NAME

yconalyzer - A program to analyze TCP traffic on a server or client port.

SYNOPSIS

yconalyzer -p port [ -i interface ] [ -t seconds ] [ expression ]
yconalyzer -p port [ -i interface ] [ -w file ] [ -t seconds ]

DESCRIPTION

Yconalyzer selects the packets on a network interface that match the boolean expression and prints out statistics about the TCP connections.

When run with the -w flag (recommended mode), it saves the packet data to file for later analysis.

When run with the -r flag, it reads from a saved packet file rather than to read packets from a network interface, and then print out statistics.

In all cases, only packets that match yconalyzer's internal filter as well as the expression will be processed by yconalyzer. The internal filter processes only those TCP packets that have the source or destination port matching port, and have one of SYN, FIN, or RST flags set in the TCP header.

The same permission restrictions apply as they do for tcpdump. As with tcpdump, you must have super-user permissions in order to invoke yconalyzer without the -r option. All files captured by tcpump are readable by yconalyzer and vice versa (as long as file permissions are set correctly).

Yconalyzer will stop capturing packets if it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM sig- nal (typically generated with the kill(1) command)

When yconalyzer finishes capturing packets (or reading from a captured file), it will report statistics regarding the connections observed. The report is in two parts. The first part has an overall aggegated statistics, and information about lost connections, etc. The second part is a table in which the observed connections are placed in buckets according to the duration of the connection. A bucket is defined by the minimum and maximum duration of a connection (or, if -P option is chosen, then the minimum and maximum throughput of a connection). For each bucket, the following statistics are reported:

For a sample output, see the section on SAMPLE OUTPUT.

While running in capture mode (i.e. without the -r option), yconalyzer will also report the number of packets captured and dropped, like tcpdump (1) does. The same notes as in tcpdump apply for these numbers.

It is useful to monitor the number of packets dropped after yconalyzer runs. It should normally be zero, even if yconalyzer is run for extended period of time (tens of minutes, or even hours). If it is non-zero, it could be an indication (but not necessarily so) that running yconalyzer has skewed the performance of the system.

OPTIONS

-c

Print out the connections that took at least num_attempts attempts to establish

-C

Use the number of bytes sent by the client to place connections in buckets.

-d

Print out a trace of the packets in format similar to tcpdump -n. Repeating this option gives more information, useful for debugging yconalyzer.

-D

Print out the host and port numbers of all the connections in the specified bucket. The bucket_id is the first number in the bucket (which has two numbers, or only one if it is the last bucket). One line is printed for each connection in the bucket. This is printed in a format that can be cut and pasted to be used as expression with either yconalyzer or with tcpdump. Typical use of this option is to drill down on a specific bucket to list all the connections in that bucket in order to find out why these are slow. If the original data is captured using tcpdump, then the connection can be looked at to see how the transaction happened.

-i

Listen on interface. If unspecified, yconalyzer searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

-I

Consider packets later than specified time. datespec can be in HH:MM:SS or YYYY-MM-DD.HH:MM:SS format. All packets that have a timestamp before this time are discarded, so any connections established before the specified time will not show up in the final analysis.

-n

Number of buckets. Actually, one more than nbuckets buckets are printed, with the rest of the connections grouped in the last bucket.

-p

The TCP port to be monitored. This should always be specified.

-P

Use throughput buckets instead of response time. The throughput for each connection is computed as the total number of bytes sent in either direction divided by the total duration of the connection. So, this option is meaningful only when one side of the connection sends a much smaller number of bytes than the other one. Connections are bucketized in terms of the calculated throughput.

-r

Read packets from file (which was created with the -w option).

-R

Output in raw format. Useful for piping the output to a script.

-S

Use the number of bytes sent by the server to place connections in buckets.

-s

Bucket size in msecs (or, in Kbytes/sec if -P is specified).

-T

Attempt to estimate RTT for the connections. If the trace was captured on the client machine the estimated RTT is exactly the same as that experienced by the client in the beginning of the connection. Variation in RTT as the connection progresses is not tracked. If the trace was captured on the server side, then yconalyzer tries to estimate the RTT based on the way connection close is initiated by the upper layer protocol. In case of HTTP, this estimate should be quite close to the real RTT. See the section on RTT ESTIMATION.

-w

Write the raw packets to file rather than processing them and printing out statistics. The file can later be processed with the -r option.

-x

Select only those connections in which the client sends more than nbytes bytes to the server.

-X

Select only those connections in which the server sends more than nbytesP bytes to the client.

-y

Select only those connections in which the client sends less than nbytes bytes to the server.

