2015-01-06 19:03:11 +00:00
|
|
|
# tcpdump
|
1996-08-19 20:34:12 +00:00
|
|
|
|
2015-01-06 19:03:11 +00:00
|
|
|
[![Build
|
|
|
|
Status](https://travis-ci.org/the-tcpdump-group/tcpdump.png)](https://travis-ci.org/the-tcpdump-group/tcpdump)
|
|
|
|
|
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00
|
|
|
To report a security issue please send an e-mail to security@tcpdump.org.
|
2001-04-03 07:45:48 +00:00
|
|
|
|
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00
|
|
|
To report bugs and other problems, contribute patches, request a
|
|
|
|
feature, provide generic feedback etc please see the file
|
|
|
|
CONTRIBUTING in the tcpdump source tree root.
|
2015-01-06 19:03:11 +00:00
|
|
|
|
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00
|
|
|
TCPDUMP 4.x.y
|
|
|
|
Now maintained by "The Tcpdump Group"
|
|
|
|
See www.tcpdump.org
|
2001-04-03 07:45:48 +00:00
|
|
|
|
2010-10-28 16:23:25 +00:00
|
|
|
Anonymous Git is available via:
|
2001-04-03 07:45:48 +00:00
|
|
|
|
2015-01-06 19:03:11 +00:00
|
|
|
git clone git://bpf.tcpdump.org/tcpdump
|
2001-04-03 07:45:48 +00:00
|
|
|
|
Update tcpdump to 4.9.2
It contains many fixes, including bounds checking, buffer overflows (in
SLIP and bittok2str_internal), buffer over-reads, and infinite loops.
One other notable change:
Do not use getprotobynumber() for protocol name resolution.
Do not do any protocol name resolution if -n is specified.
Submitted by: gordon
Reviewed by: delphij, emaste, glebius
MFC after: 1 week
Relnotes: Yes
Security: CVE-2017-11108, CVE-2017-11541, CVE-2017-11542
Security: CVE-2017-11543, CVE-2017-12893, CVE-2017-12894
Security: CVE-2017-12895, CVE-2017-12896, CVE-2017-12897
Security: CVE-2017-12898, CVE-2017-12899, CVE-2017-12900
Security: CVE-2017-12901, CVE-2017-12902, CVE-2017-12985
Security: CVE-2017-12986, CVE-2017-12987, CVE-2017-12988
Security: CVE-2017-12989, CVE-2017-12990, CVE-2017-12991
Security: CVE-2017-12992, CVE-2017-12993, CVE-2017-12994
Security: CVE-2017-12995, CVE-2017-12996, CVE-2017-12997
Security: CVE-2017-12998, CVE-2017-12999, CVE-2017-13000
Security: CVE-2017-13001, CVE-2017-13002, CVE-2017-13003
Security: CVE-2017-13004, CVE-2017-13005, CVE-2017-13006
Security: CVE-2017-13007, CVE-2017-13008, CVE-2017-13009
Security: CVE-2017-13010, CVE-2017-13011, CVE-2017-13012
Security: CVE-2017-13013, CVE-2017-13014, CVE-2017-13015
Security: CVE-2017-13016, CVE-2017-13017, CVE-2017-13018
Security: CVE-2017-13019, CVE-2017-13020, CVE-2017-13021
Security: CVE-2017-13022, CVE-2017-13023, CVE-2017-13024
Security: CVE-2017-13025, CVE-2017-13026, CVE-2017-13027
Security: CVE-2017-13028, CVE-2017-13029, CVE-2017-13030
Security: CVE-2017-13031, CVE-2017-13032, CVE-2017-13033
Security: CVE-2017-13034, CVE-2017-13035, CVE-2017-13036
Security: CVE-2017-13037, CVE-2017-13038, CVE-2017-13039
Security: CVE-2017-13040, CVE-2017-13041, CVE-2017-13042
Security: CVE-2017-13043, CVE-2017-13044, CVE-2017-13045
Security: CVE-2017-13046, CVE-2017-13047, CVE-2017-13048
Security: CVE-2017-13049, CVE-2017-13050, CVE-2017-13051
Security: CVE-2017-13052, CVE-2017-13053, CVE-2017-13054
Security: CVE-2017-13055, CVE-2017-13687, CVE-2017-13688
Security: CVE-2017-13689, CVE-2017-13690, CVE-2017-13725
Differential Revision: https://reviews.freebsd.org/D12404
2017-12-06 02:21:11 +00:00
|
|
|
formerly from Lawrence Berkeley National Laboratory
