the TCPdump network dissector
Branch: master
guyharris Merge pull request #813 from fenner/rx-truncated
Don't use nd_ipv4 for non-packet data
Latest commit 35fef08 Dec 3, 2019
Type Name Latest commit message Commit time
.github Update the GitHub issue template Jul 25, 2019
cmake/Modules Remove trailing spaces Aug 16, 2019
lbl Do case-insensitive comparisons assuming ASCII strings. Jun 11, 2015
missing Remove more old-compiler compensation. Aug 9, 2019
tests Fix indentation in "make check" output Nov 27, 2019
win32/prj New ethertype protocol for Arista Networks May 23, 2019
.appveyor.yml Use PCAP_ROOT to tell CMake where to find Npcap or WinPcap. Oct 30, 2019
.gitattributes add a GitHub issue template Feb 2, 2017
.gitignore make check needs to work in build directories Aug 18, 2019
.travis-coverity-scan-build.sh Coverity: Build script: Update the upload URL for the framework change Oct 30, 2015
.travis.yml libdnet has bugs, do not use it. Nov 3, 2019
CHANGES CHANGES: Move a new change at the top of file Jun 7, 2019
CMakeLists.txt The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
CONTRIBUTING Update a URL Aug 23, 2019
CREDITS New ethertype protocol for Arista Networks May 23, 2019
INSTALL.txt Remove the no more used gmt2local() function Aug 7, 2018
LICENSE Remove trailing spaces/tabs May 25, 2018
Makefile-devel-adds Rename configure.in to configure.ac. Nov 30, 2017
Makefile.in The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
PLATFORMS All four BSDs. Jun 18, 2018
README add a convenience symlink for README Jan 2, 2014
README.md Refresh the CI status badges in README.md. Aug 1, 2018
Readme.Win32 Update to current reality. Aug 9, 2019
VERSION Call it 4.10.0-PRE-GIT for now. Feb 5, 2017
aclocal.m4 Use -Wpointer-sign if it's available Jul 13, 2019
addrtoname.c libdnet has bugs, do not use it. Nov 3, 2019
addrtoname.h Add GET_IP{6}ADDR_STRING() macros and get_ip{6}addr_string() functions Aug 12, 2019
addrtostr.c Remove more old-compiler compensation. Aug 9, 2019
addrtostr.h Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
af.c Always include <config.h> rather than "config.h". Jan 21, 2018
af.h Use pcapng as the name of the file format. Jan 9, 2018
ah.h Use nd_ types for AH headers. Dec 14, 2017
appletalk.h Use nd_ types in AppleTalk structures, and add EXTRACT_ calls. Dec 15, 2017
ascii_strcasecmp.c Remove all storage class specifier 'register' Dec 13, 2017
ascii_strcasecmp.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
atime.awk Initial revision Oct 7, 1999
atm.h remove tcpdump's own CVS keywords Jan 2, 2014
bpf_dump.c Always include <config.h> rather than "config.h". Jan 21, 2018
buildem include -Werror in cross-product build Aug 18, 2019
chdlc.h remove tcpdump's own CVS keywords Jan 2, 2014
checksum.c Always include <config.h> rather than "config.h". Jan 21, 2018
cmake_uninstall.cmake.in Add install and uninstall support for CMake. Jan 22, 2018
cmakeconfig.h.in libdnet has bugs, do not use it. Nov 3, 2019
compiler-tests.h Use more HTTPS in URLs Aug 19, 2019
config.guess Update config.{guess,sub}, timestamps 2018-07-06,2018-07-03 Jul 10, 2018
config.h.in libdnet has bugs, do not use it. Nov 3, 2019
config.sub Update config.{guess,sub}, timestamps 2018-07-06,2018-07-03 Jul 10, 2018
configure libdnet has bugs, do not use it. Nov 3, 2019
configure.ac libdnet has bugs, do not use it. Nov 3, 2019
cpack.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
cpack.h Add the ndo parameter to some functions Mar 26, 2019
ethertype.h Use more HTTPS in URLs Aug 19, 2019
extract.h Add GET_CPY_BYTES() macro and get_cpy_bytes() function Sep 9, 2019
funcattrs.h Use more HTTPS in URLs Aug 19, 2019
getservent.h __PATH_SYSROOT is not initally part of __PATH_SERVICES Oct 24, 2017
gmpls.c Always include <config.h> rather than "config.h". Jan 21, 2018
gmpls.h zero change: update Hannes Gredler's email Jul 28, 2017
in_cksum.c Squelch a warning. Dec 11, 2018
install-sh delete trailing spaces/tabs May 12, 2014
interface.h Add nd_{v}snprintf() routines/wrappers. Jan 29, 2018
ip.h Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
ip6.h Use more HTTPS in URLs Aug 19, 2019
ipproto.c Always include <config.h> rather than "config.h". Jan 21, 2018
