[c-nsp] OT: Sniffing TCP connection quality

Peter Rathlev peter at rathlev.dk
Tue Aug 4 17:56:00 EDT 2009


Hi,

Since TCP works the way it does, a passive observer is able to see packet
loss by looking for e.g. duplicate ACKs. For some time I've had a
dumpcap process picking out traffic to/from specific destinations and
running it through tshark to get the Wireshark "Expert Info" output.
This turns out to be very interesting data.

The problem is that I'd like to do some further data mining to see if
certain sources/destinations are more troubled than others. For this I'd
have to isolate each flow and analyse them one by one. Even though this
would be possible (and not too hard) with a few scripts, I'd like to
know if there might exist some tool/appliance that does this: Looks at
traffic (e.g. from a SPAN port) and collects statistics about the flows
including analysis of packet loss et cetera. The important part is that
it looks at the separate flows.

I've been looking at tstat (http://tstat.tlc.polito.it/index.shtml) and
this looks very promising, but it doesn't seem to be able to analyze the
different flows separately.

Anybody know of such a tool/appliance? Preferably either appliance or
something that runs on Linux, but commercial solutions as well as open
source.

Regards,
Peter
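
The per-flow analysis asked about above, as an added example that is not part of the original post: a sketch that groups packet records by flow and counts duplicate ACKs and retransmitted or out-of-order segments for each. It assumes whitespace-separated records (src, sport, dst, dport, seq, ack, payload length) with relative sequence numbers, no wraparound, and SYN/FIN/RST segments already filtered out; the sample records and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: src sport dst dport seq ack payload_len
SAMPLE = """\
10.0.0.1 40000 10.0.0.2 80 1 1 100
10.0.0.2 80 10.0.0.1 40000 1 101 0
10.0.0.1 40000 10.0.0.2 80 201 1 100
10.0.0.2 80 10.0.0.1 40000 1 101 0
10.0.0.1 40000 10.0.0.2 80 301 1 100
10.0.0.2 80 10.0.0.1 40000 1 101 0
10.0.0.1 40000 10.0.0.2 80 101 1 100
10.0.0.2 80 10.0.0.1 40000 1 401 0
10.0.0.3 40001 10.0.0.2 80 1 1 50
10.0.0.2 80 10.0.0.3 40001 1 51 0
"""

def analyse(lines):
    """Return per-flow counters keyed by the sorted endpoint pair."""
    sent_end = defaultdict(int)  # per direction: highest seq + len seen
    last_ack = {}                # per direction: last ack number seen
    stats = defaultdict(lambda: {"packets": 0, "dup_acks": 0, "retrans_or_ooo": 0})
    for line in lines:
        if not line.strip():
            continue
        src, sport, dst, dport, seq, ack, length = line.split()
        a, b = (src, int(sport)), (dst, int(dport))
        seq, ack, length = int(seq), int(ack), int(length)
        fwd, rev = (a, b), (b, a)
        flow = stats[tuple(sorted((a, b)))]  # both directions share one key
        flow["packets"] += 1
        if length > 0:
            # Data ending at or below what was already seen: resent or reordered.
            if seq + length <= sent_end[fwd]:
                flow["retrans_or_ooo"] += 1
            sent_end[fwd] = max(sent_end[fwd], seq + length)
        elif last_ack.get(fwd) == ack and sent_end[rev] > ack:
            # Pure ACK repeating the previous ack number while the peer
            # still has unacknowledged data outstanding: duplicate ACK.
            flow["dup_acks"] += 1
        last_ack[fwd] = ack
    return dict(stats)

def worst_flows(stats):
    """Flows ordered by loss indicators per packet, most troubled first."""
    score = lambda s: (s["dup_acks"] + s["retrans_or_ooo"]) / s["packets"]
    return sorted(stats, key=lambda k: score(stats[k]), reverse=True)

if __name__ == "__main__":
    for key in worst_flows(analyse(SAMPLE.splitlines())):
        print(key)
```

The window-size condition of the RFC 5681 duplicate-ACK definition is not checked here, so the counts are an upper bound.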





