tcpdump/tcptrace

Quick Summary:

Sample Use:

tcpdump -i ethN -s 100 -w /tmp/tcpdump.out host hostname
tcptrace -Sl /tmp/tcpdump.out
xplot /tmp/a2b_tsg.xpl

Details

TCP hides performance related details from the user.  While tools like web100 and web10G can expose the underlying behavior in the TCP stack for a given flow, these require modifications to the kernel and specialized tools to extract the data during a performance test.  The act of capturing packets from a test, through tools like tcpdump, can reveal all of the nuances of a particular data transfer such as the behavior of the data and acknowledgment stream (and if duplication, retransmission, or packet ordering issues have occurred) as well as behavior related to the window advertisement procedure.  After a packet trace is captured between hosts participating in a performance test, tools such as tcptrace can be used to analyze the behavior of the flow.  In addition to printing a summary of behavior, tcptrace can output files suitable for use with the xplot tool.

The following sections outline the use of these tools in debugging network problems.

tcpdump

Tcpdump is an application designed to capture packets.  Normally the packet headers are all that is needed for performance analysis.  By reducing the "snapshot length" (-s flag) we can reduce the portion of each packet we capture and save on disk I/O; this is often critical to loss-free packet capture, since perfSONAR hosts are often built without high-performance disk subsystems.  Specifying a snapshot length of 0 will capture the entire packet, in contrast to the snapshot length of 100 bytes specified in the examples on this page (here we are interested only in the headers, which is all performance analysis needs).  Tcpdump runs against a target interface and accepts filter expressions so that only the hosts, networks and ports of interest are captured.  Because tcpdump places the interface into promiscuous mode, it must be run as the root user or via mechanisms like sudo.  Example use cases appear below:

Capture all traffic to or from a specific host (incoming and outgoing) on the target interface (eth0)

sudo tcpdump -n -i eth0 -s 100 host 192.168.0.1

Capture all traffic to or from a /24 subnet (incoming and outgoing) on the target interface and store it in the ~/dump.dmp file

sudo tcpdump -i eth0 -s 100 net 192.168.0 -w ~/dump.dmp

Capture all traffic on a specific port (incoming and outgoing) on the target interface

sudo tcpdump -n -i eth0 -s 100 port 5001

Capture all traffic on a range of ports (incoming and outgoing) on the target interface

sudo tcpdump -n -i eth0 -s 100 portrange 100-200

Capture all traffic where the specified host is the source (src) of the traffic on a specific interface

sudo tcpdump -n -i eth0 -s 100 src 192.168.0.1

Capture all traffic where the specified /24 subnet is the destination (dst) on a specific interface

sudo tcpdump -n -i eth0 -s 100 dst net 192.168.0

Capture all traffic with a source (src) port of 5001 on a specific interface

sudo tcpdump -n -i eth0 -s 100 src port 5001

Capture all TCP traffic where port 5001 is in use on a specific interface

sudo tcpdump -n -i eth0 -s 100 tcp port 5001

Servers that are underpowered in terms of memory or CPU may have a hard time capturing packets without loss.  The gulp tool was designed to combat this, and is available at this site:

http://staff.washington.edu/corey/gulp/

tcptrace

Tcpdump captures packets according to specific filters, while the tcptrace tool is used to analyze the captured data and output succinct summaries.  Tcptrace analyzes a complete dump file (e.g. the output of tcpdump written to a file with the '-w' option) and categorizes the output into distinct flow summaries when the file contains multiple exchanges.  There are options to view the summaries, as well as to produce files that can be viewed through the xplot viewer.  The end goal is to identify the behavior of a specific flow in a given dump file and to be able to make judgements about the flow of data and acknowledgements.  Example use cases appear below:

Output "long" analysis  with congestion window information for target dump file

tcptrace -lW ~/dump.dmp

Generate all graphs for the target dump file

tcptrace -G ~/dump.dmp

Note that with the latter use, several graph types will be created for each source/destination flow in the dump file:

  • Time Sequence Graph (TSG)
  • Throughput Graph (TPUT)
  • RTT Graph (RTT)
  • Outstanding Data Graph (OWIN)
  • Segment Size Graph (SSIZE)
  • Time-Line Graph (TLINE)

The TSG graph is normally the most useful output to analyze further, as it contains a time-ordered graph of events (retransmissions, losses, duplicate acknowledgements) for the specific flow.
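Before opening any graph, the "long" summary tells you which flow in a multi-connection dump deserves the TSG treatment. The following is an added example, not tcptrace's or perfSONAR's code: it parses the two-column "a->b: ... b->a:" block that tcptrace -l prints per connection and flags directions whose retransmission share or maximum RTT exceeds assumed thresholds. SAMPLE is a constructed, trimmed approximation of real output (real output carries many more fields; only the "ms" unit on RTT fields is handled here).

```python
# Added example (not tcptrace/perfSONAR code); SAMPLE is a constructed, trimmed `tcptrace -l` excerpt.
import re
SAMPLE = """\
TCP connection 1:
\thost a:        192.168.0.1:5001
\thost b:        192.168.0.2:45678
   a->b:                              b->a:
     total packets:           500           total packets:           500
     rexmt data pkts:           3           rexmt data pkts:            0
     RTT max:              50.3 ms          RTT max:               0.2 ms
TCP connection 2:
\thost c:        192.168.0.1:5002
\thost d:        192.168.0.3:51234
   c->d:                              d->c:
     total packets:            20           total packets:            20
     rexmt data pkts:           4           rexmt data pkts:            0
     RTT max:             400.0 ms          RTT max:               1.0 ms
"""
CONN_RE = re.compile(r"^TCP connection (\d+):")
HOST_RE = re.compile(r"^\s*host ([a-z]+):\s+(\S+)")  # tcptrace names hosts a, b, c, ...
DIR_RE = re.compile(r"^\s*([a-z]+)->([a-z]+):\s+([a-z]+)->([a-z]+):")
PAIR_RE = re.compile(r"^\s*(.+?):\s+([\d.]+)(?: ms)?\s{2,}(.+?):\s+([\d.]+)(?: ms)?\s*$")

def parse_tcptrace_long(text):
    """Return [{'number': n, 'dirs': [{'flow': 'src->dst', 'metrics': {...}}, ...]}]."""
    conns, hosts, cur = [], {}, None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            conns.append(cur := {"number": int(m[1]), "dirs": []})
        elif m := HOST_RE.match(line):
            hosts[m[1]] = m[2]
        elif (m := DIR_RE.match(line)) and cur:
            cur["dirs"] = [{"flow": f"{hosts[m[1]]}->{hosts[m[2]]}", "metrics": {}},
                           {"flow": f"{hosts[m[3]]}->{hosts[m[4]]}", "metrics": {}}]
        elif (m := PAIR_RE.match(line)) and cur and cur["dirs"]:
            cur["dirs"][0]["metrics"][m[1].strip()] = float(m[2])  # left column
            cur["dirs"][1]["metrics"][m[3].strip()] = float(m[4])  # right column
    return conns

def flag_connections(conns, rexmt_pct=1.0, rtt_max_ms=200.0):  # thresholds are assumptions
    out = []  # (connection number, flow, reason) for each direction worth plotting
    for c in conns:
        for d in c["dirs"]:
            mt, where = d["metrics"], (c["number"], d["flow"])
            pct = 100.0 * mt.get("rexmt data pkts", 0) / max(mt.get("total packets", 0), 1)
            if pct >= rexmt_pct:
                out.append(where + (f"rexmt {pct:.1f}% of packets",))
            if mt.get("RTT max", 0.0) > rtt_max_ms:
                out.append(where + (f"RTT max {mt['RTT max']:.0f} ms",))
    return out
```

On the sample only connection 2 is flagged, so its c2d_tsg.xpl (tcptrace names graph files after the host labels) is the one to open in xplot first.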

Additional information can be found in the tcptrace manual: http://www.tcptrace.org/manual/index.html

xplot

Xplot is a visualization tool for plotting complex data sets, and is available as a package for Linux and OS X systems (via MacPorts).  Xplot can draw multiple plots on a single graph, can arbitrarily color and annotate plot points, and supports click/drag/zoom navigation.  Example use cases appear below:

Display a graph generated by tcptrace (the -G option over the target dump file)

xplot graph.xpl

Open two graphs using a common 'y' axis range (assists with comparing the relative slope, i.e. throughput, of the two flows)

xplot -y 'yrange' graph1.xpl graph2.xpl

Additional information can be found in the tcptrace manual: http://www.tcptrace.org/manual/index.html

More Information:

Debugging TCP connections using tcptrace

Presentation demonstrating the use of TCPDump, TCPTrace, and XPlot
