Analyze the ARP packets in a trace file. Calculates the ARP response time and idenifies ARP requests with no replies, gratuitous ARPs, duplicate IPs and duplicate MACs. See analyze-arps.sh.html.

Average a value returned by tshark. See average.sh.html.

Builds a tshark filter by ANDing or ORing the values in a list with a tshark variable. See build-filter.sh.html.

Calcuate the bytes in flight after each ACK. See bytes-in-flight.sh.html.

Checks to see an IP address is part of a subnet or not. See check-subnet.sh.html.

Create a table of DNS server query response times and list of unanswered queries. See dns-time.sh.html.

Find TCP connection attempts that have a failed. There are 6 failure scenarios, See failed-connection-attempts.sh.html.

Uses egrep to list all strings in a file that match an IPv4 address format and the sort -u to get a unique list. Really just a one-liner by this way I do not have to remember (or type) the egrep string. Its useful with build-filter.sh to create a filter to display all the IPs listed in say a log file. See find-ips.sh.html.

Analyze a packet trace for packets where the sequence number in the ACK field does not match the sequence numbers in the selective acknowledgement blocks. See find-mangled-sequence-numbers.sh.html.

Find TCP connections that have been reset without being closed. See find-reset-connections.sh.html.

Find TCP connections that appear to have failed because of retransmission failures. See find-retran-failures.sh.html.

Removes a partial packet at the end of a packet trace file. See fix-pcap.sh.html.

For each retransmitted TCP segment determine if the segment is seen more than once. See local-drops.sh.html.

Compares IP ID and absolute TCP sequence and ACK numbers between two traces to match up TCP segments where the IP addresses and or TCP have been changed (i.e. NAT). See packet-matcher-faster.sh.html.

Extracts byte strings from a TCP stream in a template trace and looks for the strings in a target trace. The goal is to find a match TCP stream in the target trace file. See packet-matcher.sh.html.

For every connection in the trace file calculate the percentage of retransmissions for every source IP address as retransmissions / not-retransmitted source segments. segments must contain data, i.e.will not identify retransmitted SYNs or FINs without data. See percent-retransmissions.sh.html.

Send an ICMP echo request (ping) with a 16 character message embedded in it instead of the standard sequence of ascii characaters. See ping-message.sh.html.

Send an ICMP echo request (ping) with a 16 character time stamp (HH:MM:SS.sssssssss) embedded in it instead of the standard sequence of ascii characaters. See ping-time.sh.html.

Reads X.pcap and creates a set of X.pcap_IP1-Port1_IP2-Port2_split.pcap files, one for each TCP four-tuple. Reads only pcap files not pcapng. Requires Python and the scapy module. See split-pcap.py.html.

Runs tcpdump in the background with 10 files of 100 Meg each. See start-packet-tracing.sh.html.

Calculate the throughput of all TCP streams in a trace file. See stream-throughput.sh.html.

Calculate throughput per second of a specific stream at resolutions of 1, 1/10, 1/100, and 1/1000 of a second. results are suitable for graphing. See throughput-per-sec.sh.html.

Finds all files in the current directory and any sub directories and displays then start and end times in sorted order. See time-summary.sh.html.

Find TCP connections that have not been closed or reset. See unterminated-connections.sh.html.