log_tcp_(no)complete | Parameters logged in the TCP flow level log file | ||
---|---|---|---|
Column no. | Short desc | Long descr | |
Client | Server | ||
1 | 45 | Client/Server IP address | IP addresses of the client/server |
2 | 46 | Client/Server TCP port | TCP port addresses for the client/server |
3 | 47 | packets | total number of packets observed form the client/server |
4 | 48 | RST sent | 0 if no RST segment has been sent by the client/server, 1 otherwise |
5 | 49 | ACK sent | number of segments with the ACK field set to 1 |
6 | 50 | PURE ACK sent | number of segments with ACK field set to 1 and no data |
7 | 51 | unique bytes | number of bytes sent in the payload |
8 | 52 | data packets | number of segments with payload |
9 | 53 | data bytes | number of bytes transmitted in the payload, including retransmissions |
10 | 54 | rexmit packets | number of retransmitted segments |
11 | 55 | rexmit bytes | number of retransmitted bytes |
12 | 56 | out seq packets | number of segments observed out of sequence |
13 | 57 | SYN count | number of SYN segments observed (including rtx) |
14 | 58 | FIN count | number of FIN segments observed (including rtx) |
15 | 59 | RFC1323 ws | Window scale option sent [boolean] |
16 | 60 | RFC1323 ts | Timestamp option sent [boolean] |
17 | 61 | window scale | Scaling values negotiated [scale factor] |
18 | 62 | SACK req | SACK option set [boolean] |
19 | 63 | SACK sent | number of SACK messages sent |
20 | 64 | MSS | MSS declared [bytes] |
21 | 65 | max seg size | Maximum segment size observed [bytes] |
22 | 66 | min seg size | Minimum segment size observed [bytes] |
23 | 67 | win max | Maximum receiver window announced (already scale by the window scale factor) [bytes] |
24 | 68 | win min | Maximum receiver windows announced (already scale by the window scale factor) [bytes] |
25 | 69 | win zero | Total number of segments declaring zero as receiver window |
26 | 70 | cwin max | Maximum in-flight-size computed as the difference between the largest sequence number so far, and the corresponding last ACK message on the reverse path. It is an estimate of the congestion window. [bytes] |
27 | 71 | cwin min | Minimum in-flight-size [bytes] |
28 | 72 | initial cwin | First in-flight size, or total number of unacknowledged bytes sent before receiving the first ACK segment [bytes] |
29 | 73 | Average rtt | Average RTT computed measuring the time elapsed between the data segment and the corresponding ACK [ms] |
30 | 74 | rtt min | Minimum RTT observed during connection lifetime [ms] |
31 | 75 | rtt max | Maximum RTT observed during connection lifetime [ms] |
32 | 76 | Stdev rtt | Standard deviation of the RTT [ms] |
33 | 77 | rtt count | Number of valid RTT observation |
34 | 78 | ttl_min | Minimum Time To Live |
35 | 79 | ttl_max | Maximum Time To Live |
36 | 80 | rtx RTO | Number of retransmitted segments due to timeout expiration |
37 | 81 | rtx FR | Number of retransmitted segments due to Fast Retransmit (three dup-ack) |
38 | 82 | reordering | Number of packet reordering observed |
39 | 83 | net dup | Number of network duplicates observed |
40 | 84 | unknown | Number of segments not in sequence or duplicate which are not classified as specific events |
41 | 85 | flow control | Number of retransmitted segments to probe the receiver window |
42 | 86 | unnece rtx RTO | Number of unnecessary transmissions following a timeout expiration |
43 | 87 | unnece rtx FR | Number of unnecessary transmissions following a fast retransmit |
44 | 88 | != SYN seqno | Set to 1 if the eventual retransmitted SYN segments have different initial seqno |
89 | Completion time | Flow duration since first packet to last packet [ms] | |
90 | First time | Flow first packet since first segment ever [ms] | |
91 | Last time | Flow last segment since first segment ever [ms] | |
92 | C first payload | Client first segment with payload since the first flow segment [ms] | |
