mj.ucw.cz Git - netgrind.git/blob - README
TODO: A note on IPv6
                                    This is NetGrind 1.1

                              (c) 2003 Martin Mares <mj@ucw.cz>

This software can be freely distributed and used according to the GNU General Public License.
---------------------------------------------------------------------------------------------

What's that?
~~~~~~~~~~~~

NetGrind is an experimental tool for analysing network traffic. It processes packet dumps
captured by tcpdump (or any other libpcap application) and it can:

   o  Filter data using libpcap filters.
   o  Demultiplex TCP connections and dump the demultiplexed data to files.
   o  Calculate per-connection TCP statistics.
   o  Analyse HTTP connections, demultiplex them into individual transactions and
      calculate statistics for each transaction.

Although some of the analysis modes are available through command-line switches,
NetGrind still lacks a powerful configuration language, so the more advanced features
like HTTP analysis must be configured (and bound to the right addresses and ports)
by modifying the source, namely the mux_open() function, which is called for each
newly established TCP connection when no command-line switches are given. The example
in our source just connects the HTTP analyser to all TCP connections to ports 80, 8080, 8081
and 3128 and ignores the rest.

You will also find a couple of postprocessing tools in the "post" directory.

Thanks to Sun Microsystems Czech Republic for sponsoring the development of this project.


TCP report syntax:
~~~~~~~~~~~~~~~~~~

                                                                                                    +--- TCP overhead
                                                                                    bytes  bytes    |
                        source address:port   destination addr:port                 sent   received |      +--- KB/s (RX+TX)
                          |                     |                                     |       |     |      |
2003-06-06 22:38:34.076 81.27.194.19:1165     195.113.31.123:22          1.604 OK    1991   12656  11%  8.914
  |                                                                       |    |
date and time of first SYN                                      elapsed time  termination status:  OK = closed with FIN
                                                                                                   RE = connection reset
                                                                                                   TO = timeout (maybe miscaptured)
                                                                                                   DD = doomsday (cut by end of capture)
                                                                                                   CO = corrupted (protocol violation)


HTTP report syntax:
~~~~~~~~~~~~~~~~~~~


                                                 data transmitted in both directions (excluding headers) ----+
                                                                                                             |   response delay ---+
                                                                  transaction # on this connection ---+      |       [sec]         |
global                                                                                                |      |                     |   method and
transaction ID                                                                    cache status --+    |      |   duration [sec]    |   request URI
  |                     source address:port   destination addr:port                              |    |      |         |           |    |
  |                               |                     |                                        |    |      |         |           |    |
000001 2003-06-06 22:53:38.642 81.27.194.19:1175     205.217.153.53:80     123.123.123.123 200 ....   0    14030      0.957      0.444 GET http://...
         |                                                                         |         |
       date and time of request start                                    X-Forwarded-For    HTTP response code or
       (if it's the first request on a connection,                                          ERR = HTTP violation
       it's the time where the connection was initiated,                                    CUT = connection closed before transaction finish
       even if the request has been transmitted later)                                      FIN = CONNECT request finished by connection close
                                                                                            Txx = TCP error xx (see above)

Cache status codes:

        1st char: request caching control       . = none
        (first matching letter used)            N = don't cache
                                                R = revalidate
                                                c = conditional request (If-Modified-Since, If-Match)

        2nd char: response cacheability         . = not restricted
        (first matching letter used)            N = don't cache
                                                P = private
                                                S = don't store to non-volatile storage
                                                X = already expired
                                                V = "Vary:" header present
                                                R = must be revalidated
                                                E = short expiration time (less than 5min)
                                                L = long expiration time (5min or more)
                                                lowercase version = as above, but would still be cached by an HTTP/1.0 cache

        3rd char: response validator            . = none
                                                E = ETag
                                                W = weak ETag
                                                L = Last-Modified

        4th char: cache response                . = X-Cache not found
        (X-Cache header, optional)              - = MISS
                                                + = HIT
                                                ? = other
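Both report formats above are whitespace-separated, so they are easy to post-process. The following Python is an added example, not one of NetGrind's own "post" tools: it parses TCP and HTTP report lines laid out as in the two diagrams above and expands the four-character cache status field. The sample lines are constructed (the README's two example lines, with a made-up URI in place of the abbreviated one, plus one extra line of each kind), and the record, field and function names are this example's own.

```python
"""Parse NetGrind TCP and HTTP report lines and decode the cache status field.
Added example, not code from NetGrind itself: it follows the two report layouts
documented above; record, field and function names are this example's own."""
from collections import namedtuple
from datetime import datetime

# Termination status codes of the TCP report (they reappear as Txx in HTTP reports).
TCP_STATUS = {"OK": "closed with FIN", "RE": "connection reset",
              "TO": "timeout (maybe miscaptured)",
              "DD": "doomsday (cut by end of capture)",
              "CO": "corrupted (protocol violation)"}
# Non-numeric values of the HTTP report's status column.
HTTP_SPECIAL = {"ERR": "HTTP violation",
                "CUT": "connection closed before transaction finish",
                "FIN": "CONNECT request finished by connection close"}
# The four positions of the cache status field, in order.
CACHE_REQUEST = {".": "none", "N": "don't cache", "R": "revalidate",
                 "c": "conditional request"}
CACHE_RESPONSE = {".": "not restricted", "N": "don't cache", "P": "private",
                  "S": "don't store to non-volatile storage", "X": "already expired",
                  "V": "Vary: header present", "R": "must be revalidated",
                  "E": "short expiration time (less than 5min)",
                  "L": "long expiration time (5min or more)"}
CACHE_VALIDATOR = {".": "none", "E": "ETag", "W": "weak ETag", "L": "Last-Modified"}
CACHE_XCACHE = {".": "X-Cache not found", "-": "MISS", "+": "HIT", "?": "other"}

# Columns of the two reports, in the order they are printed.
TcpRecord = namedtuple("TcpRecord", "start src dst elapsed status sent received "
                       "overhead_pct kbps")
HttpRecord = namedtuple("HttpRecord", "txid start src dst xff status cache "
                        "txn_on_conn data_bytes duration delay method uri")

def _timestamp(date, time):
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S.%f")

def parse_tcp_line(line):
    """date time src dst elapsed status sent received overhead% KB/s"""
    f = line.split()
    if len(f) != 10:
        raise ValueError("TCP report line has %d fields, expected 10" % len(f))
    if f[5] not in TCP_STATUS:
        raise ValueError("unknown termination status %r" % f[5])
    return TcpRecord(_timestamp(f[0], f[1]), f[2], f[3], float(f[4]), f[5],
                     int(f[6]), int(f[7]), int(f[8].rstrip("%")), float(f[9]))

def parse_http_line(line):
    """id date time src dst xff status cache txn# bytes duration delay method uri"""
    f = line.split(None, 13)   # the URI is the 14th field; keep it whole
    if len(f) != 14:
        raise ValueError("HTTP report line has %d fields, expected 14" % len(f))
    describe_http_status(f[6])  # both raise ValueError on an unknown code
    decode_cache_status(f[7])
    return HttpRecord(int(f[0]), _timestamp(f[1], f[2]), f[3], f[4], f[5], f[6],
                      f[7], int(f[8]), int(f[9]), float(f[10]), float(f[11]),
                      f[12], f[13])

def describe_http_status(status):
    """Meaning of the status column: a response code, ERR/CUT/FIN, or Txx."""
    if status.isdigit():
        return "HTTP " + status
    if status in HTTP_SPECIAL:
        return HTTP_SPECIAL[status]
    if len(status) == 3 and status[0] == "T" and status[1:] in TCP_STATUS:
        return "TCP error: " + TCP_STATUS[status[1:]]
    raise ValueError("unknown HTTP status %r" % status)

def decode_cache_status(code):
    """Expand a 4-character cache status such as 'cpL+' into its meanings."""
    if len(code) != 4:
        raise ValueError("cache status must be 4 characters: %r" % code)
    req, resp, val, xc = code
    # A lowercase response letter is the same restriction, but one an HTTP/1.0
    # cache does not understand, so such a cache would still store the response.
    try:
        return {"request": CACHE_REQUEST[req],
                "response": CACHE_RESPONSE[resp.upper()],
                "cached_by_http10": resp.islower(),
                "validator": CACHE_VALIDATOR[val],
                "x_cache": CACHE_XCACHE[xc]}
    except KeyError as e:
        raise ValueError("unknown letter %s in cache status %r" % (e, code))

def parse_report(text, parse_line):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample input: the README's example lines (the HTTP one with a
# made-up URI, since the README abbreviates it) plus one extra line of each kind.
TCP_SAMPLE = """
2003-06-06 22:38:34.076 81.27.194.19:1165     195.113.31.123:22          1.604 OK    1991   12656  11%  8.914
2003-06-06 22:38:40.500 81.27.194.19:1166     195.113.31.123:80          0.250 RE     512    3072  18%  14.000
"""
HTTP_SAMPLE = """
000001 2003-06-06 22:53:38.642 81.27.194.19:1175     205.217.153.53:80     123.123.123.123 200 ....   0    14030      0.957      0.444 GET http://example.com/index.html
000002 2003-06-06 22:53:40.101 81.27.194.19:1176     205.217.153.53:80     123.123.123.123 TRE cpL+   1     4096      0.120      0.050 GET http://example.com/style.css
"""
```

Run it under python -i and call parse_report(HTTP_SAMPLE, parse_http_line): a Txx status is mapped back to the TCP termination table, so a transaction that ended in a reset is described as "TCP error: connection reset", and a lowercase second cache letter is reported with cached_by_http10 set. Lines with an unexpected field count or an unknown code raise ValueError rather than being silently misread.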
93         (X-Cache header, optional)              - = MISS
94                                                 + = HIT
95                                                 ? = other