TCP-Reduce

Description
TCP-Reduce is a collection of Bourne shell scripts for reducing tcpdump traces to one-line summaries of each TCP connection present in the trace. The scripts are:

Requirements
The scripts are written using Bourne shell, tcpdump, and the common Unix utilities sed, sort, and awk. I don't know whether the scripts will work with "old" awk (please let me know), so you may need to install a version of "new" awk such as mawk (I don't have an FTP site for it) or gawk.
Limitations
The scripts look only at TCP SYN/FIN/RST packets. Connections without SYN packets in the trace (such as those already in progress at the beginning of the trace) will not appear in the summary. Garbled packets (those missing some of their contents) are reported to stderr as bogons and are discarded. Occasionally the script gets fooled by retransmissions with altered sequence numbers and reports erroneously huge connection sizes; always check large connections (say 100 MB or more) for plausibility.
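The reduction described above, as an added illustration in Python rather than tcp-reduce's own shell/awk code: it keys connections on the initial SYN, sizes each direction from the FIN sequence number, reports unparseable lines as bogons, drops connections whose SYN is not in the trace, and flags sizes at or above the 100 MB plausibility threshold. It assumes the classic tcpdump text line format shown in the comment and uses a constructed sample trace.

```python
import re
# Classic tcpdump(1) TCP line: "hh:mm:ss.usec src.port > dst.port: FLAGS seq:seq(len) [ack N] win W"
LINE_RE = re.compile(r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
                     r"(?P<flags>[SFRP.]+) (?P<seq>\d+):\d+\(\d+\)")

def to_secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def reduce_trace(lines):          # -> (one summary dict per connection, list of bogon lines)
    conns, bogons = {}, []        # (initiator, responder) -> connection state
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            bogons.append(line)   # garbled packet: report it, don't count it
            continue
        flags, src, dst, seq = m["flags"], m["src"], m["dst"], int(m["seq"])
        if "S" in flags and " ack " not in line:   # initial SYN opens a connection
            conns[(src, dst)] = {"start": to_secs(m["ts"]), "syn": {src: seq}, "fin": {}, "end": None, "reset": False}
            continue
        c = conns.get((src, dst)) or conns.get((dst, src))
        if c is None:
            continue              # no SYN in the trace (already in progress): dropped
        if "S" in flags:          # SYN-ACK carries the responder's initial sequence number
            c["syn"][src] = seq
        elif "F" in flags or "R" in flags:   # pure data/ACK packets are never examined
            c["end"], c["reset"] = to_secs(m["ts"]), c["reset"] or "R" in flags
            if "F" in flags:
                c["fin"][src] = seq
    out = []
    for (init, resp), c in conns.items():
        # bytes sent by a side: FIN seq - SYN seq - 1, since the SYN itself consumes one number
        size = {h: c["fin"][h] - c["syn"][h] - 1 for h in (init, resp) if h in c["syn"] and h in c["fin"]}
        out.append({"start": c["start"], "from": init, "to": resp,
                    "duration": None if c["end"] is None else round(c["end"] - c["start"], 6),
                    "bytes_from": size.get(init), "bytes_to": size.get(resp),
                    "state": "reset" if c["reset"] else "closed" if len(c["fin"]) == 2 else "open",
                    "suspect": any(b >= 100 << 20 for b in size.values())})  # README: verify >= 100 MB
    return out, bogons

# Constructed sample trace: one complete connection, one FIN with no SYN, one truncated packet.
SAMPLE = """\
12:00:00.000000 10.0.0.1.1234 > 10.0.0.2.80: S 1000:1000(0) win 8192
12:00:00.010000 10.0.0.2.80 > 10.0.0.1.1234: S 5000:5000(0) ack 1001 win 8192
12:00:00.500000 10.0.0.2.80 > 10.0.0.1.1234: F 5501:5501(0) ack 1101 win 8192
12:00:00.510000 10.0.0.1.1234 > 10.0.0.2.80: F 1101:1101(0) ack 5502 win 8192
12:00:01.000000 10.0.0.3.4000 > 10.0.0.2.80: F 77:77(0) ack 9 win 512
12:00:02.000000 10.0.0.9.5555 > 10.0.0.2.80: [|tcp]
""".splitlines()
```

Running `reduce_trace(SAMPLE)` yields one summary (100 bytes from the initiator, 500 back, state closed) plus one bogon; the FIN from 10.0.0.3.4000 is silently dropped because its SYN is not in the trace.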
Acknowledgements
Written by Vern Paxson. No acknowledgement in publications is necessary. Report bugs to vern@ee.lbl.gov.
Version
The current release is 1.0. It has been derived from a similar script that I've been using for a long time, which is quite solid. The derivation process, however, may have introduced some bugs. Updates will appear directly in the Internet Traffic Archive.
Restrictions
The software is copyrighted by the U.C. Regents (a "BSD-style" copyright). See the file COPYING either here or at the beginning of the tcp-conn script for details. This copyright means you can redistribute the software freely, provided you keep the authorship information intact.
Documentation
Distribution
Available from the Archive in compressed tar format (14 KB).