The latest network routers, software, management tools and information for enterprise IT administrators.

Packet Capture, part 3: Analysis Tools - Page 3

By O'Reilly Press

Page 3 of 6 | Back to Page 1

1.5.4. tcp-reduce

The program tcp-reduce invokes a collection of shell scripts to reduce the packet capture information in a tcpdump trace file to one-line summaries for each connection. That is, an entire Telnet session would be summarized by a single line. This could be extremely useful in getting an overall picture of how the traffic over a link breaks down or for looking quickly at very large files.

The syntax is quite simple.

bsd1# tcp-reduce tracefile > outfile

will reduce tracefile, putting the output in outfile. The program tcp-summary, which comes with tcp-reduce, will further summarize the results. For example, on my system I traced a system briefly with tcpdump. This process collected 741 packets. When processed with tcp-reduce, this revealed 58 TCP connections. Here is an example when results were passed to tcp-summary :

bsd1# tcp-reduce out-file | tcp-summary

This example produced the following five-line summary:

proto        # conn   KBytes    % SF % loc % ngh
-----        ------   ------    ---- ----- -----
www              56       35      25     0     0
telnet            1        1     100     0     0
pop-3             1        0     100     0     0

In this instance, this clearly shows that the HTTP traffic dominated the local network traffic.

1.5.5. tcpshow

The program tcpshow decodes a tcpdump trace file. It represents an alternative to using tcpdump to decode data. The primary advantage of tcpshow is much nicer formatting for output. For example, here is the tcpdump output for a packet:

 12:36:54.772066 sloan.lander.edu.1174 > 205.153.63.238.telnet: . ack 
3259091394 win 8647 (DF) b

Here is corresponding output from tcpshow for the same packet:

-----------------------------------------------------------------------
Packet 1
TIME:   12:36:54.772066
LINK:   00:10:5A:A1:E9:08 -> 00:10:5A:E3:37:0C type=IP
  IP:   sloan -> 205.153.63.238 hlen=20 TOS=00 dgramlen=40 id=B30C
        MF/DF=0/1 frag=0 TTL=128 proto=TCP cksum=2D84
 TCP:   port 1174 -> telnet seq=0016775603 ack=3259091394
        hlen=20 (data=0) UAPRSF=010000 wnd=8647 cksum=E869 urg=0
DATA:   <No data>
-----------------------------------------------------------------------

The syntax is:

bsd1# tcpshow < trace-file

There are numerous options.

This article was originally published on Nov 20, 2001

jfreund@internet.com

Get the Latest Scoop with Networking Update Newsletter

Thanks for your registration, follow us on our social networks to keep up-to-date