.\" @(#) $Header: tcpdump.1,v 1.40 92/01/29 16:56:02 mccanne Exp $ (UW)
.\"
.TH TCPVIEW 1 "9 Nov 1992"
.SH NAME
tcpview \- view network traffic
.SH SYNOPSIS
.na
.B tcpview
[
.I filename
]
[
.B \-display
.I display
]
[
.B \-iconic
]
.br
.ad
.SH DESCRIPTION
.PP
\fITcpview\fP can capture network traffic or read \fItcpdump\fP and
\fISniffer\fP data files.
\fITcpview\fP was derived from \fItcpdump\fP and shares many
characteristics with it.
.PP
.B Under SunOS:
You must be root to capture frames with \fItcpview\fP, or it must be
installed setuid to root.
.PP
.B Under Ultrix:
Any user can capture frames with \fItcpview\fP once the super-user has
enabled promiscuous-mode operation using
.IR pfconfig (8).
.PP
.B Under BSD:
Access is controlled by the permissions on
.I /dev/bpf0,
etc.
.SH OPTIONS
.TP
.I filename
Read in the \fItcpdump\fP or \fISniffer\fP data file.
.TP
.B \-display
Use \fIdisplay\fP for output.
.TP
.B \-iconic
Start with the output window in iconic form.
.SH DISPLAY FORMAT
.PP
The main display is a window with three resizable panes.
The top pane contains a summary line describing each packet.
This line is identical to the output of \fItcpdump\fP.
Selecting a line in the top pane activates the middle and bottom panes.
.PP
The middle pane contains a detailed decoding of the selected frame.
Information will only be included here if the appropriate protocol
decoders are present.
If a line is selected in this pane, the corresponding line will be at
the top of this pane for all subsequent frames decoded.
.PP
The bottom pane is a hexdump of the entire frame.
Data will be highlighted when a line is selected in the middle pane.
.SH FILE MENU
.PP
\fIOpen\fP will allow you to select a new data file to load.
.PP
\fISave\fP allows you to save the current data in \fItcpdump\fP or
\fISniffer\fP format.
You have the choice of saving all the frames in the workspace or just
the ones that are currently displayed.
.PP
\fIPrint\fP allows you to print the frames using the configured print
command (see \fICONFIGURATION\fP) or to a file.
You have the option of printing all the frames or just the ones
currently displayed.
You can also choose between printing just the summary lines
(\fItcpdump\fP format) or the detailed decoding.
.PP
\fIExit\fP quits \fItcpview\fP.
.SH CAPTURE MENU
.SS Set Options
.RS
\fIDevice Name\fP: click on this to select the name of the device to
use for capturing data.
The default will be the first network interface found or the one
specified in the configuration options.
.PP
\fIPromiscuous Mode\fP determines whether the interface is set to
promiscuous mode or not.
If promiscuous mode is not enabled, you will only be able to capture
broadcasts and traffic addressed to the selected device (on some
computers).
.PP
\fINumber of Frames\fP sets a limit on the number of frames that will
be captured.
Numbers <= 0 and invalid entries will reset the limit to \fIInfinite\fP.
.PP
\fITime Limit\fP sets a limit on the number of seconds that data will
be captured.
Numbers <= 0 and invalid entries will reset the limit to \fIInfinite\fP.
.PP
\fIMax Bytes Per Frame\fP sets the maximum number of bytes that will be
captured per frame.
Sizes smaller than the minimum (normally 68) will not be accepted.
.RE
.SS GO
.RS
\fIGO\fP starts the capture process.
One of three things can stop the capture: the user can hit the
\fIStop\fP button that will appear, the maximum time can be reached,
or the maximum number of packets to capture can be reached.
.RE
.SH FILTER
.SS Edit
.RS
.SS "Address Filter"
.RS
There are two address filters.
To activate one, click on the \fIOFF\fP button.
If both filters are activated, the second line toggle button will switch
to \fIAND\fP.
Clicking it again will change it to \fIOR\fP.
.PP
The filters can filter on either DLC or IP addresses.
To change the address, click on the button that says \fIANY\fP.
A requester will appear asking for the new DLC or IP address.
.PP
Use the address filter to select the DLC or IP addresses to apply to the
current data or the data to be captured.
Clicking on any of the buttons will either toggle the button's state or
bring up a requester for new information.
.PP
Enter "ANY" or "ALL" (case is not important) to set a filter back to the
\fIANY\fP state.
For numeric ethernet addresses, enter the address in hex format either
starting with "0x" or as six bytes separated by colons (for example,
0x08202b000002 or 08:20:2b:00:00:02).
For IP addresses, enter a name or a numeric address such as
128.95.112.1.
.RE
.SS "Protocol Filter"
.RS
Select the protocols you want to see.
.RE
.SS "Port Filter"
.RS
If you use a port filter, all packets with that port as a source or
destination will be selected.
You can enter either a port number or name.
If the port name cannot be found, the filter will be reset back to
"ANY".
.RE
.SS "Clear Filter"
.RS
The \fICLEAR FILTER\fP button resets the filter back to its initial
state.
.PP
\fIApply To All\fP will apply your filter to all the data in the
\fItcpview\fP workspace.
Selecting this with no filter will display all the frames.
.PP
\fIApply to Current\fP will apply your filter to only those frames in
the summary window (top pane).
.RE
.RE
.SS "Follow Stream"
.RS
To use this filter, first select (click on) a UDP or TCP packet in the
summary window.
This filter will filter based on the source and destination addresses
and ports and the protocol type.
It is only supported for TCP and UDP.
.RE
.SS "STREAM OPTIONS"
.RS
Selecting \fIunidirectional\fP or \fIbidirectional\fP determines whether
you see only traffic in one direction or in both directions.
.RE
.SS "TCP Options"
.RS
\fIAssemble Out-Of-Order Packets\fP.
This will attempt to reassemble the original data stream, correctly
handling out-of-order packets and duplicates.
It will not be able to handle missing packets.
.PP
\fIHighlight Timeouts\fP.
This is currently a very simplistic function that looks at the time
between packets (delta time) and highlights any that exceed the selected
interval.
This is mostly useful for spotting timeouts in large transfers.
You can change the timeout interval by clicking on the button in the
next line.
Entering invalid times resets the timeout interval to 1 second.
.RE
.SS "External Filter"
.RS
The external filter section allows you to do additional processing of
TCP data.
\fITcpview\fP will reassemble the TCP stream, then send the data (and
optionally, the frame description) to an external filter, window, or
file.
You can elect to see the data in either binary or hexdump format.
.PP
External filters can be used to further decode protocols that use TCP
as a transport layer.
Some sample filters are included with \fItcpview\fP.
.RE
.SH "SUMMARY OPTIONS"
.SS "ADDRESS OPTIONS"
.RS
\fIName\fP tells \fItcpview\fP to use the name of a host rather than the
address in the summary window.
.PP
\fINumber\fP tells \fItcpview\fP to use a host's IP or DLC number
instead of its name.
.PP
\fIUse full domain name\fP.
Selecting this will cause \fItcpview\fP to display a host's full domain
name in the summary line.
The default is to display just the local part of the name.
.PP
\fIUse manuf. name in DLC addresses\fP.
When ethernet addresses are displayed, this will cause the first three
bytes to be replaced by the ethernet manufacturer's name.
For example, Cisco_003462 instead of 00000c003462.
.RE
.SS "TIME OPTIONS"
.RS
\fIAbsolute\fP prints the frame arrival time in the format
"hh:mm:ss.ssssss".
.PP
\fIUnix Timestamp\fP prints the Unix timestamp, which is the number of
seconds since 00:00:00 GMT, Jan. 1, 1970.
.PP
\fIDelta\fP prints the number of seconds between frames.
.PP
\fIRelative\fP prints the number of seconds from the first frame.
.PP
\fINone\fP disables the printing of frame times.
.RE
.SS "MISC OPTIONS"
.RS
\fIVerbose\fP.
(Slightly more) verbose output.
For example, the time to live and type of service information in an IP
packet is printed.
.PP
\fIBrief\fP.
Prints less protocol information.
.PP
\fIDisplay DLC header\fP will display the DLC source, destination, and
protocol type in the summary line.
.PP
\fIUse relative TCP sequence numbers\fP will reset each TCP connection's
sequence to 0 to make it easier to follow.
.PP
\fIDisplay line numbers\fP will number the displayed frames for
reference.
.RE
.SH CONFIGURATION
.PP
The location of configuration files and the initial values of many
variables can be set in the \fITcpview\fP X resource file.
This should be located in the application defaults directory, usually
/usr/lib/X11/app-defaults.
Users can keep their own copy in the directory named by the environment
variable XAPPLRESDIR.
The sample resources file contains a description of the configuration
variables.
The configuration files are as follows:
.PP
.RS
\fIResource name\fP	\fIDefault\fP
.br
Tcpview.hostnames:	/usr/local/lib/tcpview/ethers
.br
Tcpview.manuf:	/usr/local/lib/tcpview/manuf
.br
Tcpview.services:	/etc/services
.RE
.PP
The hostnames file contains DLC-to-name mappings.
It is in the same format as \fISniffer\fP name files, which allows you
to share the same file.
A sample line is:
.br
station "akbar.cac" = addrtype"DLC" 08002b178d2c
.br
Only lines with addrtype"DLC" are used.
.PP
The manuf file contains the information to associate certain ethernet
manufacturers with the first three bytes of an ethernet address.
This file is also in \fISniffer\fP format.
A sample file is included.
See \fIETHERNET VENDOR ADDRESS COMPONENTS\fP in RFC1340 for more
information.
.PP
The services file is just a copy of the /etc/services file.
You may modify it to change the \fItcpview\fP TCP or UDP service
mappings without affecting the system you are using.
.SH "SEE ALSO"
tcpdump(1), nit(4P), bpf(4)
.SH AUTHOR
Martin Hunt (martinh@cac.washington.edu)
.PP
University of Washington, Seattle, WA.
.SH BUGS
TCP and UDP checksums are not checked.
Some errors will cause \fItcpview\fP to exit.
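.SH EXAMPLE
.PP
The following Python code is an added illustration and is not part of \fItcpview\fP: it parses the two ethernet address forms the address filter accepts (0x-prefixed or colon-separated), loads only the addrtype"DLC" lines of a \fISniffer\fP-format hostnames file, and renders a DLC address the way the summary line does under \fIName\fP or \fIUse manuf. name in DLC addresses\fP. The hostnames text and manufacturer table below are constructed samples, not the files shipped with the program.

```python
import re

# Constructed sample in Sniffer hostnames-file format (the man page
# states that only addrtype"DLC" lines are used; the IP line is ignored).
HOSTNAMES_SAMPLE = '''\
station "akbar.cac" = addrtype"DLC" 08002b178d2c
station "gw.cac" = addrtype"IP" 128.95.112.1
'''

# Constructed manuf-style table: first three address bytes -> vendor name.
MANUF_SAMPLE = {"00000c": "Cisco", "08002b": "DEC"}

_DLC_LINE = re.compile(
    r'^station\s+"([^"]+)"\s*=\s*addrtype\s*"DLC"\s+([0-9a-fA-F]{12})\s*$')


def parse_ether(text):
    """Normalise an address-filter entry to 12 lowercase hex digits.

    Accepts 0x08202b000002 or 08:20:2b:00:00:02.  Returns None for
    "ANY"/"ALL" or anything malformed, which the filter treats as ANY.
    """
    s = text.strip().lower()
    if s in ("any", "all"):
        return None
    if s.startswith("0x"):
        digits = s[2:]
    elif s.count(":") == 5:
        parts = s.split(":")
        if not all(1 <= len(p) <= 2 for p in parts):
            return None
        digits = "".join(p.zfill(2) for p in parts)  # allow "8:0:2b:..."
    else:
        return None
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def load_hostnames(text):
    """Return {dlc_address: name} from the DLC lines of a hostnames file."""
    names = {}
    for line in text.splitlines():
        m = _DLC_LINE.match(line.strip())
        if m:
            names[m.group(2).lower()] = m.group(1)
    return names


def format_dlc(addr, names=None, use_name=False, manuf=None):
    """Render a DLC address for the summary line: name, vendor_rest, or raw."""
    if use_name and names and addr in names:
        return names[addr]
    if manuf and addr[:6] in manuf:
        return f"{manuf[addr[:6]]}_{addr[6:]}"   # e.g. Cisco_003462
    return addr
```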