ipproto.h Make nd_uint8_t and nd_int8_t arrays, to catch direct references. Dec 11, 2017
l2vpn.c Use more HTTPS in URLs Aug 19, 2019
l2vpn.h zero change: update Hannes Gredler's email Jul 28, 2017
llc.h remove tcpdump's own CVS keywords Jan 2, 2014
machdep.c Put back an #endif. Jan 30, 2018
machdep.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
makemib delete trailing spaces/tabs May 12, 2014
mib.h Declare some variables as static Sep 11, 2016
mkdep mkdep: It uses now the build environment PATH Jan 18, 2015
mpls.h remove tcpdump's own CVS keywords Jan 2, 2014
nameser.h Add support for decoding DNS URI RR (typecode 256, RFC7553) Apr 13, 2019
netdissect-alloc.c Include conditionally <config.h> in netdissect-alloc.c Jun 5, 2018
netdissect-alloc.h Add a malloc/free process with garbage collector Mar 14, 2018
netdissect-ctype.h Don't use <ctype.h> macros. Sep 1, 2019
netdissect-stdinc.h We no longer use isascii(), so we don't need to define it with MSVC. Sep 1, 2019
netdissect.c Remove more old-compiler compensation. Aug 9, 2019
netdissect.h The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
nfs.h Get rid of no-longer-used nfsuint64. Jun 23, 2018
nfsfh.h Add the ndo parameter to some functions Mar 26, 2019
nlpid.c Always include <config.h> rather than "config.h". Jan 21, 2018
nlpid.h zero change: update Hannes Gredler's email Jul 28, 2017
openflow.h OpenFlow: add vendor name printing Dec 13, 2014
ospf.h Use nd_ipv4 rather than struct in_addr. Jan 30, 2018
oui.c Resync SMI list against Wireshark May 2, 2018
oui.h Use more HTTPS in URLs Aug 19, 2019
packetdat.awk Initial revision Oct 7, 1999
parsenfsfh.c Don't use <ctype.h> macros. Sep 1, 2019
pcap-missing.h Get rid of "tcpdump" in some libnetdissect codes Sep 8, 2015
ppp.h remove tcpdump's own CVS keywords Jan 2, 2014
print-802_11.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-802_15_4.c Fix spaces Aug 5, 2019
print-ah.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ahcp.c Use nd_print_protocol_caps() to print the protocol name Jun 17, 2019
print-aodv.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-aoe.c CVE-2017-16808/AoE: Add a missing bounds check. Jun 5, 2019
print-ap1394.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-arcnet.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-arista.c Use quoted include netdissect-stdinc.h instead of angle-bracketed one Sep 2, 2019
print-arp.c InfiniBand support for tcpdump. Apr 17, 2019
print-ascii.c Don't use <ctype.h> macros. Sep 1, 2019
print-atalk.c Remove more old-compiler compensation. Aug 9, 2019
print-atm.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-babel.c Babel: Add a missing length check. Oct 28, 2019
print-beep.c Add the ndo_protocol field in the netdissect_options structure Mar 16, 2018
print-bfd.c Add BFD multihop and lag decoding Apr 26, 2019
print-bgp.c Don't run past the end of an MP_REACH_NLRI attribute. Nov 10, 2019
print-bootp.c Use more HTTPS in URLs Aug 19, 2019
print-brcmtag.c Handle switch tags more cleanly. Apr 23, 2019
print-bt.c Remove some unneeded '&' when getting a pointer to a nd_ type Apr 21, 2019
print-calm-fast.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-carp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-cdp.c Squelch more warnings. Apr 18, 2019
print-cfm.c More use of %zu to print sizeof values. Aug 11, 2019
print-chdlc.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-cip.c Add more nd_print_trunc() calls May 10, 2018
print-cnfp.c Use more HTTPS in URLs Aug 19, 2019
print-dccp.c Use nd_print_protocol_caps() to print the protocol name Jun 17, 2019
print-decnet.c libdnet has bugs, do not use it. Nov 3, 2019
print-dhcp6.c DNS: Rename a printer Apr 3, 2019
print-domain.c Use more HTTPS in URLs Aug 19, 2019
print-dsa.c Fix trailing spaces May 23, 2019
print-dtp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-dvmrp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-eap.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-egp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-eigrp.c EIGRP: Use GET_CPY_BYTES to do bounds checking Sep 10, 2019
print-enc.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-esp.c Don't use <ctype.h> macros. Sep 1, 2019
print-ether.c Use more HTTPS in URLs Aug 19, 2019
