Move tcpdump-3.9/ to tcpdump/. No need for a versioned dir.
[dragonfly.git] / contrib / tcpdump / README
CommitLineData
825e8fa1 1@(#) $Header: /tcpdump/master/tcpdump/README,v 1.65.2.1 2007/09/14 01:03:12 guy Exp $ (LBL)
c8cf0f94
PA
2
3TCPDUMP 3.9
4Now maintained by "The Tcpdump Group"
5See www.tcpdump.org
6
7Please send inquiries/comments/reports to tcpdump-workers@tcpdump.org
8
9Anonymous CVS is available via:
10 cvs -d :pserver:cvs.tcpdump.org:/tcpdump/master login
11 (password "anoncvs")
12 cvs -d :pserver:cvs.tcpdump.org:/tcpdump/master checkout tcpdump
13
825e8fa1 14Version 3.9 of TCPDUMP can be retrieved with the CVS tag "tcpdump_3_9rel1":
c8cf0f94
PA
15 cvs -d :pserver:cvs.tcpdump.org:/tcpdump/master checkout -r tcpdump_3_9rel1 tcpdump
16
825e8fa1
PA
17Please submit patches against the master copy to the tcpdump project on
18sourceforge.net.
c8cf0f94
PA
19
20formerly from Lawrence Berkeley National Laboratory
21 Network Research Group <tcpdump@ee.lbl.gov>
22 ftp://ftp.ee.lbl.gov/tcpdump.tar.Z (3.4)
23
24This directory contains source code for tcpdump, a tool for network
25monitoring and data acquisition. This software was originally
26developed by the Network Research Group at the Lawrence Berkeley
27National Laboratory. The original distribution is available via
28anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. More recent
29development is performed at tcpdump.org, http://www.tcpdump.org/
30
31Tcpdump uses libpcap, a system-independent interface for user-level
32packet capture. Before building tcpdump, you must first retrieve and
33build libpcap, also originally from LBL and now being maintained by
34tcpdump.org; see http://www.tcpdump.org/ .
35
36Once libpcap is built (either install it or make sure it's in
37../libpcap), you can build tcpdump using the procedure in the INSTALL
38file.
39
40The program is loosely based on SMI's "etherfind" although none of the
41etherfind code remains. It was originally written by Van Jacobson as
42part of an ongoing research project to investigate and improve tcp and
43internet gateway performance. The parts of the program originally
44taken from Sun's etherfind were later re-written by Steven McCanne of
45LBL. To insure that there would be no vestige of proprietary code in
46tcpdump, Steve wrote these pieces from the specification given by the
47manual entry, with no access to the source of tcpdump or etherfind.
48
49Over the past few years, tcpdump has been steadily improved by the
50excellent contributions from the Internet community (just browse
51through the CHANGES file). We are grateful for all the input.
52
53Richard Stevens gives an excellent treatment of the Internet protocols
54in his book ``TCP/IP Illustrated, Volume 1''. If you want to learn more
55about tcpdump and how to interpret its output, pick up this book.
56
57Some tools for viewing and analyzing tcpdump trace files are available
58from the Internet Traffic Archive:
59
60 http://www.acm.org/sigcomm/ITA/
61
62Another tool that tcpdump users might find useful is tcpslice:
63
64 ftp://ftp.ee.lbl.gov/tcpslice.tar.Z
65
66It is a program that can be used to extract portions of tcpdump binary
67trace files. See the above distribution for further details and
68documentation.
69
70Problems, bugs, questions, desirable enhancements, etc. should be sent
71to the address "tcpdump-workers@tcpdump.org". Bugs, support requests,
72and feature requests may also be submitted on the SourceForge site for
73tcpdump at
74
75 http://sourceforge.net/projects/tcpdump/
76
77Source code contributions, etc. should be sent to the email address
78"patches@tcpdump.org", or submitted as patches on the SourceForge site
79for tcpdump.
80
81Current versions can be found at www.tcpdump.org, or the SourceForge
82site for tcpdump.
83
84 - The TCPdump team
85
86original text by: Steve McCanne, Craig Leres, Van Jacobson
87
88-------------------------------------
89This directory also contains some short awk programs intended as
90examples of ways to reduce tcpdump data when you're tracking
91particular network problems:
92
93send-ack.awk
94 Simplifies the tcpdump trace for an ftp (or other unidirectional
95 tcp transfer). Since we assume that one host only sends and
96 the other only acks, all address information is left off and
97 we just note if the packet is a "send" or an "ack".
98
99 There is one output line per line of the original trace.
100 Field 1 is the packet time in decimal seconds, relative
101 to the start of the conversation. Field 2 is delta-time
102 from last packet. Field 3 is packet type/direction.
103 "Send" means data going from sender to receiver, "ack"
104 means an ack going from the receiver to the sender. A
105 preceding "*" indicates that the data is a retransmission.
106 A preceding "-" indicates a hole in the sequence space
107 (i.e., missing packet(s)), a "#" means an odd-size (not max
108 seg size) packet. Field 4 has the packet flags
109 (same format as raw trace). Field 5 is the sequence
110 number (start seq. num for sender, next expected seq number
111 for acks). The number in parens following an ack is
112 the delta-time from the first send of the packet to the
113 ack. A number in parens following a send is the
114 delta-time from the first send of the packet to the
115 current send (on duplicate packets only). Duplicate
116 sends or acks have a number in square brackets showing
117 the number of duplicates so far.
