{"id":261,"date":"2010-08-19T17:44:19","date_gmt":"2010-08-19T21:44:19","guid":{"rendered":"http:\/\/www.eg.bucknell.edu\/~perrone\/?p=261"},"modified":"2010-08-27T21:17:35","modified_gmt":"2010-08-28T01:17:35","slug":"looking-at-ns-3-packet-traces","status":"publish","type":"post","link":"https:\/\/www.eg.bucknell.edu\/~perrone\/2010\/08\/19\/looking-at-ns-3-packet-traces\/","title":{"rendered":"Looking at ns-3 packet traces"},"content":{"rendered":"<p>The <a href=\"http:\/\/www.nsnam.org\/docs\/tutorial\/tutorial_23.html#Using-the-Tracing-System\">ns-3 tutorial<\/a> indicates that you can inspect the pcap files generated by simulations using two different tools: <code>tcpdump<\/code> and Wireshark (see section 5.3.2 Pcap Tracing).<\/p>\n<p>Since <code>tcpdump<\/code> is a Unix tool that you&#8217;re most likely to find in your installation, let&#8217;s start there (<code>tcpdump<\/code> normally lives in <code>\/usr\/sbin<\/code>). \u00a0The tutorial recommends that you open your pcap files using the following command line:<\/p>\n<pre><code>tcpdump -nn -tt -r filename.pcap<\/code><\/pre>\n<p>Where <code>filename.pcap<\/code> is obviously the name of a pcap file generated by some experiment. A quick look at the man page for tcpdump will tell you that the command line flags used above have the following meaning (quoted directly from Mac OS 10.5.8):<\/p>\n<ul>\n<li><code>-n<\/code> &#8220;Don&#8217;t convert addresses (i.e., host addresses, port numbers, etc.) to names.&#8221; This is the ideal choice in viewing simulation output because real world names won&#8217;t mean anything in the analysis of your experiment, where you address nodes by internal ns-3 identifiers or IP addresses. I haven&#8217;t been able to discover if there&#8217;s a difference between <code>-nn<\/code> and <code>-n<\/code>; both work the same way for me.<\/li>\n<li><code>-r<\/code> &#8220;Read  packets  from file (which was created with the -w option).  
Standard input is used if file is &#8220;-&#8221;.&#8221; Another obvious choice, since what you&#8217;re looking at is a packet trace that&#8217;s been recorded to a file.<\/li>\n<li><code>-tt<\/code> &#8220;Print an unformatted timestamp on each dump line.&#8221; The alternatives here are <code>-t<\/code>, which shows no timestamp on each line, <code>-ttt<\/code>, which shows a time increment relative to the preceding line, and\u00a0<code>-tttt<\/code>, which would precede the timestamp with a date (the canonical Jan. 1st, 1970) that is meaningless to your experiment.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\">Bottom line<\/span>: use the recommended flags. Running this on a pcap file generated by an ns-3 simulation would give you output such as:<\/p>\n<pre>1.008192 arp who-has 10.1.1.2 (Broadcast) tell 10.1.1.1\r\n1.016602 arp reply 10.1.1.2 is-at 00:00:00:00:00:03\r\n1.016602 IP 10.1.1.1.49153 &gt; 10.1.1.2.discard: UDP, length 512\r\n1.017515 IP 10.1.1.1.49153 &gt; 10.1.1.2.discard: UDP, length 512\r\n...<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-271\" title=\"Wireshark ns-3 trace screenshot\" src=\"http:\/\/www.eg.bucknell.edu\/~perrone\/wp-content\/uploads\/2010\/08\/Wireshark-300x287.png\" alt=\"\" width=\"300\" height=\"287\" srcset=\"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-content\/uploads\/2010\/08\/Wireshark-300x287.png 300w, https:\/\/www.eg.bucknell.edu\/~perrone\/wp-content\/uploads\/2010\/08\/Wireshark-150x143.png 150w, https:\/\/www.eg.bucknell.edu\/~perrone\/wp-content\/uploads\/2010\/08\/Wireshark-400x383.png 400w, https:\/\/www.eg.bucknell.edu\/~perrone\/wp-content\/uploads\/2010\/08\/Wireshark.png 661w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>While <code>tcpdump<\/code> might suffice for many use cases, using <a href=\"http:\/\/www.wireshark.org\">Wireshark<\/a> gives more detail through a very usable GUI. 
If you have it on your system, give it a spin; if not, it&#8217;s easily available for Windows and Unix systems (you can get binaries for Mac OS X &gt;= 10.5.5, otherwise you need to use MacPorts). It&#8217;s a great application to capture packets on a live network, but also to analyze pre-recorded pcap traces. The added value in using Wireshark on ns-3 pcap traces is that you can inspect those nested protocol data units in all their glorious detail. The screenshot provided here should give you a taste of it.<\/p>\n<p>This is all fine and dandy, you say, but the question is: <em>how can I make my simulation run generate a packet trace? <\/em>The honest answer is that simulation runs don&#8217;t generate the pcap traces by default (remember that I\/O has a performance cost?). At the same time, it&#8217;s nearly trivial to make it happen. Say that you have created an instance of a <em>helper<\/em> for the device in your network model. All you&#8217;d have to do is use this instance to call methods like <code>EnablePcap<\/code> or <code>EnablePcapAll<\/code> before starting the simulation run. For more details, you should check out the documentation for the <code>ns3::PcapHelperForDevice<\/code> class, which is inherited by the various device helper classes. If you want to see examples of code that enable pcap trace generation, change directory to the root of your ns-3 installation and run:<\/p>\n<pre>grep -r \"EnablePcap\" examples\/<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The ns-3 tutorial indicates that you can inspect the pcap files generated by simulations using two different tools: tcpdump and Wireshark (see section 5.3.2 Pcap Tracing). Since tcpdump is a Unix tool that you&#8217;re most likely to find in your installation, let&#8217;s start there (tcpdump normally lives in \/usr\/sbin). 
\u00a0The tutorial recommends you to open&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[15,12],"class_list":["post-261","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ns-3","tag-simulation"],"_links":{"self":[{"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/posts\/261"}],"collection":[{"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/comments?post=261"}],"version-history":[{"count":16,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/posts\/261\/revisions"}],"predecessor-version":[{"id":346,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/posts\/261\/revisions\/346"}],"wp:attachment":[{"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/media?parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/categories?post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eg.bucknell.edu\/~perrone\/wp-json\/wp\/v2\/tags?post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}