Advanced Filtering

The -f option performs more sophisticated filtering of connections, selecting them by the per-connection statistics that tcptrace collects. The supported filter variables can be listed with -hfilter:

Beluga:/Users/mani/tcptrace-manual> tcptrace -hfilter
Filter Variables:
  variable name      type      description
  -----------------  --------  -----------------------
  hostname           STRING    FQDN host name (unless -n)
  portname           STRING    service name of the port (unless -n)
  port               UNSIGNED  port NUMBER
  mss                SIGNED    maximum segment size
  f1323_ws           BOOL      1323 window scaling requested
  f1323_ts           BOOL      1323 time stampts requested
  fsack_req          BOOL      SACKs requested
  window_scale       BOOL      window scale factor
  bad_behavior       BOOL      bad TCP behavior
  data_bytes         UNSIGNED  bytes of data
  data_segs          UNSIGNED  segments of data
  data_segs_push     UNSIGNED  segments with PUSH set
  unique_bytes       UNSIGNED  non-retransmitted bytes
  rexmit_bytes       UNSIGNED  retransmitted bytes
  rexmit_segs        UNSIGNED  segments w/ retransmitted data
  ack_segs           UNSIGNED  segments containing ACK
  pureack_segs       UNSIGNED  segments containing PURE ACK (no data/syn/fin/reset)
  win_max            UNSIGNED  MAX window advertisement
  win_min            UNSIGNED  MIN window advertisement
  win_zero_ct        UNSIGNED  number of ZERO windows advertised
  min_seq            UNSIGNED  smallest sequence number
  max_seq            UNSIGNED  largest sequence number
  num_sacks          UNSIGNED  number of ACKs carrying SACKs
  max_sacks          UNSIGNED  most SACK blocks in a single ACK
  segs               UNSIGNED  total segments
  packets            UNSIGNED  total segments
  syn_count          UNSIGNED  SYNs sent
  fin_count          UNSIGNED  FINs sent
  reset_count        UNSIGNED  RESETs sent
  min_seg_size       UNSIGNED  smallest amount of data in a segment (not 0)
  max_seg_size       UNSIGNED  largest amount of data in a segment
  out_order_segs     UNSIGNED  out of order segments
  sacks_sent         UNSIGNED  SACKs sent
  ipv6_segs          UNSIGNED  number of IPv6 segments sent
  max_idle           UNSIGNED  maximum idle time (usecs)
  num_hw_dups        UNSIGNED  number of hardware-level duplicates
  initwin_bytes      UNSIGNED  number of bytes in initial window
  initwin_segs       UNSIGNED  number of segments in initial window
  rtt_min            UNSIGNED  MIN round trip time (usecs)
  rtt_max            UNSIGNED  MAX round trip time (usecs)
  rtt_count          UNSIGNED  number of RTT samples
  rtt_min_last       UNSIGNED  MIN round trip time (usecs) (from last rexmit)
  rtt_max_last       UNSIGNED  MAX round trip time (usecs) (from last rexmit)
  rtt_count_last     UNSIGNED  number of RTT samples (from last rexmit)
  rtt_amback         UNSIGNED  number of ambiguous ACKs
  rtt_cumack         UNSIGNED  number of cumulative ACKs
  rtt_unkack         UNSIGNED  number of unknown ACKs
  rtt_dupack         UNSIGNED  number of duplicate ACKs
  rtt_nosample       UNSIGNED  ACKs that generate no valid RTT sample
  rtt_triple_dupack  UNSIGNED  number of triple duplicate ACKs (fast rexmit)
  retr_max           UNSIGNED  MAX rexmits of a single segment
  retr_min_tm        UNSIGNED  MIN time until rexmit (usecs)
  retr_max_tm        UNSIGNED  MAX time until rexmit (usecs)
  trunc_bytes        UNSIGNED  number of bytes not in the file
  trunc_segs         UNSIGNED  number of segments not in the file
  num_zwnd_probes    UNSIGNED  number of zero window probes
  zwnd_probe_bytes   UNSIGNED  number of window probe bytes
  urg_data_pkts      UNSIGNED  Number of packets with URGENT bit set
  urg_data_bytes     UNSIGNED  Number of bytes of urgent data
  hostaddr           IPADDR    IP Address (v4 or v6 in standard textual notation
  thruput            UNSIGNED  thruput (bytes/sec)

All of the variables listed above can be used for filtering. Note the ``(unless -n)'' qualifier on hostname and portname: with -n, tcptrace does not resolve host or service names, so filter on hostaddr and port instead.

For example, consider the file tigris.dmp.gz, which contains the following two connections:

Beluga:/Users/mani> tcptrace tigris.dmp.gz
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)        30>   30<  (complete)
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d)   12>   15<  (complete)

The filter variable segs selects connections carrying a given number of segments in either direction, as shown below.

Beluga:/Users/mani> tcptrace -f'segs>=30' tigris.dmp.gz
Output filter: ((c_segs>=30)OR(s_segs>=30))
1 arg remaining, starting with 'tigris.dmp.gz'
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)   30>   30<  (complete)

Note the Output filter line in the above example. The term c_segs stands for the client segs (client2server direction) and s_segs stands for the server segs (server2client direction). We select only those connections that had at least 30 segments in either direction. You may specify the segments in the server2client direction alone, as in:

Beluga:/Users/mani> tcptrace -f's_segs==15' tigris.dmp.gz
Output filter: (s_segs==15)
. . .
TCP connection info:
  2: pride.cs.ohiou.edu:54736 - a17-112-152-32.apple.com:http (c2d)   12>   15<  (complete)

The ``c_'' and ``s_'' prefixes can be applied analogously to all the filter variables listed above. The prefix ``b_'', meaning ``both'', requires the condition to hold in both directions. For the sake of completeness, the prefix ``e_'', meaning ``either'', is also supported; it requires the condition to hold in either direction, which is the default when no prefix is given.

Boolean variables listed above can be used as flags, as in

tcptrace -f'f1323_ws' file.dmp

to select only those connections that had window scaling requested in their SYN segments.

The constant value to which a STRING type variable (hostname/portname) is compared needs to be enclosed in double quotes. The following example selects the connections involving the host elephus.cs.ohiou.edu and the port ssh.

Beluga:/Users/mani> tcptrace -f'hostname=="elephus.cs.ohiou.edu" and portname=="ssh"' tigris.dmp.gz
Output filter: (((c_hostname==elephus.cs.ohiou.edu)OR
(s_hostname==elephus.cs.ohiou.edu))AND((c_portname==ssh)OR(s_portname==ssh)))
. . .
TCP connection info:
  1: pride.cs.ohiou.edu:54735 - elephus.cs.ohiou.edu:ssh (a2b)   30>   30<  (complete)

As in the example above, the boolean operators AND, OR, NOT and their synonyms (-a, -o, &&, ||, !) can be used to combine boolean expressions. Use parentheses if you are unsure of operator precedence. Arithmetic operators (+, -, *, /) with their normal precedence and relational operators (<, >, =, !=, <=, >=) can be applied to SIGNED/UNSIGNED variables. For example, the following are valid:

tcptrace -f'(c_segs+10) < s_segs' file.dmp
tcptrace -f'b_segs>10 && thruput>10000' file.dmp
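The following script is an added example, not tcptrace's own code, that models the prefix rules described above (unprefixed or e_ names match if either direction satisfies the comparison, c_ and s_ pin one direction, b_ requires both) together with the operator set just listed. It rewrites a -f expression into the form tcptrace echoes on its Output filter line and evaluates it against per-direction statistics for the two tigris.dmp.gz connections, so a filter can be sanity-checked before it is run over a large capture. The grammar is the one the manual states; the AND expansion for b_, the rendering of NOT, the rejection of a comparison that mixes b_ with unprefixed names, and the thruput and f1323_ws values in the sample data are assumptions. Filter text is translated to Python syntax and checked against a whitelist of AST node types before it is evaluated, so only the manual's operators and plain names reach eval.

```python
"""Offline model of tcptrace's -f filter language (added example, not tcptrace code).
It expands the c_/s_/b_/e_ prefixes the way the tool's 'Output filter:' line shows
and evaluates the result against per-direction statistics.  Assumed, not taken from
the manual: b_ expands to AND (only the OR expansion of unprefixed names is shown),
NOT is printed as (NOT...), '/' is Python division, and a comparison that mixes
b_ with unprefixed names is rejected."""
import ast
import copy
import re

SYMBOL = {ast.Eq: '==', ast.NotEq: '!=', ast.Lt: '<', ast.LtE: '<=', ast.Gt: '>',
          ast.GtE: '>=', ast.Add: '+', ast.Sub: '-', ast.Mult: '*', ast.Div: '/'}
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
           ast.Compare, ast.BinOp, ast.Name, ast.Constant, ast.Load, *SYMBOL)
# tcptrace operator spellings and their synonyms, rewritten to Python's.
SYNONYMS = [(r'&&|(?<!\S)-a(?!\S)|\band\b', ' and '), (r'\|\||(?<!\S)-o(?!\S)|\bor\b', ' or '),
            (r'!(?!=)|\bnot\b', ' not '), (r'(?<![=!<>])=(?!=)', '==')]


def to_python(text):
    """Rewrite a -f expression into Python syntax, leaving quoted strings untouched."""
    parts = re.split(r'("[^"]*")', text)        # odd indexes hold the quoted strings
    for i in range(0, len(parts), 2):
        for pattern, repl in SYNONYMS:
            parts[i] = re.sub(pattern, repl, parts[i], flags=re.IGNORECASE)
    return ''.join(parts).strip()


class Bind(ast.NodeTransformer):
    """Pin every variable that has no c_/s_ prefix to direction d ('c' or 's')."""
    def __init__(self, d):
        self.d = d

    def visit_Name(self, node):
        if node.id[:2] in ('c_', 's_'):
            return node
        return ast.Name(self.d + '_' + node.id.removeprefix('b_').removeprefix('e_'), ast.Load())


def expand(node):
    """Split each comparison (or bare BOOL flag) into its c_ and s_ instances."""
    if isinstance(node, ast.BoolOp):
        return ast.BoolOp(node.op, [expand(v) for v in node.values])
    if isinstance(node, ast.UnaryOp):
        return ast.UnaryOp(node.op, expand(node.operand))
    free = {n.id[:2] == 'b_' for n in ast.walk(node)
            if isinstance(n, ast.Name) and n.id[:2] not in ('c_', 's_')}
    if len(free) > 1:
        raise ValueError('b_ mixed with unprefixed names in one comparison')
    if not free:                                # only c_/s_ names: nothing to split
        return node
    return ast.BoolOp(ast.And() if free.pop() else ast.Or(),
                      [Bind(d).visit(copy.deepcopy(node)) for d in 'cs'])


def parse(text):
    """Parse a -f expression, refusing any Python syntax outside the filter grammar."""
    tree = ast.parse(to_python(text), mode='eval')
    for n in ast.walk(tree):
        if not isinstance(n, ALLOWED) or (isinstance(n, ast.Compare) and len(n.ops) != 1):
            raise ValueError('not a tcptrace filter expression: ' + ast.dump(n))
    return expand(tree.body)


def render(node):
    """Print an expanded tree in the spacing of tcptrace's 'Output filter:' line."""
    paren = lambda s: s if s.startswith('(') else '(%s)' % s
    if isinstance(node, ast.BoolOp):
        op = 'AND' if isinstance(node.op, ast.And) else 'OR'
        return '(%s)' % op.join(paren(render(v)) for v in node.values)
    if isinstance(node, ast.UnaryOp):
        return '(NOT%s)' % paren(render(node.operand))
    if isinstance(node, ast.Compare):
        return '(%s%s%s)' % (render(node.left), SYMBOL[type(node.ops[0])], render(node.comparators[0]))
    if isinstance(node, ast.BinOp):
        return '(%s%s%s)' % (render(node.left), SYMBOL[type(node.op)], render(node.right))
    return node.id if isinstance(node, ast.Name) else str(node.value)


def output_filter(text):
    """What tcptrace would echo as 'Output filter:' for this -f argument."""
    return render(parse(text))


def matching(connections, text):
    """Ids of the connections whose c_*/s_* statistics satisfy the filter."""
    code = compile(ast.fix_missing_locations(ast.Expression(parse(text))), '<filter>', 'eval')
    return [cid for cid, stats in connections.items()
            if eval(code, {'__builtins__': {}}, stats)]


# The two connections of the manual's tigris.dmp.gz listing.  Constructed sample data:
# hosts, ports and segment counts are the manual's; thruput and f1323_ws are made up.
CONNECTIONS = {
    1: {'c_hostname': 'pride.cs.ohiou.edu', 's_hostname': 'elephus.cs.ohiou.edu',
        'c_portname': '54735', 's_portname': 'ssh', 'c_segs': 30, 's_segs': 30,
        'c_thruput': 2000, 's_thruput': 3000, 'c_f1323_ws': 1, 's_f1323_ws': 1},
    2: {'c_hostname': 'pride.cs.ohiou.edu', 's_hostname': 'a17-112-152-32.apple.com',
        'c_portname': '54736', 's_portname': 'http', 'c_segs': 12, 's_segs': 15,
        'c_thruput': 500, 's_thruput': 20000, 'c_f1323_ws': 1, 's_f1323_ws': 0},
}
```

Calling output_filter('segs>=30') yields ((c_segs>=30)OR(s_segs>=30)), the same text tcptrace printed above, and matching(CONNECTIONS, 'segs>=30') returns [1]. With the made-up throughput figures, matching(CONNECTIONS, 'b_segs>10 && thruput>10000') returns [2]: both connections carry more than ten segments each way, but only connection 2 has a direction above the throughput threshold. The AST whitelist in parse is what makes the eval safe on untrusted filter strings; a call, attribute access or subscript is rejected before anything is evaluated.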

The numbers of the connections that passed the filtering criteria given with -f are stored in a file named PF in the working directory. Note that if you graph in the same run as you filter, say with -G alongside -f, graphs are generated for all the connections and not just the filtered ones. Filter first with -f, then graph only the selected connections by passing the PF file to -o; run both commands from the same working directory so that the second run finds the PF file written by the first:

tcptrace -oPF -G file.dmp

Super-User 2003-08-29