The following is a demonstration of the tcpwdist.d script.


Here the tcpwdist.d script is run for a few seconds, then Ctrl-C is hit:

   # tcpwdist.d
   Tracing... Hit Ctrl-C to end.
   ^C
    PID: 15300  CMD: finger @mars\0
   
              value  ------------- Distribution ------------- count
                 -1 |                                         0
                  0 |@@@@@@@@@@@@@@@@@@@@                     1
                  1 |                                         0
                  2 |@@@@@@@@@@@@@@@@@@@@                     1
                  4 |                                         0
   
    PID: 4967   CMD: /usr/lib/ssh/sshd\0
   
              value  ------------- Distribution ------------- count
                 16 |                                         0
                 32 |@@@@@@@@@@@@@@@@@@@@                     1
                 64 |@@@@@@@@@@@@@@@@@@@@                     1
                128 |                                         0
   
    PID: 9172   CMD: /usr/lib/ssh/sshd\0
   
              value  ------------- Distribution ------------- count
                 16 |                                         0
                 32 |@@@@@@@@                                 4
                 64 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@            14
                128 |                                         0
                256 |                                         0
                512 |@@                                       1
               1024 |                                         0
   
    PID: 15301  CMD: rcp 1Mb.gz mars:/tmp\0
   
              value  ------------- Distribution ------------- count
                  0 |                                         0
                  1 |@                                        2
                  2 |@                                        1
                  4 |                                         0
                  8 |@                                        2
                 16 |@                                        2
                 32 |                                         0
                 64 |                                         0
                128 |                                         0
                256 |                                         0
                512 |                                         0
               1024 |                                         0
               2048 |                                         0
               4096 |                                         0
               8192 |                                         0
              16384 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     64
              32768 |                                         0

In the above output we can see the "rcp" command dominates, sending 
large writes (16 to 31 Kb) 64 times. The "sshd" ssh daemons each sent
several smaller writes, from 32 to 127 bytes - which corresponds to 
command line activity (e.g., screen width of 80 bytes). The finger command
sent 2 bytes once, and zero data bytes once.

These values are the TCP write payload sizes.

The writes from the "rcp" command seem unusual at over 16 Kb each, when
this is an Ethernet network with an MTU of 1500 bytes. The reason is that
at this point the data has not yet been broken down into MTU-sized packets,
so we are looking at the application's behaviour as it writes to TCP.
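
The bucket reading used above (a row labelled 16384 covers writes of 16384 to 32767 bytes) can be applied mechanically to saved output, which helps when many processes are listed and the bulk sender has to be picked out. The following Python is an added example, not part of the DTraceToolkit; the names summarize and bucket_range and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the shape of the tcpwdist.d output above.
SAMPLE = r"""
 PID: 4967   CMD: /usr/lib/ssh/sshd\0

           value  ------------- Distribution ------------- count
              32 |@@@@@@@@@@@@@@@@@@@@                     1
              64 |@@@@@@@@@@@@@@@@@@@@                     1
             128 |                                         0

 PID: 15301  CMD: rcp 1Mb.gz mars:/tmp\0

           value  ------------- Distribution ------------- count
               1 |@                                        2
              16 |@                                        2
           16384 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     64
           32768 |                                         0
"""

HEADER = re.compile(r"^\s*PID:\s*(\d+)\s+CMD:\s*(.*?)(?:\\0)?\s*$")
ROW = re.compile(r"^\s*(-?\d+)\s*\|@*\s*(\d+)\s*$")

def bucket_range(value):
    """Inclusive byte range of a power-of-two row, e.g. 16384 -> 16384..32767."""
    # Write sizes are never negative; the -1 row only appears as an empty frame.
    return (value, 2 * value - 1) if value > 0 else (0, 0)

def summarize(text):
    """Return one summary dict per PID/CMD block, largest sender first."""
    procs, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"pid": int(m[1]), "cmd": m[2], "writes": 0,
                   "min_bytes": 0, "max_bytes": 0, "largest": None}
            procs.append(cur)
        elif cur is not None and (m := ROW.match(line)):
            value, count = int(m[1]), int(m[2])
            if count:                        # empty rows only frame the plot
                lo, hi = bucket_range(value)
                cur["writes"] += count
                cur["min_bytes"] += lo * count   # every write at bucket floor
                cur["max_bytes"] += hi * count   # every write at bucket ceiling
                cur["largest"] = (lo, hi)        # rows print in ascending order
    return sorted(procs, key=lambda p: p["min_bytes"], reverse=True)

if __name__ == "__main__":
    for p in summarize(SAMPLE):
        print(p)
```

Because each row is a range, the totals are bounds rather than exact byte counts: min_bytes assumes every write was at the bottom of its bucket and max_bytes at the top.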