NAME¶
tcpprof —
report profile of network
traffic
SYNOPSIS¶
| tcpprof |
[-?hdnpR]
[-f filter
expr] [-i
interface]
[-P port]
[-r
filename]
[-s
seconds]
[-S
letters]
[-t
lines] |
DESCRIPTION¶
tcpprof reports a profile of network traffic by ranking it by
link type, ip protocol, TCP/UDP port, ip address, or network address.
Network information is collected either by reading data from
filename, or by directly monitoring the network
interface
interface. The default action for
tcpprof is to automatically search for an appropriate
interface, and to generate a profile before it exits.
When reading data from
filename,
tcpprof
will display the profile and exit immediately after the entire file has been
processed. When collecting data from
interface,
tcpprof will keep running unless the
-s
option had been specified.
OPTIONS¶
The options are as follows:
- -f
filter expr
- Filter the packets according the rules given by
filter expr. For the syntax of these rules, see
tcpdump(1). The argument must be quoted if it contains
spaces in order to separate it from other options.
- -h,
-?
- Display version and a brief help message.
- -d
- tcpprof will track the source and
destination information separately, where applicable, and identify source
data with a ">" and destination data with "<".
For example, a "http <" statistic signifies all traffic with
destination port 80 (http). This option only applies to port, host and
network statistics.
- -i
interface
- Do a live capture (rather than read from a file) on the
interface interface given on the command line. If
interface is "auto" then
tcpprof tries to find an appropriate one by itself.
- -P
port
- This tells tcpprof to ignore TCP and UDP
ports greater than or equal to port when displaying
port statistics. This is not the same as filtering these port numbers out
of the data set. This way, packets with i.e. the source port above
port and the destination port below
port will be able to still count the lower port
number as a statistic. In addition, this doesn't affect the other
statistic types (link, protocol, etc.)
- -p
- Set the interface into non-promiscuous mode (promiscuous is
the default) when doing live captures.
- -r
filename
- Read all data from filename, which
may be a regular file, a named pipe or "-" to read it's data
from standard input. Acceptable file formats include pcap
(tcpdump(1) files) and "snoop" format files.
filename is usually a file created by the
tcpdump(1) command using the "-w" option.
- -S
letters
- Tells tcpprof which statistics to
display. letters must be a string of one or more of
the following letters:
- l
- show stats about the link layer
- i
- show stats about all ip protocols
- p
- show stats about TCP/UDP ports
- h
- show stats about hosts/ip addresses
- n
- show stats about network addresses
- a
- a synonym for "liphn"
- -s
seconds
- When monitoring an interface, tcpprof
runs for only seconds seconds, and then quits. Has
no effect when reading data from a file.
- -t
lines
- When printing a profile of the data,
tcpprof will display a maximum of
lines lines for each statistic.
SIGNALS¶
Upon receiving a SIGINT,
tcpprof will print any remaining
statistics, and then exit.
FILES¶
- /dev/bpfn
- the packet filter device
EXAMPLES¶
tcpprof -i fxp0 -S a
Displays a complete profile of network data passing through the fxp0 network
interface, after the user enters ^C (control C).
tcpprof -r file.dump -S a
Displays a complete profile of network data from the
tcpdump(1) generated file "file.dump".
SEE ALSO¶
tcpdump(1),
pcap(3),
bpf(4)
HISTORY¶
tcpprof was first written along side tcpstat in Winter 1998
using FreeBSD 3.0, and then finally retrofitted for Linux in Spring 2000. It
became installed along with tcpstat since version 1.5.
AUTHORS¶
Paul Herman ⟨pherman@frenchfries.net⟩
Cologne, Germany.
Please send all bug reports to this address.
BUGS¶
Not tested with link types other than Ethernet, PPP, and "None" types.
There may be problems reading non-IPv4 packets across platforms when reading
null type link layers. This is due to a lack of a standardized packet type
descriptor in libpcap for this link type.
Snoop file formats cannot be read from stdin or named pipes.
