Getting Started with DICOM : Tutorial 2

Tutorial Number 2: Using tcpdump and Ethereal with DICOM.

Author: Ron Sweeney, 12/10/2004

References: tcpdump ( http://www.tcpdump.org )

Ethereal ( http://www.ethereal.com )

David Clunie ( http://www.dclunie.com )

If there are any errors in this tutorial, please send them to ron.sweeney@gmail.com.


Getting down and dirty with DICOM on the wire is the fastest way to spot problems between modalities and systems, and it is an education in DICOM communications in its own right. When you are troubleshooting a connection, nothing beats a raw look at what is actually on the network, whatever the shells and GUIs are telling you. tcpdump and Ethereal give you that visibility. Keep in mind that the same visibility is available to anyone else on the path: a plain DICOM association carries its AE titles, the negotiated SOP classes and the image data itself in the clear, which is why the large transfer later in this tutorial is tunnelled through ssh.

This tutorial is split into two parts. Part One is a simple look at using tcpdump, and at patching it to become DICOM "aware." Part Two looks at the industry-standard Open Source network analysis tool, Ethereal.

Part One: Meet tcpdump and modify it to your needs.

In its simplest form, you can just type tcpdump at a shell prompt on most Linux or BSD based systems (as root, or with whatever capture privilege your system grants) and it will start spewing traffic onto the screen. For the purposes of this tutorial we are going to look at simple DICOM transactions and at how you can see what is going on through the use of tcpdump. But first, let's get tcpdump and patch it with David Clunie's magic ( http://www.dclunie.com/dicom-tcpdump/ ) to make it "dicom aware." The patch teaches tcpdump to decode the DICOM upper-layer PDUs, so associations and data transfers are printed by name instead of as opaque TCP payload.

Below, we are going to:

  1. Grab the software

  2. Grab David's patch for the software

  3. patch the software

  4. build and install it

Easy money right? Woot!

On to actually using it...

Now I want to show you some very basic functionality of tcpdump.

Get some quick background on network sniffing before you start, but it should go without saying that tcpdump has to be running somewhere it can actually see the packets: on a hub sitting between the two devices you want to watch, or on a switch port configured as a SPAN (mirror) port that copies the traffic between them to the port you are sniffing on. On a switched network without a mirror port you will only see your own traffic and broadcasts.

As an example, let's say we want to sniff the traffic from Paul Nagy and Michael Warnock's example from Tutorial #1.

1. Set up a listener on one host (192.168.23.3):

2. Get tcpdump set up between the hosts:

The following command line will give us all TCP traffic between the hosts 192.168.23.3 and 10.101.0.3.

3. Send something to it from another host (10.101.0.3):

4. Check out the network dump

The dump on the left is our "patched" version of tcpdump showing the output. We captured the entire conversation of the FreeBSD laptop, 10.101.0.3, sending images to the (inferior) Microsoft Windows DICOM listener, 192.168.23.3. In case you were wondering what you would see without the patch, I ran the unpatched version concurrently; its output is on the right.

As you can see, there is plenty of information about the transfer of the images to the receiving host. You can clearly see the TCP responses, AE titles, ports, SOP Class information, SCP and SCU roles, and even header information from the data sets themselves. Note that none of this is authenticated: an AE title is a 16-character string the calling side simply asserts, so a capture tells you what each host claimed, which is exactly what you need for troubleshooting but is no proof of who was on the other end.
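What the patched tcpdump is doing is decoding the DICOM upper-layer PDUs carried inside the TCP stream. The following Python is an added example, not part of this tutorial or of David Clunie's patch, that builds and then decodes an A-ASSOCIATE-RQ (the first PDU the SCU sends once the TCP connection is up) and pulls out the same fields discussed above: called and calling AE titles, the proposed SOP class and transfer syntaxes, the maximum PDU length and the SCP/SCU role selection. The PDU layout follows DICOM PS3.8; the AE titles, UIDs and the sample PDU itself are constructed for the example rather than taken from the tutorial's capture, and the function names are the example's own. On a real capture (for the tutorial's host pair, something like the tcpdump filter `tcp and host 192.168.23.3 and host 10.101.0.3`, written to a file with `-w`), the bytes to feed in are the start of the SCU's TCP payload.

```python
"""Decode a DICOM A-ASSOCIATE-RQ PDU: the association request that carries the
AE titles, SOP classes, transfer syntaxes and SCP/SCU roles a DICOM-aware
sniffer prints.

Added example, not code from the tutorial or from the dicom-tcpdump patch.
Layout per DICOM PS3.8; the sample PDU at the bottom is constructed here."""
import struct

DICOM_APP_CONTEXT = "1.2.840.10008.3.1.1.1"


def _item(item_type, payload):
    # Every variable item is: type(1) reserved(1) length(2, big-endian) payload
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae, contexts, roles=(), max_pdu=16384):
    """Build an A-ASSOCIATE-RQ.

    contexts: [(ctx_id, abstract_syntax_uid, [transfer_syntax_uids])]
    roles:    [(sop_class_uid, scu_role, scp_role)] role-selection sub-items"""
    if len(called_ae) > 16 or len(calling_ae) > 16:
        raise ValueError("AE titles are at most 16 characters")
    body = struct.pack(">HH", 1, 0)                       # protocol version 1, reserved
    body += called_ae.ljust(16).encode("ascii")           # space padded, 16 bytes each
    body += calling_ae.ljust(16).encode("ascii")
    body += b"\x00" * 32                                  # reserved
    body += _item(0x10, DICOM_APP_CONTEXT.encode("ascii"))
    for ctx_id, abstract, transfers in contexts:          # presentation contexts
        sub = _item(0x30, abstract.encode("ascii"))
        for ts in transfers:
            sub += _item(0x40, ts.encode("ascii"))
        body += _item(0x20, struct.pack(">BBBB", ctx_id, 0, 0, 0) + sub)
    user = _item(0x51, struct.pack(">I", max_pdu))        # maximum PDU length sub-item
    for uid, scu, scp in roles:                           # SCP/SCU role selection
        u = uid.encode("ascii")
        user += _item(0x54, struct.pack(">H", len(u)) + u + bytes([scu, scp]))
    body += _item(0x50, user)                             # user information item
    return struct.pack(">BBI", 0x01, 0, len(body)) + body  # PDU type 0x01 + length


def _items(buf):
    """Yield (type, payload) for each variable item in buf."""
    pos = 0
    while pos + 4 <= len(buf):
        t, _, n = struct.unpack_from(">BBH", buf, pos)
        yield t, buf[pos + 4:pos + 4 + n]
        pos += 4 + n


def decode_associate_rq(pdu):
    """Return the fields worth looking at when pointing fingers at a vendor."""
    pdu_type, _, length = struct.unpack_from(">BBI", pdu, 0)
    if pdu_type != 0x01 or len(pdu) != 6 + length:
        raise ValueError("not a complete A-ASSOCIATE-RQ PDU")
    out = {
        "called_ae": pdu[10:26].decode("ascii").rstrip(),
        "calling_ae": pdu[26:42].decode("ascii").rstrip(),
        "contexts": [], "roles": [], "max_pdu": None,
    }
    for t, payload in _items(pdu[74:]):                   # items start after the 32 reserved bytes
        if t == 0x20:                                     # presentation context
            ctx = {"id": payload[0], "abstract": None, "transfer": []}
            for st, sp in _items(payload[4:]):
                if st == 0x30:
                    ctx["abstract"] = sp.decode("ascii")
                elif st == 0x40:
                    ctx["transfer"].append(sp.decode("ascii"))
            out["contexts"].append(ctx)
        elif t == 0x50:                                   # user information
            for st, sp in _items(payload):
                if st == 0x51:
                    out["max_pdu"] = struct.unpack(">I", sp)[0]
                elif st == 0x54:
                    n = struct.unpack_from(">H", sp)[0]
                    out["roles"].append((sp[2:2 + n].decode("ascii"), sp[2 + n], sp[3 + n]))
    return out


# Constructed sample: a CT image store like the tutorial's laptop-to-listener send.
CT_STORAGE = "1.2.840.10008.5.1.4.1.1.2"     # CT Image Storage SOP class
IVR_LE = "1.2.840.10008.1.2"                 # Implicit VR Little Endian transfer syntax
SAMPLE_PDU = build_associate_rq("LISTENER", "FREEBSD_SCU",
                                [(1, CT_STORAGE, [IVR_LE])],
                                roles=[(CT_STORAGE, 1, 0)])

if __name__ == "__main__":
    for key, value in decode_associate_rq(SAMPLE_PDU).items():
        print(f"{key}: {value}")
```

The decoder deliberately checks the PDU length against the bytes it was handed and refuses a short one; on a live capture the request can straddle TCP segments, so reassemble the stream before decoding rather than feeding it individual packets.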

Finally, a way to point the finger at a single vendor, instead of the vendors pointing fingers at each other over connectivity issues!

Part Two: Using Ethereal to analyze DICOM

Ethereal has become a staple Open Source network analysis tool (it was renamed Wireshark in 2006, and everything below still applies there). It is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education, and it runs on all popular computing platforms, including Unix, Linux, and Windows.

I am going to quickly show you how to use Ethereal to take a peek at your DICOM transactions, and how to use it to gauge the performance of your PACS.

First, go out and get it at http://www.ethereal.com .

Let's open the application, and capture the same transaction we sent in the first example for tcpdump.

Open Ethereal and add a capture filter for the two hosts, then check "update packets in real time" and "automatic scrolling in live capture."

Select start capture and send the same image as in the previous example. Once we have the full dump we can search the packets for strings, analyze packet order, follow the TCP stream, and so on.

The real value-add in Ethereal is the time-sequence graphs for TCP connections. Select a packet from the DICOM transaction you are interested in from the summary window, then select Tools->TCP Stream Analysis and pick one of the graphs. I find that the tcptrace-style graph produces the most useful information.

Here is an example from a trace I took from our previous capture:

This graph shows the DICOM send to the node 192.168.23.3. The transmissions I highlighted were from the SCP back to the SCU. Every one of those horizontal lines is a period where the sequence number did not advance, typically because the host was busy processing and handling what it had received. Sequence numbers (bytes) run up the left-hand side and time runs along the bottom, so you can read the total time of the transaction off the bottom axis and see exactly where the stalls are. What you are seeing in this graph is an association time of about 4.5 seconds and a release of about 1.5 seconds.

Take a look at the following graph. This was a transfer of a 100MB CT study over a wireless connection, tunnelled through ssh. What you want to see in the graphs you generate for large transfers is that the sequence number climbs steadily with time. It would be a problem if the transfer looked like a staircase with horizontal stalls: that is a sign that the receive window is not large enough, so the window fills up and the sender has to stop and wait for an acknowledgement before it can send any more. (A staircase can also come from the receiving application simply not reading its socket, or from packet loss and retransmission, so check the advertised window and look for retransmissions before blaming the window size.) The case in the graph below looks pretty good, considering the transport!

Another nice feature is the throughput graph, which shows where in the stream the most data is being transferred. In the throughput graph below you can see an average transfer rate of about 5 Mb/s over the entire 150 second transfer (megabits per second, not megabytes: 100MB in 150 seconds works out to roughly 0.67 MB/s, or about 5.3 Mb/s).
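The two graphs above come down to a few series per direction: sequence number against time for the data, and acknowledgement number plus advertised window against time for the replies. The following Python is an added example, not part of this tutorial or of Ethereal, that does the same analysis numerically over a small constructed trace: it lists every gap where the sequence number stopped advancing, says whether the sender was already blocked on the receiver's window at that moment (the staircase case) or was simply idle (the association and release pauses), and buckets bytes per second the way the throughput graph does. The segment list, timestamps, window size and initial sequence number are made up for the example; on a real capture you would feed it the fields from the two sides of the stream.

```python
"""Stall and throughput analysis for one direction of a TCP stream, the
numeric version of Ethereal's tcptrace-style and throughput graphs.

Added example, not code from the tutorial or from Ethereal. The trace below is
constructed: a sender pushing 1460-byte segments to a receiver that advertises
an 8760-byte window (six segments) and is slow to acknowledge."""


def find_stalls(data_segs, acks, initial_seq, initial_window, min_gap=0.5):
    """Find periods where the sender's sequence number did not advance.

    data_segs: [(time, seq, length)] sent by the sender, in capture order.
    acks:      [(time, ack, window)] sent by the receiver, in capture order.
    Returns [(start, end, window_limited)]. window_limited is True when, at the
    instant the sender went quiet, it had already filled the last window it saw:
    that horizontal line is the receiver's doing, not the sender's application
    pausing between DICOM messages."""
    stalls = []
    last_ack, window = initial_seq, initial_window
    ai = 0
    for i in range(1, len(data_segs)):
        prev_t, prev_seq, prev_len = data_segs[i - 1]
        gap = data_segs[i][0] - prev_t
        if gap < min_gap:
            continue
        # Bring the ack state up to the instant the sender stopped sending.
        while ai < len(acks) and acks[ai][0] <= prev_t:
            _, last_ack, window = acks[ai]
            ai += 1
        in_flight = prev_seq + prev_len - last_ack
        stalls.append((prev_t, data_segs[i][0], in_flight >= window))
    return stalls


def average_throughput(data_segs):
    """Bytes per second over the whole transfer (first send to last send)."""
    total = sum(length for _, _, length in data_segs)
    elapsed = data_segs[-1][0] - data_segs[0][0]
    return total / elapsed if elapsed > 0 else float("inf")


def throughput_buckets(data_segs, interval=1.0):
    """Bytes sent per interval, keyed by bucket index, like the throughput graph."""
    buckets = {}
    for t, _, length in data_segs:
        idx = int(t // interval)
        buckets[idx] = buckets.get(idx, 0) + length
    return buckets


# Constructed trace (seconds, TCP sequence numbers, bytes). The receiver only
# acknowledges after sitting on a full window for half a second; later the
# sender itself pauses for over a second (think association/release handling).
MSS = 1460
SENDER_SEGS = [
    (0.00, 1000, MSS), (0.01, 2460, MSS), (0.02, 3920, MSS),
    (0.03, 5380, MSS), (0.04, 6840, MSS), (0.05, 8300, MSS),   # window now full
    (0.61, 9760, MSS), (0.62, 11220, MSS),                     # resumes after the ACK
    (1.80, 12680, MSS),                                        # sender-side pause
]
RECEIVER_ACKS = [
    (0.60, 9760, 8760),    # late ACK of the first six segments, window 8760
    (0.63, 12680, 8760),
]

if __name__ == "__main__":
    for start, end, limited in find_stalls(SENDER_SEGS, RECEIVER_ACKS, 1000, 8760):
        why = "window full (receiver side)" if limited else "sender idle"
        print(f"stall {start:.2f}s -> {end:.2f}s ({end - start:.2f}s): {why}")
    print(f"average {average_throughput(SENDER_SEGS):.0f} B/s")
    print(throughput_buckets(SENDER_SEGS))
```

Reading the constructed trace the way the graph is read: the first stall (0.05 s to 0.61 s) is a full window waiting on the receiver, the kind of staircase the window-size advice above is about; the second (0.62 s to 1.80 s) starts with only two segments in flight, so it is the sending application going quiet, which is what the association and release pauses in the first graph look like.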

You may think that these features in Ethereal are rudimentary and do not offer the same visibility as commercial products such as EtherPeek. You would be wrong: Ethereal's graphing for quick troubleshooting is not even available in most commercial packages, and you would be hard pressed to find a network engineer without Ethereal in their arsenal of troubleshooting tools.

That's all for tutorial #2. Have fun on the "ether" sniffing that DICOM.