Tutorial: Timestamp Nano/Micro Seconds

Introduction

As most interfaces produce 10-100 Gbit/s of bandwidth, it makes sense to switch to nanosecond timestamps. How to switch between microsecond and nanosecond operation is described below.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile the following plugins:

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build tranalyzer2 basicFlow tcpStates nFrstPkts txtSink
...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, please do so now in another bash window; this facilitates your workflow:

$ mkdir ~/data ~/results
$

The anonymized sample PCAP used in this tutorial can be downloaded here: dhcp-nanosecond.pcap. Please extract it under your data folder. Now you are all set for the T2 nanosecond experience.

Switch to nanoseconds

The control constant TSTAMP_PREC for the core and plugin timestamp precision resides in tranalyzer.h. The output format of the flow and packet files can be configured separately with B2T_NANOSECS in bin2txt.h. By default, TSTAMP_PREC=0 and B2T_NANOSECS=0, i.e., both are set to microseconds. Let’s set the output to nanoseconds but leave the core in microsecond mode.

Now run t2 on the pcap and look at the flow and the packet file:

$ t2conf tranalyzer2 -D B2T_NANOSECS=1 && t2build -R
...
$ t2 -r ~/data/dhcp-nanosecond.pcap -w results -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 28812
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP nanosecond-resolution: for improved precision, run 't2conf tranalyzer2 -D B2T_NANOSECS=1 -D TSTAMP_PREC=1 && t2build -R'
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: nFrstPkts, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1102274184.317453 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070345 sec
Finished processing. Elapsed time: 0.000168 sec
Finished unloading flow memory. Time: 0.000198 sec
Percentage completed: 100.00%
Number of processed packets: 4
Number of processed bytes: 1312 (1.31 K)
Number of raw bytes: 1312 (1.31 K)
Number of pcap bytes: 1400 (1.40 K)
Number of IPv4 packets: 4 [100.00%]
Number of A packets: 2 [50.00%]
Number of B packets: 2 [50.00%]
Number of A bytes: 628 [47.87%]
Number of B bytes: 684 [52.13%]
Average A packet load: 314.00
Average B packet load: 342.00
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 4 [100.00%]
Number of UDP bytes: 1312 (1.31 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2
Number of processed A flows: 2 [100.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 2.00
Number of processed A packets/flows: 1.00
Number of processed total packets/s: 56.86
Number of processed A+B   packets/s: 56.86
Number of processed A     packets/s: 28.43
Number of processed   B   packets/s: 28.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 28.43
Average full raw bandwidth: 149207 b/s (149.21 Kb/s)
Average full bandwidth : 149207 b/s (149.21 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$

The end report timestamps are in microseconds. Have a look at the warning [WRN]: T2 tells you that nanosecond precision is available and what you should do to switch it on. You forgot to switch the core to ns: TSTAMP_PREC=1, damn! Only the output precision is ns now.
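To check a capture's timestamp resolution yourself before choosing TSTAMP_PREC, note that classic pcap files mark nanosecond timestamps with the magic number 0xa1b23c4d instead of 0xa1b2c3d4. The following is an added example, not part of the original tutorial or of T2's code; the function names and the constructed sample bytes are assumptions of this example.

```python
import struct

# First four file bytes -> (struct byte-order prefix, timestamp resolution).
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # 0xa1b2c3d4, big-endian writer
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # 0xa1b2c3d4, little-endian writer
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # 0xa1b23c4d, big-endian writer
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # 0xa1b23c4d, little-endian writer
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng section header block type
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16


def pcap_resolution(data):
    """Return (resolution, first packet timestamp in ns or None)."""
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng: resolution is per interface (if_tsresol)")
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, res = MAGICS[magic]
    if len(data) < GLOBAL_HDR_LEN + RECORD_HDR_LEN:
        return res, None  # header only, no packet record to read
    ts_sec, ts_frac = struct.unpack_from(endian + "II", data, GLOBAL_HDR_LEN)
    per_sec = 10**9 if res == "ns" else 10**6
    if ts_frac >= per_sec:
        raise ValueError(f"fraction {ts_frac} out of range for a {res} file")
    return res, ts_sec * 10**9 + ts_frac * (10**9 // per_sec)


def t2conf_command(res):
    """Build the tutorial's command that matches the capture resolution."""
    flag = 1 if res == "ns" else 0
    return (f"t2conf tranalyzer2 -D B2T_NANOSECS={flag} "
            f"-D TSTAMP_PREC={flag} && t2build -R")


def build_sample(magic, sec, frac):
    """Constructed little-endian pcap: global header plus one empty record."""
    global_hdr = magic + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return global_hdr + struct.pack("<IIII", sec, frac, 0, 0)


if __name__ == "__main__":
    # Constructed sample; the timestamp is the first packet's from the tutorial.
    sample = build_sample(b"\x4d\x3c\xb2\xa1", 1102274184, 317453055)
    res, first_ns = pcap_resolution(sample)
    print(res, first_ns, t2conf_command(res), sep="\n")
```

On a real capture, pass the first 40 bytes of the file to pcap_resolution().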

But first look at the output of the flow and packet file:

$ tcol dhcp-nanosecond_stb_flow.txt
%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453000  1102274184.387484000  0.070031000  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800              0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000000;272_0.070031000
A     2        0x0400000000004001  1102274184.317748000  1102274184.387798000  0.070050000  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800              192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000000;300_0.070050000

All timestamps from basicFlow and nFrstPkts are now in nanosecond format, but the last three digits are 0 as the internal values are still microseconds. Same for the packet file below.

$ tcol dhcp-nanosecond_stb_packets.txt
%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3       1        0x0400000000004000  1102274184.387484  0.070031  0.000000  0.070031      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798  0.070050  0.000000  0.070050      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................

Now switch the core to nanoseconds.

$ t2conf tranalyzer2 -D TSTAMP_PREC=1 && t2build -R
..
$ t2 -r ~/data/dhcp-nanosecond.pcap -w results -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 29427
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: nFrstPkts, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1102274184.317453055 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798000 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070344945 sec
Finished processing. Elapsed time: 0.000225000 sec
Finished unloading flow memory. Time: 0.000263000 sec
Percentage completed: 100.00%
...
$

All core timestamps are now rendered in nanoseconds, and in the flow file some of the last three digits now show non-zero values.

$ tcol dhcp-nanosecond_flow.txt
%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453055  1102274184.387484000  0.070030945  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800              0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000000;272_0.070030945
A     2        0x0400000000004001  1102274184.317748000  1102274184.387798000  0.070050000  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800              192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000000;300_0.070050000

Same for the packet file:

$ tcol dhcp-nanosecond_packets.txt
%pktNo  flowInd  flowStat            time                  pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453055  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748000  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3       1        0x0400000000004000  1102274184.387484000  0.070031  0.000000  0.070031      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798000  0.070050  0.000000  0.070050      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................
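A check for the case shown earlier, where the output carries nine fractional digits but the core still runs in microseconds: this added example (not part of the original tutorial or of T2) reads timeFirst and timeLast from a flow file and reports whether any value has sub-microsecond digits. The function name, the verdict strings, the assumed tab-separated layout and the trimmed sample rows (values copied from the outputs above) are assumptions of this example; a "padded-microseconds" verdict is also what a microsecond-resolution capture produces.

```python
TIME_COLUMNS = ("timeFirst", "timeLast")


def timestamp_precision(flow_text, columns=TIME_COLUMNS):
    """Report the precision the timestamps in a T2 flow file really carry.

    Assumes a tab-separated flow file with a '%'-prefixed header line.
    """
    lines = [l for l in flow_text.splitlines() if l.strip()]
    header = lines[0].lstrip("%").strip().split("\t")
    wanted = [header.index(name) for name in columns]
    fractions = []
    for line in lines[1:]:
        if line.startswith("%"):
            continue  # comment or repeated header line
        fields = line.split("\t")
        fractions += [fields[i].partition(".")[2] for i in wanted]
    if not fractions:
        raise ValueError("no flow records found")
    digits = {len(f) for f in fractions}
    if digits == {6}:
        verdict = "microseconds"          # output format is microseconds
    elif digits != {9}:
        verdict = "mixed"                 # unexpected: inconsistent widths
    elif all(f.endswith("000") for f in fractions):
        verdict = "padded-microseconds"   # 9 digits, nothing below 1 us
    else:
        verdict = "nanoseconds"
    sub_us = sum(1 for f in fractions if len(f) == 9 and f[6:] != "000")
    return {"values": len(fractions), "sub_us": sub_us, "verdict": verdict}


# Constructed samples: columns trimmed, values taken from the two runs above.
HEADER = "%dir\tflowInd\ttimeFirst\ttimeLast\tduration\n"
PADDED_RUN = HEADER + (
    "A\t1\t1102274184.317453000\t1102274184.387484000\t0.070031000\n"
    "A\t2\t1102274184.317748000\t1102274184.387798000\t0.070050000\n")
NANO_RUN = HEADER + (
    "A\t1\t1102274184.317453055\t1102274184.387484000\t0.070030945\n"
    "A\t2\t1102274184.317748000\t1102274184.387798000\t0.070050000\n")

if __name__ == "__main__":
    print(timestamp_precision(PADDED_RUN))
    print(timestamp_precision(NANO_RUN))
```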

That’s it. Don’t forget to reset the nanosecond control constants for the next tutorials and recompile:

$ t2conf tranalyzer2 -D B2T_NANOSECS=0 -D TSTAMP_PREC=0 && t2build -R
..
$

Or use the reset command: t2conf tranalyzer2 --reset && t2build -R

Have fun!