TCP STatistic and Analysis Tool 


Tstat home | TNG home

Mailing list

We suggest you to subscribe to the tstat mailing list to get updates, news or signal a bug and the usual stuff. You can do it directly from tstat mailing list page from where you can also browse the mailing list archives.

Quick start

Tstat is not a commercial tool but is constantly updated. The latest stable development version is always available through our SVN repository. This is the suggested version to be used, since it contains the most recent bugfixes and the latest features, and it is the one we daily use on our production probes. To check out the latest commit copy on the repository use: 
  	svn checkout http://tstat.polito.it/svn/software/tstat/trunk tstat
If you prefer a stable feature-frozen version, you can download the latest frozen release.

To start using Tstat, after downloading the code, do 
./autogen.sh
./configure
make
Please note that libpcap is required. You might also need some development tools for your system (automake, libtool) or additional libraries. For all the other information please refer to documentation

Download

Tstat is tested on Linux systems (currently Ubuntu, Debian, RedHat, and CentOS), and on Mac OS X (starting from 10.6 Snow Leopard to the current 10.11 El Capitan). It includes support for compilation for Android, and has been reported working on OpenWRT. It should work under FreeBSD, NetBSD, and other unix-like systems, although we don't have any of those platforms to test it. If you are able to run Tstat on other OSes, we'll be happy to include them in the list.

Tstat is provided under the GPL software license and made available for free for personal and research usage. If you plan to use it for commercial usage, you should contact us.

Parts of the DN-Hunter engine and the Skype engine are protected by international patents, please contact us if you intend to use any of them.
See the DN-Hunter page or the Skype page for more details.

While the usage of the SVN version is suggested, here there is the list of the latest stable versions of Tstat:

2016, 30 May tstat-3.1.1.tar.gz Tstat 3.1.1 - Fixed several critical IPv6 issues (see below)
2016, 24 May tstat-3.1.0.tar.gz Tstat 3.1.0 (see below for changes)
2015, 07 December tstat-3.0.1.tar.gz Tstat 3.0.1
2015, 07 December InitGlobalArrays.patch Patch to fix a memory problem with InitGlobalArrays (for Tstat 3.0.0)
2015, 26 June tstat-3.0.tar.gz Tstat 3.0
2014, 6 May tstat-2.4.tar.gz Tstat 2.4
2012, 18 May reduced_flv_r394.patch fixes metadata collection for FLV videos with reduced header (for Tstat 2.3.1)
2012, 2 April tstat-2.3.1.tar.gz Updated version of Tstat 2.3 including the video payload and RRD bugfix
2012, 2 April video_2.3.patch restore possibly broken video payload classification and video RRDs (for Tstat 2.3)
2012, 14 February tstat-2.3.tar.gz improved classification of video over HTML
2012, 04 February configure.ac Configure.ac to be used when compiling on Ubuntu 11.10 (for Tstat 2.2)
2011, 15 June tstat-2.2.tar.gz additional classification features (YouTube, Bittorrent uTP)
2010, 23 June vimeo_r276.patch restore broken Vimeo identification (for Tstat 2.1)
2010, 31 May tstat-2.1.tar.gz improve the classification capabilities and the post process of the log files
2010, 24 February patch solve a bug when processing empty pcap files
2009, 29 January tstat-2.0.2.tar.gz bugfixes and updated the dump engine
2008, 28 October tstat-2.0.tar.gz restarting point for the software!
2005, 20 July tstat-1.01.tar.gz bug fixes and integrated ERF format
2005, 1 June tstat-1.0.tar.gz integrated RRD db and live capture through ethernet cards
2002, 1 Junetstat-0.92.tar.gz

The latest version of the Web interface, as well as the RRD configuration file, can be downloaded here: See the cgi configuration section of the manual to install it.

Version 3.1.1 fixes many severe IPv6 issues in version 3.1.0 associated to payload management and the header extentions chaining

Version 3.1 extends all Tstat features to IPv6 traffic, enably IPv6 support by default:
  • Improved and reworked IPv6 management
    • IPv6 datagrams will respect the direction (internal/external) determined by the MAC addresses (-M) or by the ip_direction parameter (when used in LibTstat)
    • DN-Hunter supports IPv6
    • IPv6 addresses can be CryptoPAn-encrypted
    • Unified the management for the lists of internal/crypto/cloud/whitelist networks
    • When IPv6 is enabled at compilation time, processing of IPv6 datagrams can be disabled via the -6 command line option
  • Added explicit Netflix classification, included as a separate Web class in the RRDs
  • Defined new RRD/histos for TLS classification based on SNI for the major services
  • Relaxed the test for HALFDUPLEX flows to be less strict on out-of-order SYN/SYNACKs
  • Added Cookies and Do-Not-Track to log_http_complete
  • General improvements and bugfixes
Version 3.0 introduces further personalization in the log management, improvements in configurability and in the privacy management for the collected data:
  • New features
    • New modular organization for the log files
      • Modular structure controlled by runtime.conf
      • Merged log_video_complete and log_streaming_complete in a single log_video_complete file, sharing modules from log_tcp_complete
    • Improved configurability
      • Most of the constant parameters that used to be defined at compilation time in param.h can now provided at startup with the new -G option
    • Usage of the CryptoPAn-based encryption for address anonymization
    • Inclusion of the DN-Hunter feature, to associate DNS information to the traffic flows
  • Improved performances for its usage with the DPDKStat framework
  • Updated DPI classification
    • Improved QUIC classification
    • Richer TLS information: NPN/ALPN negotiation for SPDY and HTTP2, TLS handshake timings
    • Disabled old or rare P2P protocols
  • Removed multi-threading support (not compatible with the new features)
  • General improvements and bugfixes
Version 2.4 introduces more flexible log and dump management, updated video classification, and deeper analysis of HTTP traffic:
  • New features
    • log files are created with a header at the beginning specifing their format
    • logs can be enabled/disable individually using runtime.conf
    • improved the reactivity of enabling/disabling logs using runtime.conf (no need to wait the creation of the new directory before to see a new file)
    • dump TCP traffic based on Conn_Type
    • log details of HTTP requests/responses
  • Added the option to distiguish internal/external traffic based on the MAC addresses
  • Added the option to mask/obfuscate internal IP addresses in logs and dumps
  • Updated DPI classification
    • Added HLS video classification
    • Updated Facebook, Vimeo, FLV, RTMP, and YouTube classification
    • Added support for the new 46-char YouTube IDs
  • General improvements and bugfixes

