Timestamp nano-/micro-seconds

Introduction

Because most interfaces now deliver 10-100 Gbit/s of bandwidth, the default timestamp precision has been set to nanoseconds since version 0.9.0. Moreover, the internal timestamp processing has been simplified and extended beyond 2038. The following sections describe how to switch between microsecond and nanosecond operation.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow tcpStates nFrstPkts txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, please do so now in another bash window; this will facilitate your workflow:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set.

Going beyond 2038

t2 -r ~/data/SIP_IPv6.pcap -w ~/results

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 16230, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: nFrstPkts, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/SIP_IPv6.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1328589362.251758000 sec (Tue 07 Feb 2012 04:36:02 GMT)
Dump stop : 3867576602.251758000 sec (Tue 22 Jul 2092 14:50:02 GMT)
Total dump duration: 2538987240.000000000 sec (80y 186d 10h 14m)
Finished processing. Elapsed time: 0.000110101 sec
Finished unloading flow memory. Time: 0.000118849 sec
Percentage completed: 100.00%
Number of processed packets: 6
Number of processed bytes: 3586 (3.59 K)
Number of raw bytes: 3586 (3.59 K)
Number of pcap bytes: 3706 (3.71 K)
Number of IPv6 packets: 6 [100.00%]
Number of A packets: 6 [100.00%]
Number of A bytes: 3586 (3.59 K) [100.00%]
<A packet load>: 597.67
<B packet load>: 0.00
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of UDP packets: 6 [100.00%]
Number of UDP bytes: 3586 (3.59 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 5
Number of processed IPv6 flows: 5 [100.00%]
Number of processed A    flows: 5 [100.00%]
Number of request        flows: 5 [100.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 1.00
Number of processed A+B packets/A+B flows: 1.20
Number of processed A   packets/A   flows: 1.20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Max number of flows in memory: 1 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0800000000008000
[INF] IPv6 flows

Note the 80-year duration of the PCAP, from 2012 to 2092.

Nanoseconds -> microseconds

t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 15797, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: nFrstPkts, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1102274184.317453055 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798000 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070344945 sec
Finished processing. Elapsed time: 0.000111162 sec
Finished unloading flow memory. Time: 0.000138058 sec
Percentage completed: 100.00%
Number of processed packets: 4
Number of processed bytes: 1312 (1.31 K)
Number of raw bytes: 1312 (1.31 K)
Number of pcap bytes: 1400 (1.40 K)
Number of IPv4 packets: 4 [100.00%]
Number of A packets: 2 [50.00%]
Number of B packets: 2 [50.00%]
Number of A bytes: 628 [47.87%]
Number of B bytes: 684 [52.13%]
<A packet load>: 314.00
<B packet load>: 342.00
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of UDP packets: 4 [100.00%]
Number of UDP bytes: 1312 (1.31 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 2
Number of processed IPv4 flows: 2 [100.00%]
Number of processed A    flows: 2 [100.00%]
Number of request        flows: 1 [50.00%]
Number of reply          flows: 1 [50.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 2.00
Number of processed A   packets/A   flows: 1.00
Number of processed total packets/s: 56.86
Number of processed A+B   packets/s: 56.86
Number of processed A     packets/s: 28.43
Number of processed   B   packets/s: 28.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 28.43
<Bandwidth>: 149208 b/s (149.21 Kb/s)
<Raw bandwidth>: 149208 b/s (149.21 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

tcol ~/results/dhcp-nanosecond_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453055  1102274184.387484000  0.070030945  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800           0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000000;272_0.070030945
A     2        0x0400000000004001  1102274184.317748000  1102274184.387798000  0.070050000  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800           192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000000;300_0.070050000

tcol ~/results/dhcp-nanosecond_packets.txt

%pktNo  flowInd  flowStat            time                  pktIAT       pktTrip      flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453055  0.000000000  0.000000000  0.000000000   3        eth:ipv4:udp          00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x00             ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748000  0.000000000  0.000000000  0.000000000   3        eth:ipv4:udp          00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x00             ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:....\b;...\fN3.....6................................
3       1        0x0400000000004000  1102274184.387484000  0.070030945  0.000000000  0.070030945   3        eth:ipv4:udp          00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x00             ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798000  0.070050000  0.000000000  0.070050000   3        eth:ipv4:udp          00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x00             ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:....\b;...\fN3.....6......................................

Now switch the core and plugins to microseconds.

t2conf tranalyzer2 -D TSTAMP_PREC=0 && t2build -R

t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results -s

================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 16853, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP nanosecond-resolution: for improved precision, run 't2conf tranalyzer2 -D TSTAMP_PREC=1 && t2build -R'
Active plugins:
    01: basicFlow, 0.9.1
    02: tcpStates, 0.9.1
    03: nFrstPkts, 0.9.1
    04: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1102274184.317453 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070345 sec
Finished processing. Elapsed time: 0.000103 sec
Finished unloading flow memory. Time: 0.000128 sec
Percentage completed: 100.00%
Number of processed packets: 4
Number of processed bytes: 1312 (1.31 K)
Number of raw bytes: 1312 (1.31 K)
Number of pcap bytes: 1400 (1.40 K)
Number of IPv4 packets: 4 [100.00%]
Number of A packets: 2 [50.00%]
Number of B packets: 2 [50.00%]
Number of A bytes: 628 [47.87%]
Number of B bytes: 684 [52.13%]
<A packet load>: 314.00
<B packet load>: 342.00
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, avg: 3.00
Number of UDP packets: 4 [100.00%]
Number of UDP bytes: 1312 (1.31 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 2
Number of processed IPv4 flows: 2 [100.00%]
Number of processed A    flows: 2 [100.00%]
Number of request        flows: 1 [50.00%]
Number of reply          flows: 1 [50.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 0.00
Number of processed A+B packets/A+B flows: 2.00
Number of processed A   packets/A   flows: 1.00
Number of processed total packets/s: 56.86
Number of processed A+B   packets/s: 56.86
Number of processed A     packets/s: 28.43
Number of processed   B   packets/s: 28.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 28.43
<Bandwidth>: 149207 b/s (149.21 Kb/s)
<Raw bandwidth>: 149207 b/s (149.21 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

tcol ~/results/dhcp-nanosecond_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453  1102274184.387484  0.070031  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800           0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000;272_0.070031
A     2        0x0400000000004001  1102274184.317748  1102274184.387798  0.070050  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800           192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000;300_0.070050

Same for the packet file:

tcol ~/results/dhcp-nanosecond_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       vlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453  0.000000  0.000000  0.000000      3        eth:ipv4:udp          00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x00             ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748  0.000000  0.000000  0.000000      3        eth:ipv4:udp          00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x00             ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:....\b;...\fN3.....6................................
3       1        0x0400000000004000  1102274184.387484  0.070031  0.000000  0.070031      3        eth:ipv4:udp          00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x00             ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798  0.070050  0.000000  0.070050      3        eth:ipv4:udp          00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x00             ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:....\b;...\fN3.....6......................................

Looks like the good ol’ Anteater, right? All plugins report time in microsecond precision.
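
Both sections above depend on how the timestamp fields of a PCAP are read: the dump stop in 2092 needs seconds beyond the signed 32-bit limit, and the nanosecond-resolution warning needs the file's resolution to be known. The following Python sketch is an added example, not Tranalyzer code. It assumes a classic pcap file (not pcapng); the helper names, the truncation in to_micro() and the sample file (built from timestamps shown in the runs above) are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcap magic as read little-endian -> (file byte order, fractional digits)
MAGIC = {0xA1B2C3D4: ("<", 6), 0xD4C3B2A1: (">", 6),   # microsecond pcap
         0xA1B23C4D: ("<", 9), 0x4D3CB2A1: (">", 9)}   # nanosecond pcap

def read_timestamps(buf):
    """Return (digits, [(sec, frac), ...]) for a classic pcap held in bytes."""
    if len(buf) < 24:
        raise ValueError("truncated pcap file header")
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic not in MAGIC:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    order, digits = MAGIC[magic]
    stamps, off = [], 24
    while off + 16 <= len(buf):
        # "I" is unsigned 32-bit, so the seconds field reaches 2106, not 2038.
        sec, frac, incl_len, _orig = struct.unpack_from(order + "IIII", buf, off)
        if frac >= 10 ** digits or off + 16 + incl_len > len(buf):
            raise ValueError("corrupt record header at offset %d" % off)
        stamps.append((sec, frac))
        off += 16 + incl_len
    return digits, stamps

def as_signed32(sec):
    """The same seconds field as a signed 32-bit time_t would see it."""
    return sec - (1 << 32) if sec >= (1 << 31) else sec

def utc(sec):
    """Seconds since the epoch (may be negative) as a UTC date string."""
    t = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=sec)
    return t.strftime("%Y-%m-%d %H:%M:%S")

def to_micro(stamp):
    """Assumption: nanoseconds are reduced to microseconds by truncation."""
    return stamp[0], stamp[1] // 1000

def delta(first, last, digits):
    """last - first as a decimal string with `digits` fractional digits."""
    scale = 10 ** digits
    d = (last[0] - first[0]) * scale + last[1] - first[1]
    return "%d.%0*d" % (d // scale, digits, d % scale)

def build_sample():
    """Constructed nanosecond pcap: three 4-byte dummy packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B23C4D, 2, 4, 0, 0, 65535, 1)
    stamps = [(1102274184, 317453055), (1102274184, 387484000), (3867576602, 251758000)]
    return hdr + b"".join(struct.pack("<IIII", s, f, 4, 4) + b"\0" * 4 for s, f in stamps)
```

With the constructed sample, delta() over the first two stamps gives 0.070030945 at nine digits and 0.070031 after to_micro(), the same flow 1 durations as in the two runs. Read as signed 32-bit seconds, the 2092 stamp lands in 1956.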

That’s it. Don’t forget to reset TSTAMP_PREC for the next tutorials and recompile:

t2conf tranalyzer2 -D TSTAMP_PREC=1 && t2build -R

Or use the --reset option:

t2conf tranalyzer2 --reset && t2build -R

Have fun!