118
119 Here is a short sample from near the start of an ftp:
120 3.00 0.20 send . 512
121 3.20 0.20 ack . 1024 (0.20)
122 3.20 0.00 send P 1024
123 3.40 0.20 ack . 1536 (0.20)
124 3.80 0.40 * send . 0 (3.80) [2]
125 3.82 0.02 * ack . 1536 (0.62) [2]
126 Three seconds into the conversation, bytes 512 through 1023
127 were sent. 200ms later they were acked. Shortly thereafter
128 bytes 1024-1535 were sent and again acked after 200ms.
129 Then, for no apparent reason, 0-511 is retransmitted, 3.8
130 seconds after its initial send (the round trip time for this
131 ftp was 1sec, +-500ms). Since the receiver is expecting
132 1536, 1536 is re-acked when 0 arrives.
133
134packetdat.awk
135 Computes chunk summary data for an ftp (or similar
136 unidirectional tcp transfer). [A "chunk" refers to
137 a chunk of the sequence space -- essentially the packet
138 sequence number divided by the max segment size.]
139
140 A summary line is printed showing the number of chunks,
141 the number of packets it took to send that many chunks
142 (if there are no lost or duplicated packets, the number
143 of packets should equal the number of chunks) and the
144 number of acks.
145
146 Following the summary line is one line of information
147 per chunk. The line contains eight fields:
148 1 - the chunk number
149 2 - the start sequence number for this chunk
150 3 - time of first send
151 4 - time of last send
152 5 - time of first ack
153 6 - time of last ack
154 7 - number of times chunk was sent
155 8 - number of times chunk was acked
156 (all times are in decimal seconds, relative to the start
157 of the conversation.)
158
159 As an example, here is the first part of the output for
160 an ftp trace:
161
162 # 134 chunks. 536 packets sent. 508 acks.
163 1 1 0.00 5.80 0.20 0.20 4 1
164 2 513 0.28 6.20 0.40 0.40 4 1
165 3 1025 1.16 6.32 1.20 1.20 4 1
166 4 1561 1.86 15.00 2.00 2.00 6 1
167 5 2049 2.16 15.44 2.20 2.20 5 1
168 6 2585 2.64 16.44 2.80 2.80 5 1
169 7 3073 3.00 16.66 3.20 3.20 4 1
170 8 3609 3.20 17.24 3.40 5.82 4 11
171 9 4097 6.02 6.58 6.20 6.80 2 5
172
173 This says that 134 chunks were transferred (about 70K
174 since the average packet size was 512 bytes). It took
175 536 packets to transfer the data (i.e., on the average
176 each chunk was transmitted four times). Looking at,
177 say, chunk 4, we see it represents the 512 bytes of
178 sequence space from 1561 to 2048. It was first sent
179 1.86 seconds into the conversation. It was last
180 sent 15 seconds into the conversation and was sent
181 a total of 6 times (i.e., it was retransmitted every
182 2 seconds on the average). It was acked once, 140ms
183 after it first arrived.
184
185stime.awk
186atime.awk
187 Output one line per send or ack, respectively, in the form
188 <time> <seq. number>
189 where <time> is the time in seconds since the start of the
190 transfer and <seq. number> is the sequence number being sent
191 or acked. I typically plot this data looking for suspicious
192 patterns.
193
194
195The problem I was looking at was the bulk-data-transfer
196throughput of medium delay network paths (1-6 sec. round trip
197time) under typical DARPA Internet conditions. The trace of the
198ftp transfer of a large file was used as the raw data source.
199The method was:
200
201 - On a local host (but not the Sun running tcpdump), connect to
202 the remote ftp.
203
204 - On the monitor Sun, start the trace going. E.g.,
205 tcpdump host local-host and remote-host and port ftp-data >tracefile
206
207 - On local, do either a get or put of a large file (~500KB),
208 preferably to the null device (to minimize effects like
209 closing the receive window while waiting for a disk write).
210
211 - When transfer is finished, stop tcpdump. Use awk to make up
212 two files of summary data (maxsize is the maximum packet size,
213 tracedata is the file of tcpdump tracedata):
214 awk -f send-ack.awk packetsize=avgsize tracedata >sa
215 awk -f packetdat.awk packetsize=avgsize tracedata >pd
216
217 - While the summary data files are printing, take a look at
218 how the transfer behaved:
219 awk -f stime.awk tracedata | xgraph
220 (90% of what you learn seems to happen in this step).
221
222 - Do all of the above steps several times, both directions,
223 at different times of day, with different protocol
224 implementations on the other end.
225
226 - Using one of the Unix data analysis packages (in my case,
227 S and Gary Perlman's Unix|Stat), spend a few months staring
228 at the data.
229
230 - Change something in the local protocol implementation and
231 redo the steps above.
232
233 - Once a week, tell your funding agent that you're discovering
234 wonderful things and you'll write up that research report
235 "real soon now".