Real-time TCP CWND monitoring and analysis toolkit using eBPF

3 weeks ago 3

Comprehensive TCP congestion window monitoring and analysis toolkit using eBPF for kernel-level monitoring with advanced filtering, visualization, and reporting capabilities.

Real-time eBPF monitoring of TCP CWND directly from kernel
Unified command interface through single ./run.sh script
Session-based organization with automatic timestamped folders
Advanced filtering by PID, addresses, ports, CWND ranges
Multiple chart types (timeline, connections, heatmap, overview)
Interactive HTML reports with Plotly visualization
Comprehensive HTML analysis reports with embedded charts and statistics
Live monitoring with real-time updates
Multiple report formats (text, JSON, HTML)
Automatic session management with cleanup functionality
Historical analysis of previously collected data
Automatic permission handling for seamless operation

# Install BCC and Python dependencies sudo apt update sudo apt install python3-bpfcc python3-pip # Install Python packages pip3 install pandas matplotlib seaborn plotly numpy

git clone <repository> cd dzajtcper chmod +x install.sh ./install.sh

git clone <repository> cd dzajtcper chmod +x *.py *.sh

Output Directory Structure

All TCP CWND data is automatically organized in session directories with unified structure:

out/ ├── session_20250911_143025/ │ ├── cwnd_log.csv # 📊 Raw TCP monitoring data │ ├── charts/ │ │ ├── chart_20250911_143225_timeline.png # 📈 Timeline chart │ │ ├── chart_20250911_143225_connections.png # 🔗 Connection analysis │ │ ├── chart_20250911_143225_heatmap.png # 🌡️ Traffic heatmap │ │ ├── chart_20250911_143225_timeline_interactive.html # 🎯 Interactive charts │ │ └── tcp_analysis_20250911_143225.html # 📋 Comprehensive HTML report │ └── analysis_20250911_145030/ # � Alternative analysis folder │ ├── chart_20250911_145030_timeline.png # 📈 Filtered analysis │ └── chart_20250911_145030_connections.png # 🔗 Filtered analysis ├── session_20250911_145123/ │ └── cwnd_log.csv # 📊 Session with data only └── session_20250911_150245/ ├── cwnd_log.csv # 📊 Raw data ├── charts/ # 📈 Quick analysis charts + HTML report └── analysis_*_... # 📈 Additional analysis files

# List all sessions with data summary ./run.sh list # Clean up empty session directories ./run.sh clean

1. Monitor TCP for 30 seconds and analyze

./run.sh monitor --duration 30 # Automatically handles permissions ./run.sh analyze # Analyze latest session

2. Monitor and analyze in one command with HTML report

./run.sh quick --duration 60 # Monitor + analyze + generate HTML report automatically

📋 HTML Report Features:

📊 Complete statistics (connections, processes, CWND analysis)
📈 Embedded interactive charts
🔗 Connection analysis tables
📡 Per-process activity breakdown
Location: out/session_*/charts/tcp_analysis_*.html

3. Generate comprehensive report

./run.sh report # Generate HTML report from latest session

🚀 Pro tip: See QUICK_START.md for complete HTML report guide!

# Monitor indefinitely (Ctrl+C to stop) ./run.sh monitor # Monitor for specific duration ./run.sh monitor --duration 300

Analyzing Previous Sessions

# Analyze latest session automatically ./run.sh analyze # Analyze specific session ./run.sh analyze session_20250911_143025 # List available sessions ./run.sh list # Clean empty sessions ./run.sh clean

# Filter by destination port (HTTPS traffic) ./run.sh analyze --dport 443 --charts timeline connections # Filter by source port (SSH traffic) ./run.sh analyze --sport 22 --charts heatmap # Filter by PID (specific process) ./run.sh analyze --pid 1234 --charts timeline # Filter by IP addresses ./run.sh analyze --saddr 192.168.1.100 --daddr 10.0.0.1 # Filter by CWND range ./run.sh analyze --cwnd-min 10 --cwnd-max 100 # Combine multiple filters ./run.sh analyze --dport 443 --cwnd-min 20 --charts timeline connections

# Generate specific chart types ./run.sh analyze --charts timeline # Only timeline ./run.sh analyze --charts connections # Only connections ./run.sh analyze --charts heatmap # Only heatmap ./run.sh analyze --charts overview # Only overview ./run.sh analyze --charts timeline connections heatmap # Multiple # All charts (default behavior when no --charts specified) ./run.sh analyze

# Quick monitoring: collect data + analyze + generate charts + HTML report ./run.sh quick --duration 60 # What Quick Start does: # 1. Monitors TCP connections for specified duration (default: 60s) # 2. Automatically analyzes collected data # 3. Generates overview charts (timeline, connections, heatmap) # 4. Creates comprehensive HTML analysis report in charts folder # 5. Shows quick statistics summary

# Comprehensive HTML report ./run.sh report # Report from specific session ./run.sh report session_20250911_143025 # Report with custom output name ./run.sh report session_20250911_143025 custom_analysis.html # Quick monitoring with immediate report ./run.sh quick --duration 30 && ./run.sh report

