SUMMARY: protocol analysis--how to tell if a particular packet is "bad" ie. a retrans or out of seq.

From: J Beck (jbeck@dolsun.dol.state.nj.us)
Date: Thu Aug 31 2000 - 19:11:45 CDT


QUESTION:
when looking at snoop output, does anyone have any suggestions, filters,
reporting programs to sift through this data.
I must say that I've learned a good bit about tcp/ip by not having such a
utility, but now I have to start putting something together to be able to
parse through snoop output.
do I need to get granular and look at the actual ack nums and seq nums and
lengths and whatnot; and put together something in perl or something or does
such a utility exist.

RESPONSES: [ thanks very much for the feedback ]

Don't know if this will help, but netstat -s output displays counters like
this:

UDP
        udpInDatagrams = 702 udpInErrors = 0
        udpOutDatagrams = 790

TCP tcpRtoAlgorithm = 4 tcpRtoMin = 200
        tcpAttemptFails = 12 tcpEstabResets = 8
        tcpOutDataSegs =174430 tcpOutDataBytes =162744912
        tcpRetransSegs = 1 tcpRetransBytes = 1
        tcpOutAck = 18004 tcpOutAckDelayed = 3235
        tcpInSegs =124808
        tcpInAckSegs =100535 tcpInAckBytes =162744948
        tcpInInorderSegs = 49169 tcpInInorderBytes =4341698
        tcpInUnorderSegs = 0 tcpInUnorderBytes = 0
        tcpInDupSegs = 0 tcpInDupBytes = 0
        ........
        ........
        ........
IP ipForwarding = 2 ipDefaultTTL = 255
        ipInAddrErrors = 0 ipInCksumErrs = 0
        ipInUnknownProtos = 0 ipInDiscards = 0
        ipInDelivers =125504 ipOutRequests =193270
        ipOutDiscards = 0 ipOutNoRoutes = 0
        ipReasmTimeout = 60 ipReasmReqds = 0
        tcpInErrs = 0 udpNoPorts = 44884
        udpInCksumErrs = 0 udpInOverflows = 0
        rawipInOverflows = 0
        .........
        .........
        .........

And so on including stats for ICMP (ping) and IGMP (multicast) protocols.
I cut a bunch of it out. Hope it helps.

Regards,

Jim Taylor

----
go get ethereal (ethereal.zing.org).  it is a powerful protocol analyzer
that has both a gui and cli.  it requires GNOME to build, but the command
line will run without it.  (ideally, you can throw it on an inexpensive
linux laptop and have yourself a grand ol' time.)

-pate

& Mike Michael P. Sullivan

many suggested this prod ---

my recommendation is to just use snort. it's at www.snort.org.

hope this helps, -john

john benjamins johnb@soliton.com

---

I have no affiliation with this product. I think it is about $1k.

You may want to have a look at it.

-----------------------------------------------------------------
If you had trouble downloading or have any questions regarding our products, please don't hesitate to contact us at support@net3group.com.

For ordering any of our products, please consult our web site for more information at http://www.net3group.com/.

Best Regards, Net3 Group, Inc. http://www.net3group.com/

Regards, Jim

---

Start to look at something like NFR (www.nfr.net) and if you have the correct Cisco router/switch kit, take a look at cflowd (www.caida.org under tools...)

Greetz Hendrik

---

---

One thing that I would check in the snoop man page/documentation is the packet dropping ratio. If packets could be dropped, then you need to handle it in your parser, or you could think you are looking at some problem.

ciao benedetto
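Two points in this thread call for the same piece of code: Joe's question about whether he has to look at the actual seq/ack numbers and lengths to spot a retransmission or out-of-sequence segment, and benedetto's warning that a capture in which snoop itself dropped packets can look like a network problem. The script below is an added example, not code from the thread, from snoop or from any of the tools mentioned. It works on constructed lines written in the style of snoop's one-line summary output (the exact field layout is an assumption). Per direction of each connection it tracks the next expected sequence number, flags a segment that jumps ahead as a hole, treats a later segment that fills a recorded hole as out-of-order data rather than a re-send, and flags anything else below the expectation as a retransmission. Holes that are never filled are listed separately, because those are exactly the cases where snoop's own dropped-packet count has to be checked before blaming the network.

```python
import re

# Constructed sample in the style of snoop's one-line summary output
# (assumed layout: "src -> dst TCP D=port S=port [flags] [Ack=n] Seq=n Len=n Win=n").
SAMPLE_SNOOP = """\
client -> server TCP D=22 S=40001 Syn Seq=1000 Len=0 Win=8760
server -> client TCP D=40001 S=22 Syn Ack=1001 Seq=5000 Len=0 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1001 Len=0 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1001 Len=100 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1101 Len=100 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1101 Len=100 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1401 Len=100 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1201 Len=200 Win=8760
client -> server TCP D=22 S=40001 Ack=5001 Seq=1801 Len=50 Win=8760
"""

LINE_RE = re.compile(
    r"(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+)"
    r"(?P<flags>(?: (?:Syn|Fin|Push|Rst|Urg))*)"
    r"(?: Ack=(?P<ack>\d+))? Seq=(?P<seq>\d+) Len=(?P<len>\d+)"
)


def _fill_hole(holes, seq, end):
    """Carve [seq, end) out of the first recorded hole that fully contains it.

    Returns True if the segment filled (part of) a hole, i.e. it is data that
    arrived late or that snoop saw out of order, not a re-send of known data.
    """
    for i, (h0, h1) in enumerate(holes):
        if h0 <= seq and end <= h1:
            rest = [(h0, seq)] if seq > h0 else []
            if end < h1:
                rest.append((end, h1))
            holes[i:i + 1] = rest
            return True
    return False


def analyze(lines):
    """Classify each data-carrying segment per direction.

    Returns {"findings": [(line_no, verdict, flow, seq, end)], "unfilled": [(flow, start, end)]}
    where verdict is "retrans", "hole" (jump past the expected seq) or "late"
    (fills an earlier hole). 32-bit sequence wraparound is ignored here for
    brevity; a parser run on real traces must handle it.
    """
    flows = {}       # flow key -> {"next": expected seq, "holes": [(start, end), ...]}
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # not a TCP summary line (UDP, ARP, ICMP, ...)
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        seq, length = int(m["seq"]), int(m["len"])
        span = length + (1 if "Syn" in m["flags"] else 0)   # SYN consumes one sequence number
        if span == 0:
            continue                        # pure ACK: nothing to place in the byte stream
        end = seq + span
        st = flows.setdefault(flow, {"next": None, "holes": []})
        if st["next"] is None:              # first segment seen for this direction
            st["next"] = end
            continue
        if seq == st["next"]:
            st["next"] = end                # in order: advance the expectation
            continue
        if seq > st["next"]:
            st["holes"].append((st["next"], seq))   # bytes not seen yet
            st["next"] = end
            verdict = "hole"
        elif _fill_hole(st["holes"], seq, end):
            verdict = "late"                # filled a hole: out-of-order, not a retransmission
        else:
            verdict = "retrans"             # overlaps data already seen with no hole to fill
        findings.append((line_no, verdict, flow, seq, end))
    # Holes that never close are either real loss or snoop dropping packets:
    # compare against snoop's own dropped-packet count before blaming the network.
    unfilled = [(flow, h0, h1) for flow, st in flows.items() for h0, h1 in st["holes"]]
    return {"findings": findings, "unfilled": unfilled}


if __name__ == "__main__":
    result = analyze(SAMPLE_SNOOP.splitlines())
    for line_no, verdict, flow, seq, end in result["findings"]:
        print(f"line {line_no}: {verdict:8} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} seq {seq}-{end}")
    for flow, h0, h1 in result["unfilled"]:
        print(f"unfilled hole {h0}-{h1} in {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} (check snoop drops)")
```

On the constructed sample, the sixth line (a repeat of Seq=1101) is reported as a retransmission, the seventh (Seq=1401, jumping past 1201) opens a hole, the eighth (Seq=1201 Len=200) closes it and is reported as late rather than retransmitted, and the ninth opens a hole that nothing fills, which is the case benedetto's caveat is about. The same bookkeeping can be fed from `snoop -i capture.file` output once the field layout is confirmed against the local snoop version.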

---

I'd highly recommend tcptrace (http://jarok.cs.ohiou.edu/software/tcptrace/)

I've been using it for the last couple of weeks, and it does a pretty good job of summarizing stuff.

Jason

---

-----Original Message-----
From: Beck, Joe
Sent: Wednesday, August 30, 2000 12:40 PM
To: sun-managers@sunmanagers.ececs.uc.edu
Subject: protocol analysis--how to tell if a particular packet is "bad" ie. a retrans or out of seq.

when looking at snoop output, does anyone have any suggestions, filters, reporting programs to sift through this data. I must say that I've learned a good bit about tcp/ip by not having such a utility, but now I have to start putting something together to be able to parse through snoop output. do I need to get granular and look at the actual ack nums and seq nums and lengths and whatnot; and put together something in perl or something or does such a utility exist.

any suggestions greatly welcomed, we do have a sniffer that our OIT/wan group purchased; but that requires a cost & a good amt of planning...i'd like to have something I can do/use on my own

thanks, joe
________________________________________________________
Joe Beck
Unix Administrator/Tax Redesign Project
jbeck@dol.state.nj.us
voice: (609)292-5785




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT