2 * Compare two capture files
3 * Copyright 2008 Vincenzo Condoleo, Christophe Dirac, Reto Ruoss
4 * supported by HSR (Hochschule Rapperswil)
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /* This module provides statistics about two merged capture files, to find packet loss,
28 * time delay, ip header checksum errors and order check to tshark.
29 * It's also detecting the matching regions of the different files.
31 * The packets are compared by the ip id. MAC or TTL is used to distinct the different files.
32 * It is only used by tshark and not wireshark
42 #ifdef HAVE_SYS_TYPES_H
43 # include <sys/types.h>
47 #include "epan/packet_info.h"
48 #include <epan/in_cksum.h>
49 #include <epan/packet.h>
51 #include <epan/timestamp.h>
52 #include <epan/stat_cmd_args.h>
53 #include <epan/dissectors/packet-ip.h>
55 #include "timestats.h"
60 #define WRONG_CHKSUM 0
62 #define MERGED_FILES 2
66 /* information which will be printed */
67 typedef struct _for_print {
70 nstime_t predecessor_time;
71 struct _frame_info *partner;
74 /* each tracked packet */
75 typedef struct _frame_info {
81 nstime_t abs_ts, zebra_time, delta;
84 /* used to keep track of the statistics for an entire program interface */
85 typedef struct _comparestat_t {
87 emem_tree_t *packet_tree, *ip_id_tree, *nr_tree;
88 address eth_dst, eth_src;
89 nstime_t zebra_time, current_time;
93 guint32 start_ongoing_hits, stop_ongoing_hits, start_packet_nr_first, start_packet_nr_second, stop_packet_nr_first, stop_packet_nr_second;
94 guint32 first_file_amount, second_file_amount;
98 /* to call directly _init */
99 static gdouble compare_variance=0.0;
100 static guint8 compare_start, compare_stop;
101 static gboolean TTL_method=TRUE, ON_method=TRUE;
103 /* This callback is never used by tshark but it is here for completeness. */
105 comparestat_reset(void *dummy _U_)
110 /* This callback is invoked whenever the tap system has seen a packet
111 * we might be interested in.
113 * 0: no updates, no need to call (*draw) later
114 * !0: state has changed, call (*draw) sometime later
117 comparestat_packet(void *arg, packet_info *pinfo, epan_dissect_t *edt _U_, const void *arg2)
119 comparestat_t *cs=arg;
120 const ws_ip *ci=arg2;
123 guint16 computed_cksum=0;
125 /* so this get filled, usually with the first frame */
126 if(cs->eth_dst.len==0) {
127 cs->eth_dst=pinfo->dl_dst;
128 cs->eth_src=pinfo->dl_src;
131 /* Set up the fields of the pseudo-header and create checksum */
132 cksum_vec[0].ptr=&ci->ip_v_hl;
133 cksum_vec[0].len=BYTES;
135 cksum_vec[1].ptr=&ci->ip_p;
137 /* skip header checksum and ip's (because of NAT)*/
138 cksum_vec[2].ptr=ci->ip_dst.data;
139 cksum_vec[2].ptr=cksum_vec[2].ptr+ci->ip_dst.len;
140 /* dynamic computation */
141 cksum_vec[2].len=pinfo->iphdrlen-20;
142 computed_cksum=in_cksum(&cksum_vec[0], 3);
144 /* collect all packet infos */
145 fInfo=(frame_info*)se_alloc(sizeof(frame_info));
146 fInfo->fp=(for_print*)se_alloc(sizeof(for_print));
147 fInfo->fp->partner=NULL;
149 fInfo->fp->cksum=computed_cksum;
150 fInfo->num=pinfo->fd->num;
152 fInfo->ip_ttl=ci->ip_ttl;
153 fInfo->dl_dst=pinfo->dl_dst;
154 fInfo->abs_ts=pinfo->fd->abs_ts;
156 nstime_set_zero(&fInfo->zebra_time);
157 nstime_set_zero(&fInfo->fp->predecessor_time);
158 se_tree_insert32(cs->packet_tree, pinfo->fd->num, fInfo);
163 /* Find equal packets, same IP-Id, count them and make time statistics */
165 call_foreach_count_ip_id(gpointer value, gpointer arg)
167 comparestat_t *cs=(comparestat_t*)arg;
168 frame_info *fInfo=(frame_info*)value, *fInfoTemp;
172 /* we only need one value out of pinfo we use a temp one */
173 packet_info *pinfo=(packet_info*)ep_alloc(sizeof(packet_info));
174 pinfo->fd=(frame_data*)ep_alloc(sizeof(frame_data));
175 pinfo->fd->num = fInfo->num;
177 fInfoTemp=se_tree_lookup32(cs->ip_id_tree, fInfo->id);
179 /* Detect ongoing package loss */
180 if((cs->last_hit==FALSE)&&(cs->start_ongoing_hits>compare_start)&&(cs->stop_ongoing_hits<compare_stop)){
181 cs->stop_ongoing_hits++;
182 cs->stop_packet_nr_first=fInfo->num;
183 } else if(cs->stop_ongoing_hits<compare_stop){
184 cs->stop_ongoing_hits=0;
185 cs->stop_packet_nr_first=G_MAXINT32;
190 se_tree_insert32(cs->ip_id_tree, fInfo->id, fInfo);
192 /* Detect ongoing package hits, special behavior if start is set to 0 */
193 if((cs->last_hit||(compare_start==0))&&(cs->start_ongoing_hits<compare_start||(compare_start==0))){
194 if((compare_start==0)&&(cs->start_ongoing_hits!=0)){
195 /* start from the first packet so allready set */
197 cs->start_ongoing_hits++;
198 /* Take the lower number */
199 cs->start_packet_nr_first=fInfoTemp->num;
200 cs->start_packet_nr_second=fInfo->num;
202 } else if(cs->start_ongoing_hits<compare_start){
203 cs->start_ongoing_hits=0;
204 cs->start_packet_nr_first=G_MAXINT32;
208 fInfo->fp->count=fInfoTemp->fp->count + 1;
209 if(fInfoTemp->fp->cksum!=fInfo->fp->cksum){
210 fInfo->fp->cksum=WRONG_CHKSUM;
211 fInfoTemp->fp->cksum=WRONG_CHKSUM;
214 fInfo->fp->partner=fInfoTemp;
215 /* Create time statistic */
216 if(fInfo->fp->count==MERGED_FILES){
217 nstime_delta(&delta, &fInfo->abs_ts, &fInfoTemp->abs_ts);
218 /* Set delta in both packets */
219 nstime_set_zero(&fInfoTemp->delta);
220 nstime_add(&fInfoTemp->delta, &delta);
221 nstime_set_zero(&fInfo->delta);
222 nstime_add(&fInfo->delta, &delta);
223 time_stat_update(&cs->stats, &delta, pinfo);
225 se_tree_insert32(cs->ip_id_tree, fInfo->id, fInfo);
229 if(TTL_method && (fInfo->num<TTL_SEARCH)){
230 for(i=0; i < cs->ip_ttl_list->len; i++){
231 if(g_array_index(cs->ip_ttl_list, guint8, i) == fInfo->ip_ttl){
235 g_array_append_val(cs->ip_ttl_list, fInfo->ip_ttl);
241 /*Create new numbering */
243 call_foreach_new_order(gpointer value, gpointer arg)
245 comparestat_t *cs=(comparestat_t*)arg;
246 frame_info *fInfo=(frame_info*)value, *fInfoTemp;
248 /* overwrite Info column for new ordering */
249 fInfoTemp=se_tree_lookup32(cs->nr_tree, fInfo->id);
251 if(TTL_method==FALSE){
252 if((ADDRESSES_EQUAL(&cs->eth_dst, &fInfo->dl_dst)) || (ADDRESSES_EQUAL(&cs->eth_src, &fInfo->dl_dst))){
253 se_tree_insert32(cs->nr_tree, fInfo->id, fInfo);
254 fInfo->zebra_time=cs->zebra_time;
255 cs->zebra_time.nsecs=cs->zebra_time.nsecs + MERGED_FILES;
257 cs->zebra_time.nsecs++;
258 se_tree_insert32(cs->nr_tree, fInfo->id, fInfo);
259 fInfo->zebra_time=cs->zebra_time;
260 cs->zebra_time.nsecs=cs->zebra_time.nsecs++;
263 if((g_array_index(cs->ip_ttl_list, guint8, 0)==fInfo->ip_ttl) || (g_array_index(cs->ip_ttl_list, guint8, 1)==fInfo->ip_ttl)){
264 se_tree_insert32(cs->nr_tree, fInfo->id, fInfo);
265 fInfo->zebra_time=cs->zebra_time;
266 cs->zebra_time.nsecs=cs->zebra_time.nsecs + MERGED_FILES;
