NAME
     yconalyzer - A program to analyze TCP traffic on a server or client port.

SYNOPSIS
     yconalyzer -p port [ -i interface ] [ -t seconds ] [ expression ]

     yconalyzer -p port [ -i interface ] [ -w file ] [ -t seconds ] [ expression ]

     yconalyzer -p port [ -dRTP ] [ -i interface ] [ -t seconds ] [ -r file ] [ -n nbuckets ]
                [ -s bucket_size ] [ -X nbytes ] [ -x nbytes ] [ -Y nbytes ] [ -y nbytes ]
                [ -c num_attempts ] [ -I datespec ] [ -P | -C | -S ] [ -D bucket_id ] [ expression ]

DESCRIPTION
     Yconalyzer selects the packets on a network interface that match the boolean expression
     and prints out statistics about the TCP connections.

     When run with the -w flag (recommended mode), it saves the packet data to a file for later
     analysis. When run with the -r flag, it reads packets from a saved packet file rather than
     from a network interface, and then prints out statistics. In all cases, only packets that
     match yconalyzer's internal filter as well as the expression will be processed by
     yconalyzer. The internal filter processes only those TCP packets that have the source or
     destination port matching port, and have one of the SYN, FIN, or RST flags set in the TCP
     header.

     The same permission restrictions apply as they do for tcpdump. As with tcpdump, you must
     have super-user permissions in order to invoke yconalyzer without the -r option. All files
     captured by tcpdump are readable by yconalyzer and vice versa (as long as file permissions
     are set correctly).

     Yconalyzer will stop capturing packets if it is interrupted by a SIGINT signal (generated,
     for example, by typing your interrupt character, typically control-C) or a SIGTERM signal
     (typically generated with the kill(1) command).

     When yconalyzer finishes capturing packets (or reading from a captured file), it will
     report statistics regarding the connections observed. The report is in two parts. The
     first part has overall aggregated statistics, and information about lost connections, etc.
     The second part is a table in which the observed connections are placed in buckets
     according to the duration of the connection. A bucket is defined by the minimum and
     maximum duration of a connection (or, if the -P option is chosen, by the minimum and
     maximum throughput of a connection).
     For each bucket, the following statistics are reported:

     -  The number of connections in the bucket, and the percentage of the total number of
        connections observed.

     -  The average number of bytes sent from the clients for the connections in the bucket.

     -  The average number of bytes sent from the server for the connections in the bucket.

     -  The average estimated Round Trip Time of the connections in the bucket (if the -T
        option is specified). See the section on RTT ESTIMATION.

     For a sample output, see the section on SAMPLE OUTPUT.

     While running in capture mode (i.e. without the -r option), yconalyzer will also report
     the number of packets captured and dropped, like tcpdump(1) does. The same notes as in
     tcpdump apply for these numbers. It is useful to monitor the number of packets dropped
     after yconalyzer runs. It should normally be zero, even if yconalyzer is run for an
     extended period of time (tens of minutes, or even hours). If it is non-zero, it could be
     an indication (but not necessarily so) that running yconalyzer has skewed the performance
     of the system.

OPTIONS
     expression
             Selects which packets will be processed. If no expression is given, all packets
             selected by yconalyzer's internal filter will be processed. Note that the
             expression is applied in addition to the filter that yconalyzer already uses. The
             internal filter specifies the TCP port and processes only those packets that have
             the SYN, FIN, or RST flags set in the TCP header. See tcpdump(1).
EXAMPLES
     To capture all relevant packets on port 80 for 10 minutes and save the packets in file
     http.1 for later analysis:

           yconalyzer -p 80 -w http.1 -t 600

     To print out the processed data from the above file:

           yconalyzer -p 80 -r http.1

     To change the bucket size to 2 seconds (instead of the default of 20 msec) and divide into
     5 buckets (instead of the default of 20):

           yconalyzer -p 80 -r http.1 -s2000 -n5

     To process only those connections in which the client sends less than 4k bytes:

           yconalyzer -p 80 -r http.1 -s2000 -n5 -y4096

     To process only those connections in which the server sends more than 64k of data:

           yconalyzer -p 80 -r http.1 -s2000 -n5 -X64000

     To filter out only those connections from host 23.34.45.56:

           yconalyzer -p 80 -r http.1 -s2000 -n5 host 23.34.45.56

     To monitor only outgoing connections from an HTTP proxy (in which both incoming and
     outgoing connections are on port 80) for 3 minutes:

           yconalyzer -p 80 -w proxy-out.1 -t180 '(src host proxy.domain.com and dst port 80) or (dst host proxy.domain.com and src port 80)'

     To monitor only incoming connections to an HTTP proxy (in which both incoming and outgoing
     connections are on port 80) for 3 minutes:

           yconalyzer -p 80 -w proxy-out.1 -t180 '(dst port 80 and dst host proxy.domain.com) or (src port 80 and src host proxy.domain.com)'

     To have yconalyzer estimate the RTT to the clients:

           yconalyzer -p 80 -r http.1 -s2000 -n5 -T

     To print details about connections that took between 500 and 600 msecs:

           yconalyzer -p 80 -r http.1 -s100 -D500

     To get the percentage of connections that had a response time of 400 msecs:

           yconalyzer -p 80 -r http.1 -n1 -s400

SAMPLE OUTPUT
     yconalyzer -p 80 -r http.1 -T

     Results of monitoring port 80 for 599.930000 seconds
     Start time: Thu Jan 4 10:35:55 2007
     End time: Thu Jan 4 10:45:55 2007
     Total Connections (terminated by FIN): 6291
     Avg Client Data: 3025 bytes
     Avg Server Data: 23066 bytes
     Avg conn time: 865 msecs
     Avg Round Trip Time: 152 msecs
     Total number of SYNs: 6382 (duplicates: 88)
     Connections terminated by RESET: 37
     Number of SYNs taken to establish connections: 6319
     Avg no. of SYNs to establish a connection: 1.00
     Number of unique connections that never completed: 0
     Number of SYNs from incomplete connections: 0
     Number of established connections in progress: 33 (12 may have been discarded)
     Number of connections in closing state: 7
     Distribution of SYNs to establsh connections (nSYNs:nConns):
     1:6283,2:2,3:1,4:1,5:2,7:1,8:1,

     Duration     NumConns        AvClient  AvServer  EstRtt   AvThruput
     (msecs)                      (bytes)   (bytes)   (msecs)  (KB/s)
       0 -  20      40( 0.64%)        903      7412        3     1613.58
      20 -  40     109( 1.73%)        628      2257       30       89.67
      40 -  60     181( 2.88%)       1350      3671       60      101.32
      60 -  80     324( 5.15%)       1507      1273       66       39.25
      80 - 100     279( 4.43%)       1352      4460       77       62.40
     100 - 120     196( 3.12%)       1504      2856       93       38.85
     120 - 140     183( 2.91%)       1528     10695       76       91.69
     140 - 160     172( 2.73%)       1515      6077       84       49.94
     160 - 180     155( 2.46%)       2407      5362       90       44.55
     180 - 200     208( 3.31%)       1316      9759      104       58.02
     200 - 220     162( 2.58%)       1672     14240      124       75.02
     220 - 240     155( 2.46%)       4169     11908      136       69.50
     240 - 260     157( 2.50%)       2592     18188      140       82.02
     260 - 280     131( 2.08%)       2249     16619      142       69.07
     280 - 300     137( 2.18%)       6110     11858      143       61.67
     300 - 320     131( 2.08%)       1748     14579      130       52.05
     320 - 340     124( 1.97%)       1783     17429      147       57.65
     340 - 360     136( 2.16%)       1910     16969      164       53.03
     360 - 380     139( 2.21%)       3945     20649      157       65.37
     380 - 400     116( 1.84%)       1896     17909      156       50.16
     400+         3056(48.58%)       4057     37201      203       47.08

RTT ESTIMATION
     If we make the assumption that the server side closes the connection first, and the
     client side closes the connection when it is done receiving all data, then the RTT can be
     estimated on the server as the difference between the time the server's FIN is sent and
     the time the client's FIN is received.

SEE ALSO
     tcpdump(1)

BUGS
     When a machine has very low or no traffic on the port being monitored, it is possible
     that yconalyzer does not respond to ^C.

     yconalyzer prints a negative value for time when there is no traffic on the machine on
     which it is run.
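The internal filter and duration bucketing described in DESCRIPTION, and the FIN-based rule in RTT ESTIMATION, worked through over a constructed packet trace. This is an added example, not yconalyzer's source code; every name in it (Packet, Conn, track, bucket_table, the addresses and sequence numbers) is made up here. The page does not say how yconalyzer derives byte counts or throughput from SYN/FIN/RST packets alone, so the example assumes that each direction's byte count is the sequence-number distance between that side's SYN and FIN, that a connection's duration runs from its first SYN to the later of the two FINs, and that throughput is bytes in both directions over that duration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits

@dataclass
class Packet:
    ts_ms: int; src: str; sport: int; dst: str; dport: int   # capture time in ms, endpoints
    flags: int; seq: int                                      # TCP flags and sequence number

@dataclass
class Conn:
    first_syn_ms: Optional[int] = None
    nsyns: int = 0                       # client SYNs seen, retransmissions included
    client_isn: Optional[int] = None
    server_isn: Optional[int] = None
    client_fin: Optional[Packet] = None
    server_fin: Optional[Packet] = None
    reset: bool = False

    def complete(self) -> bool:          # "terminated by FIN" in the sample output
        return (self.first_syn_ms is not None and self.client_fin is not None
                and self.server_fin is not None and not self.reset)

def internal_filter(p: Packet, port: int) -> bool:
    """The rule the page gives for the internal filter: the monitored port is source
    or destination, and at least one of SYN, FIN, RST is set."""
    return (p.sport == port or p.dport == port) and bool(p.flags & (SYN | FIN | RST))

def track(packets: List[Packet], port: int) -> Dict[Tuple[str, int], Conn]:
    """Group filtered packets into connections keyed by the client endpoint."""
    conns: Dict[Tuple[str, int], Conn] = {}
    for p in packets:
        if not internal_filter(p, port):
            continue
        from_client = p.dport == port    # the client is the side sending *to* the port
        key = (p.src, p.sport) if from_client else (p.dst, p.dport)
        c = conns.setdefault(key, Conn())
        if p.flags & RST:
            c.reset = True
        if p.flags & SYN and from_client:
            c.nsyns += 1
            if c.first_syn_ms is None:
                c.first_syn_ms, c.client_isn = p.ts_ms, p.seq
        elif p.flags & SYN and c.server_isn is None:   # SYN/ACK carries the server's ISN
            c.server_isn = p.seq
        if p.flags & FIN:
            if from_client:
                c.client_fin = p
            else:
                c.server_fin = p
    return conns

def duration_ms(c: Conn) -> int:
    # Assumption: a connection lasts from its first SYN to the later of the two FINs.
    return max(c.client_fin.ts_ms, c.server_fin.ts_ms) - c.first_syn_ms

def rtt_ms(c: Conn) -> int:
    # RTT ESTIMATION as stated on the page: client FIN received minus server FIN sent.
    return c.client_fin.ts_ms - c.server_fin.ts_ms

def bytes_sent(c: Conn) -> Tuple[int, int]:
    # Assumption: with only SYN/FIN segments captured, each direction's payload size is
    # recovered from sequence numbers (FIN seq minus ISN minus the one number SYN consumes).
    return c.client_fin.seq - c.client_isn - 1, c.server_fin.seq - c.server_isn - 1

def bucket_table(conns: Dict[Tuple[str, int], Conn], nbuckets: int = 20, bucket_size: int = 20):
    """nbuckets duration buckets of bucket_size msecs plus an open-ended last row, the
    layout of the page's sample output (-n and -s); row i is what -D i would detail."""
    done = [c for c in conns.values() if c.complete()]
    groups: List[List[Conn]] = [[] for _ in range(nbuckets + 1)]
    for c in done:
        groups[min(duration_ms(c) // bucket_size, nbuckets)].append(c)
    rows = []
    for i, g in enumerate(groups):
        lo = i * bucket_size
        row = {"bucket": f"{lo}+" if i == nbuckets else f"{lo} - {lo + bucket_size}", "n": len(g),
               "pct": 0.0, "av_client": 0, "av_server": 0, "est_rtt": 0, "av_thruput_kbs": 0.0}
        if g:
            sizes = [bytes_sent(c) for c in g]
            # Assumption: a connection's throughput is bytes in both directions over its duration.
            thr = [(a + b) / (duration_ms(c) / 1000) / 1024 for c, (a, b) in zip(g, sizes)]
            row.update(pct=100.0 * len(g) / len(done), av_client=sum(a for a, _ in sizes) // len(g),
                       av_server=sum(b for _, b in sizes) // len(g),
                       est_rtt=sum(rtt_ms(c) for c in g) // len(g), av_thruput_kbs=sum(thr) / len(g))
        rows.append(row)
    return rows

# Constructed trace: four connections to 192.0.2.10:80 plus two packets the filter drops.
SERVER, PORT = "192.0.2.10", 80
def _c(ts, host, cport, flags, seq): return Packet(ts, host, cport, SERVER, PORT, flags, seq)
def _s(ts, host, cport, flags, seq): return Packet(ts, SERVER, PORT, host, cport, flags, seq)

TRACE = [
    _c(0, "10.0.0.5", 40001, SYN, 1000), _s(50, "10.0.0.5", 40001, SYN | ACK, 5000),
    _c(60, "10.0.0.5", 40001, ACK, 1001),                       # pure ACK: ignored by the filter
    _s(300, "10.0.0.5", 40001, FIN | ACK, 13001), _c(350, "10.0.0.5", 40001, FIN | ACK, 1501),
    _c(1000, "10.0.0.6", 40002, SYN, 2000), _s(1020, "10.0.0.6", 40002, SYN | ACK, 7000),
    _s(1080, "10.0.0.6", 40002, FIN | ACK, 8201), _c(1100, "10.0.0.6", 40002, FIN | ACK, 2301),
    _c(2000, "10.0.0.7", 40003, SYN, 3000), _s(2100, "10.0.0.7", 40003, RST | ACK, 0),  # reset
    _c(3000, "10.0.0.8", 40004, SYN, 4000), _c(3500, "10.0.0.8", 40004, SYN, 4000),     # SYN retransmit
    _s(3520, "10.0.0.8", 40004, SYN | ACK, 9000),
    _s(3600, "10.0.0.8", 40004, FIN | ACK, 9101), _c(3620, "10.0.0.8", 40004, FIN | ACK, 4051),
    Packet(4000, "10.0.0.9", 40005, SERVER, 443, SYN, 1),      # other port: ignored by the filter
]

if __name__ == "__main__":
    for r in bucket_table(track(TRACE, PORT), nbuckets=5, bucket_size=100):
        print(f"{r['bucket']:>10} {r['n']:4d} ({r['pct']:5.2f}%) {r['av_client']:6d} "
              f"{r['av_server']:6d} {r['est_rtt']:5d} {r['av_thruput_kbs']:8.2f}")
```

Run as a script it prints a duration table in the layout of the sample output for the equivalent of -n5 -s100: the first connection lands in the "300 - 400" row with an estimated RTT of 50 msecs, the connection ended by RST and the pure ACK segment are left out of the table, the unrelated port 443 SYN never reaches the tracker, and the retransmitted SYN is counted twice in nsyns, which is what the "duplicates" figure on the summary's "Total number of SYNs" line reflects.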