tdg: TcpDump Grapher

1. tcpdump -w filename.trace -i interface -s 100 host sender and host receiver
   Sniffs traffic on interface, saving 100 bytes of the header for all traffic between sender and receiver, saving the output to a file named filename.trace.
2. tcpdump -r filename.trace -n > filename.txt
   Reads the tracefile named filename.trace, not resolving IP addresses to hostnames, saving the output to a textfile named filename.txt.
3. tdg filename.txt sender acker [sack] [rwin] | xgraph
   Produce text output from filename.txt in the form of an xgraph input file. sender and acker are the IP address or name (and optionally, the port number), as they appear in the filename.txt file. Graphs show sequence numbers of data packets and ack packets over time. Only data packets from the sender to the acker are displayed, while ACK packets from the acker to the sender are displayed. If the option sack is included, SACK blocks will be displayed in the graph. If the option rwin is included, the receiver's advertised window will be displayed, as well.

X axis

The left edge of the X axis begins with the number of seconds that the trace is offset within the first minute. The seconds increase above 60 to the right when the trace continues to run beyond the first minute boundary. One annoyance (bug) is that traces that cross an hour boundary wrap in time. The wrap is not pretty, with the left edge of the graph sometimes showing up near -3500 seconds.

Y axis

As mentioned above, the Y axis represents sequence numbers. The relevance to each data set follows.

Sequence

The sequence number of the last byte of each data packet is plotted. (Technically, it is the first byte of the next packet to be sent that is displayed.) The sequence numbers will increase monotonically unless there are reordered or retransmitted packets.

Ack

As acknowledgement packets confirm receipt of data packets, the sequence number of the packet that has been acknowledged is displayed. (Technically, it is the first byte of the next packet expected that is displayed.)

SACK Start/End

For connections that are using Selective Acknowledgements, the beginning and end of blocks of data that have been received out of order (indicating possible losses) are displayed. This data set is produced if the sack command-line option is included.

Rwin

Using the advertised window in ACK packets, calculate the highest sequence number that the sender is allowed to send to the receiver. If the sequence numbers of data packets advance to the value of rwin and stop, then the connection is receive-window limited at that point. The data set is produced if the rwin command-line option is included.

|   Networking  |   Feedback  |   Home

This material is based in whole or in part on work supported by the National Science Foundation under Grant Nos. 9415552, 9870758, 9720674, or 9711091. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF).