1 # tcpdump 2 3 [](https://travis-ci.org/the-tcpdump-group/tcpdump) 5 6 TCPDUMP 4.x.y 7 Now maintained by "The Tcpdump Group" 8 See www.tcpdump.org 9 10 Please send inquiries/comments/reports to: 11 12 * tcpdump-workers (a] lists.tcpdump.org 13 14 Anonymous Git is available via: 15 16 git clone git://bpf.tcpdump.org/tcpdump 17 18 Please submit patches by forking the branch on GitHub at: 19 20 * http://github.com/the-tcpdump-group/tcpdump/tree/master 21 22 and issuing a pull request. 23 24 formerly from Lawrence Berkeley National Laboratory 25 Network Research Group <tcpdump (a] ee.lbl.gov> 26 ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4) 27 28 This directory contains source code for tcpdump, a tool for network 29 monitoring and data acquisition. This software was originally 30 developed by the Network Research Group at the Lawrence Berkeley 31 National Laboratory. The original distribution is available via 32 anonymous ftp to `ftp.ee.lbl.gov`, in `tcpdump.tar.Z`. More recent 33 development is performed at tcpdump.org, http://www.tcpdump.org/ 34 35 Tcpdump uses libpcap, a system-independent interface for user-level 36 packet capture. Before building tcpdump, you must first retrieve and 37 build libpcap, also originally from LBL and now being maintained by 38 tcpdump.org; see http://www.tcpdump.org/ . 39 40 Once libpcap is built (either install it or make sure it's in 41 `../libpcap`), you can build tcpdump using the procedure in the `INSTALL.txt` 42 file. 43 44 The program is loosely based on SMI's "etherfind" although none of the 45 etherfind code remains. It was originally written by Van Jacobson as 46 part of an ongoing research project to investigate and improve tcp and 47 internet gateway performance. The parts of the program originally 48 taken from Sun's etherfind were later re-written by Steven McCanne of 49 LBL. To insure that there would be no vestige of proprietary code in 50 tcpdump, Steve wrote these pieces from the specification given by the 51 manual entry, with no access to the source of tcpdump or etherfind. 52 53 Over the past few years, tcpdump has been steadily improved by the 54 excellent contributions from the Internet community (just browse 55 through the `CHANGES` file). We are grateful for all the input. 56 57 Richard Stevens gives an excellent treatment of the Internet protocols 58 in his book *"TCP/IP Illustrated, Volume 1"*. If you want to learn more 59 about tcpdump and how to interpret its output, pick up this book. 60 61 Some tools for viewing and analyzing tcpdump trace files are available 62 from the Internet Traffic Archive: 63 64 * http://www.sigcomm.org/ITA/ 65 66 Another tool that tcpdump users might find useful is tcpslice: 67 68 * https://github.com/the-tcpdump-group/tcpslice 69 70 It is a program that can be used to extract portions of tcpdump binary 71 trace files. See the above distribution for further details and 72 documentation. 73 74 Problems, bugs, questions, desirable enhancements, etc. should be sent 75 to the address "tcpdump-workers (a] lists.tcpdump.org". Bugs, support 76 requests, and feature requests may also be submitted on the GitHub issue 77 tracker for tcpdump at: 78 79 * https://github.com/the-tcpdump-group/tcpdump/issues 80 81 Source code contributions, etc. should be sent to the email address 82 above or submitted by forking the branch on GitHub at: 83 84 * http://github.com/the-tcpdump-group/tcpdump/tree/master 85 86 and issuing a pull request. 87 88 Current versions can be found at www.tcpdump.org. 89 90 - The TCPdump team 91 92 original text by: Steve McCanne, Craig Leres, Van Jacobson 93 94 ------------------------------------- 95 ``` 96 This directory also contains some short awk programs intended as 97 examples of ways to reduce tcpdump data when you're tracking 98 particular network problems: 99 100 send-ack.awk 101 Simplifies the tcpdump trace for an ftp (or other unidirectional 102 tcp transfer). Since we assume that one host only sends and 103 the other only acks, all address information is left off and 104 we just note if the packet is a "send" or an "ack". 105 106 There is one output line per line of the original trace. 107 Field 1 is the packet time in decimal seconds, relative 108 to the start of the conversation. Field 2 is delta-time 109 from last packet. Field 3 is packet type/direction. 110 "Send" means data going from sender to receiver, "ack" 111 means an ack going from the receiver to the sender. A 112 preceding "*" indicates that the data is a retransmission. 113 A preceding "-" indicates a hole in the sequence space 114 (i.e., missing packet(s)), a "#" means an odd-size (not max 115 seg size) packet. Field 4 has the packet flags 116 (same format as raw trace). Field 5 is the sequence 117 number (start seq. num for sender, next expected seq number 118 for acks). The number in parens following an ack is 119 the delta-time from the first send of the packet to the 120 ack. A number in parens following a send is the 121 delta-time from the first send of the packet to the 122 current send (on duplicate packets only). Duplicate 123 sends or acks have a number in square brackets showing 124 the number of duplicates so far. 125 126 Here is a short sample from near the start of an ftp: 127 3.00 0.20 send . 