# begins on the previous line
# This macro uses tshark to calculate the percentage of retransmitted packets
# in a packet trace. The calculation is based on the source IP address and
# tshark stream number. The calculation is the number of retransmitted segments
# containing data from a given IP address in a given TCP stream divided by the
# number of not retransmitted segments containing data from that host in that
# stream.
# Note that this will not count retransmitted SYN or FIN segments unless they
# contain data.
# Output has the format
# Stream Src-IP:Port Dst-IP:Port TTL retran / not-retran percentage
# One line for each source stream/4-tuple. The TTL is given to give you
# some idea of whether the segments originated locally or remotely.
# If the only thing printed is the command and file name it means that the
# packet tracefile did not contain any retransmitted segments containing data.
# Version 1.0 May 29, 2017
# Version 1.1 June 1, 2017
# changed so that there is only 1 pass through the file with tshark instead
# of 1+N passes where N is the number of Streams/4-tuples with
# retransmissions
# from
# Copyright (C) 2017 Noah Davids
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation, version 3,
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# GNU General Public License for more details.
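# Main flow: validate the argument, pick the display-filter option this tshark
# understands, run ONE tshark pass over the trace to count data segments per
# (stream, src, sport, ttl, dst, dport, retransmitted?) tuple, then join the
# retransmitted and not-retransmitted counts per tuple and print the ratio.
# Exits non-zero on bad usage, a missing trace file, a missing tshark, or a
# tshark failure. All temporary data lives in a private mktemp directory that
# is removed on every exit path.
set -euo pipefail

# Print a message to stderr and exit with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

if [ $# -ne 1 ]; then
  echo "Usage:" >&2
  echo " $0 FILE" >&2
  echo " FILE is the name of the trace file to be analyzed" >&2
  echo "Example:" >&2
  echo " $0 trace.pcap" >&2
  exit 1
fi
FILE=$1

# Quoted so a file name with spaces or a leading "-" cannot be split or taken
# as an option.
[ -e "$FILE" ] || die "Could not find input file $FILE"
command -v tshark >/dev/null 2>&1 || die "tshark was not found in PATH"

# Figure out if we can use "-Y" as the display filter argument or we need
# "-R". Look at the help output and if we do not find "-Y" we use "-R".
# The probe is a pattern match on a captured string rather than a pipe into
# grep, so an early grep exit (SIGPIPE) under pipefail cannot skew the result.
help_text=$(tshark -help 2>&1 || true)
case $help_text in
  *"-Y <display filter>"*) DASH="-Y" ;;
  *) DASH="-R" ;;
esac

# Private temporary directory instead of fixed names under /tmp: a fixed,
# predictable name can be pre-created or symlinked by any other local user and
# two concurrent runs would overwrite each other's intermediate files. The
# trap removes it on normal exit, die, and signals alike.
tmpdir=$(mktemp -d) || die "Could not create a temporary directory"
trap 'rm -rf -- "$tmpdir"' EXIT
counts=$tmpdir/counts

# I always echo the command and arguments to STDOUT as a sanity check
printf '%s %s\n' "$0" "$FILE"

# Find all data segments and display the TCP stream number, source IP, source
# port, TTL, destination IP, destination port and retransmission flag.
# -- NOTE -- that this will not find SYN or FIN segments without data.
# tcp.stream is the stream number the output's "Stream:" column refers to.
# Sort (byte-wise, so the output order does not depend on the locale) and
# count identical lines. The sort puts the not-retransmitted line of a tuple
# (empty flag column) before its retransmitted line (flag column "1").
# tshark does all parsing of the capture; the only capture-derived values that
# reach the shell are its tab-separated fields, and they are compared as awk
# fields below, never used as a regular expression or evaluated.
tshark -r "$FILE" "$DASH" "tcp.len > 0" -T fields -e tcp.stream \
  -e ip.src -e tcp.srcport -e ip.ttl -e ip.dst -e tcp.dstport \
  -e tcp.analysis.retransmission \
  | LC_ALL=C sort | uniq -c > "$counts" \
  || die "tshark failed to read $FILE"

# Join the two lines of each tuple in a single awk pass on exact field
# equality. The earlier approach built an egrep pattern from the fields, where
# "." in an IP matched any character and an unanchored stream number such as
# "1" also matched stream "11", so a tuple could pick up extra lines.
# Input columns: count stream src-ip src-port ttl dst-ip dst-port [flag]
# For each tuple with retransmissions print, in sorted order:
#   Stream: <stream> <src>:<sport> -> <dst>:<dport> TTL: <ttl> <retran>/<not-retran>*100 = <pct>
# If a tuple has no not-retransmitted line at all (not expected, since tshark
# flags a retransmission only after seeing earlier data on the stream) the
# count is printed as 0 and the percentage as "n/a" rather than dividing by 0.
awk '
  BEGIN { n = 0 }
  { key = $2 " " $3 " " $4 " " $5 " " $6 " " $7 }
  ($8 > 0) {
    if (!(key in retran)) order[++n] = key
    retran[key] = $1
    next
  }
  { normal[key] = $1 }
  END {
    for (i = 1; i <= n; i++) {
      key = order[i]
      split(key, f, " ")
      nr = (key in normal) ? normal[key] : 0
      pct = (nr > 0) ? retran[key] / nr * 100 : "n/a"
      print "Stream: " f[1] " " f[2] ":" f[3] " -> " f[5] ":" f[6] " TTL: " f[4] " " \
        retran[key] "/" nr "*100 = " pct
    }
  }
' "$counts"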
# ends here