Web100 is a Linux kernel patch to the TCP mechanisms inside the Linux kernel. It allows the user to monitor and change TCP/IP kernel parameters. It can be found at: Web100
We are using Web100 to allow the user to examine the performance of TCP application programs. Without access to the source code, it is difficult to tune the performance of application programs (e.g. ftp) used to transfer large amounts of data.
The first experiment we did was to incorporate some additional statistics into tcpdump. When running an application, we would like to know a) how long it took the window to open up, b) how long the program spent in max window size conditions.
Instrumenting avd to show additional information from our ftp wan transfers.
test results of integration into tftp.c
This is a set of C library functions which allow you to instrument your application.
tcpdump uses libpcap for all the calls. The timestamp in Web100, currtime, does not correspond to the tcpdump timestamp format of seconds:fractions of a second. The libpcap struct in pcap-int.h storing the timestamp is struct pcap_sf_pkthdr or struct pcap_sf_patched_pkthdr, depending on the OS version you are using. The pkthdr struct contains struct pcap_timeval, which comprises the bpf_int32 tv_sec and bpf_int32 tv_usec data fields. These are the seconds and microseconds fields of the timestamp. The hour and minutes field is stored in a separate data structure.
struct pcap_stat in pcap.h stores u_int ps_recv, the number of packets received on the interface, and u_int ps_drop, the number of packets dropped. There is a comment saying the number of packets dropped by the interface is not yet supported.
PCAP event loop: the event loop recording the arriving and departing packets is in the function pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user). This function has a loop that reads using the function pcap_read(p, cnt, callback, user). pcap_loop reads until cnt is reached. pcap_read is declared in pcap-int.h, used in pcap.c, and implemented in pcap-linux.c, pcap-pf.c, pcap-bpf.c, pcap-dlpi.c, pcap-snit.c, pcap-snoop.c, pcap-nit.c, and pcap-null.c. I assume the different implementations of pcap are for the different OSes. I ran an experiment by adding a print statement to all the pcap_read functions to verify that under Linux we only have to worry about pcap-linux.c.
tcpdump uses, in the following order, pcap_open_offline, pcap_lookupdev, pcap_open_live, pcap_snapshot, pcap_lookupnet, pcap_dump_open, pcap_loop. pcap_open_offline is called to open a file for writing. This function is implemented in savefile.c. It is called when tcpdump is reading from a file with the -r option.
pcap_lookupdev(): this function is implemented in inet.c. It returns a string indicating the names of the network interface attached to the system.
pcap_open_live is implemented in pcap-linux.c. It returns a pointer to a pcap structure. This is a live handle.
pcap_snapshot is implemented in pcap.c. It returns the value p->snapshot. It is the number of bytes tcpdump expects to return.
pcap_lookupnet is implemented in inet.c. It returns an int. It is not clear what this function exactly does. Not sure if it matters for now.
pcap_dump_open is implemented in savefile.c. It returns a pointer to a pcap_dumper_t struct. The pcap_dumper_t struct is typedef'd in pcap.h to be the same as pcap_dumper. The pcap_dumper struct is defined in
pcap_loop is implemented in pcap.c. It calls pcap_offline_read till we reach the count number in the argument -c xxx.
pcap_offline_read is implemented in savefile.c. It prints out the packets in the file initialized by sf_read_init. It calls sf_next_packet in savefile.c. sf_next_packet sets the struct pcap_pkthdr in the calling argument of sf_next_packet to include the timestamp values. Note: we need to track the sf_hdr structure to see where the ioctl is called to verify the machine time. I only see the ioctl in function pcap_dump, which is not in this flow.
pcap_read uses the
pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) is the function which writes to the dump file specified in the -w option, or to stdout if no option is specified. This function uses a struct called pcap_sf_pkthdr and a file descriptor *f. The struct definition for pcap_sf_pkthdr is in pcap-int.h and contains data values for the timestamp. The pcap_pkthdr struct contains the timestamp data; it is copied to a new struct called pcap_sf_pkthdr, which is then written out using an fwrite call. pcap_pkthdr is defined in pcap.h, and consists of a timestamp value.
The timestamp in pcap_pkthdr is set in pcap_read, which calls pcap_read_packet in pcap-linux.c.
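To make the per-packet header that pcap_dump writes concrete, the following added example (not code from libpcap, tcpdump or these notes) walks the record headers of an in-memory savefile and returns the first and last timestamps in microseconds, a form that can be compared against other clocks. It assumes the standard savefile layout (24-byte file header with magic 0xa1b2c3d4, then 16-byte records of tv_sec, tv_usec, caplen, len), not the patched header; sf_span_usec, rd32 and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SF_MAGIC 0xa1b2c3d4u /* standard savefile magic number */
#define SF_FILE_HDR 24       /* bytes in the file header before the first record */
#define SF_REC_HDR 16        /* tv_sec, tv_usec, caplen, len: four 32-bit fields */

/* Constructed sample: little-endian file header plus two 4-byte packets. */
static const uint8_t sample[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    0xe8,0x03,0,0, 0x90,0xd0,0x03,0, 4,0,0,0, 60,0,0,0, 0xde,0xad,0xbe,0xef,
    0xea,0x03,0,0, 0xb0,0x71,0x0b,0, 4,0,0,0, 60,0,0,0, 0xde,0xad,0xbe,0xef,
};

/* Read a 32-bit field in the byte order of the machine that wrote the file. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
               : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Hypothetical helper: walk every record header, storing the first and last
 * timestamps in microseconds. Returns the record count, or -1 if the magic
 * is unknown or a record runs past the end of the buffer. */
int sf_span_usec(const uint8_t *buf, size_t n, int64_t *first, int64_t *last) {
    size_t off = SF_FILE_HDR;
    int big, count = 0;
    if (n < SF_FILE_HDR) return -1;
    if (rd32(buf, 0) == SF_MAGIC) big = 0;      /* written on a little-endian host */
    else if (rd32(buf, 1) == SF_MAGIC) big = 1; /* written on a big-endian host */
    else return -1;
    while (n - off >= SF_REC_HDR) {
        uint32_t sec = rd32(buf + off, big), usec = rd32(buf + off + 4, big);
        uint32_t caplen = rd32(buf + off + 8, big);
        /* caplen comes from the file: bound it before skipping the payload */
        if (usec >= 1000000 || caplen > n - off - SF_REC_HDR) return -1;
        *last = (int64_t)sec * 1000000 + usec;
        if (count++ == 0) *first = *last;
        off += SF_REC_HDR + caplen;
    }
    return off == n ? count : -1;
}

int main(void) {
    int64_t a = 0, b = 0;
    int n = sf_span_usec(sample, sizeof sample, &a, &b);
    printf("%d packets, %lld usec between first and last\n", n, (long long)(b - a));
    return 0;
}
```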
Comments to email@example.com