268 cs->zebra_time.nsecs++;
269 se_tree_insert32(cs->nr_tree, fInfo->id, fInfo);
270 fInfo->zebra_time=cs->zebra_time;
271 cs->zebra_time.nsecs=cs->zebra_time.nsecs++;
276 if(TTL_method==FALSE){
277 if(((ADDRESSES_EQUAL(&cs->eth_dst, &fInfo->dl_dst)) || (ADDRESSES_EQUAL(&cs->eth_src, &fInfo->dl_dst)))&&(!fmod(fInfoTemp->zebra_time.nsecs,MERGED_FILES))){
278 fInfo->zebra_time.nsecs=fInfoTemp->zebra_time.nsecs;
280 fInfo->zebra_time.nsecs=fInfoTemp->zebra_time.nsecs+1;
283 if(((g_array_index(cs->ip_ttl_list, guint8, 0)==fInfo->ip_ttl) || (g_array_index(cs->ip_ttl_list, guint8, 1)==fInfo->ip_ttl))&&(!fmod(fInfoTemp->zebra_time.nsecs,MERGED_FILES))){
284 fInfo->zebra_time.nsecs=fInfoTemp->zebra_time.nsecs;
286 fInfo->zebra_time.nsecs=fInfoTemp->zebra_time.nsecs+1;
291 /* count packets of file */
292 if(fmod(fInfo->zebra_time.nsecs, MERGED_FILES)){
293 cs->first_file_amount++;
295 cs->second_file_amount++;
299 if(!nstime_is_unset(&cs->current_time)){
300 fInfo->fp->predecessor_time.nsecs=cs->current_time.nsecs;
303 cs->current_time.nsecs=fInfo->zebra_time.nsecs;
308 /* calculate scopes if not set yet */
310 call_foreach_merge_settings(gpointer value, gpointer arg)
312 comparestat_t *cs=(comparestat_t*)arg;
313 frame_info *fInfo=(frame_info*)value, *fInfoTemp=NULL;
314 guint32 tot_packet_amount=cs->first_file_amount+cs->second_file_amount, swap;
316 if((fInfo->num==tot_packet_amount)&&(cs->stop_packet_nr_first!=G_MAXINT32)){
317 /* calculate missing stop number */
318 swap=cs->stop_packet_nr_first;
319 cs->stop_packet_nr_first=tot_packet_amount-cs->second_file_amount;;
320 cs->stop_packet_nr_second=swap;
323 if((fInfo->num==tot_packet_amount)&&(cs->stop_packet_nr_first==G_MAXINT32)&&(cs->start_packet_nr_first!=G_MAXINT32)){
324 fInfoTemp=se_tree_lookup32(cs->packet_tree, cs->start_packet_nr_first);
326 printf("ERROR: start number not set correctly\n");
328 if(fmod(fInfoTemp->zebra_time.nsecs, 2)){
330 cs->stop_packet_nr_first=cs->start_packet_nr_first+abs(cs->second_file_amount-(cs->start_packet_nr_second-cs->first_file_amount));
331 if(cs->stop_packet_nr_first>(tot_packet_amount-cs->second_file_amount)){
332 cs->stop_packet_nr_first=tot_packet_amount-cs->second_file_amount;
334 /*this only happens if we have too many MAC's or TTL*/
335 if(cs->stop_packet_nr_first>cs->start_packet_nr_second){
336 cs->stop_packet_nr_first=cs->start_packet_nr_second-1;
338 fInfoTemp=se_tree_lookup32(cs->packet_tree, cs->stop_packet_nr_first);
339 while((fInfoTemp!=NULL)?fmod(!fInfoTemp->zebra_time.nsecs, 2):TRUE){
340 cs->stop_packet_nr_first--;
341 fInfoTemp=se_tree_lookup32(cs->packet_tree, cs->stop_packet_nr_first);
344 /*this only happens if we have too many MAC's or TTL*/
345 cs->stop_packet_nr_first=cs->first_file_amount+cs->start_packet_nr_first;
346 if(cs->stop_packet_nr_first>tot_packet_amount-cs->first_file_amount){
347 cs->stop_packet_nr_first=tot_packet_amount-cs->first_file_amount;
349 fInfoTemp=se_tree_lookup32(cs->packet_tree, cs->stop_packet_nr_first);
350 while((fInfoTemp!=NULL)?fmod(fInfoTemp->zebra_time.nsecs, 2):TRUE){
351 cs->stop_packet_nr_first--;
352 fInfoTemp=se_tree_lookup32(cs->packet_tree, cs->stop_packet_nr_first);
355 /* set second stop location */
356 cs->stop_packet_nr_second=cs->start_packet_nr_second+abs(cs->stop_packet_nr_first-cs->start_packet_nr_first);
