SUBJECT: Announcing tcpview: A Motif-based TCP/IP protocol analyzer

Tcpview is the result of several problems we had at UW. We have several
Network General Sniffers which are heavily used to help debug problems on
several hundred subnets. These are good tools, but they are 1) heavy,
2) hard to find when you need one, 3) limited in their software
expandability, 4) difficult to use for uploading data for analysis,
5) not remotely operable, and 6) unable to resolve names with DNS,
requiring much manual manipulation of the name table.

We also sometimes use tcpdump, but we found that it 1) was too difficult
for most people, 2) did not have enough information for many protocols,
3) could not be used interactively, 4) could not handle TCP streams, and
5) could not read Sniffer files. However, tcpdump did do a reasonable job
of decoding a large number of protocols, and could be easily modified.

Tcpview is an attempt to resolve these problems by adding a Motif interface
to tcpdump and expanding its features.

Tcpview has been tested on a DECstation 5000 and a Sun 4 under Ultrix 4.2
and SunOS 4.1 respectively. It should work on the same systems as tcpdump.
It compiles with cc and gcc on the DEC and the Sun. To build tcpview you
will need Motif 1.1 or better.

The following files are available for anonymous ftp from
ftp.cac.washington.edu in /pub/networking:

    tcpview-1.0.tar.Z        tcpview and tcpdump source code
    tcpview-1.0.sun.tar.Z    Sun4 binaries
    tcpview-1.0.dec.tar.Z    DEC Mips Ultrix 4.2 binaries

What tcpview adds to tcpdump:

- easier interface
- enhanced protocol decoding
- hex display of frame
- capture based on time, number of frames, or user interrupt
- can show ethernet addresses with manufacturer's name
- ethernet address host table
- can easily follow a stream, highlighting out-of-order frames
- can send TCP data to an external file or filter for additional processing
-------------------------------------------------------------------------------

CHANGES TO TCPDUMP 2.2.1

New features:

- Now reads and writes Network General Sniffer files. When used with '-r',
  the file type will be automatically detected.
- Can now read in (and use) an SNMP MIB file.
- The hex format has been changed.
- New time options have been added.
- Options were added to allow viewing and processing of the data in TCP
  packets.
- Bugs were fixed in the relative TCP sequence numbers (-S flag).

New flags:

-R      read Sniffer file. Not usually needed, except for reading from stdin
-ttt    prints delta times
-tttt   prints times relative to the first frame
-W      write a Sniffer save file (use with -w)
-x      print frame (minus link-level header) in hexdump format.

        Sample output:

        16:36:23.349851 jeff.cac.washington.edu.1285 > nic.funet.fi.ftp: S 0:0(0) win 16384
        0000 45 00 00 28 8a 98 00 00 3c 06 7c 9c 80 5f 70 02 | E..(....<.|.._p.
        0010 80 d6 06 64 05 05 00 15 5b 19 4a 00 00 00 00 00 | ...d....[.J.....
        0020 50 02 40 00 4e 13 00 00 00 00 00 00 00 00 | P.@.N.........

-X      print TCP data in hexdump format (used with -Z)
-z      write TCP data to stdout (use with -t to eliminate timestamp)
-Z      write frames and TCP data to stdout

Martin M. Hunt
martinh@cac.washington.edu
Networks & Distributed Computing
University of Washington
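As an added example (this is not tcpview or tcpdump code), the Python below takes the '-x' sample output quoted in the announcement, rebuilds the raw bytes from the "offset / hex bytes / ASCII" layout, decodes the IPv4 and TCP headers, and recomputes both checksums with the RFC 1071 one's-complement sum. The only thing assumed from the announcement is that hexdump layout; the input constant is the sample re-typed here, and the field names in the returned dicts are the example's own.

```python
"""Decode a tcpdump/tcpview '-x' hexdump into IPv4/TCP fields and verify checksums.

Added example; not part of tcpview or tcpdump. Assumes only the dump layout
shown in the announcement:  <4-hex-digit offset> <hex bytes> | <ascii>
"""
import re
import struct

# Constructed input: the '-x' sample from the announcement, re-typed verbatim.
SAMPLE_HEXDUMP = """\
0000 45 00 00 28 8a 98 00 00 3c 06 7c 9c 80 5f 70 02 | E..(....<.|.._p.
0010 80 d6 06 64 05 05 00 15 5b 19 4a 00 00 00 00 00 | ...d....[.J.....
0020 50 02 40 00 4e 13 00 00 00 00 00 00 00 00 | P.@.N.........
"""

HEX_LINE = re.compile(r"^([0-9a-fA-F]{4}) ((?:[0-9a-fA-F]{2} )+)\|")
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bits 0..5


def parse_hexdump(text):
    """Rebuild raw bytes from the offset / hex / ascii layout.

    The offset column is checked against the byte count so that a dropped or
    truncated line raises instead of silently shifting every later field.
    """
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            raise ValueError("unrecognised hexdump line: %r" % line)
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError("offset %#06x but %d bytes read so far" % (offset, len(data)))
        data += bytes.fromhex(m.group(2))
    return bytes(data)


def rfc1071_checksum(data):
    """Complemented 16-bit one's-complement sum (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4(pkt):
    """Parse the IPv4 header and recompute its checksum over the header only."""
    (vihl, _tos, total_len, ident, _frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("not a complete IPv4 datagram")
    hdr = pkt[:ihl]
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "src_raw": src, "dst_raw": dst, "checksum": csum,
        # zero the checksum field, recompute, and compare with the stored value
        "checksum_ok": rfc1071_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum,
    }


def decode_tcp(ip, seg):
    """Parse the TCP header; its checksum covers a pseudo-header plus the whole segment."""
    (sport, dport, seq, ack, off_flags,
     window, csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    # Pseudo-header: src addr, dst addr, zero byte, protocol, TCP length (header + data).
    pseudo = ip["src_raw"] + ip["dst_raw"] + struct.pack("!BBH", 0, ip["proto"], len(seg))
    expected = rfc1071_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "data_len": len(seg) - data_off,
        "checksum": csum, "checksum_ok": expected == csum,
    }


def decode_frame(hexdump_text):
    """Return (ip, tcp, padding_bytes) for one '-x' dump of an IPv4/TCP frame."""
    pkt = parse_hexdump(hexdump_text)
    ip = decode_ipv4(pkt)
    if ip["proto"] != 6:
        raise ValueError("IP protocol %d is not TCP" % ip["proto"])
    # Only total_len bytes belong to the datagram; anything after it is link-layer padding.
    tcp = decode_tcp(ip, pkt[ip["ihl"]:ip["total_len"]])
    return ip, tcp, len(pkt) - ip["total_len"]


def summary_line(hexdump_text):
    """tcpdump-style one-liner, with the absolute sequence number (what -S prints)."""
    ip, tcp, pad = decode_frame(hexdump_text)
    return "%s.%d > %s.%d: %s seq=%d win %d ipcsum=%s tcpcsum=%s pad=%d" % (
        ip["src"], tcp["sport"], ip["dst"], tcp["dport"], "+".join(tcp["flags"]) or "none",
        tcp["seq"], tcp["window"], "ok" if ip["checksum_ok"] else "BAD",
        "ok" if tcp["checksum_ok"] else "BAD", pad)


if __name__ == "__main__":
    print(summary_line(SAMPLE_HEXDUMP))
```

Run on the sample, the decoder reports source port 1285 to destination port 21 (ftp), a lone SYN, window 16384 and TCP length 20, agreeing with the "S 0:0(0) win 16384" summary line, and both stored checksums (0x7c9c for IP, 0x4e13 for TCP) match the recomputed values. One thing the dump shows that the summary line does not: it holds 46 bytes while the IP total length is 40, so the six trailing zero bytes are minimum-frame padding (46 bytes is Ethernet's minimum payload), not TCP data. That is why the decoder slices the segment on total_len rather than on the dump length; slicing on the dump length would feed the padding into the TCP checksum and report a false mismatch.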