TCPDUMP 4.x.y by The Tcpdump Group

To report a security issue please send an e-mail to security@tcpdump.org.

To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the guidelines for contributing in the tcpdump source tree root.

Anonymous Git is available via

https://github.com/the-tcpdump-group/tcpdump.git

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the change log). We are grateful for all the input.

Supported platforms

In many operating systems tcpdump is available as a native package or port, which simplifies installation of updates and long-term maintenance. However, the native packages are sometimes a few versions behind and to try a more recent snapshot it will take to compile tcpdump from the source code.

tcpdump compiles and works on at least the following platforms:

• AIX
• DragonFly BSD
• FreeBSD
• Haiku
• HP-UX 11i
• illumos (OmniOS, OpenIndiana)
• GNU/Hurd
• GNU/Linux
• {Mac} OS X / macOS
• NetBSD
• OpenBSD
• Solaris
• Windows (requires WinPcap or Npcap, and Visual Studio with CMake)

In the past tcpdump certainly or likely worked on the following platforms:

• 4.3BSD
• BSD/386, later BSD/OS
• DEC OSF/1, later Digital UNIX, later Tru64 UNIX
• DOS
• IRIX
• LynxOS
• QNX
• SINIX
• SunOS
• Ultrix
• UnixWare

Dependency on libpcap

tcpdump uses libpcap, a system-independent interface for user-level packet capture. If your operating system does not provide libpcap, or if it provides a libpcap that does not support the APIs from libpcap 1.0 or later, you must first retrieve and build libpcap before building tcpdump,

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the installation notes.

Origins of tcpdump

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve TCP and Internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To insure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

formerly from	Lawrence Berkeley National Laboratory
		Network Research Group <tcpdump@ee.lbl.gov>
		ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

See also

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Another tool that tcpdump users might find useful is tcpslice. It is a program that can be used to extract portions of tcpdump binary trace files.

The original LBL README by Steve McCanne, Craig Leres and Van Jacobson

This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609