lost and found ( for me ? )

Linux Mint 12 : install captcp

captcp analyzes TCP traffic in a pcap file: for example, it prints per-connection statistics and produces throughput and sequence graphs. Nice tool!
http://research.protocollabs.com/captcp/

# lsb_release -a
No LSB modules are available.
Distributor ID: LinuxMint
Description:    Linux Mint 12 Lisa
Release:        12
Codename:       lisa

# uname -ri
3.2.0-32-generic x86_64


[ install captcp ]
# git clone git://github.com/hgn/captcp.git
# cd captcp/
# make
# make install

# ls -l /usr/bin/captcp
lrwxrwxrwx 1 root root 27 Oct 27 16:22 /usr/bin/captcp -> /usr/share/captcp/captcp.py


Install the required Python modules
# apt-get install -y python-pypcap python-dpkt python-geoip python-cairo python-numpy


[ sample usage ]

First, prepare a pcap file.
# tshark -i br0 port 80 -w zzz.pcap

# /usr/bin/captcp statistic zzz.pcap
General:
       Packets processed:   806 ( 100.00%)
       Network Layer
          ARP:              0 (   0.00%)
          IPv4:           806 ( 100.00%)
          IPv6:             0 (   0.00%)
          Unknown:          0 (   0.00%)
       Transport Layer
          TCP:            806 ( 100.00%)
          UDP:              0 (   0.00%)
          ICMP:             0 (   0.00%)
          ICMPv6:           0 (   0.00%)
          Unknown:          0 (   0.00%)

Connections:

1  192.168.10.15:47385<->74.125.235.83:80

       Packets processed: 10 (1.2%)

       Flow 1.1:  192.168.10.15:47385 -> 74.125.235.83:80
       Flow 1.2:  74.125.235.83:80 -> 192.168.10.15:47385
       Packets:                          6 packets   Packets:                          4 packets
       Data link layer:               1748 bytes     Data link layer:                781 bytes
       Data network layer:            1664 bytes     Data network layer:             725 bytes
       Data transport layer:          1544 bytes     Data transport layer:           645 bytes
       Data application layer:        1344 bytes     Data application layer:         509 bytes
       Retransmissions:                  0 bytes     Retransmissions:                  0 bytes
       Retransmissions:                  0 packets   Retransmissions:                  0 packets
       Retransmissions per byte:      0.00 percent   Retransmissions per byte:      0.00 percent
       Retransmissions per packet:    0.00 percent   Retransmissions per packet:    0.00 percent
       ACK flag set but no payload:      4 packets   ACK flag set but no payload:      3 packets


2  192.168.10.15:47386<->74.125.235.83:80

       Packets processed: 15 (1.9%)

       Flow 2.1:  192.168.10.15:47386 -> 74.125.235.83:80
       Flow 2.2:  74.125.235.83:80 -> 192.168.10.15:47386
       Packets:                          9 packets   Packets:                          6 packets
       Data link layer:               3411 bytes     Data link layer:               1546 bytes
       Data network layer:            3285 bytes     Data network layer:            1462 bytes
       Data transport layer:          3105 bytes     Data transport layer:          1342 bytes
       Data application layer:        2833 bytes     Data application layer:        1142 bytes
       Retransmissions:                  0 bytes     Retransmissions:                  0 bytes
       Retransmissions:                  0 packets   Retransmissions:                  0 packets
       Retransmissions per byte:      0.00 percent   Retransmissions per byte:      0.00 percent
       Retransmissions per packet:    0.00 percent   Retransmissions per packet:    0.00 percent
       ACK flag set but no payload:      3 packets   ACK flag set but no payload:      4 packets

# /usr/bin/captcp throughput --stdio zzz.pcap
 1.0         0.0
 2.0         0.0
 3.0         0.0
 4.0         0.0
 5.0      3403.0
 6.0         0.0
 7.0      2425.0
 8.0     34907.0
 9.0    427526.0
10.0    128772.0
11.0         0.0
12.0     24511.0
13.0     79982.0
# total data (goodput): 703948 byte (5.63 Mbit)
# throughput (goodput): 50576.25 byte/s (404.61 kbit/s)


Output throughput graph

Make a directory to store the graph
# mkdir throuput-graph

# captcp throughput --init --output-dir throuput-graph zzz.pcap


Make PNG and PDF
# cd throuput-graph/

# ls
Makefile  throughput.data  throughput.gpi

# make png
compillation of throughput.gpi
make: gnuplot: Command not found
make: *** [throughput.eps] Error 127


Error: gnuplot is not installed.
Install gnuplot
# apt-get install gnuplot -y


Try again: another error
# make png
compillation of throughput.gpi
conversion in pdf format
make: epstopdf: Command not found
make: *** [throughput.pdf] Error 127
rm throughput.eps

# apt-get install -y texlive-font-utils

# make png
compillation of throughput.gpi
conversion in pdf format
end
conversion in png format
end
rm throughput.eps

Okay.
# ls throughput.p*
throughput.pdf  throughput.png
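The two failed make runs above each stopped on one missing tool. As an added example (not from the original post or from captcp itself), a POSIX shell function that checks for gnuplot and epstopdf before running "make png" and prints the packages from the post that provide them; the tool-to-package mapping assumes Linux Mint 12 as used here.

```shell
#!/bin/sh
# Added example, not from the original post or from captcp itself: check
# that the tools the generated Makefile calls are present before running
# "make png", and name the Linux Mint 12 packages from the post that provide
# them, instead of discovering one missing tool per failed make run.

# Tool the Makefile needs and the package that provides it, one pair per line
# (gnuplot draws the .eps, epstopdf from texlive-font-utils converts it).
graph_tool_packages() {
    printf '%s\n' 'gnuplot gnuplot' 'epstopdf texlive-font-utils'
}

# Print the package for every tool not found on PATH; prints nothing when
# all tools are available.
missing_graph_packages() {
    graph_tool_packages | while read -r tool pkg; do
        command -v "$tool" >/dev/null 2>&1 || echo "$pkg"
    done
}

# Run "make png" in the captcp output directory only when the toolchain is
# complete; otherwise print the single apt-get line that fixes it.
build_graph_png() {
    dir="${1:-.}"
    missing=$(missing_graph_packages | sort -u | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "missing tools; run: apt-get install -y $missing" >&2
        return 1
    fi
    make -C "$dir" png
}
```

Call `build_graph_png throuput-graph` from the directory that holds the captcp output; it returns 1 with the install line on stderr when something is missing.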



Output sequence graph
# captcp sequencegraph zzz.pcap  --local=192.168.10.15

# ls *.pdf
seq-graph.pdf



Output specific connection
# captcp sequencegraph --connection-id=3 --local=192.168.10.15 zzz.pcap --filename=con-3.pdf --rtt=0.5



You can check connection ID like this:
# captcp statistic zzz.pcap | grep "<->"
1  192.168.10.15:47385<->74.125.235.83:80
2  192.168.10.15:47386<->74.125.235.83:80
3  192.168.10.15:45850<->176.32.120.15:80
4  192.168.10.15:45851<->176.32.120.15:80
5  192.168.10.15:50662<->210.149.135.93:80
6  192.168.10.15:50663<->210.149.135.93:80
7  192.168.10.15:50664<->210.149.135.93:80
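Rather than reading the connection ID off this list and typing --connection-id=N for each one, the connection headers can be parsed and graphed in a loop. This is an added example, not code from the original post or from the captcp project; it assumes captcp is on PATH and that the local address is 192.168.10.15 as in the post.

```shell
#!/bin/sh
# Added example, not from the original post or from captcp itself: list the
# connections that "captcp statistic" reports and draw one sequence graph per
# connection, instead of typing --connection-id=N by hand for each one.
# Assumes captcp is on PATH and that LOCAL_IP is the capture host's address
# (192.168.10.15 in the post); set DRY_RUN=1 to only print the commands.

LOCAL_IP="${LOCAL_IP:-192.168.10.15}"

# Read "captcp statistic" output on stdin and print "ID src dst" for every
# "ID  src<->dst" connection header line (the same lines grep "<->" shows).
parse_connections() {
    awk '/<->/ { split($2, ep, "<->"); print $1, ep[1], ep[2] }'
}

# Draw (or, with DRY_RUN=1, print the command for) the sequence graph of one
# connection ID; output file names follow the post's con-<id>.pdf convention.
graph_connection() {
    pcap="$1"; id="$2"
    set -- captcp sequencegraph --connection-id="$id" --local="$LOCAL_IP" \
        "$pcap" --filename="con-$id.pdf"
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Run the statistic module once and graph every connection it lists.
graph_all_connections() {
    pcap="$1"
    captcp statistic "$pcap" | parse_connections | while read -r id src dst; do
        echo "connection $id: $src -> $dst"
        graph_connection "$pcap" "$id"
    done
}

# Constructed sample for offline checks: the connection list from the post.
SAMPLE_STATISTIC='Connections:

1  192.168.10.15:47385<->74.125.235.83:80
2  192.168.10.15:47386<->74.125.235.83:80
3  192.168.10.15:45850<->176.32.120.15:80'

# Number of connections in the constructed sample (expected: 3).
count_sample_connections() {
    printf '%s\n' "$SAMPLE_STATISTIC" | parse_connections | wc -l | tr -d ' '
}
```

Run `graph_all_connections zzz.pcap` to produce con-1.pdf through con-7.pdf for the capture above.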


[ how to see help messages ]

Check the module names with "captcp --help"
# /usr/bin/captcp --help
Usage: captcp [-h] modulename [modulename-options] <pcap-file>
Available modules:
   stacktrace
   show
   spacing
   statistic
   payloadtimeport
   timesequence
   geoip
   inflight
   sound
   connection
   throughput
   template
   sequencegraph


Check the arguments of the statistic module.
# /usr/bin/captcp statistic --help
Usage: captcp [options]

Options:
 -h, --help            show this help message and exit
 -v LOGLEVEL, --verbose=LOGLEVEL
                       set the loglevel (info, debug, warning, error)
 -i FILTER, --filter=FILTER
                       limit number of displayed connections "sip:sport-
                       dip:dport", default "*:*-*:*"
 -m FORMAT, --format=FORMAT
                       skip summary and display only selected values

2 comments:

  1. Thank you so much. It was of great help!

  2. Thank you for stopping by my blog.
    My pleasure. :)
