Packet Capture, part 3: Analysis Tools - Page 5
For normal text-based operations, there are an overwhelming number of options and possibilities. One of the most useful is the -l option. This produces a long listing of summary statistics on a connection-by-connection basis. What follows is an example of the information provided for a single brief Telnet connection:
TCP connection 2:
host c: sloan.lander.edu:1230
host d: 205.153.63.238:23
complete conn: yes
first packet: Wed Aug 11 11:23:25.151274 1999
last packet: Wed Aug 11 11:23:53.638124 1999
elapsed time: 0:00:28.486850
total packets: 160
filename: telnet.trace
     c->d:                               d->c:
     total packets:           96         total packets:           64
     ack pkts sent:           95         ack pkts sent:           64
     pure acks sent:          39         pure acks sent:          10
     unique bytes sent:      119         unique bytes sent:     1197
     actual data pkts:        55         actual data pkts:        52
     actual data bytes:      119         actual data bytes:     1197
     rexmt data pkts:          0         rexmt data pkts:          0
     rexmt data bytes:         0         rexmt data bytes:         0
     outoforder pkts:          0         outoforder pkts:          0
     pushed data pkts:        55         pushed data pkts:        52
     SYN/FIN pkts sent:      1/1         SYN/FIN pkts sent:      1/1
     mss requested:         1460 bytes   mss requested:         1460 bytes
     max segm size:           15 bytes   max segm size:          959 bytes
     min segm size:            1 bytes   min segm size:            1 bytes
     avg segm size:            2 bytes   avg segm size:           23 bytes
     max win adv:           8760 bytes   max win adv:          17520 bytes
     min win adv:           7563 bytes   min win adv:          17505 bytes
     zero win adv:             0 times   zero win adv:             0 times
     avg win adv:           7953 bytes   avg win adv:          17519 bytes
     initial window:          15 bytes   initial window:           3 bytes
     initial window:           1 pkts    initial window:           1 pkts
     ttl stream length:      119 bytes   ttl stream length:     1197 bytes
     missed data:              0 bytes   missed data:              0 bytes
     truncated data:           1 bytes   truncated data:        1013 bytes
     truncated packets:        1 pkts    truncated packets:        7 pkts
     data xmit time:      28.479 secs    data xmit time:      27.446 secs
     idletime max:        6508.6 ms      idletime max:        6709.0 ms
     throughput:               4 Bps     throughput:              42 Bps
This was produced by using tcpdump to capture all traffic into the file telnet.trace and then executing tcptrace to process the data. Here is the syntax required to produce this output:
bsd1# tcptrace -l telnet.trace
Similar output is produced for each TCP connection recorded in the trace file. Obviously, a protocol (like HTTP) that uses many different sessions may overwhelm you with output.
There is a lot more to this program than covered in this brief discussion. If your primary goal is analysis of network performance and related problems rather than individual packet analysis, this is a very useful tool.
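As an added example, not from the book or from the tcptrace project, here is a small Python parser for the two-column per-direction block of a tcptrace -l summary, with a check for the figures a practitioner reads first: truncated data (the capture snaplen was shorter than the segments, so tcptrace's byte counts come from TCP sequence numbers rather than captured payload) and the retransmission and out-of-order counters. The SAMPLE text and the field names it relies on are taken from the listing above; the caveat wording is my own.

```python
import re
# Constructed sample: an excerpt of the per-direction block printed by
# `tcptrace -l`, using figures from the Telnet trace above.
SAMPLE = """\
c->d:                               d->c:
total packets:           96         total packets:           64
unique bytes sent:      119         unique bytes sent:     1197
rexmt data pkts:          0         rexmt data pkts:          0
SYN/FIN pkts sent:      1/1         SYN/FIN pkts sent:      1/1
initial window:          15 bytes   initial window:           3 bytes
initial window:           1 pkts    initial window:           1 pkts
truncated data:           1 bytes   truncated data:        1013 bytes
truncated packets:        1 pkts    truncated packets:        7 pkts
"""
UNITS = "bytes|pkts|times|secs|ms|Bps"
FIELD = re.compile(rf"([A-Za-z/ ]+?):\s+(\S+)(?:\s+({UNITS})\b)?")

def _num(text):
    try:
        return float(text) if "." in text else int(text)
    except ValueError:
        return text  # e.g. the '1/1' of SYN/FIN pkts sent

def parse_directions(report):
    """Split the two-column block into {direction: {field: value}}."""
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    dirs = re.findall(r"(\S+->\S+):", lines[0])  # ['c->d', 'd->c']
    stats = {d: {} for d in dirs}
    for line in lines[1:]:
        pairs = FIELD.findall(line)
        if len(pairs) != len(dirs):
            raise ValueError(f"cannot split into {len(dirs)} columns: {line!r}")
        for d, (label, value, unit) in zip(dirs, pairs):
            key = label.strip()
            if key in stats[d]:  # repeated label: 'initial window' in bytes, then pkts
                key = f"{key} ({unit})"
            stats[d][key] = _num(value)
    return stats

def capture_caveats(stats):
    """Per direction, list conditions that change how the summary should be read."""
    notes = {}
    for d, s in stats.items():
        found = []
        if s.get("truncated packets", 0):
            found.append("payload truncated by snaplen; byte counts come from sequence numbers")
        if s.get("rexmt data pkts", 0) or s.get("outoforder pkts", 0):
            found.append("retransmitted or out-of-order segments present")
        notes[d] = found
    return notes
```

The same parser works on the full per-direction block of a real report; only the connection header lines (host c, first packet, and so on) need to be stripped first.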