Convert Figma logo to code with AI

the-tcpdump-group logotcpdump

the TCPdump network dissector

2,669
838
2,669
109
View on GitHub

Top Related Projects

wireshark's avatar

wireshark

7,071

Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.

ntop's avatar

nProbe

1,638

Open source components and extensions for nProbe

netsniff-ng's avatar

netsniff-ng

1,213

A Swiss army knife for your daily Linux network plumbing.

secdev's avatar

scapy

10,525

Scapy: the Python-based interactive packet manipulation program & library.

nmap's avatar

nmap

9,874

Nmap - the Network Mapper. Github mirror of official SVN repository.

google's avatar

stenographer

1,789

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at stenographer@googlegroups.com

Quick Overview

Tcpdump is a powerful command-line packet analyzer. It allows users to intercept and display TCP/IP and other packets being transmitted or received over a network interface. Tcpdump is widely used for network troubleshooting, protocol analysis, and security auditing.

Pros

  • Lightweight and efficient, with minimal system resource usage
  • Highly versatile, supporting a wide range of protocols and network types
  • Powerful filtering capabilities for precise packet capture and analysis
  • Cross-platform compatibility (Unix-like systems, including Linux and macOS)

Cons

  • Command-line interface may be intimidating for novice users
  • Limited graphical representation of captured data
  • Can be complex to use for advanced filtering and analysis
  • Requires root/administrator privileges for live packet capture

Getting Started

To get started with tcpdump:

  1. Install tcpdump (on most Unix-like systems):

    sudo apt-get install tcpdump   # Debian/Ubuntu
sudo yum install tcpdump       # CentOS/RHEL
brew install tcpdump           # macOS with Homebrew

  2. Basic usage:

    sudo tcpdump -i eth0           # Capture packets on interface eth0
sudo tcpdump -i any            # Capture packets on all interfaces
sudo tcpdump -n port 80        # Capture packets on port 80
sudo tcpdump -w capture.pcap   # Save captured packets to a file

  3. For more advanced usage and filtering options, consult the man page:

    man tcpdump

Remember to run tcpdump with appropriate permissions (usually as root or with sudo) when capturing live network traffic.

Competitor Comparisons

wireshark logo

wireshark

7,071

Read-only mirror of Wireshark's Git repository at https://gitlab.com/wireshark/wireshark. ⚠️ GitHub won't let us disable pull requests. ⚠️ THEY WILL BE IGNORED HERE ⚠️ Upload them at GitLab instead.

Pros of Wireshark

  • Graphical user interface for easier packet analysis
  • More extensive protocol support and decoding capabilities
  • Advanced filtering and search features

Cons of Wireshark

  • Larger resource footprint and slower performance on resource-constrained systems
  • More complex to use for simple capture tasks
  • Requires X11 for GUI on Unix-like systems

Code Comparison

tcpdump:

void
print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
    netdissect_options *ndo = (netdissect_options *)user;
    // ... (packet processing logic)
}

Wireshark:

static void
dissect_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
    // ... (packet dissection logic)
}

Both projects use C for core functionality, but Wireshark's codebase is more extensive due to its GUI and broader feature set. tcpdump focuses on command-line capture and basic analysis, while Wireshark offers a more comprehensive packet analysis toolkit with a user-friendly interface. tcpdump is generally preferred for quick captures and lightweight analysis, whereas Wireshark is better suited for in-depth protocol analysis and visualization of network traffic.

ntop logo

nProbe

1,638

Open source components and extensions for nProbe

Pros of nProbe

  • More advanced network traffic analysis capabilities, including deep packet inspection and application protocol recognition
  • Supports exporting data in various formats like NetFlow, IPFIX, and sFlow
  • Offers a web-based interface for easier data visualization and analysis

Cons of nProbe

  • Commercial product with licensing costs, unlike the open-source tcpdump
  • May have a steeper learning curve due to its more complex features
  • Requires more system resources to run compared to the lightweight tcpdump

Code Comparison

nProbe configuration example:

nprobe -i eth0 -n none -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_BYTES %OUT_BYTES"

tcpdump command example:

tcpdump -i eth0 -nn -c 100 'tcp port 80'

Both tools can capture network traffic, but nProbe offers more advanced processing and output options, while tcpdump provides a simpler, text-based output of raw packet data.

nProbe is better suited for comprehensive network monitoring and analysis in enterprise environments, while tcpdump excels in quick troubleshooting and basic packet capture tasks. The choice between the two depends on the specific requirements of the network monitoring task at hand.

netsniff-ng logo

netsniff-ng

1,213

A Swiss army knife for your daily Linux network plumbing.

