
Reading pcap files with tcpshow on Linux
March 4, 2011

Posted by Tournas Dimitrios in Linux admin tools.

tcpshow reads a pcap file created by utilities such as tcpdump, tshark or wireshark and prints the headers of the packets that match the boolean expression. Headers of the Ethernet, IP, ICMP, UDP and TCP protocols are decoded. It is an alternative to using tcpdump itself to decode the data; the primary advantage of tcpshow is its much nicer output formatting. For example, here is the tcpdump output for 3 packets:

On RedHat based distributions, tcpshow can be installed through yum if rpmforge is in the repository list.

The following options can be used in just about any combination:

-b  break long lines so they don't wrap
    This produces a neater, more readable display of the application data. The default width is 60 columns. See the -w flag for how to change this default.

    show line breaks
    When -b is used, it may be useful to see exactly where tcpshow wrapped each line in its display of application data. This option causes the string "<break>" to be displayed at the end of each wrapped line. (Lines which were not wrapped, but terminated before the page width, are not so marked.)

-w width  set pagewidth to width columns
    This determines where tcpshow will fold long lines when the -b switch is used.

    don't decode the link header
    The data link header (Ethernet header) is not decoded and displayed.

-noip  don't decode the IP header

    don't show the data
    The protocol data is not displayed (a count of data bytes is shown).

    track TCP sequence numbers
    An additional field is produced in the output which shows the TCP acknowledgement number which this side of the connection should receive once the current packet has been received by its peer.

    show the header decode in compact format
    Without this option, the display of the decoded header is verbose, occupying a lot of display-space real estate. With this option, the decoded header information is much more compact and terse. Once you're familiar with the meanings of the header fields, you'll probably always use this option. (Maybe this should be the default, with a -verbose flag to get long-winded header decodes?)

    also display a hex dump of spurious data at packet-end
    For a reason unknown to the author, tcpdump(1) output sometimes contains data at the end of packets which doesn't belong to those packets. This spurious data is suppressed from the output, except when this option is used.
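To make the header decoding that the options above refer to concrete, here is an added example (written for this post, not tcpshow's own code) of a minimal pcap reader that walks a classic pcap file, decodes the Ethernet, IPv4 and TCP/UDP/ICMP headers, and prints one compact line per packet in the spirit of the terse header decode. It also shows three of the ideas from the option list: the byte count reported instead of the payload, the "expected acknowledgement number" that sequence tracking derives from seq + data length (+1 for SYN and FIN), and the count of trailing bytes beyond the IP total length that tcpdump can show at packet-end (the Ethernet padding on short frames is the usual source). The capture is constructed inline from made-up documentation addresses (192.0.2.x, 198.51.100.x) so the script runs offline; field names such as expect_ack and trailer_len are this example's own choices.

```python
import struct
import socket

LINKTYPE_ETHERNET = 1
# Flag bit -> letter, in the order the letters are printed.
TCP_FLAG_NAMES = [(0x02, "S"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x01, "F"), (0x20, "U")]


def read_pcap(data: bytes):
    """Yield (timestamp, frame) for each record of a classic (non-pcapng) pcap buffer."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file (bad magic or short global header)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type (1) is decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:  # record claims more bytes than remain: truncated or corrupt file
            raise ValueError("truncated pcap record at offset %d" % off)
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def tcp_flag_str(flags: int) -> str:
    return "".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "-"


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP/UDP/ICMP headers into a dict (checksums are not verified)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:  # only IPv4 is decoded; anything else is left as a link-layer summary
        return info
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4 or (ip[0] & 0x0F) < 5:
        raise ValueError("short or non-IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=socket.inet_ntoa(ip[12:16]), dst_ip=socket.inet_ntoa(ip[16:20]), ttl=ip[8], proto=ip[9])
    info["trailer_len"] = max(0, len(ip) - total_len)  # bytes past the IP datagram (e.g. Ethernet padding)
    payload = ip[ihl:total_len]
    if info["proto"] == 6 and len(payload) >= 20:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x1FF
        data_len = len(payload) - (off_flags >> 12) * 4
        info.update(l4="TCP", sport=sport, dport=dport, seq=seq, ack=ack, flags=tcp_flag_str(flags), data_len=data_len)
        # Sequence tracking: the ack the peer should send back once this segment is received.
        info["expect_ack"] = (seq + data_len + bool(flags & 0x02) + bool(flags & 0x01)) & 0xFFFFFFFF
    elif info["proto"] == 17 and len(payload) >= 8:
        sport, dport, length = struct.unpack("!HHH", payload[:6])
        info.update(l4="UDP", sport=sport, dport=dport, data_len=length - 8)
    elif info["proto"] == 1 and len(payload) >= 8:
        info.update(l4="ICMP", icmp_type=payload[0], icmp_code=payload[1], data_len=len(payload) - 8)
    return info


def terse_line(n: int, info: dict) -> str:
    """One compact line per packet; the data itself is replaced by its byte count."""
    if "l4" not in info:
        return "%d ethertype=0x%04x (not decoded)" % (n, info["ethertype"])
    line = "%d %s -> %s %s" % (n, info["src_ip"], info["dst_ip"], info["l4"])
    if info["l4"] == "TCP":
        line += " %d>%d [%s] seq=%d ack=%d expect_ack=%d" % (
            info["sport"], info["dport"], info["flags"], info["seq"], info["ack"], info["expect_ack"])
    elif info["l4"] == "UDP":
        line += " %d>%d" % (info["sport"], info["dport"])
    else:
        line += " type=%d code=%d" % (info["icmp_type"], info["icmp_code"])
    line += " data=%d bytes" % info["data_len"]
    if info["trailer_len"]:
        line += " (+%d spurious bytes at packet-end)" % info["trailer_len"]
    return line


def decode_pcap(data: bytes) -> list:
    return [decode_frame(frame) for _, frame in read_pcap(data)]


# --- constructed sample capture (not a real trace) ---------------------------------
def _ipv4_frame(src_ip, dst_ip, proto, l4, pad=b""):
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4 + pad


def _tcp(sport, dport, seq, ack, flags, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + data


def build_sample_pcap() -> bytes:
    frames = [
        _ipv4_frame("192.0.2.10", "198.51.100.20", 6, _tcp(40000, 80, 1000, 0, 0x02), pad=b"\x00" * 6),
        _ipv4_frame("198.51.100.20", "192.0.2.10", 6, _tcp(80, 40000, 5000, 1001, 0x12)),
        _ipv4_frame("192.0.2.10", "198.51.100.20", 6, _tcp(40000, 80, 1001, 5001, 0x18, b"GET / HTTP/1.0\r\n")),
        _ipv4_frame("192.0.2.10", "192.0.2.53", 17, struct.pack("!HHHH", 53000, 53, 20, 0) + b"\x00" * 12),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1299196800 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    for n, info in enumerate(decode_pcap(build_sample_pcap()), 1):
        print(terse_line(n, info))
```

Run it as a script to see the four summary lines; to point it at a real capture, replace build_sample_pcap() with the bytes of a pcap file written by tcpdump -w (pcapng files from newer wireshark/tshark builds use a different container and are rejected by the magic check).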
