Reading pcap files with tcpshow on Linux March 4, 2011
Posted by tournasdimitrios1 in Linux admin tools.
tcpshow reads a pcap file created by utilities such as tcpdump, tshark or Wireshark and decodes the headers of the packets that match a boolean filter expression. The Ethernet, IP, ICMP, UDP and TCP headers are decoded. It is an alternative to letting tcpdump itself decode the data; the main advantage of tcpshow is its much more readable output formatting. For example, here is the tcpdump output for 3 packets:

On RedHat-based distributions, tcpshow can be installed with yum if the RPMforge repository is enabled.
The following options can be used in just about any combination:

-b          break long lines so they don't wrap
            This produces a neater, more readable display of the application data. The default width is 60 columns. See the -w flag for how to change this default.

-sb         show line breaks
            When -b is used, it may be useful to see exactly where tcpshow wrapped each line in its display of application data. This option causes the string "<break>" to be displayed at the end of each wrapped line. (Lines which were not wrapped, but terminated before the page width, are not so marked.)

-w width    set pagewidth to width columns
            This determines where tcpshow will fold long lines when the -b switch is used.

-nolink     don't decode the link header
            The data link header (Ethernet header) is not decoded and displayed.

-noip       don't decode the IP header

-nodata     don't show the data
            The protocol data is not displayed (a count of data bytes is shown).

-track      track TCP sequence numbers
            An additional field is produced in the output which shows the TCP acknowledgement number that this side of the connection should receive once the current packet has been received by its peer.

-terse      show the header decode in compact format
            Without this option, the display of the decoded header is verbose, occupying a lot of display-space real estate. With this option, the decoded header information is much more compact and terse. Once you're familiar with the meanings of the header fields, you'll probably always use this option. (Maybe this should be the default, with a -verbose flag to get long-winded header decodes?)

-s          also display a hex dump of spurious data at packet-end
            For a reason unknown to the author, tcpdump(1) output sometimes contains data at the end of packets which doesn't belong to those packets. This spurious data is suppressed from the output, except when this option is used.
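To make the decoded fields concrete, here is an added example that is not code from the original post and not part of tcpshow: a small Python script that walks a pcap file in memory, decodes the Ethernet, IPv4, ICMP, UDP and TCP headers that tcpshow handles, verifies the IP header checksum, and computes the "expected acknowledgement" field that -track adds (sequence number plus data length, plus one each for SYN and FIN). The pcap bytes, addresses, ports and sequence numbers are all constructed for the example; the terse_line() summary format is this script's own, not tcpshow's exact -terse layout.

```python
"""Decode Ethernet / IPv4 / ICMP / UDP / TCP headers from a pcap file in memory.

Added example, not tcpshow's code: the pcap below is constructed inline so the
script runs offline, and "expected_ack" mirrors the field tcpshow -track prints.
"""
import struct
from socket import inet_aton, inet_ntoa

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; call with the checksum field zeroed."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(proto, src, dst, l4, ident):
    """Constructed Ethernet + IPv4 (no options, valid checksum) around an L4 payload."""
    eth = bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ident, 0x4000, 64, proto, 0,
                     inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + l4


def tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    # TCP checksum left at zero: header decoding does not depend on it.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def pcap_file(frames):
    """Classic little-endian pcap (magic 0xa1b2c3d4), link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1299196800 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: TCP SYN, TCP data segment, a UDP datagram and an ICMP echo request.
SAMPLE_PCAP = pcap_file([
    build_frame(6, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 80, 1000, 0, 0x02), 1),
    build_frame(6, "10.0.0.1", "10.0.0.2", tcp_segment(40000, 80, 1001, 5000, 0x18, b"HELLO"), 2),
    build_frame(17, "10.0.0.1", "10.0.0.2", struct.pack("!HHHH", 53000, 53, 10, 0) + b"\x00\x01", 3),
    build_frame(1, "10.0.0.1", "10.0.0.2", struct.pack("!BBHHH", 8, 0, 0, 7, 1) + b"ping", 4),
])


def decode_packet(frame):
    """Return a dict of decoded headers plus the remaining application data."""
    pkt = {"eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                   "type": struct.unpack("!H", frame[12:14])[0]}}
    if pkt["eth"]["type"] != 0x0800:
        return pkt
    ip = frame[14:]
    ver_ihl, _tos, total, ident, _frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    pkt["ip"] = {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "ttl": ttl, "proto": proto, "id": ident,
                 # Recompute with the checksum field zeroed; a mismatch means a damaged capture.
                 "len": total, "checksum_ok": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum}
    l4 = ip[ihl:total]
    if proto == 6:
        sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", l4[:16])
        data = l4[(off >> 4) * 4:]
        pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                      "flags": [n for b, n in TCP_FLAGS.items() if flags & b],
                      # The -track field: the ACK the peer should send once it holds this segment.
                      # SYN and FIN each consume one sequence number in addition to the data.
                      "expected_ack": (seq + len(data) + bool(flags & 0x02) + bool(flags & 0x01)) & 0xFFFFFFFF}
    elif proto == 17:
        sport, dport, ulen, _ = struct.unpack("!HHHH", l4[:8])
        data = l4[8:ulen]
        pkt["udp"] = {"sport": sport, "dport": dport, "len": ulen}
    elif proto == 1:
        data = l4[8:]  # echo request/reply: type, code, checksum, id, seq, then payload
        pkt["icmp"] = {"type": l4[0], "code": l4[1]}
    else:
        data = l4
    pkt["data"] = data
    return pkt


def decode_pcap(blob):
    """Walk the pcap records, honouring either byte order of the magic number."""
    (magic,) = struct.unpack("<I", blob[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is decoded here")
    pkts, pos = [], 24
    while pos + 16 <= len(blob):
        _, _, incl, _ = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pkts.append(decode_packet(blob[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return pkts


def terse_line(p):
    """One-line summary in the spirit of tcpshow -terse -nodata (this script's own format)."""
    ip = p["ip"]
    if "tcp" in p:
        t = p["tcp"]
        return "TCP %s:%d > %s:%d %s seq=%d ack=%d expecting ack=%d (%d data bytes)" % (
            ip["src"], t["sport"], ip["dst"], t["dport"], "|".join(t["flags"]) or "-",
            t["seq"], t["ack"], t["expected_ack"], len(p["data"]))
    if "udp" in p:
        return "UDP %s:%d > %s:%d (%d data bytes)" % (ip["src"], p["udp"]["sport"], ip["dst"], p["udp"]["dport"], len(p["data"]))
    if "icmp" in p:
        return "ICMP %s > %s type=%d code=%d" % (ip["src"], ip["dst"], p["icmp"]["type"], p["icmp"]["code"])
    return "IP %s > %s proto=%d" % (ip["src"], ip["dst"], ip["proto"])


if __name__ == "__main__":
    for pkt in decode_pcap(SAMPLE_PCAP):
        print(terse_line(pkt))
```

Running the script prints one summary line per packet; the SYN segment shows "expecting ack=1001" and the five-byte data segment "expecting ack=1006", which is exactly the bookkeeping the -track option adds to tcpshow's output. To use it on a real capture, replace SAMPLE_PCAP with the contents of a file written by tcpdump -w; pcapng files, which newer Wireshark and tshark versions write by default, use a different container and are rejected by the magic-number check.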