Packet Capture, part 3: Analysis Tools - Page 6
The program trafshow is a packet capture program of a different sort. It provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address, destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.
While trafshow can be run on a text-based terminal, it effectively takes over the display. It is best used in a separate window of a windowing system. There are a number of options, including support for packet filtering using the same filter format as tcpdump.
The xplot program is an X Windows plotting program. While it is a general purpose plotting program, it was written as part of a thesis project for TCP analysis by David Clark. As a result, some support for plotting TCP data (oriented toward network analysis) is included with the package. It is also used by tcptrace. While a powerful and useful program, it is not for the faint of heart. Due to the lack of documentation, the program is easiest to use with tcptrace rather than as a standalone program.
1.5.10. Other Packet Capture Programs
Here is an example of using snoop to capture five packets:
sol1> snoop -c5 Using device /dev/elxl (promiscuous mode) 172.16.2.210 -> sol1 TELNET C port=28863 sol1 -> 172.16.2.210 TELNET R port=28863 /dev/elxl (promiscuo 172.16.2.210 -> sol1 TELNET C port=28863 172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520 sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908 snoop: 5 packets captured
As you can see, it is used pretty much the same way as tcpdump. (Actually, the output has a slightly more readable format.) snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump.
The next segment from Network Troubleshooting Tools will cover packet analyzers.