Pros of netsniff-ng

  • High-performance packet capture and analysis tool
  • Supports zero-copy packet capture for improved efficiency
  • Offers a wider range of networking utilities beyond packet capture

Cons of netsniff-ng

  • Less widely adopted and may have a steeper learning curve
  • Documentation might not be as extensive as tcpdump
  • May require more system resources due to its advanced features

Code Comparison

netsniff-ng:

static int print_packet(struct ring *ring, unsigned int snaplen)
{
    uint8_t *packet = ring->frames[ring->frame_num].iov_base;
    uint64_t plen = ring->frames[ring->frame_num].tp_snaplen;
    return dump_packet(packet, plen, snaplen);
}

tcpdump:

void
print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
    netdissect_options *ndo = (netdissect_options *)user;
    pretty_print_packet(ndo, h, sp, packets_captured);
}

Both projects use similar function names for printing packets, but netsniff-ng's implementation appears more low-level, directly accessing ring buffer frames. tcpdump's approach is more abstracted, using pcap library structures and a separate pretty-printing function.

secdev logo

scapy

10,525

Scapy: the Python-based interactive packet manipulation program & library.

Pros of Scapy

  • More versatile and flexible for packet manipulation and creation
  • Provides an interactive Python shell for packet crafting and analysis
  • Supports a wider range of protocols and custom packet creation

Cons of Scapy

  • Slower performance compared to tcpdump for large-scale packet capture
  • Steeper learning curve due to its more complex API and Python-based interface
  • May require additional dependencies for certain functionalities

Code Comparison

Scapy:

from scapy.all import *
packets = sniff(count=10)
packets.summary()

tcpdump:

tcpdump -c 10 -n

Summary

Scapy is a powerful Python-based packet manipulation tool that offers greater flexibility and customization options for network analysis and testing. It excels in creating custom packets and provides an interactive environment for packet crafting. However, it may have slower performance for large-scale captures compared to tcpdump.

tcpdump is a lightweight, command-line packet analyzer that is faster for capturing and displaying network traffic in real-time. It's simpler to use for basic packet capture tasks but lacks the advanced packet manipulation capabilities of Scapy.

Choose Scapy for complex packet manipulation and scripting tasks, and tcpdump for quick, efficient packet capture and analysis in production environments.

nmap logo

nmap

9,874

Nmap - the Network Mapper. Github mirror of official SVN repository.

Pros of Nmap

  • More comprehensive network scanning and security auditing capabilities
  • Extensive scripting engine for customized scans and vulnerability detection
  • Broader range of protocols and services supported

Cons of Nmap

  • Steeper learning curve due to more complex features and options
  • Can be more resource-intensive, especially for large-scale scans
  • May trigger security alerts or be blocked by firewalls more frequently

Code Comparison

Tcpdump (basic packet capture):

tcpdump -i eth0 -n tcp port 80

Nmap (basic port scan):

nmap -p 80 192.168.1.0/24

Key Differences

  • Tcpdump focuses on packet capture and analysis, while Nmap specializes in network discovery and security auditing
  • Tcpdump is generally simpler to use for basic packet inspection, whereas Nmap offers more advanced scanning and enumeration features
  • Tcpdump is passive by default, capturing existing traffic, while Nmap actively probes networks and systems

Both tools are valuable for network administrators and security professionals, with Tcpdump excelling at detailed packet analysis and Nmap providing comprehensive network mapping and vulnerability assessment capabilities.

google logo

stenographer

1,789

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at stenographer@googlegroups.com

Pros of Stenographer

  • Designed for high-speed packet capture and storage
  • Efficient indexing for quick retrieval of specific packets
  • Supports continuous capture without packet loss

Cons of Stenographer

  • More complex setup and configuration
  • Limited to packet capture and storage, lacks real-time analysis
  • Requires additional tools for packet analysis

Code Comparison

Stenographer (Go):

func (s *Stenographer) Write(key []byte, val []byte) error {
    return s.db.Put(s.wo, key, val)
}

tcpdump (C):

void
pcap_dump(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
    register FILE *f;
    struct pcap_sf_pkthdr sf_hdr;

Stenographer is written in Go and focuses on efficient packet storage, while tcpdump is written in C and emphasizes real-time packet capture and analysis. Stenographer's code snippet shows a method for writing data to its database, while tcpdump's code demonstrates its packet dumping functionality.

tcpdump is a widely-used, versatile tool for packet capture and analysis, offering real-time filtering and inspection. It's lightweight and easy to use but may struggle with high-speed captures. Stenographer, on the other hand, excels at high-speed packet capture and storage but requires additional tools for analysis. The choice between them depends on specific use cases and performance requirements.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

TCPDUMP 4.x.y by The Tcpdump Group

To report a security issue please send an e-mail to security@tcpdump.org.

