Tutorial: Timestamp Nano/Micro Seconds

Introduction

Since most interfaces now deliver 10-100 GBit/s, it makes sense to switch to nanosecond timestamps. The following sections describe how to switch between microsecond and nanosecond operation.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow tcpStates nFrstPkts txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, please do so now in another bash window; this facilitates your workflow:

mkdir ~/data ~/results

The anonymized sample PCAP used in this tutorial can be downloaded here: dhcp-nanosecond.pcap.

Please save it in your ~/data folder.

Now you are all set for the T2 nanosecond experience.
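Whether a capture carries nanosecond timestamps at all can be read from its file header before T2 is rebuilt. The following check is an added example, not part of Tranalyzer: it relies on the classic pcap magic numbers (0xa1b2c3d4 for microseconds, 0xa1b23c4d for nanoseconds), the function names are hypothetical and the sample bytes are constructed.

```python
import struct

# First four bytes of a classic pcap file, as they appear on disk.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # 0xa1b2c3d4, little-endian writer
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # 0xa1b2c3d4, big-endian writer
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # 0xa1b23c4d, little-endian writer
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # 0xa1b23c4d, big-endian writer
}

def pcap_precision(data):
    """Return (unit, first_timestamp) for the leading bytes of a pcap file.

    unit is "us" or "ns"; first_timestamp is None if no packet record follows.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    endian, unit = MAGICS[data[:4]]
    if len(data) < 40:  # global header only, no complete record header
        return unit, None
    ts_sec, ts_frac = struct.unpack(endian + "II", data[24:32])
    digits = 9 if unit == "ns" else 6
    if ts_frac >= 10 ** digits:
        raise ValueError("fractional part out of range for " + unit)
    return unit, f"{ts_sec}.{ts_frac:0{digits}d}"

def needs_ns_build(path):
    """True if the capture at `path` carries nanosecond timestamps."""
    with open(path, "rb") as fh:
        return pcap_precision(fh.read(40))[0] == "ns"

def _sample(magic, endian, frac):
    """Constructed input: global header plus one empty packet record header."""
    ghdr = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack(endian + "IIII", 1102274184, frac, 0, 0)

SAMPLE_NS = _sample(0xA1B23C4D, "<", 317453055)  # constructed
SAMPLE_US = _sample(0xA1B2C3D4, ">", 317453)     # constructed

if __name__ == "__main__":
    print(pcap_precision(SAMPLE_NS))
    print(pcap_precision(SAMPLE_US))
```

If needs_ns_build() returns True for a capture, both B2T_NANOSECS and TSTAMP_PREC have to be set to 1 to keep the full precision.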

Switch to nanoseconds

The control constant TSTAMP_PREC for the core and plugin timestamp precision resides in tranalyzer.h. The output format of the flow and packet files can be configured separately with B2T_NANOSECS in bin2txt.h. By default, TSTAMP_PREC=0 and B2T_NANOSECS=0, i.e., both are set to microseconds. Let’s set the output to nanoseconds but leave the core in microsecond mode:

t2conf tranalyzer2 -D B2T_NANOSECS=1 && t2build -R

Now run t2 on the pcap and look at the flow and the packet file:

t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 28812
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP nanosecond-resolution: for improved precision, run 't2conf tranalyzer2 -D B2T_NANOSECS=1 -D TSTAMP_PREC=1 && t2build -R'
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: nFrstPkts, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1102274184.317453 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070345 sec
Finished processing. Elapsed time: 0.000168 sec
Finished unloading flow memory. Time: 0.000198 sec
Percentage completed: 100.00%
Number of processed packets: 4
Number of processed bytes: 1312 (1.31 K)
Number of raw bytes: 1312 (1.31 K)
Number of pcap bytes: 1400 (1.40 K)
Number of IPv4 packets: 4 [100.00%]
Number of A packets: 2 [50.00%]
Number of B packets: 2 [50.00%]
Number of A bytes: 628 [47.87%]
Number of B bytes: 684 [52.13%]
Average A packet load: 314.00
Average B packet load: 342.00
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 4 [100.00%]
Number of UDP bytes: 1312 (1.31 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed   flows: 2
Number of processed A flows: 2 [100.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 2.00
Number of processed A packets/flows: 1.00
Number of processed total packets/s: 56.86
Number of processed A+B   packets/s: 56.86
Number of processed A     packets/s: 28.43
Number of processed   B   packets/s: 28.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 28.43
Average full raw bandwidth: 149207 b/s (149.21 Kb/s)
Average full bandwidth : 149207 b/s (149.21 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The end report timestamps are in microseconds. Have a look at the warning [WRN]: T2 tells you that nanosecond precision is available and what you should do to switch it on. You forgot to switch the core to ns: TSTAMP_PREC=1, damn! Only the output precision is ns now.

But first look at the output of the flow and packet file:

tcol ~/results/dhcp-nanosecond_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453000  1102274184.387484000  0.070031000  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800              0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000000;272_0.070031000
A     2        0x0400000000004001  1102274184.317748000  1102274184.387798000  0.070050000  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800              192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000000;300_0.070050000

All timestamps from basicFlow and nFrstPkts are now in nanosecond format, but the last three digits are 0 as the internal values are still microseconds. Same for the packet file below.

tcol ~/results/dhcp-nanosecond_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3       1        0x0400000000004000  1102274184.387484  0.070031  0.000000  0.070031      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798  0.070050  0.000000  0.070050      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................

Now switch the core to nanoseconds.

t2conf tranalyzer2 -D TSTAMP_PREC=1 && t2build -R

t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results -s

================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 29427
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: nFrstPkts, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1102274184.317453055 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798000 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070344945 sec
Finished processing. Elapsed time: 0.000225000 sec
Finished unloading flow memory. Time: 0.000263000 sec
Percentage completed: 100.00%
...

All core timestamps are now rendered in nanoseconds, and in the flow file some of the last three digits now show non-zero values.

tcol ~/results/dhcp-nanosecond_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  nFpCnt  L2L3L4Pl_Iat
A     1        0x0400000000004000  1102274184.317453055  1102274184.387484000  0.070030945  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800              0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x00             2       272_0.000000000;272_0.070030945
A     2        0x0400000000004001  1102274184.317748000  1102274184.387798000  0.070050000  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800              192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x00             2       300_0.000000000;300_0.070050000

Same for the packet file:

tcol ~/results/dhcp-nanosecond_packets.txt

%pktNo  flowInd  flowStat            time                  pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  tcpStatesAFlags  l7Content
1       1        0x0400000000004000  1102274184.317453055  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748000  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3       1        0x0400000000004000  1102274184.387484000  0.070031  0.000000  0.070031      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17                        ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798000  0.070050  0.000000  0.070050      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17                        ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................
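The two flow files above look alike at first glance, so a check that tells zero-padded microseconds from real nanoseconds is useful before timestamps are correlated with other sources. This is an added example, not part of Tranalyzer: it assumes the raw flow file is tab-separated with a %-prefixed header row, the function names are hypothetical, and the sample records are the timeFirst, timeLast and duration values from the two runs above, reduced to six columns.

```python
from decimal import Decimal

TIME_COLS = ("timeFirst", "timeLast", "duration")

def timestamp_precision(flow_text, cols=TIME_COLS):
    """Classify the time columns of a T2 flow file.

    "us"        - 6 fractional digits (B2T_NANOSECS=0)
    "ns-padded" - 9 digits, every value ends in 000: core still in
                  microseconds, or the capture has no finer resolution
    "ns"        - 9 digits, at least one value carries sub-microsecond digits
    """
    rows = [l.split("\t") for l in flow_text.splitlines() if l.strip()]
    header = next(r for r in rows if r[0].startswith("%") and cols[0] in r)
    idx = [header.index(c) for c in cols]
    fracs = [r[i].partition(".")[2]
             for r in rows if not r[0].startswith("%") for i in idx]
    if not fracs:
        raise ValueError("no flow records found")
    if any(len(f) != 9 for f in fracs):
        return "us"
    return "ns-padded" if all(f.endswith("000") for f in fracs) else "ns"

def truncation_error_ns(us_core_value, ns_core_value):
    """Difference in ns between the same field from a us-core and an ns-core run."""
    return int((Decimal(us_core_value) - Decimal(ns_core_value)) * 10**9)

def _flows(*records):
    """Constructed input: header plus tab-joined records."""
    hdr = "%dir\tflowInd\tflowStat\ttimeFirst\ttimeLast\tduration"
    return "\n".join([hdr] + ["\t".join(r) for r in records])

# Values copied from the two runs above, reduced to six columns.
US_CORE = _flows(
    ("A", "1", "0x0400000000004000", "1102274184.317453000", "1102274184.387484000", "0.070031000"),
    ("A", "2", "0x0400000000004001", "1102274184.317748000", "1102274184.387798000", "0.070050000"))
NS_CORE = _flows(
    ("A", "1", "0x0400000000004000", "1102274184.317453055", "1102274184.387484000", "0.070030945"),
    ("A", "2", "0x0400000000004001", "1102274184.317748000", "1102274184.387798000", "0.070050000"))

if __name__ == "__main__":
    print(timestamp_precision(US_CORE), timestamp_precision(NS_CORE))
    print(truncation_error_ns("0.070031000", "0.070030945"), "ns")
```

For flow 1, the microsecond core reports a duration 55 ns longer than the nanosecond core, because the first packet's timestamp loses its last three digits.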

Conclusion

That’s it! Don’t forget to reset the nanosecond control constants for the next tutorials and recompile:

t2conf tranalyzer2 -D B2T_NANOSECS=0 -D TSTAMP_PREC=0 && t2build -R

Or use the --reset option:

t2conf tranalyzer2 --reset && t2build -R

Have fun!