{"id":13435807,"url":"https://github.com/the-tcpdump-group/tcpdump","last_synced_at":"2025-05-14T13:06:30.176Z","repository":{"id":8026619,"uuid":"9435882","full_name":"the-tcpdump-group/tcpdump","owner":"the-tcpdump-group","description":"the TCPdump network dissector","archived":false,"fork":false,"pushed_at":"2025-05-11T13:07:13.000Z","size":27911,"stargazers_count":2903,"open_issues_count":108,"forks_count":873,"subscribers_count":136,"default_branch":"master","last_synced_at":"2025-05-11T14:22:21.534Z","etag":null,"topics":["auditing","berkeley-packet-filter","bpf","bsd-packet-filter","libpcap","packet-capture","pcap","pcapng","security","sniffer","tcpdump","troubleshooting"],"latest_commit_sha":null,"homepage":"https://www.tcpdump.org/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/the-tcpdump-group.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2013-04-14T21:46:15.000Z","updated_at":"2025-05-11T13:07:17.000Z","dependencies_parsed_at":"2023-11-26T07:23:08.297Z","dependency_job_id":"621e48b8-303c-43ad-bf44-77bc89ec1eed","html_url":"https://github.com/the-tcpdump-group/tcpdump","commit_stats":{"total_commits":7119,"total_committers":216,"mean_commits":"32.958333333333336","dds":0.622559348223065,"last_synced_commit":"68ba720493a4afea5c3e7640098b415ca6910e72"},"previous_names":[],"tags_count":49,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/the-tcpdump-group%2Ftcpdump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/the-tcpdump-group%2Ftcpdump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/the-tcpdump-group%2Ftcpdump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/the-tcpdump-group%2Ftcpdump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/the-tcpdump-group","download_url":"https://codeload.github.com/the-tcpdump-group/tcpdump/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254149953,"owners_count":22022851,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auditing","berkeley-packet-filter","bpf","bsd-packet-filter","libpcap","packet-capture","pcap","pcapng","security","sniffer","tcpdump","troubleshooting"],"created_at":"2024-07-31T03:00:39.438Z","updated_at":"2025-05-14T13:06:25.159Z","avatar_url":"https://github.com/the-tcpdump-group.png","language":"C","funding_links":[],"categories":["C","\u003ca id=\"b293f791ec9366957733415323755aa6\"\u003e\u003c/a\u003eTcpdump"],"sub_categories":[],"readme":"# TCPDUMP 4.x.y by [The Tcpdump Group](https://www.tcpdump.org/)\n\n**To report a security issue please send an e-mail to security@tcpdump.org.**\n\nTo report bugs and other problems, contribute patches, request a\nfeature, provide generic feedback etc please see the\n[guidelines for contributing](CONTRIBUTING.md) in the tcpdump source tree root.\n\nAnonymous Git is available via\n\n\thttps://github.com/the-tcpdump-group/tcpdump.git\n\nThis directory contains source code for tcpdump, a tool for network\nmonitoring and data acquisition.\n\nOver the past few years, tcpdump has been steadily improved by the\nexcellent contributions from the Internet community (just browse\nthrough the [change log](CHANGES)).  We are grateful for all the input.\n\n### Supported platforms\nIn many operating systems tcpdump is available as a native package or port,\nwhich simplifies installation of updates and long-term maintenance. However,\nthe native packages are sometimes a few versions behind and to try a more\nrecent snapshot it will take to compile tcpdump from the source code.\n\ntcpdump compiles and works on at least the following platforms:\n\n* [AIX](./doc/README.aix.md)\n* DragonFly BSD\n* FreeBSD\n* [Haiku](./doc/README.haiku.md)\n* HP-UX 11i\n* [illumos](./doc/README.solaris.md) (OmniOS, OpenIndiana)\n* GNU/Hurd\n* GNU/Linux\n* {Mac} OS X / macOS\n* [NetBSD](./doc/README.NetBSD.md)\n* OpenBSD\n* [Solaris](./doc/README.solaris.md)\n* [Windows](./doc/README.windows.md) (requires WinPcap or Npcap, and Visual\n  Studio with CMake)\n\nIn the past tcpdump certainly or likely worked on the following platforms:\n\n* 4.3BSD\n* BSD/386, later BSD/OS\n* DEC OSF/1, later Digital UNIX, later Tru64 UNIX\n* DOS\n* IRIX\n* LynxOS\n* QNX\n* SINIX\n* SunOS\n* Ultrix\n* UnixWare\n\n### Dependency on libpcap\ntcpdump uses libpcap, a system-independent interface for user-level\npacket capture.  