forked from noahdavids/packet-analysis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlocal-drops.sh.html
executable file
·229 lines (201 loc) · 10.1 KB
/
local-drops.sh.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
<title>local-drops.sh Information</title>
</head>
<body background="concret.jpg">
<center>
<h1>local-drops.sh Information</h1>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
</center>
<p>
This macro uses tshark to make 2N+1 passes (a large file with lots of retransmissions will be slow) through a file. The first pass identifies all retransmitted TCP segments and extracts the starting sequence number from those segments. Then for each identified segment it finds all segments which include the starting sequence number. It then finds the first ACK for that sequence number.
<p>
If this macro is run over a trace that was captured on the receiving host we can see if the original segment was seen and if so if an ACK was sent. If this macro is run over a trace that was captured in the sending host we can see if an ACK was received before the retransmitted segment was sent.
<p>
The Output file has the format
<br>
TCP Seq NNNNNNN Pattern: PPPPPP
<br>
Titles
<br>
     frame.number tcp.time_relative ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
<br>
     frame.number tcp.time_relative ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
<br>
     frame.number tcp.time_relative ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
<p>
Multiple frames from the sending IP indicate that the frame was received (or sent) multiple times. The placement of the ACK from the receiving IP indicates when the ACK was sent.
<p>
The pattern string PPPPPP represents the pattern of segments.
<br>
     D-A- would indicate the first segment is data followed by an ACK
<br>
     D-D-A- would be data, data again and then an ACK
<br>
     D-A-D- would be data and ack and then data again. We do not see the second ACK because only the first ACK is recorded.
<p>
Counting the unique patterns will give you an idea of the segment loss pattern
<p>
If the input file is large with many TCP streams it would make sense to first create a file containing just the segments of the TCP stream of interest.
<p>
If there are enough segments that the sequence numbers wrap and are reused this will probably result in false positives (or negatives, it depends on your point of view). If this is the case the trace file should be broken up so that the sequence number space is not reused. Note that a sequence number wrap is OK, it is when it wraps and proceeds past where it originally started that things get messy.
<p>
<b><h3>Usage</h3></b>
local-drops.sh FILE-NAME SRC-ADDR TCP-PORT OUTPUT-FILE
<br><br>
<b>FILE-NAME</b>
<br>
The file name (or path to the file), This file must be readable by tshark.
<br><br>
<b>SRC-ADDR</b>
<br>
The source IP address of the sender.
<br><br>
<b>TCP-PORT</b>
<br>
Is the client side TCP port. It may be long to the sender or the receiver. It is just to make sure that only 1 TCP stream is evaluated.
<br><br>
<b>OUTPUT-FILE</b>
<br>
The file name (or path) to an output file.
<br><br>
<b><h3>Examples</h3></b>
Example 1a - trace collected on the receiver. Note that it took approximately 30 minutes to run through the trace with 14,898 packets and 611 retransmissions in the selected stream.
<center>
<table border=5>
<tr><td align=left>
<pre>
$ time ./local-drops.sh retransmissions-remote-sender.pcap 10.13.32.196 65376 local-drops.out
local-drops.sh retransmissions-remote-sender.pcap 10.13.32.196 65376 local-drops.out
real 30m52.758s
user 26m33.832s
sys 3m23.152s
</pre>
</td></tr>
</table>
Figure 1a - Execution with the time command so we know how long it took
</center>
<p>
Example 1b - First part of the output file from the above execution. Note it reports the number of retransmissions, 611, and for each sequence number you can see the data packet and the first and the ACK.
<center>
<table border=5>
<tr><td align=left>
<pre>
$ cat local-drops.out
local-drops.sh retransmissions-remote-sender.pcap 10.13.32.196 65376 local-drops.out
local-drops.sh run on Thu Apr 25 17:11:22 MST 2019
local-drops.sh version 1.7_2019-04-24
Numer of retransmission 611
TCP Seq: 1401752293 Pattern: D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
8 0.683443000 10.13.32.196 62 10.13.12.129 1401752293 127807339 1401752793 500
9 0.683452000 10.13.12.129 64 10.13.32.196 127807339 1401754293 127807339 0
TCP Seq: 1401760793 Pattern: D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
34 3.280608000 10.13.32.196 62 10.13.12.129 1401760793 127807691 1401761293 500
35 3.280628000 10.13.12.129 64 10.13.32.196 127807691 1401762293 127807691 0
TCP Seq: 1401764793 Pattern: D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
51 4.896903000 10.13.32.196 62 10.13.12.129 1401764793 127807851 1401765293 500
52 4.896923000 10.13.12.129 64 10.13.32.196 127807851 1401766293 127807851 0
TCP Seq: 1401767293 Pattern: D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
61 6.129472000 10.13.32.196 62 10.13.12.129 1401767293 127807979 1401767793 500
. . . . . .
