General list for discussing Bufferbloat
From: Dave Taht <dave.taht@gmail.com>
To: Kathleen Nichols <nichols@pollere.net>
Cc: bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] measuring "flows-in-progress" over an interval
Date: Mon, 30 Jul 2018 15:44:15 -0700
Message-ID: <CAA93jw44h3WA+cbCRv29qU1ZrkS2vy5iJprdaqmSFt=PU3zMHg@mail.gmail.com>
In-Reply-To: <aba843fd-0eab-d8b7-bc80-7793d2ef4835@pollere.net>

On Mon, Jul 30, 2018 at 3:18 PM Kathleen Nichols <nichols@pollere.net> wrote:
>
>
> If you do not find a tool, you might try building your own. Using
> libtins http://libtins.github.io/ makes it much easier to build C++
> programs that operate on sniffed packets than it used to be. I used it
> in pping https://github.com/pollere/pping and connmon for TCP flows and
> in some non-public stuff to try to figure out things about UDP "flows".
> You (or some student you can motivate) could use that code as a starting
> point but inspect a wider range of packet types.

That looks nice. Thank you. Among other packet parsing problems we've
long had is tearing apart radiocaps.

https://github.com/mfontanini/libtins/blob/master/tests/src/radiotap_test.cpp

>
>         Kathie
>
> On 7/30/18 11:11 AM, Dave Taht wrote:
> > Of mice, elephants, ants, and lemmings....
> >
> > I frequently take packet captures to look at actual traffic on my
> > production network, then look at them in wireshark or take them apart
> > via tcptrace. eyeball gives one measurement. Tcptrace gives me a
> > measurement of how many tcp flows were present over that interval, and
> > completed, but not udp. We can't easily measure udp quic traffic for
> > "completion", but we can look at peaks and valleys and the actual
> > presence of that "flow". DNS, and a zillion other sorts of
> > transactions (even arp), to me, count as one or two packet flows.
> >
> > Is there a tool out there that can pull out active flows of all sorts
> > from a cap?
> >
> > somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
> >
> > There was a classic one (early 90s) on self similar behavior that I
> > cannot remember just now. Used to cite it....
> >
>



-- 

Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
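
Added example, not part of the messages above and not code from libtins, pping or connmon: a sketch of the "flows-in-progress over an interval" count the thread asks about, covering TCP, UDP and one- or two-packet exchanges such as DNS and ARP alike. It assumes packets have already been parsed (for instance with libtins) into records; `Pkt`, `Span`, `key_of`, `flow_spans`, `flows_in_progress`, the idle timeout and the sample capture are all hypothetical, and a flow counts as in progress in every interval between its first and last packet.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>

struct Pkt { double ts; std::string proto, src, dst; int sport, dport; };  // ARP: ports 0
struct Span { double first, last; };  // first/last packet time of one flow
// Direction-independent key, so a DNS query and its reply share one flow.
std::string key_of(const Pkt& p) {
    std::string a = p.src + ":" + std::to_string(p.sport);
    std::string b = p.dst + ":" + std::to_string(p.dport);
    return p.proto + "|" + std::min(a, b) + "|" + std::max(a, b);
}

// A silence longer than idle_timeout starts a new flow (UDP has no FIN/RST).
std::vector<Span> flow_spans(std::vector<Pkt> pkts, double idle_timeout) {
    std::sort(pkts.begin(), pkts.end(),
              [](const Pkt& x, const Pkt& y) { return x.ts < y.ts; });
    std::map<std::string, std::size_t> open;  // key -> index of its current span
    std::vector<Span> spans;
    for (const Pkt& p : pkts) {
        auto it = open.find(key_of(p));
        if (it != open.end() && p.ts - spans[it->second].last <= idle_timeout) {
            spans[it->second].last = p.ts;
        } else {
            open[key_of(p)] = spans.size();
            spans.push_back({p.ts, p.ts});
        }
    }
    return spans;
}

// Flows in progress during each interval [t0 + i*width, t0 + (i+1)*width).
std::vector<int> flows_in_progress(const std::vector<Span>& spans,
                                   double t0, double width, int n) {
    std::vector<int> counts(n, 0);
    for (const Span& s : spans)
        for (int i = 0; i < n; ++i)
            if (s.first < t0 + (i + 1) * width && s.last >= t0 + i * width) ++counts[i];
    return counts;
}
std::vector<Pkt> sample_packets() { return {  // constructed, not real traffic
    {0.10, "tcp", "10.0.0.2", "192.0.2.34", 40000, 443},
    {0.30, "udp", "10.0.0.2", "10.0.0.1", 53000, 53},       // DNS query
    {0.32, "udp", "10.0.0.1", "10.0.0.2", 53, 53000},       // DNS reply
    {0.50, "udp", "10.0.0.2", "198.51.100.7", 50000, 443},  // QUIC-style UDP
    {1.50, "arp", "10.0.0.3", "10.0.0.1", 0, 0},
    {2.70, "tcp", "192.0.2.34", "10.0.0.2", 443, 40000},
    {3.90, "udp", "10.0.0.2", "198.51.100.7", 50000, 443},  // after 3.4 s idle
}; }
```

With a 3-second idle timeout the two UDP packets to port 443 count as separate flows; with a 10-second timeout they merge into one flow that stays in progress across the quiet intervals.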