512 128 3.20 0.20 ack . 1024 (0.20) 129 3.20 0.00 send P 1024 130 3.40 0.20 ack . 1536 (0.20) 131 3.80 0.40 * send . 0 (3.80) [2] 132 3.82 0.02 * ack . 1536 (0.62) [2] 133 Three seconds into the conversation, bytes 512 through 1023 134 were sent. 200ms later they were acked. Shortly thereafter 135 bytes 1024-1535 were sent and again acked after 200ms. 136 Then, for no apparent reason, 0-511 is retransmitted, 3.8 137 seconds after its initial send (the round trip time for this 138 ftp was 1sec, +-500ms). Since the receiver is expecting 139 1536, 1536 is re-acked when 0 arrives. 140 141 packetdat.awk 142 Computes chunk summary data for an ftp (or similar 143 unidirectional tcp transfer). [A "chunk" refers to 144 a chunk of the sequence space -- essentially the packet 145 sequence number divided by the max segment size.] 146 147 A summary line is printed showing the number of chunks, 148 the number of packets it took to send that many chunks 149 (if there are no lost or duplicated packets, the number 150 of packets should equal the number of chunks) and the 151 number of acks. 152 153 Following the summary line is one line of information 154 per chunk. The line contains eight fields: 155 1 - the chunk number 156 2 - the start sequence number for this chunk 157 3 - time of first send 158 4 - time of last send 159 5 - time of first ack 160 6 - time of last ack 161 7 - number of times chunk was sent 162 8 - number of times chunk was acked 163 (all times are in decimal seconds, relative to the start 164 of the conversation.) 165 166 As an example, here is the first part of the output for 167 an ftp trace: 168 169 # 134 chunks. 536 packets sent. 508 acks. 170 1 1 0.00 5.80 0.20 0.20 4 1 171 2 513 0.28 6.20 0.40 0.40 4 1 172 3 1025 1.16 6.32 1.20 1.20 4 1 173 4 1561 1.86 15.00 2.00 2.00 6 1 174 5 2049 2.16 15.44 2.20 2.20 5 1 175 6 2585 2.64 16.44 2.80 2.80 5 1 176 7 3073 3.00 16.66 3.20 3.20 4 1 177 8 3609 3.20 17.24 3.40 5.82 4 11 178 9 4097 6.02 6.58 6.20 6.80 2 5 179 180 This says that 134 chunks were transferred (about 70K 181 since the average packet size was 512 bytes). It took 182 536 packets to transfer the data (i.e., on the average 183 each chunk was transmitted four times). Looking at, 184 say, chunk 4, we see it represents the 512 bytes of 185 sequence space from 1561 to 2048. It was first sent 186 1.86 seconds into the conversation. It was last 187 sent 15 seconds into the conversation and was sent 188 a total of 6 times (i.e., it was retransmitted every 189 2 seconds on the average). It was acked once, 140ms 190 after it first arrived. 191 192 stime.awk 193 atime.awk 194 Output one line per send or ack, respectively, in the form 195 <time> <seq. number> 196 where <time> is the time in seconds since the start of the 197 transfer and <seq. number> is the sequence number being sent 198 or acked. I typically plot this data looking for suspicious 199 patterns. 200 201 202 The problem I was looking at was the bulk-data-transfer 203 throughput of medium delay network paths (1-6 sec. round trip 204 time) under typical DARPA Internet conditions. The trace of the 205 ftp transfer of a large file was used as the raw data source. 206 The method was: 207 208 - On a local host (but not the Sun running tcpdump), connect to 209 the remote ftp. 210 211 - On the monitor Sun, start the trace going. E.g., 212 tcpdump host local-host and remote-host and port ftp-data >tracefile 213 214 - On local, do either a get or put of a large file (~500KB), 215 preferably to the null device (to minimize effects like 216 closing the receive window while waiting for a disk write). 217 218 - When transfer is finished, stop tcpdump. Use awk to make up 219 two files of summary data (maxsize is the maximum packet size, 220 tracedata is the file of tcpdump tracedata): 221 awk -f send-ack.awk packetsize=avgsize tracedata >sa 222 awk -f packetdat.awk packetsize=avgsize tracedata >pd 223 224 - While the summary data files are printing, take a look at 225 how the transfer behaved: 226 awk -f stime.awk tracedata | xgraph 227 (90% of what you learn seems to happen in this step). 228 229 - Do all of the above steps several times, both directions, 230 at different times of day, with different protocol 231 implementations on the other end. 232 233 - Using one of the Unix data analysis packages (in my case, 234 S and Gary Perlman's Unix|Stat), spend a few months staring 235 at the data. 236 237 - Change something in the local protocol implementation and 238 redo the steps above. 239 240 - Once a week, tell your funding agent that you're discovering 241 wonderful things and you'll write up that research report 242 "real soon now". 243 ``` 244
