06-06-2008
analyzing tcpdump output
Hello, I have a lot of pcap files (tcpdump output) that I want to compare.
Every tcpdump output has two files, server and client.
Quote:
Originally Posted by server
22:22:50.280335 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10492 166400
22:22:50.297068 IP 10.14.15.30.8000 > 192.168.1.4.10728: udp/rtp 160 c8 1045 167200
22:22:50.297086 IP 10.14.15.30.8000 > 192.168.1.4.10728: udp/rtp 160 c8 1046 167360
22:22:50.297100 IP 192.168.1.4.13384 > 10.14.15.28.8000: udp/rtp 160 c8 15129 167040
22:22:50.297116 IP 192.168.1.4.13384 > 10.14.15.28.8000: udp/rtp 160 c8 15130 167200
22:22:50.304720 IP 10.14.15.28.8000 > 192.168.1.4.13384: udp/rtp 160 c8 1042 208800
22:22:50.304742 IP 10.14.15.28.8000 > 192.168.1.4.13384: udp/rtp 160 c8 1043 208960
22:22:50.304750 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10493 166560
22:22:50.304765 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10494 166720
Quote:
Originally Posted by client
22:22:50.473448 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10493 166560
22:22:50.483449 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10494 166720
22:22:50.488877 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1047 167520
22:22:50.503449 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10495 166880
22:22:50.508760 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1048 167680
22:22:50.523450 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10496 167040
22:22:50.528808 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1049 167840
22:22:50.528826 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1050 168000
22:22:50.543451 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10497 167200
What I want to do is:
1. take the timestamp, source address, destination address, and packet id from each file (server and client)
2. find the packets sent from the server that the client received (appear in the client's tcpdump output). Packets from the server that were not received by the client will be removed
3. calculate the delay (client timestamp - server timestamp)
Thanks in advance
PS: pardon my English
---edited---
The final output I'm thinking of is something like:
server time stamp, client time stamp, delay, ip address, packet id
Last edited by slumpia; 06-06-2008 at 02:48 PM..
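A worked implementation of the three steps, added here as an example; it is not the poster's code. It assumes the tcpdump RTP line layout "<time> IP <src> > <dst>: udp/rtp <len> c<pt> <seq> <rtp_ts>" and treats the RTP sequence number (<seq>) as the post's "packet id". The sample lines are the ones quoted in the post. Because the two captures disagree on the sender's address for the same stream (192.168.1.4 on the server side, 10.14.15.29 on the client side, as happens behind NAT), packets are matched on destination plus sequence number rather than on the source address.

```python
"""Match RTP packets between two tcpdump text captures and report per-packet delay."""
import re

# Assumed tcpdump layout: "<time> IP <src> > <dst>: udp/rtp <len> c<pt> <seq> <rtp_ts>".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"udp/rtp \d+ c\d+ (?P<seq>\d+) \d+$"
)

# Sample captures copied from the post.
SERVER_LINES = """\
22:22:50.280335 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10492 166400
22:22:50.297068 IP 10.14.15.30.8000 > 192.168.1.4.10728: udp/rtp 160 c8 1045 167200
22:22:50.297086 IP 10.14.15.30.8000 > 192.168.1.4.10728: udp/rtp 160 c8 1046 167360
22:22:50.297100 IP 192.168.1.4.13384 > 10.14.15.28.8000: udp/rtp 160 c8 15129 167040
22:22:50.297116 IP 192.168.1.4.13384 > 10.14.15.28.8000: udp/rtp 160 c8 15130 167200
22:22:50.304720 IP 10.14.15.28.8000 > 192.168.1.4.13384: udp/rtp 160 c8 1042 208800
22:22:50.304742 IP 10.14.15.28.8000 > 192.168.1.4.13384: udp/rtp 160 c8 1043 208960
22:22:50.304750 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10493 166560
22:22:50.304765 IP 192.168.1.4.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10494 166720
""".splitlines()

CLIENT_LINES = """\
22:22:50.473448 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10493 166560
22:22:50.483449 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10494 166720
22:22:50.488877 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1047 167520
22:22:50.503449 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10495 166880
22:22:50.508760 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1048 167680
22:22:50.523450 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10496 167040
22:22:50.528808 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1049 167840
22:22:50.528826 IP 10.14.15.30.8000 > 10.14.15.29.10728: udp/rtp 160 c8 1050 168000
22:22:50.543451 IP 10.14.15.29.10728 > 10.14.15.30.8000: udp/rtp 160 c8 10497 167200
""".splitlines()


def to_micros(ts):
    """'HH:MM:SS.ffffff' -> integer microseconds since midnight (exact, no float error)."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return (int(h) * 3600 + int(m) * 60 + int(sec)) * 1_000_000 + int(frac)


def parse_lines(lines):
    """Step 1: keep timestamp, source, destination and sequence number; skip non-RTP lines."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m["ts"], "us": to_micros(m["ts"]),
                            "src": m["src"], "dst": m["dst"], "seq": int(m["seq"])})
    return records


def match_delays(server_lines, client_lines, server_host):
    """Steps 2 and 3: for every packet the server host transmitted, find the same
    (destination, sequence) in the client capture and compute client - server time.
    Packets with no client sighting are dropped. Returns tuples
    (server_ts, client_ts, delay_us, dst, seq)."""
    seen = {}
    for r in parse_lines(client_lines):
        seen.setdefault((r["dst"], r["seq"]), r)  # first sighting wins; later ones are dupes
    result = []
    for r in parse_lines(server_lines):
        if not r["src"].startswith(server_host + "."):
            continue  # reply traffic, not something the server sent
        c = seen.get((r["dst"], r["seq"]))
        if c is None:
            continue  # never reached the client capture
        result.append((r["ts"], c["ts"], c["us"] - r["us"], r["dst"], r["seq"]))
    return result


def report(rows):
    """Format as 'server time stamp, client time stamp, delay(s), ip address, packet id'."""
    return ["%s, %s, %.6f, %s, %d" % (s, c, d / 1e6, dst, seq) for s, c, d, dst, seq in rows]


def example():
    """Run the matching over the post's sample captures; 192.168.1.4 is the server host."""
    return match_delays(SERVER_LINES, CLIENT_LINES, "192.168.1.4")


if __name__ == "__main__":
    for line in report(example()):
        print(line)
```

The computed delay is the difference between two hosts' clocks, so it is only meaningful when both capture hosts are time-synchronized (for example via NTP); otherwise the clock offset is folded into every value. RTP sequence numbers are 16-bit and wrap, so for long captures the key should also include the RTP timestamp or be scoped per stream.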
LEARN ABOUT DEBIAN
if_enc
ENC(4) BSD Kernel Interfaces Manual ENC(4)
NAME
enc -- Encapsulating Interface
SYNOPSIS
To compile this driver into the kernel, place the following line in your kernel configuration file:
device enc
DESCRIPTION
The enc interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using any firewall package that hooks in via the pfil(9) framework.
The enc interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by ipsec(4) via tcpdump(1).
The ``enc0'' interface inherits all IPsec traffic. Thus all IPsec traffic can be filtered based on ``enc0'', and all IPsec traffic could be seen by invoking tcpdump(1) on the ``enc0'' interface.
What can be seen with tcpdump(1) and what will be passed on to the firewalls via the pfil(9) framework can be independently controlled using the following sysctl(8) variables:
    Name                            Defaults      Suggested
    net.enc.out.ipsec_bpf_mask      0x00000003    0x00000001
    net.enc.out.ipsec_filter_mask   0x00000001    0x00000001
    net.enc.in.ipsec_bpf_mask       0x00000001    0x00000002
    net.enc.in.ipsec_filter_mask    0x00000001    0x00000002
For the incoming path a value of 0x1 means ``before stripping off the outer header'' and 0x2 means ``after stripping off the outer header''.
For the outgoing path 0x1 means ``with only the inner header'' and 0x2 means ``with outer and inner headers''.
                 incoming path                                |------|
    ---- IPsec processing ---- (before) ---- (after) ---->   |      |
                                                              | Host |
    <--- IPsec processing ---- (after) ----- (before) ----   |      |
                 outgoing path                                |------|
Most people will want to run with the suggested defaults for ipsec_filter_mask and rely on the security policy database for the outer headers.
EXAMPLES
To see the packets processed via ipsec(4), adjust the sysctl(8) variables according to your need and run:
tcpdump -i enc0
SEE ALSO
tcpdump(1), bpf(4), ipf(4), ipfw(4), ipsec(4), pf(4), tcpdump(8)
BSD
November 28, 2007 BSD