This is NetGrind 1.1 (c) 2003 Martin Mares This software can be freely distributed and used according to the GNU General Public License. --------------------------------------------------------------------------------------------- What's that? ~~~~~~~~~~~~ NetGrind is an experimental tool for analysing network traffic. It processes packet dumps captured by tcpdump (or any other libpcap application) and it's able to do: o Filtering of data by using libpcap filters. o TCP demultiplexing and dumping of demultiplexed data to files o Calculating per-connection TCP statistics o Analysing HTTP connections and demultiplexing them to individual transactions, calculating statistics for each transaction. Although some of the analysis modes are available through command-line switches, NetGrind still misses a powerful configuration language, so the more advanced features like analysing HTTP must be configured (and bound to the right addresses and ports) by modifying the source, namely the mux_open() function which gets called for each newly established TCP connection when no command-line switches are given. The example in our source just connects HTTP analyser to all TCP connections to ports 80, 8080, 8081 and 3128 and ignores the rest. You will also find a couple of postprocessing tools in the "post" directory. Thanks to Sun Microsystems Czech Republic for sponsoring the development of this project. TCP report syntax: ~~~~~~~~~~~~~~~~~~ +--- TCP overhead bytes bytes | source address:port destination addr:port sent received | +--- KB/s (RX+TX) | | | | | | 2003-06-06 22:38:34.076 81.27.194.19:1165 195.113.31.123:22 1.604 OK 1991 12656 11% 8.914 | | | date and time of first SYN elapsed time termination status: OK = closed with FIN RE = connection reset TO = timeout (maybe miscaptured) DD = doomsday (cut by end of capture) CO = corrupted (protocol violation) HTTP report syntax: ~~~~~~~~~~~~~~~~~~~ data transmitted in both directions (excluding headers) ----+ | response delay ---+ transaction # on this connection ---+ | [sec] | | | | method and cache status --+ | | duration [sec] | request URI source address:port destination addr:port | | | | | | | | | | | | | | 2003-06-06 22:53:38.642 81.27.194.19:1175 205.217.153.53:80 123.123.123.123 200 ... 0 14030 0.957 0.444 GET http://... | | | date and time of request start X-Forwarded-For HTTP response code or (if it's the first request on a connection, ERR = HTTP violation it's the time where the connection was initiated, CUT = connection closed before transaction finish even if the request has been transmitted later) FIN = CONNECT request finished by connection close Txx = TCP error xx (see above) Cache status codes: 1st char: request cacheing control . = none N = don't cache R = revalidate 2nd char: response cacheability . = not restricted (first matching letter used) N = don't cache P = private S = don't store to non-volatile storage R = must be revalidated 3rd char: cache response . = X-Cache not found (X-Cache header, optional) - = MISS + = HIT ? = other