Mailing list
We suggest that you subscribe to the tstat mailing list to get updates and news,
report bugs, and the like. You can do so directly from the tstat mailing list page,
where you can also browse the mailing list archives.
Quick start
Download the latest release and run:
./autogen.sh
./configure [--enable-libtstat]
make
Please note that libpcap is required.
For all other information, please refer to the documentation.
Download
Tstat is tested on Linux 2.4 and 2.6 kernels, including RedHat, Fedora, Ubuntu, Debian and OpenSuse
systems, and on Mac OS X 10.7 (Lion) and 10.6 (Snow Leopard).
It should work under FreeBSD 4.1, NetBSD 1.3, HP-UX and IRIX,
although we don't have any of those platforms to test it on.
If you are able to run Tstat on other operating systems, we'll be happy to include them in
the list.
Tstat is provided under the GPL software license and made available for
free for personal and research use. If you plan to use it commercially, you should contact us.
Parts of the Skype engine are protected by international patents; please contact us if you intend to use them.
See the Skype page for more details.
This is the list of the latest stable versions of Tstat:
| Date | File | Description |
|---|---|---|
| 2012, 18 May | reduced_flv_r394.patch | fixes metadata collection for FLV videos with reduced header (for Tstat 2.3.1) |
| 2012, 2 April | video_2.3.patch | restore possibly broken video payload classification and video RRDs (for Tstat 2.3) |
| 2012, 2 April | tstat-2.3.1.tar.gz | Updated version of Tstat 2.3 including the video payload and RRD bugfix |
| 2012, 14 February | tstat-2.3.tar.gz | improved classification of video over HTML |
| 2012, 04 February | configure.ac | Configure.ac to be used when compiling on Ubuntu 11.10 (for Tstat 2.2) |
| 2011, 15 June | tstat-2.2.tar.gz | additional classification features (YouTube, Bittorrent uTP) |
| 2010, 23 June | vimeo_r276.patch | restore broken Vimeo identification (for Tstat 2.1) |
| 2010, 31 May | tstat-2.1.tar.gz | improve the classification capabilities and the post process of the log files |
| 2010, 24 February | patch | solve a bug when processing empty pcap files |
| 2009, 29 January | tstat-2.0.2.tar.gz | bugfixes and updated the dump engine |
| 2008, 28 October | tstat-2.0.tar.gz | restarting point for the software! |
| 2005, 20 July | tstat-1.01.tar.gz | bug fixes and integrated ERF format |
| 2005, 1 June | tstat-1.0.tar.gz | integrated RRD db and live capture through ethernet cards |
| 2002, 1 June | tstat-0.92.tar.gz | |
The latest version of the Web interface, as well as the
RRD configuration file, can be downloaded here:
See the
cgi configuration section of the manual to install it.
Tstat is not a commercial tool, but it is constantly updated. A new stable version
is released each year, while an unstable version is constantly updated through our
SVN repository.
