TCP/IP stream analysis tool
This tool is part of a series of utilities meant to illustrate the use of the Unsniff Scripting API and to motivate you to write your own tools.
TCP is arguably the most important protocol in the internet today. Under the hood, TCP features complex algorithms for congestion control. TCP attempts to seek the ideal bandwidth rate dynamically on any given link: it constantly tries to push the transfer rate higher and periodically pulls back when it encounters errors. Observing the behavior of TCP is quite a revealing experience about rate control and error recovery. We present a utility here that detects retransmissions, out of order segments and duplicate acks. It can produce charts that plot the congestion window, advertised window, in-flight data, sequence number analysis and much more.
TCP/IP Analysis
Quick Info
This tool demonstrates the following concepts:
- Using the Unsniff Scripting API to work with Streams, Packets, and Fields
- Creating sophisticated user interfaces (tabs, splitters, grids) using the Fox-Ruby toolkit
- Using the free ruby charting library UnleashCharts to create bar charts
- Ruby concepts such as classes and inheritance
- TCP/IP algorithms for slow start, fast retransmit, and congestion avoidance
This application is written entirely using Ruby and the Unsniff Scripting API. The purpose of this script is to demonstrate the full power of the Unsniff Scripting API as well as to provide a powerful TCP/IP analysis tool to the community.

The key features of the tool are:
- 7 powerful TCP analysis charts
- Full sequence number analysis
- Detect retransmissions, duplicate acks, delayed acks, out of order segments (early and late)
- Each packet is flagged with the appropriate analysis
- Calculate estimated RTT if a valid sample is obtained
- Detect Maximum Segment Size from captured data
- Analyze In and Out directions separately
- Handle sequence wrapping
- Calculate the congestion window (cwnd)
- Chart: Sequence number analysis, with specially colored lines marking retransmissions and duplicate acks
- Chart: Traffic / RTT, plots the traffic in each RTT interval
- Chart: Inflight Data, number of bytes currently on the wire
- Chart: Bandwidth, number of bytes transferred per second for the duration of the session
- Chart: RTT Estimation, plots all the RTT samples gathered
- Chart: Window Sizes, plots the advertised sender and receiver windows
- Chart: Cwnd (Congestion Window), indicates when the TCP was in slow-start and in congestion avoidance mode
This utility is written in the Ruby scripting language, using the Fox-Ruby GUI toolkit and the free UnleashCharts charting library.
Per packet analysis
TCP/IP analysis is performed for each packet. Packet details along with analysis results are presented in a table. The columns shown are: Packet ID (from the capture file), Time (relative to the initial SYN segment), Direction (Out = same direction as the SYN segment, In = same direction as the SYN+ACK segment), relative SEQ and ACK numbers, Payload bytes, RTT (if the segment yields a valid RTT sample) and the analysis of the segment.
Sequence number analysis
This chart shows how sequence numbers increase over time. Out of order packets, duplicate ACKs, and retransmissions are shown as vertical lines in the chart.
- Retransmissions are shown as red vertical lines
- Duplicate acks are shown as yellow vertical lines
- Out of order segments are shown as purple vertical lines
- "Good" segments are marked with a white circle
- Gaps in the chart indicate periods where no effective data transfer occurs; the two TCPs are busy making up for lost packets
In the chart shown on the right you can observe that there are large periods of time when no good data transfer is occurring. You can also see how the sender tries to climb too fast in the initial phase (slow start) only to be pulled down by a burst of duplicate acks.
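The per-segment classification behind this chart and the per packet table, as an added example written for this page rather than taken from anastm.rb: it flags retransmissions, early and late out of order segments and duplicate acks for one direction, handles sequence wrapping, and reports sequence numbers relative to the ISN. The Segment records, their field names and the ISN are constructed for the example; in the real tool the fields come from the Unsniff Scripting API.

```ruby
# Added example, not code from anastm.rb: per-segment analysis of one direction of a
# TCP stream from seq/ack/payload length alone (records and field names are my own).
SEQ_MOD = 2**32
Segment = Struct.new(:id, :seq, :ack, :len)
# a < b in 32-bit sequence space, correct across a wrap (RFC 1982 arithmetic).
def seq_lt(a, b)
  a != b && ((b - a) % SEQ_MOD) < SEQ_MOD / 2
end
# One hash per segment: :id, :rel_seq (relative to the ISN) and :flags, drawn from
# retransmission, out_of_order_early, out_of_order_late (fills an earlier gap), dup_ack.
def analyze_direction(segments, isn)
  next_expected = (isn + 1) % SEQ_MOD  # the SYN consumes one sequence number
  gaps, last_ack = [], nil             # gaps: [start, end) byte ranges not yet seen
  segments.map do |s|
    flags = []
    if s.len.zero?                     # pure ACK: duplicate if the ack number repeats
      flags << "dup_ack" if s.ack == last_ack
      last_ack = s.ack
    elsif seq_lt(s.seq, next_expected) # data below the expected point
      gap = gaps.find { |g| g[0] == s.seq }
      if gap                           # it fills a hole left by an early segment
        flags << "out_of_order_late"
        gaps.delete(gap)
        rest = (s.seq + s.len) % SEQ_MOD
        gaps << [rest, gap[1]] if seq_lt(rest, gap[1])
      else                             # already seen: a retransmission
        flags << "retransmission"
      end
    else
      if s.seq != next_expected        # jumped ahead: record the hole behind it
        flags << "out_of_order_early"
        gaps << [next_expected, s.seq]
      end
      next_expected = (s.seq + s.len) % SEQ_MOD
    end
    { id: s.id, rel_seq: (s.seq - isn) % SEQ_MOD, flags: flags }
  end
end
# Constructed sample; the ISN sits just below 2**32 so the sequence space wraps.
ISN = SEQ_MOD - 1001
SAMPLE = [
  Segment.new(1, ISN + 1, 1, 1000),  # rel seq 1..1000, in order
  Segment.new(2, 0, 1, 1000),        # rel 1001, wrapped, still in order
  Segment.new(3, 2000, 1, 1000),     # rel 3001: early, rel 2001..3000 missing
  Segment.new(4, 3000, 500, 0),      # pure ACK
  Segment.new(5, 3000, 500, 0),      # same ack number again: duplicate ACK
  Segment.new(6, 1000, 1, 1000),     # rel 2001 fills the hole: late
  Segment.new(7, 2000, 1, 1000),     # already seen: retransmission
]
RESULT = analyze_direction(SAMPLE, ISN)
```

Segments 1 and 2 straddle the 2**32 boundary and are still classified as in order, which is the case a naive `seq < expected` comparison gets wrong.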
Congestion Window analysis
In addition to the receive window, each TCP also maintains a window called the Congestion Window or cwnd. The value of cwnd is responsible for throttling the sender.
This tool estimates the value of "cwnd" based on observed packets (duplicate acks) and plots the value of cwnd against time. The slope of the congestion window indicates the rate at which data is being transmitted.
In the slow start phase, cwnd increases exponentially; in congestion avoidance, cwnd increases linearly, subject to a maximum of 2*mss per round trip time.
In the chart shown here, you can see that cwnd increases exponentially in the beginning but is later cut down to a steady state due to congestion in the network.
Note: This chart makes several assumptions about the behavior of the sender TCP which may not be valid for all TCP implementations.
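The kind of estimate this section describes, as an added example and not the tool's own estimator: a Reno-style model (RFC 5681) that rebuilds the sender's cwnd from the ACK numbers seen on the wire, growing it by one MSS per ACK in slow start, by about one MSS per round trip in congestion avoidance (within the 2*mss bound above), and halving it on the third duplicate ack. The ACK stream is constructed, and an initial cwnd of one MSS, the initial ssthresh and integer byte arithmetic are this example's assumptions about the sender.

```ruby
# Added example, not the tool's own estimator: a Reno-style model (RFC 5681) of the
# sender's cwnd rebuilt from the ACKs seen on the wire. The ACK stream is constructed;
# initial cwnd = 1 MSS, the initial ssthresh and integer byte arithmetic are assumptions.
Ack = Struct.new(:time, :ack)

def estimate_cwnd(acks, mss, init_ssthresh: 65_535)
  cwnd = mss
  ssthresh = init_ssthresh
  last_ack = nil
  dups = 0
  trace = []                               # [time, cwnd, phase] points to chart
  acks.each do |a|
    if a.ack == last_ack                   # duplicate ACK: nothing new acknowledged
      dups += 1
      if dups == 3                         # fast retransmit threshold
        ssthresh = [cwnd / 2, 2 * mss].max
        cwnd = ssthresh                    # cwnd after fast recovery completes
      end
    else
      acked = last_ack ? (a.ack - last_ack) % 2**32 : mss
      dups = 0
      if cwnd < ssthresh
        cwnd += [acked, mss].min           # slow start: +1 MSS per ACK, doubles per RTT
      else
        cwnd += mss * mss / cwnd           # congestion avoidance: about +1 MSS per RTT
      end
      last_ack = a.ack
    end
    phase = cwnd < ssthresh ? "slow_start" : "congestion_avoidance"
    trace << [a.time, cwnd, phase]
  end
  trace
end

MSS = 1000
# Constructed ACK stream: one ACK per MSS-sized segment, then ack 8001 repeated three
# more times (a lost segment), then the data sent after the loss is acknowledged.
ACK_NUMBERS = [1, 2, 3, 4, 5, 6, 7, 8, 8, 8, 8, 12].map { |k| k * MSS + 1 }
SAMPLE_ACKS = ACK_NUMBERS.each_with_index.map { |n, i| Ack.new(i * 0.05, n) }
CWND_TRACE = estimate_cwnd(SAMPLE_ACKS, MSS, init_ssthresh: 8 * MSS)
CWND_TRACE.each { |t, c, p| puts format("t=%.2f cwnd=%d %s", t, c, p) }
```

The trace reaches ssthresh after the seventh ACK, creeps up by 125 bytes per ACK in congestion avoidance, and drops to half its value on the third duplicate ack, which is the shape the chart above shows.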
Sender and Receiver Window
This chart plots the advertised sender and receiver window sizes.
- Blue: Window size advertised by the server
- Yellow: Window size advertised by the client (sender of the initial SYN packet)
Other Charts
In addition to the above charts you can also access these charts:
| Chart Name | Data | Purpose |
| --- | --- | --- |
| Traffic / RTT | Traffic (bps) per Round Trip Time interval | This chart shows the net traffic bandwidth (kbps) per round trip time interval. You can use this to study the throttling behavior of the TCP congestion control algorithms. |
| Inflight Data | Bytes per second | How many bytes of data are in flight over the course of the TCP session? This computes the number of bytes sent by a TCP for which acknowledgements have not yet been received. |
| Bandwidth | Bits (kbps, Mbps) per second | Shows the bandwidth used over the course of the TCP session. |
| RTT samples | milliseconds | Round Trip Time is computed from the initial 3-way handshake. Over the course of a TCP session, RTT can be estimated using acknowledgements received. Delayed acks must not be included in the RTT estimation. This chart plots the valid RTT samples over the course of a TCP session. |
Download
How to run?
- Download the anastm.rb script to a folder
- Download the UnleashCharts charting library, if required, to the same folder
- Execute the script (see below)
Usage:
anastm <capture-file-name> <stream_no> <In | Out>
capture-file-name : Capture file in Unsniff (*.usnf) format
stream_no : Number of the TCP/IP stream you wish to analyze
In/Out : Direction you want to analyse
Example:
c:\RubyTest> anastm SampleCapture12.usnf 32 In