Packet Capture, part 3: Analysis Tools - Page 6
1.5.8. trafshow
The program trafshow is a packet capture program of a different sort. It provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address, destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.
While trafshow can be run on a text-based terminal, it effectively takes over the display. It is best used in a separate window of a windowing system. There are a number of options, including support for packet filtering using the same filter format as tcpdump.
1.5.9. xplot
The xplot program is an X Windows plotting program. While it is a general purpose plotting program, it was written as part of a thesis project for TCP analysis by David Clark. As a result, some support for plotting TCP data (oriented toward network analysis) is included with the package. It is also used by tcptrace. While a powerful and useful program, it is not for the faint of heart. Due to the lack of documentation, the program is easiest to use with tcptrace rather than as a standalone program.
1.5.10. Other Packet Capture Programs
We have discussed tcpdump in detail because it is the most widely available packet capture program for Unix. Many implementations of Unix have proprietary packet capture programs that are comparable to tcpdump. For example, Sun Microsystems' Solaris provides snoop. (This is a replacement for etherfind, which was supplied with earlier versions of the Sun operating system.)
Here is an example of using snoop to capture five packets:
sol1> snoop -c5
Using device /dev/elxl (promiscuous mode)
172.16.2.210 -> sol1         TELNET C port=28863
sol1 -> 172.16.2.210         TELNET R port=28863 /dev/elxl (promiscuo
172.16.2.210 -> sol1         TELNET C port=28863
172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
snoop: 5 packets captured
As you can see, it is used pretty much the same way as tcpdump. (Actually, the output has a slightly more readable format.) snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump.
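The snoop summary lines above, and the trafshow-style "source, destination, protocol, bytes" snapshot described in the trafshow section, can both be illustrated with a small parser. The following is an added example, not code from the book or from either tool: it parses snoop one-line summaries (the five lines shown on this page, embedded as constructed sample input) into records and then aggregates them into a per-flow snapshot of the kind trafshow displays. The regular expressions, the use of the TCP Len= field as the byte count (TELNET summary lines carry no length, so they count 0), and the function names are all this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the snoop summary lines from the page, one packet
# per line. The second TELNET line carries echoed screen text in its payload
# summary, which is why "/dev/elxl (promiscuo" appears after the port field.
SNOOP_OUTPUT = """\
Using device /dev/elxl (promiscuous mode)
172.16.2.210 -> sol1 TELNET C port=28863
sol1 -> 172.16.2.210 TELNET R port=28863 /dev/elxl (promiscuo
172.16.2.210 -> sol1 TELNET C port=28863
172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22 Ack=143990 Seq=3737542069 Len=60 Win=17520
sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071 Ack=3737542129 Seq=143990 Len=0 Win=7908
snoop: 5 packets captured
"""

# "src -> dst PROTO <details>"; lines without " -> " (device banner, footer) are skipped.
LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+)\s+(?P<proto>[A-Z]+)\s*(?P<rest>.*)$")
# Numeric key=value fields such as D=1071, Ack=143990, Len=60, port=28863.
KV_RE = re.compile(r"\b([A-Za-z]+)=(\d+)")


def parse_snoop_line(line):
    """Parse one snoop summary line into a dict, or return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: int(v) for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "fields": fields,
        # Assumption: TCP lines give the segment payload length as Len=;
        # summaries without it (TELNET lines here) are counted as 0 bytes.
        "bytes": fields.get("Len", 0),
    }


def summarize(text):
    """Aggregate packets into (src, dst, proto) -> (packet count, byte count)."""
    packets, nbytes = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_snoop_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["proto"])
        packets[key] += 1
        nbytes[key] += rec["bytes"]
    return {k: (packets[k], nbytes[k]) for k in packets}


def render_snapshot(summary):
    """Render one trafshow-style snapshot table, busiest flows (bytes, then packets) first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1][1], -kv[1][0]))
    out = [f"{'Source':<18}{'Destination':<18}{'Proto':<8}{'Pkts':>5}{'Bytes':>8}"]
    for (src, dst, proto), (pk, nb) in rows:
        out.append(f"{src:<18}{dst:<18}{proto:<8}{pk:>5}{nb:>8}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_snapshot(summarize(SNOOP_OUTPUT)))
```

Run it on a saved snoop session to get a one-shot equivalent of a trafshow screen; feeding it successive captures gives the repeated snapshots the trafshow section describes, which is a convenient way to spot a flow that is unexpectedly large or an endpoint that should not be talking at all.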
Other systems provide their own equivalents (for example, AIX provides iptrace). While the syntax differs, these tools are used in much the same way.

The next segment from Network Troubleshooting Tools will cover packet analyzers.