</pre>
</td></tr>
</table>
Figure 1b - the output file
</center>
<p>
Example 1c - summary of the data-ACK pattern. In 491 cases there is a data segment followed by the ACK so the probability is that the original data segment was lost. In 94 cases there is an ACK after the data segment and that is followed by another data segment. Chances are that the original ACK was lost. The subsequent ACK is not listed because the script only lists the first ACK. There are also 26 cases of two data segments and then an ACK. It is possible that the original data segment was dropped at the socket level.
<p>
<center>
<table border=5>
<tr><td align=left>
<pre>
$ cat local-drops.out | grep TCP | awk '{print $5}' | sort | uniq -c
491 D-A-
94 D-A-D-
26 D-D-A-
</pre>
</td></tr>
</table>
Figure 1c - summary of the data-ACK pattern.
</center>
<p>
Example 1d - Given the length of time the script takes to run it is nice to be able to monitor its progress. The script writes out the number of retransmissions after the first pass. You can grep for that number early on and then count the number of "TCP" lines to get some idea of the progress.
<p>
<center>
<table border=5>
<tr><td align=left>
<pre>
$ cat local-drops.out | grep Number
Number of retransmission 611
$ cat local-drops.out | grep TCP | wc -l
11
$ cat local-drops.out | grep TCP | wc -l
130
$ cat local-drops.out | grep TCP | wc -l
215
$ cat local-drops.out | grep TCP | wc -l
406
</pre>
</td></tr>
</table>
Figure 1d - Monitoring the progress of the script
</center>
<p>
Example 2 - trace collected on the sender. Note that the sender IP address 172.29.26.124 is shown with an IP TTL of 64 in the trace output indicating that the packets have not gone through a router. Also note the data-ACK pattern. In all cases there are multiple data packets before the ACK.
<center>
<table border=5>
<tr><td align=left>
<pre>
local-drops.sh retransmissions.pcap 172.29.26.124 42111 local-drops.out
local-drops.sh run on Wed Apr 24 20:46:40 MST 2019
local-drops.sh version 1.7_2019-04-24
Numer of retransmission 244
TCP Seq: 456834933 Pattern: D-D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
1326 1.464269000 172.29.26.124 64 172.21.198.87 456834933 2287642059 456836381 1448
1462 1.537262000 172.29.26.124 64 172.21.198.87 456834933 2287642059 456836381 1448
1612 1.610243000 172.21.198.87 57 172.29.26.124 2287642059 457081093 2287642059 0
TCP Seq: 457653053 Pattern: D-D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
1764 1.684147000 172.29.26.124 64 172.21.198.87 457651605 2287642059 457654501 2896
1852 1.757244000 172.29.26.124 64 172.21.198.87 457653053 2287642059 457654501 1448
1912 1.830185000 172.21.198.87 57 172.29.26.124 2287642059 457819573 2287642059 0
TCP Seq: 460237733 Pattern: D-D-A-
Frame.num tcp.time.rel ip.src ip.ttl ip.dst tcp.seq tcp.ack tcp.nxtseq data-len
3081 3.509171000 172.29.26.124 64 172.21.198.87 460236285 2287642059 460239181 2896
3119 3.653026000 172.29.26.124 64 172.21.198.87 460237733 2287642059 460239181 1448
3152 3.726052000 172.21.198.87 57 172.29.26.124 2287642059 460314477 2287642059 0
TCP Seq: 461598853 Pattern: D-D-A-
. . . . . . .
$ cat local-drops.out | grep TCP | awk '{print $5}' | sort | uniq -c
218 D-D-A-
23 D-D-D-A-
3 D-D-D-D-A-
</pre>
</td></tr>
</table>
Figure 2 - trace collected on the sender
</center>
<p>
You can find this script at <a href="https://github.com/noahdavids/packet-analysis/blob/master/local-drops.sh">local-drops.sh</a>
<br /><br />
<h5><center>
<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
<br />
This page was last modified on 19-04-25</h5>
</center>
<a href="mailto:[email protected]"><img src="mailbox.gif" width="32" height="32" alt="mailbox" align="left" hspace=3>
Send comments and suggestions
<br />
</a>
</body>
</html>