Tool: TCP Stream Analysis

TCP/IP stream analysis tool

This tool is part of a series of utilities  meant to illustrate the use of the Unsniff Scripting API and to motivate you to write your own tools.

TCP is arguably the most important protocol in the internet today. Under the hood, TCP features complex algorithms for congestion control. TCP attempts to seek the ideal bandwidth rate dynamically on any given link. It constantly attempts to push the transfer rate higher and periodically pulls back when it encounters errors. Observing the behavior of TCP is quite a revealing experience about rate control and error recovery. We present a utility here that detects retransmissions, out-of-order segments and duplicate acks. It can produce charts that plot the congestion window, advertised window, in-flight data, sequence number analysis and much more.



TCP/IP Analysis

Quick Info

This tool demonstrates the following concepts:

  • Using the Unsniff Scripting API to work with Streams, Packets, and Fields
  • Creating sophisticated user interfaces (tabs, splitters, grids) using the Fox-Ruby toolkit
  • Using the free Ruby charting library UnleashCharts to create bar charts
  • Ruby concepts such as classes and inheritance
  • TCP/IP algorithms for slow start, fast retransmit, and congestion avoidance

This application is written entirely in Ruby using the Unsniff Scripting API. The purpose of this script is to demonstrate the full power of Unsniff Scripting as well as to provide a powerful TCP/IP analysis tool to the community.

TCP analysis tool

The key features of the tool are:

  • 7 powerful TCP analysis charts
  • Full Sequence number analysis
  • Detect retransmissions, duplicate acks, delayed acks, out of order (early and late)
  • Each packet is flagged with appropriate analysis
  • Calculate Estimated RTT if a valid sample is obtained
  • Detect Maximum Segment Size from captured data
  • Analyze In and Out directions separately
  • Handle Sequence Wrapping
  • Calculate the congestion window (cwnd)
  • Chart : Sequence number analysis with specially colored lines marking retransmissions, duplicate acks
  • Chart : Traffic / RTT, this chart plots the traffic in each RTT interval
  • Chart : Inflight Data, number of bytes currently on the wire
  • Chart : Bandwidth, Number of bytes transferred per sec for the duration of the session
  • Chart : RTT Estimation, plot all the RTT samples gathered.
  • Chart : Window Sizes : Plot the advertised sender and received windows
  • Chart : Cwnd (Congestion Window), this chart indicates when the TCP was in slow-start and in congestion avoidance mode
This utility is written in the Ruby scripting language, using the Fox-Ruby GUI toolkit, and the free UnleashCharts charting library.

Per packet analysis

TCP/IP analysis is performed for each packet. Packet details along with analysis results are presented in a table. The information shown is:
Packet ID (from the capture file), Time (relative to the initial SYN segment), Direction (Out = same direction as the SYN segment, In = same direction as the SYN+ACK segment), relative SEQ and ACK numbers, Payload bytes, RTT (if the segment yields a valid RTT sample) and the analysis of the segment.

Sequence number analysis

This chart shows how sequence numbers increase over time. Out-of-order packets, duplicate ACKs, and retransmissions are shown as vertical lines in the chart.
  • Retransmissions are shown as red vertical lines
  • Duplicate acks are shown as yellow vertical lines
  • Out-of-order segments are shown as purple vertical lines
  • "Good" segments are marked with a white circle
  • Gaps in the chart indicate periods where no effective data transfer occurs; the two TCPs are busy making up for lost packets
In the chart shown on the right you can observe that there are large periods of time when no good data transfer is occurring. You can also see how the sender tries to climb too fast in the initial phase (slow start) only to be pulled down by a burst of duplicate acks.
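The per-packet labels described above (retransmission, duplicate ack, out of order early/late) can be derived from relative sequence numbers alone. The following Ruby is an added example, not the tool's code and not the Unsniff Scripting API: it classifies the segments of one direction from a constructed sample whose ISN sits near the top of the 32-bit space so that sequence wrapping is exercised. "Early" here means a segment arrived ahead of a gap; "late" means a segment that fills a gap; a retransmission covers data already received contiguously.

```ruby
Segment = Struct.new(:id, :seq, :ack, :payload)
MOD32 = 2**32
# Relative sequence number: offset from the ISN modulo 2^32, so a wrapped
# sequence space still yields increasing offsets.
def rel_seq(seq, isn)
  (seq - isn) % MOD32
end
# Classify segments of one direction. isn: that direction's initial
# sequence number (from its SYN). Returns [[packet_id, relative_seq, label], ...].
def analyze(segments, isn)
  expected = 1        # the SYN consumed sequence number 0
  early    = []       # [start, end) ranges that arrived ahead of a gap
  last_ack = nil
  segments.map do |s|
    rseq = rel_seq(s.seq, isn)
    label =
      if s.payload.zero?
        dup = (last_ack == s.ack)   # pure ACK repeating the previous ACK value
        last_ack = s.ack
        dup ? "dup ack" : "ack"
      elsif rseq < expected
        "retransmission"            # covers data already received contiguously
      elsif rseq > expected
        early << [rseq, rseq + s.payload]
        "out of order (early)"      # arrived before the data that precedes it
      else
        fills_gap = !early.empty?
        expected = rseq + s.payload
        loop do   # absorb early ranges that are now contiguous
          nxt = early.find { |a, _| a <= expected }
          break unless nxt
          expected = [expected, nxt[1]].max
          early.delete(nxt)
        end
        fills_gap ? "out of order (late)" : "ok"
      end
    [s.id, rseq, label]
  end
end
# Constructed sample; ISN near the top of the space so the raw offsets wrap.
ISN = 2**32 - 1000
SEQ = ->(off) { (ISN + off) % MOD32 }
SAMPLE = [Segment.new(1, SEQ[1], 0, 1460),    Segment.new(2, SEQ[1461], 0, 1460),
          Segment.new(3, SEQ[4381], 0, 1460), Segment.new(4, SEQ[2921], 0, 1460),
          Segment.new(5, SEQ[1461], 0, 1460), Segment.new(6, SEQ[5841], 5000, 0),
          Segment.new(7, SEQ[5841], 5000, 0)]
def sample_labels
  analyze(SAMPLE, ISN).map { |_, _, l| l }
end
```

Segment 3 jumps past segment 4, so 3 is flagged early and 4 late; segment 5 repeats segment 2 and is a retransmission; segment 7 repeats the ACK value of segment 6 and is a duplicate ack.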

Congestion Window analysis


In addition to the receive window, each TCP also maintains a window called the Congestion Window or cwnd. The value of cwnd is responsible for throttling the sender.
This tool estimates the value of cwnd based on observed packets (duplicate acks) and plots the value of cwnd against time.

The slope of the congestion window indicates the rate at which data is being transmitted.
In the slow start phase cwnd increases exponentially; in congestion avoidance cwnd increases linearly, subject to a maximum of 2*mss per round trip time.

In the chart shown here, you can see that cwnd increases exponentially in the beginning but is later cut down to a steady state due to congestion in the network.

Note:  This chart makes several assumptions about the behavior of the sender TCP which may not be valid with all TCP implementations.

Sender and Receiver Window

This chart plots the advertised sender and receiver window sizes.
  • Blue : Window size advertised by server 
  • Yellow : Window size advertised by client (sender of initial SYN packet)

Other Charts

In addition to the above charts you can also access these charts:

Chart Name | Data | Purpose
Traffic / RTT | Traffic (bps) per round trip time interval | This chart shows the net traffic bandwidth (kbps) per round trip time interval. You can use this to study the throttling behavior of the TCP congestion control algorithms.
Inflight Data | Bytes per second | How many bytes of data are in flight over the course of the TCP session? This computes the number of bytes sent by a TCP for which acknowledgements have not been received.
Bandwidth | Bits (kbps, Mbps) per second | Shows the bandwidth used over the course of the TCP session.
RTT samples | milliseconds | Round Trip Time is computed from the initial 3-way handshake. Over the course of a TCP session, RTT can be estimated using acknowledgements received. Delayed acks must not be included in the RTT estimation. This chart plots the valid RTT samples over the course of a TCP session.


Download

How to run?

  • Download the script (anastm.rb) to a folder
  • Download the UnleashCharts charting library, if required, to the same folder
  • Execute the script (see below)

Usage:

anastm <capture-file-name> <stream_no> <In | Out>

capture-file-name : Capture file in Unsniff (*.usnf) format
stream_no : Number of the TCP/IP stream you wish to analyze
In/Out : Direction you want to analyze

Example:

c:\RubyTest> anastm  SampleCapture12.usnf 32 In