next up previous
Next: tcpdpriv Up: Methods Previous: Methods

tcpdump

We use tcpdump to obtain traffic traces because tcpdump is widely used, and installed as part of the default tools on many systems. In addition, there are many tools that integrates the pcap library and be able to read tcpdump output files. Those tools include tcptrace, tcpslice, tcpdstat and ttt.

tcpdump, by default, puts the network interface into promiscuous mode to capture every packet going across the wire. In the BSD-derived kernel, BPF is implemented as a packet capture mechanism. When BPF is enabled, the network driver in the kernel passes both sending and receiving data-link level frames to BPF. BPF performs packet filtering if necessary, adds timestamp, and copies the fixed length from the head of the frame into the store buffer. tcpdump in the user space can read multiple frames in a single read from the store buffer in the kernel in an efficient manner. tcpdump, by default, prints the header information of each packet in a text format. With -w option, tcpdump writes out the packet frames into a specified file. With -r option, tcpdump reads from a saved file instead of a network interface to replay a saved file. The pcap library is used to read or write data in the raw format. Thus, it is easy to write a program to read or write packets in the tcpdump format.

Figure 1 shows the format of raw tcpdump output. In the BSD systems, the kernel uses microtime() for timestamp; the precision of the timestamp is 1 usec on the PC architecture. Timestamp is taken when a packet is passed to BPF from the network driver so that it is the time that the driver sees that packet.


  
Figure 1: Pcap header format
\includegraphics[width=6.5cm,clip]{pcap.eps}


next up previous
Next: tcpdpriv Up: Methods Previous: Methods
Kenjiro Cho
2000-04-23