     data xmit time:    28.479 secs        data xmit time:    27.446 secs
     idletime max:      6508.6 ms          idletime max:      6709.0 ms
     throughput:             4 Bps         throughput:            42 Bps
This was produced by using tcpdump to capture all traffic into the file telnet.trace and then executing tcptrace to process the data. Here is the syntax required to produce this output:
bsd1# tcptrace -l telnet.trace
Similar output is produced for each TCP connection recorded in the trace file. Obviously, a protocol like HTTP that uses many different sessions may overwhelm you with output.
There is a lot more to this program than covered in this brief discussion. If your primary goal is analysis of network performance and related problems rather than individual packet analysis, this is a
very useful tool.
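Because tcptrace -l prints the a->b and b->a statistics side by side, pulling the per-direction numbers into a script takes a little care. The following is an added example, not code from the book or from tcptrace itself: it splits a constructed sample of the two-column summary (the three fields shown above) into per-direction metrics and flags directions whose maximum idle time exceeds a threshold, a quick way to pick out stalled or abandoned sessions in a large trace. The sample text, the 5 s threshold, and the a2b/b2a labels are assumptions for the example.

```python
import re

# Constructed sample of the two-column tail of `tcptrace -l` output
# (left column a->b, right column b->a). Not real capture data.
SAMPLE = """\
     data xmit time:    28.479 secs        data xmit time:    27.446 secs
     idletime max:      6508.6 ms          idletime max:      6709.0 ms
     throughput:             4 Bps         throughput:            42 Bps
"""

# One metric: a label, a numeric value, and a unit word.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+([0-9.]+)\s+([A-Za-z]+)")


def parse_tcptrace_columns(text):
    """Split each two-column line into per-direction metrics.

    Returns {"a2b": {field: (value, unit)}, "b2a": {field: (value, unit)}}.
    Lines that do not carry exactly two metrics are ignored.
    """
    result = {"a2b": {}, "b2a": {}}
    for line in text.splitlines():
        fields = FIELD_RE.findall(line)
        if len(fields) != 2:
            continue
        for side, (name, value, unit) in zip(("a2b", "b2a"), fields):
            result[side][name.strip()] = (float(value), unit)
    return result


def flag_idle_sessions(metrics, max_idle_ms=5000.0):
    """Return the directions whose 'idletime max' exceeds max_idle_ms.

    A long idle interval in an interactive session is worth a second
    look when reviewing a trace for stalled or forgotten connections.
    """
    flagged = []
    for side, fields in metrics.items():
        idle = fields.get("idletime max")
        if idle and idle[1] == "ms" and idle[0] > max_idle_ms:
            flagged.append(side)
    return flagged


if __name__ == "__main__":
    metrics = parse_tcptrace_columns(SAMPLE)
    print(metrics)
    print("idle directions:", flag_idle_sessions(metrics))
```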
5.5.8 trafshow
The program trafshow is a packet capture program of a different sort. It provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address,
destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.
While trafshow can be run on a text-based terminal, it effectively takes over the display. It is best used in a separate window of a windowing system. There are a number of options, including support for
packet filtering using the same filter format as tcpdump.
5.5.9 xplot
The xplot program is an X Windows plotting program. While it is a general purpose plotting program, it was written as part of a thesis project for TCP analysis by David Clark. As a result, some support for
plotting TCP data oriented toward network analysis is included with the package. It is also used by tcptrace. While a powerful and useful program, it is not for the faint of heart. Due to the lack of
documentation, the program is easiest to use with tcptrace rather than as a standalone program.
5.5.10 Other Packet Capture Programs
We have discussed tcpdump in detail because it is the most widely available packet capture program for Unix. Many implementations of Unix have proprietary packet capture programs that are
comparable to tcpdump. For example, Sun Microsystems' Solaris provides snoop. This is a replacement for etherfind, which was supplied with earlier versions of the Sun operating system.
Here is an example of using snoop to capture five packets:
sol1# snoop -c5
Using device /dev/elxl (promiscuous mode)
    172.16.2.210 -> sol1             TELNET C port=28863
            sol1 -> 172.16.2.210     TELNET R port=28863
    172.16.2.210 -> sol1             TELNET C port=28863
    172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
sloan.lander.edu -> 172.16.2.210     TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
snoop: 5 packets captured
As you can see, snoop is used in much the same way as tcpdump, and its output is actually in a slightly more readable format. snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump.
Other systems provide their own equivalents; for example, AIX provides iptrace. While the syntax differs, these tools are used in much the same way.
5.6 Packet Analyzers