SLAC Home Page

Back to Top

Web100 is a linux kernel patch to the TCP mechanisms inside the linux kernel. It allows the user to monitor and change tcp/ip kernel parameters. It can be found at:Web100

Benefits of Web100

We are using web100 to allow the user to examine the performance of tcp application programs. Without access to the source code, it is difficult to tune the performance of application programs (e.g. ftp) used to transfer large amounts of data.

Web100 application for instrumenting applications

The first experiment we did was to incorporate some additional statistics into tcpdump. When running an application, we would like to know a) how long it took the window to open up, b) how long the program spent in max window size conditions.

Instrumenting avd to show additional information from our ftp wan transfers.

  • call pcap_lookupdev in inet.c. #define eth0 or eth1 into the program. tcpdump uses device = pcap_lookupdev(ebuf) where device is a string, and ebuf is a char array of size PCAP_ERRBUF_SIZE, which is #defined in pcap.h to be 256. This function returns a string. Running tcpdump with no arguments will cause this function to return eth0.
  • call pcap_open_live. This function returns a pcap descriptor. This initializes the pcap_t pd descriptor defined in pcap-int.h. This datastructure contains an int fd, int snapshot, int linktype, int tzoff, int offset, struct pcap_sf sf, struct pcap_md md, int bufsize, u_char *buffer, u_char *bp, int cc, u_char *pkt, struct bpf_program fcode, char errbuf[PCAP_ERRBUF_SIZE]. int snapshot is set to the snaplen. We are using the default snap length. There is the oprion with a -s flag to set the snaplength. The device name eth0 is copied into the pcap_md structure, specifically in the md.device field. live_open_new is called, it tests to see if the pf_packet option is supported. if it is, it sets teh sock_packet field in the pcap_md struct to 0 indicating the newer linux kernel pf_packet support exists. It detetcts the interface type and sets the md.cooked field and md.lo_index. This function initializes the pcap_t structure to the interface number, the type of interface, etc.... We can print this out if we want to read it. I'm not going to single step through this to verify each field.
  • int i = pcap_snapshot(pd); This function changes the current setting of snaplen in the pd descriptor. It simply returns the snapshot value set in the function before to the int i. Tcpdump does an error check to make sure snaplen in the struct is the same as the current snaplen in tcpdump. Just an error check.
  • pcap_lookupnet(device, &localnet, &netmask, ebuf). tcpdump tests this function if it is less than 0. It prints out an error message if it is. This function sets the netmask and mask bits. This should be in a config file somewhere in the linux os. Do we really have to do this this way?????
  • cmdbuf = copy_argv()
  • pcap_compile(pd, &fcode, cmdbuf, 0flag, netmask)
  • init_addrtoname(localnet, netmask);
  • pcap_setfilter(pd,&fcode)<0
  • lookup_printer(pcap_datalink(pd))
  • pcap_loop(pd, cnt, printer, pcap_userdata). This is the loop in tcpdump which records all the packets.
  • pcap_offline_read is called in pcap_loop. Does calling pcap_offline_read everytime avd takes a snapshot a good approach?

    test results of integration into tftp.c

    A pcap/web100 library for diagnostic tcp wan transfer updates.

    This is a set of C library functions which allow you to instrument your application.

  • initialize the interface and the connection to write data to a file. This returns a pcap handle and an avd handle. It should be possible to integrate both the web100 and pcap init into one handle. This handle should be correlated to the socket doing the ftp transfer, separate the control channels out of this. This is done afterwards in tcpdump/tcptrace mode. We do this after the file is generated, picking the connection id with the largest number of bytes transferred. This requires a 2 pass algorithm on the data file.
  • what functions should we put here?, probably something like int windowTimeToMax(); etc... performance metrics..... need to do the avd integration first to see what the problems are. We should separate retransmissions, timeouts, out of order packets and acks.
  • TCPDUMP/web100 integration notes to myself

    PCAP timestamp seconds and microsecond format

    tcpdump uses libpcap for all the calls. the timestamp in web100, currtime does not correspond to the tcpdump timestamp format of seconds:fractions of a second. The lipbcap struct in pcap-int.h storing the timestamp is struct pcap_sp_pkthdr or struct pcap_sf_patched_pkthdr; depending on the os version you are using. The pkthdr struct contains sturct pcap_timeval which is comprised of a bpf_int32 tvsec and bpf_int32 tv_usec data fields. This is the second and microsecond field of the timestamp. The hour and minutes field is stored in a separate datastructure.

