The Linux Programming Interface

Sockets: Advanced Topics 1277

and destination IP address and port number, and a range of other criteria. Full
details are provided in the tcpdump manual page.


The wireshark (formerly ethereal; http://www.wireshark.org/) program performs a
similar task to tcpdump, but displays traffic information via a graphical interface.

For each TCP segment, tcpdump displays a line of the following form:


src > dst: flags data-seqno ack window urg options


These fields have the following meanings:


• src: This is the source IP address and port.

• dst: This is the destination IP address and port.

• flags: This field contains zero or more of the following letters, each of which
corresponds to one of the TCP control bits described in Section 61.6.1: S (SYN),
F (FIN), P (PSH), R (RST), E (ECE), and C (CWR).

• data-seqno: This is the range of the sequence-number space covered by the bytes
in this packet.
By default, the sequence-number range is displayed relative to the first byte
monitored for this direction of the data stream. The tcpdump -S option causes
sequence numbers to be displayed in absolute format.

• ack: This is a string of the form “ack num” indicating the sequence number of
the next byte expected from the other direction on this connection.

• window: This is a string of the form “win num” indicating the number of bytes of
receive buffer space available for transmission in the opposite direction on this
connection.

• urg: This is a string of the form “urg num” indicating that this segment contains
urgent data at the specified offset within the segment.

• options: This string describes any TCP options contained in the segment.


The src, dst, and flags fields always appear. The remaining fields are displayed only if
appropriate.
The shell session below shows how tcpdump can be used to monitor the traffic
between a client (running on the host pukaki) and a server (running on tekapo). In
this shell session, we use two tcpdump options that make the output less verbose.
The -t option suppresses the display of timestamp information. The -N option
causes hostnames to be displayed without a qualifying domain name. Furthermore,
for brevity, and because we don’t describe the details of TCP options, we have
removed the options fields from the lines of tcpdump output.
The server operates on port 55555, so our tcpdump command selects traffic for
that port. The output shows the three segments exchanged during connection
establishment:


$ tcpdump -t -N 'port 55555'
IP pukaki.60391 > tekapo.55555: S 3412991013:3412991013(0) win 5840
IP tekapo.55555 > pukaki.60391: S 1149562427:1149562427(0) ack 3412991014 win 5792
IP pukaki.60391 > tekapo.55555: . ack 1 win 5840
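As an added example (not code from the book), the following Python parser reads tcpdump lines in the src > dst: flags data-seqno ack window urg shape described above and checks that the captured segments form a complete three-way handshake. The sample input is the three-line session shown above (options field already stripped); the function names parse_line, parse_session and is_three_way_handshake are assumptions for this example, and the regular expression follows the classic output format of the book, not the "Flags [S]" style of newer tcpdump releases.

```python
import re

# Three lines from the tcpdump session above, reused here as test input.
SAMPLE = """\
IP pukaki.60391 > tekapo.55555: S 3412991013:3412991013(0) win 5840
IP tekapo.55555 > pukaki.60391: S 1149562427:1149562427(0) ack 3412991014 win 5792
IP pukaki.60391 > tekapo.55555: . ack 1 win 5840
"""

# src > dst: flags data-seqno ack window urg  (each trailing field optional).
# "." in the flags field means "no control bits set" in this output format.
LINE_RE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPREC.]+)"
    r"(?: (?P<seq_lo>\d+):(?P<seq_hi>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
)


def parse_line(line):
    """Return a dict of the fields of one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {"src": d["src"], "dst": d["dst"], "flags": set(d["flags"]) - {"."}}
    for key in ("seq_lo", "seq_hi", "len", "ack", "win", "urg"):
        rec[key] = int(d[key]) if d[key] is not None else None
    return rec


def parse_session(text):
    """Parse every line of a tcpdump session, skipping lines that are not TCP segments."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def is_three_way_handshake(records):
    """True if the first three records are SYN, SYN+ACK and the final ACK of one connection.

    On SYN segments tcpdump prints absolute initial sequence numbers, while later
    segments are relative unless -S is given, so the final ACK may be 1 (relative)
    or the server's ISN + 1 (absolute); both are accepted.
    """
    if len(records) < 3:
        return False
    syn, synack, ack = records[:3]
    return (syn["flags"] == {"S"} and syn["ack"] is None
            and synack["flags"] == {"S"}
            and synack["src"] == syn["dst"] and synack["dst"] == syn["src"]
            and synack["ack"] == syn["seq_lo"] + 1
            and ack["flags"] == set()
            and ack["src"] == syn["src"] and ack["dst"] == syn["dst"]
            and ack["ack"] in (1, synack["seq_lo"] + 1))
```

Running parse_session over the output of tcpdump -t -N on a real capture gives the same records, so the handshake check can be applied to any connection selected by the filter expression.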