357 if(cs->stop_packet_nr_second>tot_packet_amount){
358 cs->stop_packet_nr_second=tot_packet_amount;
363 if(fInfo->num==tot_packet_amount&&compare_start!=0&&compare_stop!=0){
364 if(cs->start_packet_nr_first==G_MAXINT32){
365 printf("Start point couldn't be set, choose a lower compare start");
373 call_foreach_print_ip_tree(gpointer value, gpointer user_data)
375 frame_info *fInfo=(frame_info*)value;
376 comparestat_t *cs=(comparestat_t*)user_data;
377 gdouble delta, average;
378 gboolean show_it=FALSE;
380 delta=fabs(get_average(&fInfo->delta,1));
381 average=fabs(get_average(&cs->stats.tot, cs->stats.num));
383 /* special case if both are set to zero ignore start and stop numbering */
384 if(compare_start!=0&&compare_stop!=0){
385 /* check out if packet is in searched scope */
386 if((cs->start_packet_nr_first<fInfo->num)&&(cs->stop_packet_nr_first>fInfo->num)){
389 /* so we won't miss the other file */
390 if((fInfo->num>cs->start_packet_nr_second)&&(fInfo->num<cs->stop_packet_nr_second)){
399 if(fInfo->fp->count < MERGED_FILES){
400 printf("Packet id :%i, count:%i Problem:", fInfo->id, fInfo->fp->count);
401 printf("Packet lost\n");
403 if(fInfo->fp->count > MERGED_FILES){
404 printf("Packet id :%i, count:%i Problem:", fInfo->id, fInfo->fp->count);
405 printf("More than two packets\n");
406 if(fInfo->fp->cksum == WRONG_CHKSUM){
407 printf("Checksum error over IP header\n");
410 if(fInfo->fp->count == MERGED_FILES){
411 if(fInfo->fp->cksum == WRONG_CHKSUM){
412 printf("Packet id :%i, count:%i Problem:", fInfo->id, fInfo->fp->count);
413 printf("Checksum error over IP header\n");
414 if(((delta < (average-cs->stats.variance)) || (delta > (average+cs->stats.variance))) && (delta > 0.0) && (cs->stats.variance!=0)){
415 printf("Not arrived in time\n");
417 if((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time)>0||nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time)>0) && (fInfo->zebra_time.nsecs!=MERGED_FILES) && ON_method){
418 printf("Not correct order\n");
420 } else if(((delta < (average-cs->stats.variance)) || (delta > (average+cs->stats.variance))) && (delta > 0.0) && (cs->stats.variance!=0)) {
421 printf("Packet id :%i, count:%i Problem:", fInfo->id, fInfo->fp->count);
422 printf("Package not arrived in time\n");
423 if((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time)>0||nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time)>0) && fInfo->zebra_time.nsecs != MERGED_FILES && ON_method){
424 printf("Not correct order\n");
426 } else if((nstime_cmp(&fInfo->fp->predecessor_time, &fInfo->zebra_time)>0||nstime_cmp(&fInfo->fp->partner->fp->predecessor_time, &fInfo->fp->partner->zebra_time)>0) && fInfo->zebra_time.nsecs != MERGED_FILES && ON_method){
427 printf("Packet id :%i, count:%i Problem:", fInfo->id, fInfo->fp->count);
428 printf("Not correct order\n");
436 /* This callback is used when tshark wants us to draw/update our
437 * data to the output device. Since this is tshark only output is
439 * TShark will only call this callback once, which is when tshark has
440 * finished reading all packets and exists.
441 * If used with wireshark this may be called any time, perhaps once every 3
443 * This function may even be called in parallell with (*reset) or (*draw)
444 * so make sure there are no races. The data in the rpcstat_t can thus change
445 * beneath us. Beware.
