/*
* Copyright (c) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
* 2002, 2003, 2004
* Ohio University.
*
* ---
*
* Starting with the release of tcptrace version 6 in 2001, tcptrace
* is licensed under the GNU General Public License (GPL). We believe
* that, among the available licenses, the GPL will do the best job of
* allowing tcptrace to continue to be a valuable, freely-available
* and well-maintained tool for the networking community.
*
* Previous versions of tcptrace were released under a license that
* was much less restrictive with respect to how tcptrace could be
* used in commercial products. Because of this, I am willing to
* consider alternate license arrangements as allowed in Section 10 of
* the GNU GPL. Before I would consider licensing tcptrace under an
* alternate agreement with a particular individual or company,
* however, I would have to be convinced that such an alternative
* would be to the greater benefit of the networking community.
*
* ---
*
* This file is part of Tcptrace.
*
* Tcptrace was originally written and continues to be maintained by
* Shawn Ostermann with the help of a group of devoted students and
* users (see the file 'THANKS'). The work on tcptrace has been made
* possible over the years through the generous support of NASA GRC,
* the National Science Foundation, and Sun Microsystems.
*
* Tcptrace is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* Tcptrace is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Tcptrace (in the file 'COPYING'); if not, write to the
* Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
* MA 02111-1307 USA
*
* Author: Shawn Ostermann
* School of Electrical Engineering and Computer Science
* Ohio University
* Athens, OH
* http://www.tcptrace.org/
*/
/*
*
* The newest gcc (3.3) is much pickier about the unused variables that
* we define for Copyright and RCSid, so this will shut it up.
*
*/
#ifdef __GNUC__
#define GCC_UNUSED __attribute__((unused))
#else
#define GCC_UNUSED
#endif
static char const GCC_UNUSED rcsid_tcptrace[] =
"@(#)$Header: /usr/local/cvs/tcptrace/tcptrace.h,v 5.78 2004/11/04 21:55:38 sdo Exp $";
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <unistd.h>
#include <time.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#if __FreeBSD__ >= 2
#include <osreldate.h>
#if __FreeBSD_version >= 300000
#include <net/if_var.h>
#endif
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <ctype.h>
#include <signal.h>
#include <sys/stat.h>
#include <stdarg.h>
#include <stdlib.h>
#include <math.h>
/* IPv6 support */
#include "ipv6.h"
/* dynamic string support */
#include "dstring.h"
/* memory allocation routines */
#include "pool.h"
/*
 * 64-bit counter types (u_llong / llong) and the printf conversion
 * fragments that go with them.
 *
 * The SIZEOF_* and USE_LLU macros are not defined in this header; the
 * comment below says the USE_LLU test lives in configure.in.  An
 * undefined SIZEOF_UNSIGNED_LONG_LONG_INT evaluates to 0 in #if, which
 * silently selects the plain "long" fallback at the bottom.
 *
 * FS_ULL / FS_LL carry no leading '%', so a format string is built by
 * literal concatenation, e.g. "%" FS_ULL.  The fragment has to match the
 * typedef chosen here: a printf conversion that disagrees with the type
 * of its argument is undefined behavior.
 */
/* we want LONG LONG in some places */
#if SIZEOF_UNSIGNED_LONG_LONG_INT >= 8
#define HAVE_LONG_LONG
typedef unsigned long long int u_llong;
typedef long long int llong;
/* Thanks to MacOSX, they use %qu to print unsigned long long ints */
/* There is a test to see if we need to use %qu or %llu to print these variables */
/* The test is located in configure.in */
#ifdef USE_LLU
#define FS_ULL "llu" /* For most systems use llu */
#define FS_LL "lld" /* For most systems use ll */
#else /* USE_LLU */
#define FS_ULL "qu" /* MacOSX use qu */
#define FS_LL "qd" /* MacOSX use qd */
#endif /* USE_LLU */
#else /* LONG LONG */
/* NOTE(review): in this branch u_llong is only as wide as unsigned long,
   so the byte and packet counters declared with it wrap at 2^32 wherever
   long is 32 bits */
typedef unsigned long int u_llong;
typedef long int llong;
#define FS_ULL "lu" /* No long long unsigned, so use lu */
#define FS_LL "ld" /* No long long ints, so use ld */
#endif /* LONG LONG */
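/* plotter information */
/* A PLOTTER is an integer handle; NO_PLOTTER is the "no handle" value. */
typedef int PLOTTER;
/* parenthesized so the negative constant stays a single operand wherever
   the macro is expanded */
#define NO_PLOTTER (-1)
#define NCOLORS 8
extern char *ColorNames[NCOLORS];
/* {"green", "red", "blue", "yellow", "purple", "orange", "magenta", "pink"}; */
/* opaque handle to a plotted line; struct pl_line is not defined in this header */
typedef struct pl_line *PLINE;
/* max number of letters in endpoint name */
/* (8 allows 26**8 different endpoints (209,000,000,000)
probably plenty for now!!!!!) */
#define MAX_HOSTLETTER_LEN 8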
/* several places in the code NEED numbers of a specific size. */
/* since the definitions aren't standard across everything we're */
/* trying to support, the types are gathered up here */
/* specifically, we need:
tt_uint32 unsigned 32 bit
tt_uint16 unsigned 16 bit
tt_int32 signed 32 bit
tt_int16 signed 16 bit
*/
/*
 * The SIZEOF_* macros are not defined in this header, so they have to be
 * visible before it is included.  An undefined macro evaluates to 0 in
 * #if, so a missing definition falls through to the OOPS lines; those are
 * deliberately not valid C, which stops the build instead of picking a
 * type of the wrong width.  seqnum (declared later in this header) is
 * built on tt_uint32 and is documented as requiring exactly 32 bits.
 */
/* first, do the 32 bit ones */
#if SIZEOF_UNSIGNED_LONG_INT == 4
typedef unsigned long tt_uint32;
typedef long tt_int32;
#else
#if SIZEOF_UNSIGNED_INT == 4
typedef unsigned int tt_uint32;
typedef int tt_int32;
#else
OOPS: Please insert an appropriate 32-bit unsigned type here!
OOPS: Please insert an appropriate 32-bit signed type here!
#endif /* SIZEOF_UNSIGNED_INT == 4 */
#endif /* SIZEOF_UNSIGNED_LONG_INT == 4 */
/* next, do the 16 bit ones */
#if SIZEOF_UNSIGNED_INT == 2
typedef unsigned int tt_uint16;
typedef int tt_int16;
#else
#if SIZEOF_UNSIGNED_SHORT == 2
typedef unsigned short tt_uint16;
typedef short tt_int16;
#else
OOPS: Please insert an appropriate 16-bit unsigned type here!
OOPS: Please insert an appropriate 16-bit signed type here!
#endif /* SIZEOF_UNSIGNED_SHORT == 2 */
#endif /* SIZEOF_UNSIGNED_INT == 2 */
/* type for a TCP sequence number, ACK, FIN, or SYN */
/* This type MUST be a 32-bit unsigned number */
typedef tt_uint32 seqnum;
/* length of a segment */
/* NOTE(review): u_long is not a fixed-width type, so seglen may be wider
   than seqnum; arithmetic mixing the two is carried out in the wider type
   and does not wrap at 2^32 on such platforms */
typedef u_long seglen;
/* type for a quadrant number */
typedef u_char quadnum; /* 1,2,3,4 */
/* type for a TCP port number */
typedef u_short portnum;
/* type for an IP address */
/* IP address can be either IPv4 or IPv6 */
/* addr_vers tags the union: presumably un.ip4 is the valid member when it
   is 4 and un.ip6 when it is 6 -- confirm against the code that fills it */
typedef struct ipaddr {
    u_char addr_vers; /* 4 or 6 */
    union {
        struct in_addr ip4;
        struct in6_addr ip6;
    } un;
} ipaddr;
/*
 * Accessors for the 4-bit fields of the IP and TCP headers.  Each macro
 * reads one field through the header pointer it is given and performs no
 * validation of its own.
 * NOTE(review): the header pointers presumably refer to packet data read
 * from a trace file, so header lengths obtained here should be
 * range-checked by the caller before they are used as offsets.
 */
#ifndef __VMS
/* some machines (TRUE64 for one) handle the 4-bit TCP/IP fields
differently, so this macro simplifies life */
#define IP_HL(pip) ((pip)->ip_hl)
#define IP_V(pip) ((pip)->ip_v)
#define TH_X2(ptcp) ((ptcp)->th_x2)
#define TH_OFF(ptcp) ((ptcp)->th_off)
/* some systems (darwin at least) use this for something else */
/* (the remark above presumably refers to TH_FLAGS, which is #undef'd and
   redefined after the #endif) */
#else
/* One alternative looks like this: */
/* here both 4-bit fields share one byte: low nibble first, high nibble second */
#define IP_HL(pip) ((pip)->ip_vhl&0xf)
#define IP_V(pip) ((pip)->ip_vhl>>4)
#define TH_X2(ptcp) ((ptcp)->th_xoff&0xf)
#define TH_OFF(ptcp) ((ptcp)->th_xoff>>4)
#endif
/* drop any TH_FLAGS a system header may have defined, then define ours */
#undef TH_FLAGS
#define TH_FLAGS(ptcp) ((ptcp)->th_flags)
/* type for a timestamp */
typedef struct timeval timeval;
/* true when both tv_sec and tv_usec are zero; ptv is evaluated twice, so
   it must not have side effects */
#define ZERO_TIME(ptv)(((ptv)->tv_sec == 0) && ((ptv)->tv_usec == 0))
/* type for a Boolean */
/* NOTE(review): Bool is an unsigned char, so storing a wider integer keeps
   only its low 8 bits; a non-zero value such as 0x100 would be stored as
   FALSE.  Normalize with "!= 0" before storing a masked value. */
typedef u_char Bool;
#define TRUE 1
#define FALSE 0
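/* Printable name of a Bool.  The whole expansion is parenthesized so the
   conditional stays a single operand when the macro is used inside a
   larger expression (indexing, comparison, another conditional). */
#define BOOL2STR(b) ((b)?"TRUE":"FALSE")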
/* ACK types */
/* classification of an incoming ACK; ack_in(), declared later in this
   header, returns this type */
enum t_ack {NORMAL = 1, /* no retransmits, just advance */
    AMBIG = 2, /* segment ACKed was rexmitted */
    CUMUL = 3, /* doesn't advance */
    TRIPLE = 4, /* triple dupack */
    NOSAMP = 5}; /* covers retransmitted segs, no rtt sample */
/* type for an internal file pointer */
/* struct mfile is opaque here; it is only handled through the M* routines
   declared later in this header */
typedef struct mfile MFILE;
/* file name information */
extern char **filenames; /* all the files on the cmd line */
extern char *cur_filename; /* the current file */
/* first and last packet timestamp */
/* (these two are declared a second time further down in this header) */
extern timeval first_packet;
extern timeval last_packet;
/* counters */
extern u_long tcp_trace_count;
extern u_long udp_trace_count;
/* One recorded segment: a node in a doubly linked list (next/prev).  The
   list is anchored by the seglist_head/seglist_tail pointers of a
   quadrant. */
typedef struct segment {
    seqnum seq_firstbyte; /* seqnumber of first byte */
    seqnum seq_lastbyte; /* seqnumber of last byte */
    /* NOTE(review): u_char, so the count wraps after 255 retransmissions
       unless the code that increments it saturates */
    u_char retrans; /* retransmit count */
    u_int acked; /* how MANY times has it been acked? */
    timeval time; /* time the segment was sent */
    struct segment *next;
    struct segment *prev;
} segment;
/* One quarter of the 32-bit sequence space (see QUADSIZE / QUADNUM later
   in this header): the head and tail of its segment list plus links to the
   neighbouring quadrants. */
typedef struct quadrant {
    segment *seglist_head;
    segment *seglist_tail;
    Bool full; /* NOTE(review): meaning is set by the rexmit code, not visible here */
    struct quadrant *prev;
    struct quadrant *next;
} quadrant;
/* The four quadrants of one direction's sequence space.  The array is
   indexed 0..3 while quadrant numbers (quadnum, QUADNUM()) run 1..4, so an
   index derived from a quadrant number needs the -1 adjustment. */
typedef struct seqspace {
    quadrant *pquad[4];
} seqspace;
/*
 * Per-direction state and statistics for one side of a TCP connection.
 * struct stcp_pair (below) embeds two of these, a2b and b2a.
 *
 * NOTE(review): the values accumulated here are presumably derived from
 * packets read out of a trace file, i.e. from data the analyst does not
 * control.  The narrow fields flagged below are the ones where a very
 * long or hostile trace can reach the limits of the type.
 */
typedef struct tcb {
    /* parent pointer */
    struct stcp_pair *ptp;
    struct tcb *ptwin; /* presumably the tcb of the opposite direction -- confirm */
    /* TCP information */
    seqnum ack;
    seqnum seq;
    seqnum syn;
    seqnum fin;
    seqnum windowend;
    timeval time;
    /* TCP options */
    u_int mss;
    Bool f1323_ws; /* did he request 1323 window scaling? */
    Bool f1323_ts; /* did he request 1323 timestamps? */
    Bool fsack_req; /* did he request SACKs? */
    /* NOTE(review): if this is used as a shift count, confirm it is clamped
       first (RFC 1323 limits the scale to 14); shifting by the width of the
       type or more is undefined */
    u_char window_scale;
    /* If we are using window scaling, have we adjusted the
    win_min field from the non-scaled window size
    that appeared in the SYN packet?? */
    Bool window_stats_updated_for_scaling;
    u_llong win_scaled_pkts; /* Used to calculate avg win adv */
    /* statistics added */
    u_llong data_bytes;
    u_llong data_pkts;
    u_llong data_pkts_push;
    u_llong unique_bytes; /* bytes sent (-FIN/SYN), excluding rexmits */
    u_llong rexmit_bytes;
    u_llong rexmit_pkts;
    u_llong ack_pkts;
    u_llong pureack_pkts; /* mallman - pure acks, no data */
    u_long win_max;
    u_long win_min;
    u_llong win_tot;
    u_long win_last; /* last advertised window size*/
    u_long win_zero_ct;
    u_llong packets;
    /* NOTE(review): the three u_char counters below wrap after 255 events
       unless the code that increments them saturates */
    u_char syn_count;
    u_char fin_count;
    u_char reset_count; /* resets SENT */
    u_long min_seg_size;
    u_long max_seg_size;
    u_llong out_order_pkts; /* out of order packets */
    u_llong sacks_sent; /* sacks returned */
    u_long ipv6_segments; /* how many segments were ipv6? */
    /* stats on urgent data */
    u_long urg_data_bytes;
    u_long urg_data_pkts;
    /* Statistics to store the number of Zero window probes
    seen and the total number of bytes spent for it. */
    u_long num_zwnd_probes;
    u_long zwnd_probe_bytes;
    /* stats on sequence numbers */
    seqnum min_seq; /* smallest seq number seen */
    seqnum max_seq; /* largest seq number seen */
    seqnum latest_seq; /* most recent seq number seen */
    /* stats on sequence space wrap arounds */
    u_int quad1, quad2, quad3, quad4; /* was every quadrant visited */
    u_int seq_wrap_count; /* wrap count */
    /* hardware duplicate detection */
    /* a fixed table of the last SEGS_TO_REMEMBER segments seen */
#define SEGS_TO_REMEMBER 8
    struct str_hardware_dups {
        seqnum hwdup_seq; /* sequence number */
        u_short hwdup_id; /* IP ID */
        u_long hwdup_packnum; /* packet number */
    } hardware_dups[SEGS_TO_REMEMBER];
    u_long num_hardware_dups;
    /* NOTE(review): presumably the next slot in hardware_dups[]; it must stay
       below SEGS_TO_REMEMBER -- confirm the writer reduces it modulo the
       table size */
    u_char hardware_dups_ix;
    /* did I detect any "bad" tcp behavior? */
    /* at present, this means: */
    /* - SYNs retransmitted with different sequence numbers */
    /* - FINs retransmitted with different sequence numbers */
    Bool bad_behavior;
    /* added for initial window stats (for Mallman) */
    u_long initialwin_bytes; /* initial window (in bytes) */
    u_long initialwin_segs; /* initial window (in segments) */
    Bool data_acked; /* has any non-SYN data been acked? */
    /* added for (estimated) congestions window stats (for Mallman) */
    u_long owin_max;
    u_long owin_min;
    u_llong owin_tot;
    u_llong owin_wavg; /* weighted owin */
    u_llong owin_count;
    u_long previous_owin_sample;
    timeval previous_owin_sample_time;
    /* RTT stats for singly-transmitted segments */
    double rtt_last; /* RTT as of last good ACK (microseconds) */
    u_long rtt_min;
    u_long rtt_max;
    double rtt_sum; /* for averages */
    double rtt_sum2; /* sum of squares, for stdev */
    u_long rtt_count; /* for averages */
    /* RTT stats for multiply-transmitted segments */
    u_long rtt_min_last;
    u_long rtt_max_last;
    double rtt_sum_last; /* from last transmission, for averages */
    double rtt_sum2_last; /* sum of squares, for stdev */
    u_long rtt_count_last; /* from last transmission, for averages */
    /* To keep track of stats for FULL SIZE segments
    Simple heuristic :
    We shall treat the largest packet, so far seen as the
    "full size" packet and collect stats. accordingly.
    Upon seeing a bigger packet, we flush all stats. collected
    incorrectly and begin all over again */
    u_long rtt_full_size;
    u_long rtt_full_min;
    u_long rtt_full_max;
    double rtt_full_sum; /* for averages */
    double rtt_full_sum2; /* sum of squares for stdev */
    u_long rtt_full_count; /* for averages */
    u_long rtt_3WHS; /* rtt value used to seed RTO timers */
    /* ACK Counters */
    u_llong rtt_amback; /* ambiguous ACK */
    u_llong rtt_cumack; /* segments only cumulatively ACKed */
    u_llong rtt_nosample; /* segments ACKED, but after retransmission */
    /* of earlier segments, so sample isn't */
    /* valid */
    u_llong rtt_unkack; /* unknown ACKs ??? */
    u_llong rtt_dupack; /* duplicate ACKs */
    u_llong rtt_triple_dupack; /* triple duplicate ACKs */
    /* retransmission information */
    seqspace *ss; /* the sequence space*/
    u_long retr_max; /* maximum retransmissions ct */
    u_long retr_min_tm; /* minimum retransmissions time */
    u_long retr_max_tm; /* maximum retransmissions time */
    double retr_tm_sum; /* for averages */
    double retr_tm_sum2; /* sum of squares, for stdev */
    u_long retr_tm_count; /* for averages */
    /* Instantaneous throughput info */
    timeval thru_firsttime; /* time of first packet this interval */
    u_long thru_bytes; /* number of bytes this interval */
    u_long thru_pkts; /* number of packets this interval */
    PLOTTER thru_plotter; /* throughput data dump file */
    timeval thru_lasttime; /* time of previous segment */
    PLINE thru_avg_line; /* average throughput line */
    PLINE thru_inst_line; /* instantaneous throughput line */
    /* data transfer time stamps - mallman */
    timeval first_data_time;
    timeval last_data_time;
    /* Time Sequence Graph info for this one */
    PLOTTER tsg_plotter;
    char *tsg_plotfile;
    /* Time Line Graph */
    PLOTTER tline_plotter;
    /* Dumped RTT samples */
    MFILE *rtt_dump_file;
    /* Extracted stream contents */
    MFILE *extr_contents_file;
    u_llong trunc_bytes; /* data bytes not seen due to trace file truncation */
    u_llong trunc_segs; /* segments with trunc'd bytes */
    seqnum extr_lastseq; /* last sequence number we stored */
    seqnum extr_initseq; /* initial sequence number (same as SYN unless we missed it) */
    /* RTT Graph info for this one */
    PLOTTER rtt_plotter;
    PLINE rtt_line;
    /* Segment size graph */
    PLOTTER segsize_plotter;
    PLINE segsize_line;
    PLINE segsize_avg_line;
    /* Congestion window graph */
    PLOTTER owin_plotter;
    PLINE owin_line;
    PLINE rwin_line;
    PLINE owin_avg_line;
    PLINE owin_wavg_line;
    /* for tracking unidirectional idle time */
    timeval last_time; /* last packet SENT from this side */
    u_llong idle_max; /* maximum idle time observed (usecs) */
    /* for looking for interesting SACK blocks */
    u_long num_sacks;
    u_long max_sack_blocks;
    u_long num_dsacks;
    /* for computing LEAST (see FAQ) */
    enum tcp_strains { TCP_RENO, TCP_SACK, TCP_DSACK } tcp_strain;
    u_long LEAST;
    char in_rto;
    /* NOTE(review): lastackno is a u_long rather than a seqnum, so it does
       not wrap at 2^32 where long is 64 bits -- confirm how it is compared */
    u_long recovered, recovered_orig, rto_segment, lastackno;
    u_long event_retrans, event_dupacks;
    /* host name letter(s) */
    char *host_letter;
} tcb;
/* Hash value of a connection's address block.
   NOTE(review): u_short gives at most 65536 distinct values on the usual
   16-bit short, so many connections necessarily share a hash; the AVL-tree
   note further down in this header describes how colliding entries are
   searched. */
typedef u_short hash;
/* The two endpoints (address and port for side a and side b) of a
   connection, together with the hash stored for them. */
typedef struct {
    ipaddr a_address;
    ipaddr b_address;
    portnum a_port;
    portnum b_port;
    hash hash;
} tcp_pair_addrblock;
/* One TCP connection: endpoint identification and names, first/last
   timestamps, a packet count and one tcb per direction. */
struct stcp_pair {
    /* are we ignoring this one?? */
    Bool ignore_pair;
    /* inactive (previous instance of current connection) */
    Bool inactive;
    /* endpoint identification */
    tcp_pair_addrblock addr_pair;
    /* connection naming information */
    /* NOTE(review): ownership of these strings (who allocates, who frees)
       is not visible from this header */
    char *a_hostname;
    char *b_hostname;
    char *a_portname;
    char *b_portname;
    char *a_endpoint;
    char *b_endpoint;
    /* connection information */
    timeval first_time;
    timeval last_time;
    u_llong packets;
    tcb a2b;
    tcb b2a;
    /* module-specific structures, if requested */
    /* NOTE(review): array of untyped pointers; its length is not recorded
       in this struct, so indexing relies on state kept elsewhere */
    void **pmod_info;
    /* which file this connection is from */
    char *filename;
};
typedef struct stcp_pair tcp_pair;
typedef struct tcphdr tcphdr;
extern int num_tcp_pairs; /* how many pairs are in use */
extern tcp_pair **ttp; /* array of pointers to allocated pairs */
/* Wed Aug 20, 2003 - Ramani*/
/* Prior to version 6.4.11, the data structure for storing the snapshots of
connections was a hashtable with linked lists. But this might lead to a
worst case scenario when many connections hash to the same hash table entry.
In such a case, searching for the connections degrades to searching a linked
list with a worst case complexity of O(number of connections in list). Hence
the new version implements an AVL tree in place of linked list leading to a
worst case complexity of O(ln(number of connections in tree)).
The modified data structure was tested with dumpfiles containing lots of
connections. A comparison of the profiles suggests an improvement in the time
spent in the dotrace function. Even though the AVL tree implementation
involves balancing the tree, since most of the accesses involve searching the
data structure, AVL tree performs MUCH better than linked list.
The algorithms for AVL tree implementation are based on those explained in
"Data Structures and Program Design in C by Robert L.Kruse, Bruce P.Leung,
Clovis L.Tondo". The source code for AVL tree implementation is from the
Institute of Applied Iconoclasm who put up the source code at
<http://www.purists.org>. We thank Georg for the source code whose mail
address has been mentioned as <[email protected]> */
/* Data structures for AVL tree */
/* NOTE(review): the enumerators below (EQUAL1, LEFT, RIGHT, OK, BALANCE)
   are short, unscoped names in the global namespace of every file that
   includes this header; the LT/RT comment further down exists because
   LEFT and RIGHT were already taken here. */
/* Which of a given node's subtrees is higher in the AVL tree */
enum AVLSKEW {
    EQUAL1, LEFT, RIGHT
};
/* Did an insertion/deletion succeed and if we need to balance the AVL tree */
enum AVLRES {
    OK, BALANCE
};
/* Tue Nov 17, 1998 */
/* prior to version 5.13, we kept a hash table of all of the connections. */
/* The most recently-accessed connections move to the front of the bucket */
/* linked list. Unfortunately, when reading thousands of connections on */
/* a machine with limited physical memory, this worked poorly. Every time */
/* a new connection opened, we had to search the entire bucket, which */
/* pulled all of the paged-out connections back into memory. The new */
/* system keeps a quick snapshot of the connection (ptp_snap) in the */
/* hash table. We only retrieve the connection record if the snapshot */
/* matches. The result is that it works MUCH better when memory is low. */
/* AVL tree node holding a snapshot (copy) of a connection's address block
   and a pointer back to the full connection record. */
typedef struct ptp_snap {
    enum AVLSKEW skew; /* Skew of the AVL tree node */
    tcp_pair_addrblock addr_pair; /* just a copy */
    struct ptp_snap *left, *right; /* Left and right trees of the AVL node */
    /* untyped here, unlike ptp_ptr.ptp below; presumably a tcp_pair * --
       confirm before dereferencing */
    void *ptp;
} ptp_snap;
/* Doubly linked list node tying a connection record (ptp) to the snapshot
   it came from (from). */
typedef struct ptp_ptr {
    struct ptp_ptr *next;
    struct ptp_ptr *prev;
    struct ptp_snap *from;
    tcp_pair *ptp;
} ptp_ptr;
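/* Default intervals (in seconds) and the connection limit for continuous
   mode.  Each product is parenthesized so the macro expands to a single
   operand: without the parentheses, x / NONREAL_LIVE_CONN_INTERVAL would
   be parsed as (x / 4) * 60. */
#define NONREAL_LIVE_CONN_INTERVAL (4*60) /* 4 minutes */
#define REMOVE_LIVE_CONN_INTERVAL (8*3600) /* 8 hours */
#define REMOVE_CLOSED_CONN_INTERVAL (8*60) /* 8 minutes */
#define UPDATE_INTERVAL 30 /* 30 seconds */
#define MAX_CONN_NUM 50000 /* max number of connections */
/* for continuous mode */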
/* minimal support for UDP "connections" */
/* Per-direction statistics for one side of a UDP "connection"; struct
   sudp_pair embeds two of these, a2b and b2a. */
typedef struct ucb {
    /* parent pointer */
    struct sudp_pair *pup;
    struct ucb *ptwin; /* presumably the ucb of the opposite direction -- confirm */
    /* statistics added */
    u_llong data_bytes;
    u_llong packets;
    u_long min_dg_size;
    u_long max_dg_size;
    /* host name letter(s) */
    char *host_letter;
} ucb;
/* UDP reuses the TCP address block layout unchanged */
typedef tcp_pair_addrblock udp_pair_addrblock;
/* One UDP "connection"; the layout parallels struct stcp_pair, with a ucb
   per direction and a next pointer for the usage list. */
struct sudp_pair {
    /* Are we ignoring this 'connection' ? */
    Bool ignore_pair;
    /* endpoint identification */
    udp_pair_addrblock addr_pair;
    /* connection naming information */
    char *a_hostname;
    char *b_hostname;
    char *a_portname;
    char *b_portname;
    char *a_endpoint;
    char *b_endpoint;
    /* connection information */
    timeval first_time;
    timeval last_time;
    u_llong packets;
    ucb a2b;
    ucb b2a;
    /* module-specific structures, if requested */
    /* NOTE(review): array of untyped pointers whose length is not recorded
       in this struct */
    void **pmod_info;
    /* which file this connection is from */
    char *filename;
    /* linked list of usage */
    struct sudp_pair *next;
};
typedef struct sudp_pair udp_pair;
typedef struct udphdr udphdr;
extern int num_udp_pairs; /* how many pairs are in use */
extern udp_pair **utp; /* array of pointers to allocated pairs */
/* option flags */
/* Declarations only; the variables are defined in another translation
   unit.  All are Bool (an unsigned char), so only TRUE/FALSE should be
   stored in them. */
extern Bool colorplot;
extern Bool dump_rtt;
extern Bool graph_rtt;
extern Bool graph_tput;
extern Bool graph_tsg;
extern Bool graph_segsize;
extern Bool graph_owin;
extern Bool graph_tline;
extern Bool hex;
extern Bool ignore_non_comp;
extern Bool resolve_ipaddresses;
extern Bool resolve_ports;
extern Bool triple_dupack_allows_data;
extern Bool verify_checksums;
extern Bool print_rtt;
extern Bool print_owin;
extern Bool printbrief;
extern Bool printsuppress;
extern Bool printem;
extern Bool printallofem;
extern Bool printticks;
extern Bool dump_packet_data;
extern Bool warn_ooo;
extern Bool warn_printtrunc;
extern Bool warn_printbadmbz;
extern Bool warn_printhwdups;
extern Bool warn_printbad_syn_fin_seq;
extern Bool show_out_order;
extern Bool show_rexmit;
extern Bool show_zero_window;
extern Bool show_urg;
extern Bool show_sacks;
extern Bool show_rtt_dongles;
extern Bool show_triple_dupack;
extern Bool show_zwnd_probes;
extern Bool use_short_names;
extern Bool save_tcp_data;
extern Bool graph_time_zero;
extern Bool graph_seq_zero;
extern Bool print_seq_zero;
extern Bool graph_zero_len_pkts;
extern Bool plot_tput_instant;
extern Bool filter_output;
extern Bool do_udp;
extern Bool show_title;
extern Bool show_rwinline;
extern Bool docheck_hw_dups;
/* constants for real-time (continuous) mode */
extern Bool run_continuously;
extern Bool conn_num_threshold;
extern Bool xplot_all_files;
extern Bool ns_hdrs;
extern Bool dup_ack_handling;
extern Bool csv;
extern Bool tsv;
/* run-time values for the limits whose names match the *_INTERVAL and
   MAX_CONN_NUM macros above; presumably initialised from them -- confirm */
extern u_long remove_live_conn_interval;
extern u_long nonreal_live_conn_interval;
extern u_long remove_closed_conn_interval;
extern u_long update_interval;
extern u_long max_conn_num;
extern int debug;
extern int thru_interval;
extern u_long pnum;
/* extended variables with values */
/* NOTE(review): output_file_dir and output_file_prefix presumably end up
   in the names of files the tool creates; how they are combined and
   checked is not visible from this header */
extern char *output_file_dir;
extern char *output_file_prefix;
extern char *xplot_title_prefix;
extern char *xplot_args;
extern char *sv;
extern char *sp; /* Separator used for long output with <SP>-separated-values */
/* Used to comment out header lines of the long output
* when <SP>-separated-values is requested
*/
extern char *comment;
extern u_long ctrunc;
extern timeval current_time;
extern char *output_filename;
/* first and last packet timestamp */
/* (second declaration of these two; they are already declared near the
   top of this header) */
extern timeval first_packet;
extern timeval last_packet;
#define MAX_NAME 20
/* external routine decls */
/* NOTE(review): sqrt and free are also declared by <math.h> and
   <stdlib.h>, both included at the top of this header, so these local
   copies must stay compatible with the system prototypes.  finite() is a
   non-standard BSD function. */
double sqrt(double x);
void free(void *);
int finite(double);
/* note that many machines have an ether_ntoa, but the output differs, as does
the prototype, so we'll include our own and change the name to avoid conflicts
with local prototypes if they exist and differ */
/* NOTE(review): returns char * with no buffer argument, so the result
   presumably points at storage owned by the routine -- confirm its
   lifetime before keeping the pointer across calls */
char *Ether_Ntoa(struct ether_addr *e);
/* global routine decls */
/* NOTE(review): both allocators take their byte counts as signed int.  A
   size computed from trace-derived values can go negative or overflow
   before it reaches them; how such sizes are handled is decided in the
   implementation, which is not visible here. */
void *MallocZ(int);
void *ReallocZ(void *oldptr, int obytes, int nbytes);
void trace_init(void);
void trace_done(void);
void seglist_init(tcb *);
/* plast: presumably the last valid byte of the captured packet, i.e. the
   bound the routine must not read past -- confirm against the callers */
void printpacket(int, int, void *, int, struct ip *, void *plast, tcb *tcb);
/* Plotter drawing primitives.  Each takes the PLOTTER handle first; most
   take a timeval and a u_long, presumably the x (time) and y coordinates
   of the mark -- confirm.  NO_PLOTTER is the handle value meaning
   "no plotter". */
void plotter_vtick(PLOTTER, timeval, u_long);
void plotter_utick(PLOTTER, timeval, u_long);
void plotter_uarrow(PLOTTER, timeval, u_long);
void plotter_tick(PLOTTER, timeval, u_long, char);
void plotter_text(PLOTTER, timeval, u_long, char *, char *);
void plotter_temp_color(PLOTTER, char *color);
void plotter_ltick(PLOTTER, timeval, u_long);
void plotter_rtick(PLOTTER, timeval, u_long);
void plotter_rarrow(PLOTTER, timeval, u_long);
void plotter_plus(PLOTTER, timeval, u_long);
void plotter_perm_color(PLOTTER, char *color);
void plotter_line(PLOTTER, timeval, u_long, timeval, u_long);
void plotter_larrow(PLOTTER, timeval, u_long);
void plotter_htick(PLOTTER, timeval, u_long);
void plotter_dtick(PLOTTER, timeval, u_long);
void plotter_dot(PLOTTER, timeval, u_long);
void plotter_done(void);
void plotter_dline(PLOTTER, timeval, u_long, timeval, u_long);
void plotter_diamond(PLOTTER, timeval, u_long);
void plotter_darrow(PLOTTER, timeval, u_long);
void plotter_box(PLOTTER, timeval, u_long);
void plotter_arrow(PLOTTER, timeval, u_long, char);
void plotter_nothing(PLOTTER, timeval);
void plotter_invisible(PLOTTER, timeval, u_long);
void plotter_switch_axis(PLOTTER, Bool);
void plot_init(void);
/*
 * Packet analysis, printing, naming, file and checksum routines.
 *
 * NOTE(review): several of these take a header pointer (struct ip *,
 * struct tcphdr *, struct udphdr *) together with "void *plast".  plast is
 * presumably the last valid byte of the captured packet; routines that
 * walk headers or options then depend on the caller passing a correct
 * bound and on checking it before every read -- confirm in the
 * implementations.
 */
tcp_pair *dotrace(struct ip *, struct tcphdr *ptcp, void *plast);
void PrintRawData(char *label, void *pfirst, void *plast, Bool octal);
void PrintRawDataHex(char *label, void *pfirst, void *plast);
void PrintTrace(tcp_pair *);
void UDPPrintTrace(udp_pair *);
void PrintSVHeader(void);
void PrintBrief(tcp_pair *);
void UDPPrintBrief(udp_pair *);
void OnlyConn(int);
void IgnoreConn(int);
void OnlyUDPConn(int);
void IgnoreUDPConn(int);
double elapsed(timeval, timeval);
void tv_sub(struct timeval *plhs, struct timeval rhs);
void tv_add(struct timeval *plhs, struct timeval rhs);
int tv_cmp(struct timeval lhs, struct timeval rhs);
Bool tv_same(struct timeval lhs, struct timeval rhs);
/* NOTE(review): the char * returning formatters below take no output
   buffer, so they presumably return storage owned by the routine; confirm
   the lifetime before using two results in one expression */
char *elapsed2str(double etime);
int ConnReset(tcp_pair *);
int ConnComplete(tcp_pair *);
u_int SynCount(tcp_pair *ptp);
u_int FinCount(tcp_pair *ptp);
char *ts2ascii(timeval *);
char *ts2ascii_date(timeval *);
char *ServiceName(portnum);
char *HostName(ipaddr);
char *HostAddr(ipaddr);
char *HostLetter(llong);
char *NextHostLetter(void);
char *EndpointName(ipaddr,portnum);
PLOTTER new_plotter(tcb *plast, char *filename, char *title,
    char *xlabel, char *ylabel, char *suffix);
int rexmit(tcb *, seqnum, seglen, Bool *);
enum t_ack ack_in(tcb *, seqnum, unsigned tcp_data_length, u_long eff_win);
Bool IsRTO(tcb *ptcb, seqnum s);
void DoThru(tcb *ptcb, int nbytes);
/* MFILE wrappers; the names mirror the stdio calls (fopen, fprintf, ...) */
struct mfile *Mfopen(char *fname, char *mode);
void Minit(void);
int Mfileno(MFILE *pmf);
/* NOTE(review): Mvfprintf and Mfprintf take a printf-style format but the
   prototypes carry no format attribute, so the compiler cannot check the
   arguments at call sites; the format should always be a literal, never
   text taken from a trace or from the command line */
int Mvfprintf(MFILE *pmf, char *format, va_list ap);
int Mfwrite(void *buf, u_long size, u_long nitems, MFILE *pmf);
long Mftell(MFILE *pmf);
int Mfseek(MFILE *pmf, long offset, int ptrname);
int Mfprintf(MFILE *pmf, char *format, ...);
int Mfflush(MFILE *pmf);
int Mfclose(MFILE *pmf);
int Mfpipe(int pipes[2]);
struct tcp_options *ParseOptions(struct tcphdr *ptcp, void *plast);
/* NOTE(review): the Comp* routines presumably open compressed trace files;
   how the file name reaches any helper program is not visible here */
FILE *CompOpenHeader(char *filename);
FILE *CompOpenFile(char *filename);
void CompCloseFile(char *filename);
void CompFormats(void);
int CompIsCompressed(void);
Bool FileIsStdin(char *filename);
struct tcb *ptp2ptcb(tcp_pair *ptp, struct ip *pip, struct tcphdr *ptcp);
void PcapSavePacket(char *filename, struct ip *pip, void *plast);
void StringToArgv(char *buf, int *pargc, char ***pargv);
void CopyAddr(tcp_pair_addrblock *, struct ip *pip,portnum,portnum);
int WhichDir(tcp_pair_addrblock *, tcp_pair_addrblock *);
int SameConn(tcp_pair_addrblock *, tcp_pair_addrblock *, int *);
Bool ip_cksum_valid(struct ip *pip, void *plast);
Bool tcp_cksum_valid(struct ip *pip, struct tcphdr *ptcp, void *plast);
Bool udp_cksum_valid(struct ip *pip, struct udphdr *pudp, void *plast);
ipaddr *str2ipaddr(char *str);
int IPcmp(ipaddr *pipA, ipaddr *pipB);
void ModulesPerOldConn(tcp_pair *ptp);
/* Memory allocation routines with page boundaries */
/* One Make/Free pair per record type.  NOTE(review): each Free routine
   presumably accepts only pointers obtained from the matching Make
   routine; whether a record is zeroed on allocation or on reuse is not
   visible from this header. */
tcp_pair *MakeTcpPair(void);
void FreeTcpPair(tcp_pair *ptr);
udp_pair *MakeUdpPair(void);
void FreeUdpPair(udp_pair *ptr);
seqspace *MakeSeqspace(void);
void FreeSeqspace(seqspace *ptr);
ptp_snap *MakePtpSnap(void);
void FreePtpSnap(ptp_snap *ptr);
segment *MakeSegment(void);
void FreeSegment(segment *ptr);
quadrant *MakeQuadrant(void);
void FreeQuadrant(quadrant *ptr);
ptp_ptr *MakePtpPtr(void);
void FreePtpPtr(ptp_ptr *ptr);
void freequad(quadrant **);
/* AVL tree support routines */
/* n is the address of the subtree root pointer, so the routines can
   replace the root when the tree is rebalanced (enum AVLRES reports
   whether balancing is needed) */
enum AVLRES SnapInsert(ptp_snap **n, ptp_snap *new_node);
enum AVLRES SnapRemove(ptp_snap **n, tcp_pair_addrblock address);
int AVL_WhichDir(tcp_pair_addrblock *ptpa1, tcp_pair_addrblock *ptpa2);
/* high-level line drawing */
PLINE new_line(PLOTTER pl, char *label, char *color);
/* NOTE(review): yval is an int here while the plotter_* primitives take a
   u_long; values above INT_MAX cannot be passed through this routine */
void extend_line(PLINE pline, timeval xval, int yval);
/* UDP support routines */
void udptrace_init(void);
void udptrace_done(void);
udp_pair *udpdotrace(struct ip *pip, struct udphdr *pudp, void *plast);
/* filter routines */
void HelpFilter(void);
void ParseFilter(char *expr);
Bool PassesFilter(tcp_pair *ptp);
/* simple string expansion for file names, directories, etc */
/* NOTE(review): the result is used for file names and directories
   according to the comment above; which substitutions are performed and
   whether the result is checked is not visible from this header */
char *ExpandFormat(const char *format);
/* TCP flags macros */
/* Each test yields the masked th_flags bits: non-zero when the flag is
   set, zero otherwise.  The value is the bit itself, not a normalized 1. */
#define SYN_SET(ptcp)    (((ptcp)->th_flags) & TH_SYN)
#define FIN_SET(ptcp)    (((ptcp)->th_flags) & TH_FIN)
#define ACK_SET(ptcp)    (((ptcp)->th_flags) & TH_ACK)
#define RESET_SET(ptcp)  (((ptcp)->th_flags) & TH_RST)
#define PUSH_SET(ptcp)   (((ptcp)->th_flags) & TH_PUSH)
#define URGENT_SET(ptcp) (((ptcp)->th_flags) & TH_URG)
/* the two high-order bits of the flags byte, tested by raw mask */
#define FLAG6_SET(ptcp)  (((ptcp)->th_flags) & 0x40)
#define FLAG7_SET(ptcp)  (((ptcp)->th_flags) & 0x80)
/* Changed the following macros to reflect the correct position
of bits as specified in RFC 2481 and draft-ietf-tsvwg-ecn-04.txt */
/*
#define CWR_SET(ptcp) (TH_X2((ptcp)) & TH_CWR)
#define ECN_ECHO_SET(ptcp)(TH_X2((ptcp)) & TH_ECN_ECHO)
*/
/* TH_CWR and TH_ECN_ECHO are not defined in this part of the header */
#define CWR_SET(ptcp)      (TH_FLAGS(ptcp) & TH_CWR)
#define ECN_ECHO_SET(ptcp) (TH_FLAGS(ptcp) & TH_ECN_ECHO)
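/* connection directions */
/* negative constants are parenthesized so each macro expands to a single
   operand */
#define A2B 1
#define B2A (-1)
/* If the AVL node is to left or right in the AVL tree */
/* Words "LEFT" and "RIGHT" have already been taken in an enum
* above. Let us call them LT, RT just not to make it ambiguous for ourselves
* or the compiler or both :-)
*/
#define LT (-2)
#define RT 2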
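/* macros for maintaining the seqspace used for rexmit */
/*
 * The 32-bit sequence space is split into four quadrants of QUADSIZE
 * sequence numbers each, numbered 1..4.
 *
 * FIRST_SEQ and LAST_SEQ do their arithmetic in seqnum (32-bit unsigned).
 * QUADSIZE is a signed int constant, so the plain products QUADSIZE*2 and
 * QUADSIZE*4 overflow int, which is undefined behavior and in practice
 * yields a negative value that sign-extends when compared with a wider
 * type.  In seqnum the products wrap as intended: LAST_SEQ(4) is
 * 0xFFFFFFFF.
 *
 * Every macro argument is parenthesized.  QUADNUM does not mask its
 * argument: a value wider than 32 bits with high bits set yields a number
 * above 4, which matches none of IN_Q1..IN_Q4.
 */
#define QUADSIZE (0x40000000)
#define QUADNUM(seq) (((seq)>>30)+1)
#define IN_Q1(seq) (QUADNUM(seq)==1)
#define IN_Q2(seq) (QUADNUM(seq)==2)
#define IN_Q3(seq) (QUADNUM(seq)==3)
#define IN_Q4(seq) (QUADNUM(seq)==4)
#define FIRST_SEQ(q) ((seqnum)((seqnum)QUADSIZE*(seqnum)((q)-1)))
#define LAST_SEQ(q) ((seqnum)(((seqnum)QUADSIZE*(seqnum)(q))-1)) /* bug fix by Priya */
/* true when beg and fin fall in different quadrants */
#define BOUNDARY(beg,fin) (QUADNUM((beg)) != QUADNUM((fin)))
/* physical layers currently understood */
#define PHYS_ETHER 1
#define PHYS_FDDI 2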
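/*
* SEQCMP - sequence space comparator
* This handles sequence space wrap-around. The subtraction is done in
* 32-bit unsigned arithmetic (tt_uint32), where it wraps modulo 2^32, and
* the difference is then reinterpreted as a signed 32-bit value. That
* makes the result below correct ( -, 0, + ) for any a, b in the sequence
* space that are less than 2^31 apart. Results: result implies
* - a < b
* 0 a = b
* + a > b
*
* Subtracting two values cast to long only wraps where long is 32 bits
* wide. With a 64-bit long the difference never wraps, so a sequence
* number just past the wrap point compares as smaller than one just
* before it, and segments that straddle the wrap are ordered the wrong
* way round.
*/
#define SEQCMP(a, b) ((long)(tt_int32)((tt_uint32)(a) - (tt_uint32)(b)))
#define SEQ_LESSTHAN(a, b) (SEQCMP(a,b) < 0)
#define SEQ_GREATERTHAN(a, b) (SEQCMP(a,b) > 0)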
/* SACK TCP options (not an RFC yet, mostly from draft and RFC 1072) */
/* I'm assuming, for now, that the draft version is correct */
/* sdo -- Tue Aug 20, 1996 */
#define TCPOPT_SACK_PERM 4 /* sack-permitted option */
#define TCPOPT_SACK 5 /* sack attached option */
/* NOTE(review): MAX_SACKS and MAX_UNKNOWN below presumably size the
   arrays that the option parser fills from packet data; the parser has to
   stop at these limits whatever lengths and counts the packet claims --
   confirm in ParseOptions */
#define MAX_SACKS 10 /* max number of sacks per segment (rfc1072) */
/* one SACK block: the left and right edge of an acknowledged range */
typedef struct sack_block {
    seqnum sack_left; /* left edge */
    seqnum sack_right; /* right edge */
} sack_block;
#define MAX_UNKNOWN 16
/* an option this header has no name for: presumably its kind byte and its
   length byte as found in the packet -- confirm */
typedef struct opt_unknown {
    u_char unkn_opt;
    u_char unkn_len;
} opt_unknown;
/* RFC 1323 TCP options (not usually in tcp.h yet) */
#define TCPOPT_WS 3 /* window scaling */
#define TCPOPT_TS 8 /* timestamp */