Ethereal-dev: [Ethereal-dev] Re: NEW MODULES FOR TRAFFIC ANALYSIS UNDER TETHEREAL

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <sahlberg@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Sep 2002 23:30:41 +1000
Hi,

the user manual is 1.7MB but only 9 pages of basically text. You should
consider replacing it with an ASCII file.


Suggestions:
The patch is very intrusive and not optimally generic.
You should split it up in different smaller patches, one for each new
feature.

Perhaps start with the -T option as the first small patch.
This option should not rely on patching tethereal.c but instead use the
tapping system (read doc/README.tapping and see tap-rpcstat.c)
to keep it from doing intrusive patching of tethereal.c that is just
unnecessary.

So, perhaps change -T to become a tap reader such as tap-rpcstat.c is an
example of.

This means:
1. Create tap-iostat.[ch] based on tap-rpcstat.c. While rpcstat reads from
   the "rpc" tap, iostat should read from the "frame" tap.
2. Minor update to tethereal to add iostat to the parsing of the -z
   argument. The arguments perhaps should be
   -z frames,stat,<interval>,[frames|bytes|both]{,filter}
   where <interval> would be the measurement interval in seconds.
   Your -T 1 would have <interval> == 1.

tap-iostat would be very similar to rpcstat in several ways. Reuse the ideas
from rpcstat for iostat.
Do not use any global variables. Everything should be handled through the
instance structure malloced and passed to the tap system. As rpcstat does.
This will enable it to automagically support multiple/unlimited numbers of
simultaneous -z frames,stat,... instances, each resulting in its own
independent table.
See tap-rpcstat.c.

tap-iostat.c would basically be
reset() callback would be NULL since it is not really used by tethereal.c
packet() callback: keep a linked list of time intervals and allocate a new
one automatically when it needs to.
This callback would also just increment the frame number and add the bytes
to the total.
draw() callback would just print the table with a simple header and footer.
Perhaps the table should look like :
===========================================
IOSTAT
TYPE:both
INTERVAL:5seconds
FILTER:no filter
----------------------------------------------------------------
    0 -    4              5        5194
    5 -    9              12      8112
  10 -   14
...
==========================================
Columns are :   time-start    time-stop   num-frames   num-bytes
It should print the time into the capture for the intervals, and not the
interval number, as the first columns, so it would be easier to correlate
and find interesting intervals when looking at the capture with ethereal.

The optional ,filter argument would just be passthrough into the tap system
and allows people to generate these kinds of stats for ANY imaginable subset
of the capture.
To generate the kind of statistics you have in -T would be achieved by not
supplying a filter and calculating the stats on everything.
But a user COULD do -z frame,stat,5,both,nfs
and thus get this kind of statistics for just the nfs traffic.
Or,  -z frame,stat,5,both,frame.pkt_len>=1400
to only measure the stats for large frames,
or,   the possibilities are endless, and so would its usefulness be.


So, I think the patch should be split up, only adding a single feature at a
time.
Let's start with -T and change it to use the tap system as described above.
The changes suggested above would make it much more useful and powerful.

tap-iostat.c should not be more than 100-200 lines of C.  The changes to
parse the -z flag in tethereal.c should be <20 lines.


Please rewrite the -T extension as suggested above. It will both provide a
very useful extension to tethereal as well as provide verification on the
usability of the tap API.

---
Of course, tap-iostat.c should later be ported to gtk{2}/iostat.c with a
nice GUI and capable of displaying it in semi-real time with a nice graph.
The gtk{2} version should also be capable of displaying multiple subsets of
packets in the same graph, i.e. one line for total, one line for "nfs", one
line for "smb", one line for "http" or whatever the user specifies as
filters.



Oh, don't write the output to a file. Do the output to stdout.
If you need the data in a file it is very easy to just redirect all
tethereal output to a file and then just use some grep, head, tail magic to
copy any interesting parts of the output to any file you want. This does not
need to be implemented by code inside tethereal.


----- Original Message -----
From: "sergio morant"
Sent: Thursday, September 26, 2002 8:40 PM
Subject: NEW MODULES FOR TRAFFIC ANALYSIS UNDER TETHEREAL


>   Hi to all,
>
> I have been working with Ethereal to deal with a project that
> studies the traffic that is passing across the router of
> a university.
> I have developed some new features that work under tethereal that are
> mostly analysis of the traffic captured with the tool and I want
> to send you those modules to see if they could be included in a future
> release of the tool. I attach the files I have done, and I also attach a
> part of the documentation that I have written for this project that is
> the user's manual for the new features, but since the project is still
> going on that documentation is not definitive.
>
> First of all I want to introduce what the objectives for those
> modules are: The main idea is to be able to evaluate the kind of traffic
> that is passing through the router, the machines that generate it, and
> how the traffic varies along the capture period, using all this
> information to build a rule set for COPS. The intention is also that
> the analysis can be scheduled using Cron or another scheduler daemon.
> Since all the analysis results are flushed to a text file I have written
> some functions that automatically generate the strings for the file
> name based upon the timestamp of the first frame captured.
>
> I have taken as starting point the protocol hierarchy statistics module
> and I made some modifications to allow the module to be able to flush
> the information to a file besides a GTK window like it works with
> Ethereal.
> The new files are :
> com_stats.c and com_stats.h : Generate the protocol hierarchy stats and
> IP communications.
> traffic_statistics.c and traffic_statistics.h: Measures the amount of
> information sent in little intervals during the capture.
>
> To make all of this work, I have made some modifications in the files
> tethereal.c
> Makefile.in
> (I have also attached the patches for these files.)
>
> I also have a question: I write the results of the analysis to a file,
> but in order to do that I have placed all the routines to open
> the files and print in each module. I know there are already
> several modules with the printing routines to create the capture files
> but I don't know if there is a way to integrate all that together.
>
> I hope you will find something interesting that could be useful for
> other people.
>
> Thanks for your time and if you have any questions regarding those
> modules just send me an e-mail and I will be glad to answer them.
>
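The tap-iostat.c design Ronnie sketches above (a malloced per-instance structure, a packet() callback that keeps an on-demand linked list of intervals, and a draw() callback that prints the table to stdout), written out as an added example that is not Ethereal's own code: iostat_t, iostat_new(), iostat_packet() and iostat_draw() are assumed names and the real tap registration and filter plumbing are left out, the filter string only being echoed in the header.

```c
/* Added example, not Ethereal's tap-iostat.c: the per-interval accumulator
 * Ronnie sketches, with the tap plumbing left out. iostat_t, iostat_packet()
 * and iostat_draw() are assumed names, not the real tap callback signatures. */
#include <stdio.h>
#include <stdlib.h>
typedef struct io_interval {
    unsigned int start;          /* seconds into the capture, inclusive */
    unsigned int frames;
    unsigned long bytes;
    struct io_interval *next;    /* kept sorted by start, allocated on demand */
} io_interval_t;

typedef struct {                 /* one instance per -z frames,stat,... */
    unsigned int interval;       /* measurement interval in seconds */
    io_interval_t *head;
} iostat_t;

static iostat_t *iostat_new(unsigned int interval) {   /* malloced, no globals */
    iostat_t *io = calloc(1, sizeof *io);
    io->interval = interval ? interval : 1;
    return io;
}

/* packet() callback: find or create this frame's interval, count it, add bytes. */
static void iostat_packet(iostat_t *io, double rel_time, unsigned int pkt_len) {
    unsigned int start = ((unsigned int)rel_time / io->interval) * io->interval;
    io_interval_t **pp = &io->head;
    while (*pp && (*pp)->start < start) pp = &(*pp)->next;
    if (!*pp || (*pp)->start != start) {               /* insert in time order */
        io_interval_t *n = calloc(1, sizeof *n);
        n->start = start;
        n->next = *pp;
        *pp = n;
    }
    (*pp)->frames++;
    (*pp)->bytes += pkt_len;
}

/* draw() callback: header, one row per interval, footer, all on stdout. */
static void iostat_draw(const iostat_t *io, const char *type, const char *filter) {
    const io_interval_t *it = io->head;
    printf("=====\nIOSTAT\nTYPE:%s\nINTERVAL:%useconds\nFILTER:%s\n-----\n",
           type, io->interval, filter ? filter : "no filter");
    for (unsigned int t = 0; it; t += io->interval) {   /* empty intervals: no counts */
        printf("%5u - %4u", t, t + io->interval - 1);
        if (it->start == t) { printf(" %12u %12lu", it->frames, it->bytes); it = it->next; }
        putchar('\n');
    }
    printf("=====\n");
}
```

Feeding constructed frames at 0.2s, 3.9s, 5.0s and 12.0s into an instance with a 5 second interval produces rows for 0-4, 5-9 and 10-14, with the first row counting two frames, which is the "time into the capture" layout the table above asks for.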