The following is a demonstration of the tcpwdist.d script.


Here the tcpwdist.d script is run for a few seconds then Ctrl-C is hit,

   # tcpwdist.d
   Tracing... Hit Ctrl-C to end.
   ^C
    PID: 15300  CMD: finger @mars\0

              value  ------------- Distribution ------------- count
                 -1 |                                         0
                  0 |@@@@@@@@@@@@@@@@@@@@                     1
                  1 |                                         0
                  2 |@@@@@@@@@@@@@@@@@@@@                     1
                  4 |                                         0

    PID: 4967   CMD: /usr/lib/ssh/sshd\0

              value  ------------- Distribution ------------- count
                 16 |                                         0
                 32 |@@@@@@@@@@@@@@@@@@@@                     1
                 64 |@@@@@@@@@@@@@@@@@@@@                     1
                128 |                                         0

    PID: 9172   CMD: /usr/lib/ssh/sshd\0

              value  ------------- Distribution ------------- count
                 16 |                                         0
                 32 |@@@@@@@@                                 4
                 64 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@            14
                128 |                                         0
                256 |                                         0
                512 |@@                                       1
               1024 |                                         0

    PID: 15301  CMD: rcp 1Mb.gz mars:/tmp\0

              value  ------------- Distribution ------------- count
                  0 |                                         0
                  1 |@                                        2
                  2 |@                                        1
                  4 |                                         0
                  8 |@                                        2
                 16 |@                                        2
                 32 |                                         0
                 64 |                                         0
                128 |                                         0
                256 |                                         0
                512 |                                         0
               1024 |                                         0
               2048 |                                         0
               4096 |                                         0
               8192 |                                         0
              16384 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     64
              32768 |                                         0

In the above output we can see the "rcp" command dominates, sending
large writes (16 to 31 Kb) 64 times. The "sshd" ssh daemons each sent
several smaller writes, from 32 to 127 bytes - which corresponds to
command line activity (e.g., screen width of 80 bytes). The finger command
sent 2 bytes once, and zero data bytes once.

These values are the TCP write payload sizes.

The writes from the "rcp" command seem unusual at over 16 Kb each, when
this is an Ethernet network with an MTU of 1500 bytes. The reason is that
at this point the data has not yet been broken down into MTU sized packets,
so we are looking at the application's behaviour as it writes to TCP.
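
The reading of the distributions above can be automated. The following Python is an added example, not part of tcpwdist.d or the DTraceToolkit: it parses output in the format shown and, treating each row's value as the inclusive lower edge of a power-of-two bucket, bounds the total payload bytes each process wrote. The function names are hypothetical, and the embedded sample is abridged from the output above.

```python
import re

# Abridged from the output above: headers and zero-count rows are dropped.
SAMPLE = r"""
 PID: 9172   CMD: /usr/lib/ssh/sshd\0
              32 |@@@@@@@@                                 4
              64 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@            14
             512 |@@                                       1

 PID: 15301  CMD: rcp 1Mb.gz mars:/tmp\0
               1 |@                                        2
               2 |@                                        1
               8 |@                                        2
              16 |@                                        2
           16384 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     64
"""

HEADER = re.compile(r"^\s*PID:\s*(\d+)\s+CMD:\s*(.*?)(?:\\0)?\s*$")
ROW = re.compile(r"^\s*(-?\d+)\s*\|@*\s+(\d+)\s*$")

def bucket_range(value):
    """Inclusive byte range of one row: [value, 2*value - 1] for value >= 1."""
    return (value, value) if value < 1 else (value, 2 * value - 1)

def parse(text):
    """Return {pid: {"cmd": str, "buckets": {value: count}}}."""
    procs, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = procs.setdefault(int(m.group(1)), {"cmd": m.group(2), "buckets": {}})
        elif cur is not None and (m := ROW.match(line)):
            cur["buckets"][int(m.group(1))] = int(m.group(2))
    return procs

def byte_bounds(buckets):
    """Lower and upper bound on total payload bytes implied by the histogram."""
    lo = sum(bucket_range(v)[0] * n for v, n in buckets.items())
    hi = sum(bucket_range(v)[1] * n for v, n in buckets.items())
    return lo, hi

if __name__ == "__main__":
    for pid, p in parse(SAMPLE).items():
        writes = sum(p["buckets"].values())
        print(pid, p["cmd"], "writes:", writes, "bytes:", byte_bounds(p["buckets"]))
```

For the rcp process this gives 71 writes totalling between 1,048,628 and 2,097,185 bytes, almost all of it from the 64 writes in the 16384 bucket.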