Packet Capture, part 3: Analysis Tools - Page 6
1.5.8. trafshow
The program trafshow is a packet capture program of a different sort. It provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address, destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.
While trafshow can be run on a text-based terminal, it effectively takes over the display. It is best used in a separate window of a windowing system. There are a number of options, including support for packet filtering using the same filter format as tcpdump.
1.5.9. xplot
The xplot program is an X Windows plotting program. While it is a general purpose plotting program, it was written as part of a thesis project for TCP analysis by David Clark. As a result, some support for plotting TCP data (oriented toward network analysis) is included with the package. It is also used by tcptrace. While a powerful and useful program, it is not for the faint of heart. Due to the lack of documentation, the program is easiest to use with tcptrace rather than as a standalone program.
1.5.10. Other Packet Capture Programs
Here is an example of using snoop to capture five packets:
sol1> snoop -c5
Using device /dev/elxl (promiscuous mode)
172.16.2.210 -> sol1 TELNET C port=28863
sol1 -> 172.16.2.210 TELNET R port=28863 /dev/elxl (promiscuo
172.16.2.210 -> sol1 TELNET C port=28863
172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
snoop: 5 packets captured
As you can see, it is used pretty much the same way as tcpdump. (Actually, the output has a slightly more readable format.) snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump.
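The snoop summary format above (source, arrow, destination, protocol, then name=value fields) is regular enough to parse, which is how you would turn a capture like this into the per-conversation byte counts trafshow shows on screen. The following Python is an added example, not code from the book or from snoop; it assumes only the line layout shown on this page, and the sample input is the capture printed above.

```python
import re
from collections import defaultdict

# Constructed sample: the snoop session shown on this page, including the
# non-packet lines (prompt, device banner, trailer) that a parser must skip.
SNOOP_SAMPLE = """\
sol1> snoop -c5
Using device /dev/elxl (promiscuous mode)
172.16.2.210 -> sol1 TELNET C port=28863
sol1 -> 172.16.2.210 TELNET R port=28863 /dev/elxl (promiscuo
172.16.2.210 -> sol1 TELNET C port=28863
172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
snoop: 5 packets captured
"""

# "<src> -> <dst> <PROTO> <rest>"; the rest holds name=value fields and,
# for TELNET, the echoed payload text (which is why the snoop banner
# reappears inside a TELNET R line: the capture is watching its own session).
LINE_RE = re.compile(r"^(\S+) -> (\S+)\s+([A-Z]+)\s*(.*)$")
KV_RE = re.compile(r"\b([A-Za-z]+)=(\S+)")

def parse_snoop_line(line):
    """Return {'src','dst','proto','fields'} for a packet line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    for k, v in fields.items():
        if v.isdigit():
            fields[k] = int(v)   # ports, Seq/Ack, Len, Win are all integers
    return {"src": src, "dst": dst, "proto": proto, "fields": fields}

def summarize(text):
    """Aggregate packets and data bytes per (src, dst, proto), trafshow-style.

    Bytes come from snoop's Len= field (TCP data length, assumed here); lines
    without Len= (the TELNET summaries) are counted as packets only.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_snoop_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["proto"])
        totals[key]["packets"] += 1
        totals[key]["bytes"] += rec["fields"].get("Len", 0)
    return dict(totals)

if __name__ == "__main__":
    for (src, dst, proto), t in summarize(SNOOP_SAMPLE).items():
        print(f"{src:>18} -> {dst:<18} {proto:<7} {t['packets']:3d} pkts {t['bytes']:6d} bytes")
```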
Other systems will provide their own equivalents (for example, AIX provides iptrace). While the syntax is different, these tools are used in much the same way.
--The next segment from Network Troubleshooting Tools will cover packet analyzers.