From: Kathleen Nichols
To: bloat@lists.bufferbloat.net
Subject: Re: [Bloat] measuring "flows-in-progress" over an interval
Date: Mon, 30 Jul 2018 15:18:33 -0700

If you do not find a tool, you might try building your own. Using
libtins http://libtins.github.io/ makes it much easier to build C++
programs that operate on sniffed packets than it used to be.
I used it in pping https://github.com/pollere/pping and connmon for TCP
flows and in some non-public stuff to try to figure out things about
UDP "flows". You (or some student you can motivate) could use that code
as a starting point but inspect a wider range of packet types.

	Kathie

On 7/30/18 11:11 AM, Dave Taht wrote:
> Of mice, elephants, ants, and lemmings....
>
> I frequently take packet captures to look at actual traffic on my
> production network, then look at them in wireshark or take them apart
> via tcptrace. Eyeball gives one measurement. Tcptrace gives me a
> measurement of how many tcp flows were present over that interval, and
> completed, but not udp. We can't easily measure udp quic traffic for
> "completion", but we can look at peaks and valleys and the actual
> presence of that "flow". DNS, and a zillion other sorts of
> transactions (even arp), to me, count as one or two packet flows.
>
> Is there a tool out there that can pull out active flows of all sorts
> from a cap?
>
> somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
>
> There was a classic one (early 90s) on self similar behavior that I
> cannot remember just now. Used to cite it....
>
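
A sketch of the flow counting asked about in the quoted message, added here as an example; it is not part of the original post and not code from pping, connmon or libtins. It assumes packets have already been decoded (for instance in a libtins sniffer loop) into a hypothetical Pkt record and that an idle gap of 2 seconds ends a flow; the struct, function names, addresses and timestamps are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <map>
#include <tuple>
#include <vector>
// Decoded packet fields (hypothetical struct; a sniffer library would supply these).
struct Pkt { double ts; uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };
struct Span { double first, last; };  // first and last packet time of one flow
using Key = std::tuple<uint8_t, uint32_t, uint16_t, uint32_t, uint16_t>;
// Direction-independent key: request and reply land in the same flow.
Key flow_key(const Pkt& p) {
    auto a = std::make_pair(p.src, p.sport), b = std::make_pair(p.dst, p.dport);
    if (b < a) std::swap(a, b);
    return std::make_tuple(p.proto, a.first, a.second, b.first, b.second);
}
// pkts must be sorted by ts. A gap longer than `idle` ends a flow, so UDP with no FIN/RST still completes.
std::vector<Span> flow_spans(const std::vector<Pkt>& pkts, double idle) {
    std::map<Key, Span> open;
    std::vector<Span> done;
    for (const Pkt& p : pkts) {
        auto it = open.find(flow_key(p));
        if (it != open.end() && p.ts - it->second.last <= idle) { it->second.last = p.ts; continue; }
        if (it != open.end()) done.push_back(it->second);  // idle gap: close the old flow
        open[flow_key(p)] = Span{p.ts, p.ts};              // start a new flow on this 5-tuple
    }
    for (const auto& kv : open) done.push_back(kv.second);
    return done;
}
// A flow is "in progress" in every bucket of width w that its [first, last] span touches.
std::vector<int> flows_in_progress(const std::vector<Span>& s, double t0, double w, int n) {
    std::vector<int> counts(n, 0);
    for (const Span& f : s) {
        if (f.last < t0 || f.first >= t0 + n * w) continue;  // entirely outside the window
        int lo = std::max(0, (int)((f.first - t0) / w));
        int hi = std::min(n - 1, (int)((f.last - t0) / w));
        for (int i = lo; i <= hi; ++i) ++counts[i];
    }
    return counts;
}
// Constructed sample: one TCP flow, a DNS query/reply pair, and a later reuse of the DNS 5-tuple.
std::vector<Pkt> sample_capture() {
    return {{0.10, 6, 0x0A000001, 0x0A000002, 40000, 443}, {0.20, 17, 0x0A000001, 0x0A000035, 5353, 53},
            {0.25, 17, 0x0A000035, 0x0A000001, 53, 5353}, {1.50, 6, 0x0A000002, 0x0A000001, 443, 40000},
            {2.40, 6, 0x0A000001, 0x0A000002, 40000, 443}, {3.70, 17, 0x0A000001, 0x0A000035, 5353, 53}};
}
int main() {
    for (int c : flows_in_progress(flow_spans(sample_capture(), 2.0), 0.0, 1.0, 4)) std::printf("%d\n", c);
}
```

Non-IP traffic such as ARP has no ports or protocol number and would need its own key type.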