[Bloat] measuring "flows-in-progress" over an interval

Kathleen Nichols nichols at pollere.net
Mon Jul 30 18:18:33 EDT 2018


If you do not find a tool, you might try building your own. Using
libtins http://libtins.github.io/ makes it much easier to build C++
programs that operate on sniffed packets than it used to be. I used it
in pping https://github.com/pollere/pping and connmon for TCP flows and
in some non-public stuff to try to figure out things about UDP "flows".
You (or some student you can motivate) could use that code as a starting
point but inspect a wider range of packet types.

	Kathie

On 7/30/18 11:11 AM, Dave Taht wrote:
> Of mice, elephants, ants, and lemmings....
> 
> I frequently take packet captures to look at actual traffic on my
> production network, then look at them in wireshark or take them apart
> via tcptrace. Eyeball gives one measurement. Tcptrace gives me a
> measurement of how many tcp flows were present over that interval, and
> completed, but not udp. We can't easily measure udp quic traffic for
> "completion", but we can look at peaks and valleys and the actual
> presence of that "flow". DNS, and a zillion other sorts of
> transactions (even arp), to me, count as one or two packet flows.
> 
> Is there a tool out there that can pull out active flows of all sorts
> from a cap?
> 
> somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
> 
> There was a classic one (early 90s) on self similar behavior that I
> cannot remember just now. Used to cite it....
> 
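A minimal version of the "build your own" approach above, as an added example that is not from this thread and not from pping or connmon: a pure-stdlib Python script that reads a classic pcap byte string, classifies each frame into a bidirectional TCP, UDP or ARP flow (so DNS request/response, an ARP exchange and a QUIC-like UDP stream each count as one flow), and then counts how many flows are in progress in each time bucket. A flow is treated as in progress from its first packet until `idle_timeout` seconds after its last one; the sample capture, the hostnames and the 10.0.0.x addresses are all constructed here. The same per-interval count is what a defender watches when looking for connection floods or scan bursts, which is why the count is split by flow kind.

```python
"""Count flows-in-progress per interval from a pcap, classifying TCP, UDP and ARP."""
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic (not pcapng) pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """Bidirectional flow key (kind, endpoint, endpoint), endpoints sorted; None if unclassified."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP and len(frame) >= 42:
        # ARP sender protocol address is at ARP offset 14, target at 24 (+14 for Ethernet)
        return ("arp",) + tuple(sorted((frame[28:32], frame[38:42])))
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = frame[26:30], frame[30:34]
        l4 = 14 + ihl
        if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            kind = "tcp" if proto == PROTO_TCP else "udp"
            return (kind,) + tuple(sorted(((src, sport), (dst, dport))))
    return None  # IPv6, ICMP and anything else are left unclassified here


def build_flows(pcap_bytes):
    """Map flow key -> (first_seen, last_seen, packet_count)."""
    flows = {}
    for ts, frame in parse_pcap(pcap_bytes):
        key = flow_key(frame)
        if key is None:
            continue
        first, last, n = flows.get(key, (ts, ts, 0))
        flows[key] = (min(first, ts), max(last, ts), n + 1)
    return flows


def count_by_kind(flows):
    """Number of distinct flows per kind, e.g. {'tcp': 1, 'udp': 2, 'arp': 1}."""
    counts = defaultdict(int)
    for key in flows:
        counts[key[0]] += 1
    return dict(counts)


def flows_in_progress(flows, start, end, interval, idle_timeout=0.0):
    """List of (bucket_start, active_flows) for each [t, t+interval) between start and end.

    A flow is in progress from its first packet until idle_timeout seconds after its
    last packet, so a quiet-but-not-timed-out flow still counts in a bucket.
    """
    out, t = [], start
    while t < end:
        active = sum(1 for first, last, _n in flows.values()
                     if first < t + interval and last + idle_timeout >= t)
        out.append((t, active))
        t += interval
    return out


# --- constructed sample capture (not real traffic) ---------------------------------
def _eth(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 65535, 0, 0)

def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _arp(op, spa, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, op, b"\x00\x11\x22\x33\x44\x55", spa, b"\0" * 6, tpa)

def make_pcap(packets):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out

A, B, C = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"  # constructed hosts
SAMPLE_PACKETS = [
    (0.000, _eth(ETH_ARP, _arp(1, A, B))),                                  # A: who-has B
    (0.001, _eth(ETH_ARP, _arp(2, B, A))),                                  # B replies
    (0.100, _eth(ETH_IPV4, _ipv4(PROTO_TCP, A, B, _tcp(40000, 443)))),       # long TCP flow
    (0.200, _eth(ETH_IPV4, _ipv4(PROTO_TCP, B, A, _tcp(443, 40000)))),
    (1.000, _eth(ETH_IPV4, _ipv4(PROTO_UDP, A, C, _udp(53000, 53)))),        # DNS query
    (1.020, _eth(ETH_IPV4, _ipv4(PROTO_UDP, C, A, _udp(53, 53000)))),        # DNS answer
    (3.000, _eth(ETH_IPV4, _ipv4(PROTO_TCP, A, B, _tcp(40000, 443)))),
    (4.000, _eth(0x86DD, b"\x60" + b"\x00" * 39)),                          # IPv6: unclassified
    (5.000, _eth(ETH_IPV4, _ipv4(PROTO_UDP, A, C, _udp(50000, 443)))),       # QUIC-like UDP
    (5.500, _eth(ETH_IPV4, _ipv4(PROTO_UDP, A, C, _udp(50000, 443)))),
    (6.000, _eth(ETH_IPV4, _ipv4(PROTO_UDP, A, C, _udp(50000, 443)))),
    (7.500, _eth(ETH_IPV4, _ipv4(PROTO_TCP, A, B, _tcp(40000, 443)))),
]
SAMPLE_PCAP = make_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    fl = build_flows(SAMPLE_PCAP)
    print(count_by_kind(fl))
    for t, n in flows_in_progress(fl, 0, 10, 2, idle_timeout=1.0):
        print(f"[{t:4.1f}, {t + 2:4.1f})  flows in progress: {n}")
```

To run it against a real capture, replace `SAMPLE_PCAP` with the contents of a file written by tcpdump or Wireshark in classic pcap format (pcapng is not parsed here) and pick `idle_timeout` to match how long you consider a silent UDP "flow" still alive; with a timeout of 0 only buckets that contain a packet of the flow, or fall between its first and last packet, count it.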