Packet Capture, part 2 - Page 4

In this segment from the O'Reilly book, Network Troubleshooting Tools, you will learn all abut how to use the tcpdump in relation to packet capturing.

By O'Reilly Press | Posted Nov 13, 2001
Page 4 of 10   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

1.4.2.2. Controlling how information is displayed

The -a, -n, -N, and -f options determine how address information is displayed. The -a option attempts to force network addresses into names, the -n option prevents the conversion of addresses into names, the -N option prevents domain name qualification, and the -f option prevents remote name resolution. In the following, the remote site www.cisco.com (192.31.7.130) is pinged from sloan.lander.edu (205.153.63.30) without an option, with -a, with -n, with -N, and with -f, respectively. (The options -c1 host 192.31.7.130 restricts capture to one packet to or from the host 192.31.7.130.)

bsd1# tcpdump -c1 host 192.31.7.130
tcpdump: listening on xl0
14:16:35.897342 sloan.lander.edu > cio-sys.cisco.com: icmp: echo request
bsd1# tcpdump -c1 -a host 192.31.7.130
tcpdump: listening on xl0
14:16:14.567917 sloan.lander.edu > cio-sys.cisco.com: icmp: echo request
bsd1# tcpdump -c1 -n host 192.31.7.130
tcpdump: listening on xl0
14:17:09.737597 205.153.63.30 > 192.31.7.130: icmp: echo request
bsd1# tcpdump -c1 -N host 192.31.7.130
tcpdump: listening on xl0
14:17:28.891045 sloan > cio-sys: icmp: echo request
bsd1# tcpdump -c1 -f host 192.31.7.130
tcpdump: listening on xl0
14:17:49.274907 sloan.lander.edu > 192.31.7.130: icmp: echo request

Clearly, the -a option is the default.

Not using name resolution can eliminate the overhead and produce terser output. If the network is broken, you may not be able to reach your name server and will find yourself with long delays, while name resolution times out. Finally, if you are running tcpdump interactively, name resolution will create more traffic that will have to be filtered out.

The -t and -tt options control the printing of timestamps. The -t option suppresses the display of the timestamp while -tt produces unformatted timestamps. The following shows the output for the same packet using tcpdump without an option, with the -t option, and with the -tt option, respectively:

12:36:54.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 
win 8647 (DF)

sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 win 8647 (DF)

934303014.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 3259091394 
win 8647 (DF)

The -t option produces a more terse output while the -tt output can simplify subsequent processing, particularly if you are writing scripts to process the data.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter