From: Dave Taht
Date: Mon, 30 Jul 2018 15:44:15 -0700
To: Kathleen Nichols
Cc: bloat
Subject: Re: [Bloat] measuring "flows-in-progress" over an interval

On Mon, Jul 30, 2018 at 3:18 PM Kathleen Nichols wrote:
>
>
> If you do not find a tool, you might try building your own. Using
> libtins http://libtins.github.io/ makes it much easier to build C++
> programs that operate on sniffed packets than it used to be. I used it
> in pping https://github.com/pollere/pping and connmon for TCP flows and
> in some non-public stuff to try to figure out things about UDP "flows".
> You (or some student you can motivate) could use that code as a starting
> point but inspect a wider range of packet types.

That looks nice. Thank you. Among other packet parsing problems we've
long had is tearing apart radiocaps.

https://github.com/mfontanini/libtins/blob/master/tests/src/radiotap_test.cpp

>
> Kathie
>
> On 7/30/18 11:11 AM, Dave Taht wrote:
> > Of mice, elephants, ants, and lemmings....
> >
> > I frequently take packet captures to look at actual traffic on my
> > production network, then look at them in wireshark or take them apart
> > via tcptrace. Eyeball gives one measurement. Tcptrace gives me a
> > measurement of how many tcp flows were present over that interval, and
> > completed, but not udp. We can't easily measure udp quic traffic for
> > "completion", but we can look at peaks and valleys and the actual
> > presence of that "flow". DNS, and a zillion other sorts of
> > transactions (even arp), to me, count as one or two packet flows.
> >
> > Is there a tool out there that can pull out active flows of all sorts
> > from a cap?
> >
> > somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
> >
> > There was a classic one (early 90s) on self similar behavior that I
> > cannot remember just now. Used to cite it....
> >
> > _______________________________________________
> Bloat mailing list
> Bloat@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/bloat

--

Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
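
The following is an added example, not part of the message above and not code from pping, connmon or libtins: a standard-library Python sketch of the measurement asked about in the thread, counting the distinct flows of any kind (TCP, UDP, other IPv4 protocols, ARP) present in each interval of a capture. The function names and the constructed sample capture are hypothetical, and the sketch assumes a classic pcap file (not pcapng) with Ethernet framing; IPv6 is not handled.

```python
import struct
from collections import defaultdict

def flow_key(frame):
    """Direction-independent flow key for an Ethernet frame, or None if not handled."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 42:   # ARP: key on sender/target IPv4 pair
        return ("arp",) + tuple(sorted((frame[28:32], frame[38:42])))
    if ethertype != 0x0800 or len(frame) < 34:     # otherwise IPv4 only (assumption)
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4               # start of the transport header
    proto, sport, dport = frame[23], 0, 0
    first_fragment = (struct.unpack("!H", frame[20:22])[0] & 0x1FFF) == 0
    if proto in (6, 17) and first_fragment and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return (proto,) + tuple(sorted(((frame[26:30], sport), (frame[30:34], dport))))

def flows_per_interval(pcap, interval_s=1):
    """Distinct flows present in each interval; a 0 entry is a valley with no traffic."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24 or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic microsecond pcap with LINKTYPE_ETHERNET")
    seen, first, off = defaultdict(set), None, 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < incl:
            break                                  # truncated final record
        ts = sec * 1_000_000 + usec                # integer microseconds
        first = ts if first is None else first
        key = flow_key(frame)
        if key is not None:
            seen[(ts - first) // (interval_s * 1_000_000)].add(key)
    return [len(seen[i]) for i in range(max(seen, default=-1) + 1)]

def sample_pcap():
    """Constructed capture: UDP query and reply plus an ARP request at t=0s, one TCP packet at t=2s."""
    def ip(proto, src, dst, sport, dport):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, src, dst)
        return b"\0" * 12 + b"\x08\x00" + hdr + struct.pack("!HHI", sport, dport, 0)
    a, b = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    arp = b"\0" * 12 + b"\x08\x06" + b"\0" * 14 + a + b"\0" * 6 + b
    pkts = [(0, ip(17, a, b, 5353, 53)), (0, ip(17, b, a, 53, 5353)), (0, arp), (2, ip(6, a, b, 40000, 443))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", s, 0, len(f), len(f)) + f for s, f in pkts)
```

This counts presence per interval only; it does not judge completion, which the thread notes is not easily measured for UDP.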