|
2015-01-06 19:03:11 +00:00
|
|
|
Network Research Group <tcpdump@ee.lbl.gov>
|
|
|
|
ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)
|
1996-08-19 20:34:12 +00:00
|
|
|
|
|
|
|
This directory contains source code for tcpdump, a tool for network
|
2001-04-03 07:45:48 +00:00
|
|
|
monitoring and data acquisition. This software was originally
|
|
|
|
developed by the Network Research Group at the Lawrence Berkeley
|
|
|
|
National Laboratory. The original distribution is available via
|
2015-01-06 19:03:11 +00:00
|
|
|
anonymous ftp to `ftp.ee.lbl.gov`, in `tcpdump.tar.Z`. More recent
|
2001-04-03 07:45:48 +00:00
|
|
|
development is performed at tcpdump.org, http://www.tcpdump.org/
|
1996-08-19 20:34:12 +00:00
|
|
|
|
2001-04-03 07:45:48 +00:00
|
|
|
Tcpdump uses libpcap, a system-independent interface for user-level
|
1996-08-19 20:34:12 +00:00
|
|
|
packet capture. Before building tcpdump, you must first retrieve and
|
2001-04-03 07:45:48 +00:00
|
|
|
build libpcap, also originally from LBL and now being maintained by
|
|
|
|
tcpdump.org; see http://www.tcpdump.org/ .
|
1996-08-19 20:34:12 +00:00
|
|
|
|
|
|
|
Once libpcap is built (either install it or make sure it's in
|
2015-01-06 19:03:11 +00:00
|
|
|
`../libpcap`), you can build tcpdump using the procedure in the `INSTALL.txt`
|
1996-08-19 20:34:12 +00:00
|
|
|
file.
|
|
|
|
|
1998-09-15 19:36:32 +00:00
|
|
|
The program is loosely based on SMI's "etherfind" although none of the
|
|
|
|
etherfind code remains. It was originally written by Van Jacobson as
|
|
|
|
part of an ongoing research project to investigate and improve tcp and
|
|
|
|
internet gateway performance. The parts of the program originally
|
|
|
|
taken from Sun's etherfind were later re-written by Steven McCanne of
|
|
|
|
LBL. To insure that there would be no vestige of proprietary code in
|
|
|
|
tcpdump, Steve wrote these pieces from the specification given by the
|
|
|
|
manual entry, with no access to the source of tcpdump or etherfind.
|
|
|
|
|
|
|
|
Over the past few years, tcpdump has been steadily improved by the
|
|
|
|
excellent contributions from the Internet community (just browse
|
2015-01-06 19:03:11 +00:00
|
|
|
through the `CHANGES` file). We are grateful for all the input.
|
1998-09-15 19:36:32 +00:00
|
|
|
|
|
|
|
Richard Stevens gives an excellent treatment of the Internet protocols
|
2015-01-06 19:03:11 +00:00
|
|
|
in his book *"TCP/IP Illustrated, Volume 1"*. If you want to learn more
|
1998-09-15 19:36:32 +00:00
|
|
|
about tcpdump and how to interpret its output, pick up this book.
|
1996-08-19 20:34:12 +00:00
|
|
|
|
|
|
|
Some tools for viewing and analyzing tcpdump trace files are available
|
|
|
|
from the Internet Traffic Archive:
|
|
|
|
|
2015-01-06 19:03:11 +00:00
|
|
|
* http://www.sigcomm.org/ITA/
|
1998-09-15 19:36:32 +00:00
|
|
|
|
|
|
|
Another tool that tcpdump users might find useful is tcpslice:
|
|
|
|
|
2015-01-06 19:03:11 +00:00
|
|
|
* https://github.com/the-tcpdump-group/tcpslice
|
1998-09-15 19:36:32 +00:00
|
|
|
|
|
|
|
It is a program that can be used to extract portions of tcpdump binary
|
|
|
|
trace files. See the above distribution for further details and
|
|
|
|
documentation.
|
1996-08-19 20:34:12 +00:00
|
|
|
|
2013-05-30 06:46:26 +00:00
|
|
|
Current versions can be found at www.tcpdump.org.
