Statistic Module

Documentation

Description

Show summary for PCAP files

Modes

The captcp statistic module operates in two modes. One provides a human-readable overview of all values; the other generates CSV (comma-separated values) lists and was introduced for post-processing data (e.g. with another Python test script to automate testing).

  • Human Mode (default)
  • Machine Mode (activated via --format <format-string>)

Options

Short option | Long option | Description | Example
-o FORMAT | --format FORMAT | Enable machine mode and display the selected data | --format '%(sent-network-layer)d byte transfered'
-i FILTER | --filter FILTER | Limit the displayed connections to those matching the filter | --filter '*:5001-*:*,*:*-*:5001'

$ captcp statistic --format '%(sent-network-layer)d byte transfered' --filter '*:5001-*:*,*:*-*:5001' trace.pcap
103804 byte transfered
2660 byte transfered

Displayed Data

Name | Description | Unit | Keyword
Data link layer | Bytes captured at link layer, including the Ethernet header size. Retransmissions are counted. | byte | sent-link-layer
Data network layer | Bytes captured at network layer (IPv4 or IPv6), including the IPv4/IPv6 header (incl. IPv4 options and IPv6 extension headers) and everything above it, but not the Ethernet header (14 byte). | byte | network-layer-byte
Data transport layer | Bytes captured at transport level. Includes all TCP headers but no Ethernet or IP header. | byte | transport-layer-byte
Data application layer | Bytes at application level, excluding the TCP header. This includes retransmissions, so these are not unique bytes. | byte | application-layer-byte
Retransmissions | If TCP retransmissions (or packet duplication) occur, the affected data is counted as retransmission. This value should be as low as possible. | byte | rexmt-data-bytes
Retransmissions | The same as rexmt-data-bytes, but counted at packet level, not byte level. | packets | rexmt-data-packets
Retransmissions per byte | Ratio between transport-layer-byte and rexmt-data-bytes in percent. | percent | rexmt-data-percent
ACK flag set but no payload | Number of packets in which no payload is transmitted but the ACK flag is set. | packets | pure-ack-packets

Filter

You may want to limit the number of displayed connections based on IP address or port information. Then the filter option is your friend! The filter option takes a list of several filters and works as a whitelist. The synopsis is sourceIp:sourcePort-destinationIp:destinationPort. The default filter is "*:*-*:*", de facto no filtering.

To display the bytes sent on network layer for all streams with source or destination port 5001, the following filter helps: "*:*-*:5001,*:5001-*:*"
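The whitelist semantics described above, as an added Python sketch (not captcp's own code): it assumes literal IP addresses, exact string matching per field and "*" as the only wildcard. The names parse_filters, flow_allowed, visible and FLOWS are hypothetical; the third flow is constructed.

```python
import ipaddress

WILDCARD = "*"

def _endpoint(text):
    """Split 'ip:port' into (ip, port) strings, validating non-wildcard parts."""
    ip, sep, port = text.strip().rpartition(":")
    if not sep or not ip or not port:
        raise ValueError("expected ip:port, got %r" % text)
    if ip != WILDCARD:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if port != WILDCARD:
        if not (port.isdigit() and int(port) <= 65535):
            raise ValueError("bad port %r" % port)
        port = str(int(port))  # normalise e.g. '05001' to '5001'
    return ip, port

def parse_filters(spec):
    """Parse 'sip:sport-dip:dport,...' into a list of 4-tuples (assumed syntax)."""
    rules = []
    for item in spec.split(","):
        src, sep, dst = item.partition("-")
        if not sep:
            raise ValueError("expected source-destination, got %r" % item)
        rules.append(_endpoint(src) + _endpoint(dst))
    return rules

def flow_allowed(rules, sip, sport, dip, dport):
    """Whitelist: a flow is displayed if at least one rule matches all four fields."""
    flow = (sip, str(sport), dip, str(dport))
    return any(all(r in (WILDCARD, f) for r, f in zip(rule, flow)) for rule in rules)

# Flow 1.1 and Flow 1.2 from the example trace, plus one constructed unrelated flow.
FLOWS = [
    ("192.168.1.39", 52470, "78.47.222.210", 5001),
    ("78.47.222.210", 5001, "192.168.1.39", 52470),
    ("10.0.0.5", 40000, "10.0.0.9", 443),  # constructed sample
]

def visible(spec):
    """Return the sample flows that pass the given filter list."""
    rules = parse_filters(spec)
    return [f for f in FLOWS if flow_allowed(rules, *f)]

if __name__ == "__main__":
    for spec in ("*:*-*:*", "*:*-*:5001", "*:*-*:5001,*:5001-*:*"):
        print(spec, "->", visible(spec))
```

Under these assumptions, "*:*-*:5001" on its own keeps only the client-to-server flow; the reverse direction needs the second entry, "*:5001-*:*", which is why the filter above lists both.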

Examples

The table in the Displayed Data section lists all available data elements for the statistic module.

In this example we use a trace file in which 20 MB of data are uploaded. We start with a simple print to stdout. We use the default mode, where the data is collected at application level: neither the Ethernet header, the IPv{4,6} header nor the TCP header is counted, just application-level data (i.e. including HTTP overhead if the protocol is HTTP). We can change this default via --mode: application-layer, transport-layer or network-layer are valid options.

@hal:captcp $ captcp statistic trace.pcap
General:
	Packets processed:  1190 ( 100.00%)
	Network Layer
	   ARP:              0 (   0.00%)
	   IPv4:          1190 ( 100.00%)
	   IPv6:             0 (   0.00%)
	   Unknown:          0 (   0.00%)
	Transport Layer
	   TCP:           1190 ( 100.00%)
	   UDP:              0 (   0.00%)
	   ICMP:             0 (   0.00%)
	   ICMPv6:           0 (   0.00%)
	   Unknown:          0 (   0.00%)

Connections:

 1  192.168.1.39:52470<->78.47.222.210:5001

	Packets processed: 1190 (100.0%)

Flow 1.1:  192.168.1.39:52470 -> 78.47.222.210:5001
Flow 1.2:  78.47.222.210:5001 -> 192.168.1.39:52470
Packets:                           720 packets   Packets:                           470 packets
Data link layer:               1078408 bytes     Data link layer:                 34116 bytes  
Data network layer:            1068328 bytes     Data network layer:              27536 bytes  
Data transport layer:          1053928 bytes     Data transport layer:            18136 bytes  
Data application layer:        1030880 bytes     Data application layer:              0 bytes  
Retransmissions:                 30880 bytes     Retransmissions:                     0 bytes  
Retransmissions:                    22 packets   Retransmissions:                     0 packets
Retransmissions per byte:         3.00 percent   Retransmissions per byte:         0.00 percent
Retransmissions per packet:       3.06 percent   Retransmissions per packet:       0.00 percent
ACK flag set but no payload:         2 packets   ACK flag set but no payload:       470 packets
[...]