-*- indented-text -*-

TCPDUMP Savefile Utilities (dumputils)
Swedish Institute of Computer Science
Computer & Network Architecture Laboratory
<URL:http://www.sics.se>

* mux

  This program multiplexes a number of packet streams and sends the
  packets out on a network interface or dumps them to a new tcpdump(8)
  savefile, or both. When you use mux to transfer the flows, or send
  out a file generated by mux, you get the combined bandwidth of the
  incoming packet streams.

  In particular, the mux program reads one or several tcpdump(8)
  savefiles and multiplexes the packets with regard to their
  timestamps, normalized to the file epoch (the timestamp of the first
  packet of each file). It is assumed that the timestamps of the
  tcpdump savefiles are already in increasing order.
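
  The merge described above, as an added Python sketch (not code from
  dumputils): it assumes classic libpcap savefiles with microsecond
  timestamps, and the names make_savefile, read_savefile and mux are
  hypothetical. The sample savefiles are constructed in memory.

```python
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap savefile, microsecond timestamps


def make_savefile(packets):
    """Constructed sample input: savefile built from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return io.BytesIO(out)


def read_savefile(stream):
    """Yield (offset_usec, frame), offsets relative to the first packet."""
    header = stream.read(24)
    if len(header) != 24:
        raise ValueError("truncated savefile header")
    if struct.unpack("<I", header[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", header[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap savefile")
    epoch = None
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # end of file, or a truncated trailing record header
        sec, usec, caplen, _wirelen = struct.unpack(endian + "IIII", rec)
        frame = stream.read(caplen)
        if len(frame) < caplen:
            return  # truncated packet body: stop rather than emit garbage
        stamp = sec * 1_000_000 + usec
        if epoch is None:
            epoch = stamp  # file epoch = timestamp of the first packet
        yield stamp - epoch, frame


def _tagged(index, stream):
    for offset, frame in read_savefile(stream):
        yield offset, index, frame


def mux(streams):
    """K-way merge by normalized timestamp; each input must be time-ordered."""
    return list(heapq.merge(*(_tagged(i, s) for i, s in enumerate(streams))))
```

  Packets with equal offsets come out in input-file order, because the
  file index is the second sort key.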

  The program can perform IP number rewriting if given tuples of IP
  numbers as arguments.

  Run the program with options like this:
  
    -i interface

    -r(ewrite IP number tuples like this) a.b.c.d:e.f.g.h

    -f(ile) name

    inputfilename inputfilename ...

  Please note that other processes running on the same system might
  interfere with mux when you use it to multiplex and transfer packets
  on the network. How exact the packet intervals will be depends on
  several things: 1) how many, if any, other processes are running on
  the system, 2) if your system uses memory mapped files and
  sequential read ahead in fread() et al, 3) the overhead of the
  process scheduler, and, of course, how fast your hardware is.

  The program uses a fairly tight loop around gettimeofday() to
  compare the recorded packet intervals with walltime, so it gets
  around being dependent on the implementation of usleep(). It will,
  of course, eat all CPU available on the machine.

  For best performance, you might want to run mux as the sole process
  on a system in single user mode, with no other processes whatsoever,
  including the update daemon.

* shodiff

  Shows intervals (with -i) between packet timestamps. Shows offsets
  (with -o) from an epoch (the timestamp of the first packet) in a
  tcpdump(8) savefile. Use like this:

    $ shodiff -i dumpfile

  For verbose output, use -v.

* shoflo

  Shows characteristics such as total number of bytes, packets and
  average speed of flows (identified as tuples of source address/port
  and destination address/port) from a tcpdump savefile.

---
Mikael "MC" Cardell <mc@sics.se>
1999-10-13
