/usr/share/doc/tcpdump/examples/send-ack.awk is in tcpdump 4.2.1-1ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
BEGIN {
	# Output is expressed against a nominal segment size, so a payload
	# length is needed to tell "normal" packets from odd-sized ones.
	# The caller may preset packetsize (for example with awk's -v option);
	# any unset or non-positive value falls back to 512 bytes.
	if (packetsize <= 0)
		packetsize = 512

	# No window has been reported yet; -1 makes the first ack record
	# always print its window.
	lastwin = -1

	# First sequence number the data path expects to see. Starting at 1
	# presumably relies on tcpdump printing relative sequence numbers;
	# confirm against the capture options used.
	expectNext = 1
}
{
	# Turn one tcpdump text record into a "send" or "ack" line.
	#
	# Caveats for anyone using the output as evidence:
	#  - Fields are read purely by position ($1 time, $5 flags, $6 either
	#    "ack" or first:last(len), $7 ack number, $9 window). A tcpdump
	#    build or option set with a different line layout is not detected
	#    and yields meaningless numbers.
	#  - All state (expectNext, timeOf, timesSent, timesAcked) is keyed on
	#    sequence numbers only, never on addresses or ports, so the input
	#    should hold a single flow; mixed traffic shares the same state.
	#  - $1 is reduced to seconds since midnight, so a trace that crosses
	#    midnight produces negative deltas.
	n = split($1, t, ":")
	tim = t[1]*3600 + t[2]*60 + t[3]

	# The first record fixes the time origin for both delta columns.
	if (NR == 1) {
		OFS = "\t"
		ltim = tim
		tzero = tim
	}

	sinceStart = tim - tzero
	sinceLast = tim - ltim

	if ($6 == "ack") {
		# Pure acknowledgement record.
		id = $7

		# NOTE(review): flag is not recomputed here; the value printed is
		# whatever the most recent data record left behind.
		printf "%7.2f\t%7.2f\t%s ack %s %d", sinceStart, sinceLast,\
			flag, $5, id

		# Report the advertised window only when it changes.
		if ($9 != lastwin) {
			printf " win %d", $9
			lastwin = $9
		}

		# Time since the segment ending at this number was first sent.
		# NOTE(review): when no such segment was recorded, timeOf[id] is
		# empty and this prints the raw time of day, not an elapsed time.
		printf " (%.2f)", tim - timeOf[id]

		# A repeat count marks duplicate acks.
		if (++timesAcked[id] > 1)
			printf " [%d]", timesAcked[id]
	} else if ($5 !~ /[SFR]/) {
		# Data record. Segments carrying SYN, FIN or RST are skipped
		# because their sequence numbers cannot be handled here.
		# Anomaly flag printed in front of "send":
		#   *  re-sent packet
		#   -  packet after a hole (missing packet(s))
		#   #  odd-sized packet
		colon = index($6, ":")
		paren = index($6, "(")
		strtSeq = substr($6, 1, colon - 1)
		endSeq = substr($6, colon + 1, paren - colon - 1)
		len = endSeq - strtSeq
		id = endSeq

		# Remember when this segment was first seen.
		if (! timeOf[id])
			timeOf[id] = tim

		if (endSeq - expectNext < 0) {
			# Ends before the point already reached: a retransmission,
			# so the expected position is left alone.
			flag = "*"
		} else {
			flag = (strtSeq - expectNext > 0) ? "-" : \
				((len != packetsize) ? "#" : " ")
			expectNext = endSeq
		}

		printf "%7.2f\t%7.2f\t%s send %s %d", sinceStart, sinceLast,\
			flag, $5, strtSeq

		# On a repeat, add the time since first transmission and the
		# number of times this segment has now been sent.
		if (++timesSent[id] > 1)
			printf " (%.2f) [%d]", tim - timeOf[id], timesSent[id]

		# Show the actual length whenever it differs from packetsize.
		if (len != packetsize)
			printf " <%d>", len
	}

	# Every input record ends its output line, including skipped
	# SYN/FIN/RST records, which therefore produce an empty line.
	printf "\n"
	ltim = tim
}