    PCAP generation of pcap_pkthdr header to each packet in the dump file

    PCAP STAT, number of packets received and number of dropped packets.

    struct pcap_stat in pcap.h stores the information about u_int ps_recv, the number of packets received on the interface, and u_int ps_drop, the number of packets dropped. There is a comment saying the number of packets dropped by teh interface are not yet supported.

    PCAP event loop, the event loop recording the arriving and departing packets is in function pcap_loop(pcap_t *p, int cnt, pcap_handler callback, u_char *user). This function has a loop reading using function pcap_read(p,cnt,callback, user). The pcap_loop reads till the cnt is reached. pcap_read is declared in pcap-int.h, used in pcap.c, and implemented in pcap-linux.c, pcap-pf.c, pcap-bpf.c, pcap-dlpi.c, pcap_snit.c, pcap-snoop.c, pcap-nit.c, and pcap-null.c. I assume the different implementations of pcap are for the different os. I ran an experiment by adding a print statement to all the pcap-read functions to verify under linux we only have to worry about pcap-linux.c.

    tcpdump uses in the following order pcap_open_offline, pcap_lookupdev, pcap_open_live, pcap_snapshot, pcap_lookupnet, pcap_dump_open, pcap_loop.

    pcap_open_offline is called to open a file for writing. This function is implemented in savefile.c. It is called when tcpdump is reading from a file with the -r option

    pcap_lookup_dev(); this function is implemented in inet.c. It returns a string indicating the names of the network interface attached to the system.

    pcap_open_live is implemented in pcap-linux.c. It returns a pointer to a pcap structure. this is a live handle.

    pcap_snapshot is implemented in pcap.c. It returns th e value p->snapshot. It is the number of bytes tcpdump expects to return.

    pcap_lookupnet is implemented in inet.c. It returns an int. It is not clear what this function exactly does. Not sure if it matters for now.

    pcap_dump_open is implemented in savefile.c. It returns a pointer to a pcap_dumper_t struct. The pcap_dumper_t struct is typedef'd in pcap.h to be the same as pcap_dumper. The pcap_dumper struct is defined in

    pcap_loop is implemented in pcap.c. It calls pcap_offline_read till we reach the count number in the argument -c xxx.

    pcap_offline_read is implemented in savefile.c. It prints out the packets in the file initialized by sf_read_init. It calls sf_next_packet in savefile.c. sf_next_packet sets the struct pcap_pkthdr in the calling argumrnt of sf_next_packet to include the timestamp values. Note: we need to track the sf_hdr structure to see where the ioctl is called to verify the machine time. I only see the ioctl in function pcap_dump which is not in this flow.

    How pcap_read in pcap-linux.c works

    pcap_read uses the

    pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp) is the function which writes to the dump file specified in the -w option, or to stdout if no option is specified. This function uses a struct called pcap_sf_pkthdr and a file descriptor *f. The struct definition for pcap_sf_pkthdr is in pcap-int.h and contains data values for teh timestamp. The pcap_pkthdr struct contains the timestamp data, it is copied to a new struct called pcap_sf_pkthdr which is then printed using a fwrite command. pcap_pkthdr is defined in pcap.h, and consists of a timestamp value.

    the timestamp in pcap_pkthdr is set in pcap_read which calls pcap_read_packet in pcap-linux.c.

    Created 2/20/01
    Comments to