448 comparestat_draw(void *prs)
450 comparestat_t *cs=prs;
451 GString *filter_str = g_string_new("");
452 const gchar *statis_string;
453 guint32 first_file_amount, second_file_amount;
455 /* inital steps, clear all data before start*/
456 cs->zebra_time.secs=0;
457 cs->zebra_time.nsecs=1;
458 nstime_set_unset(&cs->current_time);
459 cs->ip_ttl_list=g_array_new(FALSE, FALSE, sizeof(guint8));
461 cs->start_ongoing_hits=0;
462 cs->stop_ongoing_hits=0;
463 cs->start_packet_nr_first=G_MAXINT32;
464 cs->start_packet_nr_second=G_MAXINT32;
465 cs->stop_packet_nr_first=G_MAXINT32;
466 cs->stop_packet_nr_second=G_MAXINT32;
467 cs->first_file_amount=0;
468 cs->second_file_amount=0;
470 time_stat_init(&cs->stats);
471 /* not using g_free, because struct is managed by binarytrees */
472 cs->ip_id_tree=se_tree_create(EMEM_TREE_TYPE_RED_BLACK, "ip_id_tree");
473 emem_tree_foreach(cs->packet_tree, call_foreach_count_ip_id, cs);
475 /* set up TTL choice if only one number found */
476 if(TTL_method&&cs->ip_ttl_list->len==1){
477 g_array_append_val(cs->ip_ttl_list, g_array_index(cs->ip_ttl_list, guint8, 1));
480 emem_tree_foreach(cs->packet_tree, call_foreach_new_order,cs);
481 emem_tree_foreach(cs->packet_tree, call_foreach_merge_settings, cs);
483 /* remembering file amounts */
484 first_file_amount=cs->first_file_amount;
485 second_file_amount=cs->second_file_amount;
486 /* reset after numbering */
487 cs->nr_tree=se_tree_create(EMEM_TREE_TYPE_RED_BLACK, "nr_tree");
490 cs->stats.variance=compare_variance;
492 /* add statistic string */
493 statis_string=g_strdup_printf("Compare Statistics: \nNumber of packets total:%i 1st file:%i, 2nd file:%i\nScopes:\t start:%i stop:%i\nand:\t start:%i stop:%i\nEqual packets: %i \nAllowed variation: %f \nAverage time difference: %f\n", (first_file_amount+second_file_amount), first_file_amount, second_file_amount, cs->start_packet_nr_first, cs->stop_packet_nr_first, cs->start_packet_nr_second, cs->stop_packet_nr_second, cs->stats.num, cs->stats.variance, fabs(get_average(&cs->stats.tot, cs->stats.num)));
496 printf("===================================================================\n");
497 printf("%s", statis_string);
498 emem_tree_foreach(cs->ip_id_tree, call_foreach_print_ip_tree, cs);
499 printf("===================================================================\n");
500 g_string_free(filter_str, TRUE);
501 g_array_free(cs->ip_ttl_list, TRUE);
504 /* When called, this function will create a new instance of comparestat.
505 * This function is called from tshark when it parses the -z compare, arguments
506 * and it creates a new instance to store statistics in and registers this
507 * new instance for the compare tap.
510 comparestat_init(const char *optarg, void* userdata _U_)
513 const char *filter=NULL;
514 GString *error_string;
515 gint start, stop,ttl, order, pos=0;
518 if(sscanf(optarg,"compare,%d,%d,%d,%d,%lf,%n",&start, &stop, &ttl, &order, &variance, &pos)==5){
525 fprintf(stderr, "tshark: invalid \"-z compare,<start>,<stop>,<ttl[0|1]>,<order[0|1]>,<variance>[,<filter>]\" argument\n");
529 compare_variance=variance;
535 cs=g_malloc(sizeof(comparestat_t));
536 nstime_set_unset(&cs->current_time);
537 cs->ip_ttl_list=g_array_new(FALSE, FALSE, sizeof(guint8));
539 cs->start_ongoing_hits=0;
540 cs->stop_ongoing_hits=0;
541 cs->start_packet_nr_first=G_MAXINT32;
542 cs->start_packet_nr_second=G_MAXINT32;
543 cs->stop_packet_nr_first=G_MAXINT32;
544 cs->stop_packet_nr_second=G_MAXINT32;
545 cs->first_file_amount=0;
546 cs->second_file_amount=0;
548 cs->zebra_time.secs=0;
549 cs->zebra_time.nsecs=1;
550 cs->nr_tree=se_tree_create(EMEM_TREE_TYPE_RED_BLACK, "nr_tree");
551 /* microsecond precision */
552 timestamp_set_precision(TS_PREC_AUTO_NSEC);
555 cs->filter=g_strdup(filter);
560 /* create a Hash to count the packets with the same ip.id */
561 cs->packet_tree=se_tree_create(EMEM_TREE_TYPE_RED_BLACK, "Packet_info_tree");
563 error_string=register_tap_listener("ip", cs, filter, 0, comparestat_reset, comparestat_packet, comparestat_draw);
565 /* error, we failed to attach to the tap. clean up */
569 fprintf(stderr, "tshark: Couldn't register compare tap: %s\n", error_string->str);
570 g_string_free(error_string, TRUE);
577 register_tap_listener_comparestat(void)
579 register_stat_cmd_arg("compare,", comparestat_init,NULL);