FreeBSD Manual Pages
TCPVIEW(1)                  General Commands Manual                 TCPVIEW(1)

NAME
       tcpview - view network traffic

SYNOPSIS
       tcpview [ filename ] [ -display display ] [ -iconic ]

DESCRIPTION
       Tcpview can capture network traffic or read tcpdump and Sniffer data
       files.  Tcpview was derived from tcpdump and shares many
       characteristics with it.

       Under SunOS: You must be root to capture frames with tcpview or it
       must be installed setuid to root.

       Under Ultrix: Any user can capture frames with tcpview once the
       super-user has enabled promiscuous-mode operation using pfconfig(8).

       Under BSD: Access is controlled by the permissions on /dev/bpf0, etc.

OPTIONS
       filename
              Read in the tcpdump or Sniffer data file.

       -display
              Use display for output.

       -iconic
              Start with output window in iconic form.

DISPLAY FORMAT
       The main display is a window with three resizeable panes.

       The top pane contains a summary line describing each packet.  This
       line is identical to the output of tcpdump.  Selecting a line in the
       top pane activates the middle and bottom panes.

       The middle pane contains a detailed decoding of the selected frame.
       Information will only be included here if the appropriate protocol
       decoders are present.  If a line is selected in this pane, the
       corresponding line will be at the top of this pane for all subsequent
       frames decoded.

       The bottom pane is a hexdump of the entire frame.  Data will be
       highlighted when a line is selected in the middle pane.

FILE MENU
       Open will allow you to select a new data file to load.

       Save allows you to save the current data in tcpdump or Sniffer format.
       You have the choice of saving all the frames in the workspace or just
       the ones that are currently displayed.

       Print allows you to print the frames using the configured print
       command (see CONFIGURATION) or to a file.  You have the option of
       printing all the frames or just the ones currently displayed.  You can
       also choose between printing just the summary lines (tcpdump format)
       or the detailed decoding.

       Exit quits tcpview.

CAPTURE MENU
   Set Options
       Device Name
              Click on this to select the name of the device to use for
              capturing data.  The default will be the first network
              interface found or the one specified in the configuration
              options.

       Promiscuous Mode
              Determines if the interface is set to promiscuous mode or not.
              If promiscuous mode is not enabled, you will only be able to
              capture broadcasts and traffic addressed to the selected device
              (on some computers).

       Number of Frames
              Sets a limit on the number of frames that will be captured.
              Numbers <= 0 and invalid entries will reset the limit to
              Infinite.

       Time Limit
              Sets a limit on the number of seconds that data will be
              captured.  Numbers <= 0 and invalid entries will reset the
              limit to Infinite.

       Max Bytes Per Frame
              Sets the maximum number of bytes that will be captured per
              frame.  Sizes smaller than the minimum (normally 68) will not
              be accepted.

   GO
       GO starts the capture process.  One of three things can stop the
       capture.  The user can hit the Stop button that will appear, the
       maximum time can be reached, or the maximum number of packets to
       capture can be reached.

FILTER
       Edit Address Filter
              There are two address filters.  To activate one, click on the
              OFF button.  If both filters are activated, the second line
              toggle button will switch to AND.  Clicking it again will
              change it to OR.

              The filters can filter on either DLC or IP addresses.  To
              change the address, click on the button that says ANY.  A
              requester will appear asking for the new DLC or IP address.
              Use the address filter to select the DLC or IP addresses to
              apply to the current data or the data to be captured.
              Clicking on any of the buttons will either toggle the button's
              state or bring up a requester for new information.  Enter
              "ANY" or "ALL" (case is not important) to set a filter back to
              the ANY state.

              For numeric ethernet addresses, enter the address in hex
              format either starting with "0x" or as six bytes separated by
              colons (for example, 0x08202b000002 or 08:20:2b:00:00:02).
              For IP addresses, enter a name or a numeric address such as
              128.95.112.1.

       Protocol Filter
              Select the protocols you want to see.

       Port Filter
              If you use a port filter, all packets with that port as a
              source or destination will be selected.  You can enter either
              a port number or name.  If the port name cannot be found, the
              filter will be reset back to "ANY".

       Clear Filter
              The CLEAR FILTER button resets the filter back to its initial
              state.

       Apply To All will apply your filter to all the data in the tcpview
       workspace.  Selecting this with no filter will display all the
       frames.

       Apply to Current will apply your filter to only those frames in the
       summary window (top pane).

   Follow Stream
       To use this filter, first select (click on) a UDP or TCP packet in
       the summary window.  This filter will filter based on the source and
       destination addresses and ports and the protocol type.  It is only
       supported for TCP and UDP.

   STREAM OPTIONS
       Selecting unidirectional or bidirectional will determine if you see
       only traffic in one direction or both directions.

       TCP Options
              Assemble Out-Of-Order Packets.  This will attempt to
              reassemble the original data stream, correctly handling
              out-of-order packets and duplicates.  It will not be able to
              handle missing packets.

              Highlight Timeouts.  This is currently a very simplistic
              function that looks at the time between packets (delta time)
              and highlights any that exceed the selected interval.  This is
              mostly useful for spotting timeouts in large transfers.  You
              can change the timeout interval by clicking on the button in
              the next line.  Entering invalid times resets the timeout
              interval to 1 second.

       External Filter
              The external filter section allows you to do additional
              processing of TCP data.  Tcpview will reassemble the TCP
              stream then send the data (and optionally, the frame
              description) to an external filter, window, or file.  You can
              elect to see the data in either binary or hexdump format.
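
The two TCP Options above, sketched as an added example (this is not tcpview's own code): segments are ordered by sequence number relative to the start of the stream, duplicate bytes are dropped, reassembly stops at the first gap, and frames whose delta time exceeds the interval are flagged. The names Segment, reassemble, timeouts, FIRST_SEQ and CAPTURE are assumptions, and the capture is constructed.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Segment:
    ts: float    # capture time in seconds
    seq: int     # raw sequence number of the first payload byte
    data: bytes

def reassemble(segments, first_seq):
    """Rebuild one direction of a TCP stream from captured segments.

    Returns (stream, complete); complete is False when a missing
    segment leaves a gap, and the stream stops at that gap.
    """
    # Work in relative sequence numbers (offset from first_seq, mod 2**32).
    rel = lambda s: (s.seq - first_seq) % MOD
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: (rel(s), s.ts)):
        if rel(seg) > len(stream):
            return bytes(stream), False       # gap: a packet is missing
        already = len(stream) - rel(seg)      # bytes seen before (duplicate/overlap)
        if already < len(seg.data):
            stream += seg.data[already:]
    return bytes(stream), True

def timeouts(segments, interval=1.0):
    """Capture-order indices of frames whose delta time exceeds interval."""
    by_time = sorted(segments, key=lambda s: s.ts)
    return [i for i in range(1, len(by_time))
            if by_time[i].ts - by_time[i - 1].ts > interval]

# Constructed capture (not from a real trace); FIRST_SEQ chosen so numbers wrap.
FIRST_SEQ = 0xFFFFFFF8
CAPTURE = [
    Segment(0.00, FIRST_SEQ, b"GET /ind"),
    Segment(0.01, 0x00000008, b"HTTP/1.0"),   # arrives before the bytes preceding it
    Segment(0.02, 0x00000000, b"ex.html "),
    Segment(1.60, 0x00000000, b"ex.html "),   # retransmitted duplicate
    Segment(1.61, 0x00000010, b"\r\n\r\n"),
]

if __name__ == "__main__":
    print(reassemble(CAPTURE, FIRST_SEQ))
    print(timeouts(CAPTURE))
```
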

              External filters can be used to further decode protocols that
              use TCP as a transport layer.  Some sample filters are
              included with tcpview.

SUMMARY OPTIONS
   ADDRESS OPTIONS
       Name tells tcpview to use the name of a host rather than the address
       in the summary window.

       Number tells tcpview to use a host's IP or DLC number instead of its
       name.

       Use full domain name.  Selecting this will cause tcpview to display a
       host's full domain name in the summary line.  The default is to just
       display the local part of the name.

       Use manuf. name in DLC addresses.  When ethernet addresses are
       displayed, this will cause the first three bytes to be replaced by
       the ethernet manufacturer's name.  For example, Cisco_003462 instead
       of 00000c003462.

   TIME OPTIONS
       Absolute prints the frame arrival time in the format
       "hh:mm:ss.ssssss".

       Unix Timestamp prints the Unix timestamp, which is the number of
       seconds since 00:00:00 GMT, Jan. 1, 1970.

       Delta prints the number of seconds between frames.

       Relative prints the number of seconds from the first frame.

       None disables the printing of frame times.

   MISC OPTIONS
       Verbose.  (Slightly more) verbose output.  For example, the time to
       live and type of service information in an IP packet is printed.

       Brief.  Prints less protocol information.

       Display DLC header will display the DLC source, destination, and
       protocol type in the summary line.

       Use relative TCP sequence numbers will reset each TCP connection's
       sequence to 0 to make it easier to follow.

       Display line numbers will number the displayed frames for reference.

CONFIGURATION
       The location of configuration files and the initial values of many
       variables can be set in the Tcpview X resource file.  This should be
       located in the application defaults directory, usually
       /usr/lib/X11/app-defaults.  Users can keep their own copy in the
       directory named by the environment variable XAPPLRESDIR.  The sample
       resources file contains a description of the configuration variables.

       The configuration files are as follows:

       Resource name         Default
       Tcpview.hostnames:    /usr/local/lib/tcpview/ethers
       Tcpview.manuf:        /usr/local/lib/tcpview/manuf
       Tcpview.services:     /etc/services

       The hostnames file contains DLC-to-name mappings.  It is in the same
       format as Sniffer name files.  This allows you to share the same
       file.  A sample line is:

              station "akbar.cac" = addrtype"DLC" 08002b178d2c

       Only lines with addrtype"DLC" are used.

       The manuf file contains the information to associate certain ethernet
       manufacturers with the first three bytes of an ethernet address.
       This file is also in Sniffer format.  A sample file is included.  See
       ETHERNET VENDOR ADDRESS COMPONENTS in RFC1340 for more information.

       The services file is just a copy of the /etc/services file.  You may
       modify it to change the tcpview TCP or UDP service mappings without
       affecting the system you are using.

SEE ALSO
       tcpdump(1), nit(4P), bpf(4)

AUTHOR
       Martin Hunt (martinh@cac.washington.edu)
       University of Washington, Seattle, WA.

BUGS
       TCP and UDP checksums are not checked.

       Some errors will cause tcpview to exit.

                                  9 Nov 1992                        TCPVIEW(1)
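
An added example (not part of tcpview or its distribution) tying together the address forms accepted by Edit Address Filter, the hostnames file line shown under CONFIGURATION, and the manufacturer-name display. The function names, the two-hex-digits-per-byte rule, name lookup taking precedence over the manufacturer prefix, and the dict standing in for the manuf file are assumptions; the second hostnames line is constructed.

```python
import re

# One entry of the hostnames file: station "name" = addrtype"TYPE" hexaddress
STATION = re.compile(
    r'^\s*station\s+"([^"]+)"\s*=\s*addrtype\s*"([^"]+)"\s+([0-9A-Fa-f]+)\s*$')

def parse_dlc(entry):
    """Normalise a filter entry to 12 lowercase hex digits; None means ANY."""
    text = entry.strip()
    if text.upper() in ("ANY", "ALL"):
        return None
    if text.lower().startswith("0x"):
        digits = text[2:]
    else:
        parts = text.split(":")
        # Assumption: each colon-separated byte is written with two hex digits.
        if len(parts) != 6 or any(len(p) != 2 for p in parts):
            raise ValueError("not a DLC address: %r" % entry)
        digits = "".join(parts)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a DLC address: %r" % entry)
    return digits.lower()

def load_hostnames(text):
    """Map DLC address -> station name, skipping lines of any other addrtype."""
    names = {}
    for line in text.splitlines():
        m = STATION.match(line)
        if m and m.group(2) == "DLC" and len(m.group(3)) == 12:
            names[m.group(3).lower()] = m.group(1)
    return names

def summary_name(addr, names, manuf):
    """Station name if known, else manufacturer name plus the last three bytes."""
    if addr in names:
        return names[addr]
    prefix = manuf.get(addr[:6])
    return "%s_%s" % (prefix, addr[6:]) if prefix else addr

# First line is the page's sample; the second is constructed to show the DLC-only rule.
HOSTNAMES = '''station "akbar.cac" = addrtype"DLC" 08002b178d2c
station "example.cac" = addrtype"IP" 805f7001
'''
# Constructed stand-in for the manuf file, using the page's Cisco_003462 example.
MANUF = {"00000c": "Cisco"}
```
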
