the TCPdump network dissector
C C++ Shell Makefile Awk Perl
Latest commit 49b23c5 Jan 18, 2017 @guyharris guyharris committed on GitHub Merge pull request #500 from atsampson/master
Don't drop CAP_SYS_CHROOT before chrooting.
Permalink
Failed to load latest commit information.
lbl Do case-insensitive comparisons assuming ASCII strings. Jun 11, 2015
missing Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
tests Implement IANA OUI and LLDP MUD option Dec 31, 2016
win32 Update Visual Studio files. Sep 18, 2015
.gitattributes gitattributes: Update the attributes for tests/*.out Feb 21, 2015
.gitignore add libnetdissect.a to .gitignore Jan 2, 2014
.travis-coverity-scan-build.sh Coverity: Build script: Update the upload URL for the framework change Oct 30, 2015
.travis.yml Travis: Fold the 'configure' and 'make install' outputs Sep 7, 2016
CHANGES Use the word 'invalid' for 'malformed' or 'corrupted' packets Sep 6, 2015
CONTRIBUTING Just fixes a few typos and grammatical issues: Apr 26, 2016
CREDITS amend CREDITS Sep 30, 2016
INSTALL.txt Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
LICENSE added license file Oct 9, 2000
Makefile-devel-adds The configure script depends on aclocal.m4. May 12, 2013
Makefile.in Add a target in Makefile.in for Exuberant Ctags use Oct 21, 2016
PLATFORMS Delete trailing spaces/tabs Jun 4, 2015
README add a convenience symlink for README Jan 2, 2014
README.md update the ITA URL in README Mar 24, 2014
Readme.Win32 Added a readme that explains how to compile tcpdump under Win32. Aug 9, 2002
VERSION bumped version Jul 21, 2016
aclocal.m4 Compile with '-Wpedantic' in devel mode instead of '-pedantic' Nov 1, 2016
addrtoname.c Improve code readability: A pointer should not be compared to zero Aug 25, 2016
addrtoname.h Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
addrtostr.c Do the addrtostr6() bounds checking while we're generating the string. Aug 8, 2016
addrtostr.h Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
af.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
af.h Fix up some comments. Sep 15, 2016
ah.h More fixes for uint8_t being shorter than u_int8_t. Apr 23, 2014
appletalk.h More fixes for uint8_t being shorter than u_int8_t. Apr 23, 2014
ascii_strcasecmp.c Use hex constants so compilers don't whine about negative initializers. Sep 17, 2015
ascii_strcasecmp.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
atime.awk Initial revision Oct 7, 1999
atm.h remove tcpdump's own CVS keywords Jan 2, 2014
bpf_dump.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
chdlc.h remove tcpdump's own CVS keywords Jan 2, 2014
checksum.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
config.guess Update config.{sub,guess}, timestamp='2015-02-2[23]' Mar 1, 2015
config.h.in Handle OpenSSL 1.1.x. Jun 23, 2016
config.sub Update config.{sub,guess}, timestamp='2015-02-2[23]' Mar 1, 2015
configure Compile with '-Wpedantic' in devel mode instead of '-pedantic' Nov 1, 2016
configure.in Allow building with libcrypto not in the default directory. Jul 14, 2016
cpack.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' Sep 10, 2015
cpack.h Fix a bunch of de-constifications. Apr 27, 2015
ether.h The last 2 bytes of an Ethernet header are the "length/type field". Dec 17, 2015
ethertype.h Add support for the Marvell Extended Distributed Switch Architecture … Apr 25, 2015
extract.h Remove unnecessary backslashes Aug 29, 2016
getopt_long.h delete trailing spaces/tabs May 12, 2014
gmpls.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
gmpls.h remove tcpdump's own CVS keywords Jan 2, 2014
gmt2local.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' Sep 10, 2015
gmt2local.h remove tcpdump's own CVS keywords Jan 2, 2014
in_cksum.c Use uintptr_t to look at the bits of a pointer. Dec 15, 2015
install-sh delete trailing spaces/tabs May 12, 2014
interface.h Move some code around. Aug 4, 2016
ip.h Use the nd_uintN_t types more. Oct 7, 2015
ip6.h Don't overwrite the destination IPv6 address for routing headers. Feb 13, 2016
ipproto.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
ipproto.h remove tcpdump's own CVS keywords Jan 2, 2014
l2vpn.c Update to match the registry. Oct 9, 2016
l2vpn.h Support two separate layer 2 type registries. Oct 8, 2016
llc.h remove tcpdump's own CVS keywords Jan 2, 2014
machdep.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' Sep 10, 2015
machdep.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
makemib delete trailing spaces/tabs May 12, 2014
mib.h Declare some variables as static Sep 11, 2016
mkdep mkdep: It uses now the build environment PATH Jan 18, 2015
mpls.h remove tcpdump's own CVS keywords Jan 2, 2014
nameser.h refine use of nameser.h Jul 13, 2015
netdissect-stdinc.h Fix a file mode Sep 26, 2016
netdissect.c Use strlcpy(), rather than snprintf(), to avoid null format string wa… Aug 6, 2016
netdissect.h Move more libsmi stuff to netdissect.c. Aug 4, 2016
nfs.h More getting rid of old u_intN_t. Apr 23, 2014
nfsfh.h More getting rid of old u_intN_t. Apr 23, 2014
nlpid.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
nlpid.h remove tcpdump's own CVS keywords Jan 2, 2014
openflow.h OpenFlow: add vendor name printing Dec 13, 2014
ospf.h More getting rid of old u_intN_t. Apr 23, 2014
oui.c Clean up white space. Jan 14, 2017
oui.h Clean up indentation. Jan 14, 2017
packetdat.awk Initial revision Oct 7, 1999
parsenfsfh.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015
pcap-missing.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