If your operating system does not provide libpcap, or\nif it provides a libpcap that does not support the APIs from libpcap 1.0\nor later, you must first retrieve and build libpcap before building\ntcpdump,\n\nOnce libpcap is built (either install it or make sure it's in\n`../libpcap`), you can build tcpdump using the procedure in the\n[installation notes](INSTALL.md).\n\n### Origins of tcpdump\nThe program is loosely based on SMI's \"etherfind\" although none of the\netherfind code remains.  It was originally written by Van Jacobson as\npart of an ongoing research project to investigate and improve TCP and\nInternet gateway performance.  The parts of the program originally\ntaken from Sun's etherfind were later re-written by Steven McCanne of\nLBL.  To insure that there would be no vestige of proprietary code in\ntcpdump, Steve wrote these pieces from the specification given by the\nmanual entry, with no access to the source of tcpdump or etherfind.\n```text\nformerly from\tLawrence Berkeley National Laboratory\n\t\tNetwork Research Group \u003ctcpdump@ee.lbl.gov\u003e\n\t\tftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z (3.4)\n```\n\n### See also\nRichard Stevens gives an excellent treatment of the Internet protocols\nin his book *\"TCP/IP Illustrated, Volume 1\"*. If you want to learn more\nabout tcpdump and how to interpret its output, pick up this book.\n\nAnother tool that tcpdump users might find useful is\n[tcpslice](https://github.com/the-tcpdump-group/tcpslice).\nIt is a program that can be used to extract portions of tcpdump binary\ntrace files.\n\n### The original LBL README by Steve McCanne, Craig Leres and Van Jacobson\n```\nThis directory also contains some short awk programs intended as\nexamples of ways to reduce tcpdump data when you're tracking\nparticular network problems:\n\nsend-ack.awk\n\tSimplifies the tcpdump trace for an ftp (or other unidirectional\n\ttcp transfer).  Since we assume that one host only sends and\n\tthe other only acks, all address information is left off and\n\twe just note if the packet is a \"send\" or an \"ack\".\n\n\tThere is one output line per line of the original trace.\n\tField 1 is the packet time in decimal seconds, relative\n\tto the start of the conversation.  Field 2 is delta-time\n\tfrom last packet.  Field 3 is packet type/direction.\n\t\"Send\" means data going from sender to receiver, \"ack\"\n\tmeans an ack going from the receiver to the sender.  A\n\tpreceding \"*\" indicates that the data is a retransmission.\n\tA preceding \"-\" indicates a hole in the sequence space\n\t(i.e., missing packet(s)), a \"#\" means an odd-size (not max\n\tseg size) packet.  Field 4 has the packet flags\n\t(same format as raw trace).  Field 5 is the sequence\n\tnumber (start seq. num for sender, next expected seq number\n\tfor acks).  The number in parens following an ack is\n\tthe delta-time from the first send of the packet to the\n\tack.  A number in parens following a send is the\n\tdelta-time from the first send of the packet to the\n\tcurrent send (on duplicate packets only).  Duplicate\n\tsends or acks have a number in square brackets showing\n\tthe number of duplicates so far.\n\n\tHere is a short sample from near the start of an ftp:\n\t\t3.00    0.20   send . 512\n\t\t3.20    0.20    ack . 1024  (0.20)\n\t\t3.20    0.00   send P 1024\n\t\t3.40    0.20    ack . 1536  (0.20)\n\t\t3.80    0.40 * send . 0  (3.80) [2]\n\t\t3.82    0.02 *  ack . 1536  (0.62) [2]\n\tThree seconds into the conversation, bytes 512 through 1023\n\twere sent.  200ms later they were acked.  Shortly thereafter\n\tbytes 1024-1535 were sent and again acked after 200ms.\n\tThen, for no apparent reason, 0-511 is retransmitted, 3.8\n\tseconds after its initial send (the round trip time for this\n\tftp was 1sec, +-500ms).  Since the receiver is expecting\n\t1536, 1536 is re-acked when 0 arrives.\n\npacketdat.awk\n\tComputes chunk summary data for an ftp (or similar\n\tunidirectional tcp transfer). [A \"chunk\" refers to\n\ta chunk of the sequence space -- essentially the packet\n\tsequence number divided by the max segment size.]