|
2001-04-03 07:45:48 +00:00
|
|
|
|
|
|
|
- The TCPdump team
|
|
|
|
|
|
|
|
original text by: Steve McCanne, Craig Leres, Van Jacobson
|
1996-08-19 20:34:12 +00:00
|
|
|
|
|
|
|
-------------------------------------
|
2015-01-06 19:03:11 +00:00
|
|
|
```
|
1996-08-19 20:34:12 +00:00
|
|
|
This directory also contains some short awk programs intended as
|
|
|
|
examples of ways to reduce tcpdump data when you're tracking
|
|
|
|
particular network problems:
|
|
|
|
|
|
|
|
send-ack.awk
|
|
|
|
Simplifies the tcpdump trace for an ftp (or other unidirectional
|
|
|
|
tcp transfer). Since we assume that one host only sends and
|
|
|
|
the other only acks, all address information is left off and
|
|
|
|
we just note if the packet is a "send" or an "ack".
|
|
|
|
|
|
|
|
There is one output line per line of the original trace.
|
|
|
|
Field 1 is the packet time in decimal seconds, relative
|
|
|
|
to the start of the conversation. Field 2 is delta-time
|
|
|
|
from last packet. Field 3 is packet type/direction.
|
|
|
|
"Send" means data going from sender to receiver, "ack"
|
|
|
|
means an ack going from the receiver to the sender. A
|
|
|
|
preceding "*" indicates that the data is a retransmission.
|
|
|
|
A preceding "-" indicates a hole in the sequence space
|
|
|
|
(i.e., missing packet(s)), a "#" means an odd-size (not max
|
|
|
|
seg size) packet. Field 4 has the packet flags
|
|
|
|
(same format as raw trace). Field 5 is the sequence
|
|
|
|
number (start seq. num for sender, next expected seq number
|
|
|
|
for acks). The number in parens following an ack is
|
|
|
|
the delta-time from the first send of the packet to the
|
|
|
|
ack. A number in parens following a send is the
|
|
|
|
delta-time from the first send of the packet to the
|
|
|
|
current send (on duplicate packets only). Duplicate
|
|
|
|
sends or acks have a number in square brackets showing
|
|
|
|
the number of duplicates so far.
|
|
|
|
|
|
|
|
Here is a short sample from near the start of an ftp:
|
|
|
|
3.00 0.20 send . 512
|
|
|
|
3.20 0.20 ack . 1024 (0.20)
|
|
|
|
3.20 0.00 send P 1024
|
|
|
|
3.40 0.20 ack . 1536 (0.20)
|
|
|
|
3.80 0.40 * send . 0 (3.80) [2]
|
|
|
|
3.82 0.02 * ack . 1536 (0.62) [2]
|
|
|
|
Three seconds into the conversation, bytes 512 through 1023
|
|
|
|
were sent. 200ms later they were acked. Shortly thereafter
|
|
|
|
bytes 1024-1535 were sent and again acked after 200ms.
|
|
|
|
Then, for no apparent reason, 0-511 is retransmitted, 3.8
|
|
|
|
seconds after its initial send (the round trip time for this
|
|
|
|
ftp was 1sec, +-500ms). Since the receiver is expecting
|
|
|
|
1536, 1536 is re-acked when 0 arrives.
|
|
|
|
|
|
|
|
packetdat.awk
|
|
|
|
Computes chunk summary data for an ftp (or similar
|
|
|
|
unidirectional tcp transfer). [A "chunk" refers to
|
|
|
|
a chunk of the sequence space -- essentially the packet
|
|
|
|
sequence number divided by the max segment size.]
|
|
|
|
|
|
|
|
A summary line is printed showing the number of chunks,
|
|
|
|
the number of packets it took to send that many chunks
|
|
|
|
(if there are no lost or duplicated packets, the number
|
|
|
|
of packets should equal the number of chunks) and the
|
|
|
|
number of acks.
|
|
|
|
|
|
|
|
Following the summary line is one line of information
|
|
|
|
per chunk. The line contains eight fields:
|
|
|
|
1 - the chunk number
|
|
|
|
2 - the start sequence number for this chunk
|
|
|
|
3 - time of first send
|
|
|
|
4 - time of last send
|
|
|
|
5 - time of first ack
|
|
|
|
6 - time of last ack
|
|
|
|
7 - number of times chunk was sent
|
|
|
|
8 - number of times chunk was acked
|
|
|
|
(all times are in decimal seconds, relative to the start
|
|
|
|
of the conversation.)