pcap_dump_ftell.c remove tcpdump's own CVS keywords Jan 2, 2014
ppp.h remove tcpdump's own CVS keywords Jan 2, 2014
print-802_11.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-802_15_4.c Add a summary comment in all other printers Aug 15, 2016
print-ah.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ahcp.c Add a summary comment in all other printers Aug 15, 2016
print-aodv.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-aoe.c Add a summary comment in all other printers Aug 15, 2016
print-ap1394.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-arcnet.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-arp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ascii.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-atalk.c Add a summary comment in all other printers Aug 15, 2016
print-atm.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-babel.c Add a summary comment in all other printers Aug 15, 2016
print-beep.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-bfd.c BFD: Update to print optional authentication field Aug 17, 2016
print-bgp.c BGP: Update LARGE_COMMUNITY Path Attribute early allocation IANA value Oct 27, 2016
print-bootp.c Updated print-bootp.c with corrected options for TZ and added option … Dec 8, 2016
print-bt.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-calm-fast.c Add a summary comment in all other printers Aug 15, 2016
print-carp.c Add a summary comment in all other printers Aug 15, 2016
print-cdp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-cfm.c Declare some variables as static Sep 11, 2016
print-chdlc.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-cip.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-cnfp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-dccp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-decnet.c make minor cleanups to print-decnet.c Oct 7, 2016
print-dhcp6.c Don't cast away constness. Jan 14, 2017
print-domain.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-dtp.c Add a summary comment in all other printers Aug 15, 2016
print-dvmrp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-eap.c Fix used but marked unused parameters Aug 18, 2016
print-egp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-eigrp.c Add a summary comment in all other printers Aug 15, 2016
print-enc.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-esp.c Don't use OpenSSL_add_all_algorithms() in OpenSSL 1.1.0 or later. Jan 18, 2017
print-ether.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-fddi.c Declare some variables as static Sep 11, 2016
print-forces.c fix alignment issues with GCC on Solaris 10 SPARC Oct 9, 2016
print-fr.c Clean up "invalid IE" messages. Sep 24, 2016
print-frag6.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ftp.c Add a summary comment in all other printers Aug 15, 2016
print-geneve.c Add a summary comment in all other printers Aug 15, 2016
print-geonet.c Add a summary comment in all other printers Aug 15, 2016
print-gre.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-hncp.c Further IPv4-mapped IPv6 address cleanups. Oct 30, 2016
print-hsrp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-http.c Add a summary comment in all other printers Aug 15, 2016
print-icmp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-icmp6.c fix alignment issues with GCC on Solaris 10 SPARC Oct 9, 2016
print-igmp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-igrp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ip.c Clean up the switch statement for the ToS. Dec 10, 2016
print-ip6.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ip6opts.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ipcomp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ipfc.c Add a summary comment in all other printers Aug 15, 2016
print-ipnet.c Add a summary comment in all other printers Aug 15, 2016
print-ipx.c Add a summary comment in all other printers Aug 15, 2016
print-isakmp.c Declare some variables as static Sep 11, 2016
print-isoclns.c Avoid reinventing ND_TCHECK or ND_TCHECK2 Sep 24, 2016
print-juniper.c initialize a structure in print-juniper.c Oct 8, 2016
print-krb.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-l2tp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-lane.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ldp.c Fix some names for MPLS PW types, and use that table for LDP. Oct 9, 2016
print-lisp.c Add a summary comment in all other printers Aug 15, 2016
print-llc.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-lldp.c Clean up white space. Jan 14, 2017
print-lmp.c Remove unnecessary semicolons Aug 29, 2016
print-loopback.c Add a summary comment in all other printers Aug 15, 2016
print-lspping.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-lwapp.c Add a summary comment in all other printers Aug 15, 2016
print-lwres.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-m3ua.c Add a summary comment in all other printers Aug 15, 2016
print-medsa.c Add a summary comment in all other printers Aug 15, 2016
print-mobile.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-mobility.c IPv6 mobility: Fix printing of 'truncated' string Oct 9, 2016
print-mpcp.c Add a summary comment in all other printers Aug 15, 2016
print-mpls.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-mptcp.c Add a summary comment in all other printers Aug 15, 2016
print-msdp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-msnlb.c Add a summary comment in all other printers Aug 15, 2016
