TCPVIEW(1)
NAME
tcpview - view network traffic
SYNOPSIS
tcpview [ filename ] [ -display display ] [ -iconic ]
DESCRIPTION
Tcpview can capture network traffic or read tcpdump and Sniffer data
files. Tcpview was derived from tcpdump and shares many
characteristics with it.
Under SunOS: You must be root to capture frames with tcpview, or it
must be installed setuid to root.
Under Ultrix: Any user can capture frames with tcpview once the
super-user has enabled promiscuous-mode operation using pfconfig(8).
Under BSD: Access is controlled by the permissions on /dev/bpf0, etc.
OPTIONS
filename
Read in the tcpdump or Sniffer data file.
-display
Use display for output.
-iconic
Start with output window in iconic form.
DISPLAY FORMAT
The main display is a window with three resizeable panes. The top pane
contains a summary line describing each packet. This line is identical
to the output of tcpdump. Selecting a line in the top pane activates
the middle and bottom panes.
The middle pane contains a detailed decoding of the selected frame.
Information will only be included here if the appropriate protocol
decoders are present. If a line is selected in this pane, the
corresponding line will be at the top of this pane for all subsequent
frames decoded.
The bottom pane is a hexdump of the entire frame. Data will be
highlighted when a line is selected in the middle pane.
FILE MENU
Open will allow you to select a new data file to load.
Save allows you to save the current data in tcpdump or Sniffer format.
You have the choice of saving all the frames in the workspace or just
the ones that are currently displayed.
Print allows you to print the frames using the configured print command
(see CONFIGURATION) or to a file. You have the option of printing all
the frames or just the ones currently displayed. You can also choose
between printing just the summary lines (tcpdump format) or the
detailed decoding.
Exit quits tcpview.
CAPTURE MENU
Set Options
Device Name click on this to select the name of the device to
use for capturing data. The default will be the first network
interface found or the one specified in the configuration
options.
Promiscuous Mode determines if the interface is set to
promiscuous mode or not. If promiscuous mode is not enabled, you
will only be able to capture broadcasts and traffic addressed to
the selected device (on some computers).
Number of Frames sets a limit on the number of frames that will
be captured. Numbers <= 0 and invalid entries will reset the
limit to Infinite.
Time Limit sets a limit of the number of seconds that data will
be captured. Numbers <= 0 and invalid entries will reset the
limit to Infinite.
Max Bytes Per Frame sets the maximum number of bytes that will
be captured per frame. Sizes smaller than the minimum (normally
68) will not be accepted.
GO
GO starts the capture process. One of three things can stop the
capture. The user can hit the Stop button that will appear, the
maximum time can be reached, or the maximum number of packets to
capture can be reached.
FILTER
Edit
Address Filter
There are two address filters. To activate one, click on the
OFF button. If both filters are activated, the second line
toggle button will switch to AND. Clicking it again will change
it to OR.
The filters can filter on either DLC or IP addresses. To change
the address, click on the button that says ANY. A requester
will appear asking for the new DLC or IP address. Use the
address filter to select the DLC or IP addresses to apply to the
current data or the data to be captured. Clicking on any of the
buttons will either toggle the button's state or bring up a
requester for new information.
Enter "ANY" or "ALL" (case is not important) to set a filter
back to the ANY state. For numeric ethernet addresses, enter
the address in hex format either starting with "0x" or as six
bytes separated by colons (for example, 0x08202b000002 or
08:20:2b:00:00:02). For IP addresses, enter a name or a numeric
address such as 128.95.112.1.
Protocol Filter
Select the protocols you want to see.
Port Filter
If you use a port filter, all packets with that port as a source
or destination will be selected. You can enter either a port
number or name. If the port name cannot be found, the filter
will be reset back to "ANY".
Clear Filter
The CLEAR FILTER button resets the filter back to its initial
state.
Apply To All will apply your filter to all the data in the
tcpview workspace. Selecting this with no filter will display
all the frames.
Apply to Current will apply your filter to only those frames in
the summary window (top pane).
Follow Stream
To use this filter, first select (click on) a UDP or TCP packet in the
summary window. This filter will filter based on the source and
destination addresses and ports and the protocol type. It is only
supported for TCP and UDP.
STREAM OPTIONS
Selecting unidirectional or bidirectional will determine if you
see only traffic in one direction or both directions.
TCP Options
Assemble Out-Of-Order Packets. This will attempt to reassemble
the original data stream, correctly handling out-of-order
packets and duplicates. It will not be able to handle missing
packets.
Highlight Timeouts. This is currently a very simplistic
function that looks at the time between packets (delta time) and
highlights any that exceed the selected interval. This is
mostly useful for spotting timeouts in large transfers. You can
change the timeout interval by clicking on the button in the
next line. Entering invalid times resets the timeout interval
to 1 second.
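The two TCP options above, sketched as an added example (this is not tcpview's code). The segment tuple layout, the sample capture and the rule that a non-positive interval counts as invalid are assumptions made for illustration.

```python
"""TCP reassembly and delta-time highlighting (added example, not tcpview code)."""
from typing import List, Tuple

# (arrival time in seconds, TCP sequence number, payload), one direction only
Segment = Tuple[float, int, bytes]

# Constructed capture: one segment arrives early, one is retransmitted late.
CAPTURE: List[Segment] = [
    (0.00, 1000, b"GET /ind"),
    (0.02, 1016, b"HTTP/1.0\r\n"),   # out of order
    (0.03, 1008, b"ex.html "),
    (1.60, 1008, b"ex.html "),       # duplicate after a long pause
]

def reassemble(segments: List[Segment], first_seq: int) -> Tuple[bytes, bool]:
    """Rebuild the byte stream. Returns (data, complete); complete is False
    when a missing segment leaves a hole that stops reassembly."""
    def offset(seg: Segment) -> int:
        # Position relative to the first data byte; mod 2**32 handles wraparound.
        return (seg[1] - first_seq) & 0xFFFFFFFF

    stream = bytearray()
    for seg in sorted(segments, key=offset):  # stable sort keeps arrival order on ties
        off, payload = offset(seg), seg[2]
        if off > len(stream):
            return bytes(stream), False       # gap: cannot be filled
        # Keep bytes already assembled; append only what extends the stream.
        stream += payload[len(stream) - off:]
    return bytes(stream), True

def highlight_timeouts(segments: List[Segment], interval: float = 1.0) -> List[int]:
    """Indices (arrival order) of frames whose delta time exceeds interval."""
    if interval <= 0:
        interval = 1.0   # assumption: non-positive counts as invalid, reset to 1 s
    times = [seg[0] for seg in segments]
    return [i for i in range(1, len(times)) if times[i] - times[i - 1] > interval]

if __name__ == "__main__":
    print(reassemble(CAPTURE, first_seq=1000))
    print(highlight_timeouts(CAPTURE))
```

Retransmitted ranges with differing content are resolved here in favour of the bytes assembled first; the page does not say which copy tcpview keeps.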
External Filter
The external filter section allows you to do additional
processing of TCP data. Tcpview will reassemble the TCP stream then
send the data (and optionally, the frame description) to an
external filter, window, or file. You can elect to see the data
in either binary or hexdump format.
External filters can be used to further decode protocols that
use TCP as a transport layer. Some sample filters are included
with tcpview.
SUMMARY OPTIONS
ADDRESS OPTIONS
Name tells tcpview to use the name of a host rather than the
address in the summary window.
Number tells tcpview to use a host's IP or DLC number instead of
its name.
Use full domain name. Selecting this will cause tcpview to
display a host's full domain name in the summary line. The default
is to just display the local part of the name.
Use manuf. name in DLC addresses. When ethernet addresses are
displayed, this will cause the first three bytes to be replaced
by the ethernet manufacturer's name. For example, Cisco_003462
instead of 00000c003462.
TIME OPTIONS
Absolute prints the frame arrival time in the format
"hh:mm:ss.ssssss".
Unix Timestamp prints the Unix timestamp, which is the number of
seconds since 00:00:00 GMT, Jan. 1, 1970.
Delta prints the number of seconds between frames.
Relative prints the number of seconds from the first frame.
None disables the printing of frame times.
MISC OPTIONS
Verbose. (Slightly more) verbose output. For example, the time
to live and type of service information in an IP packet is
printed.
Brief. Prints less protocol information.
Display DLC header will display the DLC source, destination, and
protocol type in the summary line.
Use relative TCP sequence numbers will reset each TCP
connection's sequence to 0 to make it easier to follow.
Display line numbers will number the displayed frames for
reference.
CONFIGURATION
The location of configuration files and the initial values of many
variables can be set in the Tcpview X resource file. This should be
located in the application defaults directory, usually
/usr/lib/X11/app-defaults. Users can keep their own copy in the
directory named by the environment variable XAPPLRESDIR. The sample
resources file contains a description of the configuration variables.
The configuration files are as follows:
Resource name         Default
Tcpview.hostnames:    /usr/local/lib/tcpview/ethers
Tcpview.manuf:        /usr/local/lib/tcpview/manuf
Tcpview.services:     /etc/services
The hostnames file contains DLC-to-name mappings. It is in the
same format as Sniffer name files. This allows you to share the
same file. A sample line is:
station "akbar.cac" = addrtype"DLC" 08002b178d2c
Only lines with addrtype"DLC" are used.
The manuf file contains the information to associate certain
ethernet manufacturers with the first three bytes of an ethernet
address. This file is also in Sniffer format. A sample file is
included. See ETHERNET VENDOR ADDRESS COMPONENTS in RFC1340 for
more information.
The services file is just a copy of the /etc/services file. You
may modify it to change the tcpview TCP or UDP service mappings
without affecting the system you are using.
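An added example, not tcpview's code, tying together the address-filter entry formats, the hostnames file line format and the "Use manuf. name in DLC addresses" display described on this page. The second hostnames line, the in-memory vendor table (the manuf file layout is not shown here) and the name-before-vendor precedence are assumptions.

```python
"""DLC address parsing and name lookup (added example, not tcpview code)."""
import re
from typing import Dict, Iterable, Optional

# Sample line from the page plus one constructed non-DLC line.
HOSTNAMES_SAMPLE = [
    'station "akbar.cac" = addrtype"DLC" 08002b178d2c',
    'station "gw.cac" = addrtype"IP" 128.95.112.1',   # constructed; must be skipped
]
# Constructed stand-in for the manuf file, whose layout the page does not show.
MANUF_SAMPLE = {"00000c": "Cisco"}

STATION_RE = re.compile(r'^\s*station\s+"([^"]+)"\s*=\s*addrtype\s*"([^"]+)"\s+(\S+)\s*$')
HEX12_RE = re.compile(r"[0-9a-fA-F]{12}")

def parse_dlc(text: str) -> Optional[str]:
    """Normalise a filter entry to 12 lowercase hex digits; None means ANY."""
    text = text.strip()
    if text.upper() in ("ANY", "ALL"):          # case is not important
        return None
    if text.lower().startswith("0x"):
        digits = text[2:]
    else:
        parts = text.split(":")
        if len(parts) != 6 or any(len(p) != 2 for p in parts):
            raise ValueError(f"bad DLC address: {text!r}")
        digits = "".join(parts)
    if not HEX12_RE.fullmatch(digits):
        raise ValueError(f"bad DLC address: {text!r}")
    return digits.lower()

def load_hostnames(lines: Iterable[str]) -> Dict[str, str]:
    """Map DLC address -> station name, using only addrtype"DLC" lines."""
    names = {}
    for line in lines:
        m = STATION_RE.match(line)
        if m and m.group(2) == "DLC" and HEX12_RE.fullmatch(m.group(3)):
            names[m.group(3).lower()] = m.group(1)
    return names

def display_dlc(addr: str, names: Dict[str, str], manuf: Dict[str, str],
                use_manuf: bool = True) -> str:
    """Summary-line form: station name, else Vendor_xxxxxx, else raw hex.
    Preferring the station name over the vendor prefix is an assumption."""
    if addr in names:
        return names[addr]
    vendor = manuf.get(addr[:6]) if use_manuf else None
    return f"{vendor}_{addr[6:]}" if vendor else addr
```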
SEE ALSO
tcpdump(1), nit(4P), bpf(4)
AUTHOR
Martin Hunt (martinh@cac.washington.edu)
University of Washington, Seattle, WA.
BUGS
TCP and UDP checksums are not checked. Some errors will cause tcpview
to exit.
9 Nov 1992 TCPVIEW(1)