tcpdump mailing list archives

Re: number of concurrent TCP sessions


From: Stephen Donnelly <stephen () endace com>
Date: Thu, 26 Aug 2004 09:20:18 +1200

tcpdump may not be the right tool for the job, but considerable work has been done on IP flows.

You might want to look at tcptrace, or a flows analysis package like Coralreef, or a flow probe like fprobe or ntop.

http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html
http://www.caida.org/tools/measurement/coralreef/
http://fprobe.sourceforge.net/
http://www.ntop.org/

Regards,
Stephen.

César Cárdenas wrote:
Many thanks Kiss. Dear all:
I am using windump (windows 2000)...
I would really appreciate it if you could tell me how I can determine the number of
concurrent TCP connections.
César


-- Original Message --
Date: Tue, 24 Aug 2004 19:57:36 +0200 (CEST)
From: Kiss Karoly <crash () sunserv klamzi hu>
To: tcpdump-workers () lists tcpdump org
Subject: Re: [tcpdump-workers] number of concurrent TCP sessions
Reply-To: tcpdump-workers () lists tcpdump org


On Tue, 24 Aug 2004, César Cárdenas wrote:


Dear all:
In a captured file I found '.', 'S', 'F' and 'FP' flags...
According to the manual:

flag = '.' and data-seqno = '1' implies the first time tcpdump sees a TCP conversation.


flag = 'S' and 'win (value)' stands for the beginning of a TCP conversation

flag = 'F' implies FIN (end) and flag = 'FP' I guess implies FIN/PUSH
(anyway end)

I computed the number of concurrent TCP conversations throughout the time
by adding a '1' each time I found an 'S' and subtracting a '1' each time
I found an 'F' or an 'FP'.

By doing this the number of concurrent TCP connections decreases linearly
in a negative way through the time.

Am I determining the number of concurrent TCP connections in a correct way?
I would really appreciate it if you could suggest how to determine the number
of concurrent TCP connections.

Please accept my best regards,
Cesar Cardenas

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.



You forgot to mention the system you are using, but if you use Linux and
have connection tracking enabled in the kernel (module ip_conntrack)
then it's much easier if you do a wc -l /proc/net/tcp

This will give you the number of connections pretty accurately.
But be careful with using ip_conntrack because it makes your box
vulnerable to SYN flood attacks.

Regards

Karoly Kiss

--
-----------------------------------------------------------------------
    Stephen Donnelly BCMS PhD           email: sfd () endace com
    Endace Technology Ltd               phone: +64 7 839 0540
    Hamilton, New Zealand               cell:  +64 21 1104378
-----------------------------------------------------------------------
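To make the flaw in the "+1 per S, -1 per F" counter concrete, here is an added example (not code from the thread or from tcpdump): it parses classic tcpdump/windump-style TCP lines (a constructed sample is embedded), keys each connection by its endpoint pair so that SYN and SYN-ACK are not counted twice, closes a connection on RST or after FIN in both directions, and treats a stream first seen without a SYN as already open when the capture started. The naive counter is kept beside it for comparison.

```python
import re
# Classic tcpdump/windump TCP line: "<time> <src.port> > <dst.port>: <flags> ..."
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+([SFRP.]+)\s")

# Constructed sample: a stream already in progress at capture start (no SYN seen),
# then a full handshake that ends with FP from the client and R from the server.
SAMPLE = """\
19:57:36.000100 10.0.0.5.4444 > 10.0.0.9.443: . ack 1 win 8760
19:57:36.000200 10.0.0.5.4444 > 10.0.0.9.443: F 1:1(0) ack 1 win 8760
19:57:36.000300 10.0.0.9.443 > 10.0.0.5.4444: F 1:1(0) ack 2 win 8760
19:57:36.000400 10.0.0.5.4444 > 10.0.0.9.443: . ack 2 win 8760
19:57:37.000100 10.0.0.1.1234 > 10.0.0.2.80: S 100:100(0) win 5840
19:57:37.000200 10.0.0.2.80 > 10.0.0.1.1234: S 500:500(0) ack 101 win 5792
19:57:37.000300 10.0.0.1.1234 > 10.0.0.2.80: . ack 1 win 5840
19:57:38.000100 10.0.0.1.1234 > 10.0.0.2.80: FP 1:40(39) ack 1 win 5840
19:57:38.000200 10.0.0.2.80 > 10.0.0.1.1234: R 1:1(0) win 0
""".splitlines()

def naive_count(lines):
    """+1 per 'S', -1 per 'F' as in the question (SYN-ACK also prints as 'S')."""
    n, series = 0, []
    for m in filter(None, map(LINE_RE.match, lines)):
        n += m.group(4).count("S") - m.group(4).count("F")
        series.append((m.group(1), n))
    return series

def count_concurrent(lines):
    """Return [(time, open_connections), ...]; key = endpoint pair, any direction.
    Closed on RST or FIN both ways; first seen without SYN = already in progress."""
    open_conns, closed, series = {}, set(), []  # open: key -> endpoints that sent FIN
    for m in filter(None, map(LINE_RE.match, lines)):
        ts, src, dst, flags = m.groups()
        key = (src, dst) if src < dst else (dst, src)
        if key not in open_conns:
            if "S" not in flags and key in closed:
                series.append((ts, len(open_conns)))  # trailing ACK of a closed stream
                continue
            open_conns[key] = set()
            closed.discard(key)
        if "R" in flags:
            del open_conns[key]
            closed.add(key)
        elif "F" in flags:
            open_conns[key].add(src)
            if len(open_conns[key]) == 2:  # FIN seen in both directions
                del open_conns[key]
                closed.add(key)
        series.append((ts, len(open_conns)))
    return series
```

On the sample the naive total drifts to -1 while the per-connection tracker never exceeds the true value of 1 open connection.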