This is a simple tool for checking whether a pcap-format dump file is
complete after the fact i.e. does it contain every packet which flowed
over a link.  It only works if you can see both directions of every
TCP flow, and only provides a lower bound on the drop rate, but it can
be handy for some things.

The basic idea here is fairly simple: if we ever see an
acknowledgement of data which we haven't seen, and we're not in the
first thirty seconds or so of the trace file, we must have dropped a
packet. In that case, we dump the entire flow to a file in the output
directory, and increment a counter.

We don't handle packet re-ordering at all.  If you have out of order
packets in your dump files, the drop rate estimate produced will be
garbage.  Sorry about that.

This tool is supposed to provide a lower bound on the drop rate, and
so anything which looks odd in a TCP connection causes that whole
connection to be marked as anomylous, and then we don't count any more
drops on that connection.  In particular, this means that we only ever
count at most one drop per connection.

There is some provision for ignoring certain connections when we start
running low on memory.  This should only ever cause the estimated drop
rate to be lower than it should be, and so does not make the answer
actually wrong, but may reduce its accuracy somewhat.  The fraction of
packets dropped is given by the bloom rate; be suspicious if this
rises above about 0.01.

To build, just run make all.  To run, just go ./drop_check dump_file_1
dump_file_2 dump_file_3 ... .  You can also run it without arguments,
and put the file names on stdin.
