ConChart
--------

ConChart is a tool to visualise the timing of network connections. It reads a
pcap file (output of tcpdump, wireshark, ...) and generates an SVG file. The
SVG shows the sent and received data as coloured areas, as an aid in network
troubleshooting.

The different connections are grouped by destination IP / port combination.
By default the source IP / port is printed inside the connection when
available space permits.

Arguments:
 * Required:
   -r <file> : path to the pcap file to load
   -o <file> : path of the SVG to generate

 * Optional:
   -f "filter" : pcap filter to apply (see tcpdump manual for details)
   -v          : verbose output
   -d          : debugging output
   -c <int>    : stop after analysing <int> packets
   -R          : disable showing TCP retransmits
   -s <float>  : only packets with time-stamp after the specified value (seconds
                 since epoch) are analysed
   -e <float>  : only packets with time-stamp before the specified value are
                 analysed

      NOTE: the timestamps of the first and last analysed packet are always
            shown when conchart is run. These values are intended as a
            starting point to find good -s/-e arguments

   -y          : Y-size (in pixels) of the output file, default is 1000
   -a          : draw a little triangle for every packet sent and received.
                 Note that this is only useful with a short enough interval
                 specified.
   -w          : use a fixed size triangle to indicate data packets instead of
                 the variable size rectangles. This is intended for data
                 plotted from a capture that is taken on one side of a
                 high(er) latency link, as otherwise the sending windows will
                 seem long (as the ACKs require more time to arrive) against
                 short receiving windows (as the ACK is seen immediately)
   -n          : Don't print source ip/port inside the connection
   -l          : Don't add the legend on the bottom
    

This application is not intended to have as much data as possible thrown at it
to see what comes out (such as ntop), but performs best when you zoom in as
much as possible on what you want to investigate, using timebase and tcpdump
filters.
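
An added example, not part of ConChart itself: a small Python helper that reads
the packet timestamps from a classic pcap file and turns a UTC wall-clock time
into -s/-e values (seconds since epoch). The helper names, the sample capture
built inline and the file names capture.pcap / out.svg are assumptions.

```python
import struct
from datetime import datetime, timezone

# Classic pcap magic numbers as seen when read little-endian (pcapng is not
# handled): value -> (byte order of the file, unit of the timestamp fraction)
MAGICS = {0xA1B2C3D4: ("<", 1e-6), 0xD4C3B2A1: (">", 1e-6),
          0xA1B23C4D: ("<", 1e-9), 0x4D3CB2A1: (">", 1e-9)}

def packet_times(data):
    """Return the timestamp (seconds since epoch) of every record in a pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian, unit = MAGICS[magic]
    times, off = [], 24                      # records follow the 24-byte header
    while off + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        times.append(sec + frac * unit)
        off += 16 + incl_len                 # skip the captured bytes
    return times

def window_args(times, when_utc, half_width):
    """Build -s/-e values around a UTC wall-clock time; count packets inside."""
    centre = datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc).timestamp()
    start, end = centre - half_width, centre + half_width
    # -s keeps packets after the value, -e keeps packets before it
    inside = sum(1 for t in times if start < t < end)
    return ["-s", f"{start:.6f}", "-e", f"{end:.6f}"], inside

def sample_pcap():
    """Constructed capture: five 4-byte dummy records, little-endian, microseconds."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in [(0, 0), (0, 250000), (5, 500000), (5, 750000), (30, 0)]:
        out += struct.pack("<IIII", 1700000000 + sec, usec, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    times = packet_times(sample_pcap())
    print("first/last:", min(times), max(times))
    args, inside = window_args(times, "2023-11-14T22:13:25", 1.0)
    # capture.pcap and out.svg are placeholder file names
    print("conchart -r capture.pcap -o out.svg", " ".join(args), f"({inside} packets)")
```

A window that reports 0 packets is outside the capture or too narrow; widen it
before running conchart.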

I'll be putting a page online explaining how to use this tool in more detail.

Wouter Godefroy
wouter tata belgoline.com
