2 * Compare two capture files
3 * Copyright 2008 Vincenzo Condoleo, Christophe Dirac, Reto Ruoss
4 * supported by HSR (Hochschule Rapperswil)
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 /* This module provides tshark with statistics about two merged capture files: packet loss,
26 * time delay, IP header checksum errors and an order check.
27 * It also detects the matching regions of the two files.
29 * Packets are compared by their IP ID. The MAC address or the TTL is used to distinguish between the two files.
30 * It is only used by tshark, not by Wireshark.
40 #include "epan/packet_info.h"
41 #include <epan/in_cksum.h>
42 #include <epan/packet.h>
44 #include <epan/stat_tap_ui.h>
45 #include <epan/dissectors/packet-ip.h>
46 #include "epan/timestats.h"
/* Sentinel written to for_print.cksum once two frames with the same IP ID
 * disagree on their computed checksum.
 * NOTE(review): 0 may also be a legitimate in_cksum() result, in which case a
 * matching pair would be reported as a checksum error - confirm. */
51 #define WRONG_CHKSUM 0
/* Number of merged capture files; an IP ID seen exactly this many times is
 * treated as a matched pair. */
53 #define MERGED_FILES 2
/* Registration entry point, defined at the end of this file. */
57 void register_tap_listener_comparestat(void);
59 /* information which will be printed */
60 typedef struct _for_print {
/* zebra_time.nsecs of the frame handled just before this one in
 * call_foreach_new_order; compared with the frame's own zebra_time for the
 * order check. */
63 nstime_t predecessor_time;
/* Earlier frame found under the same IP ID, or NULL while unmatched. */
64 struct _frame_info *partner;
67 /* each tracked packet */
68 typedef struct _frame_info {
/* abs_ts: capture timestamp copied from the frame.
 * zebra_time: synthetic ordering stamp assigned in call_foreach_new_order.
 * delta: time difference to the partner frame, written once a pair is found. */
74 nstime_t abs_ts, zebra_time, delta;
77 /* used to keep track of the statistics for an entire program interface */
78 typedef struct _comparestat_t {
/* packet_set: frame number -> frame_info, created with frame_info_free as
 *             its value destructor.
 * ip_id_set:  IP ID -> the frame_info most recently inserted for that ID.
 * nr_set:     IP ID -> the first frame_info numbered for that ID. */
80 GHashTable *packet_set, *ip_id_set, *nr_set;
/* Link-layer addresses copied from the first frame seen; used to tell the
 * two files apart when TTL_method is FALSE. */
81 address eth_dst, eth_src;
82 nstime_t zebra_time, current_time;
/* Hit/miss run counters and the frame numbers bounding the compared scope in
 * each file. The *_packet_nr_* fields are guint32 but use G_MAXINT32 as the
 * "not set" marker. */
86 guint32 start_ongoing_hits, stop_ongoing_hits, start_packet_nr_first, start_packet_nr_second, stop_packet_nr_first, stop_packet_nr_second;
/* Number of frames attributed to each file by call_foreach_new_order. */
87 guint32 first_file_amount, second_file_amount;
91 /* to call directly _init */
/* Allowed deviation from the average time difference; set from the
 * -z compare option in comparestat_init. */
92 static gdouble compare_variance = 0.0;
/* NOTE(review): these are guint8, while comparestat_init parses the option
 * with %d into a gint and assigns compare_start without a visible range
 * check, so a value outside 0..255 is silently truncated. */
93 static guint8 compare_start, compare_stop;
/* TTL_method selects TTL (TRUE) or MAC address (FALSE) to tell the files
 * apart; ON_method enables the order check in the report. */
94 static gboolean TTL_method = TRUE, ON_method = TRUE;
96 /* Tap reset callback. It is never used by tshark but it is here for completeness; comparestat_init passes it to register_tap_listener(). */
98 comparestat_reset(void *dummy _U_)
103 /* This callback is invoked whenever the tap system has seen a packet
104 * we might be interested in.
106 * 0: no updates, no need to call (*draw) later
107 * !0: state has changed, call (*draw) sometime later
110 comparestat_packet(void *arg, packet_info *pinfo, epan_dissect_t *edt _U_, const void *arg2)
/* Per-packet tap callback: stores one frame_info in packet_set for every frame
 * the tap delivers. arg is the comparestat_t registered with the tap; arg2 is
 * cast to the ws_ip record of the frame. */
112 comparestat_t *cs = (comparestat_t *)arg;
113 const ws_ip *ci = (const ws_ip *)arg2;
116 guint16 computed_cksum = 0;
118 /* so this get filled, usually with the first frame */
/* NOTE(review): this is a shallow struct copy. ip_dst.data below suggests the
 * address type carries a data pointer; if so, the copy is only valid while the
 * memory behind pinfo->dl_dst lives, yet it is compared again at draw time -
 * confirm the lifetime. The same applies to fInfo->dl_dst further down. */
119 if (cs->eth_dst.len == 0) {
120 cs->eth_dst = pinfo->dl_dst;
121 cs->eth_src = pinfo->dl_src;
124 /* Set up the fields of the pseudo-header and create checksum */
/* NOTE(review): BYTES bytes are summed starting at the address of one struct
 * member, so this depends on the in-memory layout of ws_ip - confirm the
 * members that follow ip_v_hl are the ones intended. */
125 cksum_vec[0].ptr = &ci->ip_v_hl;
126 cksum_vec[0].len = BYTES;
128 cksum_vec[1].ptr = &ci->ip_p;
129 cksum_vec[1].len = 1;
130 /* skip header checksum and ip's (because of NAT)*/
131 cksum_vec[2].ptr = (const guint8 *)ci->ip_dst.data;
132 cksum_vec[2].ptr = cksum_vec[2].ptr+ci->ip_dst.len;
133 /* dynamic computation */
/* NOTE(review): ip_len is presumably the total-length field taken from the
 * packet. It is not checked against the amount of data actually present
 * behind ip_dst.data, and a value below 20 makes the subtraction negative.
 * A truncated or malformed packet could therefore make in_cksum() read out of
 * bounds; the length should be validated against the captured data first. */
134 cksum_vec[2].len = ci->ip_len-20;
135 computed_cksum = in_cksum(&cksum_vec[0], 3);
137 /* collect all packet infos */
/* g_malloc() does not zero memory; only the fields assigned below are
 * initialized in the visible lines (fInfo->delta is not among them). */
138 fInfo = (frame_info*)g_malloc(sizeof(frame_info));
139 fInfo->fp = (for_print*)g_malloc(sizeof(for_print));
140 fInfo->fp->partner = NULL;
141 fInfo->fp->count = 1;
142 fInfo->fp->cksum = computed_cksum;
143 fInfo->num = pinfo->fd->num;
144 fInfo->id = ci->ip_id;
145 fInfo->ip_ttl = ci->ip_ttl;
146 fInfo->dl_dst = pinfo->dl_dst;
147 fInfo->abs_ts = pinfo->fd->abs_ts;
149 nstime_set_zero(&fInfo->zebra_time);
150 nstime_set_zero(&fInfo->fp->predecessor_time);
/* Keyed by frame number; packet_set is created with frame_info_free as its
 * value destructor, so the table takes over fInfo. */
151 g_hash_table_insert(cs->packet_set, GINT_TO_POINTER(pinfo->fd->num), fInfo);
158 frame_info_free(gpointer data)
/* Value destructor given to g_hash_table_new_full() for packet_set; data is
 * the frame_info stored by comparestat_packet. */
160 frame_info *fInfo = (frame_info *)data;
166 /* Find equal packets, same IP-Id, count them and make time statistics */
168 call_foreach_count_ip_id(gpointer key _U_, gpointer value, gpointer arg)
/* g_hash_table_foreach callback over packet_set: groups frames by IP ID in
 * ip_id_set, tracks runs of consecutive hits and misses to find the start and
 * stop of the matching region, and feeds the time statistics. */
170 comparestat_t *cs = (comparestat_t*)arg;
171 frame_info *fInfo = (frame_info*)value, *fInfoTemp;
175 /* we only need one value out of pinfo we use a temp one */
/* NOTE(review): only fd->num is set; every other field of these two
 * g_malloc'd structs is uninitialized when pinfo is handed to
 * time_stat_update(). No release of pinfo or pinfo->fd appears in the visible
 * lines - confirm they are freed before returning. */
176 packet_info *pinfo = (packet_info*)g_malloc(sizeof(packet_info));
177 pinfo->fd = (frame_data*)g_malloc(sizeof(frame_data));
178 pinfo->fd->num = fInfo->num;
/* Frames are paired on the IP ID alone. The value comes from the packet and
 * can repeat within a capture; an ID seen more than MERGED_FILES times is
 * later reported as "More than two packets". */
180 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->ip_id_set, GINT_TO_POINTER((gint)fInfo->id));
181 if (fInfoTemp == NULL) {
182 /* Detect ongoing package loss */
183 if ((cs->last_hit == FALSE) && (cs->start_ongoing_hits > compare_start) && (cs->stop_ongoing_hits < compare_stop)) {
184 cs->stop_ongoing_hits++;
185 cs->stop_packet_nr_first = fInfo->num;
186 } else if (cs->stop_ongoing_hits < compare_stop) {
187 cs->stop_ongoing_hits = 0;
188 cs->stop_packet_nr_first = G_MAXINT32;
190 cs->last_hit = FALSE;
/* First frame with this ID: it becomes the entry later frames are matched
 * against. */
192 fInfo->fp->count = 1;
193 g_hash_table_insert(cs->ip_id_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
195 /* Detect ongoing package hits, special behavior if start is set to 0 */
196 if ((cs->last_hit || (compare_start == 0)) && (cs->start_ongoing_hits < compare_start || (compare_start == 0))) {
197 if ((compare_start == 0) && (cs->start_ongoing_hits != 0)) {
198 /* start from the first packet so already set */
200 cs->start_ongoing_hits++;
201 /* Take the lower number */
202 cs->start_packet_nr_first = fInfoTemp->num;
203 cs->start_packet_nr_second = fInfo->num;
205 } else if (cs->start_ongoing_hits < compare_start) {
206 cs->start_ongoing_hits = 0;
207 cs->start_packet_nr_first = G_MAXINT32;
/* Carry the running count forward and mark both frames when their computed
 * checksums differ. */
211 fInfo->fp->count = fInfoTemp->fp->count + 1;
212 if (fInfoTemp->fp->cksum != fInfo->fp->cksum) {
213 fInfo->fp->cksum = WRONG_CHKSUM;
214 fInfoTemp->fp->cksum = WRONG_CHKSUM;
217 fInfo->fp->partner = fInfoTemp;
218 /* Create time statistic */
219 if (fInfo->fp->count == MERGED_FILES) {
220 nstime_delta(&delta, &fInfo->abs_ts, &fInfoTemp->abs_ts);
221 /* Set delta in both packets */
222 nstime_set_zero(&fInfoTemp->delta);
223 nstime_add(&fInfoTemp->delta, &delta);
224 nstime_set_zero(&fInfo->delta);
225 nstime_add(&fInfo->delta, &delta);
226 time_stat_update(&cs->stats, &delta, pinfo);
/* The newest frame replaces the previous entry for this ID; the older frame
 * stays reachable through fp->partner. */
228 g_hash_table_insert(cs->ip_id_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
/* Record the TTL values seen in frames numbered below TTL_SEARCH; the loop
 * appears to skip values that are already in the list. */
232 if (TTL_method && (fInfo->num < TTL_SEARCH)) {
233 for (i=0; i < cs->ip_ttl_list->len; i++) {
234 if (g_array_index(cs->ip_ttl_list, guint8, i) == fInfo->ip_ttl) {
238 g_array_append_val(cs->ip_ttl_list, fInfo->ip_ttl);
245 /*Create new numbering */
247 call_foreach_new_order(gpointer key _U_, gpointer value, gpointer arg)
/* g_hash_table_foreach callback over packet_set: stamps every frame with a
 * synthetic zebra_time.nsecs and counts the frames per file. The remainder of
 * that stamp modulo MERGED_FILES is what the rest of the file uses to decide
 * which capture a frame belongs to. */
249 comparestat_t *cs = (comparestat_t*)arg;
250 frame_info *fInfo = (frame_info*)value, *fInfoTemp;
252 /* overwrite Info column for new ordering */
253 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->nr_set, GINT_TO_POINTER((gint)fInfo->id));
254 if (fInfoTemp == NULL) {
/* First frame with this IP ID: take a fresh stamp from cs->zebra_time. */
255 if (TTL_method == FALSE) {
256 if ((ADDRESSES_EQUAL(&cs->eth_dst, &fInfo->dl_dst)) || (ADDRESSES_EQUAL(&cs->eth_src, &fInfo->dl_dst))) {
257 g_hash_table_insert(cs->nr_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
258 fInfo->zebra_time = cs->zebra_time;
259 cs->zebra_time.nsecs = cs->zebra_time.nsecs + MERGED_FILES;
261 cs->zebra_time.nsecs++;
262 g_hash_table_insert(cs->nr_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
263 fInfo->zebra_time = cs->zebra_time;
264 cs->zebra_time.nsecs++;
/* NOTE(review): indexes 0 and 1 of ip_ttl_list are read without checking the
 * list length. comparestat_draw pads the list only when it holds exactly one
 * entry, so an empty list would be read out of bounds here - confirm it cannot
 * be empty when TTL_method is TRUE. */
267 if ((g_array_index(cs->ip_ttl_list, guint8, 0) == fInfo->ip_ttl) || (g_array_index(cs->ip_ttl_list, guint8, 1) == fInfo->ip_ttl)) {
268 g_hash_table_insert(cs->nr_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
269 fInfo->zebra_time = cs->zebra_time;
270 cs->zebra_time.nsecs = cs->zebra_time.nsecs + MERGED_FILES;
272 cs->zebra_time.nsecs++;
273 g_hash_table_insert(cs->nr_set, GINT_TO_POINTER((gint)fInfo->id), fInfo);
274 fInfo->zebra_time = cs->zebra_time;
275 cs->zebra_time.nsecs++;
/* A frame with this IP ID was already numbered: derive the stamp from that
 * frame's stamp instead of consuming a new one. */
280 if (TTL_method == FALSE) {
281 if (((ADDRESSES_EQUAL(&cs->eth_dst, &fInfo->dl_dst)) || (ADDRESSES_EQUAL(&cs->eth_src, &fInfo->dl_dst))) && (!fmod(fInfoTemp->zebra_time.nsecs, MERGED_FILES))) {
282 fInfo->zebra_time.nsecs = fInfoTemp->zebra_time.nsecs;
284 fInfo->zebra_time.nsecs = fInfoTemp->zebra_time.nsecs+1;
/* Same unchecked ip_ttl_list indexing as in the first-frame branch. */
287 if (((g_array_index(cs->ip_ttl_list, guint8, 0) == fInfo->ip_ttl) || (g_array_index(cs->ip_ttl_list, guint8, 1) == fInfo->ip_ttl)) && (!fmod(fInfoTemp->zebra_time.nsecs, MERGED_FILES))) {
288 fInfo->zebra_time.nsecs = fInfoTemp->zebra_time.nsecs;
290 fInfo->zebra_time.nsecs = fInfoTemp->zebra_time.nsecs+1;
295 /* count packets of file */
/* A stamp that is not a multiple of MERGED_FILES counts towards the first
 * file. */
296 if (fmod(fInfo->zebra_time.nsecs, MERGED_FILES)) {
297 cs->first_file_amount++;
299 cs->second_file_amount++;
/* Remember the stamp of the frame handled just before this one; the report
 * uses it for the order check. */
303 if (!nstime_is_unset(&cs->current_time)) {
304 fInfo->fp->predecessor_time.nsecs = cs->current_time.nsecs;
307 cs->current_time.nsecs = fInfo->zebra_time.nsecs;
310 /* calculate scopes if not set yet */
312 call_foreach_merge_settings(gpointer key _U_, gpointer value, gpointer arg)
/* g_hash_table_foreach callback over packet_set: once the frame whose number
 * equals the total frame count is reached, fills in whichever stop (and
 * second-file) scope numbers are still unset. */
314 comparestat_t *cs = (comparestat_t*)arg;
315 frame_info *fInfo = (frame_info*)value, *fInfoTemp = NULL;
316 guint32 tot_packet_amount = cs->first_file_amount+cs->second_file_amount, swap;
318 if ((fInfo->num == tot_packet_amount) && (cs->stop_packet_nr_first != G_MAXINT32)) {
319 /* calculate missing stop number */
320 swap = cs->stop_packet_nr_first;
321 cs->stop_packet_nr_first = tot_packet_amount-cs->second_file_amount;
322 cs->stop_packet_nr_second = swap;
325 if ((fInfo->num == tot_packet_amount) && (cs->stop_packet_nr_first == G_MAXINT32) && (cs->start_packet_nr_first != G_MAXINT32)) {
326 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->packet_set, GINT_TO_POINTER(cs->start_packet_nr_first));
327 if (fInfoTemp == NULL) {
328 printf("ERROR: start number not set correctly\n");
/* NOTE(review): fInfoTemp is dereferenced right below. Unless the lines
 * missing from this excerpt leave the function after the error message, this
 * is a NULL dereference - confirm. */
331 if (fmod(fInfoTemp->zebra_time.nsecs, 2)) {
/* The arithmetic below is on guint32 values, so an intermediate result below
 * zero wraps to a large number before the clamps are applied. */
333 cs->stop_packet_nr_first = cs->start_packet_nr_first+(cs->second_file_amount-(cs->start_packet_nr_second-cs->first_file_amount));
334 if (cs->stop_packet_nr_first > (tot_packet_amount-cs->second_file_amount)) {
335 cs->stop_packet_nr_first = tot_packet_amount-cs->second_file_amount;
337 /*this only happens if we have too many MAC's or TTL*/
338 if (cs->stop_packet_nr_first > cs->start_packet_nr_second) {
339 cs->stop_packet_nr_first = cs->start_packet_nr_second-1;
341 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->packet_set, GINT_TO_POINTER(cs->stop_packet_nr_first));
/* NOTE(review): here `!` is applied to nsecs before fmod(), unlike the
 * otherwise parallel loop further down - this looks like a misplaced
 * negation, confirm the intent. Neither loop has a lower bound: while the
 * lookup returns NULL the condition is TRUE and stop_packet_nr_first keeps
 * decrementing, and being a guint32 it would wrap past zero. */
342 while ((fInfoTemp != NULL) ? fmod(!fInfoTemp->zebra_time.nsecs, 2) : TRUE) {
343 cs->stop_packet_nr_first--;
344 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->packet_set, GINT_TO_POINTER(cs->stop_packet_nr_first));
347 /*this only happens if we have too many MAC's or TTL*/
348 cs->stop_packet_nr_first = cs->first_file_amount+cs->start_packet_nr_first;
349 if (cs->stop_packet_nr_first > tot_packet_amount-cs->first_file_amount) {
350 cs->stop_packet_nr_first = tot_packet_amount-cs->first_file_amount;
352 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->packet_set, GINT_TO_POINTER(cs->stop_packet_nr_first));
353 while ((fInfoTemp != NULL) ? fmod(fInfoTemp->zebra_time.nsecs, 2) : TRUE) {
354 cs->stop_packet_nr_first--;
355 fInfoTemp = (frame_info *)g_hash_table_lookup(cs->packet_set, GINT_TO_POINTER(cs->stop_packet_nr_first));
358 /* set second stop location */
359 cs->stop_packet_nr_second = cs->start_packet_nr_second+(cs->stop_packet_nr_first-cs->start_packet_nr_first);
360 if (cs->stop_packet_nr_second > tot_packet_amount) {
361 cs->stop_packet_nr_second = tot_packet_amount;
/* Tell the user when no start point was found for a non-zero start/stop
 * request. */
366 if (fInfo->num == tot_packet_amount && compare_start != 0 && compare_stop != 0) {
367 if (cs->start_packet_nr_first == G_MAXINT32) {
368 printf("Start point couldn't be set, choose a lower compare start");
374 call_foreach_print_ip_tree(gpointer key _U_, gpointer value, gpointer user_data)
/* g_hash_table_foreach callback over ip_id_set: prints a report entry for
 * each IP ID whose frames show a loss, duplicate, checksum, timing or
 * ordering problem. */
376 frame_info *fInfo = (frame_info*)value;
377 comparestat_t *cs = (comparestat_t*)user_data;
378 gdouble delta, average;
379 gboolean show_it = FALSE;
/* NOTE(review): fInfo->delta is written in call_foreach_count_ip_id only when
 * a pair is completed, and comparestat_packet allocates the frame_info with
 * g_malloc(); for unmatched frames no initialization is visible in this
 * excerpt - confirm delta is zeroed before it is read here. */
381 delta = fabs(get_average(&fInfo->delta, 1));
382 average = fabs(get_average(&cs->stats.tot, cs->stats.num));
384 /* special case if both are set to zero ignore start and stop numbering */
385 if (compare_start != 0 && compare_stop != 0) {
386 /* check out if packet is in searched scope */
387 if ((cs->start_packet_nr_first < fInfo->num)&&(cs->stop_packet_nr_first > fInfo->num)) {
390 /* so we won't miss the other file */
391 if ((fInfo->num > cs->start_packet_nr_second)&&(fInfo->num < cs->stop_packet_nr_second)) {
/* Fewer copies than files: the packet is missing from one capture. */
400 if (fInfo->fp->count < MERGED_FILES) {
401 printf("Packet id :%u, count:%u Problem:", fInfo->id, fInfo->fp->count);
402 printf("Packet lost\n");
/* More copies than files: the IP ID occurred more often than expected. */
404 if (fInfo->fp->count > MERGED_FILES) {
405 printf("Packet id :%u, count:%u Problem:", fInfo->id, fInfo->fp->count);
406 printf("More than two packets\n");
407 if (fInfo->fp->cksum == WRONG_CHKSUM) {
408 printf("Checksum error over IP header\n");
/* Exactly one pair. The fp->partner dereferences below rely on
 * call_foreach_count_ip_id having set partner whenever count exceeds 1. */
411 if (fInfo->fp->count == MERGED_FILES) {
412 if (fInfo->fp->cksum == WRONG_CHKSUM) {
413 printf("Packet id :%u, count:%u Problem:", fInfo->id, fInfo->fp->count);
414 printf("Checksum error over IP header\n");
/* Timing check: delta lies outside average +/- variance. */
415 if (((delta < (average-cs->stats.variance)) || (delta > (average+cs->stats.variance))) && (delta > 0.0) && (cs->stats.variance != 0)) {
416 printf("Not arrived in time\n");
/* Order check: either frame of the pair has a predecessor stamp later than
 * its own stamp. */
418 if ((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time) > 0||nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time) > 0) && (fInfo->zebra_time.nsecs != MERGED_FILES) && ON_method) {
419 printf("Not correct order\n");
421 } else if (((delta < (average-cs->stats.variance)) || (delta > (average+cs->stats.variance))) && (delta > 0.0) && (cs->stats.variance != 0)) {
422 printf("Packet id :%u, count:%u Problem:", fInfo->id, fInfo->fp->count);
423 printf("Package not arrived in time\n");
424 if ((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time) > 0 || nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time) > 0) && fInfo->zebra_time.nsecs != MERGED_FILES && ON_method) {
425 printf("Not correct order\n");
427 } else if ((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time) > 0 || nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time) > 0) && fInfo->zebra_time.nsecs != MERGED_FILES && ON_method) {
428 printf("Packet id :%u, count:%u Problem:", fInfo->id, fInfo->fp->count);
429 printf("Not correct order\n");
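/*
 * Tap draw callback: computes the comparison and prints the report to stdout.
 *
 * tshark calls this once, when it has finished reading all packets and
 * exits. If used with Wireshark it may be called at any time, and it may even
 * run in parallel with (*reset) or (*draw), so the tap data can change
 * beneath us. Beware.
 *
 * prs is the comparestat_t that comparestat_init handed to
 * register_tap_listener().
 */
static void
comparestat_draw(void *prs)
{
	comparestat_t *cs = (comparestat_t *)prs;
	gchar *statis_string;
	guint32 first_file_amount, second_file_amount;

	/* initial steps, clear all data before start */
	cs->zebra_time.secs = 0;
	cs->zebra_time.nsecs = 1;
	nstime_set_unset(&cs->current_time);
	cs->ip_ttl_list = g_array_new(FALSE, FALSE, sizeof(guint8));
	cs->last_hit = FALSE;
	cs->start_ongoing_hits = 0;
	cs->stop_ongoing_hits = 0;
	cs->start_packet_nr_first = G_MAXINT32;
	cs->start_packet_nr_second = G_MAXINT32;
	cs->stop_packet_nr_first = G_MAXINT32;
	cs->stop_packet_nr_second = G_MAXINT32;
	cs->first_file_amount = 0;
	cs->second_file_amount = 0;

	time_stat_init(&cs->stats);
	cs->ip_id_set = g_hash_table_new(NULL, NULL);
	g_hash_table_foreach(cs->packet_set, call_foreach_count_ip_id, cs);

	/* set up TTL choice if only one number found */
	if (TTL_method && cs->ip_ttl_list->len == 1) {
		/*
		 * Duplicate the single entry at index 0 so that indexes 0 and 1
		 * are both valid for call_foreach_new_order; index 1 does not
		 * exist yet in a one-element array. The value is copied out
		 * first because g_array_append_val() takes the address of its
		 * argument and appending may reallocate the array's storage.
		 */
		guint8 only_ttl = g_array_index(cs->ip_ttl_list, guint8, 0);

		g_array_append_val(cs->ip_ttl_list, only_ttl);
	}

	g_hash_table_foreach(cs->packet_set, call_foreach_new_order, cs);
	g_hash_table_foreach(cs->packet_set, call_foreach_merge_settings, cs);

	/* remembering file amounts */
	first_file_amount = cs->first_file_amount;
	second_file_amount = cs->second_file_amount;
	/* reset after numbering */
	g_hash_table_remove_all(cs->nr_set);

	cs->stats.variance = compare_variance;

	/* add statistic string */
	statis_string = g_strdup_printf("Compare Statistics: \nFilter: %s\nNumber of packets total:%i 1st file:%i, 2nd file:%i\nScopes:\t start:%i stop:%i\nand:\t start:%i stop:%i\nEqual packets: %i \nAllowed variation: %f \nAverage time difference: %f\n", cs->filter ? cs->filter : "", (first_file_amount+second_file_amount), first_file_amount, second_file_amount, cs->start_packet_nr_first, cs->stop_packet_nr_first, cs->start_packet_nr_second, cs->stop_packet_nr_second, cs->stats.num, cs->stats.variance, fabs(get_average(&cs->stats.tot, cs->stats.num)));

	printf("===================================================================\n");
	printf("%s", statis_string);
	g_hash_table_foreach(cs->ip_id_set, call_foreach_print_ip_tree, cs);
	printf("===================================================================\n");

	/* g_strdup_printf() returns a newly allocated string owned by us. */
	g_free(statis_string);
	g_hash_table_destroy(cs->ip_id_set);
	g_array_free(cs->ip_ttl_list, TRUE);
}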
504 /* When called, this function will create a new instance of comparestat.
505 * This function is called from tshark when it parses the -z compare, arguments
506 * and it creates a new instance to store statistics in and registers this
507 * new instance for the compare tap.
510 comparestat_init(const char *opt_arg, void *userdata _U_)
/* Parses the "-z compare,..." option string, stores the settings in the
 * file-level variables, allocates a comparestat_t and registers it as a
 * listener on the "ip" tap. */
513 const char *filter = NULL;
514 GString *error_string;
515 gint start, stop, ttl, order, pos = 0;
/* All five numeric fields must convert; %n records how much of opt_arg was
 * consumed so that the optional filter can be located after it. */
518 if (sscanf(opt_arg, "compare,%d,%d,%d,%d,%lf%n", &start, &stop, &ttl, &order, &variance, &pos) == 5) {
520 if (*(opt_arg+pos) == ',')
521 filter = opt_arg+pos+1;
523 filter = opt_arg+pos;
528 fprintf(stderr, "tshark: invalid \"-z compare,<start>,<stop>,<ttl[0|1]>,<order[0|1]>,<variance>[,<filter>]\" argument\n");
532 compare_variance = variance;
/* NOTE(review): start is a gint parsed with %d, compare_start is a guint8.
 * No range check is visible, so negative or large values are truncated
 * silently; rejecting anything outside 0..255 would be safer. */
533 compare_start = start;
538 cs = g_new(comparestat_t, 1);
539 nstime_set_unset(&cs->current_time);
/* NOTE(review): comparestat_draw assigns a new array to cs->ip_ttl_list
 * without releasing this one first, which looks like a leak - confirm. */
540 cs->ip_ttl_list = g_array_new(FALSE, FALSE, sizeof(guint8));
541 cs->last_hit = FALSE;
542 cs->start_ongoing_hits = 0;
543 cs->stop_ongoing_hits = 0;
544 cs->start_packet_nr_first = G_MAXINT32;
545 cs->start_packet_nr_second = G_MAXINT32;
546 cs->stop_packet_nr_first = G_MAXINT32;
547 cs->stop_packet_nr_second = G_MAXINT32;
548 cs->first_file_amount = 0;
549 cs->second_file_amount = 0;
551 cs->zebra_time.secs = 0;
552 cs->zebra_time.nsecs = 1;
553 cs->nr_set = g_hash_table_new(NULL, NULL);
/* The filter points into opt_arg, so keep a private copy. */
556 cs->filter = g_strdup(filter);
561 /* create a Hash to count the packets with the same ip.id */
/* The table is keyed by frame number in comparestat_packet and releases its
 * values through frame_info_free. */
562 cs->packet_set = g_hash_table_new_full(NULL, NULL, NULL, frame_info_free);
564 error_string = register_tap_listener("ip", cs, filter, 0, comparestat_reset, comparestat_packet, comparestat_draw);
566 /* error, we failed to attach to the tap. clean up */
568 g_hash_table_destroy(cs->packet_set);
571 fprintf(stderr, "tshark: Couldn't register compare tap: %s\n", error_string->str);
572 g_string_free(error_string, TRUE);
/* Descriptor handed to register_stat_tap_ui() by
 * register_tap_listener_comparestat(); its remaining initializers are not
 * visible in this excerpt. */
577 static stat_tap_ui comparestat_ui = {
578 REGISTER_STAT_GROUP_GENERIC,
588 register_tap_listener_comparestat(void)
/* Passes the comparestat_ui descriptor to register_stat_tap_ui(). */
590 register_stat_tap_ui(&comparestat_ui, NULL);
594 * Editor modelines - http://www.wireshark.org/tools/modelines.html
599 * indent-tabs-mode: t
602 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
603 * :indentSize=8:tabSize=8:noTabs=false: