C.5 tcpdump Program
An invaluable tool when working on network programming is
tcpdump. This program reads packets from a network interface and
prints information about each one. It can also be told to print only
those packets that match a filter expression we specify. For example,
% tcpdump '(udp and port daytime) or icmp'
prints only the UDP datagrams with a source or
destination port of 13 (the daytime server), or ICMP packets. The
following command:
% tcpdump 'tcp and port 80 and tcp[13:1] & 2 != 0'
prints only the TCP segments with a source or
destination port of 80 (the HTTP server) that have the SYN flag
set. The expression tcp[13:1] reads one byte at offset 13 from the
start of the TCP header, the flags byte, and the SYN flag has the
value 2 in that byte. (Newer versions of tcpdump also accept the
mnemonic form tcp[tcpflags] & tcp-syn != 0 for the same test, and
these byte-offset expressions apply only to IPv4 packets.) The
following command:
% tcpdump 'tcp and tcp[0:2] > 7000 and tcp[0:2] <= 7005'
prints only TCP segments with a source port
between 7001 and 7005. The source port starts at byte offset 0 in
the TCP header and occupies 2 bytes; a multibyte field such as
tcp[0:2] is read in network byte order.
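To show how the byte offsets in the three filters above map onto an actual packet, the following Python program is added here; it is not code from the book or from tcpdump. It builds a few constructed IPv4/TCP packets (no captured traffic) and evaluates the same predicates as the filters, locating the TCP header the way BPF does for tcp[off:size]: IHL*4 bytes into an IPv4 datagram, reading fields in network byte order. It additionally refuses to look inside a non-first IP fragment, which carries no TCP header at all. The packet builder and the sample packets are assumptions of this example; the filter semantics follow the text.

```python
"""Byte-offset TCP filters evaluated the way tcpdump's tcp[off:size] does.

Added example, not code from the book or from tcpdump.  Sample packets
below are constructed, not captured.
"""
import struct

IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10     # bit values in TCP byte 13


def build_ipv4_tcp(src_port, dst_port, flags, ip_options=b"", frag_offset=0):
    """Return a constructed IPv4 packet carrying a 20-byte TCP header.

    ip_options must be a multiple of 4 bytes (it changes the IHL field);
    frag_offset is in 8-byte units, non-zero for a non-first fragment.
    Checksums are left as zero; nothing here verifies them.
    """
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + 20, 0,
                         frag_offset & 0x1FFF, 64, IPPROTO_TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          5 << 4, flags, 65535, 0, 0)
    return ip_hdr + ip_options + tcp_hdr


def tcp_field(pkt, offset, size):
    """Value of tcp[offset:size]: an unsigned integer read in network byte
    order relative to the start of the TCP header, or None when there is
    no TCP header at that position (not IPv4, not TCP, a non-first
    fragment, or a truncated packet), in which case the filter rejects
    the packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                              # tcp[x] applies to IPv4 only
    if pkt[9] != IPPROTO_TCP:
        return None                              # IP protocol field is not TCP
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None                              # fragment offset != 0: no TCP header here
    start = (pkt[0] & 0x0F) * 4 + offset         # IHL * 4 skips IP header and options
    field = pkt[start:start + size]
    return int.from_bytes(field, "big") if len(field) == size else None


def tcp_port(pkt, port):
    """'tcp and port N': N is the source or the destination port."""
    return port in (tcp_field(pkt, 0, 2), tcp_field(pkt, 2, 2))


def http_syn(pkt):
    """tcp and port 80 and tcp[13:1] & 2 != 0"""
    flags = tcp_field(pkt, 13, 1)
    return flags is not None and tcp_port(pkt, 80) and flags & TCP_SYN != 0


def src_port_7001_7005(pkt):
    """tcp and tcp[0:2] > 7000 and tcp[0:2] <= 7005"""
    sport = tcp_field(pkt, 0, 2)
    return sport is not None and 7000 < sport <= 7005


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "syn to 80":          build_ipv4_tcp(40000, 80, TCP_SYN),
    "syn/ack from 80":    build_ipv4_tcp(80, 40000, TCP_SYN | TCP_ACK),
    "ack to 80":          build_ipv4_tcp(40000, 80, TCP_ACK),
    "syn to 80, IP opts": build_ipv4_tcp(40000, 80, TCP_SYN,
                                         ip_options=b"\x01\x01\x01\x01"),
    "syn to 80, frag 1":  build_ipv4_tcp(40000, 80, TCP_SYN, frag_offset=1),
    "src 7003":           build_ipv4_tcp(7003, 25, TCP_ACK),
    "src 7000":           build_ipv4_tcp(7000, 25, TCP_ACK),
    "src 7006":           build_ipv4_tcp(7006, 25, TCP_ACK),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} http_syn={str(http_syn(pkt)):5} "
              f"src_port_7001_7005={src_port_7001_7005(pkt)}")
```

The "IP opts" sample is the case worth watching: the flags byte is no longer at absolute offset 33, but because tcp[13:1] is relative to the TCP header (found through IHL), the filter still matches, exactly as tcpdump's would. The fragment sample shows the opposite situation, where a packet that is TCP at the IP layer still cannot be matched on TCP fields.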
Appendix A of TCPv1 describes the operation of
this program in more detail.
This program is available from http://www.tcpdump.org/
and works under many different flavors of Unix. It was originally
written by Van Jacobson, Craig Leres, and Steven McCanne at LBL,
and is now maintained by a team at tcpdump.org.
Some vendors supply a program of their own with
similar functionality. For example, Solaris 2.x provides the
snoop program. The advantage of tcpdump is that
it works under so many versions of Unix: in a heterogeneous
environment, using a single tool everywhere instead of a different
tool on each system is a big win.