Removed the TSHARK-FILTER argument from stream-throughpt, added a che…

…ck for no packets found, and added the HTML description
noahdavids · Jul 27, 2017 · f446711 · f446711
1 parent 24c6f41
commit f446711
Show file tree

Hide file tree

Showing 3 changed files with 149 additions and 14 deletions.
diff --git a/Descriptions b/Descriptions
@@ -45,6 +45,7 @@ start-packet-tracing.sh         runs tcpdump in the background with 10 files
 -------------------------------------------------------------------------------
 stream-throughput.sh		calculate the throughput of all TCP streams
                                 in a trace file
+stream-throughput.sh.html	An HTML description
 -------------------------------------------------------------------------------
 unterminated-connections.sh	find TCP connections that have not been
                                 closed or reset

diff --git a/stream_throughput.sh b/stream_throughput.sh
@@ -28,8 +28,12 @@
 #    to STREAMTHROUGHPUTVERSION
 # Version 1.3 Apr 1 2017
 #    Added copyright and GNU GPL statement and disclaimer
+# Version 1.4 Jul 26, 2017
+#    Removed the TSHARK-FILTER argument and now automagically figure out
+#    if "-Y" or "-R" is needed
+#    Added test to report if no packets from source where found.
 
-STREAMTHROUGHPUTVERSION="1.3_2017-04-01"
+STREAMTHROUGHPUTVERSION="1.4_2017-07-26"
 #
 # from https://github.com/noahdavids/packet-analysis.git
 
@@ -44,25 +48,22 @@ STREAMTHROUGHPUTVERSION="1.3_2017-04-01"
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 
-if [ $# -ne 4 ]
+if [ $# -ne 3 ]
 
    then echo "Usage:"
         echo "   stream-throughput.sh FILE IPSRC TSHARK-FILTER OUTFILE"
         echo "      FILE is the name of the trace file to be analyzed"
         echo "      IPSRC is the IP address of the host sending the bytes"
         echo "         you wish to calculate the throughput for."
-        echo "      TSHARK-FILTER is either Y or R depening on the release \
-of Tshark"
         echo "      OUTFILE is the name of the output file"
         echo "Example:"
-        echo "   stream-throughput.sh trace.pcap Y stream-throughput.out"
+        echo "   stream-throughput.sh trace.pcap stream-throughput.out"
         exit
 fi
 
 FILE=$1
 IPSRC=$2
-FILTER=$3
-OUTFILE=$4
+OUTFILE=$3
 
 if [ ! -e $FILE ]
    then echo "Could not find input file $FILE"
@@ -78,18 +79,22 @@ if [[ ! $IPSRC =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
    exit
 fi
 
-if [ $FILTER != "R" -a $FILTER != "Y" ]
-   then echo "Filter string must be either R or Y, $FILTER is not allowed"
-   exit
+# Figure out if we can use "-Y" as the display filter argument or we need 
+# "-R". Basically look at the help output and if we do not find the "-Y"
+# we use "-R"
+
+DASH="-Y"
+if [ $(tshark -help | egrep "\-Y <display filter>" | wc -l) -eq 0 ]
+then DASH="-R"
 fi
 
 # I always echo the command and arguments to STDOUT as a sanity check
 
-echo stream-throughput.sh $FILE $IPSRC $FILTER $OUTFILE
+echo stream-throughput.sh $FILE $IPSRC $OUTFILE
 
 # Also echo the command, arguments, date and version to the output file
 
-echo stream-throughput.sh $FILE $IPSRC $FILTER $OUTFILE > $OUTFILE
+echo stream-throughput.sh $FILE $IPSRC $OUTFILE > $OUTFILE
 echo stream-throughput.sh run on $(date) >> $OUTFILE
 echo stream-throughput.sh version $STREAMTHROUGHPUTVERSION >> $OUTFILE
 echo >> $OUTFILE
@@ -98,14 +103,21 @@ echo >> $OUTFILE
 # Tshark commands because we are interested in the ACK values going back to
 # the source.
 
-tshark -r $FILE -$FILTER "ip.dst == $IPSRC" -T fields -e tcp.stream | sort -nu > /tmp/tcp_streams
+tshark -r $FILE $DASH "ip.dst == $IPSRC" -T fields -e tcp.stream | sort -nu > /tmp/tcp_streams
+
+if [ $(cat /tmp/tcp_streams | wc -l) -eq 0 ]
+then echo "There are no acknowledgment packets going to the IP source address " $IPSRC " - exiting"
+     echo "There are no acknowledgment packets going to the IP source address " $IPSRC " - exiting" >> $OUTFILE
+     exit
+fi
+
 
 cat /tmp/tcp_streams | while read x
 do
    echo -n "TCP Stream $x  " >> /tmp/tcp_streams_throughput
    tshark -r $FILE -o tcp.relative_sequence_numbers:TRUE \
                    -o tcp.calculate_timestamps:TRUE \
-       -$FILTER "tcp.stream == $x && not tcp.flags.reset == 1 && \
+       $DASH "tcp.stream == $x && not tcp.flags.reset == 1 && \
                 ip.dst == $IPSRC" \
        -T fields -e tcp.time_relative -e ip.src -e tcp.srcport -e ip.dst \
                  -e tcp.dstport -e tcp.ack | tail -1  > /tmp/tcp_a_stream

