Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 169 lines (146 sloc) 6.93 KB
# begins on the previous line
# This macro finds the bytes in flight after each segment. Basically how
# many bytes are unACKed. This is slightly different from what Wireshark
# does. Wireshark shows the bytes in flight from when a packet is sent.
# For example if there are no outstanding bytes and the sender sends
# 32,000 bytes (we can assume TCP offloading) Wireshark will show 32,000
# bytes in flight. If a series of ACKs acks all bytes and then the sender
# sends another 32,000 bytes Wireshark will again show 32,000 bytes in flight.
# At no point will it show 0 bytes in flight. I think this is misleading
# since you cannot see that the receiver is sending multiple ACKs and the
# bytes in flight is going down to zero and then the sender sends more data.
# It also calculates the available window by subtracting the bytes in flight
# from the last window receivied.
# The data probably makes more sense when the trace is captured on the sender
# Version 1.0 February 4, 2017
# Version 1.1 February 16, 2017
# swapped TSHARK-FILTER and OUTPUT-FILE is the usage message and added
# "not tcp.flags.syn == 1" to filter out the SYN segment because tshark
# does not include tcp.len in the SYN segment so that segment is short a
# field which screws everything up. Also changed display to show after
# the sender sends data so if there are multiple sends without an ACK you
# can see the bytes in flight go up. Added the available window calculation
# which is the last window minus the bytes in flight
# Version 1.2 April 1, 2017
# Added copyright and GNU GPL statement and disclaimer
# Version 1.3 July 10, 2017
# Removed the Filter argument, corrected some typos.
# from
# Copyright (C) 2017 Noah Davids
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, version 3,
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
if [ $# -ne 6 ]
then echo "Usage:"
echo " FILE is the name of the trace file to be analyzed"
echo " SND-IP is the IP address of the host sending data"
echo " SND-PORT is the TCP Port number sending data"
echo " DST-IP is the IP address of the host receiving data"
echo " DST-PORT is the TCP Port number receiving data"
echo " OUTPUT-FILE is the name of the output file"
if [ ! -e $FILE ]
then echo "Could not find input file $FILE"
# I'm not checking the individual octets, that is more complicated than I
# want and Tshark will report an error. This will just make sure that the
# format is correct, i.e. ddd.ddd.ddd.ddd
if [[ ! $SNDIP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
then echo "$SNDIP is not a valid IP Address"
if [[ ! $DSTIP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
then echo "$DSTIP is not a valid IP Address"
# I always echo the command and arguments to STDOUT as a sanity check
if [ $(tshark -help | egrep "\-Y <display filter>" | wc -l) -eq 0 ]
then DASH="-R"
# Filter the trace file for connections matching the SND-IP, SND-PORT,
# DST-IP, DST-PORT and output the source IP address, TCP sequence
# number, the TCP length, and ACK number, relative time window size and
# frame number. The frame number is to make it easy to go back in the
# trace and find frames that correspond to areas of interest
tshark -r $FILE $DASH "(ip.addr eq $SNDIP and ip.addr eq $DSTIP) and \
(tcp.port eq $SNDPORT and tcp.port eq $DSTPORT) \
and not tcp.flags.syn == 1" -T fields \
-e ip.src -e tcp.seq -e tcp.len -e tcp.ack -e tcp.time_relative \
-e tcp.window_size -e frame.number >/tmp/bytes-in-flight.out
# For each line output, if the source IP matches the SND-IP print the
# source IP and the sum of the TCP sequence number and the TCP length.
# You cannot just output tcp.nxtseq since if there is no data that
# field is not printed and you send up with rows with different numbers
# of columns. You can parse this arrangement of data but it seemed
# easier to do it this way. If the IP does not match SND-IP print the
# source IP and the ACK number. In either case also print the relative
# time and frame number. Also if the IP matches the sender we do not care
# about the window size so just use an X.
awk -v sndip=$SNDIP '{if ($1 == sndip) print $1 " " $2+$3 " " $5 " X " $7; \
else print $1 " " $4 " " $5 " " $6 " " $7}' \
/tmp/bytes-in-flight.out > /tmp/bytes-in-flight-2.out
# For each line, if the entry matches SNDIP read the fields in the entry
# and save the sequence number as sendersequence -- if the sequence value
# is greater than the previous sendersequence value. If the entry is not
# SNDIP then save the sequnce number as acksequence. ACK numbers do not
# go down so no need to test for that. There will be a discontinuity when
# seqence numbers wrap. Also if it is not the sender then save the window as
# lastwindow. Then output the relative time, sendersequence, acksequence,
# the difference between sendersequence and acksequence and the difference
# between the lastwindow and difference between the sendersequence and the
# acksequence. This is the bytes left in the window. Finally include the
# frame number.
echo "" > $OUTPUT
cat /tmp/bytes-in-flight-2.out | while read senderip sequence reltime \
window framenumber; do
if [ $senderip == "$SNDIP" ]
if [ $sequence -gt $sendersequence ]
echo $reltime " " $sendersequence " - " $acksequence " = BIF: " \
$(($sendersequence - $acksequence)) " " $lastwindow \
" Avail-Window: " \
$(($lastwindow - ($sendersequence - $acksequence))) " " \
$framenumber >> $OUTPUT
# clean up temporary files
rm /tmp/bytes-in-flight.out
rm /tmp/bytes-in-flight-2.out
# You can no manipulate the bytes in flight (column 6) however you want.
# You can graph bytes in flight over time, assuming you have installed
# gnuplot, with the plot commands below
# echo "set term x11 persist; plot \"$OUTPUT\" using 1:6" | gnuplot
# ends here