\n\n\tA summary line is printed showing the number of chunks,\n\tthe number of packets it took to send that many chunks\n\t(if there are no lost or duplicated packets, the number\n\tof packets should equal the number of chunks) and the\n\tnumber of acks.\n\n\tFollowing the summary line is one line of information\n\tper chunk.  The line contains eight fields:\n\t   1 - the chunk number\n\t   2 - the start sequence number for this chunk\n\t   3 - time of first send\n\t   4 - time of last send\n\t   5 - time of first ack\n\t   6 - time of last ack\n\t   7 - number of times chunk was sent\n\t   8 - number of times chunk was acked\n\t(all times are in decimal seconds, relative to the start\n\tof the conversation.)\n\n\tAs an example, here is the first part of the output for\n\tan ftp trace:\n\n\t# 134 chunks.  536 packets sent.  508 acks.\n\t1       1       0.00    5.80    0.20    0.20    4       1\n\t2       513     0.28    6.20    0.40    0.40    4       1\n\t3       1025    1.16    6.32    1.20    1.20    4       1\n\t4       1561    1.86    15.00   2.00    2.00    6       1\n\t5       2049    2.16    15.44   2.20    2.20    5       1\n\t6       2585    2.64    16.44   2.80    2.80    5       1\n\t7       3073    3.00    16.66   3.20    3.20    4       1\n\t8       3609    3.20    17.24   3.40    5.82    4       11\n\t9       4097    6.02    6.58    6.20    6.80    2       5\n\n\tThis says that 134 chunks were transferred (about 70K\n\tsince the average packet size was 512 bytes).  It took\n\t536 packets to transfer the data (i.e., on the average\n\teach chunk was transmitted four times).  Looking at,\n\tsay, chunk 4, we see it represents the 512 bytes of\n\tsequence space from 1561 to 2048.  It was first sent\n\t1.86 seconds into the conversation.  It was last\n\tsent 15 seconds into the conversation and was sent\n\ta total of 6 times (i.e., it was retransmitted every\n\t2 seconds on the average).  It was acked once, 140ms\n\tafter it first arrived.\n\nstime.awk\natime.awk\n\tOutput one line per send or ack, respectively, in the form\n\t\t\u003ctime\u003e \u003cseq. number\u003e\n\twhere \u003ctime\u003e is the time in seconds since the start of the\n\ttransfer and \u003cseq. number\u003e is the sequence number being sent\n\tor acked.  I typically plot this data looking for suspicious\n\tpatterns.\n\n\nThe problem I was looking at was the bulk-data-transfer\nthroughput of medium delay network paths (1-6 sec.  round trip\ntime) under typical DARPA Internet conditions.  The trace of the\nftp transfer of a large file was used as the raw data source.\nThe method was:\n\n  - On a local host (but not the Sun running tcpdump), connect to\n    the remote ftp.\n\n  - On the monitor Sun, start the trace going.  E.g.,\n      tcpdump host local-host and remote-host and port ftp-data \u003etracefile\n\n  - On local, do either a get or put of a large file (~500KB),\n    preferably to the null device (to minimize effects like\n    closing the receive window while waiting for a disk write).\n\n  - When transfer is finished, stop tcpdump.  Use awk to make up\n    two files of summary data (maxsize is the maximum packet size,\n    tracedata is the file of tcpdump tracedata):\n      awk -f send-ack.awk packetsize=avgsize tracedata \u003esa\n      awk -f packetdat.awk packetsize=avgsize tracedata \u003epd\n\n  - While the summary data files are printing, take a look at\n    how the transfer behaved:\n      awk -f stime.awk tracedata | xgraph\n    (90% of what you learn seems to happen in this step).\n\n  - Do all of the above steps several times, both directions,\n    at different times of day, with different protocol\n    implementations on the other end.\n\n  - Using one of the Unix data analysis packages (in my case,\n    S and Gary Perlman's Unix|Stat), spend a few months staring\n    at the data.\n\n  - Change something in the local protocol implementation and\n    redo the steps above.\n\n  - Once a week, tell your funding agent that you're discovering\n    wonderful things and you'll write up that research report\n    \"real soon now\".\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthe-tcpdump-group%2Ftcpdump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthe-tcpdump-group%2Ftcpdump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthe-tcpdump-group%2Ftcpdump/lists"}