SUMMARY: netwatch

From: Donald McLachlan (don@mars.dgrc.doc.ca)
Date: Mon Apr 26 1993 - 15:35:08 CDT


First of all thanks to all those who responded.

I asked a leading question mostly to find out what tools were available for
monitoring network traffic, and what protocols were being used. I got the
following types of replies.

1) Solaris 1, use etherfind. I know about and use this, but I am looking for
   something different.

   Solaris 2, use snoop (etherfind replacement?). News to me, but I am
   using Solaris 1 for the foreseeable future.

2) Use ethertop, I know of this and use it.

3) Try using tcpdump. A new one to me, I will check it out.

4) xnetmon. An X-based thingie that I will look into.

5) tcpview is a new program which is an X version of tcpdump. I will look at
   it also.

For anyone who is interested I am including a copy of the readme file for
TCPVIEW, which Jim Hand (hand@cc.bellcore.com) was nice enough to send.

TCPVIEW - An Interactive Motif-Based Protocol Analyzer

This archive contains the source to tcpview and an enhanced tcpdump 2.2.1.
The two programs share much of the same source code.

Tcpview is the result of several problems we had at UW. We have several
Network General Sniffers which are heavily used to help debug problems on
several hundred subnets. These are good tools, but they are 1) heavy,
2) hard to find when you need one, 3) limited in their software expandability,
4) difficult to use to upload data for analysis, 5) cannot be remotely
operated, and 6) cannot resolve names with DNS, requiring much manual
manipulation of the name table. We also sometimes use tcpdump, but we found
it 1) too difficult for most people, 2) did not have enough information for
many protocols, 3) could not be used interactively, 4) could not handle
TCP streams and 5) could not read Sniffer files. However, tcpdump did do
a reasonable job of decoding a large number of protocols, and had superior
filtering to the Sniffer. Tcpview is an attempt to resolve these problems
by adding a Motif interface to tcpdump and expanding its features.

Tcpview has been tested on a DECstation 5000 and Sun 4 under Ultrix 4.2 and
SunOS 4.1 respectively. It should work on the same systems as tcpdump.
It compiles with cc and gcc on the DEC and Sun. To build tcpview you will
need Motif 1.1 or better.

What tcpview adds to tcpdump:
- easier interface
- enhanced protocol decoding
- hex display of frame
- capture based on time, number of frames, or user interrupt
- can show ethernet addresses with manufacturer's name
- ethernet address host table
- can easily follow a stream, highlighting out-of-order frames
- can send TCP data to an external file or filter for additional
  processing.

-------------------------------------------------------------------------------
CHANGES TO TCPDUMP 2.2.1

New features:

Now reads and writes Network General Sniffer files. When used with '-r', the
file type will be automatically detected.

Can now read in (and use) an SNMP MIB file.

The hex format has been changed.

New time options have been added.

Options were added to allow viewing and processing of the data in TCP packets.

Bugs were fixed in the relative TCP sequence numbers. (-S flag)

New flags:
-R read Sniffer file. Not usually needed, except for reading from stdin
-ttt prints delta times
-tttt prints times relative to the first frame
-W write a Sniffer save file (use with -w)
-x print frame (minus link-level header) in hexdump format.
        Sample output:

16:36:23.349851 jeff.cac.washington.edu.1285 > nic.funet.fi.ftp: S 0:0(0) win 16384
        0000 45 00 00 28 8a 98 00 00 3c 06 7c 9c 80 5f 70 02 | E..(....<.|.._p.
        0010 80 d6 06 64 05 05 00 15 5b 19 4a 00 00 00 00 00 | ...d....[.J.....
        0020 50 02 40 00 4e 13 00 00 00 00 00 00 00 00 | P.@.N.........

-X print TCP data in hexdump format (used with -Z)
-z write TCP data to stdout (use with -t to eliminate timestamp)
-Z write frames and TCP data to stdout
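The `-x` sample above is the raw IP datagram with the Ethernet header stripped, so it can be decoded by hand. As an added example (not part of the README or of tcpview/tcpdump), the following Python rebuilds the bytes from that hexdump text, verifies the IP header checksum, and decodes the IP and TCP fields that the one-line tcpdump summary prints (ports, SYN flag, window 16384). The hexdump text is copied from the README; the function names and the field-name dictionary are my own.

```python
import struct

# Copied from the README's tcpdump -x sample (link-level header already removed).
SAMPLE_HEXDUMP = """\
0000 45 00 00 28 8a 98 00 00 3c 06 7c 9c 80 5f 70 02 | E..(....<.|.._p.
0010 80 d6 06 64 05 05 00 15 5b 19 4a 00 00 00 00 00 | ...d....[.J.....
0020 50 02 40 00 4e 13 00 00 00 00 00 00 00 00 | P.@.N.........
"""

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def hexdump_to_bytes(text):
    """Rebuild the frame from tcpdump's hexdump lines '<offset> <hex bytes> | <ascii>'.
    Only the hex column carries data; the ASCII gutter may itself contain '|',
    so split on the first '|' only. Offsets are checked for gaps."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 1)[0].split()
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError("offset %#x but %d bytes read so far" % (offset, len(out)))
        out.extend(int(b, 16) for b in fields[1:])
    return bytes(out)


def ip_checksum_ok(header):
    """RFC 791: the one's-complement sum of the header's 16-bit words,
    checksum field included, folds to 0xFFFF when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ipv4_tcp(frame):
    """Decode the IPv4 header and, for protocol 6, the TCP header.
    Bytes beyond the IP total length are link-layer padding (Ethernet
    minimum frame size), not payload, and are reported separately."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", frame[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    result = {
        "src": ".".join(str(b) for b in frame[12:16]),
        "dst": ".".join(str(b) for b in frame[16:20]),
        "ttl": ttl,
        "proto": proto,
        "ip_total_len": total_len,
        "ip_checksum_ok": ip_checksum_ok(frame[:ihl]),
        "trailer_len": len(frame) - total_len,
    }
    if proto == 6:
        sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack(
            "!HHIIHHHH", frame[ihl:ihl + 20])
        doff = (off_flags >> 12) * 4
        result.update({
            "sport": sport,
            "dport": dport,
            "seq": seq,              # absolute ISN; tcpdump prints it relative as 0:0(0)
            "ack": ack,
            "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
            "window": win,
            "tcp_payload_len": total_len - ihl - doff,
        })
    return result


def decode_sample():
    """Decode the README's sample frame."""
    return decode_ipv4_tcp(hexdump_to_bytes(SAMPLE_HEXDUMP))


if __name__ == "__main__":
    for key, value in sorted(decode_sample().items()):
        print("%-16s %s" % (key, value))
```

The decoded result matches the summary line: 128.95.112.2 port 1285 to port 21 (ftp), SYN only, window 16384, zero payload, valid IP checksum, and six bytes of Ethernet padding after the 40-byte datagram. When reviewing captures, keeping the absolute sequence number alongside tcpdump's relative display (the `-S` behaviour the README mentions) is what lets you correlate the same stream across two capture points.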

FUTURE ENHANCEMENTS:

New and better detailed protocol decoders need to be written. I'm
only planning to add those as we need them here at UW. I'm hoping
others will find this tool useful enough to help out with enhancing
the protocol support. I'm planning on expanding the visualization
options to include graphical representations of protocol traces. I'm
also interested in adding in some intelligent protocol analysis. How
far I get in this depends on the level of interest in it and how much time
I have available.

Please send me any bug reports you have. Also suggestions are always
welcome. If you do write any new protocol decoders or add any enhancements,
let me know and I will include them in the next release.

Martin M. Hunt
martinh@cac.washington.edu
University of Washington

/*
 *
 * Copyright 1992 by the University of Washington
 *
 * Permission to use, copy, modify, and distribute this software and its
 * documentation for any purpose and without fee is hereby granted, provided
 * that the above copyright notice appears in all copies and that both the
 * above copyright notice and this permission notice appear in supporting
 * documentation, and that the name of the University of Washington not be
 * used in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. This software is made
 * available "as is", and
 * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
 * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN
 * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL,
 * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT
 * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 *
 */



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:07:46 CDT