tcpdump analysis for delayed packets

slow-packets.py

import sys, re, os, math
import dpkt
import socket
from collections import defaultdict

def ip_str(ip):
	return socket.inet_ntoa(ip)

class Connection(object):
	def __init__(self):
		self.packets = []
	def add(self, ts, tcp):
		self.packets.append((ts, tcp))
	def connect(self, conn):
		self.conn = conn
		return self
	def pauses(self):
		o = sorted([ts for (ts,p) in self.packets])
		if len(o) == 1:
			return 0
		# diff between adjacent packets 
		return max([y - x for x,y in zip(o,o[1:])])
	def __repr__(self):
		return 'Connection-%s:%d->%s:%d' % (
			ip_str(self.conn[0]), 
			self.conn[1], 
			ip_str(self.conn[2]), 
			self.conn[3])

def main(args):
	f = open(args[0], 'rb')
	pcap = dpkt.pcap.Reader(f)
	conns = defaultdict(lambda : Connection())
	for ts, buf in pcap:
		eth = dpkt.ethernet.Ethernet(buf)
		if eth.type != dpkt.ethernet.ETH_TYPE_IP:
			continue
		ip = eth.data
		if ip.p != dpkt.ip.IP_PROTO_TCP:
			continue
		tcp = ip.data
		conn = (ip.src, tcp.sport, ip.dst, tcp.dport)
		conns[conn].connect(conn).add(ts, tcp)
	slowest=sorted([(-1*v.pauses(), v) for v in conns.values()])[:100]
	src_port = 13562
	for slow in slowest:
		c = slow[1].conn 
		src_dst = (c[1] == src_port and (c[0], c[2])) or (c[3] == src_port and (c[2], c[0]))
		print ",".join(map(str, [slow[0], ip_str(src_dst[0]), ip_str(src_dst[1]), slow[1]]))


if __name__ == '__main__':
	main(sys.argv[1:])