print-nflog.c Add a summary comment in all other printers Aug 15, 2016
print-nfs.c Declare some variables as static Sep 11, 2016
print-nsh.c Add a summary comment in all other printers Aug 15, 2016
print-ntp.c Add a summary comment in all other printers Aug 15, 2016
print-null.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-olsr.c Add a summary comment in all other printers Aug 15, 2016
print-openflow-1.0.c Add a summary comment in all other printers Aug 15, 2016
print-openflow.c Add a summary comment in all other printers Aug 15, 2016
print-ospf.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ospf6.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-otv.c Add a summary comment in all other printers Aug 15, 2016
print-pflog.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-pgm.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-pim.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-pktap.c PKTAP,PPI: Fix printing NULL string pointers Oct 13, 2016
print-ppi.c PKTAP,PPI: Fix printing NULL string pointers Oct 13, 2016
print-ppp.c PPP: check PAP AREQ length too, see commit 32118c6 Oct 25, 2016
print-pppoe.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-pptp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-radius.c Declare some variables as static Sep 11, 2016
print-raw.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-resp.c Remove NETDISSECT_REWORKED macro Sep 1, 2016
print-rip.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-ripng.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-rpki-rtr.c RPKI-RTR: Remove printing when truncated condition already detected Aug 18, 2016
print-rrcp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-rsvp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-rt6.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-rtsp.c Add a summary comment in all other printers Aug 15, 2016
print-rx.c Remove unnecessary semicolons Aug 29, 2016
print-sctp.c Remove parenthesis following immediately a #if Sep 1, 2016
print-sflow.c Add a summary comment in all other printers Aug 15, 2016
print-sip.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-sl.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-sll.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-slow.c Declare some variables as static Sep 11, 2016
print-smb.c Declare some variables as static Sep 11, 2016
print-smtp.c Add a summary comment in all other printers Aug 15, 2016
print-snmp.c Declare some variables as static Sep 11, 2016
print-stp.c Add a summary comment in all other printers Aug 15, 2016
print-sunatm.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-sunrpc.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-symantec.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-syslog.c Add a summary comment in all other printers Aug 15, 2016
print-tcp.c TCP: put TCP-AO option decoding right Nov 1, 2016
print-telnet.c Telnet: Add a bounds check Oct 12, 2016
print-tftp.c Add a summary comment in all other printers Aug 15, 2016
print-timed.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-tipc.c Add a summary comment in all other printers Aug 15, 2016
print-token.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-udld.c Add a summary comment in all other printers Aug 15, 2016
print-udp.c Fetch RTP option and extension data using EXTRACT_32BITS(). Jan 14, 2017
print-usb.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-vjc.c Add a summary comment in all other printers Aug 15, 2016
print-vqp.c Add a summary comment in all other printers Aug 15, 2016
print-vrrp.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-vtp.c VTP: Add a test on Mgmt Domain Name length Sep 12, 2016
print-vxlan-gpe.c Add a summary comment in all other printers Aug 15, 2016
print-vxlan.c Add a summary comment in all other printers Aug 15, 2016
print-wb.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-zephyr.c Move the printer summaries from INSTALL.txt to each printer Aug 14, 2016
print-zeromq.c Add a summary comment in all other printers Aug 15, 2016
print.c Fix NDOization Oct 21, 2016
print.h Eliminate some remaining uses of u_int32_t. Sep 18, 2015
rpc_auth.h More getting rid of old u_intN_t. Apr 23, 2014
rpc_msg.h More getting rid of old u_intN_t. Apr 23, 2014
rpl.h Fix warnings as "comma at end of enumerator list" Aug 19, 2015
send-ack.awk Initial revision Oct 7, 1999
setsignal.c Rename 'tcpdump-stdinc.h' to 'netdissect-stdinc.h' Sep 10, 2015
setsignal.h remove tcpdump's own CVS keywords Jan 2, 2014
signature.c Get rid of last uses of/mentions of u_intN_t. Oct 6, 2016
signature.h Have signature_verify() do the copying and clearing. Dec 28, 2015
slcompress.h remove tcpdump's own CVS keywords Jan 2, 2014
smb.h Fix a bunch of de-constifications. Apr 27, 2015
smbutil.c Rename print_data() to smb_print_data() Sep 18, 2015
stime.awk Initial revision Oct 7, 1999
strtoaddr.c Get rid of last uses of/mentions of u_intN_t. Oct 6, 2016
strtoaddr.h Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
tcp.h TCP: put TCP-AO option decoding right Nov 1, 2016
tcpdump.1.in Note that interfaces may have numerical names. Aug 9, 2016
tcpdump.c Merge pull request #500 from atsampson/master Jan 18, 2017
timeval-operations.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
udp.h BFD: Update to print optional authentication field Aug 17, 2016
util-print.c Squelch a signed array subscript warning. Aug 7, 2016
vfprintf.c libnetdissect code must include 'netdissect.h', not 'interface.h' Sep 11, 2015