To check out the latest commit from the repository, use:
svn checkout http://tstat.polito.it/svn/software/tstat/trunk tstat
News
Version 2.3 introduces a new DPI engine for video
classification, separated from the previous URL-based one:
- New additional DPI engine for classification of video streams,
with a new associated log file (log_streaming_complete)
- New dump options
- Updated DPI classification:
  - UDP MPEG2 PES video streams, PPStream P2P TV, TEREDO
  - Updated Facebook and YouTube classification
  - Added Twitter and Dropbox services
- Added additional TLS/SSL logging
- General improvements and bugfixes
Version 2.2 introduces additional classification
features (YouTube, Bittorrent uTP):
- Direct generation of compressed (.gz) logs and dumps
- Updated DPI classification:
  - Bittorrent uTP (new Bittorrent protocol for content transfer over UDP)
  - Detailed YouTube characterization
- "Cloud" characterization: separate identification and statistics
(RRD/Histograms) for traffic to/from a specific range of
addresses ("cloud")
- New log file for videos (log_video_complete)
- General improvements and bugfixes
Version 2.1 improves the classification capabilities and
the post process of the log files:
- Bugfixes (see ChangeLog)
- Updated DPI classification:
  - Added SSL/TLS
  - Improved IMAP classification
  - Heuristics for identification of eMule/ED2K obfuscated TCP connections
    and eMule/KAD obfuscated UDP flows
  - Heuristics for identification of Bittorrent encrypted connections
- HTTP flow content identification, based on the shallow matching of
the URL path:
  - Facebook
  - YouTube and other video download services
  - File Hosting services like RapidShare, MegaUpload, and others
- New format for subnet file (-N)
- Changed bitrate RRDs and histograms from kbit/s to bit/s
- Improved detection of duplicated TCP/UDP segments
- Improved identification of MPLS packets when using libpcap
- Included a MySQL db scheme and a few Perl scripts for Tstat Log analysis
(in scripts/MySQL/)
Version 2.0 is a fresh restarting point because a lot of new features have been added:
- Added a Skype classification engine
- Added a Deep Packet Inspector (DPI) classifier for the application level. It
is based on the IPP2P engine, with a lot
of manual tuning and extended protocol support.
Supported protocols are (++, +, ?, - state the goodness):
  - P2P protocols: Emule (++), Kad (++), Kad/Adunanza (++), Bittorrent (+),
    other P2P (?)
  - P2P-TV: PPlive (++), SopCast (++), TVAnts (++) [udp only]
  - Chat: MSN (++), Yahoo (++), Jabber (+)
  - Client Server Protocols: HTTP (+), SMTP (+), IMAP (-), POP
    (+), RTP/RTCP (++), ICY (+)
- Added support for creating packet-level traces that split the input traffic
according to the DPI classification. This allows running Tstat live and getting packet-level
traces with only the packets matching a subset of the protocols.
- Added a runtime module to enable/disable writing of traces and logs
without killing the Tstat process. This is useful if you want to run Tstat
and change its configuration on the fly, e.g., to enable dumping of packet-level
traces.
- Added support for building Libtstat, a shared library that enables the
use of Tstat features from external tools. This will simplify the merging of
Tstat with other tools.
- Added a new compact format for log files
- Improved Endace DAG card support
- Many bug fixes and code optimizations.
Version 1.01 contains several bug fixes and a few novelties; among others:
- fixed a bug in address.c that caused wrong hit counter updates
- fixed some #ifdef errors when GROK_TCPDUMP was not defined
- fixed some problems when reading from a pipe
New features in version 1.01:
- updated erf.c so that VLAN encapsulation over SDH should also be correctly
decoded
- experimental and quick patch that allows reading from two separate files
when using the ERF file format. This is useful when using two separate
trace files (one file for each direction). To enable this, add the -2 switch
and then pass two files to tstat, e.g., tstat -2 in.erf out.erf
Warning: the first file may be compressed, while the second one must not be;
use a pipe to avoid this limitation.
Version 1.0
Since version 0.92, Tstat has been extensively developed.
Among the most important novelties, you'll find:
- Integration with RRDtool
- Live analysis with libpcap and DAG interface
- multithreading to support live analysis on high-speed links
- new measurement indexes
- TCP out-of-sequence and duplicate classification
- RTP/RTCP flow analysis
- UDP flow analysis
- other changes and tune-up
- updated code to TCPTrace ver 6.6.x
- many bug fixes
- naming made uniform in the English language (where possible)
- many more...
Post Process
Apart from the statistics directly browsable through the Web interface,
researchers may want to post-process the collected dataset
with the maximum degree of freedom. In this case, the following tools may prove useful:
plot_cum.pl, plot_time.pl
These Perl scripts, useful for producing either i) time or ii)
aggregated plots over different time spans, allow gathering
the data shown in the old web interface.
DiaNa is open source software developed to deal with huge amounts
of data, of which Tstat traces are a very good example,
performing tasks ranging from very easy to very complex in a very efficient way.
Some of the previously published
results have been gathered through the use of DiaNa.