As a system architect, you may need a tool beyond a simple "ping" to help you analyze the traffic on your network interface. A dump can be useful in tracking down abusive use of the system(s), crack attempts, or other performance issues. Tcpdump, a command line tool, will accomplish this quickly and easily. As shown in Figure A, the most basic usage simply requires you to call the program, and the dump will be displayed on stdout.
Figure A: Tcpdump displayed on stdout
In Figure A, note the extract of a browser session (note the "www"). I use sudo to be able to run the program as a normal user. Because of the nature of tcpdump, you'll need to run it as root, or use sudo to assume the root role for the duration of the command. As with most UNIX programs, man tcpdump will give you a rundown of all the various
Tcpdump output can be convoluted, but several wrappers are available that make it more manageable. For the remainder of the article, we'll examine some of these wrappers and look at the pros and cons of each. First, we'll examine two that are limited to text mode, which could be useful if you happen to be working at the command line or across a Secure Shell (SSH) connection to a
Sniff is a text mode wrapper around tcpdump. It color codes and formats the tcpdump output to make it a little more readable, as shown in Figure B. To try it, just untar the tar archive and run it. To see the options, type sniff -h. Because sniff calls tcpdump for you when it runs, all the tcpdump options need to come after the double dash (--). The -l /usr/local/sbin option tells sniff the path to tcpdump.
Sniff requires Perl, and as far as I can tell, the author does not offer the source for download, only Linux binaries. There is also no install program, so you must manually copy the binary to /usr/local/sbin or wherever you'd like it to reside. If binary-only distribution is an issue for you, you may want to try some of the other tcpdump wrappers. Aside from the colorization and a slight refinement of the output, sniff doesn't do much more than you can do with judicious use of tcpdump's command-line options.
Another basic filtering program is tcpdfilter. As shown in Figure C, the build routine is very straightforward.
Figure C: Tcpdfilter build routine
As shown in Figure D, you can just pipe the output of tcpdump straight through tcpdfilter.
Like sniff, tcpdfilter has some command-line options, but they are fairly limited. The -d, or decode, option is the most useful, because it adds a packet analysis to the output, as illustrated in Figure E.
Figure E: Packet analysis added to the output
Packet analysis, plus the availability of source code, makes me lean more toward tcpdfilter than sniff for text-based use.
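Both sniff and tcpdfilter are, at bottom, small programs that read tcpdump's text output line by line and reshape it. The following added example (my own code, not sniff, tcpdfilter, or anything shipped with tcpdump) shows the skeleton of such a wrapper: it parses each line into source, destination, port and TCP flags, tallies conversations, and points out hosts whose bare SYNs hit many different ports, the sort of pattern you would look for when tracking down the "crack attempts" mentioned at the top of the article. The sample tcpdump lines are constructed for the example, not captured from a real interface; the line format assumed is tcpdump's usual "timestamp IP src.port > dst.port: Flags [...]" layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of tcpdump's text output (not captured from a real
# interface): a normal three-way handshake to port 80, followed by one host
# sending lone SYNs to three different ports on the same server.
SAMPLE_TCPDUMP_OUTPUT = """\
12:00:01.000100 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [S], seq 100, win 5840, length 0
12:00:01.000300 IP 10.0.0.5.80 > 192.168.1.10.51234: Flags [S.], seq 200, ack 101, win 5792, length 0
12:00:01.000500 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [.], ack 1, win 5840, length 0
12:00:02.000000 IP 192.168.1.77.40000 > 10.0.0.5.22: Flags [S], seq 1, win 1024, length 0
12:00:02.000100 IP 192.168.1.77.40001 > 10.0.0.5.23: Flags [S], seq 1, win 1024, length 0
12:00:02.000200 IP 192.168.1.77.40002 > 10.0.0.5.25: Flags [S], seq 1, win 1024, length 0
"""

# One tcpdump line: timestamp, optional "IP"/"IP6" tag, src.port > dst.port: rest.
# \S+ is greedy, so "10.0.0.5.80" splits into host "10.0.0.5" and port "80".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?:IP6? )?"
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Split one tcpdump text line into its fields; return None for lines
    that are not TCP/UDP packet summaries (ARP, truncated lines, etc.)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fm = FLAGS_RE.search(fields["rest"])
    fields["flags"] = fm.group(1) if fm else ""
    return fields


def summarize(text):
    """Tally conversations and, per source host, the set of destination ports
    it sent a bare SYN to (no ACK bit), which is the pattern of a connect
    scan rather than of an established session."""
    conversations = Counter()
    syn_targets = defaultdict(set)
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        conversations[(p["src"], p["dst"], p["dport"])] += 1
        if p["flags"] == "S":          # SYN only; "S." is the SYN/ACK reply
            syn_targets[p["src"]].add(p["dport"])
    return {"conversations": conversations, "syn_targets": dict(syn_targets)}


def suspicious_sources(summary, min_ports=3):
    """Sources whose bare SYNs touched at least min_ports distinct ports."""
    return sorted(src for src, ports in summary["syn_targets"].items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    # Usage: sudo tcpdump -l -n | python wrapper.py   (falls back to the sample)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP_OUTPUT
    s = summarize(data)
    for (src, dst, dport), n in s["conversations"].most_common():
        print(f"{n:5d}  {src} -> {dst}:{dport}")
    for src in suspicious_sources(s):
        print(f"bare SYNs to {len(s['syn_targets'][src])} ports from {src}")
```

When piping a live capture in, give tcpdump the -l flag so it line-buffers its output; otherwise the wrapper sees nothing until tcpdump's buffer fills.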
If you prefer GUI tools for tcpdump output analysis, check out Netdude. In addition to the latest version of Netdude, you will need tcpdump and GTK, the GIMP toolkit, to build the GUI interface. As shown in Figure F, the build is similar to
It's important to note that you need to dump your logs from tcpdump using the -w option, as shown in Figure G, or Netdude will complain that the file is not a tcpdump save file. This output is not very readable, because it is raw binary, but Netdude can read it, letting you drill down to Ethernet, IP, and TCP information on each packet, as well as allowing you to
Figure G: The -w option in Netdude
Netdude combines the capabilities of tcpdump and tcpdfilter, and its GUI is easy to work with. Development has slowed a bit in recent months due to the author's other obligations, but the program is usable as it stands now. The TCP filter is shown in Figure H.
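To make the "raw binary" of a -w file less mysterious, here is an added example (my own code, not Netdude's or tcpdump's) of a minimal reader for the tcpdump save-file format: it checks the magic number at the start of the file, which is exactly the test behind Netdude's "not a tcpdump save file" complaint, walks the per-packet records, and decodes the Ethernet, IP, and TCP headers the way Netdude lets you drill down into them. Because there is no capture to read offline, the block constructs a one-packet save file in memory (a TCP SYN from a made-up 192.168.1.10 to 10.0.0.5 port 80); the file layout it assumes is the classic libpcap format that tcpdump -w writes: a 24-byte global header followed by 16-byte record headers, each with the captured frame.

```python
import struct

LINKTYPE_ETHERNET = 1  # the only link type this reader decodes
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
# Magic numbers at offset 0 of a libpcap save file, read as little-endian.
# The writing host's byte order is baked in, so both orders must be accepted;
# the 0x..3c4d variants mean the timestamp fraction is in nanoseconds.
PCAP_MAGICS = {0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),
               0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns")}


def mac(b):
    return ":".join("%02x" % x for x in b)


def decode_tcp(buf):
    if len(buf) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, window = struct.unpack_from("!HHIIHH", buf, 0)
    doff = (off_flags >> 12) * 4            # header length in bytes
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "payload_len": max(len(buf) - doff, 0)}


def decode_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", buf, 2)[0]
    ip = {"src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20])),
          "ttl": buf[8], "proto": buf[9], "header_len": ihl}
    return ip, buf[ihl:total_len]


def decode_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    pkt = {"eth": {"dst": mac(frame[:6]), "src": mac(frame[6:12]), "type": ethertype}}
    if ethertype != 0x0800:                 # only IPv4 is decoded further
        return pkt
    ip, payload = decode_ipv4(frame[14:])
    pkt["ip"] = ip
    if ip["proto"] == 6:
        pkt["tcp"] = decode_tcp(payload)
    return pkt


def parse_pcap(data):
    """Walk a save file held in memory and decode every record.
    Raises ValueError when the magic number is wrong, i.e. the same situation
    in which Netdude reports that the file is not a tcpdump save file."""
    if len(data) < 24:
        raise ValueError("not a tcpdump save file (too short)")
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a tcpdump save file (bad magic 0x%08x)" % magic)
    endian, ts_unit = PCAP_MAGICS[magic]
    _, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if incl_len > orig_len or off + incl_len > len(data):
            raise ValueError("truncated or corrupt packet record at offset %d" % (off - 16))
        pkt = decode_ethernet(data[off:off + incl_len])
        pkt.update(time=(ts_sec, ts_frac, ts_unit), captured=incl_len, on_wire=orig_len)
        packets.append(pkt)
        off += incl_len
    return packets


def one_line(pkt):
    """Render a packet in a tcpdump-like one-line form."""
    ip, tcp = pkt.get("ip"), pkt.get("tcp")
    if not ip or not tcp:
        return "%s > %s ethertype 0x%04x" % (pkt["eth"]["src"], pkt["eth"]["dst"], pkt["eth"]["type"])
    flags = "".join(f[0] for f in tcp["flags"]) or "."
    return "%s.%d > %s.%d: %s win %d" % (ip["src"], tcp["sport"], ip["dst"], tcp["dport"], flags, tcp["window"])


def build_sample_pcap(endian="<"):
    """Constructed one-packet save file (a TCP SYN) for running the reader offline."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 0, (5 << 12) | 0x02, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    frame = eth + ip + tcp
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack(endian + "IIII", 1_000_000_000, 0, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    import sys  # usage: python reader.py capture.pcap   (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for pkt in parse_pcap(data):
        print(one_line(pkt))
```

Feeding this reader tcpdump's text output instead of a -w file trips the magic-number check immediately, which is the same failure Netdude reports; keeping the text dump and the binary save file in separately named files avoids that confusion.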
Ethereal is an advanced sniffer in its own right, but it can also read dumps from tcpdump (see Figure I). Ethereal is available for both UNIX and Windows. Download the most recent
build process is the same as for the other wrappers: untar the source, configure, make, make install. Again, you should use tcpdump files created with the -w flag.
Like Netdude, Ethereal lets you look at an individual line and apply filters and a multitude of other options, such as sorting by packet number, time, source, destination, or protocol. This package is definitely the best-of-class of the various programs I looked at. If you have the luxury of being able to use a GUI for your analysis, I highly recommend
That sums up the functioning wrappers I found for tcpdump. I've covered everything from basic pipeline filters to fancy GUIs, along with some related packages. One of these or a combination should meet your needs when you're analyzing your network traffic.