Version 2.3 introduces a new DPI engine for video classification, separated from the previous URL-based one:
  • New additional DPI engine for classification of video streams, with a new associated log file (log_streaming_complete)
  • New dump options
  • Updated DPI classification:
    • UDP MPEG2 PES video streams, PPStream P2P TV, TEREDO
    • Updated Facebook and YouTube classification
    • Added Twitter and Dropbox services
    • Added additional TLS/SSL logging
  • General improvements and bugfixes

Version 2.2 introduces additional classification features (YouTube, Bittorrent uTP):
  • Direct generation of compressed (.gz) logs and dumps
  • Updated DPI classification:
    • Bittorrent uTP (new Bittorrent protocol for content transfer over UDP)
    • Detailed YouTube characterization
  • "Cloud" characterization: separate identification and statistics (RDD/Histograms) for traffic to/from a specific range of addresses ("cloud")
  • New log file for videos (log_video_complete)
  • General improvements and bugfixes

Version 2.1 improves the classification capabilities and the post process of the log files:
  • Bugfixes (see ChangeLog)
  • Updated DPI classification:
    • Added SSL/TLS
    • Improved IMAP classification
    • Heuristics for identification of eMule/ED2K obfuscate TCP connections and eMule/KAD obfuscate UDP flows
    • Heuristics for identification of Bittorrent encrypted connections
    • HTTP flow content identification, based on the shallow matching of the URL path:
      • Facebook
      • YouTube and other video download services
      • File Hosting services like RapidShare, MegaUpload, and others
  • New format for subnet file (-N)
  • Changed bitrate RRDs and histograms from kbit/s to bit/s
  • Improved detection of duplicated TCP/UDP segments
  • Improved identification of MPLS packets when using libpcap
  • Included a MySQL db scheme and a few Perl scripts for Tstat Log analysis (in scripts/MySQL/)

Version 2.0 is a fresh restarting point because a lot of new features has been added:
  • Added a Skype classification engine
  • Added a Deep Packet Inspector - DPI classifier for application level.It is based on the IPP2P engine, with lot of manual tuning and extended protocol support.
    • Supported protocols are (++,+,?,- states the goodness)
    • P2P protocols: Emule (++), Kad (++), Kad/Adunanza (++), Bittorrent (+), others P2P (?)
    • P2P-TV: PPlive (++), SopCast (++), TVAnts (++) [udp only]
    • Chat: MSN (++), Yahoo (++), Jabber (+)
    • Client Server Protocols: HTTP (+), SMTP (+), IMAP (-), POP (+), RTP/RTCP (++), ICY(+)
  • Added support to create packet level traces splitting the input traffic w.r.t DPI classification. It allows to run Tstat live and get packet level traces with only packets matching a subset of the protocols.
  • Added a runtime module to enable/disable writing of traces and logs without kill the Tstat process. This is useful it you want to run Tstat and change its configuration on the fly, e.g., enable dumping of packet level traces.
  • Added support for building Libtstat, a shared library that enable to use Tstat features from external tools. This will simplify the merging of Tstat with other tools.
  • Added a new compact format for log files
  • Improved Endace DAG card support
  • Lot of bug fixes and code optimizations.

Version 1.01 contains several bug fixes and few novelties; among others
  • fixed a bug in address.c that caused wrong hit counter updates
  • fixed some #ifdef errors when GROK_TCPDUMP was not defined
  • fixed some problems when reading from a pipe
New features in version 1.01:
  • updated erf.c so that also VLAN encapsulation over SDH should be correctly decoded
  • experimental and quick patch that allows to read from two separate files when using the ERF file formats. This is useful when using two separate trace files (one file for each directions). To enable this, add the -2 switch, and then pass two files at tstat, e.g., tstat -2 in.erf out.erf Warning: the first file may be compressed, while the second one must not; use a pipe to avoid this limitation.
Version 1.0 Since version 0.92, Tstat has been deeply developed. Among the most important novelties, you'll find
  • Integration with RRDtool
  • Live analysis with libpcap and DAG interface
  • multithread to support live analysis on high-speed links
  • new measurement indexes
    • TCP out-of-sequence and duplicate classification
    • RTP/RTCP flow analysis
    • UDP flow analysis
    • other changes and tune-up
  • updated code to TCPTrace ver 6.6.x
  • many bug fixes
  • uniformed naming to English (possibly) language
  • many more...
  Navigation Shortcuts
  Main
  Overview
  Web Interface
        Gallery
  Download
        Archives
        SVN
  Available Traces
        Mobile
        Log TCP
        WeBrowse
        Skype
        Instant Messaging
        Multicast IP-TV
  Documentation
        Measurement
              Histograms
              Logs
              RRD interface
        Publications
        HOWTO
  Useful Links
  Contacts
  Tstat Mailing List
  M. Mellia
  M. Munafò


Tstat home | TNG home | workgroup | people | software | papers

©2008 Telecommunication Networks Group - Politecnico di Torino