From a8c35bd91ff76bb79f5e4202e72e472d2e4d897a Mon Sep 17 00:00:00 2001 From: Martin Mares Date: Thu, 19 Jun 2003 11:17:50 +0000 Subject: [PATCH] Initial README. --- README | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 README diff --git a/README b/README new file mode 100644 index 0000000..4f4f45b --- /dev/null +++ b/README 
@@ -0,0 +1,78 @@ + This is NetGrind 1.0 + + (c) 2003 Martin Mares + +This software can be freely distributed and used according to the GNU General Public License. +--------------------------------------------------------------------------------------------- + +What's that? +~~~~~~~~~~~~ + +NetGrind is an experimental tool for analysing network traffic. It processes packet dumps +captured by tcpdump (or any other libpcap application) and it's able to do: + + o Filtering of data by using libpcap filters. + o TCP demultiplexing and dumping of demultiplexed data to files + o Calculating per-connection TCP statistics + o Analysing HTTP connections and demultiplexing them to individual transactions, + calculating statistics for each transaction. + +Although some of the analysis modes are available through command-line switches, +NetGrind still misses a powerful configuration language, so the more advanced features +like analysing HTTP must be configured (and bound to the right addresses and ports) +by modifying the source, namely the mux_open() function which gets called for each +newly established TCP connection when no command-line switches are given. The example +in our source just connects HTTP analyser to all TCP connections to ports 80, 8080, 8081 +and 3128 and ignores the rest. 
+ + +TCP report syntax: +~~~~~~~~~~~~~~~~~~ + + +--- TCP overhead + bytes bytes | + source address:port destination addr:port sent received | +--- KB/s (RX+TX) + | | | | | | +2003-06-06 22:38:34.076 81.27.194.19:1165 195.113.31.123:22 1.604 OK 1991 12656 11% 8.914 + | | | +date and time of first SYN elapsed time termination status: OK = closed with FIN + RE = connection reset + TO = timeout (maybe miscaptured) + DD = doomsday (cut by end of capture) + CO = corrupted (protocol violation) + + + +HTTP report syntax: +~~~~~~~~~~~~~~~~~~~ + + + data transmitted in both directions (excluding headers) ----+ + | response delay ---+ + transaction # on this connection ---+ | [sec] | + | | | method and + cache status --+ | | duration [sec] | request URI + source address:port destination addr:port | | | | | | + | | | | | | | | +2003-06-06 22:53:38.642 81.27.194.19:1175 205.217.153.53:80 123.123.123.123 200 ... 0 14030 0.957 0.444 GET http://... + | | | +date and time of request start X-Forwarded-For HTTP response code or +(if it's the first request on a connection, ERR = HTTP violation +it's the time where the connection was initiated, CUT = connection closed before transaction finish +even if the request has been transmitted later) FIN = CONNECT request finished by connection close + Txx = TCP error xx (see above) + +Cache status codes: + + 1st char: request cacheing control . = none + N = don't cache + R = revalidate + 2nd char: response cacheability . = not restricted + (first matching letter used) N = don't cache + P = private + S = don't store to non-volatile storage + R = must be revalidated + 3rd char: cache response . = X-Cache not found + (X-Cache header, optional) - = MISS + + = HIT + ? = other -- 2.39.2
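Review bot: the README says some analysis modes are reachable through command-line switches and that the rest must be enabled by editing mux_open(), but the hunk never lists the switches or names the source file that holds mux_open(); since this is the only documented way to drive the tool, add a usage line with the available switches and state which file to edit (and quote the port test the shipped example uses for 80, 8080, 8081 and 3128) so a reader does not have to grep for it. Three smaller points in the same hunk: the X-Forwarded-For column of the HTTP report deserves a one-line caveat that the value is copied from a request header supplied by the client or an upstream proxy and is not a verified address, so it must not be read as the real origin of the request; "cacheing" in the cache status legend is a typo for "caching"; and the TO = timeout entry should say what "maybe miscaptured" means, e.g. that a gap in the capture is indistinguishable from a genuinely stalled connection, so TO lines should be treated as unreliable when the dump is known to drop packets.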