#
# Configuration file for pkthisto for real time capturing of Quake 3.
#
# grenville armitage, 9/2001
# modified by Mark Pozzobon 7/2002
#
# All lines beginning with "#" are comments. Other
# lines begin with a token, and optionally one or two
# parameters.
#
# **********
# ********** traffic source
# **********
#
# One of realtime_capture, file_is_tcpdump, or file_is_sniffer
# specifies where we get packets from for analysis.
#
# 'realtime_capture nnn' specifies we are performing
# real time packet capture and analysis using nnn as
# BPF capture interface (e.g. fxp0, xl0,....)
#
realtime_capture fxp0
#
# 'file_is_tcpdump' specifies that rather than real time
# capture, we are reading from a pre-existing tcpdump file
# (raw data captured off the network by tcpdump)
#
#file_is_tcpdump
#
# 'file_is_sniffer' specifies that rather than real time
# capture, we are reading from a pre-existing NAI Sniffer file
# (raw data captured off the network by NAI Sniffer). Currently
# this only works with tracefiles saved in ".enc" format, not
# ".cap" format.
#
#file_is_sniffer
#
# 'sourcefile nnn' specifies that nnn is the raw tracefile
# (only applies for file_is_tcpdump or file_is_sniffer mode).
# Can be specified as a full or relative pathname, and must
# use the style of the local OS (e.g. "xxx/yyy/file" under
# *nix, and "xxx\yyy\file" under Win32)
#
#sourcefile Z:\q3traces\Q3-server-traces\both-030501
#
# **********
# ********** additional parameters
# **********
#
# 'specific_server w.x.y.z nnn' specifies that a game
# server was located on host w.x.y.z at port nnn. Packets
# to and from this host/port are tracked to formulate
# aggregate server histograms. There may be multiple
# servers specified, and they'll be tracked concurrently.
#
specific_server 136.186.4.63 27963
#
# 'checkpoint_interval nn' specifies that intermediate
# checkpoints occur every nn minutes (minimum of 1 min,
# default is 60 minutes). A checkpoint involves updating
# files on disk with the latest histograms for flows
# currently active and/or new since the previous checkpoint.
# (Checkpoints can also be triggered by sending a SIGUSR1
# signal to the process, e.g. with "kill -USR1 " under
# many *nix derived OSes.)
#
checkpoint_interval 5
#
# 'total_pkts nnn' specifies that pkthisto should exit
# after capturing nnn packets. This is primarily for
# real time capture mode (activated by specifying the
# realtime_capture option).
#
total_pkts 25000000
#
# 'flow_max_milliseconds nnn' specifies that
# a flow is considered to have gone idle if
# more than nnn milliseconds elapse between
# one packet and the next belonging to that flow
#
flow_max_milliseconds 800
#
# 'min_pkts_in_flow nnn' specifies that a flow
# is not formally locked into memory until it has
# accumulated more than nnn packets (typically in
# less than flow_max_milliseconds, otherwise it will
# be declared idle anyway)
#
min_pkts_in_flow 200
#
# 'max_pkts_per_histo nnn' specifies that a new histogram
# begins every nnn packets for each flow. Thus, a single
# checkpoint may dump multiple histograms per flow, each
# histogram representing the statistics of the next nnn
# packets.
#
max_pkts_per_histo 2000
#
# 'no_promiscuous' specifies that the BPF device should
# NOT be put into promiscuous mode (default is to open
# promiscuous). This may reduce the local host's processing
# load if the local host is also a source or destination
# of the traffic under analysis. (no_promiscuous only has
# meaning if realtime_capture has been set.)
#
no_promiscuous
#
# 'dump_sizes' specifies that at every checkpoint we should
# create/update files containing packet size information. This
# information can be re-created later, so by default it is
# not dumped at checkpoints (to conserve disk space).
#
#dump_sizes
#
# 'outfile_prefix nnn' specifies that all output filenames
# be constructed using 'nnn' as the identifying string
# instead of the default "gtout".
#
#outfile_prefix myoutput
#
# 'compress_output' forces the length and inter-packet
# interval histograms to use compressed ASCII format
# rather than the default "human readable" pure ASCII form.
# (see HistoFormats.txt for further explanation.) Recommended
# for long real-time capture experiments.
#
#compress_output
#