README.md

tcpdump

Build
Status

TCPDUMP 4.x.y
Now maintained by "The Tcpdump Group"
See www.tcpdump.org

Please send inquiries/comments/reports to:

Anonymous Git is available via:

git clone git://bpf.tcpdump.org/tcpdump

Please submit patches by forking the branch on GitHub at:

and issuing a pull request.

formerly from Lawrence Berkeley National Laboratory
Network Research Group tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition. This software was originally developed by the Network Research Group at the Lawrence Berkeley National Laboratory. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. More recent development is performed at tcpdump.org, http://www.tcpdump.org/

Tcpdump uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also originally from LBL and now being maintained by tcpdump.org; see http://www.tcpdump.org/ .

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the INSTALL.txt file.

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve tcp and internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To insure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the CHANGES file). We are grateful for all the input.

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Some tools for viewing and analyzing tcpdump trace files are available from the Internet Traffic Archive:

Another tool that tcpdump users might find useful is tcpslice:

It is a program that can be used to extract portions of tcpdump binary trace files. See the above distribution for further details and documentation.

Problems, bugs, questions, desirable enhancements, etc. should be sent to the address "tcpdump-workers@lists.tcpdump.org". Bugs, support requests, and feature requests may also be submitted on the GitHub issue tracker for tcpdump at:

Source code contributions, etc. should be sent to the email address above or submitted by forking the branch on GitHub at:

and issuing a pull request.

Current versions can be found at www.tcpdump.org.

  • The TCPdump team

original text by: Steve McCanne, Craig Leres, Van Jacobson


This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
    Simplifies the tcpdump trace for an ftp (or other unidirectional
    tcp transfer).  Since we assume that one host only sends and
    the other only acks, all address information is left off and
    we just note if the packet is a "send" or an "ack".

