TCPSHOW(1)		    General Commands Manual		    TCPSHOW(1)

NAME
       tcpshow - decode a tcpdump savefile

SYNOPSIS
       tcpshow [ -b ] [ -sb ] [ -w width ] [ -noLink ] [ -noIp ]
               [ -noHostNames ] [ -fqdn ] [ -noEtherNames ]
               [ -noPortNames ] [ -noData ] [ -minHdrDecode ]
               [ -track ] [ -terse ] [ -verbose ] [ -cooked ]
               [ -pp ] [ -s ] [ -h ] [ expression ]

DESCRIPTION
       tcpshow reads a tcpdump(1) savefile and provides a reasonably complete
       decode of Ethernet, ARP, RARP, IP, ICMP, UDP and TCP headers, in
       packets that match the boolean expression.  The data belonging to
       these packets is displayed in ASCII.

       Currently, protocol data is not decoded.  This is not considered a
       serious problem for applications that use ASCII data streams.

       Also, IP and TCP options are not decoded.

       The input file must be in the format produced by tcpdump -enx.  This
       file can be generated from
       1. a prior run of tcpdump -w file
       2. a live run of tcpdump (without -w)
       3. any other program that produces a correctly formatted
       See under EXAMPLES for each of these different methods, plus a
       description of the format the input file needs to be in.

       Except when -cooked is used, tcpdump(1) is required to be on your PATH,
       to process the raw savefile.

OPTIONS
       The following options can be used in just about any sane combination.

       -b     Do not break long lines.  If this option is off (the default),
              then lines are wrapped at column 60.  The column at which
              wrapping occurs may be changed with the -w flag.  If this option
              is on, then wrapping does not occur.

              Leaving this flag off produces a neater, more readable display
              of the application data in most cases.

       -sb    show line breaks

              When -b is not used, it may be useful to see exactly where
              tcpshow wrapped each line, in its display of application data.
              This option causes the string ``<br>'' to be displayed at the
              end of each wrapped line.  (Lines which were not wrapped, but
              terminated before the page width, are not so marked.)

       -w width
              set pagewidth to width columns

              This determines where tcpshow will fold long lines, when the -b
              switch is not used.  The default is at column 60.

       -noLink
              don't decode the link header

              The data link header (Ethernet header) is not decoded and dis-

       -noIp  don't decode the IP header

              The IP header is not decoded and displayed.

       -noHostNames
              don't map IP addresses into host names

              Normally, host names are displayed if they can be resolved;
              otherwise, the IP address is displayed.  This flag prevents the
              attempt to resolve the name.  (See -fqdn.)

       -fqdn  show host names as fully-qualified

              Normally, short host names are displayed, i.e. the domain part
              is omitted.  If the name can't be resolved, the IP address is

       -noEtherNames
              don't map Ethernet addresses into host names

              Normally, host Ethernet names are displayed if they can be
              resolved; otherwise, the Ethernet address is displayed.  This
              flag prevents the attempt to resolve the name.

       -noPortNames
              don't map port numbers into port names

              Normally, protocol port names are displayed if they can be
              resolved; otherwise, the port number is displayed.  This flag
              prevents the attempt to resolve the name.

       -noData
              don't show the data

              The protocol data is not displayed (a count of data bytes is

       -minHdrDecode
              display only a minimal decode of the protocol headers.

              Essentially, the header decode shows only the hostnames and
              ports involved.

       -track track TCP sequence numbers

              An additional field is produced in the output which shows the
              TCP acknowledgement number which this side of the connection
              should receive once the current packet has been received by its

       -terse show the header decode in compact format

              This option, which is on by default, produces a display of the
              decoded headers in a compact format, allowing more information
              to be assimilated with less eye movement.

       -verbose
              show the header decode in expanded format

              With this option, the display of the decoded headers is verbose,
              occupying a lot of display-space real-estate.  This is meant for
              users not entirely familiar with the fields in the various head-

       -cooked
              don't run tcpdump(1) to pre-process the input

              If the input file is already in the expected format, this option
              must be used.  See EXAMPLES below of where this flag is appro-
       -pp    point-to-point link

              If the input file was collected from data travelling over a
              point-to-point link (one which doesn't make an Ethernet header
              available), this option needs to be used.

       -s     also display a hex dump of spurious data at packet-end

              For a reason unknown to the author, tcpdump(1) output sometimes
              contains data at the end of packets which don't belong to those
              packets.  This spurious data is suppressed from the output,
              except when this option is used.

       -h     display a help summary

              This list of options is displayed, with one-liner descriptions.

       expression
              filter the input file using a tcpdump(1) expression

              If the -cooked option is not used, then tcpdump(1) is required
              to be on your PATH.  It is used to read the raw savefile,
              producing output in the format tcpshow expects.  The expression
              should be a valid tcpdump(1) expression.  It is not parsed or
              interpreted by tcpshow, but passed on to tcpdump(1) for its con-

EXAMPLES
       In the following examples, where tcpdump(1) is used, the flag -s 1518
       is used to be sure of saving the complete Ethernet frame.

       Also, where tcpdump(1) expressions are used, these could equally have
       been given to tcpdump(1) directly, if it was known at this time what
       data you're interested in.

       Capture a raw savefile and decode it later.

              # tcpdump -s 1518 -w savefile
              # tcpshow < savefile

       Decode the data as quickly as tcpdump(1) gives it to us.

              # tcpdump -s 1518 -lenx | tcpshow -cooked

       Display headers only.

              # tcpshow -noData < savefile

       Display data only (minimal header decode).

              # tcpshow -minHdrDecode

       Display a decode of Telnet traffic only, omitting the link and IP head-

              # tcpdump -s 1518 -w savefile
              # tcpshow -noLink -noIp tcp port telnet < savefile

       Give a verbose display of the headers, and a full display of the data,
       for all packets going into or coming from the host "sam" -- this host
       is on a LAN accessible through a PPP link (interface "ppp0").

              # tcpdump -i ppp0 -s 1518 -w savefile
              # tcpshow -pp -verbose host sam < savefile

       Show all SMTP mail transfers, omitting the headers (you're not supposed
       to do this).

              # tcpdump -s 1518 -w savefile
              # tcpshow -minHdrDecode port smtp < savefile

       To display a decode of data not captured via tcpdump(1), you would
       typically use the application that captured the trace to dump that
       trace into a file in ASCII-hex format.  You feed that file into a
       Perl/sh/awk script (that you write), which produces a file in the
       format tcpshow expects.  Such scripts are easy to write.  For example,
       if your application is "capture" and your script is "convert", then
       tcpshow might be used as follows.

              # capture -hexoutput | convert | tcpshow -cooked

       Note that -cooked is required, to prevent tcpdump(1) from being

       A loose definition of the format tcpshow expects is:

              The 1st line of each packet must begin in column 1 and contains
              the following whitespace-separated fields: timestamp, Ethernet
              source address, Ethernet destination address, Ethernet type.
              The Ethernet addresses must be in the form aa:bb:cc:dd:ee:ff.
              If -pp is used, only the timestamp is required.  The format of
              the timestamp is hh:mm:ss:fff...  where hh=hourOfDay,
              mm=minOfHour, ss=secOfMin and the 'f' digits are the fraction
              of a second at which the packet arrived (resolution varies from
              machine to machine).  If timestamp information isn't available,
              any text string will do (no embedded whitespace and it shouldn't
              look like a valid timestamp).  The Ethernet type field is an
              ASCII-hex string; for example, "0800" means an IP packet is en-

              The 2nd and subsequent lines of each packet must begin with a
              TAB.  They consist of an ASCII-hex dump of the Ethernet data
              field.  The hex bytes can be separated from each other by any
              amount of whitespace, including none.
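       As an added illustration (not part of this man page or of tcpshow
       itself), the following Python reads the "cooked" format defined above
       and performs a minimal IPv4/TCP header decode, including a field in
       the spirit of -track (the ACK number the other side should send back,
       computed here as sequence number plus payload length, plus one for SYN
       and for FIN).  The sample input is constructed, and the assumption that
       -pp input carries a raw IP packet after the timestamp line is mine.

```python
import re
# Constructed sample in the cooked format the man page describes (not a real capture):
# line 1 = timestamp, source MAC, destination MAC, Ethernet type; the TAB-indented
# lines are the hex dump of the Ethernet data field (here IPv4/TCP to port 23, "Hello").
SAMPLE = (
    "12:34:56:789012 00:11:22:33:44:55 66:77:88:99:aa:bb 0800\n"
    "\t4500 002d 1234 4000 4006 0000 c0a8 0101\n"
    "\tc0a8 0102 c350 0017 0000 0064 0000 0000\n"
    "\t5018 ffff 0000 0000 4865 6c6c 6f\n"
)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

def parse_cooked(text, pp=False):
    """Split cooked input into packets; with pp=True only the timestamp is required."""
    packets = []
    for raw in text.splitlines():
        if raw.startswith("\t"):                       # continuation: hex bytes, any spacing
            if not packets:
                raise ValueError("hex dump before any packet header line")
            hexstr = re.sub(r"\s+", "", raw)
            if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexstr):
                raise ValueError(f"bad hex dump line: {raw!r}")
            packets[-1]["data"] += bytes.fromhex(hexstr)
        elif raw.strip():                              # header line (must start in column 1)
            f = raw.split()
            if pp:                                     # assumption: -pp input carries raw IP
                packets.append({"ts": f[0], "type": 0x0800, "data": b""})
                continue
            if len(f) < 4 or not (MAC_RE.match(f[1]) and MAC_RE.match(f[2])):
                raise ValueError(f"bad packet header line: {raw!r}")
            packets.append({"ts": f[0], "src": f[1].lower(), "dst": f[2].lower(),
                            "type": int(f[3], 16), "data": b""})
    return packets

def decode_tcp(pkt):
    """Minimal IPv4/TCP decode plus a -track style field: the ACK the peer should send."""
    ip = pkt["data"]
    if pkt["type"] != 0x0800 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None                                    # not IPv4 carrying TCP
    ihl, total = (ip[0] & 0x0F) * 4, int.from_bytes(ip[2:4], "big")
    tcp = ip[ihl:total]                                # ignores trailer bytes (cf. -s)
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    payload, seq = tcp[doff:], int.from_bytes(tcp[4:8], "big")
    # SYN and FIN each consume one sequence number on top of the payload bytes
    expect_ack = (seq + len(payload) + bool(flags & 0x02) + bool(flags & 0x01)) & 0xFFFFFFFF
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": int.from_bytes(tcp[0:2], "big"), "dport": int.from_bytes(tcp[2:4], "big"),
            "seq": seq, "flags": flags, "payload": payload, "expect_ack": expect_ack}
```

       A converter script of the kind the EXAMPLES section describes only has
       to emit lines that parse_cooked() accepts; a hex line that is not a
       whole number of bytes or that precedes any header line is rejected.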

       tcpshow reads from standard input and writes to standard output.

SEE ALSO
       tcpdump(1), nit(4P), bpf(4)

AUTHOR
       Mike Ryan <>

       This program and its source code are freely available.  See the
       Conditions governing their use in the source code.

BUGS
       It should decode IP and TCP options.

       It should decode data from application protocols that don't send their
       data in ASCII (e.g. DNS/BIND).

       It should not depend on tcpdump(1) as much as it does.  It should be
       modified to use pcap(3) directly.

				  2 Feb	1998			    TCPSHOW(1)

