|Read in the tcpdump or Sniffer data file.|
|-display||Use display for output.|
|-iconic||Start with output window in iconic form.|
The main display is a window with three resizeable panes. The top pane contains a summary line describing each packet. This line is identical to the output of tcpdump. Selecting a line in the top pane activates the middle and bottom panes.
The middle pane contains a detailed decoding of the selected frame. Information will only be included here if the appropriate protocol decoders are present. If a line is selected in this pane, the corresponding line will be at the top of this pane for all subsequent frames decoded.
The bottom pane is a hexdump of the entire frame. Data will be highlighted when a line is selected in the middle pane.
Open will allow you to select a new data file to load.
Save allows you to save the current data in tcpdump or Sniffer format. You have the choice of saving all the frames in the workspace or just the ones that are currently displayed.
Print allows you to print the frames using the configured print command (see CONFIGURATION) or to a file. You have the option of printing all the frames or just the ones currently displayed. You can also choose between printing just the summary lines (tcpdump format) or the detailed decoding.
Exit quits tcpview.
Device Name click on this to select the name of the device to use for capturing data. The default will be the first network interface found or the one specified in the configuration options.
Promiscuous Mode determines if the interface is set to promiscuous mode or not. If promiscuous mode is not enabled, you will only be able to capture braodcasts and traffic addressed to the selected device (on some computers).
Number of Frames sets a limit on the number of frames that will be captured. Numbers <= 0 and invalid entries will reset the limit to Infinite.
Time Limit sets a limit of the number of seconds that data will be captured. Numbers <= 0 and invalid entries will reset the limit to Infinite.
Max Bytes Per Frame sets the maximum number of bytes that will be captured per frame. Sizes smaller than the minimum (normally 68) will not be accepted.
GO starts the capture process. One of three things can stop the capture. The user can hit the Stop button that will appear, the maximum time can be reached, or the maximum number of packets to capture can be reached.
There are two address filters. To activate one, click on the OFF button. If both filters are activated, the second line toggle button will switch to AND. Clicking it again will change it to OR.
The filters can filter on either DLC or IP addresses. To change the address, click on the button that says ANY. A requester will appear asking for the new DLC or IP address. Use the address filter to select the DLC or IP addresses to apply to the current data or the data to be captured. Clicking on any of the buttons will either toggle the buttons state or bring up a requester for new information.
Enter "ANY" or "ALL" (case is not important) to set a filter back to the ANY state. For numeric ethernet addresses, enter the address in hex format either starting with "0x" or as six bytes separated by colons (for example, 0x08202b000002 or 08:20:2b:00:00:02). For IP addresses, enter a name or a numeric address such as 126.96.36.199.
Select the protocols you want to see.
If you use a port filter, all packets with that port as a source or destination will be selected. You can enter either a port number or name. If the port name cannot be found, the filter will be reset back to "ANY".
The CLEAR FILTER button resets the filter back to its initial state.
Apply To All will apply your filter to all the data in the tcpview workspace. Selecting this with no filter will display all the frames.
Apply to Current will apply your filter to only those frames in the summary window (top pane).
To use this filter, first select (click on) a UDP or TCP packet in the summary window. This filter will filter based on the source and destination addresses and ports and the protocol type. It is only supported for TCP and UDP.
Selecting unidirectional or bidirectional will determine if you see only traffic in one direction or both directions.
Assemble Out-Of-Order Packets. This will attempt to reassemble the original data stream, correctly handling out-of-order packets and duplicates. It will not be able to handle missing packets.
Highlight Timeouts. This is currently a very simplistic function that looks at the time between packets (delta time) and highlights any that exceed the selected interval. This is mostly useful for spotting timeouts in large transfers. You can change the timeout interval by clicking on the button in the next line. Entering invalid times resets the timeout interval to 1 second.
The external filter section allows you to do additional processing of TCP data. Tcpview will reassemble the TCP stream then send the data (and optionally, the frame description) to an external filter, window, or file. You can elect to see the data in either binary or hexdump format.
External filters can be used to further decode protocols that use TCP as a transport layer. Some sample filters are included with tcpview.
Name tells tcpview to use the name of a host rather than the address in the summary window.
Number tells tcpview to use a hosts IP or DLC number instead of its name.
Use full domain name. Selecting this with cause tcpview to display a hosts full domain name in the summary line. The default is to just display the local part of the name.
Use manuf. name in DLC addresses. When ethernet addresses are displayed, this will cause the first three bytes to be replaced by the ethernet manufacturers name. For example, Cisco_003462 instead of 00000c003462.
Absolute prints the frame arrival time in the format "hh:mm:ss.ssssss".
Unix Timestamp prints the Unix timestamp, which is number of seconds since 00:00:00 GMT, Jan. 1, 1970.
Delta prints the number of seconds between frames.
Relative prints the number of seconds from the first frame.
None disables the printing of frame times.
Verbose. (Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.
Brief. Prints less protocol information.
Display DLC header will display the DLC source, destination, and protocol type in the summary line.
Use relative TCP sequence numbers will reset each TCP connections sequence to 0 to make it easier to follow.
Display line numbers will number the displayed frames for reference.
The location of configuration files and the initial values of many variables can be set in the Tcpview X resource file. This should be located in the application defaults directory, usually /usr/lib/X11/app-defaults. Users can keep their own copy in the directory named by the environment variable XAPPLRESDIR. The sample resources file contains a description of the configuration variables. The configuration files are as follows:
Resource name Default
The hostnames file contains DLC-to-name mappings. It is in the same format as Sniffer name files. This allows you to share the same file. A sample line is:
station "akbar.cac" = addrtype"DLC" 08002b178d2c
Only lines with addrtype"DLC" are used.
The manuf file contains the information to associate certain ethernet manufacturers with the first three bytes of an ethernet address. This file is also in Sniffer format. A sample file is included. See ETHERNET VENDOR ADDRESS COMPONENTS in RFC1340 for more information.
The services file is just a copy of the /etc/services file. You may modify it to change the tcpview TCP or UDP service mappings without affecting the system you are using.
Martin Hunt (firstname.lastname@example.org)
University of Washington, Seattle, WA.
TCP and UDP checksums are not checked. Some errors will cause tcpview to exit.
|-->||TCPVIEW (1)||9 Nov 1992|