FreeBSD Manual Pages
TCPSHOW(1)                  General Commands Manual                 TCPSHOW(1)

NAME
       tcpshow - decode a tcpdump savefile

SYNOPSIS
       tcpshow [ -b ] [ -sb ] [ -w width ] [ -noLink ] [ -noIp ]
               [ -noHostNames ] [ -fqdn ] [ -noEtherNames ] [ -noPortNames ]
               [ -noData ] [ -minHdrDecode ] [ -track ] [ -terse ]
               [ -verbose ] [ -cooked ] [ -pp ] [ -s ] [ -h ] [ expression ]

DESCRIPTION
       tcpshow reads a tcpdump(1) savefile and provides a reasonably complete
       decode of Ethernet, ARP, RARP, IP, ICMP, UDP and TCP headers, in
       packets that match the boolean expression. The data belonging to
       these packets is displayed in ASCII.

       Currently, protocol data is not decoded. This is not considered a
       serious problem for applications that use ASCII data streams. Also,
       IP and TCP options are not decoded.

       The input file must be in the format produced by tcpdump -enx. This
       file can be generated from

       1. a prior run of tcpdump -w file
       2. a live run of tcpdump (without -w)
       3. any other program that produces a correctly formatted trace

       See under EXAMPLES for each of these different methods, plus a
       description of the format the input file needs to be in.

       Except when -cooked is used, tcpdump(1) is required to be on your
       PATH, to process the raw savefile.

OPTIONS
       The following options can be used in just about any sane combination.

       -b     Do not break long lines.
              If this option is off (the default), then lines are wrapped at
              column 60. The column at which wrapping occurs may be changed
              with the -w flag. If this option is on, then wrapping does not
              occur. Leaving this flag off produces a neater, more readable
              display of the application data in most cases.

       -sb    show line breaks
              When -b is not used, it may be useful to see exactly where
              tcpshow wrapped each line, in its display of application data.
              This option causes the string ``<br>'' to be displayed at the
              end of each wrapped line. (Lines which were not wrapped, but
              terminated before the page width, are not so marked.)
       -w width
              set pagewidth to width columns
              This determines where tcpshow will fold long lines, when the
              -b switch is not used. The default is at column 60.

       -noLink
              don't decode the link header
              The data link header (Ethernet header) is not decoded and
              displayed.

       -noIp  don't decode the IP header
              The IP header is not decoded and displayed.

       -noHostNames
              don't map IP addresses into host names
              Normally, host names are displayed if they can be resolved;
              otherwise, the IP address is displayed. This flag prevents the
              attempt to resolve the name. (See -fqdn.)

       -fqdn  show host names as fully-qualified
              Normally, short host names are displayed, i.e. the domain part
              is omitted. If the name can't be resolved, the IP address is
              displayed.

       -noEtherNames
              don't map Ethernet addresses into host names
              Normally, host Ethernet names are displayed if they can be
              resolved; otherwise, the Ethernet address is displayed. This
              flag prevents the attempt to resolve the name.

       -noPortNames
              don't map port numbers into port names
              Normally, protocol port names are displayed if they can be
              resolved; otherwise, the port number is displayed. This flag
              prevents the attempt to resolve the name.

       -noData
              don't show the data
              The protocol data is not displayed (a count of data bytes is
              shown).

       -minHdrDecode
              display only a minimal decode of the protocol headers.
              Essentially, the header decode shows only the hostnames and
              ports involved.

       -track track TCP sequence numbers
              An additional field is produced in the output which shows the
              TCP acknowledgement number which this side of the connection
              should receive once the current packet has been received by
              its peer.

       -terse show the header decode in compact format
              This option, which is on by default, produces a display of the
              decoded headers in a compact format, allowing more information
              to be assimilated with less eye movement.
       -verbose
              show the header decode in expanded format
              With this option, the display of the decoded headers is
              verbose, occupying a lot of display-space real-estate. This is
              meant for users not entirely familiar with the fields in the
              various headers.

       -cooked
              don't run tcpdump(1) to pre-process the input
              If the input file is already in the expected format, this
              option must be used. See EXAMPLES below of where this flag is
              appropriate.

       -pp    point-to-point link
              If the input file was collected from data travelling over a
              point-to-point link (one which doesn't make an Ethernet header
              available), this option needs to be used.

       -s     also display a hex dump of spurious data at packet-end
              For a reason unknown to the author, tcpdump(1) output
              sometimes contains data at the end of packets which don't
              belong to those packets. This spurious data is suppressed from
              the output, except when this option is used.

       -h     display a help summary
              This list of options is displayed, with one-liner
              descriptions.

       expression
              filter the input file using a tcpdump(1) expression
              If the -cooked option is not used, then tcpdump(1) is required
              to be on your PATH. It is used to read the raw savefile,
              producing output in the format tcpshow expects. The expression
              should be a valid tcpdump(1) expression. It is not parsed or
              interpreted by tcpshow, but passed on to tcpdump(1) for its
              consumption.

EXAMPLES
       In the following examples, where tcpdump(1) is used, the flag -s 1518
       is used to be sure of saving the complete Ethernet frame. Also, where
       tcpdump(1) expressions are used, these could equally have been given
       to tcpdump(1) directly, if it was known at this time what data you're
       interested in.

       Capture a raw savefile and decode it later.

              # tcpdump -s 1518 -w savefile
              # tcpshow < savefile

       Decode the data as quickly as tcpdump(1) gives it to us.

              # tcpdump -s 1518 -lenx | tcpshow -cooked

       Display headers only.

              # tcpshow -noData < savefile

       Display data only (minimal header decode).
              # tcpshow -minHdrDecode

       Display a decode of Telnet traffic only, omitting the link and IP
       headers.

              # tcpdump -s 1518 -w savefile
              # tcpshow -noLink -noIp tcp port telnet < savefile

       Give a verbose display of the headers, and a full display of the
       data, for all packets going into or coming from the host "sam" -- this
       host is on a LAN accessible through a PPP link (interface "ppp0").

              # tcpdump -i ppp0 -s 1518 -w savefile
              # tcpshow -pp -verbose host sam < savefile

       Show all SMTP mail transfers, omitting the headers (you're not
       supposed to do this).

              # tcpdump -s 1518 -w savefile
              # tcpshow -minHdrDecode port smtp < savefile

       To display a decode of data not captured via tcpdump(1), you would
       typically use the application that captured the trace to dump that
       trace into a file in ASCII-hex format. You feed that file into a
       Perl/sh/awk script (that you write), which produces a file in the
       format tcpshow expects. Such scripts are easy to write. For example,
       if your application is "capture" and your script is "convert", then
       tcpshow might be used as follows.

              # capture -hexoutput | convert | tcpshow -cooked

       Note that -cooked is required, to prevent tcpdump(1) from being
       spawned.

       A loose definition of the format tcpshow expects is:

              The 1st line of each packet must begin in column 1 and
              contains the following whitespace-separated fields: timestamp,
              Ethernet source address, Ethernet destination address,
              Ethernet type. The Ethernet addresses must be in the form
              aa:bb:cc:dd:ee:ff. If -pp is used, only the timestamp is
              required. The format of the timestamp is hh:mm:ss:fff... where
              hh=hourOfDay, mm=minOfHour, ss=secOfMin and the 'f' digits are
              the fraction of a second at which the packet arrived
              (resolution varies from machine to machine). If timestamp
              information isn't available, any text string will do (no
              embedded whitespace and it shouldn't look like a valid
              timestamp). The Ethernet type field is an ASCII-hex string;
              for example, "0800" means an IP packet is encapsulated.
              The 2nd and subsequent lines of each packet must begin with a
              TAB. They consist of an ASCII-hex dump of the Ethernet data
              field. The hex bytes can be separated from each other by any
              amount of whitespace, including none.

FILES
       tcpshow reads from standard input and writes to standard output.

SEE ALSO
       tcpdump(1), nit(4P), bpf(4)

AUTHOR
       Mike Ryan <mike@NetworX.ie>

RESTRICTIONS
       This program and its source code are freely available. See the
       Conditions governing their use in the source code.

BUGS
       It should decode IP and TCP options.

       It should decode data from application protocols that don't send
       their data in ASCII (e.g. DNS/BIND).

       It should not depend on tcpdump(1) as much as it does. It should be
       modified to use pcap(3) directly.

                                  2 Feb 1998                        TCPSHOW(1)
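The "convert" step and the cooked input format described under EXAMPLES, as an added worked example that is not part of the tcpshow man page or source: a small Python converter that writes one packet in the format tcpshow -cooked expects (first line: timestamp, source MAC, destination MAC, Ethernet type; following lines TAB-prefixed hex), a reader that parses it back, and the minimal IP/TCP header decode plus the -track acknowledgement arithmetic. The frame is constructed inline (checksums left at zero), and the function names are this example's own.

```python
import struct

def build_sample_frame():
    """Constructed Ethernet/IPv4/TCP frame (not captured traffic): 10.0.0.1:1234 -> 10.0.0.2:23, 2 data bytes."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")        # dst MAC, src MAC, type IP
    tcp = struct.pack("!HHIIBBHHH", 1234, 23, 1000, 0, 5 << 4, 0x18, 8192, 0, 0) + b"hi"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,  # checksum 0: constructed
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def to_cooked(timestamp, frame):
    """Emit one packet as tcpshow -cooked input: header line in column 1, then TAB-prefixed hex lines."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src, etype, data = frame[:6], frame[6:12], frame[12:14], frame[14:]
    lines = [f"{timestamp} {mac(src)} {mac(dst)} {etype.hex()}"]   # order per the man page: src, dst, type
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        lines.append("\t" + " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2)))
    return "\n".join(lines) + "\n"

def parse_cooked(text):
    """Read cooked text back into a list of packets; any whitespace between hex bytes is allowed."""
    packets = []
    for line in text.splitlines():
        if line.startswith("\t"):
            packets[-1]["data"] += bytes.fromhex("".join(line.split()))
        elif line.strip():
            ts, src, dst, etype = line.split()
            packets.append({"ts": ts, "src": src, "dst": dst, "type": etype, "data": b""})
    return packets

def decode_ip_tcp(data):
    """Minimal IPv4 + TCP header decode (the fields -minHdrDecode shows) and the -track expected ACK."""
    ihl = (data[0] & 0x0F) * 4
    info = {"src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
            "proto": data[9]}
    if info["proto"] == 6:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[ihl:ihl + 14])
        doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
        payload_len = len(data) - ihl - doff
        # The peer should acknowledge seq + data bytes, plus one each for SYN and FIN.
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                    expected_ack=seq + payload_len + bool(flags & 0x02) + bool(flags & 0x01))
    return info

if __name__ == "__main__":
    cooked = to_cooked("12:00:00.000001", build_sample_frame())
    print(cooked, decode_ip_tcp(parse_cooked(cooked)[0]["data"]))
```

Piping the printed text into `tcpshow -cooked` is the equivalent of the `capture | convert | tcpshow -cooked` pipeline above.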