Linux tcpshow(1) Manual Page

Table of Contents


tcpshow - decode a tcpdump savefile


tcpshow [ -b ] [ -sb ] [ -w width ] [ -nolink ] [ -noip ] [ -nodata ] [ -data ] [ -track ] [ -terse ] [ -cooked ] [ -pp ] [ -s ] [ -h ] [ expression ]


tcpshow reads a tcpdump(1) savefile and provides a reasonably complete decode of Ethernet, IP, ICMP, UDP and TCP headers, in packets that match the boolean expression. The data belonging to these packets is displayed in ASCII.

Currently, protocol data is not decoded. This is not considered a serious problem for applications that use ASCII data streams.

Also, IP and TCP options are not decoded.

The input file must be in the format produced by tcpdump -enx. This file can be generated from

  1. a prior run of tcpdump -w file
  2. a live run of tcpdump (without -w)
  3. any other program that produces a correctly formatted trace
See under EXAMPLES for each of these different methods, plus a description of the format the input file needs to be in.

Except when -cooked is used, tcpdump(1) is required to be on your PATH, to process the raw savefile.


The following options can be used in just about any sane combination.

break long lines so they don't wrap

This produces a neater, more readable display of the application data. The default width is 60 columns. See the -w flag for how to change this default.

show line breaks

When -b is used, it may be useful to see exactly where tcpshow wrapped each line, in its display of application data. This option causes the string ``<break>'' to be displayed at the end of each wrapped line. (Lines which were not wrapped, but terminated before the page width, are not so marked.)

-w width
set pagewidth to width columns

This determines where tcpshow will fold long lines, when the -b switch is used.

don't decode the link header

The data link header (Ethernet header) is not decoded and displayed.

don't decode the IP header

The IP header is not decoded and displayed.

don't show the data

The protocol data is not displayed (a count of data bytes is shown).

display only the data

The data, plus a minimal decode of the IP and transport/ICMP headers, is displayed.

-track track TCP sequence numbers

An additional field is produced in the output which shows the TCP acknowledgement number which this side of the connection should receive once the current packet has been received by its peer.

-terse show the header decode in compact format

Without this option, the display of the decoded header is verbose, occupying a lot of display-space real-estate. With this option, the decoded header information is much more compact and terse. Once you're familiar with the meanings of the header fields, you'll probably always use this option. (Maybe this should be the default, with a -verbose flag to get long-winded header decodes?)

don't run tcpdump(1) to pre-process the input

If the input file is already in the expected format, this option must be used. See EXAMPLES below of where this flag is appropriate.

point-to-point link

If the input file was collected from data travelling over a point-to-point link (one which doesn't make an Ethernet header available), this option needs to be used.

also display a hex dump of spurious data at packetend

For a reason unknown to the author, tcpdump(1) output sometimes contains data at the end of packets which don't belong to those packets. This spurious data is suppressed from the output, except when this option is used.

display a help summary

This list of options is displayed, with one-liner descriptions.


filter the input file using a tcpdump(1) expression

If the -cooked option is not used, then tcpdump(1) is required to be on your PATH. It is used to read the raw savefile, producing output in the format tcpshow expects. The expression should be a valid tcpdump(1) expression. It is not parsed or interpreted by tcpshow, but passed on to tcpdump(1) for its consumption.


In the following examples, where tcpdump(1) is used, the flag -s 1518 is used to be sure of saving the complete Ethernet frame.

Also, where tcpdump(1) expressions are used, these could equally have been given to tcpdump(1) directly, if it was known at this time what data you're interested in.

Capture a raw savefile and decode it later.

# tcpdump -s 1518 -w savefile
# tcpshow < savefile

Decode the data as quickly as tcpdump(1) gives it to us.

# tcpdump -s 1518 -lenx | tcpshow

Display headers only.

# tcpshow -nodata < savefile

Display data only (minimal header decode).

# tcpshow -data

Display a decode of Telnet traffic only, omitting the link and IP headers.

# tcpdump -s 1518 -w savefile
# tcpshow -nolink -noip tcp port telnet < savefile

Give a compact display of the TCP headers, and a full display of the data, for all packets going into or coming from the host "sam" -- this host is on a LAN accessible through a PPP link.

# tcpdump -i ppp0 -s 1518 -w savefile
# tcpshow -pp -terse host sam < savefile

Show all SMTP mail transfers, omitting the headers and wrapping the message bodies to make it easy to read them (you're not supposed to do this).

# tcpdump -s 1518 -w savefile
# tcpshow -b -w 40 -data port smtp < savefile

To display a decode of data not captured via tcpdump(1), you would typically use the application that captured the trace to dump that trace into a file in ASCII-hex format. You feed that file into a Perl/sh/awk script (that you write), which produces a file in the format tcpshow expects. Such scripts are easy to write. For example, if your application is "capture" and your script is "convert", then tcpshow might be used as follows.

# capture -hexoutput | convert | tcpshow

A loose definition of the format tcpshow expects is: the 1st line of each packet must begin in column 1. All other lines must begin with a TAB. The hex bytes can be separated from each other by any amount of whitespace, including none.

When using -cooked, the first field should be the time the packet was captured (or a string like "no-time-recorded" if the time isn't available). The remaining fields should be the bytes of the IP datagram.

When -cooked is not used, the first field should be as above, with the next three fields being the Ethernet source address, the Ethernet destination address and the DIX Ethernet Type field.


tcpshow reads from standard input and writes to standard output.


tcpdump(1), nit(4P), bpf(4)


Mike Ryan <>


This program and its source code are freely available. See the Conditions governing their use in the source code.


It should decode IP and TCP options.

It should decode data from application protocols that don't send their data in ASCII (e.g. DNS/BIND).

It should not depend on tcpdump(1) as much as it does. It should be modified to use pcap(3) directly.

It doesn't bother mapping IP addresses into their host names. The option to do this should be provided.

The -terse option should be a default, with -verbose avaiable to produce a verbose display of the headers.