基于libpcap的抓包库只能抓到tso, gso优化之前或gro, lro优化之后的包,也就是组装后的包。由于抓包库很多时候需要准确统计包,因此这个问题需要解决。
来看一个例子:
1351581859.215208 client:59799 server:80 seq:0 ack:0 len:0 win:131070 [S]
MSS 1460 TCPOPT_NOP wscale: 2 TCPOPT_NOP TCPOPT_NOP timestamp: 228254262 0 SACK permitted TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_NOP TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_NOP
1351581859.215223 server:80 client:59799 seq:0 ack:1 len:0 win:7475200 [SA] MSS 1460 TCPOPT_NOP TCPOPT_NOP SACK permitted TCPOPT_NOP wscale: 512
1351581860.261139 client:59799 server:80 seq:0 ack:2482697881 len:0 win:131070 [S] MSS 1460 TCPOPT_NOP wscale: 2 TCPOPT_NOP TCPOPT_NOP timestamp: 228255325 0 SACK permitted TCPOPT_EOL TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL timestamp: timestamp: TCPOPT_NOP TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_EOL timestamp: TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_NOP
1351581860.261148 server:80 client:59799 seq:0 ack:1 len:0 win:7475200 [SA] MSS 1460 TCPOPT_NOP TCPOPT_NOP SACK permitted TCPOPT_NOP wscale: 512
1351581861.240784 client:59799 server:80 seq:1 ack:1 len:0 win:65700 [A]
1351581861.300309 client:59799 server:80 seq:1 ack:1 len:675 win:65700 [AP]
1351581861.300419 server:80 client:59799 seq:1 ack:676 len:0 win:16384 [A]
1351581861.300838 server:80 client:59799 seq:1 ack:676 len: 14600 win:16384 [A]
1351581861.955197 client:59799 server:80 seq:676 ack:1 len:0 win:65700 [A]
1351581862.514834 client:59799 server:80 seq:1 ack:1 len:675 win:65700 [AP]
1351581862.514848 server:80 client:59799 seq:14601 ack:676 len:0 win:16384 [A] TCPOPT_NOP TCPOPT_NOP
1351581863.66748 client:59799 server:80 seq:676 ack:2921 len:0 win:64240 [A]
1351581863.139901 client:59799 server:80 seq:676 ack:4381 len:0 win:65700 [A]
1351581863.139920 server:80 client:59799 seq:14601 ack:676 len: 7300 win:16384 [A]
1351581863.226443 client:59799 server:80 seq:676 ack:7301 len:0 win:64240 [A]
1351581863.259703 client:59799 server:80 seq:676 ack:8761 len:0 win:65700 [A]
1351581863.259724 server:80 client:59799 seq:21901 ack:676 len:7300 win:16384 [A]
1351581863.319948 client:59799 server:80 seq:676 ack:11681 len:0 win:64240 [A]
1351581863.353794 client:59799 server:80 seq:676 ack:13141 len:0 win:65700 [A]
1351581863.353815 server:80 client:59799 seq:29201 ack:676 len:7300 win:16384 [A]
1351581863.546935 client:59799 server:80 seq:676 ack:14601 len:0 win:65700 [A]
1351581865.100724 client:59799 server:80 seq:676 ack:17521 len:0 win:64240 [A]
1351581865.100742 server:80 client:59799 seq:36501 ack:676 len:7300 win:16384 [A]
1351581865.134807 client:59799 server:80 seq:676 ack:18981 len:0 win:65700 [A]
1351581865.134825 server:80 client:59799 seq:43801 ack:676 len:2920 win:16384 [A]
1351581865.200662 client:59799 server:80 seq:676 ack:21901 len:0 win:64240 [A]
1351581865.252728 client:59799 server:80 seq:676 ack:23361 len:0 win:65700 [A]
1351581865.252748 server:80 client:59799 seq:46721 ack:676 len:7300 win:16384 [A]
1351581865.339913 client:59799 server:80 seq:676 ack:26281 len:0 win:64240 [A]
1351581865.339931 server:80 client:59799 seq:54021 ack:676 len:451 win:16384 [AP]
1351581865.367165 client:59799 server:80 seq:676 ack:27741 len:0 win:65700 [A]
1351581865.480705 client:59799 server:80 seq:676 ack:30661 len:0 win:64240 [A]
1351581865.506653 client:59799 server:80 seq:676 ack:32121 len:0 win:65700 [A]
1351581865.546772 client:59799 server:80 seq:676 ack:35041 len:0 win:64240 [A]
1351581865.594454 client:59799 server:80 seq:676 ack:36501 len:0 win:65700 [A]
