Measurement tools

Windows 95/98/NT traffic monitors
"Ethereal is a network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the ASCII contents of a TCP connection."
"EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network." (For Linux only)
ntop shows network statistics such as source and destination distribution via an embedded web server.
NetFlow Monitor
NetFlow Monitor (NF) is tool for processing and evaluating NetFlow Exports from CISCO routers, now commercialized by Caligare.
"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
"NIM software is a tool for processing and evaluating network traffic, using network packet export statistics from the router. It is also a user-friendly application used for network diagnostics."
cflowd is a flow analysis tool currently used for analyzing Cisco's NetFlow enabled switching method. The current release (described below) includes the collections, storage, and basic analysis modules for cflowd and for arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful include usage tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
"STAB is a new active probing tool for locating thin links on a network path. A thin link is a link with less available bandwidth than all links preceding it on the path. The last thin link on the path is the link with the minimum available bandwidth or tight link. STAB combines the concept of "self-induced congestion", the probing technique of "packet tailgating", and special probing trains called "chirps" to efficiently locate the thin links."
FlowScan is a network analysis and reporting tool. It processes IP flows recorded cflowd-format raw flow files and reports on what it finds.
Packet Factory security tools
router config check, network scanner, IP stack integrity checker, portable IP stack, GNU grep for the network, next-generation traceroute, ...
"dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI."
Robostats is a program for computing so-call robust statistics (in particular, order statistics) on a set of data such as median, the interquartile range (IQR), the 10th percentile, the 90th percentile. It uses a novel algorithm which allows it to scale in the number of values in the data set without using overly excessive amounts of memory (it uses O(log N) memory). These order statistics are useful when looking at measurements from the Internet. Included in the distribution is a programmatic library, as well as a small tutorial.
MGEN provides programs for sourcing and sinking real-time multicast/unicast UDP/IP traffic flows with optional support for RSVP operation with ISI's rsvpd. The MGEN tools transmit and receive (and log) time-stamped, sequence numbered packets. Post-test analyses of the log files can be performed to assess network or network component ability to support the given traffic load in terms of packet loss, delay, delay jitter, etc. Transmitted traffic patterns, receiver group joins/leaves, and RSVP operations can be dynamically controlled via a simple script file format.
Dumps selected packets, possibly parsed, to file or display. Windows version, ASCII output
TCP statistic and analysis tool which allows to collect network performance metrics from passive traffic analysis. In particular, Tstat allows to derive measurements at both the network (IP) layer and at the transport (TCP/UDP/RTP/RTCP) layer. It can be used to monitor a link, thanks to the integration with a RRD database.
"ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop."
IPgrab is a verbose packet sniffer for UNIX hosts.
Actively measures network performance.
New version of ttcp, with enhancements.
Measures TCP and UDP throughput.
"FREEping is a free ping software utility which will ping all your 2003-XP-2000-NT servers (or any other IP address) in free-definable intervals. FREEping will send you a popup when one of the 2003-XP-2000-NT servers stops responding. Take a look at the FREEping overview window to view all important statistics."
"TPing stands for TCP Ping or Turbo Ping. TPing is similar to the ping tool, with two differences. First, TPing uses TCP technique to figure out the round-trip time (RTT) to target hosts. Second, TPing can ping more than one host at a time. The target hosts can be specified on the command line or can be as a list in a file. TPing sends a probe to a target host and moves to the next one in the list in a round-robin fashion. If a target replies, it will be removed from the list (unless you specify a number of probes for each target)."
"HTPing stands for Hurricane TCP Ping. Unlike tping, this tool directs probe packets to a single target, but with fine inter-probe intervals (on the order of milliseconds). This tool uses the TCP technique in measuring the RTT to a target host. So, you don't need any super-user privileges to run this tool."
"RTTometer is a measurement tool to estimate path minimum RTT along with a measure of path condition. Similar to traditional ping(8), it sends a set of probes and reports the RTT experienced by each probe. Moreover, RTTometer makes use of all information gathered about the path revealed in all probes to estimate path condition. It associates a confidence measure with the captured minimum RTT."
The sentinel project is an implementation of effective remote promiscuous detection techniques. For portability purposes, the sentinel application uses the libpcap and libnet libraries.
mtr combines the functionality of the 'traceroute' and 'ping' programs in a single network diagnostic tool. As mtr starts, it investigates the network connection between the host mtr runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.
VisualRoute is a visual, fast, and integrated ping, whois, and traceroute program that automatically analyzes connectivity problems, displaying the results on a world map.
"NeoTrace Pro by NeoWorx, Inc. delivers a powerful tool for checking information on Internet sites. You can trace any computer on the internet simply by entering an email, IP address or URL. The display shows you the route between you and the remote site including all intermediate nodes and their registrant information."
