In order to use this feature, the programmer must open an adapter and put it in statistical mode. This can be done with pcap_setmode(). In particular, MODE_STAT must be used as the mode argument of this function.
With statistical mode, making an application that monitors the TCP traffic load is a matter of few lines of code. The following sample shows how to do it.
/* * Copyright (c) 1999 - 2003 * NetGroup, Politecnico di Torino (Italy) * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the Politecnico di Torino nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ #include <stdlib.h> #include <stdio.h> #include <pcap.h> void usage(); void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *); void main(int argc, char **argv) { pcap_t *fp; char errbuf[PCAP_ERRBUF_SIZE]; struct timeval st_ts; u_int netmask; struct bpf_program fcode; /* Check the validity of the command line */ if (argc != 2) { usage(); return; } /* Open the output adapter */ if ( (fp= pcap_open(argv[1], 100, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf) ) == NULL) { fprintf(stderr,"\nUnable to open adapter %s.\n", errbuf); return; } /* Don't care about netmask, it won't be used for this filter */ netmask=0xffffff; //compile the filter if (pcap_compile(fp, &fcode, "tcp", 1, netmask) <0 ) { fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n"); /* Free the device list */ return; } //set the filter if (pcap_setfilter(fp, &fcode)<0) { fprintf(stderr,"\nError setting the filter.\n"); /* Free the device list */ return; } /* Put the interface in statstics mode */ pcap_setmode(fp, MODE_STAT); printf("TCP traffic summary:\n"); /* Start the main loop */ pcap_loop(fp, 0, dispatcher_handler, (PUCHAR)&st_ts); return; } void dispatcher_handler(u_char *state, const struct pcap_pkthdr *header, const u_char *pkt_data) { struct timeval *old_ts = (struct timeval *)state; u_int delay; LARGE_INTEGER Bps,Pps; struct tm *ltime; char timestr[16]; /* Calculate the delay in microseconds from the last sample. */ /* This value is obtained from the timestamp that the associated with the sample. */ delay=(header->ts.tv_sec - old_ts->tv_sec) * 1000000 - old_ts->tv_usec + header->ts.tv_usec; /* Get the number of Bits per second */ Bps.QuadPart=(((*(LONGLONG*)(pkt_data + 8)) * 8 * 1000000) / (delay)); /* ^ ^ | | | | | | converts bytes in bits -- | | delay is expressed in microseconds -- */ /* Get the number of Packets per second */ Pps.QuadPart=(((*(LONGLONG*)(pkt_data)) * 1000000) / (delay)); /* Convert the timestamp to readable format */ ltime=localtime(&header->ts.tv_sec); strftime( timestr, sizeof timestr, "%H:%M:%S", ltime); /* Print timestamp*/ printf("%s ", timestr); /* Print the samples */ printf("BPS=%I64u ", Bps.QuadPart); printf("PPS=%I64u\n", Pps.QuadPart); //store current timestamp old_ts->tv_sec=header->ts.tv_sec; old_ts->tv_usec=header->ts.tv_usec; } void usage() { printf("\nShows the TCP traffic load, in bits per second and packets per second.\nCopyright (C) 2002 Loris Degioanni.\n"); printf("\nUsage:\n"); printf("\t tcptop adapter\n"); printf("\t You can use \"WinDump -D\" if you don't know the name of your adapters.\n"); exit(0); }
00001 /* 00002 * Copyright (c) 1999 - 2003 00003 * NetGroup, Politecnico di Torino (Italy) 00004 * All rights reserved. 00005 * 00006 * Redistribution and use in source and binary forms, with or without 00007 * modification, are permitted provided that the following conditions 00008 * are met: 00009 * 00010 * 1. Redistributions of source code must retain the above copyright 00011 * notice, this list of conditions and the following disclaimer. 00012 * 2. Redistributions in binary form must reproduce the above copyright 00013 * notice, this list of conditions and the following disclaimer in the 00014 * documentation and/or other materials provided with the distribution. 00015 * 3. Neither the name of the Politecnico di Torino nor the names of its 00016 * contributors may be used to endorse or promote products derived from 00017 * this software without specific prior written permission. 00018 * 00019 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 00020 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 00021 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 00022 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 00023 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 00024 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 00025 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 00026 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 00027 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 00028 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 00029 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 00030 * 00031 */ 00032 00033 #include <stdlib.h> 00034 #include <stdio.h> 00035 00036 #include <pcap.h> 00037 00038 void usage(); 00039 00040 void dispatcher_handler(u_char *, const struct pcap_pkthdr *, const u_char *); 00041 00042 00043 void main(int argc, char **argv) 00044 { 00045 pcap_t *fp; 00046 char errbuf[PCAP_ERRBUF_SIZE]; 00047 struct timeval st_ts; 00048 u_int netmask; 00049 struct bpf_program fcode; 00050 00051 /* Check the validity of the command line */ 00052 if (argc != 2) 00053 { 00054 usage(); 00055 return; 00056 } 00057 00058 /* Open the output adapter */ 00059 if ( (fp= pcap_open(argv[1], 100, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf) ) == NULL) 00060 { 00061 fprintf(stderr,"\nUnable to open adapter %s.