    There is one output line per line of the original trace.
    Field 1 is the packet time in decimal seconds, relative
    to the start of the conversation.  Field 2 is delta-time
    from last packet.  Field 3 is packet type/direction.
    "Send" means data going from sender to receiver, "ack"
    means an ack going from the receiver to the sender.  A
    preceding "*" indicates that the data is a retransmission.
    A preceding "-" indicates a hole in the sequence space
    (i.e., missing packet(s)), a "#" means an odd-size (not max
    seg size) packet.  Field 4 has the packet flags
    (same format as raw trace).  Field 5 is the sequence
    number (start seq. num for sender, next expected seq number
    for acks).  The number in parens following an ack is
    the delta-time from the first send of the packet to the
    ack.  A number in parens following a send is the
    delta-time from the first send of the packet to the
    current send (on duplicate packets only).  Duplicate
    sends or acks have a number in square brackets showing
    the number of duplicates so far.

    Here is a short sample from near the start of an ftp:
        3.00    0.20   send . 512
        3.20    0.20    ack . 1024  (0.20)
        3.20    0.00   send P 1024
        3.40    0.20    ack . 1536  (0.20)
        3.80    0.40 * send . 0  (3.80) [2]
        3.82    0.02 *  ack . 1536  (0.62) [2]
    Three seconds into the conversation, bytes 512 through 1023
    were sent.  200ms later they were acked.  Shortly thereafter
    bytes 1024-1535 were sent and again acked after 200ms.
    Then, for no apparent reason, 0-511 is retransmitted, 3.8
    seconds after its initial send (the round trip time for this
    ftp was 1sec, +-500ms).  Since the receiver is expecting
    1536, 1536 is re-acked when 0 arrives.

packetdat.awk
    Computes chunk summary data for an ftp (or similar
    unidirectional tcp transfer). [A "chunk" refers to
    a chunk of the sequence space -- essentially the packet
    sequence number divided by the max segment size.]

    A summary line is printed showing the number of chunks,
    the number of packets it took to send that many chunks
    (if there are no lost or duplicated packets, the number
    of packets should equal the number of chunks) and the
    number of acks.

    Following the summary line is one line of information
    per chunk.  The line contains eight fields:
       1 - the chunk number
       2 - the start sequence number for this chunk
       3 - time of first send
       4 - time of last send
       5 - time of first ack
       6 - time of last ack
       7 - number of times chunk was sent
       8 - number of times chunk was acked
    (all times are in decimal seconds, relative to the start
    of the conversation.)

    As an example, here is the first part of the output for
    an ftp trace:

    # 134 chunks.  536 packets sent.  508 acks.
    1       1       0.00    5.80    0.20    0.20    4       1
    2       513     0.28    6.20    0.40    0.40    4       1
    3       1025    1.16    6.32    1.20    1.20    4       1
    4       1561    1.86    15.00   2.00    2.00    6       1
    5       2049    2.16    15.44   2.20    2.20    5       1
    6       2585    2.64    16.44   2.80    2.80    5       1
    7       3073    3.00    16.66   3.20    3.20    4       1
    8       3609    3.20    17.24   3.40    5.82    4       11
    9       4097    6.02    6.58    6.20    6.80    2       5

    This says that 134 chunks were transferred (about 70K
    since the average packet size was 512 bytes).  It took
    536 packets to transfer the data (i.e., on the average
    each chunk was transmitted four times).  Looking at,
    say, chunk 4, we see it represents the 512 bytes of
    sequence space from 1561 to 2048.  It was first sent
    1.86 seconds into the conversation.  It was last
    sent 15 seconds into the conversation and was sent
    a total of 6 times (i.e., it was retransmitted every
    2 seconds on the average).  It was acked once, 140ms
    after it first arrived.

stime.awk
atime.awk
    Output one line per send or ack, respectively, in the form
        <time> <seq. number>
    where <time> is the time in seconds since the start of the
    transfer and <seq. number> is the sequence number being sent
    or acked.  I typically plot this data looking for suspicious
    patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".