* [Bloat] measuring "flows-in-progress" over an interval
@ 2018-07-30 18:11 Dave Taht
2018-07-30 22:18 ` Kathleen Nichols
0 siblings, 1 reply; 3+ messages in thread
From: Dave Taht @ 2018-07-30 18:11 UTC (permalink / raw)
To: bloat
Of mice, elephants, ants, and lemmings....
I frequently take packet captures to look at actual traffic on my
production network, then look at them in wireshark or take them apart
via tcptrace. Eyeballing gives one measurement. Tcptrace gives me a
measurement of how many tcp flows were present over that interval, and
completed, but not udp. We can't easily measure udp quic traffic for
"completion", but we can look at peaks and valleys and the actual
presence of that "flow". DNS, and a zillion other sorts of
transactions (even arp), to me, count as one- or two-packet flows.
Is there a tool out there that can pull out active flows of all sorts
from a cap?
Somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
There was a classic one (early 90s) on self similar behavior that I
cannot remember just now. Used to cite it....
--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
* Re: [Bloat] measuring "flows-in-progress" over an interval
From: Kathleen Nichols @ 2018-07-30 22:18 UTC (permalink / raw)
To: bloat
If you do not find a tool, you might try building your own. Using
libtins http://libtins.github.io/ makes it much easier to build C++
programs that operate on sniffed packets than it used to be. I used it
in pping https://github.com/pollere/pping and connmon for TCP flows and
in some non-public stuff to try to figure out things about UDP "flows".
You (or some student you can motivate) could use that code as a starting
point but inspect a wider range of packet types.
Kathie
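The "build your own" approach above, as an added example that is not code from the thread, from libtins or from pping: a stdlib-only Python flow tracker that parses raw Ethernet frames just far enough to key TCP, UDP and ARP flows, records first/last packet times, and counts the flows in progress over an interval. TCP flows are marked complete on FIN/RST; everything else (DNS, QUIC-style UDP, ARP) has no on-wire completion, so it is considered alive until an idle timeout after its last packet, and the count changes with the timeout chosen. The sample trace, hosts and ports are constructed for the example.

```python
"""Flows-in-progress over an interval from raw Ethernet frames (added example)."""
import struct
from collections import Counter

ETH_IP, ETH_ARP = 0x0800, 0x0806
TCP_FIN, TCP_RST = 0x01, 0x04


def parse_frame(frame):
    """Return (flow_key, tcp_flags) for one Ethernet frame, or None if not keyable.
    Keys are direction-independent so both halves of a conversation share one flow."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        spa, tpa = frame[28:32], frame[38:42]  # sender/target protocol address
        return (("arp",) + tuple(sorted((spa, tpa))), None)
    if ethertype != ETH_IP or len(frame) < 34:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    proto, src, dst = ip[9], ip[12:16], ip[16:20]
    l4 = ip[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        ends = tuple(sorted(((src, sport), (dst, dport))))
        flags = l4[13] if proto == 6 and len(l4) >= 14 else None  # TCP flags byte
        return (("tcp" if proto == 6 else "udp",) + ends, flags)
    return (("ip%d" % proto,) + tuple(sorted((src, dst))), None)


class FlowTable:
    """Per-flow first/last packet time, packet count and TCP close state."""

    def __init__(self):
        self.flows = {}

    def add(self, ts, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return
        key, flags = parsed
        f = self.flows.setdefault(key, {"first": ts, "last": ts, "pkts": 0, "closed": False})
        f["last"], f["pkts"] = ts, f["pkts"] + 1
        if flags is not None and flags & (TCP_FIN | TCP_RST):
            f["closed"] = True  # only TCP signals completion on the wire

    def in_progress(self, t0, t1, idle=30.0):
        """Count flows active somewhere in [t0, t1], by kind. A flow lives from its
        first packet until its last if TCP closed it, else until `idle` seconds after
        its last packet: UDP/QUIC/DNS/ARP have no completion, only an idle guess."""
        counts = Counter()
        for key, f in self.flows.items():
            end = f["last"] + (0.0 if f["closed"] else idle)
            if f["first"] <= t1 and end >= t0:
                counts[key[0]] += 1
        return counts


# --- constructed sample trace (not a real capture); hosts and ports are made up ---
MAC_A, MAC_B = b"\x02" * 6, b"\x04" * 6
HOST_A, HOST_B = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])

def eth(src, dst, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def arp_request(spa, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, MAC_A, spa, b"\0" * 6, tpa)

def sample_trace():
    a2b = lambda proto, l4: eth(MAC_A, MAC_B, ETH_IP, ipv4(proto, HOST_A, HOST_B, l4))
    b2a = lambda proto, l4: eth(MAC_B, MAC_A, ETH_IP, ipv4(proto, HOST_B, HOST_A, l4))
    return [
        (0.00, eth(MAC_A, b"\xff" * 6, ETH_ARP, arp_request(HOST_A, HOST_B))),  # ARP who-has
        (0.10, a2b(6, tcp(40000, 443, 0x02))),        # TCP SYN
        (0.20, b2a(6, tcp(443, 40000, 0x12))),        # SYN/ACK
        (0.30, a2b(17, udp(53000, 53, b"q"))),        # DNS query
        (0.35, b2a(17, udp(53, 53000, b"r"))),        # DNS reply
        (5.00, a2b(17, udp(50000, 443, b"quic"))),    # QUIC-like UDP
        (12.0, a2b(6, tcp(40000, 443, 0x11))),        # TCP FIN/ACK
        (12.1, b2a(6, tcp(443, 40000, 0x14))),        # RST/ACK: TCP flow closed
        (40.0, b2a(17, udp(443, 50000, b"quic"))),    # same UDP flow, 35 s later
    ]

def count_over(interval, idle=30.0, trace=None):
    table = FlowTable()
    for ts, frame in trace or sample_trace():
        table.add(ts, frame)
    return table.in_progress(*interval, idle=idle)

if __name__ == "__main__":
    for idle in (30.0, 5.0):
        print("[10, 20] idle=%gs:" % idle, dict(count_over((10.0, 20.0), idle)))
```

Over [10, 20] s the trace yields 4 flows in progress with a 30 s idle timeout (the TCP flow closing at 12.1 s, both UDP flows, and the ARP exchange) but only 2 with a 5 s timeout; the difference is entirely the non-TCP flows, which is the point about not being able to measure UDP "completion". Feeding a real capture means replacing `sample_trace()` with (timestamp, frame) pairs read from the pcap; the flow logic is unchanged.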
* Re: [Bloat] measuring "flows-in-progress" over an interval
From: Dave Taht @ 2018-07-30 22:44 UTC (permalink / raw)
To: Kathleen Nichols; +Cc: bloat
On Mon, Jul 30, 2018 at 3:18 PM Kathleen Nichols <nichols@pollere.net> wrote:
>
> If you do not find a tool, you might try building your own. Using
> libtins http://libtins.github.io/ makes it much easier to build C++
> programs that operate on sniffed packets than it used to be. I used it
> in pping https://github.com/pollere/pping and connmon for TCP flows and
> in some non-public stuff to try to figure out things about UDP "flows".
> You (or some student you can motivate) could use that code as a starting
> point but inspect a wider range of packet types.
That looks nice. Thank you. Among the other packet-parsing problems we've
long had is tearing apart radiocaps.
https://github.com/mfontanini/libtins/blob/master/tests/src/radiotap_test.cpp
>
> Kathie
--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619