tcpeek is a network monitor that watches TCP session establishment (the 3-way handshake) and aggregates the errors that occur during it.
It has the following features:
Aggregates TCP sessions that failed to connect
- counts sessions rejected with an RST
- counts sessions for which an ICMP unreachable message was observed
- counts sessions whose connection attempt timed out
Aggregates TCP sessions in which retransmissions occurred
- counts sessions in which the SYN segment was retransmitted
- counts sessions in which the SYN/ACK segment was retransmitted
Filters let you aggregate sessions separately
- a filter is a combination of traffic direction, IP address and port number
- multiple filters can be specified
- exclusion filters are also possible (for example "ignore this port")
Outputs the aggregated data over a UNIX domain socket
- the output is JSON, which is easy to handle from scripts
- a companion script (tcpeekstat) pushes the data to Ganglia via gmetric, so it ends up in RRD
$ git clone git://github.com/pandax381/tcpeek.git
$ cd tcpeek
$ ./configure
$ make
$ sudo make install
usage: tcpeek [option]... [expression]...
option:
-u --user=uid          # run as the specified user (tcpeek switches to that uid with setuid)
-i --interface=dev     # interface to capture on (for example eth0)
-U --socket=path       # path of the UNIX domain socket (default: /var/run/tcpeek/tcpeek.sock)
-c --checksum=[0|1|2]  # checksum verification mode: 0 = none, 1 = IP header only, 2 = IP header + TCP header (default: 0)
-t --timeout=sec       # session timeout in seconds (default: 60)
-B --buffer            # libpcap buffer size in MB (default: 2)
-l --loglevel=LEVEL    # syslog level (default: LOG_NOTICE) ※ not functional at present
-q --quiet             # suppress the real-time session output
--promisc              # capture in promiscuous mode
--icmp                 # also interpret ICMP unreachable messages
-h --help              # show help and exit
-v --version           # show the version and exit
Notes: --promisc is needed to see sessions that are not addressed to the capturing host itself (for example on a mirror/SPAN port). With -c 1 or -c 2, keep in mind that a NIC with checksum offload hands outgoing packets to libpcap before the checksum has been filled in, so TX sessions captured on such a host can fail verification.
expression:
[filter]:dir@addr:port[:port...][,...]
'%' can be used in place of the wildcard '*' ('*' would be expanded by the shell unless quoted), for example:
tcpeek -i eth0 filter:RX@%:80:443
tcpeek -i eth0 filter:TX@192.168.0.0/24:%
tcpeek -i eth0 filter1:RX@%:80:443 filter2:TX@192.168.0.0/24:%
If you give only the interface with -i and no expression, tcpeek still works: by default the filters RX:RX@*:* and TX:TX@*:* are used.
$ sudo ./tcpeek -i eth0
expression
The expression syntax is a little involved. Its form is:
filter name:direction (RX|TX)@IP address:port number
- Multiple filters can be specified:
  filter1:RX@192.168.0.1:80 filter2:TX@192.168.0.2:80
- '%' is a wildcard for both the IP address and the port number:
  filter:TX@%:%
- The IP address may also be a network address (CIDR):
  filter:TX@192.168.0.0/24:%
- Several port numbers can be given, separated by ':':
  filter:TX@192.168.0.1:80:443:8080
- Several address/port combinations can be given, separated by ',':
  filter:TX@192.168.0.1:80:443:8080,192.168.0.2:80,192.168.0.3:80:8080
- If the filter name is omitted, the filter becomes an exclusion filter: sessions matching its condition are not recorded in any filter (the order in which filters are written does not matter):
  :RX@*:22 :TX@*:22
- A session that matches more than one filter is counted in every filter it matches.
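To make the filter rules above concrete, here is an added Python implementation of the expression grammar and its matching rules (example code written for this page, not part of tcpeek). It assumes that the addr:port part of a filter is compared against the server side of a session, i.e. the destination of the SYN, which is what the README examples imply; that the default RX/TX filters apply when no named filter is given; and that addresses are IPv4, since ':' is the port separator.

```python
"""Parser and matcher for tcpeek filter expressions: [name]:DIR@addr:port[:port...][,...]"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WILDCARDS = {"%", "*"}      # '%' is accepted so the expression needs no shell quoting
DIRECTIONS = {"RX", "TX"}


@dataclass(frozen=True)
class Filter:
    name: Optional[str]     # None => exclusion filter, e.g. ":RX@%:22"
    direction: str          # "RX" or "TX"
    targets: tuple          # ((network | None, frozenset(ports) | None), ...)

    def matches(self, direction: str, server_ip: str, server_port: int) -> bool:
        # Assumption: addr:port is matched against the server side (the SYN's destination).
        if direction != self.direction:
            return False
        ip = ipaddress.ip_address(server_ip)
        for net, ports in self.targets:
            if (net is None or ip in net) and (ports is None or server_port in ports):
                return True
        return False


def parse_filter(expr: str) -> Filter:
    name, sep, rest = expr.partition(":")
    direction, sep2, addrlist = rest.partition("@")
    if not sep or not sep2 or direction not in DIRECTIONS:
        raise ValueError(f"bad filter expression: {expr!r}")
    targets = []
    for item in addrlist.split(","):             # ',' separates address/port combinations
        addr, *ports = item.split(":")           # ':' separates the address from its ports
        if not ports:
            raise ValueError(f"missing port in {item!r} ({expr!r})")
        net = None if addr in WILDCARDS else ipaddress.ip_network(addr, strict=False)
        if any(p in WILDCARDS for p in ports):
            portset = None                        # any port
        else:
            portset = frozenset(int(p) for p in ports)
            if not all(0 <= p <= 65535 for p in portset):
                raise ValueError(f"port out of range in {item!r}")
        targets.append((net, portset))
    return Filter(name or None, direction, tuple(targets))


def build_filters(exprs) -> list:
    """Parse all expressions; without a named filter, fall back to the documented defaults."""
    filters = [parse_filter(e) for e in exprs]
    if not any(f.name for f in filters):         # assumption: defaults apply when nothing is named
        filters += [parse_filter("RX:RX@%:%"), parse_filter("TX:TX@%:%")]
    return filters


def classify(filters, direction: str, server_ip: str, server_port: int) -> list:
    """Names of every filter a session is counted under; [] if an exclusion filter matches."""
    if any(f.name is None and f.matches(direction, server_ip, server_port) for f in filters):
        return []
    return [f.name for f in filters
            if f.name is not None and f.matches(direction, server_ip, server_port)]


if __name__ == "__main__":
    fs = build_filters(["http-rx:RX@%:80:443", "lan-tx:TX@192.168.0.0/24:%", ":RX@*:22", ":TX@*:22"])
    print(classify(fs, "RX", "10.0.0.5", 443))        # ['http-rx']
    print(classify(fs, "RX", "10.0.0.5", 22))         # []  (excluded)
    print(classify(fs, "TX", "192.168.0.9", 8080))    # ['lan-tx']
```

The exclusion check runs before the named filters are consulted, which is what makes the order of the expressions on the command line irrelevant.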
While tcpeek runs, information about each TCP session is written to standard error in real time.
$ sudo ./tcpeek -i eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
 TIME(s) |       TIMESTAMP       | SRC IP:PORT          DST IP:PORT        | RESULTS           | DUP SYN  DUP S/A
--------------------------------------------------------------------------------------------------------------
   0.002 | 12-07-06 16:39:02.552 | 192.168.2.227:48967  192.168.2.202:80   | success           |    0        0
   0.002 | 12-07-06 16:39:02.559 | 192.168.2.227:48968  192.168.2.202:80   | success           |    0        0
   0.002 | 12-07-06 16:39:11.219 | 192.168.2.227:42031  192.168.2.202:443  | success           |    0        0
   0.002 | 12-07-06 16:39:11.273 | 192.168.2.227:48970  192.168.2.202:80   | success           |    0        0
   0.002 | 12-07-06 16:39:11.279 | 192.168.2.227:42033  192.168.2.202:443  | success           |    0        0
   0.002 | 12-07-06 16:39:11.309 | 192.168.2.227:48972  192.168.2.202:80   | success           |    0        0
   0.002 | 12-07-06 16:39:11.323 | 192.168.2.227:42035  192.168.2.202:443  | success           |    0        0
   0.001 | 12-07-06 16:39:11.354 | 192.168.2.227:42036  192.168.2.202:443  | success           |    0        0
   0.002 | 12-07-06 16:39:11.385 | 192.168.2.227:42037  192.168.2.202:443  | success           |    0        0
   0.001 | 12-07-06 16:39:36.254 | 192.168.2.228:62876  192.168.2.227:80   | failure (reject)  |    0        0
   0.000 | 12-07-06 16:39:38.160 | 192.168.2.228:62877  192.168.2.227:80   | failure (reject)  |    0        0
   0.000 | 12-07-06 16:39:44.689 | 192.168.2.227:56371  192.168.2.228:8080 | failure (reject)  |    0        0
  39.947 | 12-07-06 16:41:29.723 | 192.168.2.227:58376  192.168.2.207:8080 | failure (timeout) |    2        0
- TIME(s): time in seconds taken to establish the TCP session (3-way handshake)
- TIMESTAMP: time at which the TCP session started
- SRC IP:PORT: IP address and port number of the side that initiated the session (client)
- DST IP:PORT: IP address and port number of the side that accepted the session (server)
- RESULTS: whether the session was established (success) or not (failure, with the reason)
- DUP SYN: number of times the SYN segment was retransmitted (0 if it was not)
- DUP S/A: number of times the SYN/ACK segment was retransmitted (0 if it was not)
Press Ctrl+C to print the statistics below and exit.
========== TCPEEK SUMMARY ==========
from : 2012-07-02 16:48:33 # start of the aggregation period
to : 2012-07-02 16:49:59 # end of the aggregation period
time : 86.106 (sec) # elapsed time (seconds)
------------------------------------
RX # filter name
Success: 0 session # sessions whose 3-way handshake succeeded
SYN Segment Duplicate : 0 # sessions in which the SYN segment was retransmitted
S/A Segment Duplicate : 0 # sessions in which the SYN/ACK segment was retransmitted
Failure: 10 session # sessions whose 3-way handshake failed
Connection Timed Out : 0 # sessions whose connection attempt timed out
Connection Rejected : 10 # sessions whose connection attempt was rejected
------------------------------------
TX
Success: 783 session
SYN Segment Duplicate : 0
S/A Segment Duplicate : 0
Failure: 0 session
Connection Timed Out : 0
Connection Rejected : 0
------------------------------------
http-rx
Success: 0 session
SYN Segment Duplicate : 0
S/A Segment Duplicate : 0
Failure: 10 session
Connection Timed Out : 0
Connection Rejected : 10
------------------------------------
http-tx
Success: 767 session
SYN Segment Duplicate : 0
S/A Segment Duplicate : 0
Failure: 0 session
Connection Timed Out : 0
Connection Rejected : 0
====================================
In the summary above the 10 rejected sessions appear under both RX and http-rx: a session is counted in every filter it matches. The same statistics can also be obtained while tcpeek is running, using the tcpeekstat command described below.
usage: tcpeekstat [OPTION]
[OPTION]
-g --gmetric       # push the statistics to Ganglia by running gmetric
-U --socket=path   # path of the UNIX domain socket (default: /var/run/tcpeek/tcpeek.sock)
-v --version       # show the version
-h --help          # show help
Run tcpeekstat to fetch the statistics from a running tcpeek:
$ sudo ./tcpeekstat
With the -g option the statistics are handed to Ganglia's 'gmetric' command, which records them in RRD:
$ sudo ./tcpeekstat -g
Without -g, tcpeekstat prints the totals accumulated since tcpeek was started. With -g, it reports the difference since the previous run with -g, so consecutive -g runs only report the sessions seen in between.
libpcap is required (the latest release is recommended: http://www.tcpdump.org/#latest-release).
The author accepts no responsibility for any damage caused by using this software.