print-fddi.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-forces.c Clean up rounding up. Nov 11, 2019
print-fr.c FRF.16: Add a length check before the bounds check Oct 28, 2019
print-frag6.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ftp.c Use the ndo->ndo_protocol field instead of the protoname parameter Mar 8, 2019
print-geneve.c Geneve: Add a length check Jun 9, 2019
print-geonet.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-gre.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-hncp.c Clean up rounding up. Nov 11, 2019
print-hsrp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-http.c Use the ndo->ndo_protocol field instead of the protoname parameter Mar 8, 2019
print-icmp.c Remove more old-compiler compensation. Aug 9, 2019
print-icmp6.c Remove more old-compiler compensation. Aug 9, 2019
print-igmp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-igrp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ip-demux.c Fix duplicate IP protocol printing May 3, 2019
print-ip.c raw IP: Assign ndo_protocol in lowercases like in most similar cases Jun 11, 2019
print-ip6.c IPv6: Use GET_CPY_BYTES macro calls to add bounds checks Sep 12, 2019
print-ip6opts.c Add more checks. May 3, 2019
print-ipcomp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ipfc.c Print truncations with nd_print_trunc() instead of tstr[] strings May 4, 2018
print-ipnet.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ipoib.c Use quoted include netdissect-stdinc.h instead of angle-bracketed one Sep 2, 2019
print-ipx.c Remove more old-compiler compensation. Aug 9, 2019
print-isakmp.c Don't use <ctype.h> macros. Sep 1, 2019
print-isoclns.c IS-IS: Use %zu to print sizeof values Nov 9, 2019
print-juniper.c Juniper: Fix an undefined behavior at runtime Jul 25, 2019
print-krb.c Use more HTTPS in URLs Aug 19, 2019
print-l2tp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-lane.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ldp.c LDP: Fix a length check Oct 21, 2019
print-lisp.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-llc.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-lldp.c Remove more old-compiler compensation. Aug 9, 2019
print-lmp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-loopback.c Use more HTTPS in URLs Aug 19, 2019
print-lspping.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-lwapp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-lwres.c Squelch more narrowing warnings. Apr 18, 2019
print-m3ua.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-mobile.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-mobility.c Use more HTTPS in URLs Aug 19, 2019
print-mpcp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-mpls.c Use nd_print_protocol_caps() to print the protocol name Jun 17, 2019
print-mptcp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-msdp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-msnlb.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-nflog.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-nfs.c Clean up rounding up. Nov 11, 2019
print-nsh.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-ntp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-null.c NULL/LOOP: Use GET_HE_U_4() call Apr 28, 2019
print-olsr.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-openflow-1.0.c Remove more old-compiler compensation. Aug 9, 2019
print-openflow.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ospf.c More use of %zu to print sizeof values. Aug 11, 2019
print-ospf6.c OSPFv3: Fix a bounds check Apr 19, 2019
print-otv.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-pflog.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-pgm.c PGM: Fix order when printing PGM_OPT_REDIRECT_FIXED_LEN and opt_len Oct 24, 2019
print-pim.c PIM: Fix some length checks Nov 9, 2019
print-pktap.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ppi.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-ppp.c Use more HTTPS in URLs Aug 19, 2019
print-pppoe.c Don't use <ctype.h> macros. Sep 1, 2019
print-pptp.c Add some needed '&' when using a nd_byte type array struct member ... Jun 7, 2019
print-ptp.c The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
print-radius.c Don't use <ctype.h> macros. Sep 1, 2019
