G.5. tcpdump

This is a good time to mention that tcpdump can capture and store packet flows for later analysis. Frequently, you may find yourself on a machine without a top-notch packet analysis utility such as ethereal. Fortunately, you can create tcpdump data files and view them afterwards with a tool such as ethereal. Even if a stream analysis tool is not available, the documentation for ethereal is tremendously helpful in packet analysis.
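When no analysis tool is at hand, a stored capture can still be inspected directly, because `tcpdump -w` writes the classic pcap savefile layout: a 24-byte global header followed by a 16-byte header per packet. The reader below is an added example, not code from the original guide. The names `read_pcap` and `build_sample` and the sample bytes are constructed for illustration, and the code goes slightly beyond the text by handling both byte orders and a capture that was cut off mid-record.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def read_pcap(data):
    """Parse a classic pcap savefile (as written by tcpdump -w) from bytes."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"      # file written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"      # file written on a big-endian host
    else:                 # pcapng and nanosecond variants are not handled here
        raise ValueError("not a classic microsecond pcap file")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    packets, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + caplen]
        if len(frame) < caplen:
            break         # capture ended mid-record; keep only whole packets
        offset += 16 + caplen
        proto = "?"
        if linktype == 1 and len(frame) >= 14:    # 1 = Ethernet
            ethertype = struct.unpack("!H", frame[12:14])[0]
            proto = ETHERTYPES.get(ethertype, hex(ethertype))
        # caplen < origlen means the snapshot length truncated the packet
        packets.append({"ts": sec + usec / 1e6, "caplen": caplen,
                        "origlen": origlen, "proto": proto})
    return {"version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}

def build_sample():
    """Constructed sample: one ARP broadcast and one snaplen-truncated IPv4 frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    host_a, host_b = b"\x00\x80\xc8\x00\x00\x01", b"\x00\x80\xc8\x00\x00\x02"
    arp = b"\xff" * 6 + host_a + b"\x08\x06" + b"\x00" * 28
    ip = host_b + host_a + b"\x08\x00" + b"\x45" + b"\x00" * 81
    rec1 = struct.pack("<IIII", 1000, 500000, len(arp), len(arp)) + arp
    rec2 = struct.pack("<IIII", 1001, 0, len(ip), 1514) + ip
    return hdr + rec1 + rec2

if __name__ == "__main__":
    for pkt in read_pcap(build_sample())["packets"]:
        print(pkt)
```

A packet whose `caplen` is smaller than its `origlen` was cut short by the snapshot length in effect at capture time, so its payload cannot be fully reconstructed later.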

G.5.1. Using tcpdump to view ARP messages

Example G.16. Viewing an ARP broadcast request and reply with tcpdump



Example G.17. Viewing a gratuitous ARP packet with tcpdump



Example G.18. Viewing unicast ARP packets with tcpdump



G.5.2. Using tcpdump to see ICMP unreachable messages

Example G.19. tcpdump reporting port unreachable



Example G.20. tcpdump reporting host unreachable



Example G.21. tcpdump reporting net unreachable



G.5.3. Using tcpdump to watch TCP sessions

Example G.22. Monitoring TCP window sizes with tcpdump



Example G.23. Examining TCP flags with tcpdump



Example G.24. Examining TCP acknowledgement numbers with tcpdump



G.5.4. Reading and writing tcpdump data

Example G.25. Writing tcpdump data to a file



Example G.26. Reading tcpdump data from a file



Example G.27. Causing tcpdump to use a line buffer



G.5.5. Understanding fragmentation as reported by tcpdump

Example G.28. Understanding fragmentation as reported by tcpdump



G.5.6. Other options to the tcpdump command

Example G.29. Specifying interface with tcpdump



Example G.30. Timestamp related options to tcpdump
