Usage

Step 1

Convert the data-trace (outgoing) to ASCII with tcpdump after filtering on TCP. Use absolute sequence numbers (tcpdump -S) at this point, sort the trace on connections, and then run it through the sack_rel_seqno program to convert the absolute sequence numbers to relative ones.
Step 2

Convert the ack-trace (incoming) to ASCII after filtering on TCP. Again start from absolute sequence numbers, then use the 2way_prep program, which simply swaps the source and destination fields of each line, then sort on connections and convert to relative sequence numbers with sack_rel_seqno. Apart from 2way_prep the steps for the ACK stream are the same as for the DATA stream. Swapping source and destination gives the ACK lines the same source and destination columns as the DATA lines of the same connection, so the two streams can be compared column by column when they are combined in Step 3.
Step 3

Now use extract_dat_seq_v3 to convert the sorted data-trace to one output line per SYN, DATA and TRM (FIN) packet. Use sack_extract_ack_seq_v3 to do the same for the ack-trace. Then merge the two into a single file, sorted on connection and, within a connection, on time stamp.

Example of steps 1, 2 and 3 for the data packets:

    gunzip -c $1 | tcpdump -S -n -tt -r - tcp | egrep '^[0-9]+\.[0-9]+ [0-9]{1,3}\.' | sort -s +1 -2 +3 -4 +0 -1 -T $3 | sack_rel_seqno | extract_dat_seq_v3 | gzip -c > $4.dat

Example of steps 1, 2 and 3 for the ack packets:

    gunzip -c $1 | tcpdump -S -n -tt -r - tcp | egrep '^[0-9]+\.[0-9]+ [0-9]{1,3}\.' | sort -s +1 -2 +3 -4 +0 -1 -T $3 | 2way_prep | sack_rel_seqno | sack_extract_ack_seq_v3 | gzip -c > $4.ack

Merge of the two outputs:

    sort -s -o $4.seq_sort +1 -2 +3 -4 +0 -1 +5 -6 $4.ack $4.dat

Here $1 is the gzipped trace being processed, $3 is the directory sort uses for its temporary files (-T), and $4 is the prefix of the output files. tcpdump is run with -S (absolute sequence numbers), -n (no name resolution, so the address fields stay numeric) and -tt (raw time stamp). The egrep keeps only the lines that start with a time stamp followed by an IPv4 address, i.e. one line per packet. The sort options use the old zero-based +pos -pos key syntax: +1 -2 is the source field, +3 -4 the destination field and +0 -1 the time stamp (equivalent to -k 2,2 -k 4,4 -k 1,1 in the -k syntax), and -s makes the sort stable so packets with equal keys keep their capture order; the merge adds +5 -6 (-k 6,6) as the last key. Two things to check before trusting the output: the egrep pattern expects the address to follow the time stamp directly, as older tcpdump versions print it, while newer versions insert an "IP" token there, which would make the filter drop every line; and the ack pipeline applies 2way_prep after the sort rather than before it as described in Step 2, which groups the packets by connection either way, and the merge sorts the combined file again.
Step 4

At the end of Step 3 you have a single file, $4.seq_sort, holding both the ack and the data packets, sorted on connection and on time stamp within each connection. This file is ready to be used by the analyzer. It has to be run through the analyzer for each of the 4 different OSes. The analyzer writes a log file, e.g. t.a.log, with one line for each connection in the trace. All the files are available here.
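The filter, the sort keys and the src/dst swap from Steps 1 to 3, as an added example that is not part of the original page or its scripts: it runs on constructed tcpdump lines in the old output format the egrep expects, reproduces only the generic stages (grep -E standing in for egrep, sort with -k keys instead of the +pos syntax, and an awk swap standing in for 2way_prep, written from the description above rather than from its source), omits sack_rel_seqno and the extract_*_seq_v3 programs, and ends with a sanity check that time stamps never go backwards within a connection. The function names, the sample addresses and the awk swap are assumptions, not the project's code.

```shell
#!/bin/sh
# Added example, not one of the trace-processing scripts the page describes.
# It reproduces only the generic parts of the pipeline (the grep filter, the
# sort keys and the src/dst swap) on constructed tcpdump lines, so that the
# effect of each stage can be seen. sack_rel_seqno, extract_dat_seq_v3 and
# sack_extract_ack_seq_v3 are not reproduced; swap_src_dst is an awk stand-in
# for the column swap that 2way_prep performs, written from the page's
# description of it, not from its source.
export LC_ALL=C   # byte-order sorting, independent of the user's locale

# Constructed sample of the outgoing (DATA) trace as old tcpdump -S -n -tt
# prints it: "<timestamp> <src.port> > <dst.port>: <flags> <seq> ...".
# The third line has an unresolved hostname, the kind of line the filter drops.
DATA_TRACE='1000000000.100000 10.0.0.1.1234 > 10.0.0.2.80: S 100:100(0) win 5840
1000000000.105000 10.0.0.1.1235 > 10.0.0.3.80: S 500:500(0) win 5840
1000000000.250000 host.example.1235 > 10.0.0.3.80: P 501:601(100) ack 1 win 5840
1000000000.200000 10.0.0.1.1234 > 10.0.0.2.80: P 101:201(100) ack 1 win 5840
1000000000.300000 10.0.0.1.1234 > 10.0.0.2.80: F 201:201(0) ack 1 win 5840'

# Constructed sample of the incoming (ACK) trace: the same connections seen
# from the other direction, so src and dst are reversed relative to DATA_TRACE.
ACK_TRACE='1000000000.150000 10.0.0.2.80 > 10.0.0.1.1234: S 900:900(0) ack 101 win 5792
1000000000.155000 10.0.0.3.80 > 10.0.0.1.1235: S 700:700(0) ack 501 win 5792
1000000000.250000 10.0.0.2.80 > 10.0.0.1.1234: . ack 201 win 5792
1000000000.350000 10.0.0.2.80 > 10.0.0.1.1234: . ack 202 win 5792'

line_count() { awk 'END { print NR }'; }

# The page's egrep filter: keep lines that begin "<timestamp> <digit-octet>.".
filter_tcp_lines() { grep -E '^[0-9]+\.[0-9]+ [0-9]{1,3}\.'; }

# The page's "sort -s +1 -2 +3 -4 +0 -1" in -k syntax (+N is a 0-based field,
# -k is 1-based): source, then destination, then time stamp; -s keeps capture
# order between lines with equal keys.
sort_by_connection() { sort -s -k 2,2 -k 4,4 -k 1,1; }

# Stand-in for 2way_prep (assumption): exchange the src and dst columns, moving
# the trailing ':' with the dst column, so an ACK line carries the same
# (src, dst) pair as the DATA line it acknowledges.
swap_src_dst() {
    awk '{ d = $4; sub(/:$/, "", d); s = $2; $2 = d; $4 = s ":"; print }'
}

prepared_data() { printf '%s\n' "$DATA_TRACE" | filter_tcp_lines | sort_by_connection; }
prepared_acks() { printf '%s\n' "$ACK_TRACE"  | filter_tcp_lines | sort_by_connection | swap_src_dst; }

# Step 3 merge: one stream, grouped by connection and time-ordered within it.
# The page's extra key (+5 -6) is a column of the extract_*_seq_v3 output,
# which this example does not produce, so it is left out here.
merged_stream() { { prepared_data; prepared_acks; } | sort -s -k 2,2 -k 4,4 -k 1,1; }

# Sanity check before handing the file to the analyzer: within each
# (src, dst) group the time stamps must never go backwards. Exit status 0 = ok.
check_time_order() {
    awk '{ key = $2 " " $4
           if (key == prev && ($1 + 0) < (ts + 0)) bad++
           prev = key; ts = $1 }
         END { exit (bad > 0) }'
}

# Stand-alone run: show the merged stream, then the result of the check.
merged_stream
merged_stream | check_time_order && echo "merged stream is time-ordered within each connection"
```

Run it as a shell script. The point to observe in the merged output is that lines from the ack trace and the data trace interleave under the same source and destination columns, in time order, only because the ack lines were swapped first; without the swap each connection would appear as two separate groups.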