# Live monitoring of latest session ./run.sh live # Live monitoring for specific duration ./run.sh live --duration 60

Command Description Example

monitor	Start eBPF monitoring	./run.sh monitor --duration 60
analyze	Analyze existing data	./run.sh analyze --dport 443
live	Live monitoring dashboard	./run.sh live --duration 60
quick	Monitor + analyze + charts + HTML report	./run.sh quick --duration 30
report	Generate comprehensive report	./run.sh report
list	List all sessions	./run.sh list
clean	Clean empty sessions	./run.sh clean

Option Type Description Example

--duration	int	Monitoring duration in seconds	--duration 300
--help	flag	Show command help	./run.sh --help

Option Type Description Example

--pid	int	Filter by process ID	--pid 1234
--saddr	string	Source address pattern	--saddr 192.168.1.*
--daddr	string	Destination address pattern	--daddr 10.0.0.1
--sport	int	Source port	--sport 22
--dport	int	Destination port	--dport 443
--cwnd-min	int	Minimum CWND value	--cwnd-min 10
--cwnd-max	int	Maximum CWND value	--cwnd-max 100

Chart Type Description Use Case

timeline	CWND evolution over time	Overall performance analysis
connections	Per-connection statistics	Connection comparison
heatmap	Activity intensity map	Pattern identification
overview	Summary statistics	Quick overview

Format Description Use Case

HTML	Rich formatted report with embedded charts	Detailed analysis and presentation
Text	Plain text summary	Quick review
JSON	Machine readable data	Automation/scripting

# Problem: Permission conflicts between root monitoring and user analysis # Solution: run.sh automatically handles permissions ./run.sh monitor --duration 60 # Handles sudo automatically ./run.sh analyze # Handles file permissions automatically

# Check if there's active TCP traffic ss -tuln # Use longer monitoring duration ./run.sh monitor --duration 120 # Check specific process sudo netstat -tlnp | grep :80

# Install missing dependencies sudo apt install python3-pandas python3-matplotlib python3-seaborn python3-plotly # Use installation script ./install.sh

# Clean up empty sessions ./run.sh clean # Check if monitoring collected data ./run.sh list

# Ensure analysis runs properly ./run.sh analyze --charts timeline # Check session data ./run.sh list

6. Filter Returns No Results

# Check available sessions first ./run.sh list # Verify data exists ./run.sh analyze # Without filters first

# Check available sessions ./run.sh list # Analyze without filters first ./run.sh analyze # Generate comprehensive report for debugging ./run.sh report

Short analysis: 15-30 seconds monitoring
Performance testing: 2-5 minutes monitoring
Long-term analysis: 10+ minutes monitoring
Live monitoring: Use with active network traffic
Large datasets: Use filters to focus analysis

Scenario 1: Web Server Performance

# Monitor during load test ./run.sh monitor --duration 300 # Analyze HTTP traffic ./run.sh analyze --dport 80 --charts timeline connections # Generate comprehensive report ./run.sh report

Scenario 2: SSH Connection Analysis

# Monitor SSH activity ./run.sh monitor --duration 120 # Analyze SSH connections ./run.sh analyze --sport 22 --charts connections heatmap

Scenario 3: Database Connection Monitoring

# Monitor database traffic ./run.sh monitor --duration 180 # Analyze MySQL connections ./run.sh analyze --dport 3306 # Generate MySQL analysis report ./run.sh report

Scenario 4: Application-Specific Analysis

# Find application PID pgrep nginx # Monitor and analyze application traffic ./run.sh quick --duration 60 ./run.sh analyze --pid 1234 --charts timeline connections

dzajtcper/ ├── run.sh # 🎯 Unified command interface ├── tcp_monitor.py # 🔧 Core monitoring engine ├── src/ # 📦 Core modules │ ├── __init__.py # Package initialization │ ├── data_loader.py # 📊 Data loading and validation │ ├── data_filter.py # 🔍 Advanced filtering capabilities │ ├── visualizer.py # 📈 Chart generation │ ├── monitor.py # 📡 Live monitoring functionality │ ├── reporter.py # 📄 Report generation │ └── log_manager.py # 📁 Session management ├── out/ # 💾 Session data storage ├── install.sh # ⚙️ Installation script ├── uninstall.sh # 🗑️ Uninstallation script ├── README.md # 📚 This documentation └── CHEAT_SHEET.md # ⚡ Quick reference

Session Manager (src/log_manager.py)
- Automatic session creation with timestamps
- Empty session cleanup
- Session listing and selection
DataLoader (src/data_loader.py)
- CSV data loading and validation
- Connection string creation
- Data integrity checks
DataFilter (src/data_filter.py)
- Method chaining for complex filters
- PID, address, port, CWND range filtering
- Time-based and connection-based filtering
ChartGenerator (src/visualizer.py)
- Timeline plots with high-contrast colors
- Connection analysis charts
- Activity heatmaps
- Interactive HTML charts
ReportGenerator (src/reporter.py)
- Comprehensive analysis reports
- Multiple output formats (text, JSON, HTML)
- Performance metrics calculation