- The TCP Stream Graph: Time sequence grap
- The flow graph: TCP flow
But my old desktop computer was not able to opening the 1Go cap file onto Wireshark.
I found another solution using tshark, tcptrace and xplot:
- tshark, used with a little shell script, is used for extracting the TCP stream
- tcptrace is used for generate all graph files in xplot format (throughput, rtt sample time sequence , owin, segsize)
- xplot is used for drawing the graph using the xplot file generated in step 2
#!/bin/sh
set -e
if [ $# -eq 0 ]; then
echo "usage:"
echo '$0 tracefile.cap ["tshark filter"]'
echo ""
echo "Example:"
echo '$0 trace.cap "ip.addr==192.168.10.10 && tcp.port==1290 && ip.addr==192.168.20.20 && tcp.port==20'
exit 0
fi
if [ ! -f $1 ]; then
echo "No input trace file found!"
exit 1
fi
echo "Generating the lists of detected TCP stream (can take a very long time depending of your trace size)..."
echo "If the next table didn't give you enough detail, try to generate more details stats with tshark:"
echo "tshark -n -r $1 -q -z conv,tcp"
echo "Stream IP src TCP port scr IP dst TCP port dst"
if [ $# -eq 2 ]; then
tshark -n -r $1 -R "$2" -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort -un
else
tshark -n -r $1 -T fields -e tcp.stream -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport | sort -un
fi
echo "Enter the stream number you want to extract (enter all for all streams):"
read streamid <&1
if [ $streamid != "all" ]; then
echo "Extracting stream ${streamid} …"
tshark -r $1 -w stream-${streamid}.cap -R "tcp.stream eq ${streamid}"
echo "Stream number ${streamid} extracted in file stream-${streamid}.cap"
else
echo "Extracting All streams"
for streamid in `tshark -n -r $1 -T fields -e tcp.stream | sort -un`
do
echo "Working on stream ${streamid} …"
tshark -r $1 -w stream-${streamid}.cap -R "tcp.stream eq ${streamid}"
done
echo "All streams were extracted in files stream-STREAM-NUMBER.cap"
fi
This script should be run like that:
[[olivier@sparc64]~/>sh extract-stream.sh solaris-slow-TCP.cap
Generating the lists of detected TCP stream (can take a very long time depending of your trace size)...
If the next table didn't give you enough detail, try to generate more details stats with tshark:
tshark -n -r solaris-slow-TCP.cap -q -z conv,tcp
Stream IP src TCP port scr IP dst TCP port dst
0 10.10.129.254 48001 10.10.142.220 31114
1 10.10.129.254 1004 10.10.142.220 513
2 10.10.142.242 2948 10.10.142.220 1521
3 10.10.142.242 3899 10.10.142.220 1521
4 10.10.142.244 3777 10.10.142.220 1521
5 10.10.142.244 3536 10.10.142.220 1521
6 10.10.142.243 3687 10.10.142.220 1521
7 10.10.142.244 4936 10.10.142.220 1521
8 10.10.142.220 1521 10.10.142.244 3569
9 10.10.142.244 1256 10.10.142.220 21
10 10.10.142.220 20 10.10.142.244 1290
11 10.10.142.158 1433 10.10.142.160 1652
12 10.10.142.245 1591 10.10.142.220 1521
13 10.10.142.158 1433 10.10.142.160 1678
14 10.10.142.244 3732 10.10.142.220 1521
15 10.10.142.158 1433 10.10.142.160 1555
16 10.10.142.158 1433 10.10.142.160 1683
17 10.10.142.158 1433 10.10.142.160 1684
10.10.142.247 10.10.142.255
Enter the stream number you want to extract (enter all for all streams):
10
Extracting stream 10 …
Stream number 10 extracted in file stream-10.cap
Generating the lists of detected TCP stream (can take a very long time depending of your trace size)...
If the next table didn't give you enough detail, try to generate more details stats with tshark:
tshark -n -r solaris-slow-TCP.cap -q -z conv,tcp
Stream IP src TCP port scr IP dst TCP port dst
0 10.10.129.254 48001 10.10.142.220 31114
1 10.10.129.254 1004 10.10.142.220 513
2 10.10.142.242 2948 10.10.142.220 1521
3 10.10.142.242 3899 10.10.142.220 1521
4 10.10.142.244 3777 10.10.142.220 1521
5 10.10.142.244 3536 10.10.142.220 1521
6 10.10.142.243 3687 10.10.142.220 1521
7 10.10.142.244 4936 10.10.142.220 1521
8 10.10.142.220 1521 10.10.142.244 3569
9 10.10.142.244 1256 10.10.142.220 21
10 10.10.142.220 20 10.10.142.244 1290
11 10.10.142.158 1433 10.10.142.160 1652
12 10.10.142.245 1591 10.10.142.220 1521
13 10.10.142.158 1433 10.10.142.160 1678
14 10.10.142.244 3732 10.10.142.220 1521
15 10.10.142.158 1433 10.10.142.160 1555
16 10.10.142.158 1433 10.10.142.160 1683
17 10.10.142.158 1433 10.10.142.160 1684
10.10.142.247 10.10.142.255
Enter the stream number you want to extract (enter all for all streams):
10
Extracting stream 10 …
Stream number 10 extracted in file stream-10.cap
Once you've get the filtered cap file, run tcptrace over it:
tcptrace -n -C -G stream-10.cap
Now, better than with Wireshark (because you can zoom in/out), here are the TCP Time sequence grap:
xplot a2b_tsg.xpl &
And the TCP flow graph:
xplot a_b_tline.xpl &
My problem is that packet are lost in the direction Solaris => Windows… I need to found where now :-)
Hey, what is sort -un function here if i don't use it i get more streams. also some sequence of numbers are not in correct order, 1-2-3-8..
RépondreSupprimerany idea? thanks for the post