tcptrace(1)tcptrace(1)NAMEtcptrace - a TCP connection analysis tool
SYNOPSIStcptrace [options] filename
DESCRIPTIONtcptrace takes a tcpdump file specified on the command line (or from
standard input) and produces a summarization of the connections.
OPTIONS
Output format options
-b brief output format
-l long output format
-r print rtt statistics (slower for large files)
-W report on estimated congestion window (not generally useful)
-q no output (if you just want modules output)
Graphing options
-T create throughput graph[s], (average over 10 segments, see -A)
-R create rtt sample graph[s]
-S create time sequence graph[s]
-N create owin graph[s] (_o_utstanding data on _N_etwork)
-F create segsize graph[s]
-G create ALL graphs
Output format detail options
-D print in decimal
-X print in hexadecimal
-n don't resolve host or service names (much faster)
-s use short names (list "picard.cs.ohiou.edu" as just "picard")
Connection filtering options
-iN ignore connection N (can use multiple times)
-oN[-M]
only connection N (or N through M). Arg can be used many times.
In N is a file rather than a number, read list from file instead.
-c ignore non-complete connections (didn't see syn's and fin's)
-BN first segment number to analyze (default 1)
-EN last segment number to analyze (default last in file)
Graphing detail options
-C produce color plot[s]
-M produce monochrome (b/w) plot[s]
-AN Average N segments for throughput graphs, default is 10
-z zero axis options:
-z plot time axis from 0 rather than wall clock time (backward com‐
pat)
-zx plot time axis from 0 rather than wall clock time
-zy plot sequence numbers from 0 (time sequence graphs only)
-zxy plot both axes from 0
-y omit the (yellow) instantaneous throughput points in tput graph
Misc options
-Z dump raw rtt sample times to file[s]
-p print all packet contents (can be very long)
-P print packet contents for selected connections
-t ´tick' off the packet numbers as a progress indication
-v print version information and exit
-w print various warning messages
-d whistle while you work (enable debug, use -d -d for more output)
-e extract contents of each TCP stream into file
-h print help messages
-u print minimal UDP information too
-Ofile
dump matched packets to tcpdump file 'file'
+[v] reverse the setting of the -[v] flag (for booleans)
Extended boolean options (unambiguous prefixes also work)
--showsacks
show SACK blocks on time sequence graphs (default)
--noshowsacks
DON'T show SACK blocks on time sequence graphs
--showrexmit
mark retransmits on time sequence graphs (default)
--noshowrexmit
DON'T mark retransmits on time sequence graphs
--showoutorder
mark out-of-order on time sequence graphs (default)
--noshowoutorder
DON'T mark out-of-order on time sequence graphs
--showzerowindow
mark zero windows on time sequence graphs (default)
--noshowzerowindow
DON'T mark zero windows on time sequence graphs
--showurg
mark packets with URGENT bit set on the time sequence graphs
(default)
--noshowurg
DON'T mark packets with URGENT bit set on the time sequence graphs
--showrttdongles
mark non-RTT-generating ACKs with special symbols
--noshowrttdongles
DON'T mark non-RTT-generating ACKs with special symbols (default)
--showdupack3
mark triple dupacks on time sequence graphs (default)
--noshowdupack3
DON'T mark triple dupacks on time sequence graphs
--showzerolensegs
show zero length packets on time sequence graphs (default)
--noshowzerolensegs
DON'T show zero length packets on time sequence graphs
--showzwndprobes
show zero window probe packets on time sequence graphs (default)
--noshowzwndprobes
DON'T show zero window probe packets on time sequence graphs
--showtitle
show title on the graphs (default)
--noshowtitle
DON'T show title on the graphs
--res_addr
resolve IP addresses into names (may be slow) (default)
--nores_addr
DON'T resolve IP addresses into names (may be slow)
--res_port
resolve port numbers into names (default)
--nores_port
DON'T resolve port numbers into names
--checksum
verify IP and TCP checksums
--nochecksum
DON'T verify IP and TCP checksums (default)
--dupack3_data
count a duplicate ACK carrying data as a triple dupack
--nodupack3_data
DON'T count a duplicate ACK carrying data as a triple dupack
(default)
--check_hwdups
check for 'hardware' dups (default)
--nocheck_hwdups
DON'T check for 'hardware' dups
--warn_ooo
print warnings when packets timestamps are out of order
