On Mon, Jul 30, 2018 at 3:18 PM Kathleen Nichols <[email protected]> wrote:
>
> If you do not find a tool, you might try building your own. Using
> libtins http://libtins.github.io/ makes it much easier to build C++
> programs that operate on sniffed packets than it used to be. I used it
> in pping https://github.com/pollere/pping and connmon for TCP flows and
> in some non-public stuff to try to figure out things about UDP "flows".
> You (or some student you can motivate) could use that code as a starting
> point but inspect a wider range of packet types.

That looks nice. Thank you. Among other packet parsing problems we've long had is tearing apart radiocaps. https://github.com/mfontanini/libtins/blob/master/tests/src/radiotap_test.cpp

> Kathie
>
> On 7/30/18 11:11 AM, Dave Taht wrote:
> > Of mice, elephants, ants, and lemmings....
> >
> > I frequently take packet captures to look at actual traffic on my
> > production network, then look at them in wireshark or take them apart
> > via tcptrace. Eyeball gives one measurement. Tcptrace gives me a
> > measurement of how many tcp flows were present over that interval, and
> > completed, but not udp. We can't easily measure udp quic traffic for
> > "completion", but we can look at peaks and valleys and the actual
> > presence of that "flow". DNS, and a zillion other sorts of
> > transactions (even arp), to me, count as one or two packet flows.
> >
> > Is there a tool out there that can pull out active flows of all sorts
> > from a cap?
> >
> > somewhat relevant paper: https://dl.acm.org/citation.cfm?id=987190
> >
> > There was a classic one (early 90s) on self similar behavior that I
> > cannot remember just now. Used to cite it....
> >
> _______________________________________________
> Bloat mailing list
> [email protected]
> https://lists.bufferbloat.net/listinfo/bloat

--
Dave Täht
CEO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-669-226-2619
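The "pull out active flows of all sorts from a cap" step that the thread asks for, as an added example that is not part of the list discussion and not code from pping, connmon or libtins. It reads a classic pcap image with only the Python standard library, keys every packet to a bidirectional flow (TCP and UDP by canonical 5-tuple, ARP by the address pair, anything else by IP protocol or ethertype), records packet and byte counts plus first and last timestamps, and answers the "which flows were present over that interval" question. The capture it parses is constructed in memory: one ARP exchange, one DNS-style UDP pair and one short TCP exchange between addresses in 10.0.0.0/8 and the 192.0.2.0/24 documentation range; all packet contents are synthetic and the helper names are this example's own.

```python
"""Flow extraction from a pcap byte stream (stdlib only; added example)."""
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
PCAP_MAGIC_LE = 0xA1B2C3D4


def _ip(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _fmt(raw):
    return ".".join(str(b) for b in raw)


# --- constructed packet builders (checksums left zero; enough for a parser demo) ---
def eth(ethertype, payload):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload


def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _arp(oper, spa, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, oper,
                       b"\x02" * 6, _ip(spa), b"\x00" * 6, _ip(tpa))


def pcap(packets):
    """packets: (timestamp_in_microseconds, frame_bytes). Little-endian pcap, linktype 1."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for ts, pkt in packets:
        out += struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


def sample_capture():
    """Constructed traffic: ARP pair, DNS-style UDP pair, TCP SYN/SYN-ACK/ACK/FIN."""
    c, s, r, gw = "10.0.0.1", "192.0.2.10", "10.0.0.53", "10.0.0.254"
    return pcap([
        (1_000_000, eth(ETH_ARP, _arp(1, c, gw))),
        (1_000_500, eth(ETH_ARP, _arp(2, gw, c))),
        (1_001_000, eth(ETH_IPV4, _ipv4(c, r, PROTO_UDP, _udp(53000, 53, b"q" * 30)))),
        (1_021_000, eth(ETH_IPV4, _ipv4(r, c, PROTO_UDP, _udp(53, 53000, b"a" * 46)))),
        (1_030_000, eth(ETH_IPV4, _ipv4(c, s, PROTO_TCP, _tcp(40000, 443, 0x02)))),
        (1_050_000, eth(ETH_IPV4, _ipv4(s, c, PROTO_TCP, _tcp(443, 40000, 0x12)))),
        (1_050_100, eth(ETH_IPV4, _ipv4(c, s, PROTO_TCP, _tcp(40000, 443, 0x10)))),
        (2_250_000, eth(ETH_IPV4, _ipv4(c, s, PROTO_TCP, _tcp(40000, 443, 0x11)))),
    ])


# --- flow classification and aggregation ---
def classify(pkt):
    """Return a direction-independent flow key, or None for unparseable frames."""
    if len(pkt) < 14:
        return None
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    body = pkt[14:]
    if ethertype == ETH_ARP and len(body) >= 28:
        return ("ARP",) + tuple(sorted((_fmt(body[14:18]), _fmt(body[24:28]))))
    if ethertype == ETH_IPV4 and len(body) >= 20:
        ihl, proto = (body[0] & 0x0F) * 4, body[9]
        src, dst = _fmt(body[12:16]), _fmt(body[16:20])
        l4 = body[ihl:]
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            name = "TCP" if proto == PROTO_TCP else "UDP"
            return (name,) + tuple(sorted(((src, sport), (dst, dport))))
        return ("IP", proto) + tuple(sorted((src, dst)))
    return ("ETH", ethertype)  # every other frame still counts as a flow of its kind


def extract_flows(data):
    """Walk pcap records; truncated trailers are ignored rather than crashing the parse."""
    if len(data) < 24:
        return {}
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC_LE else ">"
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt, off = data[off:off + incl], off + incl
        key = classify(pkt)
        if key is None or len(pkt) < incl:
            continue
        f, ts = flows[key], sec * 1_000_000 + usec
        f["packets"] += 1
        f["bytes"] += len(pkt)
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    return dict(flows)


def flows_active_between(flows, start_usec, end_usec):
    """Flows seen at least once inside [start, end]: the per-interval count tcptrace gives for TCP."""
    return {k: v for k, v in flows.items() if v["first"] <= end_usec and v["last"] >= start_usec}
```

Keys sort the two endpoints, so a request and its reply land in the same flow regardless of direction; that is what makes a DNS query/response or an ARP request/reply show up as a single two-packet flow rather than two. For a real capture, replace `sample_capture()` with the bytes of the file, and note that this reader handles only the classic pcap container with Ethernet framing (linktype 1); radiotap, VLAN tags and IPv6 would each need their own branch in `classify`.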