-Y

Select only those connections in which the server sends less than nbytesP bytes to the client.

expression

EXAMPLES

To capture all relevant packets on port 80 for 10 minutes and save the packets in file http.1 for later analysis:

yconalyzer -p 80 -w http.1 -t 600

To print out the processed data from the above file:

yconalyzer -p 80 -r http.1

To change the bucket size to 2 seconds (instead of a default of 20 msec) and divide into 5 buckets (instead of deault of 20):

yconalyzer -p 80 -r http.1 -s2000 -n5

To process only those connections in which the client sends less than 4k bytes:

yconalyzer -p 80 -r http.1 -s2000 -n5 -y4096

To process those connections in which the server sends more than 64k of data.

yconalyzer -p 80 -r http.1 -s2000 -n5 -X64000

To filter out only those connections from host 23.34.45.56

yconalyzer -p 80 -r http.1 -s2000 -n5 host 23.34.45.56

To monitor only outgoing connections from an HTTP proxy (in which both incoming and outgoing connections are on port 80) for 3 minutes:

yconalyzer -p 80 -w proxy-out.1 -t180 '(src host proxy.domain.com and dst port 80) or (dst host proxy.domain.com and src port 80)'

To monitor only incoming connections to an HTTP proxy (in which both incoming and outgoing connections are on port 80) for 3 minutes:

yconalyzer -p 80 -w proxy-out.1 -t180 '(dst port 80 and dst host proxy.domain.com) or (src port 80 and src host proxy.domain.com)'

To have yconalyzer estimate RTT to the clients.

yconalyzer -p 80 -r http.1 -s2000 -n5 -T

To print details about connections that took between 500 and 600 msecs

yconalyzer -p 80 -r http.1 -s100 -D500

To get the percentage of connections that had a response time of 400msecs

yconalyzer -p 80 -r http.1 -n1 -s400

SAMPLE OUTPUT

yconalyzer -p 80 -r http.1 -T

Results of monitoring port 80 for 599.930000 seconds
Start time: Thu Jan 4 10:35:55 2007
End time: Thu Jan 4 10:45:55 2007
Total Connections (terminated by FIN): 6291
Avg Client Data: 3025 bytes
Avg Server Data: 23066 bytes
Avg conn time: 865 msecs
Avg Round Trip Time: 152 msecs
Total number of SYNs: 6382 (duplicates: 88)
Connections terminated by RESET: 37
Number of SYNs taken to establish connections: 6319
Avg no. of SYNs to establish a connection: 1.00
Number of unique connections that never completed: 0
Number of SYNs from incomplete connections: 0
Number of established connections in progress: 33 (12 may have been discarded)
Number of connections in closing state: 7
Distribution of SYNs to establsh connections (nSYNs:nConns): 1:6283,2:2,3:1,4:1,5:2,7:1,8:1,

Duration NumConns AvClient AvServer EstRtt AvThruput
(msecs) (bytes) (bytes) (msecs) (KB/s)
0 - 20 40( 0.64%) 903 7412 3 1613.58
20 - 40 109( 1.73%) 628 2257 30 89.67
40 - 60 181( 2.88%) 1350 3671 60 101.32
60 - 80 324( 5.15%) 1507 1273 66 39.25
80 - 100 279( 4.43%) 1352 4460 77 62.40
100 - 120 196( 3.12%) 1504 2856 93 38.85
120 - 140 183( 2.91%) 1528 10695 76 91.69
140 - 160 172( 2.73%) 1515 6077 84 49.94
160 - 180 155( 2.46%) 2407 5362 90 44.55
180 - 200 208( 3.31%) 1316 9759 104 58.02
200 - 220 162( 2.58%) 1672 14240 124 75.02
220 - 240 155( 2.46%) 4169 11908 136 69.50
240 - 260 157( 2.50%) 2592 18188 140 82.02
260 - 280 131( 2.08%) 2249 16619 142 69.07
280 - 300 137( 2.18%) 6110 11858 143 61.67
300 - 320 131( 2.08%) 1748 14579 130 52.05
320 - 340 124( 1.97%) 1783 17429 147 57.65
340 - 360 136( 2.16%) 1910 16969 164 53.03
360 - 380 139( 2.21%) 3945 20649 157 65.37
380 - 400 116( 1.84%) 1896 17909 156 50.16
400+ 3056(48.58%) 4057 37201 203 47.08

RTT ESTIMATION

If we make the assumption that the server side closes the connection first, and the client side closes the connection when it is done receiving all data, then the RTT can be estimated on the server as the difference between the time the server's FIN is sent and when the client's FIN is received.

SEE ALSO

tcpdump(1)

BUGS

When a machine has very low or no traffic on the port being monitored, it is possible that yconalyzer does not respond to ^C.

yconalyzer prints negative value for time when there is no traffic on the machine in which it is run.