
tcpdstat make

pursh 2014. 2. 3. 16:05

 

tcpdstat-uw.tar

 

If a pcap.h error message appears during the build,

check whether libpcap-dev(el) is installed.

http://sickbits.net/tcpdstat-fixing-a-compilation-bug-and-using-statistics/

 

Synopsis:

tcpdstat [1] is a very small program (see below) that provides statistical summary information from a pcap file.
Network anomalies and traffic deviations can be detected more easily when perusing statistical
information once a baseline has been established. To my knowledge, tcpdstat is no longer developed.

Dave Dittrich has added a lot of additional functionality to tcpdstat [2]; I will be using his release.

We will look at fixing a minor bug encountered when trying to compile and install tcpdstat on Linux
and an attempt will be made to explain tcpdstat’s statistical output.

$ tcpdstat -h
tcpdstat: invalid option -- 'i'
usage: tcpdstat [-dn] [-c count] [-w len_file] [dumpfile]
-d: debug
-n: no flow info
-c: exit after "count" packets
-l: write packet length distributions to a file

Bug fix and Installation:

Download [3] and extract tcpdstat from its tar archive, then read the README for instructions:

$ tar xf tcpdstat-uw.tar
$ cd tcpdstat-uw
$ less README.uw

The error occurs right away; in particular, look at the 2nd and 3rd lines from the bottom:

$ make
cc -I. -I../libpcap-0.7.1 -DLINUX -D__FAVOR_BSD -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -L../libpcap-0.7.1 -c stat.c
stat.c: In function ‘show_stat’:
stat.c:565:5: warning: format ‘%d’ expects argument of type ‘int’, but argument 3 has type ‘long int’ [-Wformat]
cc -I. -I../libpcap-0.7.1 -DLINUX -D__FAVOR_BSD -D_LARGEFILE_SOURCE=1 -D_FILE_OFFSET_BITS=64 -L../libpcap-0.7.1 -c net_read.c
net_read.c:149:12: error: static declaration of ‘packet_length’ follows non-static declaration
tcpdstat.h:415:12: note: previous declaration of ‘packet_length’ was here
make: *** [net_read.o] Error 1

[screenshot: tcpdstat_make_error]

Let’s find the lines that contain the ‘packet_length’ declaration:

$ grep -n packet_length\; ./*
net_read.c:149:static int packet_length; /* length of current packet */
net_read.c:152: { tcpdstat[(name)].packets++; tcpdstat[(name)].bytes += packet_length; }
net_read.c:261: bytes_per_sec += packet_length;
net_read.c:279: bytes_per_sec += packet_length;
tcpdstat.h:415:static int packet_length;

Let’s make a small edit to the source.
Changing line 415 of tcpdstat.h from “extern int packet_length;” to “static int packet_length;” allows the code to compile:

$ vi tcpdstat.h

[screenshot: tcpdstat_compile_orig]

[screenshot: tcpdstat_compile_change_success]

Now compile again:

$ make

[screenshot: tcpdstat_compile_success]

And finally, install:

$ make install

install -m 0755 tcpdstat /usr/local/bin
cp tcpdstat /usr/local/bin
chmod 0755 /usr/local/bin/tcpdstat

Use make clean to remove the build files in the working directory:

$ make clean
rm -f tcpdstat *.o core *.core *.bak ,* *~ "#"*

Another Fork:

There’s a fork of tcpdstat [4] that has been taken up by a guy named Twitter but hasn’t been worked on since 2002.
This one compiled successfully without the bug discussed above.

$ git clone https://github.com/netik/tcpdstat

Here’s a diff of tcpdstat.h to see what he did to fix the bug.
The first file is Twitter’s edited copy, the second is the original author’s, Dave Dittrich:

$ diff tcpdstat.h ../tcpdstat-uw/tcpdstat.h

67d66
< SCRIBE_TCP,
71d69
< MYSQL_TCP,
88,91d85
< HTTP_TW_TCP,
< HTTP_TWS_TCP,
< MEMCACHED_TCP,
< KESTREL_TCP,
421c415
< First Commit, fork of Dave Dittrich
---
> extern static int packet_length;

This suggests that you can just comment out the packet_length declaration with “//”:

//aextern static int packet_length;

The a in “//aextern” looks like a typo, it doesn’t have any significance since it’s commented out.

Use:

Very simple:

$ tcpdstat 1348537091.pcap

Don’t print flow statistics:

$ tcpdstat -n 1348537091.pcap

[screenshot: tcpdstat_no-flow]

Print with flow statistics (default):

[screenshot: tcpdstat_flow]

Print statistics for only the first count packets (here, the first 100):

$ tcpdstat -c 100 file.pcap

Example of a 34G capture file:

[screenshot: tcpdstat_big-file]

What’s the difference between http(c) and http(s)?:

http(c) refers to the client side and is defined as packets whose TCP source port is 80 or 443.
http(s) refers to the server side and is defined as packets whose TCP destination port is 80 or 443.

Let’s verify this. Below is the output of tcpdstat on a sample capture file.
Take notice of the number of packets in the http(c) and http(s) lines.

### Protocol Breakdown ###
<<<<
protocol packets bytes bytes/pkt
------------------------------------------------------------------------
[0] total 5902 (100.00%) 4993414 (100.00%) 846.05
[1] ip 5902 (100.00%) 4993414 (100.00%) 846.05
[2] tcp 5902 (100.00%) 4993414 (100.00%) 846.05
[3] ftp 22 ( 0.37%) 2595 ( 0.05%) 117.95
[3] smtp 894 ( 15.15%) 148980 ( 2.98%) 166.64
[3] http(s) 253 ( 4.29%) 291052 ( 5.83%) 1150.40
[3] http(c) 118 ( 2.00%) 13329 ( 0.27%) 112.96
[3] other 4615 ( 78.19%) 4537458 ( 90.87%) 983.20
>>>>
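The table above is the kind of output a baseline comparison would consume. As an added example (not from the sickbits.net post and not part of tcpdstat), the following Python parses that protocol-breakdown table, sanity-checks it (leaf rows must sum to the tcp row and the bytes/pkt column must agree with bytes divided by packets), and flags protocols whose packet share has drifted from a baseline by more than a threshold. SAMPLE_OUTPUT is the table shown above; BASELINE_PKT_PCT and the 5-point threshold are constructed values for illustration.

```python
"""Parse tcpdstat's protocol-breakdown table and compare it to a baseline.

Added example, not from the sickbits.net post or from tcpdstat itself.
SAMPLE_OUTPUT is the table shown on the page; BASELINE_PKT_PCT is a
constructed baseline of expected packet shares used for illustration.
"""
import re

# One data row, e.g. "[3] http(s) 253 ( 4.29%) 291052 ( 5.83%) 1150.40"
ROW_RE = re.compile(
    r"^\[(\d+)\]\s+(\S+)\s+(\d+)\s+\(\s*([\d.]+)%\)\s+(\d+)\s+\(\s*([\d.]+)%\)\s+([\d.]+)$"
)

SAMPLE_OUTPUT = """\
### Protocol Breakdown ###
<<<<
protocol packets bytes bytes/pkt
------------------------------------------------------------------------
[0] total 5902 (100.00%) 4993414 (100.00%) 846.05
[1] ip 5902 (100.00%) 4993414 (100.00%) 846.05
[2] tcp 5902 (100.00%) 4993414 (100.00%) 846.05
[3] ftp 22 ( 0.37%) 2595 ( 0.05%) 117.95
[3] smtp 894 ( 15.15%) 148980 ( 2.98%) 166.64
[3] http(s) 253 ( 4.29%) 291052 ( 5.83%) 1150.40
[3] http(c) 118 ( 2.00%) 13329 ( 0.27%) 112.96
[3] other 4615 ( 78.19%) 4537458 ( 90.87%) 983.20
>>>>
"""

# Constructed baseline: expected packet share (%) per leaf protocol.
BASELINE_PKT_PCT = {"ftp": 0.5, "smtp": 3.0, "http(s)": 5.0, "http(c)": 2.5, "other": 89.0}


def parse_breakdown(text):
    """Return {protocol: fields} for every '[n] name ...' row in the table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        level, name, pkts, pkt_pct, nbytes, byte_pct, bpp = m.groups()
        rows[name] = {
            "level": int(level),
            "packets": int(pkts),
            "pkt_pct": float(pkt_pct),
            "bytes": int(nbytes),
            "byte_pct": float(byte_pct),
            "bytes_per_pkt": float(bpp),
        }
    return rows


def check_consistency(rows):
    """Return a list of problems found in the parsed table (empty when it is consistent).

    Leaf rows (level 3) must sum to the tcp row, and each row's bytes/pkt column
    must equal bytes divided by packets to two decimal places.
    """
    problems = []
    leaves = [r for r in rows.values() if r["level"] == 3]
    tcp = rows.get("tcp")
    if tcp is not None:
        if sum(r["packets"] for r in leaves) != tcp["packets"]:
            problems.append("leaf packet counts do not sum to the tcp row")
        if sum(r["bytes"] for r in leaves) != tcp["bytes"]:
            problems.append("leaf byte counts do not sum to the tcp row")
    for name, r in rows.items():
        if r["packets"] and abs(r["bytes"] / r["packets"] - r["bytes_per_pkt"]) > 0.006:
            problems.append(f"{name}: bytes/pkt column does not match bytes/packets")
    return problems


def deviations(rows, baseline, threshold_pts=5.0):
    """Return [(protocol, observed_pct, baseline_pct, delta)] for protocols whose
    packet share moved more than threshold_pts percentage points from the baseline,
    largest deviation first. A protocol missing from the table counts as 0%."""
    flagged = []
    for name, expected in baseline.items():
        observed = rows[name]["pkt_pct"] if name in rows else 0.0
        delta = round(observed - expected, 2)
        if abs(delta) > threshold_pts:
            flagged.append((name, observed, expected, delta))
    return sorted(flagged, key=lambda t: -abs(t[3]))


if __name__ == "__main__":
    parsed = parse_breakdown(SAMPLE_OUTPUT)
    print("problems:", check_consistency(parsed))
    for name, observed, expected, delta in deviations(parsed, BASELINE_PKT_PCT):
        print(f"{name}: {observed:.2f}% vs baseline {expected:.2f}% ({delta:+.2f} pts)")
```

Against the constructed baseline, smtp (+12.15 points) and other (-10.81 points) are flagged while ftp and both http lines stay within the threshold; in practice the baseline would be built from several captures of known-good traffic rather than typed in.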

If we create BPF filters with tcpdump based on the definitions I exposited above and
count the number of matching packets we will find that they’re the same numbers reported
by tcpdstat.

$ tcpdump -nnr faf-exercise.pcap 'tcp and src port (80 or 443)' | wc -l
     253
$ tcpdump -nnr faf-exercise.pcap 'tcp and dst port (80 or 443)' | wc -l
     118
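The same two counts can be reproduced without tcpdump by walking the pcap records directly. The following Python is an added example (not from the sickbits.net post, tcpdump or tcpdstat): it builds a small, constructed Ethernet/IPv4/TCP capture in memory and counts packets whose TCP source port is 80 or 443 and packets whose TCP destination port is 80 or 443, which are exactly the two BPF filters used above. On the page's sample capture the source-port count (253) matched the http(s) line and the destination-port count (118) matched the http(c) line; the packet contents, addresses and port numbers here are constructed, and only little-endian classic pcap with Ethernet framing is handled.

```python
"""Count packets by TCP source/destination port 80 or 443, as tcpdump did above.

Added example, not from the sickbits.net post, tcpdump or tcpdstat. The capture
is constructed in memory; only little-endian classic pcap (magic 0xa1b2c3d4)
with Ethernet (linktype 1) frames is parsed.
"""
import struct

HTTP_PORTS = {80, 443}


def _tcp_frame(src_port, dst_port, payload_len):
    """Build a constructed Ethernet/IPv4/TCP frame with a dummy payload."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap: 24-byte global header, then records."""
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        records += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return header + records


def iter_frames(pcap_bytes):
    """Yield raw link-layer frames from a little-endian classic pcap byte string."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xa1b2c3d4:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack("<I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("expected Ethernet link type (1)")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def tcp_ports(frame):
    """Return (src_port, dst_port) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field at Ethernet(14) + 9
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack("!HH", frame[tcp_off:tcp_off + 4])


def http_breakdown(pcap_bytes):
    """Count TCP packets matching 'src port (80 or 443)' and 'dst port (80 or 443)'."""
    counts = {"src_port_http": 0, "dst_port_http": 0, "tcp": 0}
    for frame in iter_frames(pcap_bytes):
        ports = tcp_ports(frame)
        if ports is None:
            continue
        counts["tcp"] += 1
        sport, dport = ports
        if sport in HTTP_PORTS:
            counts["src_port_http"] += 1
        if dport in HTTP_PORTS:
            counts["dst_port_http"] += 1
    return counts


# Constructed sample: two web conversations plus one smtp packet.
SAMPLE_PCAP = build_pcap([
    _tcp_frame(51000, 80, 0),      # client -> server (dst port 80)
    _tcp_frame(80, 51000, 1200),   # server -> client (src port 80)
    _tcp_frame(80, 51000, 1200),
    _tcp_frame(51001, 443, 0),
    _tcp_frame(443, 51001, 900),
    _tcp_frame(51002, 25, 0),      # smtp: matches neither http filter
])

if __name__ == "__main__":
    print(http_breakdown(SAMPLE_PCAP))
```

Replace SAMPLE_PCAP with the bytes of a real file to compare the two counts against the http(s) and http(c) lines of tcpdstat's breakdown for that capture; a packet with both ports in the set (rare, but possible) is counted on both lines, which is also how the two tcpdump filters behave.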

References:

[1] http://www.sonycsl.co.jp/~kjc/papers/freenix2000/node14.html
[2] http://staff.washington.edu/dittrich/talks/core02/tools/tools.html
[3] http://staff.washington.edu/dittrich/talks/core02/tools/tcpdstat-uw.tar
[4] https://github.com/netik/tcpdstat