VisualPulse is a server-based ping engine and reporting tool designed for network administrators, web-hosting companies, Applications Service Providers (ASPs), and Internet Service Providers (ISPs) who need a fast, visual way to see how their service offering is running, and where problems occur.
Portqry.exe is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based computers, on Windows XP-based computers, and on Windows Server 2003-based computers. The utility reports the port status of TCP and UDP ports on a computer that you select.
Summary of traceroute tools, including, a set of servers for doing traceroute from various places.
Distributed set of traceroute monitors.
"tcptraceroute is a traceroute implementation using TCP packets. The more traditional traceroute(8) sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination."
Treno (Traceroute RENO) is a network testing tool designed to test network performance under load similar to that of TCP, the most commonly used Transport Protocol in the Internet today
pchar is a reimplementation of Van Jacobson's pathchar utility for characterizing the individual hops of a path between two network hosts. pchar works on both IPv4 and IPv6 networks.
Initial Gap Increasing
IGI is an available bandwith measurement tool using active probing, which can be used to measure the available bandwith between two end points on Internet.
sting, a new end-to-end loss measurement tool. Sting is unique because it can estimate "one-way" loss rates through careful manipulation and observation of TCP behavior. In addition, using TCP allows it to leverage the existing Internet infrastructure -- any TCP server can be used as a de facto measurement service -- and it avoids increasing problems with ICMP-based network measurement (blocking, spoofing, rate limiting).
emulates packet loss
Empirix PacketSphere
Emulates packet loss and delay
RTP reflector that emulates loss, jitter and packet duplication.
"The NIST Network Emulation Tool (NIST Net) is a general-purpose tool for emulating performance dynamics in IP networks. The tool is designed to allow controlled, reproducible experiments with network performance sensitive/adaptive applications and control protocols in a simple laboratory setting. By operating at the IP level, NIST Net can emulate the critical end-to-end performance characteristics imposed by various wide area network situations (e.g., congestion loss) or by various underlying subnetwork technologies (e.g., asymmetric bandwidth situations of xDSL and cable modems)." Runs on Linux 2.2 kernels.
WANDS stands for Wide-Area Network Delay Simulator. The WANDS tools allow document designers to view their documents locally while experiencing realistic network delays similar to those their users may experience if they are across the hall, across the country, or across an ocean. The WANDS tools work by collecting statistics about real network delays, processing the data, and using the results to drive an instrumented WWW server.
"netem provides Network Emulation functionality for testing protocols by emulating the properties of wide area networks. The current version emulates variable delay, loss, duplication and re-ordering. If you run a current 2.6 distribution, (Fedora, OpenSuse, Gentoo, Debian, Mandriva, Ubuntu), then netem is already enabled in the kernel and a current version of iproute2 is included."
"dummynet is a flexible tool for bandwidth management and for testing networking protocols. It is implemented in FreeBSD but is easily portable to other protocol stacks. There is also a one-floppy version of FreeBSD which includes dummynet and a lot of other goodies, see below. dummynet works by intercepting packets in their way through the protocol stack, and passing them through one or more pipes which simulate the effects of bandwidth limitations, propagation delays, bounded-size queues, packet losses, etc."
Simulation software links
simulators, emulators, ...
Emulab, the Utah Network Testbed, contains 128 PCs that can be configured into a test network
Harvard networking simulator
"The Harvard TCP/IP network simulator, based on a simulation methodology proposed by S.Y. Wang and H.T. Kung at INFOCOM'99, uses existing real-world BSD code (including the TCP/IP stack, application programs, utilities and tools, etc.) to provide high-fidelity and extensible TCP/IP network simulation."
Link-line Emulator
"Part of the laboratory contribution to GO-NII is to establish a local testbed based on the BBN Long Links Emulator. This provides up to five circuits of programmable delay and error characteristics that will be used to emulate nationwide networks within a more controlled testing environment, eliminating the need for long-haul communication lines in the early stages of testing and development. The Long-Link Emulator (LLE) is a stand-alone VME-based system that emulates two or more unidirectional SONET-compatible OC-3 fiber-optic links. Both delay and error characteristics of the link may be controlled. Delays of over 200 milliseonds (800 ms with optional memory upgrade) can be programmed in increments of approximately one microsecond. Various error patterns and rates can be selected."
pkt is a TCL based protocol test tool. Packets are defined using ASCII strings and written directly to a network interface.
Network probe daemon (based on work by Vern Paxson)
estimates bottleneck bandwidth through packet spacing
teletraffic analysis software package
IPMA tools
provider-oriented measurement tools

Internet Technical Notes and Resources
Last updated by Henning Schulzrinne