|
|
|
|
|
|
|
|
As an example, here is the first part of the output for
|
|
|
|
an ftp trace:
|
|
|
|
|
|
|
|
# 134 chunks. 536 packets sent. 508 acks.
|
|
|
|
1 1 0.00 5.80 0.20 0.20 4 1
|
|
|
|
2 513 0.28 6.20 0.40 0.40 4 1
|
|
|
|
3 1025 1.16 6.32 1.20 1.20 4 1
|
|
|
|
4 1561 1.86 15.00 2.00 2.00 6 1
|
|
|
|
5 2049 2.16 15.44 2.20 2.20 5 1
|
|
|
|
6 2585 2.64 16.44 2.80 2.80 5 1
|
|
|
|
7 3073 3.00 16.66 3.20 3.20 4 1
|
|
|
|
8 3609 3.20 17.24 3.40 5.82 4 11
|
|
|
|
9 4097 6.02 6.58 6.20 6.80 2 5
|
|
|
|
|
|
|
|
This says that 134 chunks were transferred (about 70K
|
|
|
|
since the average packet size was 512 bytes). It took
|
|
|
|
536 packets to transfer the data (i.e., on the average
|
|
|
|
each chunk was transmitted four times). Looking at,
|
|
|
|
say, chunk 4, we see it represents the 512 bytes of
|
|
|
|
sequence space from 1561 to 2048. It was first sent
|
|
|
|
1.86 seconds into the conversation. It was last
|
|
|
|
sent 15 seconds into the conversation and was sent
|
|
|
|
a total of 6 times (i.e., it was retransmitted every
|
|
|
|
2 seconds on the average). It was acked once, 140ms
|
|
|
|
after it first arrived.
|
|
|
|
|
|
|
|
stime.awk
|
|
|
|
atime.awk
|
|
|
|
Output one line per send or ack, respectively, in the form
|
|
|
|
<time> <seq. number>
|
|
|
|
where <time> is the time in seconds since the start of the
|
|
|
|
transfer and <seq. number> is the sequence number being sent
|
|
|
|
or acked. I typically plot this data looking for suspicious
|
|
|
|
patterns.
|
|
|
|
|
|
|
|
|
|
|
|
The problem I was looking at was the bulk-data-transfer
|
|
|
|
throughput of medium delay network paths (1-6 sec. round trip
|
|
|
|
time) under typical DARPA Internet conditions. The trace of the
|
|
|
|
ftp transfer of a large file was used as the raw data source.
|
|
|
|
The method was:
|
|
|
|
|
|
|
|
- On a local host (but not the Sun running tcpdump), connect to
|
|
|
|
the remote ftp.
|
|
|
|
|
|
|
|
- On the monitor Sun, start the trace going. E.g.,
|
|
|
|
tcpdump host local-host and remote-host and port ftp-data >tracefile
|
|
|
|
|
|
|
|
- On local, do either a get or put of a large file (~500KB),
|
|
|
|
preferably to the null device (to minimize effects like
|
|
|
|
closing the receive window while waiting for a disk write).
|
|
|
|
|
|
|
|
- When transfer is finished, stop tcpdump. Use awk to make up
|
|
|
|
two files of summary data (maxsize is the maximum packet size,
|
|
|
|
tracedata is the file of tcpdump tracedata):
|
|
|
|
awk -f send-ack.awk packetsize=avgsize tracedata >sa
|
|
|
|
awk -f packetdat.awk packetsize=avgsize tracedata >pd
|
|
|
|
|
|
|
|
- While the summary data files are printing, take a look at
|
|
|
|
how the transfer behaved:
|
|
|
|
awk -f stime.awk tracedata | xgraph
|
|
|
|
(90% of what you learn seems to happen in this step).
|
|
|
|
|
|
|
|
- Do all of the above steps several times, both directions,
|
|
|
|
at different times of day, with different protocol
|
|
|
|
implementations on the other end.
|
|
|
|
|
|
|
|
- Using one of the Unix data analysis packages (in my case,
|
|
|
|
S and Gary Perlman's Unix|Stat), spend a few months staring
|
|
|
|
at the data.
|
|
|
|
|
|
|
|
- Change something in the local protocol implementation and
|
|
|
|
redo the steps above.
|
|
|
|
|
|
|
|
- Once a week, tell your funding agent that you're discovering
|
|
|
|
wonderful things and you'll write up that research report
|
|
|
|
"real soon now".
|
2015-01-06 19:03:11 +00:00
|
|
|
```
|