print-raw.c Add the ndo_protocol field in the netdissect_options structure Mar 16, 2018
print-resp.c Use more HTTPS in URLs Aug 19, 2019
print-rip.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-ripng.c Squelch a "const object should be initialized" warning. Apr 18, 2019
print-rpki-rtr.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-rrcp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-rsvp.c add rsvp capability object rfc5063 Sep 19, 2019
print-rt6.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-rtsp.c Use the ndo->ndo_protocol field instead of the protoname parameter Mar 8, 2019
print-rx.c Don't use nd_ipv4 for non-packet data Dec 2, 2019
print-sctp.c Clean up types to squelch narrowing warnings. Apr 18, 2019
print-sflow.c Use more HTTPS in URLs Aug 19, 2019
print-sip.c Use the ndo->ndo_protocol field instead of the protoname parameter Mar 8, 2019
print-sl.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-sll.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-slow.c More use of %zu to print sizeof values. Aug 11, 2019
print-smb.c SMB: Remove blank lines in output Aug 15, 2019
print-smtp.c Use the ndo->ndo_protocol field instead of the protoname parameter Mar 8, 2019
print-snmp.c Don't use <ctype.h> macros. Sep 1, 2019
print-ssh.c Don't use <ctype.h> macros. Sep 1, 2019
print-stp.c STP: Remove blank lines in output Aug 15, 2019
print-sunatm.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-sunrpc.c Remove more old-compiler compensation. Aug 9, 2019
print-symantec.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-syslog.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-tcp.c More use of %zu to print sizeof values. Aug 11, 2019
print-telnet.c Remove more old-compiler compensation. Aug 9, 2019
print-tftp.c Use nd_print_protocol_caps() to print the protocol name Jun 17, 2019
print-timed.c Use more HTTPS in URLs Aug 19, 2019
print-tipc.c Correct the extraction of the TIPC message size field. Jul 15, 2019
print-token.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-udld.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-udp.c The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
print-usb.c USB: Print the protocol name Aug 15, 2019
print-vjc.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-vqp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-vrrp.c Use the new GET_ macros instead of the EXTRACT_ ones Mar 26, 2019
print-vsock.c Always include <config.h> rather than "config.h". Apr 25, 2019
print-vtp.c Use more HTTPS in URLs Aug 19, 2019
print-vxlan-gpe.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-vxlan.c Fix some narrowing warnings on LP64/LLP64 platforms. Apr 18, 2019
print-wb.c Clean up rounding up. Nov 11, 2019
print-zep.c Fix spaces Aug 5, 2019
print-zephyr.c Don't use <ctype.h> macros. Sep 1, 2019
print-zeromq.c ZeroMQ: Remove blank lines in output Aug 15, 2019
print.c Treat the length field in an Ethernet header as such. Apr 23, 2019
print.h Fix local time printing Aug 7, 2018
rpc_auth.h Use nd_ types for ONC RPC. Dec 15, 2017
rpc_msg.h Use nd_ types for ONC RPC. Dec 15, 2017
send-ack.awk Initial revision Oct 7, 1999
signature.c Remove useless comments Mar 19, 2018
signature.h zero change: update Hannes Gredler's email Jul 28, 2017
slcompress.h remove tcpdump's own CVS keywords Jan 2, 2014
smb.h SMB: Move smb_data_print() declaration in smb.h Nov 1, 2019
smbutil.c Fix a compiler warning. Oct 29, 2019
status-exit-codes.h More status exit codes for a program using libnetdissect Sep 9, 2018
stime.awk Initial revision Oct 7, 1999
strtoaddr.c Get rid of useless test. Sep 3, 2019
strtoaddr.h Don't require IPv6 library support in order to support IPv6 addresses. Sep 17, 2015
tcp.h Add dissector for SSH version exchange May 8, 2019
tcpdump.1.in Fixup a roff warning in tcpdump.1.in Sep 15, 2019
tcpdump.c Move some code to better show how to handle pcap_activate() failure. Nov 24, 2019
timeval-operations.h Fix spaces Aug 6, 2018
udp.h The ptp (precision time protocol) with UDP as the transport protocol. Nov 22, 2019
update-test.sh Use UTC/GMT time when building/checking tests files Aug 9, 2018
util-print.c Don't use <ctype.h> macros. Sep 1, 2019
varattrs.h Don't test for __attribute__ in the configure script. Jan 22, 2018

