We're currently working on a program which analyzes network capture files,
collects statistics about the captured network traffic and displays the results.
In this article I'll talk a bit about the features of the program; more technical
information will follow in future articles.
What are network capture files?
With programs like Wireshark and tcpdump you can record the network traffic seen at a specific
network interface. These programs usually switch the network interface into promiscuous mode and
use operating-system-specific programming interfaces to capture both the network packets received
on that interface and the network packets originating on that host that are handed to the network
interface driver.
In networks built on Ethernet switches, the received network traffic is limited to packets
which are either sent directly to the host the capturing process runs on or are multicast traffic.
If you need to capture the traffic of more than a few machines, you have to use a feature called
port mirroring on a network switch that supports it, and either use a dedicated machine
for capturing or equipment specifically designed for that purpose (network taps).
These programs store the recorded traffic in capture files, which can later be used to analyze the
traffic. The capturing process is not perfect: quite a few factors influence it, such as
the write speed of the mass storage, how much offloading the network interface does, the backplane
speed of the switch, and so on.
After recording, you can use e.g. Wireshark to analyze the recorded traffic, apply filter conditions
(written in a sophisticated filter expression language) to limit the number of displayed packets,
extract content, and much more.
The program
The goal of our program is to analyze network capture files recorded by one of the means mentioned
above and to extract many statistical counters and other data from them. The program is currently a
Windows console program which analyzes a single capture file and prints the results. A GUI frontend
is in a very early state of development; its main goal is to let the user interactively
explore the results, with the option to concentrate on a specific protocol or network host.
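To make the idea of extracting statistical counters from a capture file concrete, here is an added example (not pcap-parser's own code, whose implementation is not shown here): a minimal libpcap reader in Python that counts packets and bytes per Ethertype and per IPv4 protocol. The three-packet capture is constructed in memory so the example runs offline; the record lengths are checked before use because a capture file is untrusted input.

```python
import struct
from collections import Counter

def _eth(ethertype, payload):
    # Ethernet II frame with constructed MAC addresses (sample data, not a real capture)
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags, TTL, proto, checksum 0, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])) + payload

def build_pcap(frames):
    # libpcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # per-packet record header: ts_sec, ts_usec, captured length, original (wire) length
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed three-packet capture: IPv4/TCP, IPv4/UDP and ARP
SAMPLE_PCAP = build_pcap([
    _eth(0x0800, _ipv4(6, b"\x00" * 40)),
    _eth(0x0800, _ipv4(17, b"\x00" * 8)),
    _eth(0x0806, b"\x00" * 28),
])

def pcap_stats(data):
    """Walk a libpcap file and count packets and bytes per Ethertype and per IPv4 protocol."""
    if len(data) < 24:
        raise ValueError("not a libpcap file")
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:                      # magic number also tells us the writer's byte order
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    stats = {"packets": 0, "bytes": 0, "ethertype": Counter(), "ip_proto": Counter()}
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")   # never trust lengths from the file
        off += 16 + incl_len
        stats["packets"] += 1
        stats["bytes"] += orig_len       # wire length, not only what fit into the snaplen
        if len(frame) >= 14:
            ethertype = struct.unpack("!H", frame[12:14])[0]
            stats["ethertype"][ethertype] += 1
            if ethertype == 0x0800 and len(frame) >= 34:
                stats["ip_proto"][frame[23]] += 1   # IPv4 protocol field: Ethernet header + 9
    return stats
```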
Benefits
The results the program extracts from the capture files can be used for a variety of purposes:
- use accumulated figures for the network traffic as a whole and for individual network protocols to make informed decisions about when and where you might have to purchase more network infrastructure
- pinpoint bottlenecks, either in the infrastructure itself or in specific services and servers
- find more information about the captured automatic client configuration processes and possible configuration mistakes
Future articles will contain further, more technical information, including a list of the currently supported network protocols.
We will release the first pre-alpha version of this program, called pcap-parser, at the end of the year 2019.
If you have any questions or comments, please tell us.