Code Monkey home page Code Monkey logo

pcap_latency_analyzer's Introduction

pcap_latency_analyzer

Alt text

pcap_diff is a simple packet analyzer tool used to extract time difference between the same packets in 2 different pcap files.

More detailed examples can be found at http://fmad.io/blog-packet-analyzer.html

An example situation is calculating the latency profile of a switch/or other network device where the same packet is recorded with a highly accurate hardware timestamped packet capture device both before the network device and after it. Using this script a simple text based latency statistics and histogram can be generated.

Algo

It works by generating a 128b DEK hash of the entire packet (--full-packet) or just the payload (TCP payload / UDP payload) which gets stored into a large hash table. When a packet`s hash matches an existing entry in the table it appends the packet for further analysis. In addition to 128b DEK hash the match also checks the first 16B of the packet which includes the MAC header + first few bytes of the next layer. This is done because of the low entropy level of small say 64B packets which generates many false positives.

Command line options


Options:
 --packet-trace                  | write each packet events to stdout
 --length-histo                  | print packet length histogram
 --latency-histo                 | print latency histogram
 --hash-memory                   | (int MB) amount of memory to use for hashing. default 128MB
 --disable-mmap                  | use fread not mmap of the pcap files
 --packet-time-delta-max         | reset time between new and old packets with the same hash.
 --packet-max <number>           | maximum number of packets to process

 --tcp-length <number>           | filter tcp packets to include only payload length of <number>
 --tcp-only                      | only match tcp packets
 --udp-only                      | only match udp packets
 --udp-length <number>           | specifiy udp packets of only length <number>
 --udp-length-chomp <number>     | remove <number> bytes from the end of the UDP packet

Hash the entire packet
 --full-packet                   | use entire packet contents for hash (.e.g no protocol)
 --full-packet-tcp-only          | use entire packet contents for hash but only for tcp packets
 --full-packet-udp-only          | use entire packet contents for hash but only for udp packets

Diff 2 PCAP files: --file-diff                     | special mode of comparing packets between 2 files (instead of within the same file)
 --file-diff                     | special mode of comparing packets between 2 files (instead of within the same file)
 --file-diff-no-timesync         | do not attempt to time sync the two files. reads 1MB chunks at a time
 --file-diff-strict              | only matches with two entries in a hash node will be sampled
 --file-diff-nofcs-a             | file A has no FCS (ethernet crc) value
 --file-diff-nofcs-b             | file B has no FCS (ethernet crc) value
 --file-diff-missing-trace       | trace all packets that are missing
 --file-diff-latency-trace <number in ns> | trace packets that have latency greather than <number>

Diff 2 MAC address: --mac-diff                      | compare packets from 2 mac address in a single PCAP
 --mac-diff-a 00:11:22:33:44:55  | specify MAC address A
 --mac-diff-b 66:77:88:99:aa:bb  | specify MAC address B

Latency histogram shaping
 --latency-histo-min             | minimum time delta for histogram. default -1e6 ns
 --latency-histo-max             | maximum time delta for histogram. default 1e6 ns
 --latency-histo-unit            | duration of a single histogram slot. default 100ns

 --ts-last-byte-a                | adjust timestamp of first file A from last byte to first byte (assumes 10G)
 --ts-last-byte-b                | adjust timestamp of first file B from last byte to first byte (assumes 10G)

Examples

  1. Diff 2 PCAP files

there are 2 10g packet capture devices, capturing the same lines (e.g. for redundancy). The following searches for each packet in both files and reports the time difference between the 2 files.

$ ./pcap_latency_analyzer captureA.pcap captureB.pcap --latency-histo --latency-histo-unit 100 --file-diff --full-packet-tcp-only

  1. Trace the same packets within a single PCAP

$ ./pcap_latency_analyzer capture.pcap --tcp-only --packet-trace

  1. Trace the same packets within a single PCAP of a specific packet length

$ ./pcap_latency_analyzer capture.pcap --tcp-only --packet-trace --tcp-length 200

  1. Generate latency profile of the same packet from 2 different MACs

$ ./pcap_latency_analyzer capture.pcap --mac-diff --mac-diff-a 00:11:22:33:44:55 --mac--diff-b 66:77:88:99:aa:bb --latency-histo

Output

Example output of packet latency analysis


pacp_diff --file-diff-udp-only --latency-histo --latency-histo-unit 100 ./fmadio-10g-capture-A.pcap
./fmadio-10g-capture-B.pcap
.
.
[snip]
.
.

6200 .ns : 0.0001 (0.0000) : *
6300 .ns : 0.0011 (0.0001) : *
6400 .ns : 0.0032 (0.0004) : *
6500 .ns : 0.0117 (0.0014) : *
6600 .ns : 0.0387 (0.0046) : *
6700 .ns : 0.0743 (0.0108) : ***
6800 .ns : 0.1198 (0.0209) : *****
6900 .ns : 0.1522 (0.0337) : *******
7000 .ns : 0.2156 (0.0518) : **********
7100 .ns : 0.2956 (0.0766) : **************
7200 .ns : 0.3748 (0.1081) : ******************
7300 .ns : 0.4784 (0.1482) : ***********************
7400 .ns : 0.5714 (0.1962) : ****************************
7500 .ns : 0.7193 (0.2566) : ***********************************
7600 .ns : 0.8366 (0.3268) : *****************************************
7700 .ns : 0.8878 (0.4014) : ********************************************
7800 .ns : 0.9444 (0.4807) : ***********************************************
7900 .ns : 0.9624 (0.5615) : ************************************************
8000 .ns : 1.0000 (0.6454) : **************************************************
8100 .ns : 0.8957 (0.7206) : ********************************************
8200 .ns : 0.7725 (0.7855) : **************************************
8300 .ns : 0.7094 (0.8450) : ***********************************
8400 .ns : 0.5818 (0.8939) : *****************************
9500 .ns : 0.4292 (0.9299) : *********************
9600 .ns : 0.2947 (0.9547) : **************
9600 .ns : 0.2090 (0.9722) : **********
9700 .ns : 0.1325 (0.9833) : ******
9800 .ns : 0.0853 (0.9905) : ****
9900 .ns : 0.0576 (0.9953) : **
10000 ns : 0.0287 (0.9977) : *
10100 ns : 0.0141 (0.9989) : *
10200 ns : 0.0046 (0.9993) : *
10300 ns : 0.0036 (0.9996) : *
10400 ns : 0.0025 (0.9998) : *
10500 ns : 0.0015 (1.0000) : *
10600 ns : 0.0005 (1.0000) : *
10700 ns : 0.0000 (1.0000) : *

Support

This tool is part of the fmadio 10G sniffer appliance, more information can be found at http://fmad.io

Contact us for any bugs/patches/requests send a mail to: support at fmad.io

pcap_latency_analyzer's People

Contributors

aaron-fmad avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.