Tcptrace is a tool to analyze TCP (and now, also UDP) sessions captured with tcpdump. It provides many kinds of statistics and information, much of which is useful in diagnosing problems with TCP sessions. It also supports various graphing options.
This shows the sessions in a tcpdump log:
tcptrace trace.log
You can select a subset of them for further information; here we take sessions 3 and 4 and show a lot of information about them (long statistics, RTT information, Window information):
tcptrace -o3-4 -lrW trace.log
Here you can easily see lots of interesting information, for example, the advertised window size, out-of-order packet counts, window scaling factor, SACK counts, idle time, throughput (in bytes/sec), number of duplicate/triple ACKs and retransmissions (packet loss/congestion?), etc.
TCP connection 3:
        host e:        elvis.tigo.cl:2199
        host f:        cemp1.switch.ch:2630
        complete conn: yes
        first packet:  Fri Sep 29 11:03:12.044472 2006
        last packet:   Fri Sep 29 11:13:26.934554 2006
        elapsed time:  0:10:14.890081
        total packets: 559379
        filename:      file2net-2006-09-27.pcap
   e->f:                                 f->e:
     total packets:      364147            total packets:      195232
     ack pkts sent:      364146            ack pkts sent:      195232
     pure acks sent:     2                 pure acks sent:     195230
     sack pkts sent:     0                 sack pkts sent:     0
     dsack pkts sent:    0                 dsack pkts sent:    0
     max sack blks/ack:  0                 max sack blks/ack:  0
     unique bytes sent:  523337536         unique bytes sent:  0
     actual data pkts:   364144            actual data pkts:   0
     actual data bytes:  527280440         actual data bytes:  0
     rexmt data pkts:    2723              rexmt data pkts:    0
     rexmt data bytes:   3942904           rexmt data bytes:   0
     zwnd probe pkts:    0                 zwnd probe pkts:    0
     zwnd probe bytes:   0                 zwnd probe bytes:   0
     outoforder pkts:    749               outoforder pkts:    0
     pushed data pkts:   770               pushed data pkts:   0
     SYN/FIN pkts sent:  1/1               SYN/FIN pkts sent:  1/1
     req 1323 ws/ts:     Y/Y               req 1323 ws/ts:     Y/Y
     adv wind scale:     9                 adv wind scale:     9
     req sack:           Y                 req sack:           N
     sacks sent:         0                 sacks sent:         0
     urgent data pkts:   0 pkts            urgent data pkts:   0 pkts
     urgent data bytes:  0 bytes           urgent data bytes:  0 bytes
     mss requested:      1460 bytes        mss requested:      8960 bytes
     max segm size:      1448 bytes        max segm size:      0 bytes
     min segm size:      1376 bytes        min segm size:      0 bytes
     avg segm size:      1447 bytes        avg segm size:      0 bytes
     max win adv:        6144 bytes        max win adv:        5991424 bytes
     min win adv:        6144 bytes        min win adv:        35840 bytes
     zero win adv:       0 times           zero win adv:       0 times
     avg win adv:        6144 bytes        avg win adv:        5977948 bytes
     max owin:           2319697 bytes     max owin:           1 bytes
     min non-zero owin:  1 bytes           min non-zero owin:  1 bytes
     avg owin:           37320 bytes       avg owin:           1 bytes
     wavg owin:          183495 bytes      wavg owin:          0 bytes
     initial window:     1448 bytes        initial window:     0 bytes
     initial window:     1 pkts            initial window:     0 pkts
     ttl stream length:  523635824 bytes   ttl stream length:  0 bytes
     missed data:        298288 bytes      missed data:        0 bytes
     truncated data:     507616664 bytes   truncated data:     0 bytes
     truncated packets:  364144 pkts       truncated packets:  0 pkts
     data xmit time:     614.256 secs      data xmit time:     0.000 secs
     idletime max:       781.9 ms          idletime max:       782.0 ms
     hardware dups:      0 segs            hardware dups:      3 segs
       ** WARNING: presence of hardware duplicates makes these figures suspect!
     throughput:         851107 Bps        throughput:         0 Bps

     RTT samples:        167791            RTT samples:        2
     RTT min:            0.0 ms            RTT min:            281.4 ms
     RTT max:            104.5 ms          RTT max:            281.7 ms
     RTT avg:            0.2 ms            RTT avg:            281.5 ms
     RTT stdev:          3.2 ms            RTT stdev:          0.0 ms

     RTT from 3WHS:      0.0 ms            RTT from 3WHS:      281.7 ms

     RTT full_sz smpls:  167789            RTT full_sz smpls:  1
     RTT full_sz min:    0.0 ms            RTT full_sz min:    281.4 ms
     RTT full_sz max:    104.5 ms          RTT full_sz max:    281.4 ms
     RTT full_sz avg:    0.2 ms            RTT full_sz avg:    281.3 ms
     RTT full_sz stdev:  3.2 ms            RTT full_sz stdev:  0.0 ms

     post-loss acks:     691               post-loss acks:     0

     For the following 5 RTT statistics, only ACKs for
     multiply-transmitted segments (ambiguous ACKs) were
     considered. Times are taken from the last instance
     of a segment.
     ambiguous acks:     7                 ambiguous acks:     0
     RTT min (last):     0.0 ms            RTT min (last):     0.0 ms
     RTT max (last):     2.1 ms            RTT max (last):     0.0 ms
     RTT avg (last):     0.4 ms            RTT avg (last):     0.0 ms
     RTT sdv (last):     0.8 ms            RTT sdv (last):     0.0 ms
     segs cum acked:     192933            segs cum acked:     0
     duplicate acks:     26510             duplicate acks:     0
     triple dupacks:     280               triple dupacks:     0
     max # retrans:      1                 max # retrans:      0
     min retr time:      1820.3 ms         min retr time:      0.0 ms
     max retr time:      8403.4 ms         max retr time:      0.0 ms
     avg retr time:      4862.4 ms         avg retr time:      0.0 ms
     sdv retr time:      1815.5 ms         sdv retr time:      0.0 ms
-- Main.PekkaSavola - 26 Oct 2006
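
An added example, not part of the original page or of tcptrace itself: a small parser for the two-column long-format (-l) statistics shown above that derives per-direction retransmission and out-of-order percentages and reports whether hardware duplicates were seen. The sample rows are copied from connection 3 above; the function names and the "[unit]" key suffix are choices made for this example.

```python
"""Added example: parse tcptrace long (-l) two-column statistics."""

# Sample input: a few rows copied from the connection 3 output on this page
# (column spacing is reconstructed; the parser does not depend on it).
SAMPLE = """\
TCP connection 3:
   e->f:                              f->e:
     total packets:        364147           total packets:        195232
     actual data pkts:     364144           actual data pkts:          0
     rexmt data pkts:        2723           rexmt data pkts:           0
     outoforder pkts:         749           outoforder pkts:           0
     SYN/FIN pkts sent:       1/1           SYN/FIN pkts sent:       1/1
     initial window:         1448 bytes     initial window:            0 bytes
     initial window:            1 pkts      initial window:            0 pkts
     hardware dups:             0 segs      hardware dups:             3 segs
       ** WARNING: presence of hardware duplicates makes these figures suspect!
"""

def parse_long_stats(text):
    """Return {label: (e->f value, f->e value)} for every two-column row."""
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        label, sep, _ = line.partition(":")
        # A statistics row repeats its label once per direction.
        cols = line.split(label + ":") if sep else []
        if len(cols) != 3:      # header, warning text or single-column line
            continue
        left, right = cols[1].strip(), cols[2].strip()
        # "initial window" occurs twice (bytes, pkts): key the repeat by unit.
        key = label if label not in stats else f"{label} [{left.split()[-1]}]"
        stats[key] = (left, right)
    return stats

def num(value):
    """Numeric part of a value such as '781.9 ms' or '364147'."""
    return float(value.split()[0])

def loss_indicators(stats):
    """Retransmitted and out-of-order data packets in percent, per direction."""
    result = {"suspect": any(num(v) > 0 for v in stats["hardware dups"])}
    for i, direction in enumerate(("e->f", "f->e")):
        data = num(stats["actual data pkts"][i])
        pct = lambda key: 100.0 * num(stats[key][i]) / data if data else 0.0
        result[direction] = {"rexmt_pct": pct("rexmt data pkts"),
                             "outoforder_pct": pct("outoforder pkts")}
    return result

if __name__ == "__main__":
    print(loss_indicators(parse_long_stats(SAMPLE)))
```

The same functions accept the full text printed by tcptrace -l for a single connection; non-numeric fields such as "SYN/FIN pkts sent" are kept as strings and are not passed to num().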