Discussion: measuring "flows-in-progress" over an interval
Dave Taht
2018-07-30 18:11:12 UTC
Of mice, elephants, ants, and lemmings....

I frequently take packet captures to look at actual traffic on my
production network, then look at them in Wireshark or take them apart
via tcptrace. Eyeballing gives one measurement. Tcptrace gives me a
measurement of how many TCP flows were present over that interval, and
completed, but not UDP. We can't easily measure UDP QUIC traffic for
"completion", but we can look at peaks and valleys and the actual
presence of that "flow". DNS, and a zillion other sorts of
transactions (even ARP), to me, count as one- or two-packet flows.

Is there a tool out there that can pull out active flows of all sorts
from a cap?

somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190

There was a classic one (early 90s) on self similar behavior that I
cannot remember just now. Used to cite it....
--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
Kathleen Nichols
2018-07-30 22:18:33 UTC
If you do not find a tool, you might try building your own. Using
libtins http://libtins.github.io/ makes it much easier to build C++
programs that operate on sniffed packets than it used to be. I used it
in pping https://github.com/pollere/pping and connmon for TCP flows and
in some non-public stuff to try to figure out things about UDP "flows".
You (or some student you can motivate) could use that code as a starting
point but inspect a wider range of packet types.

Kathie
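The two posts above ask for a tool that pulls active flows of all sorts out of a capture and counts how many are in progress over an interval, and suggest building one. The following is an added example written for this thread, not code from the list, from libtins or from pping: a dependency-free Python flow extractor that keys TCP/UDP 5-tuples, other IPv4 protocols and ARP request/reply pairs direction-independently, splits a reused key on an idle gap (so two DNS lookups from the same port a minute apart are two flows), and then counts how many flow lifetimes overlap each interval-wide bin. It reads classic little-endian libpcap framing only; the sample capture, its addresses, ports and timings are constructed inline.

```python
"""Flows-in-progress per interval from a classic libpcap file (added example)."""
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from little-endian pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap (magic a1b2c3d4) handled")
    off = 24  # global header length
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """Direction-independent flow key for one Ethernet frame, or None if unknown."""
    if len(frame) < 14:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_ARP and len(frame) >= 42:
        # ARP sender/target protocol addresses: a request/reply pair is one flow.
        return ("arp",) + tuple(sorted([frame[28:32], frame[38:42]]))
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto, src, dst = frame[23], frame[26:30], frame[30:34]
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        name = "tcp" if proto == PROTO_TCP else "udp"
        return (name,) + tuple(sorted([(src, sport), (dst, dport)]))
    return ("ip", proto) + tuple(sorted([src, dst]))  # ICMP, GRE, ... keyed by host pair


def extract_flows(data, idle_timeout=30.0):
    """Return [(key, first_ts, last_ts, packets)]; a gap > idle_timeout on the
    same key starts a new flow (e.g. a reused DNS source port is a new transaction)."""
    flows, latest = [], {}
    for ts, frame in parse_pcap(data):
        key = flow_key(frame)
        if key is None:
            continue
        idx = latest.get(key)
        if idx is not None and ts - flows[idx][2] <= idle_timeout:
            k, first, _last, n = flows[idx]
            flows[idx] = (k, first, ts, n + 1)
        else:
            latest[key] = len(flows)
            flows.append((key, ts, ts, 1))
    return flows


def flows_in_progress(flows, interval):
    """Map bin index -> flows whose [first, last] lifetime overlaps the bin
    [t0 + i*interval, t0 + (i+1)*interval).  A one-packet flow (ARP, a lone DNS
    query) lands in exactly one bin; a long TCP flow is counted in every bin it spans."""
    if not flows:
        return {}
    t0 = min(first for _k, first, _l, _n in flows)
    counts = defaultdict(int)
    for _key, first, last, _n in flows:
        i = int((first - t0) // interval)
        while t0 + i * interval <= last:
            counts[i] += 1
            i += 1
    return dict(counts)


# ---- constructed sample capture (addresses, ports and timings are made up) ----
def _eth(ethertype, payload):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _udp(sport, dport, payload=b"\x00" * 12):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport):  # minimal 20-byte header, ACK flag, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)

def _arp_request(sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + bytes.fromhex("001122334455")
            + sender_ip + bytes(6) + target_ip)

def build_sample_pcap():
    """One 2.6 s TCP flow, two DNS transactions and one ARP request: 4 flows."""
    host, server, resolver = bytes([10, 0, 0, 2]), bytes([93, 184, 216, 34]), bytes([10, 0, 0, 1])
    frames = [
        (0.000, _eth(ETH_ARP, _arp_request(host, resolver))),
        (0.010, _eth(ETH_IPV4, _ipv4(PROTO_UDP, host, resolver, _udp(53021, 53)))),
        (0.030, _eth(ETH_IPV4, _ipv4(PROTO_UDP, resolver, host, _udp(53, 53021)))),
        (0.100, _eth(ETH_IPV4, _ipv4(PROTO_TCP, host, server, _tcp(40000, 443)))),
        (1.500, _eth(ETH_IPV4, _ipv4(PROTO_TCP, server, host, _tcp(443, 40000)))),
        (2.200, _eth(ETH_IPV4, _ipv4(PROTO_UDP, host, resolver, _udp(53022, 53)))),
        (2.210, _eth(ETH_IPV4, _ipv4(PROTO_UDP, resolver, host, _udp(53, 53022)))),
        (2.700, _eth(ETH_IPV4, _ipv4(PROTO_TCP, host, server, _tcp(40000, 443)))),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    flows = extract_flows(build_sample_pcap())
    for key, first, last, n in flows:
        print(f"{key[0]:4s} {first:6.3f}..{last:6.3f} {n} pkts")
    print("flows in progress per 1 s bin:", flows_in_progress(flows, 1.0))
```

On the constructed capture, 1-second bins give 3 flows in progress in the first second (ARP, the first DNS transaction and the TCP flow), 1 in the second (TCP only) and 2 in the third (TCP plus the second DNS transaction). The idle timeout is the knob that decides what "one flow" means for connectionless traffic: dropping it to 1 second splits the same TCP conversation into three flows, which is the kind of artefact to watch for when comparing counts from different tools. For a real capture, replace build_sample_pcap() with the file's bytes, and note that pcapng or big-endian pcap files need a different reader.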
Dave Taht
2018-07-30 22:44:15 UTC
That looks nice. Thank you. Among other packet parsing problems we've
long had is tearing apart radiocaps.

https://github.com/mfontanini/libtins/blob/master/tests/src/radiotap_test.cpp
_______________________________________________
Bloat mailing list
https://lists.bufferbloat.net/listinfo/bloat