
FreeBSD Manual Pages

  
 
  

YCONALYZER(1)		    General Commands Manual		 YCONALYZER(1)

NAME
       yconalyzer  -  A	 program  to analyze TCP traffic on a server or	client
       port.

SYNOPSIS
       yconalyzer -p port [ -i interface ] [ -t	seconds	] [ expression ]
       yconalyzer -p port [ -i interface ] [ -w	file ] [ -t seconds ]
	      [	expression ]
       yconalyzer -p port [ -dRTP ] [ -i interface ] [ -t seconds ]
	      [	-r file	] [ -n nbuckets	] [ -s bucket_size ]
	      [	-X nbytes ] [ -x nbytes	]
	      [	-Y nbytes ] [ -y nbytes	]
	      [	-c num_attempts	] [ -I datespec	]
	      [-P|-C|-S] [ -D bucket_id	] [ expression ]

DESCRIPTION
       Yconalyzer selects the packets on a network interface  that  match  the
       boolean expression and prints out statistics about the TCP connections.

       When  run   with	  the  -w flag (recommended mode), it saves the	packet
       data to file for	later analysis.

       When run with the -r flag, it reads packets from a saved packet file
       rather than from a network interface, and then prints out statistics.

       In all cases, only packets that match yconalyzer's internal  filter  as
       well  as	 the expression	will be	processed by yconalyzer.  The internal
       filter processes	only those TCP packets that have the source or	desti-
       nation  port  matching port, and	have one of SYN, FIN, or RST flags set
       in the TCP header.

       The same permission restrictions apply as they do for tcpdump. As with
       tcpdump, you must have super-user permissions in order to invoke
       yconalyzer without the -r option. All files captured by tcpdump are
       readable by yconalyzer and vice versa (as long as file permissions are
       set correctly).

       Yconalyzer will stop capturing packets if it is interrupted by a SIGINT
       signal (generated, for example, by typing your interrupt character,
       typically control-C) or a SIGTERM signal (typically generated with
       the kill(1) command).

       When  yconalyzer	finishes capturing packets (or reading from a captured
       file), it will report statistics	regarding  the	connections  observed.
       The report is in two parts. The first part has overall aggregated
       statistics, and information about lost connections, etc. The second
       part is a table in which	the observed connections are placed in buckets
       according to the	duration of the	connection.  A bucket  is  defined  by
       the  minimum  and maximum duration of a connection (or, if -P option is
       chosen, then the	minimum	and maximum throughput of a connection).   For
       each bucket, the	following statistics are reported:

	      The  number  of  connections in the bucket, and a	percent	of the
	      total number of connections observed.

	      The average number of bytes sent from the	clients	for  the  con-
	      nections in the bucket.

              The average number of bytes sent from the server for the
              connections in the bucket.

	      The average estimated Round Trip Time of the connections in  the
	      bucket  (if  -T option is	specified). See	section	on RTT ESTIMA-
	      TION.

       For a sample output, see	the section on SAMPLE OUTPUT.

       While running in capture mode (i.e. without the -r option), yconalyzer
       will also report the number of packets captured and dropped, like
       tcpdump(1) does. The same notes as in tcpdump apply for these numbers.

       It is useful to monitor the number of packets dropped after yconalyzer
       runs. It should normally be zero, even if yconalyzer is run for an
       extended period of time (tens of minutes, or even hours). If it is
       non-zero, it could be an indication (but not necessarily so) that
       running yconalyzer has skewed the performance of the system.

OPTIONS
       -c     Print out the connections that took at least num_attempts
              attempts to establish.

       -C     Use  the number of bytes sent by the client to place connections
	      in buckets.

       -d     Print out	a trace	of the packets in format  similar  to  tcpdump
	      -n.   Repeating  this  option gives more information, useful for
	      debugging	yconalyzer.

       -D     Print out	the host and port numbers of all  the  connections  in
	      the  specified  bucket. The bucket_id is the first number	in the
	      bucket (which has	two numbers, or	only one if  it	 is  the  last
	      bucket).	One line is printed for	each connection	in the bucket.
	      This is printed in a format that can be cut  and	pasted	to  be
	      used as expression with either yconalyzer	or with	tcpdump. Typi-
	      cal use of this option is	to drill down on a specific bucket  to
	      list all the connections in that bucket in order to find out why
	      these are	slow. If the original data is captured using  tcpdump,
	      then  the	connection can be looked at to see how the transaction
	      happened.

       -i     Listen on	interface.  If unspecified,  yconalyzer	 searches  the
	      system interface list for	the lowest numbered, configured	up in-
	      terface (excluding loopback).  Ties are broken by	 choosing  the
	      earliest match.

       -I     Consider	packets	 later than specified time. datespec can be in
	      HH:MM:SS or YYYY-MM-DD.HH:MM:SS format. All packets that have  a
	      timestamp	before this time are discarded,	so any connections es-
	      tablished	before the specified time will not show	up in the  fi-
	      nal analysis.

       -n     Number  of buckets. Actually, one	more than nbuckets buckets are
	      printed, with the	rest of	the connections	grouped	 in  the  last
	      bucket.

       -p     The TCP port to be monitored. This should	always be specified.

       -P     Use  throughput buckets instead of response time.	The throughput
	      for each connection is computed as the  total  number  of	 bytes
	      sent  in	either	direction divided by the total duration	of the
	      connection. So, this option is meaningful	only when one side  of
	      the  connection  sends  a	 much smaller number of	bytes than the
	      other one. Connections are bucketized in terms of	the calculated
	      throughput.

       -r     Read packets from	file (which was	created	with the -w option).

       -R     Output in	raw format. Useful for piping the output to a script.

       -S     Use  the number of bytes sent by the server to place connections
	      in buckets.

       -s     Bucket size in msecs (or,	in Kbytes/sec if -P is specified).

       -T     Attempt to estimate RTT for the connections. If  the  trace  was
	      captured	on the client machine the estimated RTT	is exactly the
	      same as that experienced by the client in	the beginning  of  the
	      connection.   Variation  in  RTT as the connection progresses is
	      not tracked. If the trace	was captured on	the server side,  then
	      yconalyzer tries to estimate the RTT based on the	way connection
	      close is initiated by the	upper layer protocol. In case of HTTP,
	      this  estimate  should  be quite close to	the real RTT.  See the
	      section on RTT ESTIMATION.

       -w     Write the	raw packets to file rather than	 processing  them  and
	      printing	out  statistics.  The file can later be	processed with
	      the -r option.

       -x     Select only those	connections in which  the  client  sends  more
	      than nbytes bytes	to the server.

       -X     Select only those connections in which the server sends more
              than nbytes bytes to the client.

       -y     Select only those	connections in which  the  client  sends  less
	      than nbytes bytes	to the server.

       -Y     Select only those connections in which the server sends less
              than nbytes bytes to the client.

        expression
              selects which packets will be processed. If no expression is
              given, all packets selected by yconalyzer will be processed.
              Note that the expression is applied in addition to the filter
              that yconalyzer already uses. The internal filter specifies
              the TCP port and processes only those packets that have the
              SYN, FIN, or RST flags set in the TCP header. See tcpdump(1).

EXAMPLES
       To capture all relevant packets on port 80 for 10 minutes and save  the
       packets in file http.1 for later	analysis:
	      yconalyzer -p 80 -w http.1 -t 600

       To print	out the	processed data from the	above file:
	      yconalyzer -p 80 -r http.1

       To change the bucket size to 2 seconds (instead of a default of 20
       msec) and divide into 5 buckets (instead of default of 20):
	      yconalyzer -p 80 -r http.1 -s2000	-n5

       To process only those connections in which the client sends  less  than
       4k bytes:
	      yconalyzer -p 80 -r http.1 -s2000	-n5 -y4096

       To process those connections in which the server sends more than 64k of
       data:
	      yconalyzer -p 80 -r http.1 -s2000	-n5 -X64000

       To filter out only those connections from host 23.34.45.56:
	      yconalyzer -p 80 -r http.1 -s2000	-n5 host 23.34.45.56

       To monitor only outgoing	connections from an HTTP proxy (in which  both
       incoming	and outgoing connections are on	port 80) for 3 minutes:
	      yconalyzer -p 80 -w proxy-out.1 -t180 '(src host proxy.domain.com	and dst	port 80) or (dst host proxy.domain.com and src port 80)'

       To  monitor  only  incoming connections to an HTTP proxy	(in which both
       incoming	and outgoing connections are on	port 80) for 3 minutes:
	      yconalyzer -p 80 -w proxy-out.1 -t180 '(dst port 80 and dst host proxy.domain.com) or (src port 80 and src host proxy.domain.com)'

       To have yconalyzer estimate RTT to the clients:
	      yconalyzer -p 80 -r http.1 -s2000	-n5 -T

       To print details about connections that took between 500 and 600 msecs:
	      yconalyzer -p 80 -r http.1 -s100 -D500

       To get the percentage of connections that had a response time of
       400msecs:
	      yconalyzer -p 80 -r http.1 -n1 -s400

SAMPLE OUTPUT
  yconalyzer -p	80 -r http.1 -T

  Results of monitoring	port 80	for 599.930000 seconds
  Start	time: Thu Jan  4 10:35:55 2007
  End time: Thu	Jan  4 10:45:55	2007
  Total	Connections (terminated	by FIN): 6291
  Avg Client Data: 3025	bytes
  Avg Server Data: 23066 bytes
  Avg conn time: 865 msecs
  Avg Round Trip Time: 152 msecs
  Total	number of SYNs:	6382 (duplicates: 88)
  Connections terminated by RESET: 37
  Number of SYNs taken to establish connections: 6319
  Avg no. of SYNs to establish a connection:  1.00
  Number of unique connections that never completed: 0
  Number of SYNs from incomplete connections: 0
  Number of established connections in progress: 33 (12 may have been discarded)
  Number of connections in closing state: 7
  Distribution of SYNs to establsh connections (nSYNs:nConns): 1:6283,2:2,3:1,4:1,5:2,7:1,8:1,

  Duration	 NumConns	 AvClient    AvServer	EstRtt	AvThruput
  (msecs)			 (bytes)     (bytes)	(msecs)	 (KB/s)
    0 -	20	    40(	0.64%)	    903	     7412	  3	1613.58
   20 -	40	   109(	1.73%)	    628	     2257	 30	89.67
   40 -	60	   181(	2.88%)	   1350	     3671	 60	101.32
   60 -	80	   324(	5.15%)	   1507	     1273	 66	39.25
   80 -	100	   279(	4.43%)	   1352	     4460	 77	62.40
  100 -	120	   196(	3.12%)	   1504	     2856	 93	38.85
  120 -	140	   183(	2.91%)	   1528	    10695	 76	91.69
  140 -	160	   172(	2.73%)	   1515	     6077	 84	49.94
  160 -	180	   155(	2.46%)	   2407	     5362	 90	44.55
  180 -	200	   208(	3.31%)	   1316	     9759	104	58.02
  200 -	220	   162(	2.58%)	   1672	    14240	124	75.02
  220 -	240	   155(	2.46%)	   4169	    11908	136	69.50
  240 -	260	   157(	2.50%)	   2592	    18188	140	82.02
  260 -	280	   131(	2.08%)	   2249	    16619	142	69.07
  280 -	300	   137(	2.18%)	   6110	    11858	143	61.67
  300 -	320	   131(	2.08%)	   1748	    14579	130	52.05
  320 -	340	   124(	1.97%)	   1783	    17429	147	57.65
  340 -	360	   136(	2.16%)	   1910	    16969	164	53.03
  360 -	380	   139(	2.21%)	   3945	    20649	157	65.37
  380 -	400	   116(	1.84%)	   1896	    17909	156	50.16
  400+		  3056(48.58%)	   4057	    37201	203	47.08

RTT ESTIMATION
       If  we  make  the assumption that the server side closes	the connection
       first, and the client side closes the connection	when it	 is  done  re-
       ceiving	all  data,  then the RTT can be	estimated on the server	as the
       difference between the time the server's	 FIN  is  sent	and  when  the
       client's	FIN is received.
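
       The estimate above, together with the duration buckets and SYN
       counts from the DESCRIPTION section, sketched in Python as an added
       example (not yconalyzer's own code). The packet tuples are
       constructed, and measuring duration from the first packet seen to
       the last FIN is an assumption.

```python
SERVER_PORT = 80  # the value given to -p

# Constructed capture: (seconds, source, destination, flag). Only SYN/FIN
# packets appear, as the internal filter would pass them.
PACKETS = [
    (0.000, "192.0.2.10:40001", "198.51.100.1:80", "SYN"),
    (0.100, "198.51.100.1:80", "192.0.2.10:40001", "FIN"),  # server closes first
    (0.150, "192.0.2.10:40001", "198.51.100.1:80", "FIN"),
    (1.000, "192.0.2.11:40002", "198.51.100.1:80", "SYN"),
    (4.000, "192.0.2.11:40002", "198.51.100.1:80", "SYN"),  # second SYN attempt
    (4.500, "198.51.100.1:80", "192.0.2.11:40002", "FIN"),
    (4.530, "192.0.2.11:40002", "198.51.100.1:80", "FIN"),
    (5.000, "192.0.2.12:40003", "198.51.100.1:80", "SYN"),
    (5.010, "192.0.2.12:40003", "198.51.100.1:80", "FIN"),  # client closes first
    (5.012, "198.51.100.1:80", "192.0.2.12:40003", "FIN"),
]

def analyze(packets, port=SERVER_PORT):
    """Per-client SYN count, duration and server-side RTT estimate (msecs)."""
    conns = {}
    for ts, src, dst, flag in sorted(packets):
        from_server = src.rsplit(":", 1)[1] == str(port)
        client = dst if from_server else src
        c = conns.setdefault(client, {"syns": 0, "start": ts, "fin": {}})
        if flag == "SYN" and not from_server:
            c["syns"] += 1
        elif flag == "FIN":
            # Keep the first FIN seen from each side.
            c["fin"].setdefault("server" if from_server else "client", ts)
    report = {}
    for client, c in conns.items():
        if c["syns"] == 0 or len(c["fin"]) < 2:
            continue  # never established, or not closed by both sides
        gap = c["fin"]["client"] - c["fin"]["server"]
        end = max(c["fin"].values())
        report[client] = {
            "syns": c["syns"],
            "duration_ms": round((end - c["start"]) * 1000),
            # Only meaningful when the server's FIN went out first.
            "rtt_ms": round(gap * 1000) if gap > 0 else None,
        }
    return report

def bucketize(durations_ms, bucket_size=20, nbuckets=20):
    """nbuckets fixed-width buckets plus one final bucket for the rest."""
    counts = [0] * (nbuckets + 1)
    for d in durations_ms:
        counts[min(int(d // bucket_size), nbuckets)] += 1
    return counts
```

       A connection closed by the client first gets no estimate here,
       since the assumption stated above does not hold for it.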

SEE ALSO
       tcpdump(1)

BUGS
       When  a machine has very	low or no traffic on the port being monitored,
       it is possible that yconalyzer does not respond to ^C.

       yconalyzer prints a negative value for time when there is no traffic
       on the machine on which it is run.

				5 January 2007			 YCONALYZER(1)