\n", errbuf); 00062 return; 00063 } 00064 00065 /* Don't care about netmask, it won't be used for this filter */ 00066 netmask=0xffffff; 00067 00068 //compile the filter 00069 if (pcap_compile(fp, &fcode, "tcp", 1, netmask) <0 ) 00070 { 00071 fprintf(stderr,"\nUnable to compile the packet filter. Check the syntax.\n"); 00072 /* Free the device list */ 00073 return; 00074 } 00075 00076 //set the filter 00077 if (pcap_setfilter(fp, &fcode)<0) 00078 { 00079 fprintf(stderr,"\nError setting the filter.\n"); 00080 /* Free the device list */ 00081 return; 00082 } 00083 00084 /* Put the interface in statstics mode */ 00085 pcap_setmode(fp, MODE_STAT); 00086 00087 printf("TCP traffic summary:\n"); 00088 00089 /* Start the main loop */ 00090 pcap_loop(fp, 0, dispatcher_handler, (PUCHAR)&st_ts); 00091 00092 return; 00093 } 00094 00095 void dispatcher_handler(u_char *state, const struct pcap_pkthdr *header, const u_char *pkt_data) 00096 { 00097 struct timeval *old_ts = (struct timeval *)state; 00098 u_int delay; 00099 LARGE_INTEGER Bps,Pps; 00100 struct tm *ltime; 00101 char timestr[16]; 00102 00103 /* Calculate the delay in microseconds from the last sample. */ 00104 /* This value is obtained from the timestamp that the associated with the sample. */ 00105 delay=(header->ts.tv_sec - old_ts->tv_sec) * 1000000 - old_ts->tv_usec + header->ts.tv_usec; 00106 /* Get the number of Bits per second */ 00107 Bps.QuadPart=(((*(LONGLONG*)(pkt_data + 8)) * 8 * 1000000) / (delay)); 00108 /* ^ ^ 00109 | | 00110 | | 00111 | | 00112 converts bytes in bits -- | 00113 | 00114 delay is expressed in microseconds -- 00115 */ 00116 00117 /* Get the number of Packets per second */ 00118 Pps.QuadPart=(((*(LONGLONG*)(pkt_data)) * 1000000) / (delay)); 00119 00120 /* Convert the timestamp to readable format */ 00121 ltime=localtime(&header->ts.tv_sec); 00122 strftime( timestr, sizeof timestr, "%H:%M:%S", ltime); 00123 00124 /* Print timestamp*/ 00125 printf("%s ", timestr); 00126 00127 /* Print the samples */ 00128 printf("BPS=%I64u ", Bps.QuadPart); 00129 printf("PPS=%I64u\n", Pps.QuadPart); 00130 00131 //store current timestamp 00132 old_ts->tv_sec=header->ts.tv_sec; 00133 old_ts->tv_usec=header->ts.tv_usec; 00134 } 00135 00136 00137 void usage() 00138 { 00139 00140 printf("\nShows the TCP traffic load, in bits per second and packets per second.\nCopyright (C) 2002 Loris Degioanni.\n"); 00141 printf("\nUsage:\n"); 00142 printf("\t tcptop adapter\n"); 00143 printf("\t You can use \"WinDump -D\" if you don't know the name of your adapters.\n"); 00144 00145 exit(0); 00146 }
Before enabling statistical mode, the user has the option to set a filter that defines the subset of network traffic that will be monitored. See the paragraph on the Filtering expression syntax for details. If no filter has been set, all of the traffic will be monitored.
Once
the interface descriptor starts to work in statistical mode. Notice the fourth parameter (to_ms) of pcap_open(): it defines the interval among the statistical samples. The callback function receives the samples calculated by the driver every to_ms milliseconds. These samples are encapsulated in the second and third parameters of the callback function, as shown in the following figure:
In the example, the adapter is opened with a timeout of 1000 ms. This means that dispatcher_handler() is called once per second. At this point a filter that keeps only tcp packets is compiled and set. Then pcap_setmode() and pcap_loop() are called. Note that a struct timeval pointer is passed to pcap_loop() as the user parameter. This structure will be used to store a timestamp in order to calculate the interval between two samples. dispatcher_handler()uses this interval to obtain the bits per second and the packets per second and then prints these values on the screen.
Note finally that this example is by far more efficient than a program that captures the packets in the traditional way and calculates statistics at user-level. Statistical mode requires the minumum amount of data copies and context switches and therefore the CPU is optimized. Moreover, a very small amount of memory is required.
documentation. Copyright (c) 2002-2005 Politecnico di Torino. Copyright (c) 2005
CACE technologies. All rights reserved.