Packet Capture and Analysis Tools:

Detect protocol problems via the analysis of packets, trouble shooting

• tcpdump: Packet capture tool based on the libpcap library. http://www.tcpdump.org/
• snoop: tcpdump equivalent in Sun's Solaris operating system
• Wireshark (formerly called Ethereal): Extended tcpdump with a user-friendly GUI. Its plugin architecture allowed many protocol-specific "dissectors" to be written. Also includes some analysis tools useful for performance debugging.
• libtrace: A library for trace processing; works with libpcap (tcpdump) and other formats.
• Netdude: The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files.
• jnettop: Captures traffic coming across the host it is running on and displays streams sorted by the bandwidth they use.
• tcptrace: a statistics/analysis tool for TCP sessions using tcpdump capture files
• capturing packets with Endace DAG cards (dagsnap, dagconvert, ...)

General Hints for Taking Packet Traces

Capture enough data - you can always throw away stuff later. Note that tcpdump's default capture length is small (96 bytes), so use -s 0 (or something like -s 1540) if you are interested in payloads. Wireshark and snoop capture entire packets by default. Seemingly unrelated traffic can impact performance. For example, Web pages from foo.example.com may load slowly because of the images from adserver.example.net . In situations of high background traffic, it may however be necessary to filter out unrelated traffic.

It can be extremely useful to collect packet traces from multiple points in the network

• On the endpoints of the communication
• Near "suspicious" intermediate points such as firewalls

Synchronized clocks (e.g. by NTP) are very useful for matching traces.

Address-to-name resolution can slow down display and causes additional traffic which confuses the trace. With tcpdump, consider using -n or tracing to file (-w file).

Request remote packet traces

When a packet trace from a remote site is required, this often means having to ask someone at that site to provide it. When requesting such a trace, consider making this as easy as possible for the person having to do it. Try to use a packet tracing tool that is already available - tcpdump for most BSD or Linux systems, snoop for Solaris machines. Windows doesn't seem to come bundled with a packet capturing program, but you can direct the user to Wireshark, which is reasonably easy to install and use under Windows. Try to give clean indications on how to call the packet capture program. It is usually best to ask the user to capture to a file, and then send you the capture file as an e-mail attachment or so.

References

• Presentation slides from a short talk about packet capturing techniques given at the network performance section of the January 2006 GEANT2 technical workshop

– Main.FrancoisXavierAndreu - 06 Jun 2005
-- Main.SimonLeinen - 05 Jan 2006-09 Apr 2006
– Main.PekkaSavola - 26 Oct 2006