jeudi, août 12, 2010

TCP flow analysis with tshark, tcptrace and xplot

Troubleshooting bad TCP performance between old Windows 2003 SP1 servers and a Sun Solaris 8, my only goal was to generate some TCP flow graph with Wireshark :
  1. The TCP Stream Graph: Time sequence grap


  2. The flow graph: TCP flow


But my old desktop computer was not able to opening the 1Go cap file onto Wireshark.
I found another solution using tshark, tcptrace and xplot:
  1. tshark, used with a little shell script, is used for extracting the TCP stream
  2. tcptrace is used for generate all graph files in xplot format (throughput, rtt sample time sequence , owin, segsize)
  3. xplot is used for drawing the graph using the xplot file generated in step 2
Here the shell script used for extracting the TCP stream:

#!/bin/sh
set -e
if [ $# -eq 0 ]; then
        echo "usage:"
        echo '$0 tracefile.cap ["tshark filter"]'
        echo ""
        echo "Example:"
        echo '$0 trace.cap "ip.addr==192.168.10.10 && tcp.port==1290 && ip.addr==192.168.20.20 && tcp.port==20'
        exit 0
fi
if [ ! -f $1 ]; then
    echo "No input trace file found!"
    exit 1
fi
echo "Generating the lists of detected TCP stream (can take a very long time depending of your trace size)..."
echo "If the next table didn't give you enough detail, try to generate more details stats with tshark:"
echo "tshark -n -r $1 -q -z conv,tcp"
echo "Stream    IP src TCP port scr IP dst TCP port dst"

if [ $# -eq 2 ]; then
    tshark -n -r $1 -R "$2" -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort -un
else
    tshark -n -r $1 -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort -un
fi

echo "Enter the stream number you want to extract (enter all for all streams):"
read streamid <&1
if [ $streamid != "all" ]; then
    echo "Extracting stream ${streamid} …"
    tshark -r $1 -w stream-${streamid}.cap -R "tcp.stream eq ${streamid}"
    echo "Stream number ${streamid} extracted in file stream-${streamid}.cap"
else
    echo "Extracting All streams"
    for streamid in `tshark -n -r $1 -T fields -e tcp.stream | sort -un`
    do
        echo "Working on stream ${streamid} …"
        tshark -r $1 -w stream-${streamid}.cap -R "tcp.stream eq ${streamid}"
    done
    echo "All streams were extracted in files stream-STREAM-NUMBER.cap"
fi


This script should be run like that:

[[olivier@sparc64]~/>sh extract-stream.sh solaris-slow-TCP.cap
Generating the lists of detected TCP stream (can take a very long time depending of your trace size)...
If the next table didn't give you enough detail, try to generate more details stats with tshark:
tshark -n -r solaris-slow-TCP.cap -q -z conv,tcp
Stream    IP src TCP port scr IP dst TCP port dst
0       10.10.129.254   48001   10.10.142.220   31114
1       10.10.129.254   1004    10.10.142.220   513
2       10.10.142.242   2948    10.10.142.220   1521
3       10.10.142.242   3899    10.10.142.220   1521
4       10.10.142.244   3777    10.10.142.220   1521
5       10.10.142.244   3536    10.10.142.220   1521
6       10.10.142.243   3687    10.10.142.220   1521
7       10.10.142.244   4936    10.10.142.220   1521
8       10.10.142.220   1521    10.10.142.244   3569
9       10.10.142.244   1256    10.10.142.220   21
10      10.10.142.220   20      10.10.142.244   1290
11      10.10.142.158   1433    10.10.142.160   1652
12      10.10.142.245   1591    10.10.142.220   1521
13      10.10.142.158   1433    10.10.142.160   1678
14      10.10.142.244   3732    10.10.142.220   1521
15      10.10.142.158   1433    10.10.142.160   1555
16      10.10.142.158   1433    10.10.142.160   1683
17      10.10.142.158   1433    10.10.142.160   1684
        10.10.142.247           10.10.142.255
Enter the stream number you want to extract (enter all for all streams):
10
Extracting stream 10 …
Stream number 10 extracted in file stream-10.cap



Once you've get the filtered cap file, run tcptrace over it:

tcptrace -n -C -G stream-10.cap

Now, better than with Wireshark (because you can zoom in/out), here are the TCP Time sequence grap:
xplot a2b_tsg.xpl &



 And the TCP flow graph:

 xplot a_b_tline.xpl &


My problem is that packet are lost in the direction Solaris => Windows… I need to found where now :-)
Enregistrer un commentaire