Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
TCPVIEW(1)		    General Commands Manual		    TCPVIEW(1)

NAME
       tcpview - view network traffic

SYNOPSIS
       tcpview [ filename ] [ -display display ] [ -iconic ]

DESCRIPTION
       Tcpview	can  capture  network traffic or read tcpdump and Sniffer data
       files.  Tcpview was derived from	tcpdump	and shares  many  characteris-
       tics  with  it.	 Under	SunOS: You must	be root	to capture frames with
       tcpview or it must be installed setuid to root.	Under Ultrix: Any user
       can capture frames tcpview once the super-user has enabled promiscuous-
       mode operation using pfconfig(8).  Under	BSD: Access is	controlled  by
       the permissions on /dev/bpf0, etc.

OPTIONS
       filename
	      Read in the tcpdump or Sniffer data file.

       -display
	      Use display for output.

       -iconic
	      Start with output	window in iconic form.

DISPLAY	FORMAT
       The main	display	is a window with three resizeable panes.  The top pane
       contains	a summary line describing each packet.	This line is identical
       to  the	output of tcpdump.  Selecting a	line in	the top	pane activates
       the middle and bottom panes.

       The middle pane contains	a detailed decoding  of	 the  selected	frame.
       Information  will only be included here if the appropriate protocol de-
       coders are present.  If a line is selected in  this  pane,  the	corre-
       sponding	line will be at	the top	of this	pane for all subsequent	frames
       decoded.

       The bottom pane is a hexdump of the entire frame.  Data will  be	 high-
       lighted when a line is selected in the middle pane.

FILE MENU
       Open will allow you to select a new data	file to	load.

       Save  allows you	to save	the current data in tcpdump or Sniffer format.
       You have	the choice of saving all the frames in the workspace  or  just
       the ones	that are currently displayed.

       Print allows you	to print the frames using the configured print command
       (see CONFIGURATION) or to a file.  You have the option of printing  all
       the  frames  or just the	ones currently displayed.  You can also	choose
       between printing	just the summary lines (tcpdump	 format)  or  the  de-
       tailed decoding.

       Exit quits tcpview.

CAPTURE	MENU
   Set Options
	      Device  Name  click  on this to select the name of the device to
	      use for capturing	data.  The default will	be the	first  network
	      interface	 found	or  the	one specified in the configuration op-
	      tions.

	      Promiscuous Mode determines if the interface is set to promiscu-
	      ous  mode	 or not.  If promiscuous mode is not enabled, you will
	      only be able to capture braodcasts and traffic addressed to  the
	      selected device (on some computers).

	      Number  of Frames	sets a limit on	the number of frames that will
	      be captured. Numbers <= 0	and invalid  entries  will  reset  the
	      limit to Infinite.

	      Time  Limit sets a limit of the number of	seconds	that data will
	      be captured. Numbers <= 0	and invalid  entries  will  reset  the
	      limit to Infinite.

	      Max  Bytes  Per Frame sets the maximum number of bytes that will
	      be captured per frame.  Sizes smaller than the minimum (normally
	      68) will not be accepted.

   GO
	      GO starts	the capture process.  One of three things can stop the
	      capture.	The user can hit the Stop button that will appear, the
	      maximum time can be reached, or the maximum number of packets to
	      capture can be reached.

FILTER
   Edit
   Address Filter
	      There are	two address filters.  To activate one,	click  on  the
	      OFF button.  If both filters are activated, the second line tog-
	      gle button will switch to	AND.  Clicking it again	will change it
	      to OR.

	      The filters can filter on	either DLC or IP addresses.  To	change
	      the address, click on the	button that  says  ANY.	  A  requester
	      will  appear  asking for the new DLC or IP address.  Use the ad-
	      dress filter to select the DLC or	IP addresses to	apply  to  the
	      current data or the data to be captured.	Clicking on any	of the
	      buttons will either toggle the button's state or bring up	a  re-
	      quester for new information.

	      Enter  "ANY"  or	"ALL"  (case is	not important) to set a	filter
	      back to the ANY state.  For numeric  ethernet  addresses,	 enter
	      the  address  in	hex format either starting with	"0x" or	as six
	      bytes  separated	by  colons  (for  example,  0x08202b000002  or
	      08:20:2b:00:00:02).  For IP addresses, enter a name or a numeric
	      address such as 128.95.112.1.

   Protocol Filter
	      Select the protocols you want to see.

   Port	Filter
	      If you use a port	filter,	all packets with that port as a	source
	      or  destination  will  be	selected.  You can enter either	a port
	      number or	name.  If the port name	cannot be  found,  the	filter
	      will be reset back to "ANY".

   Clear Filter
	      The  CLEAR  FILTER  button resets	the filter back	to its initial
	      state.

	      Apply To All will	apply your filter  to  all  the	 data  in  the
	      tcpview  workspace.   Selecting this with	no filter will display
	      all the frames.

	      Apply to Current will apply your filter to only those frames  in
	      the summary window (top pane).