--nowarn_ooo
DON'T print warnings when packets timestamps are out of order
(default)
--warn_printtrunc
print warnings when packets are too short to analyze
--nowarn_printtrunc
DON'T print warnings when packets are too short to analyze
(default)
--warn_printbadmbz
print warnings when MustBeZero TCP fields are NOT 0
--nowarn_printbadmbz
DON'T print warnings when MustBeZero TCP fields are NOT 0
(default)
--warn_printhwdups
print warnings for hardware duplicates
--nowarn_printhwdups
DON'T print warnings for hardware duplicates (default)
--warn_printbadcsum
print warnings when packets with bad checksums
--nowarn_printbadcsum
DON'T print warnings when packets with bad checksums (default)
--warn_printbad_syn_fin_seq
print warnings when SYNs or FINs rexmitted with different sequence
numbers
--nowarn_printbad_syn_fin_seq
DON'T print warnings when SYNs or FINs rexmitted with different
sequence numbers (default)
--dump_packet_data
print all packets AND dump the TCP/UDP data
--nodump_packet_data
DON'T print all packets AND dump the TCP/UDP data (default)
--continuous
run continuously and don't provide a summary
--nocontinuous
DON'T run continuously and don't provide a summary (default)
--print_seq_zero
print sequence numbers as offset from initial sequence number
--noprint_seq_zero
DON'T print sequence numbers as offset from initial sequence num‐
ber (default)
--limit_conn_num
limit the maximum number of connections kept at a time in real-
time mode
--nolimit_conn_num
DON'T limit the maximum number of connections kept at a time in
real-time mode (default)
--xplot_all_files
display all generated xplot files at the end
--noxplot_all_files
DON'T display all generated xplot files at the end (default)
--ns_hdrs
assume that ns has the useHeaders_flag true (uses IP+TCP headers)
(default)
--nons_hdrs
DON'T assume that ns has the useHeaders_flag true (uses IP+TCP
headers)
--csv
display the long output as comma separated values
--nocsv
DON'T display the long output as comma separated values (default)
--tsv
display the long output as tab separated values
--notsv
DON'T display the long output as tab separated values (default)
Extended variable options (unambiguous prefixes also work)
--output_dir=``STR''
directory where all output files are placed (default: '<NULL>')
--output_prefix=``STR''
prefix all output files with this string (default: '<NULL>')
--xplot_title_prefix=``STR''
prefix to place in the titles of all xplot files (default:
'<NULL>')
--update_interval=``STR''
time interval for updates in real-time mode (default: '<NULL>')
--max_conn_num=``STR''
maximum number of connections to keep at a time in real-time mode
(default: '<NULL>')
--remove_live_conn_interval=``STR''
idle time after which an open connection is removed in real-time
mode (default: '<NULL>')
--remove_closed_conn_interval=``STR''
time interval after which a closed connection is removed in real-
time mode (default: '<NULL>')
--xplot_args=``STR''
arguments to pass to xplot, if we are calling xplot from here
(default: '<NULL>')
--sv=``STR''
separator to use for long output with <STR>-separated-values
(default: '<NULL>')
Included Modules
http Http analysis package
tcplib TCPLib analysis package
traffic traffic analysis package
slice traffic efficiency data by time slices
rttgraph round trip time analysis graphs
collie connection summary package
realtime example real-time package
For module-specific options, please use `tcptrace -hxargs`
Filter Variables:
Please use 'tcptrace -hfilter' for the complete listing of filter vari‐
ables.
Filter Syntax:
Please use 'tcptrace -hfilter' for filter syntax.
ENVIRONMENT
Options are first read from the file $HOME/.tcptracerc (if it exists),
and then from the environment variable TCPTRACEOPTS (if it exists), and
finally from the command line.
AUTHOR
Shawn Ostermann (ostermann@cs.ohiou.edu)
CREDITS
Thanks to Mark Foster (mafoster@george.arc.nasa.gov) for writing this
manual page. Thanks to Avinash Lakhiani (alakhian@irg.cs.ohiou.edu) for
updating it.
FILES
Dump File Names
Trailing (unrecognized) arguments are taken to be one or more file‐
names. The files can be compressed, see compress.h for configuration.
If the dump file name is 'stdin', then we read from standard input
rather than from a file.
SEE ALSO
xplot an interactive tool for examining .xpl files output by tcp‐
trace.
jPlot a Java version of xplot.
14 Oct 2002 tcptrace(1)
