Printing
The -p option prints information from the Ethernet, IP, and TCP/UDP
headers for all the packets found in the dumpfile.
For example,
Beluga:/Users/mani> tcptrace -p malus.dmp.gz
produces output as shown below for all the packets found in the file malus.dmp.gz (tcptrace reads gzip-compressed dumpfiles directly, as the example shows).
. . .
Packet 2
  Packet Length: 74
  Collected: Thu Jul 10 19:12:54.987110 2003
        ETH Srce: 00:00:00:00:00:00
        ETH Dest: 00:00:00:00:00:00
            Type: 0x800 (IP)
         IP VERS: 4
         IP Srce: 17.112.152.32 (a17-112-152-32.apple.com)
         IP Dest: 132.235.3.153 (elephus.cs.ohiou.edu)
            Type: 0x6 (TCP)
            HLEN: 20
             TTL: 50
             LEN: 60
              ID: 32113
           CKSUM: 0x9936
          OFFSET: 0x4000 Don't Fragment
        TCP SPRT: 80 (http)
            DPRT: 59518
             FLG: -A--S- (0x12)
             SEQ: 0x1fbdbe84
             ACK: 0x0f455ca5
             WIN: 33304
            HLEN: 40
           CKSUM: 0xfa0f
            DLEN: 0
            OPTS: 20 bytes   MSS(1460) WS(0) TS(-202350942,1957864058)
Packet 3
. . .
As illustrated above, detailed information from the Ethernet, IP and TCP headers is printed for every packet. The -X option, which is on by default, prints fields such as SEQ and ACK in hexadecimal; use the -D option to print them in decimal instead. Since -p produces a great deal of output for every packet, you will usually want to combine it with the -B and/or -E options (Section 6.1) to restrict the range of packets that is printed to the ones of interest.
On the other hand, if you are using the -o/-i options (Section 6.1) or the --oUDP/--iUDP options (Section 8.1) to select particular TCP or UDP connections, use the -P option (instead of -p) to print packet information for the selected connections only. For example,
tcptrace -n -o1,3 -P sirius.dmp
prints header information only for the packets belonging to TCP connections 1 and 3 in the dumpfile sirius.dmp; the -n option suppresses the DNS and service-name lookups, so addresses and ports are printed numerically.
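The field layout shown above is regular enough to parse, which matters when -p or -P output for thousands of packets has to be triaged by script rather than read. The following Python parser is an added example, not part of tcptrace or its documentation: it splits -p output into per-packet, per-layer fields (so the two HLEN and two Type fields are kept apart), decodes the FLG column and cross-checks the flag letters against the hex byte, and converts the -X hexadecimal SEQ/ACK values into the decimal form -D would print. The embedded sample is Packet 2 from the listing above; the Packet dataclass, the function names and the treatment of ". . ." lines are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Sample `tcptrace -p` output: Packet 2 as printed on the manual page.
# A real dump repeats one such block per packet.
SAMPLE_P_OUTPUT = """\
. . .
Packet 2
  Packet Length: 74
  Collected: Thu Jul 10 19:12:54.987110 2003
        ETH Srce: 00:00:00:00:00:00
        ETH Dest: 00:00:00:00:00:00
            Type: 0x800 (IP)
         IP VERS: 4
         IP Srce: 17.112.152.32 (a17-112-152-32.apple.com)
         IP Dest: 132.235.3.153 (elephus.cs.ohiou.edu)
            Type: 0x6 (TCP)
            HLEN: 20
             TTL: 50
             LEN: 60
              ID: 32113
           CKSUM: 0x9936
          OFFSET: 0x4000 Don't Fragment
        TCP SPRT: 80 (http)
            DPRT: 59518
             FLG: -A--S- (0x12)
             SEQ: 0x1fbdbe84
             ACK: 0x0f455ca5
             WIN: 33304
            HLEN: 40
           CKSUM: 0xfa0f
            DLEN: 0
            OPTS: 20 bytes   MSS(1460) WS(0) TS(-202350942,1957864058)
. . .
"""

PACKET_RE = re.compile(r"^\s*Packet\s+(\d+)\s*$")
# Optional layer prefix (ETH/IP/TCP/UDP), then "Field: value"; keys may contain a space.
FIELD_RE = re.compile(r"^\s*(?:(ETH|IP|TCP|UDP)\s+)?([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

# tcptrace prints the flags in UAPRSF order; these are the matching header bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
TCP_FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG"}


@dataclass
class Packet:
    """One packet: number plus layer -> {field: value}. (Assumed structure, not tcptrace's.)"""
    num: int
    layers: Dict[str, Dict[str, str]] = field(default_factory=dict)


def parse_tcptrace_p(text: str) -> List[Packet]:
    """Split -p output into Packet records.

    A layer prefix ("ETH Srce", "IP VERS", "TCP SPRT") switches the current
    layer; unprefixed lines belong to the layer last seen. Lines before the
    first "Packet N" header and anything without a colon (". . .") are skipped.
    """
    packets: List[Packet] = []
    cur = None
    layer = "PKT"
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            cur = Packet(num=int(m.group(1)))
            packets.append(cur)
            layer = "PKT"
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        prefix, key, value = m.groups()
        if prefix:
            layer = prefix
        cur.layers.setdefault(layer, {})[key] = value
    return packets


def tcp_flags(flg: str) -> Tuple[Set[str], int]:
    """Decode a FLG field such as '-A--S- (0x12)' into ({'ACK', 'SYN'}, 0x12).

    The letters and the raw byte are cross-checked so a mangled line fails
    loudly instead of being misread; ECE/CWR (0x40/0x80) have no letter and
    are masked out of the comparison.
    """
    letters, raw = flg.split()
    value = int(raw.strip("()"), 16)
    names = {TCP_FLAG_NAMES[c] for c in letters if c != "-"}
    mask = sum(TCP_FLAG_BITS[c] for c in letters if c != "-")
    if mask != value & 0x3F:
        raise ValueError(f"flag letters {letters!r} disagree with byte {raw}")
    return names, value


def hex_field(value: str) -> int:
    """Turn a -X style field ('0x1fbdbe84') into the integer -D would print."""
    return int(value, 16)


def summarize(pkt: Packet) -> str:
    """One-line digest of the kind a triage script would log."""
    ip, tcp = pkt.layers["IP"], pkt.layers["TCP"]
    flags, _ = tcp_flags(tcp["FLG"])
    src, dst = ip["Srce"].split()[0], ip["Dest"].split()[0]
    sport, dport = tcp["SPRT"].split()[0], tcp["DPRT"].split()[0]
    return (f"#{pkt.num} {src}:{sport} -> {dst}:{dport} [{','.join(sorted(flags))}] "
            f"seq={hex_field(tcp['SEQ'])} ack={hex_field(tcp['ACK'])}")


if __name__ == "__main__":
    for p in parse_tcptrace_p(SAMPLE_P_OUTPUT):
        print(summarize(p))
```

To run it on a real trace, pipe the tool's output in: `tcptrace -n -p dump.dmp | python3 parse_p.py` with a `sys.stdin.read()` in place of the sample; -n keeps the Srce/Dest values as bare addresses, which the `.split()[0]` in `summarize` also tolerates when hostnames are present.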
Extracting
The -e option can be used to extract the contents (TCP data payload)
of each connection into a separate data file.
For example,
Beluga:/Users/mani> tcptrace -e albus.dmp
generates the files a2b_contents.dat, b2a_contents.dat, c2d_contents.dat and d2c_contents.dat if albus.dmp contains two traced TCP connections: one file per direction, named after the endpoint letters tcptrace assigns to the connection's hosts. The contents are reconstructed from the sequence numbers rather than simply concatenated in arrival order, so retransmitted data is written only once and wrap-arounds of the 32-bit sequence space are handled correctly. tcptrace can only reproduce the bytes that were actually captured, however: if the trace was taken with a snaplen that truncated the packets, the contents files will be incomplete. Capture full packets (for example, tcpdump -s 0) whenever you intend to extract payloads.
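The two properties claimed above, retransmissions written once and correct ordering across a sequence-number wrap, are easy to get wrong, and a truncated capture shows up as holes in the result. The following Python reassembler is an added example, not tcptrace's code: it places each captured payload at its offset from the first data byte (computed modulo 2^32, which is what makes a wrapped sequence number sort after the bytes before it), counts duplicate and conflicting bytes, and reports the ranges that were never captured. The segments, the base sequence number, and the choice to fill holes with 0x00 are constructed for this example; how tcptrace itself represents holes is not described on the page.

```python
from typing import Dict, Iterable, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap

# Constructed sample, not a real capture. The first data byte is at
# 0xFFFFFFF0, so the request wraps through 0 after 16 bytes. Segments are
# (sequence number, captured payload):
#   - the first segment is seen twice (a retransmission),
#   - the "Host: a\r\n" segment (9 bytes on the wire) was captured with a
#     short snaplen, so only its first 4 bytes are present,
#   - the final CRLF arrives intact at 0x0A + 9 = 0x13.
SAMPLE_BASE_SEQ = 0xFFFFFFF0
SAMPLE_SEGMENTS: List[Tuple[int, bytes]] = [
    (0xFFFFFFF0, b"GET /index.html "),
    (0x00000000, b"HTTP/1.0\r\n"),
    (0xFFFFFFF0, b"GET /index.html "),  # retransmission of the first segment
    (0x0000000A, b"Host"),              # truncated by snaplen
    (0x00000013, b"\r\n"),
]


def rel_offset(seq: int, base_seq: int) -> int:
    """Byte offset of `seq` from the first data byte, modulo 2**32.

    (0x00000000 - 0xFFFFFFF0) % 2**32 == 16, so data after the wrap lands
    after the data before it instead of at a negative offset.
    """
    return (seq - base_seq) % SEQ_MOD


def missing_ranges(buf: Dict[int, int], end: int) -> List[Tuple[int, int]]:
    """Collapse offsets in [0, end) that are absent from `buf` into [start, stop) ranges."""
    ranges: List[Tuple[int, int]] = []
    start = None
    for off in range(end + 1):
        present = off == end or off in buf
        if not present and start is None:
            start = off
        elif present and start is not None:
            ranges.append((start, off))
            start = None
    return ranges


def reassemble(base_seq: int, segments: Iterable[Tuple[int, bytes]]):
    """Rebuild one direction of a TCP stream from captured payloads.

    Returns (data, gaps, duplicate_bytes, conflicting_bytes):
      data              - the byte stream, 0x00 where nothing was captured (a choice
                          made here, not tcptrace's documented behaviour)
      gaps              - [start, stop) ranges of bytes never seen, e.g. snaplen loss
      duplicate_bytes   - bytes seen again with identical content (retransmissions)
      conflicting_bytes - bytes seen again with different content; a well-behaved
                          sender never does this, and OS stacks disagree on which
                          copy wins, which is the ambiguity IDS-evasion tools exploit
    """
    buf: Dict[int, int] = {}
    dups = conflicts = 0
    for seq, payload in segments:
        start = rel_offset(seq, base_seq)
        for i, byte in enumerate(payload):
            off = start + i
            if off in buf:
                if buf[off] == byte:
                    dups += 1
                else:
                    conflicts += 1  # keep the first copy seen; only count the clash
                continue
            buf[off] = byte
    end = max(buf) + 1 if buf else 0
    data = bytes(buf.get(off, 0) for off in range(end))
    return data, missing_ranges(buf, end), dups, conflicts


if __name__ == "__main__":
    data, gaps, dups, conflicts = reassemble(SAMPLE_BASE_SEQ, SAMPLE_SEGMENTS)
    print(data)
    print(f"missing ranges: {gaps}  duplicate bytes: {dups}  conflicts: {conflicts}")
```

A non-empty `gaps` list on a stream you extracted is the signal to re-capture with a larger snaplen; a non-zero `conflicts` count is worth a closer look, since payload that changes under the same sequence number is not something a normal TCP sender produces.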