93 | S first payload | Server first segment with payload since the first flow segment [ms] | |
94 | C last payload | Client last segment with payload since the first flow segment [ms] | |
95 | S last payload | Server last segment with payload since the first flow segment [ms] | |
96 | Internal | Boolean set to 1 if the client has internal IP | |
97 | Connection type | Bitmask stating the connection type (by TCPL7 payload inspection engine). See description below. | |
98 | P2P type | Type of P2P protocol, as identified by the IPP2P engine. See description below. | |
99 | P2P subtype | P2P protocol message type, as identified by the IPP2P engine. Application dependent. See ipp2p_tstat.c | |
100 | ED2K Data | For P2P ED2K flows, the number of data messages | |
101 | ED2K Signaling | For P2P ED2K flows, the number of signaling (not data) messages | |
102 | ED2K C2S | For P2P ED2K flows, the number of client<->server messages | |
103 | ED2K C2C | For P2P ED2K flows, the number of client<->client messages | |
104 | ED2K Chat | For P2P ED2K flows, the number of chat messages |
Bitmask Value | Description |
---|---|
0 | Unknown protocol |
1 | HTTP protocol |
2 | RTSP protocol |
4 | RTP protocol |
8 | ICY protocol |
16 | RTCP protocol |
32 | MSN protocol |
64 | YMSG protocol |
128 | XMPP protocol |
256 | P2P protocol |
512 | SKYPE protocol |
1024 | SMTP protocol |
2048 | POP3 protocol |
4096 | IMAP protocol |
Set-to-1 n-th bit of Bitmask | Description |
---|---|
1 | IPP2P_ED2K |
2 | IPP2P_DATA_KAZAA |
3 | IPP2P_DATA_ED2K |
4 | IPP2P_DATA_DC |
5 | IPP2P_DC |
6 | IPP2P_DATA_GNU |
7 | IPP2P_GNU |
8 | IPP2P_KAZAA |
9 | IPP2P_BIT |
10 | IPP2P_APPLE |
11 | IPP2P_SOUL |
12 | IPP2P_WINMX |
13 | IPP2P_ARES |
14 | IPP2P_MUTE |
15 | IPP2P_WASTE |
16 | IPP2P_XDCC |
17 | IPP2P_KAD |
18 | IPP2P_KADU |
19 | IPP2P_PPLIVE |
20 | IPP2P_SOPCAST |
21 | IPP2P_TVANTS |
Tstat produces a "log_udp_complete" file which logs every UDP possible flow
pair tracked by tstat.
By default, only P2P UDP traffic is logged here. UDP information for
other application protocols (Skype, IM protocols, etc.) is logged in the
protocol own log_*_complete file.
It's possible to log all the UDP traffic by defining LOG_ALL_UDP.
An UDP flow pair is identified when the first UDP segment is observed for a
UDP socket pair, and is ended when no packet has been observed
(from both sides) for UDP_IDLE_TIME microsec (defined in param.h).
By default is set to 5 min.
Each line is composed of two parts: values referring to the "client"
host (i.e. the host source of the first segment for the flow),
and values referring to the "server" host (i.e. the destination of the first
segment of the flow).
Here it follows a brief description of the columns.
log_udp_complete | Parameters logged in the UDP flow level log file | ||
---|---|---|---|
Column no. | Short desc | Long descr | |
Client | Server | ||
1 | 9 | Client/Server IP address | IP addresses of the client/server |
2 | 10 | Client/Server UDP port | UDP port addresses for the client/server |
3 | 11 | First time | Client/Server first packet time since first segment ever [ms] |
4 | 12 | Completion time | Time between the first and the last packet from the client/server [s] |
5 | 13 | Data bytes | Number of bytes transmitted in the payload |
6 | 14 | Packets | Total number of packets observed from the client/server |
7 | 15 | Internal | Bool set to 1 if the client/server has internal IP |
8 | 16 | UDP Type | Protocol type for the client->server/server->client semiflow. See description below. |
Value | Description |
---|---|
0 | UDP UNKNOWN |
1 | FIRST_RTP |
2 | FIRST_RTCP |
3 | RTP |
4 | RTCP |
5 | SKYPE_E2E |
6 | SKYPE_E2O |
7 | SKYPE_SIG |
8 | P2P_ED2K |
9 | P2P_KAD |
10 | P2P_KADU |
11 | P2P_GNU |
12 | P2P_BT |
13 | P2P_DC |
14 | P2P_KAZAA |
15 | P2P_PPLIVE |
16 | P2P_SOPCAST |
17 | P2P_TVANTS |
Similarly, a complete log keeping track of each RTP flow measured indexes is maintained in the
log_rtp_complete file.
