What is TCPtrace ?
|Wireshark wins over TCPtrace on GUI|
So TCPtrace takes the output file from TCPdump as an input and it then outputs useful information and graphs.
How do I get TCPtrace ?I downloaded it from the Ubuntu repositories using the typical 'sudo apt-get install tcptrace'. If this is not possible you can download it from here.
How do I input a TCPdump file to TCPtrace ?You can call TCPtrace with a TCPdump file using 'tcptrace <my-file>' where my-file is the name of the file outputted by TCPdump. For example you could do something like:
$ sudo tcpdump -v -i wlan0 -w my_tcpdump_output -c 100
$ tcptrace my_tcpdump_output
The above will run TCPdump and create the output file called "my_tcpdump_output", this file is then passed as a argument to the TCPtrace tool
How do i interpret the basic TCPtrace output ?The structure of the output is (in order from the top) :
- 1st line returns the name of the TCPdump output file that TCPtrace is currently analyzing
- Then it printed the version of TCPtrace and then this version was last compiled
- The next line states the number of packets seen and the number of those which were TCP
- The following line gives the elapsed wallclock time, this is the time TCPtrace took to process the file and it then gives the average number of packets processed by TCPtrace per second
- The following line gives the trace file elasped time, this is the time between the capture of the first packet and the last packet in the file
- The sequential lines contain information on each TCP connection
- First it gives the address and ports of the two machines involved in the connection
- Then is the label given to this connection by TCPtrace is printed in parenthesis
- The number proceeding '>' is the number of packets seen in the first host to second host direction
- The number proceeding '<' is the number of packets seen in the second host to the first host direction
- Then the connection is labelled with '(complete)' or '(reset)', with the connection being labelled as complete if SYN and FIN packets were seen
When using TCPdump, you can see more detailed output using the '-v' option but with TCPtrace you can see more detailed output using the '-l' option.
When adding options to TCPtrace, you need to ensure the you place the extra options before the name of the input file and after the tool name.
When viewing the output from the long mode (when -l is the option) then all information is labelled. I'm now going to explain each label given in long output (warning .. this might take a while):
Packets and ACKS
- total packets - number of packets sent in that specific direction
- ack pkts sent - number of ACKs sent in that direction
- pure acks sent - number of ACK sent without data and the SYN,FIN&RST not set
- sack pkts sent - number of selective ACKs sent in that direction
- dsack pkts sent - number of duplicate selective ACKs sent in that direction
- max sack blks/ack - maximum number of selective ACK blocks seen in any selective ACK packet
- unique bytes sent - total number of bytes sent excluding retransmittions
- actual data pkts - total number of packet with at least 1 byte of TCP payload
- actual data bytes - total number of bytes seen including retransmittion
- rexmt data pkts - total number of packets that where retransmittions
- rexmt data bytes - total number of bytes of data that where retransmittions
- zxnd probe pkts - total number of window probe packets seen
- zxnd probe bytes - total number of bytes sent in window probe packets
- outoforder pkts - number of packets that arrived out of order
- pushed data pkts - number of packets with the PUSH bit set, this means that the buffered data should be sent to the receiving application
- SYN/FIN pkts sent - number of packets with SYN or FIN bits set
etc... (sorry I hate leaving things half done, but I really wanted to move on, its in my to-do list)