--- /dev/null
+ This is NetGrind 1.0
+
+ (c) 2003 Martin Mares <mj@ucw.cz>
+
+This software can be freely distributed and used according to the GNU General Public License.
+---------------------------------------------------------------------------------------------
+
+What's that?
+~~~~~~~~~~~~
+
+NetGrind is an experimental tool for analysing network traffic. It processes packet dumps
+captured by tcpdump (or any other libpcap application) and it's able to do:
+
+ o Filtering of data by using libpcap filters.
+ o TCP demultiplexing and dumping of demultiplexed data to files
+ o Calculating per-connection TCP statistics
+ o Analysing HTTP connections and demultiplexing them to individual transactions,
+ calculating statistics for each transaction.
+
+Although some of the analysis modes are available through command-line switches,
+NetGrind still misses a powerful configuration language, so the more advanced features
+like analysing HTTP must be configured (and bound to the right addresses and ports)
+by modifying the source, namely the mux_open() function which gets called for each
+newly established TCP connection when no command-line switches are given. The example
+in our source just connects HTTP analyser to all TCP connections to ports 80, 8080, 8081
+and 3128 and ignores the rest.
+
+
+TCP report syntax:
+~~~~~~~~~~~~~~~~~~
+
+ +--- TCP overhead
+ bytes bytes |
+ source address:port destination addr:port sent received | +--- KB/s (RX+TX)
+ | | | | | |
+2003-06-06 22:38:34.076 81.27.194.19:1165 195.113.31.123:22 1.604 OK 1991 12656 11% 8.914
+ | | |
+date and time of first SYN elapsed time termination status: OK = closed with FIN
+ RE = connection reset
+ TO = timeout (maybe miscaptured)
+ DD = doomsday (cut by end of capture)
+ CO = corrupted (protocol violation)
+
+
+
+HTTP report syntax:
+~~~~~~~~~~~~~~~~~~~
+
+
+ data transmitted in both directions (excluding headers) ----+
+ | response delay ---+
+ transaction # on this connection ---+ | [sec] |
+ | | | method and
+ cache status --+ | | duration [sec] | request URI
+ source address:port destination addr:port | | | | | |
+ | | | | | | | |
+2003-06-06 22:53:38.642 81.27.194.19:1175 205.217.153.53:80 123.123.123.123 200 ... 0 14030 0.957 0.444 GET http://...
+ | | |
+date and time of request start X-Forwarded-For HTTP response code or
+(if it's the first request on a connection, ERR = HTTP violation
+it's the time where the connection was initiated, CUT = connection closed before transaction finish
+even if the request has been transmitted later) FIN = CONNECT request finished by connection close
+ Txx = TCP error xx (see above)
+
+Cache status codes:
+
+ 1st char: request cacheing control . = none
+ N = don't cache
+ R = revalidate
+ 2nd char: response cacheability . = not restricted
+ (first matching letter used) N = don't cache
+ P = private
+ S = don't store to non-volatile storage
+ R = must be revalidated
+ 3rd char: cache response . = X-Cache not found
+ (X-Cache header, optional) - = MISS
+ + = HIT
+ ? = other
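Review bot: the report-syntax diagrams (the blocks under "TCP report syntax:" and "HTTP report syntax:") depend on exact column alignment that does not survive in the diff as shown, so the field labels no longer line up with the sample records and a reader cannot tell, for example, which of the two numeric columns is "bytes sent" and which is "bytes received"; a numbered field list per record type (e.g. "1. date and time of first SYN  2. source address:port  3. destination addr:port ...") would document the format unambiguously and stay readable in any viewer. Two smaller documentation gaps in the same hunk: the termination-status legend says "TO = timeout (maybe miscaptured)" without stating what the timeout is or whether it is configurable, and the "What's that?" paragraph tells the user to edit mux_open() to enable HTTP analysis without naming the source file it lives in or noting that the port list (80, 8080, 8081, 3128) is the shipped default.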