when looking at snoop output, does anyone have any suggestions, filters,
reporting programs to sift through this data.
I must say that I've learned a good bit about tcp/ip by not having such a
utility, but now I have to start putting something together to be able to
parse through snoop output.
do I need to get granular and look at the actual ack nums and seq nums and
lengths and whatnot; and put together something in perl or something or does
such a utility exist.
RESPONSES: [ thanks very much for the feedback ]
Don't know if this will help, but netstat -s output displays counters like
udpInDatagrams = 702 udpInErrors = 0
udpOutDatagrams = 790
TCP tcpRtoAlgorithm = 4 tcpRtoMin = 200
tcpAttemptFails = 12 tcpEstabResets = 8
tcpOutDataSegs =174430 tcpOutDataBytes =162744912
tcpRetransSegs = 1 tcpRetransBytes = 1
tcpOutAck = 18004 tcpOutAckDelayed = 3235
tcpInAckSegs =100535 tcpInAckBytes =162744948
tcpInInorderSegs = 49169 tcpInInorderBytes =4341698
tcpInUnorderSegs = 0 tcpInUnorderBytes = 0
tcpInDupSegs = 0 tcpInDupBytes = 0
IP ipForwarding = 2 ipDefaultTTL = 255
ipInAddrErrors = 0 ipInCksumErrs = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =125504 ipOutRequests =193270
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
tcpInErrs = 0 udpNoPorts = 44884
udpInCksumErrs = 0 udpInOverflows = 0
rawipInOverflows = 0
And so on including stats for ICMP (ping) and IGMP (multicast) protocols.
I cut a bunch of it out. Hope it helps.
---- go get ethereal (ethereal.zing.org). it is a powerful protocol analyzer that has both a gui and cli. it requires GNOME to build, but the command line will run without it. (ideally, you can throw it on an inexpensive linux laptop and have yourself a grand ol' time.)
& Mike Michael P. Sullivan
many suggested this prod ---
my recommendation is to just use snort. it's at www.snort.org.
hope this helps, -john
john benjamins email@example.com
I have no affiliation with this product. I think it is about $1k.
You may want to have a look at it. ----------------------------------------------------------------- If you had trouble downloading or have any questions regarding our products, please don't hesitate to contact us at firstname.lastname@example.org.
For ordering any of our products, please consult our web site for more information at http://www.net3group.com/.
Best Regards, Net3 Group, Inc. http://www.net3group.com/
Regards, Jim --- Start to look at something like NFR (www.nfr.net) and if you have the correct Cisco router/switch kit, take a look at cflowd (www.caida.org under tools...)
--- one thing that I would check in the snoop man page/documentation is the packet dropping ratio. If packets could be dropped then you need to handle it in your parser or you could think you are looking at some problem. ciao benedetto
--- I'd highly recommend tcptrace (http://jarok.cs.ohiou.edu/software/tcptrace/)
I've been using it for the last couple of weeks, and it does a pretty good job of summarizing stuff.
-----Original Message----- From: Beck, Joe Sent: Wednesday, August 30, 2000 12:40 PM To: email@example.com Subject: protocol analysis--how to tell if a particular packet is "bad" ie. a retrans or out of seq.
when looking at snoop output, does anyone have any suggestions, filters, reporting programs to sift through this data. I must say that I've learned a good bit about tcp/ip by not having such a utility, but now I have to start putting something together to be able to parse through snoop output. do I need to get granular and look at the actual ack nums and seq nums and lengths and whatnot; and put together something in perl or something or does such a utility exist.
any suggestions greatly welcomed, we do have a sniffer that our OIT/wan group purchased; but that requires a cost & a good amt of planning...i'd like to have something I can do/use on my own
thanks, joe ________________________________________________________ Joe Beck Unix Administrator/Tax Redesign Project firstname.lastname@example.org voice: (609)292-5785
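For the "do I need to look at the actual ack nums and seq nums" question, here is an added example (not from anyone on the thread) of the granular approach: a small parser over snoop-style summary lines that tracks the next expected sequence number per TCP flow and labels each segment as in-order, retransmit, out-of-order, or a gap. The sample lines are constructed to look like snoop's default summary format, and the gap label is kept separate from the others because, as benedetto's reply notes, a jump in sequence numbers may just mean snoop dropped packets rather than the network did.

```python
import re

# Constructed sample in snoop's summary layout (not a real capture):
#   frame time src -> dst TCP D=dport S=sport [flags] [Ack=n] Seq=n Len=n Win=n
SAMPLE = """\
  1   0.00000 client -> server TCP D=80 S=40000 Syn Seq=1000 Len=0 Win=8760
  2   0.00010 server -> client TCP D=40000 S=80 Syn Ack=1001 Seq=5000 Len=0 Win=8760
  3   0.00020 client -> server TCP D=80 S=40000 Ack=5001 Seq=1001 Len=100 Win=8760
  4   0.00030 client -> server TCP D=80 S=40000 Ack=5001 Seq=1101 Len=100 Win=8760
  5   0.20030 client -> server TCP D=80 S=40000 Ack=5001 Seq=1101 Len=100 Win=8760
  6   0.20040 client -> server TCP D=80 S=40000 Ack=5001 Seq=1401 Len=100 Win=8760
  7   0.20050 client -> server TCP D=80 S=40000 Ack=5001 Seq=1201 Len=100 Win=8760
"""

LINE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+TCP\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)(?P<flags>.*?)"
    r"Seq=(?P<seq>\d+)\s+Len=(?P<len>\d+)"
)

def classify(lines):
    """Return [(frame, verdict), ...] for every TCP line that parses.
    Per flow (src, sport, dst, dport) we remember the next expected seq
    and the seq values already seen, so a repeat of a seen seq below the
    expected value is a retransmit, an unseen seq below it is a late
    (out-of-order) arrival, and a seq above it is a gap: either real loss
    upstream of the sniffer or packets snoop itself dropped."""
    state = {}
    verdicts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        seq, length, flags = int(m["seq"]), int(m["len"]), m["flags"]
        end = seq + length + ("Syn" in flags) + ("Fin" in flags)  # SYN/FIN use one seq number
        if flow not in state:
            state[flow] = {"next": end, "seen": {seq}}
            verdicts.append((int(m["frame"]), "first"))
            continue
        st = state[flow]
        if seq == st["next"]:
            verdict = "in-order"
        elif seq > st["next"]:
            verdict = "gap"
        elif seq in st["seen"]:
            verdict = "retransmit"
        else:
            verdict = "out-of-order"
        st["seen"].add(seq)
        st["next"] = max(st["next"], end)
        verdicts.append((int(m["frame"]), verdict))
    return verdicts

if __name__ == "__main__":
    for frame, verdict in classify(SAMPLE.splitlines()):
        print(f"frame {frame}: {verdict}")
```

On the sample, frame 5 repeats frame 4's seq and is flagged as a retransmit, frame 6 jumps ahead and is a gap, and frame 7 fills that gap late and is out-of-order; segments that retransmit with a different boundary than the original will not be caught by the exact seq match, so treat it as a first pass over real snoop output.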
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:16 CDT