README.md

tcpdump

To report a security issue please send an e-mail to security@tcpdump.org.

To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the file CONTRIBUTING in the tcpdump source tree root.

TCPDUMP 4.x.y
Now maintained by "The Tcpdump Group"
See https://www.tcpdump.org

Anonymous Git is available via:

git clone git://bpf.tcpdump.org/tcpdump

formerly from Lawrence Berkeley National Laboratory
Network Research Group, tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition. This software was originally developed by the Network Research Group at the Lawrence Berkeley National Laboratory. The original distribution is available via anonymous ftp to ftp.ee.lbl.gov, in tcpdump.tar.Z. More recent development is performed at tcpdump.org, https://www.tcpdump.org/.

Tcpdump uses libpcap, a system-independent interface for user-level packet capture. Before building tcpdump, you must first retrieve and build libpcap, also originally from LBL and now being maintained by tcpdump.org; see https://www.tcpdump.org/.

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the INSTALL.txt file.

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve tcp and internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To ensure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the CHANGES file). We are grateful for all the input.

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Some tools for viewing and analyzing tcpdump trace files are available from the Internet Traffic Archive:

Another tool that tcpdump users might find useful is tcpslice:

It is a program that can be used to extract portions of tcpdump binary trace files. See the above distribution for further details and documentation.

Current versions can be found at https://www.tcpdump.org.

  • The TCPdump group

original text by: Steve McCanne, Craig Leres, Van Jacobson


This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609    3.20    17.24   3.40    5.82    4       11
	9       4097    6.02    6.58    6.20    6.80    2       5

	This says that 134 chunks were transferred (about 70K
	since the average packet size was 512 bytes).  It took
	536 packets to transfer the data (i.e., on the average
	each chunk was transmitted four times).  Looking at,
	say, chunk 4, we see it represents the 512 bytes of
	sequence space from 1561 to 2048.  It was first sent
	1.86 seconds into the conversation.  It was last
	sent 15 seconds into the conversation and was sent
	a total of 6 times (i.e., it was retransmitted every
	2 seconds on the average).  It was acked once, 140ms
	after it first arrived.

stime.awk
atime.awk
	Output one line per send or ack, respectively, in the form
		<time> <seq. number>
	where <time> is the time in seconds since the start of the
	transfer and <seq. number> is the sequence number being sent
	or acked.  I typically plot this data looking for suspicious
	patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".