To report bugs and other problems, contribute patches, request a feature, provide generic feedback etc please see the guidelines for contributing in the tcpdump source tree root.

Anonymous Git is available via

https://github.com/the-tcpdump-group/tcpdump.git

This directory contains source code for tcpdump, a tool for network monitoring and data acquisition.

Over the past few years, tcpdump has been steadily improved by the excellent contributions from the Internet community (just browse through the change log). We are grateful for all the input.

Supported platforms

In many operating systems tcpdump is available as a native package or port, which simplifies installation of updates and long-term maintenance. However, the native packages are sometimes a few versions behind and to try a more recent snapshot it will take to compile tcpdump from the source code.

tcpdump compiles and works on at least the following platforms:

  • AIX
  • DragonFly BSD
  • FreeBSD
  • Haiku
  • HP-UX 11i
  • illumos (OmniOS, OpenIndiana)
  • GNU/Hurd
  • GNU/Linux
  • {Mac} OS X / macOS
  • NetBSD
  • OpenBSD
  • Solaris
  • Windows (requires WinPcap or Npcap, and Visual Studio with CMake)

In the past tcpdump certainly or likely worked on the following platforms:

  • 4.3BSD
  • BSD/386, later BSD/OS
  • DEC OSF/1, later Digital UNIX, later Tru64 UNIX
  • DOS
  • IRIX
  • LynxOS
  • QNX
  • SINIX
  • SunOS
  • Ultrix
  • UnixWare

Dependency on libpcap

tcpdump uses libpcap, a system-independent interface for user-level packet capture. If your operating system does not provide libpcap, or if it provides a libpcap that does not support the APIs from libpcap 1.0 or later, you must first retrieve and build libpcap before building tcpdump,

Once libpcap is built (either install it or make sure it's in ../libpcap), you can build tcpdump using the procedure in the installation notes.

Origins of tcpdump

The program is loosely based on SMI's "etherfind" although none of the etherfind code remains. It was originally written by Van Jacobson as part of an ongoing research project to investigate and improve TCP and Internet gateway performance. The parts of the program originally taken from Sun's etherfind were later re-written by Steven McCanne of LBL. To insure that there would be no vestige of proprietary code in tcpdump, Steve wrote these pieces from the specification given by the manual entry, with no access to the source of tcpdump or etherfind.

formerly from	Lawrence Berkeley National Laboratory
		Network Research Group <tcpdump@ee.lbl.gov>
		ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)

See also

Richard Stevens gives an excellent treatment of the Internet protocols in his book "TCP/IP Illustrated, Volume 1". If you want to learn more about tcpdump and how to interpret its output, pick up this book.

Another tool that tcpdump users might find useful is tcpslice. It is a program that can be used to extract portions of tcpdump binary trace files.

The original LBL README by Steve McCanne, Craig Leres and Van Jacobson

This directory also contains some short awk programs intended as
examples of ways to reduce tcpdump data when you're tracking
particular network problems:

send-ack.awk
	Simplifies the tcpdump trace for an ftp (or other unidirectional
	tcp transfer).  Since we assume that one host only sends and
	the other only acks, all address information is left off and
	we just note if the packet is a "send" or an "ack".

	There is one output line per line of the original trace.
	Field 1 is the packet time in decimal seconds, relative
	to the start of the conversation.  Field 2 is delta-time
	from last packet.  Field 3 is packet type/direction.
	"Send" means data going from sender to receiver, "ack"
	means an ack going from the receiver to the sender.  A
	preceding "*" indicates that the data is a retransmission.
	A preceding "-" indicates a hole in the sequence space
	(i.e., missing packet(s)), a "#" means an odd-size (not max
	seg size) packet.  Field 4 has the packet flags
	(same format as raw trace).  Field 5 is the sequence
	number (start seq. num for sender, next expected seq number
	for acks).  The number in parens following an ack is
	the delta-time from the first send of the packet to the
	ack.  A number in parens following a send is the
	delta-time from the first send of the packet to the
	current send (on duplicate packets only).  Duplicate
	sends or acks have a number in square brackets showing
	the number of duplicates so far.

