This plugin implements control blocks for connections running over IP. The semantics of "connection" depend on the transport protocol: the plugin models TCP connection endpoints using a TCP connection state machine, UDP and other protocols are supported by a timeout mechanism. The plugin provides connection tables to store and retrieve connections conveniently, including an age list to track the most and least recently used flows.

The plugin can also be run by itself to illustrate how the connection state machine works on a given trace. This is done by augmenting tcpdump output with a connection's state (notice the output at the end of each line):

128.232.110.120.34855 > 66.35.250.204.80: S 3201037957:3201037957(0) win 5840  (DF) [SYN_SENT*]
66.35.250.204.80 > 128.232.110.120.34855: S 2888831847:2888831847(0) ack 3201037958 win 5792  (DF) [SYN_ACK_SENT]
128.232.110.120.34855 > 66.35.250.204.80: . ack 2888831848 win 5840  (DF) [ESTABLISHED]
128.232.110.120.34855 > 66.35.250.204.80: P 3201037958:3201038454(496) ack 2888831848 win 5840  (DF) [ESTABLISHED]
66.35.250.204.80 > 128.232.110.120.34855: . ack 3201038454 win 6432  (DF) [ESTABLISHED]
66.35.250.204.80 > 128.232.110.120.34855: . 2888831848:2888833296(1448) ack 3201038454 win 6432  (DF) [ESTABLISHED]
128.232.110.120.34855 > 66.35.250.204.80: . ack 2888833296 win 8688  (DF) [ESTABLISHED]
66.35.250.204.80 > 128.232.110.120.34855: P 2888833296:2888833579(283) ack 3201038454 win 6432  (DF) [ESTABLISHED]
128.232.110.120.34855 > 66.35.250.204.80: . ack 2888833579 win 11584  (DF) [ESTABLISHED]
66.35.250.204.80 > 128.232.110.120.34855: F 2888833579:2888833579(0) ack 3201038454 win 6432  (DF) [SHUTDOWN]
128.232.110.120.34855 > 66.35.250.204.80: F 3201038454:3201038454(0) ack 2888833580 win 11584  (DF) [SHUTDOWN]
66.35.250.204.80 > 128.232.110.120.34855: . ack 3201038455 win 6432  (DF) [TIME_WAIT]

This plugin lets you count TCP and UDP flows in traces. For TCP you can adjust when a connection is to be considered a flow. You can require seeing (i) a TCP handshake, (ii) a FIN/RST shutdown, (iii) payload be transmitted. For UDP, you can require seeing payload going in both directions.

This plugin scans a set of input traces and creates a separate pcap trace file for each flow contained in the input traces. The output is placed in a directory tree whose first level differentiates by IP protocol, the second by source IP address, and the third by destination IP address. Arbitrarily many input traces are supported.

This plugin reports packet inter-arrival times (IATs). It can use a BPF filtering expression to focus on subsets of packets, report accumulative or original timestamps of packets along with the IATs, and can also in- clude tcpdump output alongside.

This plugin reads packets from a set of trace files and multiplexes them into one pcap-compatible output stream. There can be *arbitrarily* many traces in the set, in particular, there can be more files than a process can have open file descriptors at any one time. The output stream can be saved to a pcap file, or printed to stdout for processing by another program.

This plugin sorts packets in chronological order. It scales to large flows. It proceeds in two steps: first a separate temporary trace file is created for every chronologically increasing subsequence of packets in the input trace(s). Using the multiplexing plugin "Mux", these temp traces are then merged chronologically into a single output stream. The plugin can also be used just to check whether a trace is sorted or not. See the --check option for details.

This plugin gathers simple statistics from one or more trace files and allows you to save the results in a user-provided output stream. The analysis steps performed are as follows:

• Basic counts:
  Counts the total number of packets scanned and the number of non-IP packets.
• IP protocol usage:
  Counts the number of packets and the number of bytes per IP protocol type.
• UDP/TCP port usage:
  Counts the number of packets and the number of bytes for each pair of TCP source and destination port numbers seen. You can also get aggregate counts for source ports and for destination ports.
• UDP/TCP flow usage:
  Counts the number of packets and the number of bytes for each individual TCP flow encountered.

The resulting numbers can be written to a separate output stream for each analysis category, or be combined arbitrarily. The resulting output contains absolute numbers and percentage values, and contains comments starting with a "#" at the beginning of the line.

The Trace Set plugin provides an abstraction for a set of inut traces. These traces can be opened trace files, filenames, or files containing a list of file names. The API provides a way to iterate over these traces, providing the opened trace file as an LND_Trace * to the callback. Many plugins want to operate on a number of traces; this plugin provides the right data structures for this purpose.

This plugin demuxes flows into separate output files based on the appli- cation-layer protocol that the flows contain. The oracle used for deter- mining this is tethereal. The plugin buffers packets until tethereal determines that a flow belongs to a certain application-layer protocol. At this point, all buffered and future packets belonging to the flow are written to an output tracefile for this protocol.

The TCP Filter plugin removes incomplete TCP flows from a trace. "incomplete" here means flows that have not seen complete three-way handshakes and connection teardowns (through RSTs or FINs). The plugin can operate on one or more plugins, and provides a command line interface via lndtool.