NULL if you do not want to be notified of the corresponding event by tcptrace. The function pointers and their assignments for the Real-Time module (from the modules.h file) are shown below. These functions are defined in the mod_realtime.c file.

    {TRUE,                          /* make FALSE if you don't want to call it at all */
     "realtime",                    /* name of the module */
     "example real-time package",   /* description of the module */
     realtime_init,                 /* routine to call to init the module */
     realtime_read,                 /* routine to pass each TCP segment */
     realtime_done,                 /* routine to call at program end */
     realtime_usage,                /* routine to call to print module usage */
     NULL,                          /* routine to call on each new file */
     realtime_newconn,              /* routine to call on each new connection */
     NULL,                          /* routine to call on each new UDP conn */
     realtime_udp_read,             /* routine to pass each UDP segment */
     realtime_nontcpudp_read,       /* routine to pass each non-tcp and non-udp packets */
     realtime_deleteconn}

• *module_init  This is the module initialization function. tcptrace passes the received command-line arguments (int argc, char *argv[]) to all of the registered modules, and the modules are expected to note the arguments that concern them and delete them by making the corresponding argv[] pointer point to NULL. If this function returns 1, tcptrace will treat the module as active by turning on the module_inuse flag for the module. On the other hand, if 0 is returned, the module is treated as inactive. For example, the realtime_init function assigned by the Real-Time module looks for the command-line argument -xrealtime to decide if the module is being invoked or not, and returns 1 if found and 0 otherwise. If you want your module mymod to be able to handle module-specific arguments as in -xmymod"ARGS", look into the traffic module code in mod_traffic.c for an example.

• *module_read  This function is called for every TCP packet being processed. tcptrace supplies the IP packet itself in host byte order (pip), the information it has about the TCP connection (ptp), a void pointer pointing to the memory location of the last byte of the packet (plast), and a pointer to the module-specific structure previously associated with this connection (pmodstruct) in the call to the *module_newconn function (called when the connection was opened). With the Real-Time module, for example, tcptrace returns the rtconn structure associated with the connection by the realtime_newconn function when the connection was opened as the fourth argument of the realtime_read function (called for every TCP packet of the connection).

• *module_done  This function is called at the end, when tcptrace is done processing the dumpfile(s). You might print the end results/statistics accumulated by your module in this function.

• *module_usage  The function to be called to print the module-specific usage message. Please make sure that what command line arguments your module understands, and what they mean, are printed out briefly in this function.

• *module_newfile  This function is called every time tcptrace begins processing a new dumpfile. The arguments to the function include the filename, the file size, and a boolean variable indicating if the file were compressed. A file size value of 1 is returned if reading from stdin. Note that the Real-Time module sets the function pointer corresponding to this function to NULL, meaning that the module does not want to be notified of the event.

• *module_newconn  This function is called every time a new TCP connection is seen opening (upon seeing the first packet of a new connection). You may initialize any module-specific structure for this new connection and return its address as a void pointer. This module-specific structure is useful when the module needs to store any module-specific information that needs to be associated with the connection: it is initialized and given to tcptrace in the *module_newconn function and gets returned to the module in subsequent calls to the *module_read function. See realtime_newconn for an example of how a module-specific connection structure is initialized and returned. Note that the function *module_newconn is called before the *module_read function, so that the latter function is called on the first packet of the connection too.

• *module_udp_newconn  Similar to the *module_newconn function, this function is called whenever a new UDP connection is opened (upon seeing the first packet of the connection).

• *module_udp_read  This function is called for every UDP packet seen. The arguments include the IP packet itself that was captured, the information tcptrace keeps for this connection, a pointer to the memory location storing the last byte of the packet, and any module-specific structure returned in the previous call to the *module_udp_newconn function. The arguments and their semantics are similar to the *module_read call.

• *module_nontcpudp_read  This function is called for every non-TCP/UDP packet seen. The arguments passed are the IP packet itself and a pointer to the last byte of the packet.

• *module_deleteconn  This function is called whenever tcptrace deletes a connection from its list of active connections in Real-Time mode, as explained in Section 8.2.
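The program below is an added illustration, not code from tcptrace or this manual: a hypothetical "bytecount" module written against a copy of the struct module interface above, plus a tiny stand-in for tcptrace's own dispatch so that the callback order (init, newconn, read, deleteconn, done) and the argv-consuming convention can be exercised offline. tcp_pair, udp_pair and struct ip are reduced to opaque stand-ins, and the packet lengths replayed are constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumption): tcptrace's real tcp_pair, udp_pair and struct ip
 * carry far more; the demo only needs opaque handles. */
typedef int Bool;
#define TRUE  1
#define FALSE 0
struct ip { unsigned char first_byte; };                 /* start of a packet */
typedef struct { unsigned short a_port, b_port; } tcp_pair;
typedef struct { unsigned short a_port, b_port; } udp_pair;

/* Plug-in interface, field for field as in tcptrace's modules.h. */
struct module {
    Bool  module_inuse;
    char *module_name;
    char *module_descr;
    int   (*module_init)(int argc, char *argv[]);
    void  (*module_read)(struct ip *pip, tcp_pair *ptp, void *plast, void *pmodstruct);
    void  (*module_done)(void);
    void  (*module_usage)(void);
    void  (*module_newfile)(char *filename, unsigned long filesize, Bool fcompressed);
    void *(*module_newconn)(tcp_pair *ptp);
    void *(*module_udp_newconn)(udp_pair *pup);
    void  (*module_udp_read)(struct ip *pip, udp_pair *pup, void *plast, void *pmodstruct);
    void  (*module_nontcpudp_read)(struct ip *pip, void *plast);
    void  (*module_deleteconn)(tcp_pair *ptp, void *pmodstruct);
};

/* ---- hypothetical "bytecount" module: per-connection packet/byte totals ---- */
struct bcconn { unsigned long packets, bytes; };         /* module-specific per-connection state */
static unsigned long bc_total_packets, bc_total_bytes;

/* Look for -xbytecount, consume it by NULLing its argv slot, return 1 if active. */
static int bc_init(int argc, char *argv[])
{
    int active = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i] != NULL && strncmp(argv[i], "-xbytecount", 11) == 0) {
            active = 1;
            argv[i] = NULL;          /* so tcptrace does not take it for a dump file name */
        }
    }
    bc_total_packets = bc_total_bytes = 0;
    return active;
}

static void bc_usage(void)
{
    printf("  -xbytecount   count packets and bytes per TCP connection\n");
}

/* Called on the first packet of a connection, before module_read sees it. */
static void *bc_newconn(tcp_pair *ptp)
{
    (void)ptp;
    return calloc(1, sizeof(struct bcconn));             /* handed back later as pmodstruct */
}

/* plast points at the last byte of the packet, so its length is plast - pip + 1. */
static void bc_read(struct ip *pip, tcp_pair *ptp, void *plast, void *pmodstruct)
{
    (void)ptp;
    struct bcconn *c = pmodstruct;
    unsigned long len = (unsigned long)((unsigned char *)plast - (unsigned char *)pip) + 1;
    c->packets++;        c->bytes += len;
    bc_total_packets++;  bc_total_bytes += len;
}

static void bc_deleteconn(tcp_pair *ptp, void *pmodstruct)
{
    (void)ptp;
    free(pmodstruct);                                    /* release per-connection state */
}

static void bc_done(void)
{
    printf("bytecount: %lu packets, %lu bytes in all TCP connections\n",
           bc_total_packets, bc_total_bytes);
}

/* Module table entry laid out like the Real-Time entry in modules.h;
 * events this module does not care about are NULL. */
static struct module bytecount_module = {
    FALSE, "bytecount", "example per-connection byte counter",
    bc_init, bc_read, bc_done, bc_usage,
    NULL,                        /* module_newfile */
    bc_newconn,
    NULL, NULL, NULL,            /* udp_newconn, udp_read, nontcpudp_read */
    bc_deleteconn
};

/* Stand-in for tcptrace's driver: run init and record the verdict in module_inuse. */
int driver_init(struct module *m, int argc, char *argv[])
{
    m->module_inuse = m->module_init(argc, argv) ? TRUE : FALSE;
    return m->module_inuse;
}

/* Replay one TCP connection of n packets with the given wire lengths through the
 * callbacks in tcptrace's order (newconn, read..., deleteconn); returns the byte
 * total the module accumulated for that connection. */
unsigned long driver_replay(struct module *m, const unsigned long *lens, int n)
{
    static unsigned char buf[1500];                      /* constructed packet buffer */
    tcp_pair conn = { 51214, 80 };
    if (!m->module_inuse) return 0;
    void *pmod = m->module_newconn ? m->module_newconn(&conn) : NULL;
    for (int i = 0; i < n; i++) {
        if (lens[i] == 0 || lens[i] > sizeof buf) continue;
        m->module_read((struct ip *)buf, &conn, buf + lens[i] - 1, pmod);
    }
    unsigned long bytes = ((struct bcconn *)pmod)->bytes;
    if (m->module_deleteconn) m->module_deleteconn(&conn, pmod);
    return bytes;
}

unsigned long driver_total_bytes(void) { return bc_total_bytes; }

int main(void)
{
    char *argv[] = { "tcptrace", "-xbytecount", "trace.dmp", NULL };
    driver_init(&bytecount_module, 3, argv);
    unsigned long lens[] = { 60, 60, 52, 1500, 1500, 52 };
    printf("connection bytes: %lu\n", driver_replay(&bytecount_module, lens, 6));
    bytecount_module.module_done();
    return 0;
}
```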

APPENDIX A  Arguments QR

This chapter, Arguments Quick Reference (QR), explains briefly the options supported by tcptrace.

Basic Arguments

The following options are first read from the file $HOME/.tcptracerc (if it exists), then from the environment variable TCPTRACEOPTS (if it exists), and finally from the command line. All the boolean options (options that do not take an argument along with them) can be given with a "+" prefix that has the effect of negating the option. This can be useful if you store the options you always want tcptrace to use in the $HOME/.tcptracerc file or the TCPTRACEOPTS environment variable but want to turn off an option for this invocation of tcptrace from the command line. For example, you may give "+l" to not print in the long output format.

    Output format options
      -b      brief output format
      -l      long output format
      -r      print rtt statistics (slower for large files)
      -W      report on estimated congestion window (not generally useful)
      -q      no output (if you just want modules output)
    Graphing options
      -T      create throughput graph[s], (average over 10 segments, see -A)
      -R      create rtt sample graph[s]
      -S      create time sequence graph[s]
      -N      create owin graph[s] (_o_utstanding data on _N_etwork)
      -F      create segsize graph[s]
      -L      create time line graph[s]
      -G      create ALL graphs
    Output format detail options
      -D      print in decimal
      -X      print in hexadecimal
      -n      don't resolve host or service names (much faster)
      -s      use short names (list "picard.cs.ohiou.edu" as just "picard")
    Connection filtering options
      -iN     ignore connection N (can use multiple times)
      -oN[-M] only connection N (or N through M).  Arg can be used many times.
              If N is a file rather than a number, read list from file instead.
      -c      ignore non-complete connections (didn't see syn's and fin's)
      -BN     first segment number to analyze (default 1)
      -EN     last segment number to analyze (default last in file)
    Graphing detail options
      -C      produce color plot[s]
      -M      produce monochrome (b/w) plot[s]
      -AN     Average N segments for throughput graphs, default is 10
      -z      zero axis options
        -z    plot time axis from 0 rather than wall clock time (backward compat)
        -zx   plot time axis from 0 rather than wall clock time
        -zy   plot sequence numbers from 0 (time sequence graphs only)
        -zxy  plot both axes from 0
      -y      omit the (yellow) instantaneous throughput points in tput graph
    Misc options
      -Z      dump raw rtt sample times to file[s]
      -p      print all packet contents (can be very long)
      -P      print packet contents for selected connections
      -t      'tick' off the packet numbers as a progress indication
      -fEXPR  output filtering (see -hfilter)
      -v      print version information and exit
      -w      print various warning messages
      -d      whistle while you work (enable debug, use -d -d for more output)
      -e      extract contents of each TCP stream into file
      -h      print help messages
      -u      perform (minimal) UDP analysis too
      -Ofile  dump matched packets to tcpdump file 'file'
      +[v]    reverse the setting of the -[v] flag (for booleans)
    Dump File Names
      Anything else in the arguments is taken to be one or more filenames.
      The files can be compressed, see compress.h for configuration.
      If the dump file name is 'stdin', then we read from standard input
      rather than from a file

    Extended boolean options
     (unambiguous prefixes also work)
      --showsacks           show SACK blocks on time sequence graphs (default)
      --noshowsacks         DON'T show SACK blocks on time sequence graphs
      --showrexmit          mark retransmits on time sequence graphs (default)
      --noshowrexmit        DON'T mark retransmits on time sequence graphs
      --showoutorder        mark out-of-order on time sequence graphs (default)
      --noshowoutorder      DON'T mark out-of-order on time sequence graphs
      --showzerowindow      mark zero windows on time sequence graphs (default)
      --noshowzerowindow    DON'T mark zero windows on time sequence graphs
      --showurg             mark packets with URGENT bit set on the time sequence graphs (default)
      --noshowurg           DON'T mark packets with URGENT bit set on the time sequence graphs
      --showrttdongles      mark non-RTT-generating ACKs with special symbols
      --noshowrttdongles    DON'T mark non-RTT-generating ACKs with special symbols (default)
      --showdupack3         mark triple dupacks on time sequence graphs (default)
      --noshowdupack3       DON'T mark triple dupacks on time sequence graphs
      --showzerolensegs     show zero length packets on time sequence graphs (default)
      --noshowzerolensegs   DON'T show zero length packets on time sequence graphs
      --showzwndprobes      show zero window probe packets on time sequence graphs (default)
      --noshowzwndprobes    DON'T show zero window probe packets on time sequence graphs
      --showtitle           show title on the graphs (default)
      --noshowtitle         DON'T show title on the graphs
      --res_addr            resolve IP addresses into names (may be slow) (default)
      --nores_addr          DON'T resolve IP addresses into names (may be slow)
      --res_port            resolve port numbers into names (default)
      --nores_port          DON'T resolve port numbers into names
      --checksum            verify IP and TCP checksums
      --nochecksum          DON'T verify IP and TCP checksums (default)
      --dupack3_data        count a duplicate ACK carrying data as a triple dupack
      --nodupack3_data      DON'T count a duplicate ACK carrying data as a triple dupack (default)
      --check_hwdups        check for 'hardware' dups (default)
      --nocheck_hwdups      DON'T check for 'hardware' dups
      --warn_ooo            print warnings when packets timestamps are out of order
      --nowarn_ooo          DON'T print warnings when packets timestamps are out of order (default)
      --warn_printtrunc     print warnings when packets are too short to analyze
      --nowarn_printtrunc   DON'T print warnings when packets are too short to analyze (default)
      --warn_printbadmbz    print warnings when MustBeZero TCP fields are NOT 0
      --nowarn_printbadmbz  DON'T print warnings when MustBeZero TCP fields are NOT 0 (default)
      --warn_printhwdups    print warnings for hardware duplicates
      --nowarn_printhwdups  DON'T print warnings for hardware duplicates (default)
      --warn_printbadcsum   print warnings when packets with bad checksums
      --nowarn_printbadcsum DON'T print warnings when packets with bad checksums (default)
      --warn_printbad_syn_fin_seq    print warnings when SYNs or FINs rexmitted with different sequence numbers
      --nowarn_printbad_syn_fin_seq  DON'T print warnings when SYNs or FINs rexmitted with different sequence numbers (default)
      --dump_packet_data    print all packets AND dump the TCP/UDP data
      --nodump_packet_data  DON'T print all packets AND dump the TCP/UDP data (default)
      --continuous          run continuously and don't provide a summary
      --nocontinuous        DON'T run continuously and don't provide a summary (default)
      --print_seq_zero      print sequence numbers as offset from initial sequence number
      --noprint_seq_zero    DON'T print sequence numbers as offset from initial sequence number (default)
      --limit_conn_num      limit the maximum number of connections kept at a time in real-time mode
      --nolimit_conn_num    DON'T limit the maximum number of connections kept at a time in real-time mode (default)
      --xplot_all_files     display all generated xplot files at the end
      --noxplot_all_files   DON'T display all generated xplot files at the end (default)
      --ns_hdrs             assume that ns has the useHeaders_flag true (uses IP+TCP headers) (default)
      --nons_hdrs           DON'T assume that ns has the useHeaders_flag true (uses IP+TCP headers)
      --csv                 display the long output as comma separated values
      --nocsv               DON'T display the long output as comma separated values (default)
      --tsv                 display the long output as tab separated values
      --notsv               DON'T display the long output as tab separated values (default)
      --turn_off_BSD_dupack    turn off the BSD version of the duplicate ack handling
      --noturn_off_BSD_dupack  DON'T turn off the BSD version of the duplicate ack handling (default)

    Extended variable options
     (unambiguous prefixes also work)
      --output_dir="STR"                  directory where all output files are placed (default: '<NULL>')
      --output_prefix="STR"               prefix all output files with this string (default: '<NULL>')
      --xplot_title_prefix="STR"          prefix to place in the titles of all xplot files (default: '<NULL>')
      --update_interval="STR"             time interval for updates in real-time mode (default: '<NULL>')
      --max_conn_num="STR"                maximum number of connections to keep at a time in real-time mode
      --remove_live_conn_interval="STR"   idle time after which an open connection is removed in real-time mode
      --endpoint_reuse_interval="STR"     time interval of inactivity after which an open connection i
      --remove_closed_conn_interval="STR" time interval after which a closed connection is removed
      --xplot_args="STR"                  arguments to pass to xplot, if we are calling xplot from here
      --sv="STR"                          separator to use for long output with <STR>-separated-values

Module-specific Arguments

    Beluga:/Users/mani/tcptrace-manual> tcptrace -hxargs
    Module http:
        usage: -xHTTP[P]    print info about http traffic (on port P, default 80)
    Module traffic:
        usage: -xtraffic"[ARGS]"    print info about overall traffic
        module argument format:
            -iS            set statistics interval to S (float) seconds, default 15.0
            -pP            include information on port P
            -pP1-P2        include information on ports in the range [P1-P2]
            -p-P           exclude information on port P
            -p-P1-P2       exclude information on ports in the range [P1-P2]
            -pSPEC,SPEC    commas chain together specs
            -G             generate all graphs
            -A             generate the 'active connections' graph
            -B             generate the 'bytes per second' graph
            -C             generate the 'opens and closes' graph
            -H             generate the 'halfopen connections' graph
            -K             generate the 'pure acKs/second' graph
            -L             generate the 'losses per second' graph
            -O             generate the 'open connections' graph
            -I             generate the 'instantaneous open connections' graph
            -P             generate the 'packets per second' graph
            -Q             generate the 'idle (Quiet) connections' graph
            -R[MIN[-MAX]]  generate the 'round trip time' graph with args,
                           ignore samples outside MIN to MAX (in ms)
            -T             generate the 'total data' graph
            -D[SECS]       generate the 'long duration connection' graph,
                           default definition of 'long' is 60 seconds
            -d             enable local debugging in this module
        Examples
            -xtraffic" -p23"                   only port 23
            -xtraffic" -p1-1023"               only ports 1-1023
            -xtraffic"-p1-1023,-10-20 -L -O"   only ports 1-1023, but exclude ports 10-20
        With no ports specification, all ports are gathered.  With ANY spec,
        all ports are initially EXCLUDED
    Module slice:
        usage: -xslice"[ARGS]"    print data info in slices
        module argument format:
            -iS    set slice interval to S (float) seconds, default 15.0
            -d     enable local debugging in this module
            -tb    specify time and date 'briefly'
            -tl    specify time and date in long, 'Unix Format'
            -tu    specify time and date as a Unix timestamp (secs)
            -tU    specify time and date as a Unix timestamp (secs.usecs)
    Module rttgraph:
        usage: -xrttgraph    print info about rttgraph traffic
    Module collie:
        usage: -xcollie"[-ln]    provide connection summary
            -l    attach labels
            -n    no labels please
    Module realtime:
        usage: -xrealtime    an example module showing how to use real-time tcptrace

APPENDIX B  XPLOT QR

This chapter briefly explains the usage of the xplot program. There seem to be a few other programs floating around the net by the same name. This one was written by Tim Shepard while doing his S.M. thesis "TCP Packet Trace Analysis" for David Clark at the MIT Laboratory for Computer Science. The thesis can be ordered from MIT/LCS Publications; ask for MIT/LCS/TR-494. Ordering information can be obtained from +1 617 253 5851, or send mail to publications@lcs.mit.edu. Or you can get it on the net free of charge from ftp://ftp.lcs.mit.edu/pub/lcs-pubs/tr.outbox/MIT-LCS-TR-494.ps.gz. You may also look at the program's web-site http://www.xplot.org for the latest version of the program.

Basic Usage

Viewing xplot graph(s) (commonly named as files with the .xpl suffix) is as simple as saying:

    xplot file1.xpl [file2.xpl ...]

You may use the Left-Mouse button to drag and select a specific area in the graph to zoom on it. You may keep repeating this procedure to zoom in more and more, to see any specific area of the graph in more and more detail. The zoom views are stored in a stack internally, and clicking the Left-Mouse button on the graph lets you zoom out level by level, popping out the stack. The Middle-Mouse button (clicking and dragging) lets you scroll the graph. The Right-Mouse button closes the graph being viewed.

Using:

    xplot -x a2b_tsg.xpl b2a_tsg.xpl

for example, sets their x-axes in sync so that zooming in on one of the graphs also zooms the other graph, so that you see the same time-scales on both the graphs all the time. The -x option can be useful if you are viewing related graphs (the forward and reverse directions of a connection, for example) to line up the x-axes of both the graphs. Similar semantics are also supported for the y-axis with the -y option.

Generating Postscript

Clicking the Left-Mouse Button with the SHIFT key pressed drops a postscript version of the graph being viewed in the working directory. Clicking the Middle-Mouse Button with the SHIFT key pressed drops a postscript file of smaller size that is good for including in a paper. Clicking the Right-Mouse Button with the SHIFT key pressed also drops a smaller size postscript file, but the graph is made smaller vertically. The postscript files are named Title.PS.#, where Title is the title of the graph and # is a serial number that starts from 0, used so that files do not get overwritten accidentally in the working directory.

78 .

APPENDIX C  Protocol QR

The IP, TCP, and UDP protocol headers are specified here for quick reference.

Ethernet Header Structure

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Destination |   Source    | Type |        Data         |      CRC       |
    |   Address   |   Address   |      |                     |                |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           6             6         2          46-1500               4

IPv4 Header Structure

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  HL   |   DSCP    |ECN|         Total Length          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |        Identification         |Flags|     Fragment Offset     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Time to Live  |   Protocol    |        Header Checksum        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Source Address                         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                      Destination Address                      |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    <                       Options (if any)                        >
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    <                                                               >
    |                             Data                              |
    <                                                               >
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Note that the above figure includes the DSCP (Differentiated Services Code Point) and ECN (Explicit Congestion Notification) bits defined in the IP header as per RFC 3168.

TCP Header Structure

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Sequence Number                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Acknowledgment Number                     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Header|       |C|E|U|A|P|R|S|F|                               |
    | Length| Rsrvd.|W|C|R|C|S|S|Y|I|          Window Size          |
    |       |       |R|E|G|K|H|T|N|N|                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         TCP Checksum          |        Urgent Pointer         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    <                       Options (if any)                        >
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    <                                                               >
    |                             Data                              |
    <                                                               >
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Note again that the above figure includes the CWR (Congestion Window Reduced) and ECE (ECN-Echo) flag bits defined for the TCP header as per RFC 3168.

UDP Header Structure

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          Source Port          |       Destination Port        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          UDP Length           |         UDP Checksum          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    <                                                               >
    |                             Data                              |
    <                                                               >
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

APPENDIX D  License

We see the following GNU Free Documentation License as the most appropriate license for copying this manual.

GNU Free Documentation License
Version 1.2, November 2002

Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

authors. For any section Entitled ”Acknowledgements” or ”Dedications”. thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. L. as the publisher. List on the Title Page. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. a license notice giving the public permission to use the Modified Version under the terms of this License. together with at least five of the principal authors of the Document (all of its principal authors. Preserve the network location. Preserve all the Invariant Sections of the Document. you should put the first ones listed (as many as fit reasonably) on the actual cover. K. Preserve any Warranty Disclaimers. then add an item describing the Modified Version as stated in the previous sentence. that you contact the authors of the Document well before redistributing any large number of copies. Include. B. and publisher of the Modified Version as given on the Title Page. It is requested. Preserve its Title. you may at your option designate some or all of these sections as invariant. if any) a title distinct from that of the Document. but not required.If the required texts for either cover are too voluminous to fit legibly. to give them a chance to provide you with an updated version of the Document. and publisher of the Document as given on its Title Page. You may use the same title as a previous version if the original publisher of that version gives permission. you must either include a machine-readable Transparent copy along with each Opaque copy. if any. If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document. H. when you begin distribution of Opaque copies in quantity. Such a section may not be included in the Modified Version. if there were any. M. with the Modified Version filling the role of the Document. 
Add an appropriate copyright notice for your modifications adjacent to the other copyright notices. Section numbers or the equivalent are not considered part of the section titles. immediately after the copyright notices. new authors. Do not retitle any existing section to be Entitled ”Endorsements” or to conflict in title with any Invariant Section. as authors. In addition. You may omit a network location for a work that was published at least four years before the Document itself. to the end of the list of Cover Texts in the Modified Version. Use in the Title Page (and on the covers. in the form shown in the Addendum below. and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein. N. and from those of previous versions (which should. be listed in the History section of the Document). If the Document already 83 . create one stating the title. You may add a passage of up to five words as a Front-Cover Text. J. G. F. C. and continue the rest onto adjacent pages. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document’s license notice. If you publish or distribute Opaque copies of the Document numbering more than 100. State on the Title page the name of the publisher of the Modified Version. If there is no section Entitled ”History” in the Document. Preserve all the copyright notices of the Document. To do this. and a passage of up to 25 words as a Back-Cover Text. 4. year. You may add a section Entitled ”Endorsements”. E. These titles must be distinct from any other section titles. provided that you release the Modified Version under precisely this License. one or more persons or entities responsible for authorship of the modifications in the Modified Version. Delete any section Entitled ”Endorsements”. you must take reasonably prudent steps. you must do these things in the Modified Version: A. I. 
given in the Document for public access to a Transparent copy of the Document. O. If you use the latter option. and likewise the network locations given in the Document for previous versions it was based on. if it has fewer than five). or if the original publisher of the version it refers to gives permission. to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. free of added material. D. or state in or with each Opaque copy a computernetwork location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document. MODIFICATIONS You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above. provided it contains nothing but endorsements of your Modified Version by various parties–for example. unless they release you from this requirement. These may be placed in the ”History” section. Include an unaltered copy of this License. add their titles to the list of Invariant Sections in the Modified Version’s license notice. Preserve the Title of the section. year. statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. unaltered in their text and in their titles. Preserve the section Entitled ”History”. and add to it an item stating at least the title.

this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document. or ”History”. forming one section Entitled ”History”. and multiple identical Invariant Sections may be replaced with a single copy. the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title. The combined work need only contain one copy of this License. provided that you include in the combination all of the Invariant Sections of all of the original documents. and all the license notices in the Document. and any sections Entitled ”Dedications”. 5. COMBINING DOCUMENTS You may combine the Document with other documents released under this License. the original version will prevail. unmodified. COLLECTIONS OF DOCUMENTS You may make a collection consisting of the Document and other documents released under this License. provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. in or on a volume of a storage or distribution medium. and follow this License in all other respects regarding verbatim copying of that document. 9. You may extract a single document from such a collection. under the terms defined in section 4 above for modified versions. so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders. you must combine any sections Entitled ”History” in the various original documents. 8. or else a unique number. but you may replace the old one. 6. License . then if the Document is less than one half of the entire aggregate. TRANSLATION Translation is considered a kind of modification. 
and distribute it individually under this License. previously added by you or by arrangement made by the same entity you are acting on behalf of. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer. provided that you also include the original English version of this License and the original versions of those notices and disclaimers. is called an ”aggregate” if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. Otherwise they must appear on printed covers that bracket the whole aggregate. likewise combine any sections Entitled ”Acknowledgements”. in parentheses. If a section in the Document is Entitled ”Acknowledgements”. on explicit permission from the previous publisher that added the old one. you may not add another. and replace the individual copies of this License in the various documents with a single copy that is included in the collection. AGGREGATION WITH INDEPENDENT WORKS A compilation of the Document or its derivatives with other separate and independent documents or works. ”Dedications”. provided you insert a copy of this License into the extracted document. and that you preserve all their Warranty Disclaimers. You must delete all sections Entitled ”Endorsements”. 7. but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version. the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate. You may include a translation of this License. and any Warranty Disclaimers.includes a cover text for the same cover. the name of the original author or publisher of that section if known. 
or the electronic equivalent of covers if the Document is in electronic form. and list them all as Invariant Sections of your combined work in its license notice. TERMINATION 84 Appendix D. In the combination. If there are multiple Invariant Sections with the same name but different contents. When the Document is included in an aggregate. make the title of each such section unique by adding at the end of it.

such as the GNU General Public License. If you have Invariant Sections without Cover Texts. Such new versions will be similar in spirit to the present version. we recommend releasing these examples in parallel under your choice of free software license. ADDENDUM: How to use this License for your documents To use this License in a document you have written. distribute and/or modify this document under the terms of the GNU Free Documentation License. A copy of the license is included in the section entitled ”GNU Free Documentation License”.You may not copy. Front-Cover Texts and Back-Cover Texts. parties who have received copies. replace the ”with. sublicense. See http://www. with the Front-Cover Texts being LIST. FUTURE REVISIONS OF THIS LICENSE The Free Software Foundation may publish new.org/copyleft/. or rights. revised versions of the GNU Free Documentation License from time to time. If your document contains nontrivial examples of program code. Permission is granted to copy. include a copy of the License in the document and put the following copyright and license notices just after the title page: Copyright (c) YEAR YOUR NAME. you may choose any version ever published (not as a draft) by the Free Software Foundation. to permit their use in free software.gnu. but may differ in detail to address new problems or concerns. or some other combination of the three. 85 . modify. If you have Invariant Sections. and with the BackCover Texts being LIST. no Front-Cover Texts.. Any other attempt to copy. and no Back-Cover Texts.2 or any later version published by the Free Software Foundation. with no Invariant Sections.” line with this: with the Invariant Sections being LIST THEIR TITLES. sublicense or distribute the Document is void. or distribute the Document except as expressly provided for under this License. 
you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. and will automatically terminate your rights under this License. merge those two alternatives to suit the situation. However. Each version of the License is given a distinguishing version number. 10. modify.Texts. Version 1.. from you under this License will not have their licenses terminated so long as such parties remain in full compliance. If the Document does not specify a version number of this License. If the Document specifies that a particular numbered version of this License ”or any later version” applies to it.