   Follow Stream
       To  use this filter, first select (click	on) a UDP or TCP packet	in the
       summary window.	This filter will filter	based on the source and	desti-
       nation addresses	and ports and the protocol type.  It is	only supported
       for TCP and UDP.

   STREAM OPTIONS
	      Selecting	unidirectional or bidirectional	will determine if  you
	      see only traffic in one direction	or both	directions.

   TCP Options
	      Assemble	Out-Of-Order Packets.  This will attempt to reassemble
	      the original data	stream,	correctly handling out-of-order	 pack-
	      ets and duplicates.  It will not be able to handle missing pack-
	      ets.

	      Highlight	Timeouts.  This	is currently a very  simplistic	 func-
	      tion  that  looks	 at  the time between packets (delta time) and
	      highlights any that  exceed  the	selected  interval.   This  is
	      mostly useful for	spotting timeouts in large transfers.  You can
	      change the timeout interval by clicking on  the  button  in  the
	      next  line.   Entering invalid times resets the timeout interval
	      to 1 second.

   External Filter
	      The external filter section allows you to	do additional process-
	      ing  of  TCP  data.  Tcpview will	reassemble the TCP stream then
	      send the data (and optionally, the frame description) to an  ex-
	      ternal  filter,  window, or file.	 You can elect to see the data
	      in either	binary or hexdump format.

	      External filters can be used to further  decode  protocols  that
	      use  TCP as a transport layer.  Some sample filters are included
	      with tcpview.

SUMMARY	OPTIONS
   ADDRESS OPTIONS
	      Name tells tcpview to use	the name of a host rather than the ad-
	      dress in the summary window.

	      Number  tells tcpview to use a hosts IP or DLC number instead of
	      its name.

	      Use full domain name.  Selecting this with cause tcpview to dis-
	      play a host's full domain	name in	the summary line.  The default
	      is to just display the local part	of the name.

	      Use manuf. name in DLC addresses.	 When ethernet	addresses  are
	      displayed,  this will cause the first three bytes	to be replaced
	      by the ethernet manufacturer's name.  For	example,  Cisco_003462
	      instead of 00000c003462.

   TIME	OPTIONS
	      Absolute	 prints	  the	frame	arrival	 time  in  the	format
	      "hh:mm:ss.ssssss".

	      Unix Timestamp prints the	Unix timestamp,	 which	is  number  of
	      seconds since 00:00:00 GMT, Jan. 1, 1970.

	      Delta prints the number of seconds between frames.

	      Relative prints the number of seconds from the first frame.

	      None disables the	printing of frame times.

   MISC	OPTIONS
	      Verbose.	(Slightly more)	verbose	output.	 For example, the time
	      to live and type of service  information	in  an	IP  packet  is
	      printed.

	      Brief.  Prints less protocol information.

	      Display DLC header will display the DLC source, destination, and
	      protocol type in the summary line.

	      Use relative TCP sequence	numbers	will reset  each  TCP  connec-
	      tion's sequence to 0 to make it easier to	follow.

	      Display line numbers will	number the displayed frames for	refer-
	      ence.

CONFIGURATION
       The location of configuration files and	the  initial  values  of  many
       variables  can  be  set in the Tcpview X	resource file.	This should be
       located	 in    the    application    defaults	 directory,    usually
       /usr/lib/X11/app-defaults.  Users can keep their	own copy in the	direc-
       tory named by the environment variable  XAPPLRESDIR.   The  sample  re-
       sources	file  contains	a  description of the configuration variables.
       The configuration files are as follows:

	      Resource name	  Default

	      Tcpview.hostnames: /usr/local/lib/tcpview/ethers

	      Tcpview.manuf:	 /usr/local/lib/tcpview/manuf

	      Tcpview.services:	 /etc/services

	      The hostnames file contains DLC-to-name mappings.	 It is in  the
	      same format as Sniffer name files.  This allows you to share the
	      same file.  A sample line	is:
	      station "akbar.cac" = addrtype"DLC"  08002b178d2c
	      Only lines with addrtype"DLC" are	used.

	      The manuf	file contains the  information	to  associate  certain
	      ethernet manufacturers with the first three bytes	of an ethernet
	      address.	This file is also in Sniffer format.  A	sample file is
	      included.	 See ETHERNET VENDOR ADDRESS COMPONENTS	in RFC1340 for
	      more information.

	      The services file	is just	a copy of the /etc/services file.  You
	      may  modify it to	change the tcpview TCP or UDP service mappings
	      without affecting	the system you are using.

SEE ALSO
       tcpdump(1), nit(4P), bpf(4)

AUTHOR
       Martin Hunt (martinh@cac.washington.edu)

       University of Washington, Seattle, WA.

BUGS
       TCP and UDP checksums are not checked.  Some errors will	cause  tcpview
       to exit.

				  9 Nov	1992			    TCPVIEW(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | DISPLAY FORMAT | FILE MENU | CAPTURE MENU | FILTER | SUMMARY OPTIONS | CONFIGURATION | SEE ALSO | AUTHOR | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=tcpview&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help