The latest network routers, software, management tools and information for enterprise IT administrators.

Packet Capture, part 3: Analysis Tools - Page 6

By O'Reilly Press

Page 6 of 6 | Back to Page 1

1.5.8. trafshow

The program trafshow is a packet capture program of a different sort. It provides a continuous display of traffic over the network, giving repeated snapshots of traffic. It displays the source address, destination address, protocol, and number of bytes. This program would be most useful in looking for suspicious traffic or just getting a general idea of network traffic.

While trafshow can be run on a text-based terminal, it effectively takes over the display. It is best used in a separate window of a windowing system. There are a number of options, including support for packet filtering using the same filter format as tcpdump.

1.5.9. xplot

The xplot program is an X Windows plotting program. While it is a general purpose plotting program, it was written as part of a thesis project for TCP analysis by David Clark. As a result, some support for plotting TCP data (oriented toward network analysis) is included with the package. It is also used by tcptrace. While a powerful and useful program, it is not for the faint of heart. Due to the lack of documentation, the program is easiest to use with tcptrace rather than as a standalone program.

1.5.10. Other Packet Capture Programs

We have discussed tcpdump in detail because it is the most widely available packet capture program for Unix. Many implementations of Unix have proprietary packet capture programs that are comparable to tcpdump. For example, Sun Microsystems' Solaris provides snoop. (This is a replacement for etherfind, which was supplied with earlier versions of the Sun operating system.)

Here is an example of using snoop to capture five packets:

 sol1> snoop -c5
 Using device /dev/elxl (promiscuous mode)
 172.16.2.210 -> sol1         TELNET C port=28863
         sol1 -> 172.16.2.210 TELNET R port=28863 /dev/elxl (promiscuo
 172.16.2.210 -> sol1         TELNET C port=28863
 172.16.2.210 -> sloan.lander.edu TCP D=1071 S=22     Ack=143990 Seq=3737542069 Len=60 Win=17520
 sloan.lander.edu -> 172.16.2.210 TCP D=22 S=1071     Ack=3737542129 Seq=143990 Len=0 Win=7908
 snoop: 5 packets captured

As you can see, it is used pretty much the same way as tcpdump. (Actually, the output has a slightly more readable format.) snoop, like tcpdump, supports a wide range of options and filters. You should have no trouble learning snoop if you have ever used tcpdump.

Other systems will provide their own equivalents (for example, AIX provides iptrace ). While the syntax is different, these tools are used in much the same way.

Network Troubleshooting Tools - click to go to publisher's site

--
The next segment from Network Troubleshooting Tools will cover packet analyzers.

This article was originally published on Nov 20, 2001

jfreund@internet.com

Get the Latest Scoop with Networking Update Newsletter

Thanks for your registration, follow us on our social networks to keep up-to-date