man tcpstat (Commandes) - tcpstat

NAME

tcpstat - report network interface statistics

SYNOPSIS

tcpstat [-?haeFlp] [-B bps] [-b bps] [-f filter expr] [-i interface] [-o output] [-R seconds] [-r filename] [-s seconds] [interval]

DESCRIPTION

reports certain network interface statistics much like vmstat() does for system statistics. Statistics include bandwidth being used, number of packets, average packet size, and much more.

collects network information either by reading data from filename , or it can collect information by directly monitoring the network interface interface . The default action for is to automatically search for an appropriate interface, and to show current statistics on it.

interval is the sample interval, in seconds, in which the statistics are based upon and when in default mode, how often the display is updated. If -1 is given, then the interval is taken to be the entire length of the sample. Default is 5 seconds.

When reading data from filename , will exit immediately after the entire file has been procesed. When collecting data from interface , will exit upon recieving a SIGINT, or (if the -s option is specified) after seconds seconds, which ever comes first.

OPTIONS

The options are as follows:

-a
Accounting mode. Displays the estimated number of bytes per second, minute, hour, day, and month.
-b bps
Bandwidth mode. Displays the total number of seconds the data-throughput exceded bps , and the percentage of total time this was, as if the interface were limited to bps bits per second. See the section below to see how the interval affects bandwidth calculation.
-B bps
"Dumb" bandwidth mode. Displays the total number of seconds the data-throughput exceded bps , and the percentage of total time this was. See the section below to see difference between "dumb" and normal bandwidth modes.
-e
Supresses the display of empty intervals.
-F
Flush the output streams after printing each interval. Sometimes useful when redirecting output into a file, or piping tcpstat into another program like grep(1) .
-f filter expr
Filter the packets according the rules given by filter expr . For the syntax of these rules, see tcpdump(1) .
-h , -?
Display version and a brief help message.
-i interface
Do a live capture (rather than read from a file) on the interface interface given on the command line. If interface is "auto" then tries to find an appropriate one by itself.
-l
Include the size of the linklayer header when calculating statistics. (Ethernet only, right now. Usually 14 bytes per packet.)
-p
Set the interface into non-promiscuous mode (promiscuous is the default) when doing live captures.
-o format
Set the output format when displaying statistics. See the section below for a description of the syntax.
-R seconds
Show the timestamp relative to seconds . Avoid this option, because it will most likely go away in future versions.
-r filename
Read all data from filename , which may be a regular file, a named pipe or "-" to read it's data from standard input. Acceptable file formats include pcap (tcpdump() files) and "snoop" format files. filename is usually a file created by the tcpdump() command using the "-w" option.
-s seconds
When monitoring an interface, tcpdump runs for only seconds seconds, and then quits. Has no effect when reading data from a file.

OUTPUT FORMAT

The output string is any quoted string, and will write this string to the stdout. In addition, will substitute certain values for substrings which begin with a "%", as well as most standard printf() "\" escape characters. Here is a list of all substitution strings:

% Ns A
the number of ARP packets
% Ns a
the average packet size
% Ns B
the number of bytes per second
% Ns b
the number of bits per second
% Ns C
the number of ICMP and ICMPv6 packets
% Ns d
the standard deviation of the size of each packet
% Ns I
the number of IPv4 packets
% Ns l
the network "load" over the last minute, like in uptime()
% Ns M
the maximum packet size
% Ns m
the minimum packet size
% Ns N
the number of bytes
% Ns n
the number of packets
% Ns p
the number of packets per second
% Ns R
same as %S, but relative to the first packet seen
% Ns r
same as %s, but relative to the first packet seen
% Ns S
the timestamp for the interval in seconds after the "UNIX epoch"
% Ns s
the timestamp for the interval in seconds.microseconds after the "UNIX epoch"
% Ns T
the number of TCP packets
% Ns U
the number of UDP packets
% Ns V
the number of IPv6 packets
% Ns number
switch the output to the file desciptor number at this point in the string. All output for each interval before this parameter is by default the standard output (file descriptor 1). Usefull when redirecting the output into more than one file (or fifo) for separate statisics. Be sure you know where they are going. Writing to "dangling" file descriptors (without directing them to a specific destination) may produce unexpected results.
% Ns %
the "%" character

The default format string for is:

"Time:%S\tn=%n\tavg=%a\tstddev=%d\tbps=%b\n"

which will produce an output which would look similar to: Time:940948785 n=107 avg=251.81 stddev=422.45 bps=43110.40 Time:940948790 n=99 avg=400.21 stddev=539.39 bps=63393.60 Time:940948795 n=43 avg=257.16 stddev=352.83 bps=17692.80

It is worth noting for example, that many of the protocol filters (%T, %U, etc.) might be seen as being redundant because protocols can be filtered using -f (see above)

FILES

/dev/bpf Ns Sy n
the packet filter device

EXAMPLES

Displays the default statistics every 5 seconds of all traffic currently passing through the fxp0 network interface.

Displays the default statistics every 5 seconds from the tcpdump() generated file "file.dump".

Displays every 2.3 seconds the timestamp together with smtp and http traffic throughput of the data from "file.dump", in a format which would be suitable for gnuplot(1) .

Displays what percentage of the traffic in file.dump exceeded the speed of my modem (28800 bits per second.)

SEE ALSO

tcpdump(1) ,pcap(3) ,bpf(4) ,printf()

NOTES

Interval size affects bandwidth

Due to the nature of how bandwidth is actually measured (from discrete samples of data), the bandwidth numbers displayed will vary according to the interval variable. Generally speaking, if you often have rapid bursts of packet data, the bandwidth reported will not reflect this when interval is sufficently large. This results in an "averaging" effect, which may or may not be desired. On the other hand, if interval is too small (say < 0.01), this results in unrealisticaly large bandwidths for very short amounts of time.

The reason for the latter is that most network interfaces do not hand over packets bit by bit, but rather packet by packet. Thus, each packet is reported as being tranfered "instantaneously", resulting in "infinite" (or rather indeterminable) bandwidth. Thus, when counting single bits on the wire, there really is no such thing as "bandwidth" because they aren't really moving from the network stack's point of view (cf. Zeno's Paradox.)

A possible solution is to internaly spline the packet sizes together and report the bandwidth as the scalar integral over the given interval, but this has yet to be implimented, and to be honest, would be the proverbial cruise missle to destroy an ant hill.

That being said (whew!), a "good value" for interval is usualy somewhere between 0.5 and 2.

Difference between normal and 'dumb' bandwidth modes.

In normal bandwidth mode, when an interval exceeds the given bandwidth, the extra bytes are "moved" into the next interval. This has the effect of trying to imagine how overloaded an interface would be if the interface had a smaller bandwidth, yet same amount of data tried to get through.

In "dumb" bandwidth mode, each interval which exceeds the given bandwidth is simply counted. Nothin' else.

HISTORY

was first written in Winter 1998 using and then finaly retrofited for Linux in Spring 2000.

AUTHORS

Paul Herman Aq pherman@frenchfries.net

Cologne, Germany.

Please send all bug reports to this address.

BUGS

Not tested with link types other than Ethernet, PPP, and "None" types.

There may be problems reading non-IPv4 packets across platforms when reading null type link layers. This is due to a lack of a standardized packet type descriptor in libpcap for this link type.

Snoop file formats cannot be read from stdin or named pipes.