Being it impossible to detect RTP/RTCP flows, a heuristic methodology as
been implemented. A state machine is used, to track RTP flows. At the first
UDP packet, it is labeled as unknown. For each new UDP flows, Tstat
double checks if the UDP payload may be an RTP/RTCP packet. This is done by
double checking that
If so, the flow is marked as possible RTP/RTCP flow (first_RTP/first_RTCP
status).
When the second UDP segment of this UDP flow (same IP/ports) is observed,
then Tstat double checks it still be interpreted as RTP/RTCP payload.
In the case of RTP flows, it checks that
Then the flows is marked as RTP and its analysis may start.
For RTCP flows, a simpler heuristic is used:
If so, the flow is considered a RTCP flow and its analysis may start.
For each RTP flow which is successfully tracked, a line in the log_rtp_complete file will be written when the flows ends. Here it follows a brief description of the columns.
log_rtp_complete | Parameters logged in the RTP flow level log file | |
---|---|---|
Col no. | Short desc | Long descr |
1 | Client IP addr | IP addresses of the transmitter |
2 | Client TCP port | UDP port addresses of the transmitter |
3 | pnum | total number of packets observed |
4 | ssrc | synchronization source identifier used |
5 | avg pkt delay | average inter-packet gap [ms] over the all session |
6 | jitter | average jitter observed over all session (RFC3550) |
7 | out of sequence | total number of out of sequence packets observed |
8 | duplicate | total number of duplicate packets observed |
9 | late | total number of late packets observed |
10 | lost | total number of lost packets observed |
11 | internal src | 1 if the IP sender address was internal |
12 | internal dst | 1 if the IP sender address was internal |
Similarly, a complete log keeping track of each SKYPE flow measured indexes is maintained in the
log_skype_complete file.
Being it very difficult to detect Skype flows, a methodology described into "Revealing skype traffic: when
randomness plays with you" has
been implemented.
For each Skype flow which is successfully tracked, a line in the log_skype_complete file will be written when the flow ends. Here it follows a brief description of the columns.
Note that records change according to the trasport layer (UDP or TCP) used by Skype.
log_skype_complete -- TCP only -- | Parameters logged in the SKYPE flow level log file -- TCP flows only -- | ||
---|---|---|---|
Column no. | Short Description | Long Description | |
Client | Server | ||
1 | 17 | Client/Server IP addr | IP address of the client/server |
2 | 18 | Client/Server port | TCP port address for the client/server |
3 | 19 | Internal | Internal address (0=no, 1=yes) |
4 | 20 | Flow Size | Flow Size [Bytes] |
5 | 21 | Total packets | No. of Total flow packets |
6 | 22 | Audio/video pkts | No. of audio or audio+video packets |
7 | 23 | Video only pkts | No. of video only packets |
8 | 24 | Avg Pktsize | Average Packet size |
9 | 25 | Avg Pktsize: MMB | Average Packet Size: Max Mean Belief |
10 | 26 | Avg IPG | Average Inter-packet Gap [ms] |
11 | 27 | Avg IPG: MMB | Average IPG: Max Mean Belief |
12 | 28 | CHI HDR max | Chi-square on Header: max value |
13 | 29 | CHI PAY max | Chi-square on Payload: max value |
14 | 30 | BFT | Bayesian Flow Type |
15 | 31 | CSFT | Chi-square Flow Type |
16 | 32 | Video present | Video present flag (0=no, 1=yes) |
33 | Start Time | Flow Start Time (Unix Epoch Time) [s] | |
34 | Elapsed Time | Flow Elapsed Time [s] | |
35 | T | Label to state a TCP flow |
log_skype_complete -- UDP only -- | Parameters logged in the SKYPE flow level log file -- UDP flows only -- | ||
---|---|---|---|
Column no. | Short Description | Long Description | |
Client | Server | ||
1 | 24 | Client/Server IP addr | IP address of the client/server |
2 | 25 | Client/Server port | UDP port address for the client/server |
3 | 26 | Internal | Internal address (0=no, 1=yes) |
4 | 27 | Flow Size | Flow Size [Bytes] |
5 | 28 | Total packets | No. of Total flow packets |
6 | 29 | E2E packets | No. of End-to-End packets |
7 | 30 | E2O packets | No. of SkypeOut packets |
8 | 31 | SIG packets | No. of Signaling packets |
9 | 32 | UNK packets | No. of Unknown packets |
10 | 33 | Audio/video pkts | No. of audio or audio+video packets |
11 | 34 | Video only pkts | No. of video only packets |
12 | 35 | Avg Pktsize | Average Packet size |
13 | 36 | Avg Pktsize: MMB | Average Packet Size: Max Mean Belief |
14 | 37 | Avg IPG | Average Inter-packet Gap [ms] |
15 | 38 | Avg IPG: MMB | Average IPG: Max Mean Belief |
16 | 39 | CHI HDR min | Chi-square on Header: min value |
17 | 40 | CHI HDR max | Chi-square on Header: max value of {1-4}&{7,8} blocks |
18 | 41 | CHI HDR min 5,6 | Chi-square on Header: min value of {5,6} blocks |
19 | 42 | CHI PAY max | Chi-square on Payload: max value |
20 | 43 | DFT | Deterministic Flow Type |
21 | 44 | BFT | Bayesian Flow Type |
22 | 45 | CSFT | Chi-square Flow Type |
23 | 46 | Video present | Video present flag (0=no, 1=yes) |
47 | Start Time | Flow Start Time (Unix Epoch Time) [s] | |
48 | Elapsed Time | Flow Elapsed Time [s] | |
49 | U | Label to state a UDP flow |
Similarly, a complete log keeping track of each CHAT flow measured indexes is maintained in the
log_chat_complete file.
