how to calculate packet loss from a binary TCPDUMP file

You can measure packet retransmits from the client to the server by counting the number of duplicate sequence numbers.

Packet retransmits from the server to the client can be measured by counting duplicate Ack numbers.

Note that a retransmit is triggered by more than just total loss (= timeout); if the remote machine rejects the packet, or the packet is corrupted, the local machine must also retransmit.

via networking – how to calculate packet loss from a binary TCPDUMP file – Server Fault.

I needed a way to measure this on a wifi network where packet loss can be very high and bursty. This answer seems relatively simple to implement — just store off ACK sequence numbers into an array of limited size and count how many times every new ACK matches in that array. By monitoring this count I can determine where and when certain areas are getting bad and perhaps alert or alarm based upon a certain threshold.
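The bounded-history counting described above, as an added example (not code from the Server Fault answer or from this blog): it reads a classic pcap and, per flow, counts data segments that repeat a recent sequence number and pure ACKs that repeat a recent acknowledgement number. Assumptions: a little-endian Ethernet pcap carrying IPv4, hypothetical function names and a 64-entry window, and comparing only zero-payload ACKs, since data segments in a one-way transfer repeat the same ACK number without any loss.

```python
import struct
from collections import deque

def tcp_segments(pcap):
    """Yield (flow, seq, ack, payload_len, has_ack) per IPv4/TCP frame in a classic
    little-endian pcap; Ethernet link type is assumed, not checked."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl + 20:
            continue                                # TCP header cut off by snaplen
        total_len = struct.unpack_from("!H", frame, 16)[0]  # IP length ignores Ethernet padding
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
        payload_len = total_len - ihl - (off_flags >> 12) * 4
        yield (frame[26:30], sport, frame[30:34], dport), seq, ack, payload_len, bool(off_flags & 0x10)

def count_retransmit_signals(pcap, window=64):
    """Return {flow: [duplicate_seq, duplicate_ack]} using a bounded per-flow history."""
    seqs, acks, counts = {}, {}, {}
    for flow, seq, ack, payload_len, has_ack in tcp_segments(pcap):
        if payload_len > 0:                         # data segment: compare sequence numbers
            history, value, slot = seqs.setdefault(flow, deque(maxlen=window)), seq, 0
        elif has_ack:                               # pure ACK: compare acknowledgement numbers
            history, value, slot = acks.setdefault(flow, deque(maxlen=window)), ack, 1
        else:
            continue
        if value in history:
            counts.setdefault(flow, [0, 0])[slot] += 1
        history.append(value)
    return counts

def sample_pcap():
    """Constructed capture: 10.0.0.1:40000 resends seq 1100; 10.0.0.2:80 repeats ACK 1100."""
    def rec(src, sport, dst, dport, seq, ack, data=b""):
        ip = struct.pack("!BBHHHBBH4B4B", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, *src, *dst)
        tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, 0x5010, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp + data
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    c, s, d = (10, 0, 0, 1), (10, 0, 0, 2), b"x" * 100
    recs = [rec(c, 40000, s, 80, q, 1, d) for q in (1000, 1100, 1200, 1300, 1100)]
    recs += [rec(s, 80, c, 40000, 1, a) for a in (1100, 1100, 1100, 1100, 1400)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)
```

The window size bounds memory but also hides retransmits that arrive more than `window` segments after the original, so size it to the burst length you expect on the link.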

hype-free: Parsing pcap files with Perl

Recently I was reading the blogpost on the BreakingPoint labs blog about parsing pcap files with Perl and I immediately said to myself: it is impossible that there isn’t a module on CPAN, because Perl is great. Turns out I was right, there is Net::TcpDumpLog which can be combined with the NetPacket family of modules to parse the higher level protocols. Because example code is rather sparse on the POD pages of the respective modules, here is a small example to illustrate their use:

via hype-free: Parsing pcap files with Perl.

TCPDUMP question

It seems to work as expected for me, but I did notice one thing. When I first tried to run the program as root, it failed to create the first file with a permission error. It turns out that tcpdump changes uid/gid internally to the user/group tcpdump. Since that user/group did not have write access to the directory, it failed. Once I created a subdir and gave tcpdump ownership of the subdir (chown/chgrp), tcpdump performed as expected.

via TCPDUMP question – FedoraForum.org.