	Here is a short sample from near the start of an ftp:
		3.00    0.20   send . 512
		3.20    0.20    ack . 1024  (0.20)
		3.20    0.00   send P 1024
		3.40    0.20    ack . 1536  (0.20)
		3.80    0.40 * send . 0  (3.80) [2]
		3.82    0.02 *  ack . 1536  (0.62) [2]
	Three seconds into the conversation, bytes 512 through 1023
	were sent.  200ms later they were acked.  Shortly thereafter
	bytes 1024-1535 were sent and again acked after 200ms.
	Then, for no apparent reason, 0-511 is retransmitted, 3.8
	seconds after its initial send (the round trip time for this
	ftp was 1sec, +-500ms).  Since the receiver is expecting
	1536, 1536 is re-acked when 0 arrives.

packetdat.awk
	Computes chunk summary data for an ftp (or similar
	unidirectional tcp transfer). [A "chunk" refers to
	a chunk of the sequence space -- essentially the packet
	sequence number divided by the max segment size.]

	A summary line is printed showing the number of chunks,
	the number of packets it took to send that many chunks
	(if there are no lost or duplicated packets, the number
	of packets should equal the number of chunks) and the
	number of acks.

	Following the summary line is one line of information
	per chunk.  The line contains eight fields:
	   1 - the chunk number
	   2 - the start sequence number for this chunk
	   3 - time of first send
	   4 - time of last send
	   5 - time of first ack
	   6 - time of last ack
	   7 - number of times chunk was sent
	   8 - number of times chunk was acked
	(all times are in decimal seconds, relative to the start
	of the conversation.)

	As an example, here is the first part of the output for
	an ftp trace:

	# 134 chunks.  536 packets sent.  508 acks.
	1       1       0.00    5.80    0.20    0.20    4       1
	2       513     0.28    6.20    0.40    0.40    4       1
	3       1025    1.16    6.32    1.20    1.20    4       1
	4       1561    1.86    15.00   2.00    2.00    6       1
	5       2049    2.16    15.44   2.20    2.20    5       1
	6       2585    2.64    16.44   2.80    2.80    5       1
	7       3073    3.00    16.66   3.20    3.20    4       1
	8       3609    3.20    17.24   3.40    5.82    4       11
	9       4097    6.02    6.58    6.20    6.80    2       5

	This says that 134 chunks were transferred (about 70K
	since the average packet size was 512 bytes).  It took
	536 packets to transfer the data (i.e., on the average
	each chunk was transmitted four times).  Looking at,
	say, chunk 4, we see it represents the 512 bytes of
	sequence space from 1561 to 2048.  It was first sent
	1.86 seconds into the conversation.  It was last
	sent 15 seconds into the conversation and was sent
	a total of 6 times (i.e., it was retransmitted every
	2 seconds on the average).  It was acked once, 140ms
	after it first arrived.

stime.awk
atime.awk
	Output one line per send or ack, respectively, in the form
		<time> <seq. number>
	where <time> is the time in seconds since the start of the
	transfer and <seq. number> is the sequence number being sent
	or acked.  I typically plot this data looking for suspicious
	patterns.


The problem I was looking at was the bulk-data-transfer
throughput of medium delay network paths (1-6 sec.  round trip
time) under typical DARPA Internet conditions.  The trace of the
ftp transfer of a large file was used as the raw data source.
The method was:

  - On a local host (but not the Sun running tcpdump), connect to
    the remote ftp.

  - On the monitor Sun, start the trace going.  E.g.,
      tcpdump host local-host and remote-host and port ftp-data >tracefile

  - On local, do either a get or put of a large file (~500KB),
    preferably to the null device (to minimize effects like
    closing the receive window while waiting for a disk write).

  - When transfer is finished, stop tcpdump.  Use awk to make up
    two files of summary data (maxsize is the maximum packet size,
    tracedata is the file of tcpdump tracedata):
      awk -f send-ack.awk packetsize=avgsize tracedata >sa
      awk -f packetdat.awk packetsize=avgsize tracedata >pd

  - While the summary data files are printing, take a look at
    how the transfer behaved:
      awk -f stime.awk tracedata | xgraph
    (90% of what you learn seems to happen in this step).

  - Do all of the above steps several times, both directions,
    at different times of day, with different protocol
    implementations on the other end.

  - Using one of the Unix data analysis packages (in my case,
    S and Gary Perlman's Unix|Stat), spend a few months staring
    at the data.

  - Change something in the local protocol implementation and
    redo the steps above.

  - Once a week, tell your funding agent that you're discovering
    wonderful things and you'll write up that research report
    "real soon now".