diff --git a/stream_throughput.sh.html b/stream_throughput.sh.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<meta http-equiv="content-type" content="text/html; charset=windows-1252" />
+<title>stream_throughput.sh.sh Information</title>
+</head>
+
+<body background="concret.jpg">
+<center>
+<h1>stream_throughput.sh Information</h1>
+<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
+</center>
+<p>
+This macro uses tshark to make N+1 passes through a file. The first pass identifies all TCP streams. Then for each stream it calculates the throughput from the last frame's ACK number and dividing by the TCP relative time. Reset frames are excluded since they do not always carry an ACK number.
+<p>
+The Output file has the format
+&nbsp&nbsp&nbsp&nbsp&nbspTCP Stream: N IPSRC:PORTSRC -> IPDST:PORTDST   ACK / TIME = THROUGHPUT Bytes/Sec
+<p>
+If the input file is large with many TCP streams it would make sense to first create a file containing just the segments of the TCP stream of interest, assuming you are not interested in all the streams.
+<p>
+If there are enough segments that the sequence numbers wrap and are reused this macro cannot be used.
+<p>
+This also does not consider any bytes ACKed via Selective Acknowledgment blocks. 
+#<p>
+
+<b><h3>Usage</h3></b>
+stream_throughput.sh FILE-NAME IP-SRC OUTFILE
+<br><br>
+<b>FILE-NAME</b>
+<br>
+The file name (or path to the file), This file must be readable by tshark.
+<br><br>
+<b>IP-SRC</b>
+<br>
+Is the IP address of the host sending the bytes you wish to calculate the throughput for.
+<br><br>
+<b>OUTFILE</b>
+<br>
+A file to put he results in.
+<br><br>
+
+<b><h3>Examples</h3></b>
+
+Example 1 - trace file with just 1 TCP stream with the source address
+<center>
+<table border=5>
+<tr><td align=left>
+<pre>                                                                   
+
+$ ./stream_throughput.sh test.pcap 10.123.5.61 throughput.out
+stream-throughput.sh test.pcap 10.123.5.61 throughput.out
+
+
+$ cat throughput.out 
+stream-throughput.sh test.pcap 10.123.5.61 throughput.out
+stream-throughput.sh run on Wed Jul 26 20:47:56 MST 2017
+stream-throughput.sh version 1.4_2017-07-26
+
+TCP  Stream  0  10.123.5.61:753  ->  10.123.4.165:2049  264990145  /  2.363086000  =  112137325.937354  Bytes/sec
+</pre>
+</td></tr>
+</table>
+Figure 1
+</center>
+<p>
+
+Example 2 - trace file with multiple streams from the source address
+<center>
+<table border=5>
+<tr><td align=left>
+<pre>                                                                   
+$ ./stream_throughput.sh /tmp/test2.pcap 192.168.1.200 throughput.out
+stream-throughput.sh /tmp/test2.pcap 192.168.1.200 throughput.out
+
+$ cat throughput.out 
+stream-throughput.sh /tmp/test2.pcap 192.168.1.200 throughput.out
+stream-throughput.sh run on Wed Jul 26 20:58:12 MST 2017
+stream-throughput.sh version 1.4_2017-07-26
+
+TCP  Stream  17  192.168.1.200:22  ->  192.168.1.12:37262  9111      /  9.223089000   =  987.846913      Bytes/sec
+TCP  Stream  18  192.168.1.200:22  ->  192.168.1.12:37264  35921567  /  14.336424000  =  2505615.556571  Bytes/sec
+TCP  Stream  19  192.168.1.200:22  ->  192.168.1.12:37266  35921647  /  14.155734000  =  2537603.984364  Bytes/sec
+TCP  Stream  22  192.168.1.200:22  ->  192.168.1.12:37270  35921647  /  13.547399000  =  2651553.039812  Bytes/sec
+</pre>
+</td></tr>
+</table>
+Figure 2
+</center>
+<p>
+
+Example 3 - Mistyping the source address so no streams are found
+<center>
+<table border=5>
+<tr><td align=left>
+<pre>                                                                   
+$ ./stream_throughput.sh /tmp/test2.pcap 192.168.2.200 throughput.out
+stream-throughput.sh /tmp/test2.pcap 192.168.2.200 throughput.out
+There are no acknowledgment packets going to the IP source address  192.168.2.200  - exiting                     
+</pre>
+</td></tr>
+</table>
+Figure 3
+</center>
+<p>
+<br /><br />
+<h5><center>
+<img src="bluebar.gif" width="576" height="14" alt="Blue Bar separator">
+<br />
+This page was last modified on 17-07-26</h5>
+</center>
+<a href="mailto:noah@noahdavids.org"><img src="mailbox.gif" width="32" height="32" alt="mailbox" align="left" hspace=3>
+Send comments and suggestions
+<br />
+to noah@noahdavids.org
+</a>
+</body>
+
+</html>