Tstat is able to classify MSN Messenger, Yahoo! Messenger and Chat based on
XMPP Protocol such as Jabber or Google Talk.
For each chat flow which is successfully tracked, a line in the log_chat_complete file will be written when the flows ends. Here it follows a brief description of the columns.
log_chat_complete | Parameters logged in the CHAT flow level log file | ||
---|---|---|---|
Column no. | Short Description | Long Description | |
Client | Server | ||
1 | 11 | Client/Server IP addr | IP address of the client/server |
2 | 12 | Client/Server port | TCP port address for the client/server |
3 | 13 | Flow Size | Flow Size [Bytes] |
4 | 14 | Total packets | No. of Total flow packets |
5 | 15 | Total messages | No. of Total messages sent by client |
6 | 16 | No. of MSGs A | No. of messages "A" sent by client [for MSN only, always 0 for the others] |
7 | 17 | No. of MSGs D | No. of messages "D" sent by client [for MSN only, always 0 for the others] |
8 | 18 | No. of MSGs N | No. of messages "N" sent by client [for MSN only, always 0 for the others] |
9 | 19 | No. of MSGs U | No. of messages "U" sent by client [for MSN only, always 0 for the others] |
10 | 20 | No. of MSGs Y | No. of messages "Y" sent by client [for MSN only, always 0 for the others] |
21 | Start Time | Flow Start Time (Unix Epoch Time) [s] | |
22 | End Time | Flow End Time [s] | |
23 | Chat Flow Type | Chat Flow Type : see below | |
24 | Chat Version | Version of the protocol used by the Instant Messaging application | |
25 | Internal | Client IP address is internal ? (0=no, 1=yes) | |
26 | TCP Flow No. | TCP Flow ID Number | |
27 | "T" | Label to state a TCP Flow | |
28 | Chat Protocol | Type of Upper Level Protocol [32=MSN, 64=Yahoo, 128=Jabber/GTalk] |
Chat Flow Type | ||
---|---|---|
Value | Description | IM Protocols |
0 | Unknown | All |
1 | Login | All |
2 | Presence | All |
3 | Chat | All |
4 | Presence+Chat | Yahoo only |
5 | Http Tunneling | MSN only |
6 | Peer-to-Peer Chat (i.e. direct TCP connection between clients instead of C2S/S2C) | Yahoo only |
7 | Unclassified Yahoo Messenger flow | Yahoo only |
Each message tracked by Tstat is maintained in the log_chat_messages file.
Tstat is able to detect messages received or sent by MSN, Yahoo, Jabber or
GTalk clients.
For each chat message successfully tracked, a line in the log_chat_messages file will be written as soon as the message is received/sent. Here it follows a brief description of the columns.
log_chat_messages | Parameters logged in the CHAT flow level log file | |
---|---|---|
Col no. | Short Description | Long Description |
1 | TCP Flow No. | TCP Flow ID Number |
2 | Message Type | Type of Message (? if not available) |
3 | Dir | TCP Flow Direction (1=C2S, -1=S2C) |
4 | Message Size | Message Payload Size [Bytes] (? if not available) |
5 | Payload Size | TCP Payload Size [Bytes] |
6 | Start Time | Flow Start Time (Unix Epoch Time) [s] |
7 | Arrival Time | Message Arrival Time [s] |