YCONALYZER(1)                                                  YCONALYZER(1)

NAME
yconalyzer - a program to analyze TCP traffic on a server or client
port.
SYNOPSIS
yconalyzer -p port [ -i interface ] [ -t seconds ] [ expression ]
yconalyzer -p port [ -i interface ] [ -w file ] [ -t seconds ]
[ expression ]
yconalyzer -p port [ -dRT ] [ -i interface ] [ -t seconds ]
[ -r file ] [ -n nbuckets ] [ -s bucket_size ]
[ -X nbytes ] [ -x nbytes ]
[ -Y nbytes ] [ -y nbytes ]
[ -c num_attempts ] [ -I datespec ]
[ -P | -C | -S ] [ -D bucket_id ] [ expression ]
DESCRIPTION
Yconalyzer selects the packets on a network interface that match the
boolean expression and prints out statistics about the TCP connections.
When run with the -w flag (the recommended mode), it instead saves the
matching packets to file for later analysis; the same capture can then
be re-analyzed with different bucket sizes, selection options and
expressions without capturing again.
When run with the -r flag, it reads packets from such a saved file
instead of from a network interface, and then prints out the
statistics.
In all cases, only packets that match both yconalyzer's internal filter
and the expression are processed. The internal filter accepts only TCP
packets whose source or destination port equals port and that have at
least one of the SYN, FIN or RST flags set in the TCP header; pure data
and ACK packets are never examined, so everything yconalyzer reports is
derived from the handshake and teardown packets alone.
The same permission restrictions apply as for tcpdump: you must have
super-user permissions to invoke yconalyzer without the -r option.
Files captured by tcpdump are readable by yconalyzer and vice versa (as
long as file permissions are set correctly). A convenient consequence
is that only the capture (-w, or tcpdump -w) needs privileges; the -r
analysis can be done as an unprivileged user on a copy of the file.
Yconalyzer will stop capturing packets if it is interrupted by a SIGINT
signal (generated, for example, by typing your interrupt character,
typically control-C) or a SIGTERM signal (typically generated with the
kill(1) command).
When yconalyzer finishes capturing packets (or reading from a captured
file), it reports statistics about the connections observed.
The report is in two parts. The first part gives overall aggregated
statistics and information about lost connections, etc. The second
part is a table in which the observed connections are placed in buckets
according to the duration of the connection. A bucket is defined by a
minimum and maximum connection duration (or, if the -P option is
chosen, a minimum and maximum connection throughput; with -C or -S, a
minimum and maximum number of bytes sent by the client or the server).
For each bucket, the following statistics are reported:
the number of connections in the bucket, and its percentage of the
total number of connections observed;
the average number of bytes sent by the clients for the connections
in the bucket;
the average number of bytes sent by the server for the connections
in the bucket;
the average estimated Round Trip Time of the connections in the
bucket (if the -T option is specified; see the section on RTT
ESTIMATION).
For a sample output, see the section on SAMPLE OUTPUT.
While running in capture mode (i.e. without the -r option), yconalyzer
also reports the number of packets captured and dropped, as tcpdump(1)
does, and the same notes as in tcpdump apply to these numbers. Check
the number of dropped packets after a run. It should normally be zero,
even when yconalyzer runs for an extended period (tens of minutes, or
even hours). A non-zero count may indicate (but does not prove) that
running yconalyzer has skewed the performance of the system; it also
means the statistics of that run are unreliable, since a single lost
SYN, FIN or RST leaves its connection looking unestablished or still
in progress.
OPTIONS
-c num_attempts
Print out the connections that took at least num_attempts SYN
attempts to establish.
-C Use the number of bytes sent by the client (instead of the
duration) to place connections in buckets.
-d Print out a trace of the packets in a format similar to tcpdump
-n. Repeating this option gives more information, useful for
debugging yconalyzer.
-D bucket_id
Print out the hosts and port numbers of all the connections in
the specified bucket. The bucket_id is the first number of the
bucket (each bucket is labelled with two numbers, or only one if
it is the last, open-ended bucket). One line is printed for each
connection in the bucket, in a format that can be cut and pasted
as an expression for either yconalyzer or tcpdump. The typical
use of this option is to drill down on a specific bucket, list
all the connections in it and find out why they are slow. If the
original data was captured with tcpdump (which keeps the data
packets yconalyzer's own filter discards), the full transaction of
any such connection can then be examined in that capture.
-i interface
Listen on interface. If unspecified, yconalyzer searches the
system interface list for the lowest numbered, configured up
interface (excluding loopback). Ties are broken by choosing the
earliest match.
-I datespec
Consider only packets with a timestamp at or after the specified
time. datespec can be in HH:MM:SS or YYYY-MM-DD.HH:MM:SS format.
All packets with an earlier timestamp are discarded, so
connections established before the specified time will not show
up in the final analysis.
-n nbuckets
Number of buckets. Actually, nbuckets plus one buckets are
printed: the last, open-ended bucket collects all the connections
that fall beyond the nbuckets regular ones.
-p port
The TCP port to be monitored. This should always be specified.
-P Use throughput buckets instead of response time. The throughput
of each connection is computed as the total number of bytes sent
in either direction divided by the total duration of the
connection, so the figure is meaningful only when one side of the
connection sends far more than the other (as with most HTTP
responses). Connections are bucketized in terms of the calculated
throughput.
-r file
Read packets from file (which was created with the -w option, or
by tcpdump -w).
-R Output in raw format. Useful for piping the output to a script.
-S Use the number of bytes sent by the server (instead of the
duration) to place connections in buckets.
-s bucket_size
Bucket size in msecs (or in Kbytes/sec if -P is specified).
-T Attempt to estimate the RTT of the connections. If the trace was
captured on the client machine, the estimated RTT is exactly the
one experienced by the client at the beginning of the connection;
variation in RTT as the connection progresses is not tracked. If
the trace was captured on the server side, yconalyzer estimates
the RTT from the way the connection close is initiated by the
upper layer protocol. For HTTP this estimate should be quite
close to the real RTT. See the section on RTT ESTIMATION.
-t seconds
Stop capturing after seconds seconds (capture mode only).
-w file
Write the raw packets to file rather than processing them and
printing out statistics. The file can later be processed with
the -r option.
-x nbytes
Select only those connections in which the client sends more
than nbytes bytes to the server.
-X nbytes
Select only those connections in which the server sends more
than nbytes bytes to the client.
-y nbytes
Select only those connections in which the client sends less
than nbytes bytes to the server.
-Y nbytes
Select only those connections in which the server sends less
than nbytes bytes to the client.
expression
Selects which packets will be processed. If no expression is
given, all packets accepted by yconalyzer's internal filter are
processed. Note that the expression is applied in addition to
that internal filter, which restricts processing to the TCP port
given with -p and to packets that have the SYN, FIN or RST flags
set in the TCP header. The expression syntax is that of
tcpdump(1).
EXAMPLES
To capture all relevant packets on port 80 for 10 minutes and save them
in the file http.1 for later analysis:
yconalyzer -p 80 -w http.1 -t 600
To print the processed data from the above file:
yconalyzer -p 80 -r http.1
To change the bucket size to 2 seconds (instead of the default of 20
msec) and divide into 5 buckets (instead of the default of 20):
yconalyzer -p 80 -r http.1 -s2000 -n5
To process only those connections in which the client sends less than
4096 bytes:
yconalyzer -p 80 -r http.1 -s2000 -n5 -y4096
To process only those connections in which the server sends more than
64000 bytes:
yconalyzer -p 80 -r http.1 -s2000 -n5 -X64000
To restrict the analysis to connections involving host 23.34.45.56
(the expression is ANDed with the internal port and flag filter):
yconalyzer -p 80 -r http.1 -s2000 -n5 host 23.34.45.56
To monitor only outgoing connections from an HTTP proxy (in which both
incoming and outgoing connections use port 80) for 3 minutes:
yconalyzer -p 80 -w proxy-out.1 -t180 '(src host proxy.domain.com and dst port 80) or (dst host proxy.domain.com and src port 80)'
To monitor only incoming connections to the same proxy for 3 minutes:
yconalyzer -p 80 -w proxy-in.1 -t180 '(dst port 80 and dst host proxy.domain.com) or (src port 80 and src host proxy.domain.com)'
To have yconalyzer estimate the RTT to the clients:
yconalyzer -p 80 -r http.1 -s2000 -n5 -T
To print details about the connections that took between 500 and 600
msecs (bucket size 100 msecs, bucket starting at 500):
yconalyzer -p 80 -r http.1 -s100 -D500
To get the percentage of connections that had a response time under
400 msecs (one bucket of 400 msecs plus the open-ended 400+ bucket):
yconalyzer -p 80 -r http.1 -n1 -s400
SAMPLE OUTPUT
yconalyzer -p 80 -r http.1 -T
Results of monitoring port 80 for 599.930000 seconds
Start time: Thu Jan 4 10:35:55 2007
End time: Thu Jan 4 10:45:55 2007
Total Connections (terminated by FIN): 6291
Avg Client Data: 3025 bytes
Avg Server Data: 23066 bytes
Avg conn time: 865 msecs
Avg Round Trip Time: 152 msecs
Total number of SYNs: 6382 (duplicates: 88)
Connections terminated by RESET: 37
Number of SYNs taken to establish connections: 6319
Avg no. of SYNs to establish a connection: 1.00
Number of unique connections that never completed: 0
Number of SYNs from incomplete connections: 0
Number of established connections in progress: 33 (12 may have been discarded)
Number of connections in closing state: 7
Distribution of SYNs to establsh connections (nSYNs:nConns):
1:6283,2:2,3:1,4:1,5:2,7:1,8:1,
Duration NumConns AvClient AvServer EstRtt AvThruput
(msecs) (bytes) (bytes) (msecs) (KB/s)
0 - 20 40( 0.64%) 903 7412 3 1613.58
20 - 40 109( 1.73%) 628 2257 30 89.67
40 - 60 181( 2.88%) 1350 3671 60 101.32
60 - 80 324( 5.15%) 1507 1273 66 39.25
80 - 100 279( 4.43%) 1352 4460 77 62.40
100 - 120 196( 3.12%) 1504 2856 93 38.85
120 - 140 183( 2.91%) 1528 10695 76 91.69
140 - 160 172( 2.73%) 1515 6077 84 49.94
160 - 180 155( 2.46%) 2407 5362 90 44.55
180 - 200 208( 3.31%) 1316 9759 104 58.02
200 - 220 162( 2.58%) 1672 14240 124 75.02
220 - 240 155( 2.46%) 4169 11908 136 69.50
240 - 260 157( 2.50%) 2592 18188 140 82.02
260 - 280 131( 2.08%) 2249 16619 142 69.07
280 - 300 137( 2.18%) 6110 11858 143 61.67
300 - 320 131( 2.08%) 1748 14579 130 52.05
320 - 340 124( 1.97%) 1783 17429 147 57.65
340 - 360 136( 2.16%) 1910 16969 164 53.03
360 - 380 139( 2.21%) 3945 20649 157 65.37
380 - 400 116( 1.84%) 1896 17909 156 50.16
400+ 3056(48.58%) 4057 37201 203 47.08
RTT ESTIMATION
If we assume that the server side closes the connection first, and that
the client closes its side as soon as it has received all the data,
then the RTT can be estimated on the server as the difference between
the time the server's FIN is sent and the time the client's FIN
arrives. The estimate is only as good as that assumption: a client that
closes first, or that delays its FIN after receiving the server's (for
example because the application does not close the socket promptly),
inflates the figure. A trace captured on the client side needs no such
assumption, since there the client's SYN and the server's SYN/ACK
bracket one round trip directly (see -T).
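The following is an added example, not part of yconalyzer or its source
code: a small Python re-implementation of the accounting described under
DESCRIPTION and in this section, run over a constructed pcap so that the
figures in the report (connections terminated by FIN and by RESET, SYNs
per connection, bytes per side, duration buckets, server-side RTT) can be
checked by hand. It assumes two things the page does not state: that the
bytes sent by each side are recovered from the sequence numbers of the
SYN and FIN packets (FIN seq = ISN + 1 + bytes sent), and that the client
is the side whose SYN is addressed to port. The addresses, ports and
timings in sample_pcap() are made up.

```python
# Added example, not yconalyzer's own code.  Assumed: bytes per side are
# recovered from sequence numbers (FIN seq = ISN + 1 + bytes sent) and the
# client is the side whose SYN is addressed to `port`.
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def tcp_record(ts, src, sport, dst, dport, flags, seq, payload_len=0):
    """One pcap record holding an Ethernet/IPv4/TCP frame (checksums left zero)."""
    hdrs = struct.pack("!BBHHHBBH4s4sHHIIBBHHH",
                       0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,          # IPv4 header
                       socket.inet_aton(src), socket.inet_aton(dst),
                       sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)   # TCP header
    frame = b"\x00" * 12 + b"\x08\x00" + hdrs + b"\x00" * payload_len
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def pcap_packets(data):
    """Yield (ts, src, sport, dst, dport, flags, seq) for each IPv4/TCP record."""
    order = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the pcap global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4/TCP
        ip = frame[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), sport,
               socket.inet_ntoa(ip[16:20]), dport, tcp[13], seq)

def internal_filter(port, pkt):
    """yconalyzer's built-in filter: `port` on either side and SYN, FIN or RST set."""
    _ts, _src, sport, _dst, dport, flags, _seq = pkt
    return port in (sport, dport) and flags & (SYN | FIN | RST) != 0

def analyze(data, port):
    """Follow each connection from SYN to FIN/RST; return finished ones and summary counters."""
    conns = {}
    for pkt in pcap_packets(data):
        if not internal_filter(port, pkt):
            continue
        ts, src, sport, dst, dport, flags, seq = pkt
        side = "c" if dport == port else "s"             # client = the side talking to `port`
        key = (src, sport, dst, dport) if side == "c" else (dst, dport, src, sport)
        c = conns.setdefault(key, dict(syns=0, isn={}, fin={}, rst=None))
        if flags & SYN:
            if side == "c":                              # every client SYN is one attempt
                c["syns"] += 1
                c.setdefault("start", ts)
            c["isn"].setdefault(side, seq)               # SYN / SYN-ACK carries that side's ISN
        elif flags & RST:
            c["rst"] = ts
        elif flags & FIN and side in c["isn"]:
            c["fin"][side] = (ts, seq - c["isn"][side] - 1)   # FIN seq = ISN + 1 + bytes sent
    done, stats = [], dict(fin=0, reset=0, incomplete=0, syns=0)
    for key, c in conns.items():
        stats["syns"] += c["syns"]
        if "c" in c["fin"] and "s" in c["fin"]:
            stats["fin"] += 1
            (ct, cbytes), (st, sbytes) = c["fin"]["c"], c["fin"]["s"]
            done.append(dict(key=key, attempts=c["syns"], client_bytes=cbytes,
                             server_bytes=sbytes,
                             duration_ms=round((max(ct, st) - c["start"]) * 1000),
                             rtt_ms=round((ct - st) * 1000)))   # server-side RTT estimate
        elif c["rst"] is not None:
            stats["reset"] += 1
        else:                                            # SYN only, or a FIN without its SYN
            stats["incomplete"] += 1
    return done, stats

def bucketize(done, bucket_ms=20, nbuckets=20):
    """nbuckets buckets of bucket_ms each plus an open-ended last one (what -n and -s do)."""
    rows = [dict(lo=i * bucket_ms, hi=None if i == nbuckets else (i + 1) * bucket_ms,
                 conns=[]) for i in range(nbuckets + 1)]
    for d in done:
        rows[min(d["duration_ms"] // bucket_ms, nbuckets)]["conns"].append(d)
    return rows

def sample_pcap():
    """Constructed capture: 3 port-80 connections (clean; SYN retransmitted; RST) + 2 filtered packets."""
    recs = [
        tcp_record(0.000, "10.0.0.5", 40001, "10.0.0.1", 80, SYN, 1000),
        tcp_record(0.050, "10.0.0.1", 80, "10.0.0.5", 40001, SYN | ACK, 5000),
        tcp_record(0.120, "10.0.0.5", 40001, "10.0.0.1", 80, ACK, 1001, 300),  # data only: dropped
        tcp_record(0.300, "10.0.0.1", 80, "10.0.0.5", 40001, FIN | ACK, 25001),  # 20000 bytes sent
        tcp_record(0.450, "10.0.0.5", 40001, "10.0.0.1", 80, FIN | ACK, 1301),   # 300 bytes sent
        tcp_record(1.000, "10.0.0.6", 40002, "10.0.0.1", 80, SYN, 2000),
        tcp_record(2.000, "10.0.0.6", 40002, "10.0.0.1", 80, SYN, 2000),         # retransmitted SYN
        tcp_record(2.040, "10.0.0.1", 80, "10.0.0.6", 40002, SYN | ACK, 7000),
        tcp_record(2.100, "10.0.0.1", 80, "10.0.0.6", 40002, FIN | ACK, 7501),
        tcp_record(2.130, "10.0.0.6", 40002, "10.0.0.1", 80, FIN | ACK, 2101),
        tcp_record(3.000, "10.0.0.7", 40003, "10.0.0.1", 80, SYN, 3000),
        tcp_record(3.020, "10.0.0.1", 80, "10.0.0.7", 40003, SYN | ACK, 9000),
        tcp_record(3.080, "10.0.0.7", 40003, "10.0.0.1", 80, RST | ACK, 3001),   # aborted
        tcp_record(3.500, "10.0.0.8", 40004, "10.0.0.1", 443, SYN, 4000),        # other port: dropped
    ]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)
```

analyze() accepts the bytes of any file written with -w (or with tcpdump
-w); bucketize() takes the -s and -n values. On the constructed capture it
reports two connections terminated by FIN, one by RESET and four SYNs in
total; the first connection lands in the 400-500 msec bucket with a 150
msec server-side RTT, the second (whose SYN was retransmitted once, so -c 2
would list it) in the open-ended last bucket. Filtering the returned list on
client_bytes and server_bytes is what -x, -X, -y and -Y do in this model.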
SEE ALSO
tcpdump(1)
BUGS
When a machine has very low or no traffic on the port being monitored,
yconalyzer may not respond to ^C.
yconalyzer prints a negative value for the monitoring time when there
is no traffic on the machine on which it is run.
5 January 2007 YCONALYZER(1)