1351581859.215223 server:80 client:59799 seq:0 ack:1 len:0 win:7475200 [SA] MSS 1460 TCPOPT_NOP TCPOPT_NOP SACK permitted TCPOPT_NOP wscale: 512
1351581860.261139 client:59799 server:80 seq:0 ack:2482697881 len:0 win:131070 [S] MSS 1460 TCPOPT_NOP wscale: 2 TCPOPT_NOP TCPOPT_NOP timestamp: 228255325 0 SACK permitted TCPOPT_EOL TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL TCPOPT_EOL timestamp: timestamp: TCPOPT_NOP TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_EOL timestamp: TCPOPT_EOL timestamp: TCPOPT_EOL TCPOPT_NOP
1351581860.261148 server:80 client:59799 seq:0 ack:1 len:0 win:7475200 [SA] MSS 1460 TCPOPT_NOP TCPOPT_NOP SACK permitted TCPOPT_NOP wscale: 512
1351581861.240784 client:59799 server:80 seq:1 ack:1 len:0 win:65700 [A]
1351581861.300309 client:59799 server:80 seq:1 ack:1 len:675 win:65700 [AP]
1351581861.300419 server:80 client:59799 seq:1 ack:676 len:0 win:16384 [A]
1351581861.300838 server:80 client:59799 seq:1 ack:676 len: 14600 win:16384 [A]
1351581861.955197 client:59799 server:80 seq:676 ack:1 len:0 win:65700 [A]
1351581862.514834 client:59799 server:80 seq:1 ack:1 len:675 win:65700 [AP]
1351581862.514848 server:80 client:59799 seq:14601 ack:676 len:0 win:16384 [A] TCPOPT_NOP TCPOPT_NOP
1351581863.66748 client:59799 server:80 seq:676 ack:2921 len:0 win:64240 [A]
1351581863.139901 client:59799 server:80 seq:676 ack:4381 len:0 win:65700 [A]
1351581863.139920 server:80 client:59799 seq:14601 ack:676 len: 7300 win:16384 [A]
1351581863.226443 client:59799 server:80 seq:676 ack:7301 len:0 win:64240 [A]
1351581863.259703 client:59799 server:80 seq:676 ack:8761 len:0 win:65700 [A]
1351581863.259724 server:80 client:59799 seq:21901 ack:676 len:7300 win:16384 [A]
1351581863.319948 client:59799 server:80 seq:676 ack:11681 len:0 win:64240 [A]
1351581863.353794 client:59799 server:80 seq:676 ack:13141 len:0 win:65700 [A]
1351581863.353815 server:80 client:59799 seq:29201 ack:676 len:7300 win:16384 [A]
1351581863.546935 client:59799 server:80 seq:676 ack:14601 len:0 win:65700 [A]
1351581865.100724 client:59799 server:80 seq:676 ack:17521 len:0 win:64240 [A]
1351581865.100742 server:80 client:59799 seq:36501 ack:676 len:7300 win:16384 [A]
1351581865.134807 client:59799 server:80 seq:676 ack:18981 len:0 win:65700 [A]
1351581865.134825 server:80 client:59799 seq:43801 ack:676 len:2920 win:16384 [A]
1351581865.200662 client:59799 server:80 seq:676 ack:21901 len:0 win:64240 [A]
1351581865.252728 client:59799 server:80 seq:676 ack:23361 len:0 win:65700 [A]
1351581865.252748 server:80 client:59799 seq:46721 ack:676 len:7300 win:16384 [A]
1351581865.339913 client:59799 server:80 seq:676 ack:26281 len:0 win:64240 [A]
1351581865.339931 server:80 client:59799 seq:54021 ack:676 len:451 win:16384 [AP]
1351581865.367165 client:59799 server:80 seq:676 ack:27741 len:0 win:65700 [A]
1351581865.480705 client:59799 server:80 seq:676 ack:30661 len:0 win:64240 [A]
1351581865.506653 client:59799 server:80 seq:676 ack:32121 len:0 win:65700 [A]
1351581865.546772 client:59799 server:80 seq:676 ack:35041 len:0 win:64240 [A]
1351581865.594454 client:59799 server:80 seq:676 ack:36501 len:0 win:65700 [A]
这个例子中,可以看到很多len > MSS的包。这里是网卡开启了tso, gso, gro, lro等优化项造成的。
ethtool -k eth0
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
udp-fragmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
解决办法:
抓包函数解析TCP建立连接时双方协商的MSS(本例中client_MSS=server_MSS=1460),计算包数时,如果出现IP包的长度> MSS的情况,一条dump记录对应的包数=len/MSS。