RE: http sniffer

Bruce Barnett (barnett@grymoire.crd.ge.com)
Thu, 27 May 1999 16:30:46 -0400 (EDT)

I wrote:

> It's called WinDump. See
>
> http://netgroup-serv.polito.it/analyzer/

"Krasinski, Linda M" <Linda.Krasinski@unisys.com> wrote:

> What does this do that Netmon does not do?
>
> This is an Italian web site and product and the user guide appears to be
> written in Italian.

TCPDUMP is a standard, public domain network sniffing tool that runs on UNIX.
Many researchers use it, and have tools to analyze the ASCII data it generates.

I'll try to give a summary of the UNIX version. I haven't been able to
get WINDUMP to work myself.

TCPDUMP generates (typically) a single line per packet, with all of the
critical information on that line. Here is the opening portion of an
rlogin from host rtsg to host csam.

rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

I like it because of the terse format, so I can see a lot of
information in a few lines. This also makes it easy to write parsers
for it, and data extraction programs. For instance, I wrote a program
in PERL that can examine a trace of a TCP-based file transfer, and
specify what percentage of the time was spent transmitting, waiting,
refilling buffers, timeouts, receive buffer filled, etc. It does this
by examining the delays between packets of a single session, analyzing
the advertised buffer space, detecting retransmission, etc.

TCPDUMP has a complete grammar, and allows you to capture data in a
file, and later extract the headers you are interested in. I've used it
to collect data from a 25 hour period, and analyzed information from an
847 Mbyte file, containing the headers of 8.6 million packets.

You can use commands like:

tcpdump host \( snoopy or host woodstock \) and \(proto tcp and src
port 1247 \) or \( proto udp and dst port 444 \)

Here are some other examples:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

to print IP broadcast or multicast packets that were not
sent via ethernet broadcast or multicast.

or

tcpdump 'gateway snup and (port ftp or ftp-data)'

to print all ftp traffic through internet gateway snup.

As you can imagine, it is very flexible, and useful in research.
It does not have any graphic output, but I find it easy to convert the
data I want into the numbers for the graphs using AWK or PERL.

Bruce Barnett
GE Corporate Research and Development Center
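The post says the one-line-per-packet format makes tcpdump traces easy to parse and describes a Perl program that spots retransmissions and watches the advertised window. The following is an added example, not Bruce's Perl program or anything shipped with tcpdump: a small Python parser for the classic tcpdump TCP summary line (`src > dst: flags seq:end(len) ack N win W urg U <options>`) that runs the rlogin trace quoted above through the same kinds of checks. The regular expression covers the field order shown in the trace; the second trace (hosts `a` and `b`) is constructed here purely to exercise the retransmission and zero-window detectors.

```python
"""Parse classic tcpdump TCP summary lines and run simple session checks."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the nine-line rlogin trace quoted in the post.
SAMPLE_TRACE = """\
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
"""

# Constructed sample (hypothetical hosts a and b): the same data segment sent
# twice, then a zero-byte receive window from the peer.
RETRANSMIT_TRACE = """\
a.1000 > b.80: P 1:101(100) ack 1 win 8192
a.1000 > b.80: P 1:101(100) ack 1 win 8192
b.80 > a.1000: . ack 101 win 0
"""

# Field order of the classic format: flags, data seqno, ack, window, urgent, options.
LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?\s*$"
)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str
    seq_start: Optional[int]
    seq_end: Optional[int]
    length: int
    ack: Optional[int]
    win: Optional[int]
    urg: Optional[int]
    options: str


def parse_line(line: str) -> Packet:
    """Turn one tcpdump summary line into a Packet; reject lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    g = m.groupdict()
    num = lambda v: int(v) if v is not None else None  # noqa: E731
    return Packet(g["src"], g["dst"], g["flags"], num(g["seq_start"]), num(g["seq_end"]),
                  int(g["length"] or 0), num(g["ack"]), num(g["win"]), num(g["urg"]),
                  g["opts"] or "")


def parse_trace(text: str) -> List[Packet]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_retransmissions(packets: List[Packet]) -> List[int]:
    """Indexes of data segments whose (direction, sequence range) was already seen."""
    seen, hits = set(), []
    for i, p in enumerate(packets):
        if p.length == 0:
            continue
        key = (p.src, p.dst, p.seq_start, p.seq_end)
        if key in seen:
            hits.append(i)
        seen.add(key)
    return hits


def zero_window_packets(packets: List[Packet]) -> List[int]:
    """Indexes of packets advertising a zero receive window (receiver buffer full)."""
    return [i for i, p in enumerate(packets) if p.win == 0]


def handshake_complete(packets: List[Packet]) -> bool:
    """True if a SYN, the reverse-direction SYN/ACK, and the initiator's ACK all appear."""
    for i, p in enumerate(packets):
        if "S" in p.flags and p.ack is None:  # client SYN (absolute seqno on first two lines)
            for j in range(i + 1, len(packets)):
                q = packets[j]
                if ("S" in q.flags and q.src == p.dst and q.dst == p.src
                        and q.ack == p.seq_end + 1):  # server SYN/ACK
                    return any("S" not in r.flags and r.ack is not None
                               and r.src == p.src and r.dst == p.dst
                               for r in packets[j + 1:])
            return False
    return False


def summarize(packets: List[Packet]) -> Dict[str, dict]:
    """Per-direction bytes carried, smallest advertised window, and urgent-data segments."""
    dirs: Dict[str, dict] = {}
    for p in packets:
        d = dirs.setdefault(f"{p.src} > {p.dst}", {"bytes": 0, "min_win": None, "urgent": 0})
        d["bytes"] += p.length
        if p.win is not None:
            d["min_win"] = p.win if d["min_win"] is None else min(d["min_win"], p.win)
        if p.urg is not None:
            d["urgent"] += 1
    return dirs


if __name__ == "__main__":
    for name, trace in (("rlogin", SAMPLE_TRACE), ("constructed", RETRANSMIT_TRACE)):
        pk = parse_trace(trace)
        print(name, summarize(pk), "retrans:", find_retransmissions(pk),
              "zero-win:", zero_window_packets(pk), "handshake:", handshake_complete(pk))
```

The parser keys retransmissions on the direction plus the printed sequence range, which works because tcpdump prints the range relative to the same initial sequence number for every later packet of a session; a trace captured with the `-S` option (absolute sequence numbers) parses the same way. The per-direction minimum window is the number the post refers to when it talks about analysing advertised buffer space.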