

                  L  I  B   N   E   T   D   U   D   E


	      The NETwork DUmp data Displayer and Editor
                      Packet Manipulation Library

                        Traffic Analyzer Plugin

                     http://netdude.sourceforge.net
         Christian Kreibich <christian.kreibich-AT-cl.cam.ac.uk>

------------------------------------------------------------------------

This plugin gathers simple statistics from one or more trace files and
allows you to save the results in a user-provided output stream. The
analysis steps performed can be selected individually from the
following:

- Basic counts: 

  Counts the total number of packets scanned and the number of non-IP
  packets.

- IP protocol usage:

  Counts the number of packets and the number of bytes per IP protocol
  type.

- UDP/TCP port usage:

  Counts the number of packets and the number of bytes for each pair
  of TCP or UDP source and destination port numbers seen. In addition,
  you can select the output aggregated by source port and by
  destination port.

- UDP/TCP flow usage:

  Counts the number of packets and the number of bytes for each
  individual TCP flow encountered.
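The per-port aggregation has to decide which end of an exchange is the service port. The rule the analyzer states in the comments of its output (further below) is: for TCP, a SYN we see tells us the direction (a SYN without ACK comes from the client, a SYN with ACK from the server); for UDP, and for TCP connections whose SYN was not captured, the destination port of the first packet seen wins. The following Python is an added example, not code from the Netdude plugin, that applies exactly that rule to a constructed packet list and shows the caveat: a TCP flow picked up mid-stream can be attributed to the client port.

```python
"""Added example (not part of the Netdude Traffic Analyzer source):
service-port aggregation following the rule quoted in the analyzer's
output comments.  All packet data below is constructed for the demo."""

from collections import defaultdict

TCP, UDP = 1, 0          # protocol markers as used in the analyzer output
SYN, ACK = 0x02, 0x10    # TCP flag bits

# Constructed sample packets:
# (src_ip, dst_ip, proto, sport, dport, tcp_flags, length_in_bytes)
PACKETS = [
    # TCP connection captured from the start: the bare SYN fixes direction
    ("10.0.0.5", "10.0.0.9", TCP, 40001, 80, SYN, 60),
    ("10.0.0.9", "10.0.0.5", TCP, 80, 40001, SYN | ACK, 60),
    ("10.0.0.5", "10.0.0.9", TCP, 40001, 80, ACK, 52),
    ("10.0.0.9", "10.0.0.5", TCP, 80, 40001, ACK, 1500),
    # TCP connection whose handshake was missed; first packet is server->client,
    # so the analyzer's fallback rule attributes it to the *client* port 50555
    ("10.0.0.9", "10.0.0.7", TCP, 443, 50555, ACK, 1400),
    ("10.0.0.7", "10.0.0.9", TCP, 50555, 443, ACK, 52),
    # UDP: no handshake at all, the first packet's destination port wins
    ("10.0.0.5", "10.0.0.53", UDP, 53123, 53, 0, 70),
    ("10.0.0.53", "10.0.0.5", UDP, 53, 53123, 0, 120),
]


def flow_key(pkt):
    """Direction-independent key so both halves of a flow map together."""
    src, dst, proto, sport, dport, _flags, _length = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def service_ports(packets):
    """Return {(proto, service_port): (packet_count, byte_count)}.

    The service port of a flow is decided once per flow:
      * first packet seen: its destination port (provisional);
      * any TCP SYN seen afterwards overrides it: a SYN without ACK
        travels client->server (service = dport), a SYN with ACK
        travels server->client (service = sport).
    """
    decided = {}                               # flow_key -> (proto, port)
    counts = defaultdict(lambda: [0, 0])       # (proto, port) -> [pkts, bytes]
    for pkt in packets:
        _src, _dst, proto, sport, dport, flags, length = pkt
        key = flow_key(pkt)
        if key not in decided:
            decided[key] = (proto, dport)      # fallback: first packet's dport
        if proto == TCP and flags & SYN:       # a SYN is authoritative
            decided[key] = (proto, sport if flags & ACK else dport)
        svc = decided[key]
        counts[svc][0] += 1
        counts[svc][1] += length
    return {k: tuple(v) for k, v in counts.items()}


def as_percentages(stats):
    """Add %packets and %bytes columns, as the analyzer output does."""
    total_pkts = sum(p for p, _ in stats.values())
    total_bytes = sum(b for _, b in stats.values())
    return {k: (p, b, round(100.0 * p / total_pkts, 2),
                round(100.0 * b / total_bytes, 2))
            for k, (p, b) in stats.items()}


if __name__ == "__main__":
    for (proto, port), row in sorted(as_percentages(service_ports(PACKETS)).items()):
        print(f"{port}\t{proto}\t" + "\t".join(str(x) for x in row))
```

Note that the flow on port 443 is reported under port 50555: once the handshake is missing, the "first packet's destination port" fallback cannot tell client from server, which is why the analyzer's comments warn about that case.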

The resulting numbers can be written to a separate output stream for
each analysis category, or the categories can be combined arbitrarily
into shared streams. The output contains absolute numbers and percentage
values; comment lines start with a "#" at the beginning of the line.
Here's a (shortened) sample output:


------------------------------------------------------------------------
# Netdude Traffic Analysis Output
# Files handled: 1
#

# BASIC ANALYSIS:
# ===============
#
# Total packets -- non-IP packets -- %non-IP

353	0	 0.00

# Total bytes -- non-IP bytes -- %non-IP

88414	0	 0.00


# IP PROTOCOL ANALYSIS:
# =====================
#
# Aggregates packets and bytes per IP protocol payload type.
# proto number -- #packets -- #bytes -- %packets -- %bytes

6	353	88414	100.00	100.00

# TCP/UDP PORTNUMBER ANALYSIS:
# ============================
#
# src port -- dst port -- TCP(1) or UDP(0) -- #packets -- #bytes -- %packets -- %bytes

34836	80	1	11	1531	 3.12	 1.73
34847	80	1	11	2032	 3.12	 2.30
34848	80	1	11	1570	 3.12	 1.78
34830	80	1	18	9605	 5.10	10.86
#...

# TCP/UDP SOURCE PORTS:
# =====================
#
# Aggregates packets and bytes per souce port. For TCP, we can
# do this right based on whether or not a SYN we see has an ACK or not.
# For UDP and for the case when we don't see SYNs in a TCP connection,
# whatever is the destination port on the first packet wins.
#
# src port -- TCP(1)/UDP(0) -- #packets -- #bytes -- %packets -- %bytes

34840	1	11	1728	 3.12	 1.95
34829	1	10	1283	 2.83	 1.45
#...

# TCP/UDP DESTINATION PORTS:
# =========================
#
# Aggregates packets and bytes per destination port. For TCP, we can
# do this right based on whether or not a SYN we see has an ACK or not.
# For UDP and for the case when we don't see SYNs in a TCP connection,
# whatever is the destination port on the first packet wins.
#
# dest port -- TCP(1)/UDP(0) -- #packets -- #bytes -- %packets -- %bytes

80	1	353	88414	100.00	100.00

# TCP FLOW  ANALYSIS:
# ===================
#
# Aggregates packets and bytes per TCP flow, doing full TCP connection state tracking.
# IP src -- IP dst -- src port -- dst port -- #packets -- #bytes -- %packets -- %bytes

128.232.110.120	212.3.243.132	34828	   80	2	132	 0.57	 0.15
128.232.110.120	66.35.250.123	34836	   80	11	1531	 3.12	 1.73
128.232.110.120	66.35.250.204	34851	   80	10	1750	 2.83	 1.98
128.232.110.120	216.239.41.104	34844	   80	9	2699	 2.55	 3.05
#...
------------------------------------------------------------------------
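The format above is simple enough to post-process with a few lines of code: comment lines start with "#", a "# NAME:" line underlined by "# ====" opens a section, a comment containing " -- " separators names the columns of the table that follows, and data rows are tab-separated. The following Python is an added example (not code from the Netdude project) that parses output in this shape and recomputes the %packets column from the BASIC total, which is a cheap way to detect a truncated or hand-edited results file before trusting its numbers. The sample text it parses is constructed, shortened to two sections.

```python
"""Added example (not from the Netdude project): parser and consistency
check for the Traffic Analyzer's text output format."""

import re

# Constructed sample in the analyzer's output format, shortened to two sections.
SAMPLE = """\
# Netdude Traffic Analysis Output
# Files handled: 1
#

# BASIC ANALYSIS:
# ===============
#
# Total packets -- non-IP packets -- %non-IP

353\t0\t 0.00

# TCP/UDP DESTINATION PORTS:
# =========================
#
# dest port -- TCP(1)/UDP(0) -- #packets -- #bytes -- %packets -- %bytes

80\t1\t300\t80000\t 84.99\t 90.48
22\t1\t53\t8414\t 15.01\t  9.52
#...
"""


def _num(field):
    """Data cells are integers except the percentage columns."""
    field = field.strip()
    return float(field) if "." in field else int(field)


def parse_analysis(text):
    """Return {section_name: [table, ...]} with table = {'columns', 'rows'}.

    A new column-header comment inside a section starts a new table; this is
    how the BASIC section carries both its packet and its byte table.
    """
    sections, tables, table = {}, None, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("#"):
            body = line[1:].strip()
            underlined = i + 1 < len(lines) and re.fullmatch(r"#\s*=+", lines[i + 1])
            if body.endswith(":") and underlined:
                tables = sections.setdefault(body[:-1], [])
                table = None
            elif tables is not None and " -- " in body:
                table = {"columns": [c.strip() for c in body.split(" -- ")], "rows": []}
                tables.append(table)
            continue                        # other comments carry no data
        if line.strip() and table is not None:
            table["rows"].append([_num(f) for f in line.split("\t")])
    return sections


def check_percentages(sections, tolerance=0.0051):
    """Recompute %packets for every table that has #packets/%packets columns
    from the BASIC total and return (section, row) pairs that disagree.
    Stated percentages are rounded to two decimals, hence the tolerance."""
    total = sections["BASIC ANALYSIS"][0]["rows"][0][0]
    bad = []
    for name, tables in sections.items():
        for table in tables:
            cols = table["columns"]
            if "#packets" not in cols or "%packets" not in cols:
                continue
            pi, pp = cols.index("#packets"), cols.index("%packets")
            for row in table["rows"]:
                if abs(100.0 * row[pi] / total - row[pp]) > tolerance:
                    bad.append((name, row))
    return bad


def top_rows(sections, section, column, n=5):
    """Rows of the first table in `section`, sorted by `column` descending."""
    table = sections[section][0]
    idx = table["columns"].index(column)
    return sorted(table["rows"], key=lambda r: r[idx], reverse=True)[:n]


if __name__ == "__main__":
    parsed = parse_analysis(SAMPLE)
    print("inconsistent rows:", check_percentages(parsed))
    print("busiest destination ports:", top_rows(parsed, "TCP/UDP DESTINATION PORTS", "#bytes"))
```

Because the percentages are derived from the BASIC totals, a file whose port or flow sections were written from a different run than its BASIC section (or edited afterwards) shows up immediately in `check_percentages`.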

To build this plugin from source, do the following:

- make sure you have the following plugins installed:
    - Conntrack
    - Trace-Set
- run ./autogen.sh.
- run ./configure, adding --enable-debugging for debugging output.
- run make install.

The Netdude Traffic Analyzer plugin ("/Statistics/Traffic Analyzer")
provides a GUI front-end for this plugin.

Enjoy.

------------------------------------------------------------------------
  Yet another SRG production -- http://www.cl.cam.ac.uk/Research/SRG/
------------------------------------------------------------------------
