Linux tcpshow(1) Manual Page

NAME
    tcpshow - decode a tcpdump savefile

SYNOPSIS
    tcpshow [ -b ] [ -sb ] [ -w width ] [ -nolink ] [ -noip ]
            [ -nodata ] [ -data ] [ -track ] [ -terse ]
            [ -cooked ] [ -pp ] [ -s ] [ -h ]
            [ expression ]

DESCRIPTION
    tcpshow reads a tcpdump(1) savefile and provides a reasonably
    complete decode of the Ethernet, IP, ICMP, UDP and TCP headers
    of the packets that match the boolean expression. The data
    belonging to these packets is displayed in ASCII.

    Currently, protocol data is not decoded. This is not considered
    a serious problem for applications that use ASCII.
    Also, IP and TCP options are not decoded.

    The input file must be in the format produced by tcpdump -enx.
    This file can be generated from:

    - a prior run of tcpdump -w file
    - a live run of tcpdump (without -w)
    - any other program that produces correctly formatted output

    See under EXAMPLES for each of these methods, plus a description
    of the format the input file needs to have.

    Except when -cooked is used, tcpdump(1) is required to be on your
    PATH, to process the raw savefile.
OPTIONS
    The following options can be used in just about any sane

    -b      break long lines so they don't wrap
            This produces a neater, more readable display of the
            application data. The default width is 60 columns. See
            the -w flag for how to change this.

    -sb     show line breaks
            When -b is used, it may be useful to see exactly where
            tcpshow wrapped each line in its display of application
            data. This option causes the string ``<break>'' to be
            displayed at the end of each wrapped line. (Lines which
            were not wrapped, but terminated before the page width,
            do not get the ``<break>'' string.)

    -w width
            set pagewidth to width columns
            This determines where tcpshow will fold long lines when
            the -b switch is used.

    -nolink don't decode the link header
            The data link header (Ethernet header) is not decoded
            and displayed.

    -noip   don't decode the IP header
            The IP header is not decoded and displayed.

    -nodata don't show the data
            The protocol data is not displayed (a count of data
            bytes is shown).

    -data   display only the data
            The data, plus a minimal decode of the IP and
            transport/ICMP headers, is displayed.

    -track  track TCP sequence numbers
            An additional field is produced in the output which
            shows the TCP acknowledgement number which this side of
            the connection should receive once the current packet
            has been received by its peer.

    -terse  show the header decode in compact format
            Without this option, the display of the decoded header
            is verbose, occupying a lot of display-space real estate.
            With this option, the decoded header information is much
            more compact and terse. Once you're familiar with the
            meanings of the header fields, you'll probably always use
            this option. (Maybe this should be the default, with a
            -verbose flag to get long-winded header decodes?)

    -cooked don't run tcpdump(1) to pre-process the input
            If the input file is already in the expected format,
            this option must be used. See EXAMPLES below for where
            this flag is appropriate.

    -pp     point-to-point link
            If the input file was collected from data travelling
            over a point-to-point link (one which doesn't make an
            Ethernet header available), this option needs to be used.

    -s      also display a hex dump of spurious data at packet end
            For a reason unknown to the author, tcpdump(1) output
            sometimes contains data at the end of packets that
            doesn't belong to those packets. This spurious data is
            suppressed from the output, except when this option is
            used.

    -h      display a help summary
            This list of options is displayed, with a one-line
            summary of each.

    expression
            filter the input file using a tcpdump(1) expression
            If the -cooked option is not used, then tcpdump(1) is
            required to be on your PATH. It is used to read the raw
            savefile, producing output in the format tcpshow expects.
            The expression should be a valid tcpdump(1) expression.
            It is not parsed or interpreted by tcpshow, but passed on
            to tcpdump(1).
EXAMPLES
    In the following examples, where tcpdump(1) is used, the flag
    -s 1518 is used to be sure of saving complete packets. Also,
    where tcpdump(1) expressions are used, these could equally have
    been given to tcpdump(1) directly, if it was known at the time
    what data you're interested in.

    Capture a raw savefile and decode it later.

        # tcpdump -s 1518 -w savefile
        # tcpshow < savefile

    Decode the data as quickly as tcpdump(1) gives it to us.

        # tcpdump -s 1518 -lenx | tcpshow

    Display headers only.

        # tcpshow -nodata < savefile

    Display data only (minimal header decode).

        # tcpshow -data

    Display a decode of Telnet traffic only, omitting the link and
    IP headers.

        # tcpdump -s 1518 -w savefile
        # tcpshow -nolink -noip tcp port telnet < savefile

    Give a compact display of the TCP headers, and a full display of
    the data, for all packets going into or coming from the host
    "sam" -- this host is on a LAN accessible through a PPP link.

        # tcpdump -i ppp0 -s 1518 -w savefile
        # tcpshow -pp -terse host sam < savefile

    Show all SMTP mail transfers, omitting the headers and wrapping
    the message bodies to make it easy to read them (you're not
    supposed to do this).

        # tcpdump -s 1518 -w savefile
        # tcpshow -b -w 40 -data port smtp < savefile

    To display a decode of data not captured via tcpdump(1), you
    would typically use the application that captured the trace to
    dump that trace into a file in ASCII-hex format. You feed that
    file into a Perl/sh/awk script (that you write), which produces
    a file in the format tcpshow expects. Such scripts are easy to
    write. For example, if your application is "capture" and your
    script is "convert", then tcpshow might be used as follows.

        # capture -hexoutput | convert | tcpshow
    A loose definition of the format tcpshow expects is: the 1st
    line of each packet must begin in column 1. All other lines must
    begin with a TAB. The hex bytes can be separated from each other
    by any amount of whitespace.

    When using -cooked, the first field should be the time the packet
    was captured (or a string like "no-time-recorded" if the time
    isn't available). The remaining fields should be the bytes of the
    IP datagram.

    When -cooked is not used, the first field should be as above,
    with the next three fields being the Ethernet source address,
    the Ethernet destination address and the DIX Ethernet Type field.
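    The "convert" script mentioned above, as an added example that is
    not part of tcpshow or its documentation. It assumes a hypothetical
    "capture -hexoutput" tool that prints, for each packet, a header
    line "Packet N captured at HH:MM:SS.uuuuuu" followed by offset
    lines of hex bytes and a blank line (that input layout is
    constructed for this example); the output follows the -cooked
    format given above: the capture time in column 1, then the bytes
    of the IP datagram, with every continuation line starting with a
    TAB and the "no-time-recorded" fallback when no timestamp was
    found.

```shell
#!/bin/sh
# hexdump_to_tcpshow: convert the ASCII-hex dump of a hypothetical
# "capture -hexoutput" tool into the cooked input format tcpshow expects.
#
# Assumed input (constructed for this example, one packet per block):
#   Packet 1 captured at 12:00:00.000001
#   0000: 45 00 00 1c 00 01 00 00 40 01 00 00 7f 00 00 01
#   0010: 7f 00 00 01 08 00 f7 ff 00 00 00 00
#   <blank line>
#
# Output: the first line of each packet starts in column 1 with the
# capture time followed by the bytes of the IP datagram; continuation
# lines begin with a TAB, 16 bytes per line, as tcpshow -cooked requires.
hexdump_to_tcpshow() {
    awk '
    # Emit the packet collected so far (if any) in tcpshow format.
    function flush(   i, line) {
        if (n == 0) return
        if (time == "") time = "no-time-recorded"
        line = time
        for (i = 0; i < n; i++) {
            if (i > 0 && i % 16 == 0) { print line; line = "\t" bytes[i] }
            else line = line " " bytes[i]
        }
        print line
        n = 0; time = ""
    }
    # A packet header: flush the previous packet, remember the timestamp.
    /^Packet [0-9]+ captured at/ { flush(); time = $5; next }
    # An offset line: collect every field after the "NNNN:" offset.
    /^[0-9a-fA-F]+:/ { for (i = 2; i <= NF; i++) bytes[n++] = $i; next }
    # A blank line ends the packet; so does end of input.
    /^[ \t]*$/ { flush() }
    END { flush() }
    '
}

# Typical use (the capture command is hypothetical):
#   capture -hexoutput | hexdump_to_tcpshow | tcpshow -cooked
```

    The converter only splits and regroups bytes; it does not validate
    them, so a dump that drops or duplicates bytes will decode as a
    malformed datagram in tcpshow rather than being rejected here.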
FILES
    tcpshow reads from standard input and writes to standard output.
SEE ALSO
    tcpdump(1), nit(4P), bpf(4)

AUTHOR
    Mike Ryan <mike@NetworX.ie>

    This program and its source code are freely available. See the
    Conditions governing their use in the source code.
BUGS
    It should decode IP and TCP options.

    It should decode data from application protocols that don't send
    their data in ASCII (e.g. DNS/BIND).

    It should not depend on tcpdump(1) as much as it does. It should
    be modified to use pcap(3) directly.

    It doesn't bother mapping IP addresses into their host names. The
    option to do this should be provided.

    The -terse option should be the default, with -verbose available
    to produce a verbose display of the headers.