TRACELOOK(1)               UNIX Reference Manual               TRACELOOK(1)

NAME
     tracelook - reveal contents of tcpdump trace files

SYNOPSIS
     tracelook [-nflag] [-Nflag] [-Sflag] tcpdumpfile

DESCRIPTION
     Tracelook reveals the contents of a trace file created via the -w
     argument to the tcpdump(1) command.

     The -nflag argument corresponds with the tcpdump(1) -n argument.  The
     -Nflag argument corresponds to the tcpdump(1) -N argument.  The -Sflag
     argument corresponds with the tcpdump(1) -S argument.

     Tracelook starts by looking for all the TCP connections in tcpdumpfile.
     A hosts window is brought up, listing in the left-hand column the hosts
     involved in the trace, with the number of packets/bytes listed next to
     each host.  The right-hand column lists all the connections in the
     table.

     Clicking on "View" causes a window to open listing the contents of the
     trace file.  If no hosts or connections are selected, the window
     displays all the packets associated with TCP connections in the trace
     file.  If a host is selected, the window displays all the packets
     associated with TCP connections to or from that host.  If a connection
     is selected, the window displays those packets associated with that TCP
     connection.

     Double-clicking one of the connections causes a new window to be
     presented, allowing for various fields to be plotted using xgraph(1).
     When plotting a connection, the user can select various variables to be
     plotted.  In each direction of the connection, the user can plot the
     advertised window in each packet (window), the highest sequence number
     in each packet (seqhigh), the lowest sequence number in each packet
     (seqlow), and the acknowledgement number in each packet (ack).

     The list of connections in the right-hand column can be filtered to
     those involving a single host by selecting (single-clicking) that host
     in the left-hand column.  To restore the list of connections to the
     startup condition, press the "Deselect" button.

     The "Dismiss" button terminates tracelook.

NOTES
     Tracelook needs various supporting script files in order to run.  In
     order to find the files, tracelook initially looks in all the
     directories specified in the PATH variable, trying to find a directory
     "../lib" parallel to each of the bin directories pointed to by the PATH
     variable.  Tracelook also looks for a LIBPATH variable.  In each
     directory discovered, tracelook looks for its support files in that
     directory, as well as in a tracelook/ subdirectory.

     There is a very primitive site configuration mechanism: at the
     beginning of tracelook, there are two variables (AWK and XGRAPH) which
     define the names of the commands to be used to invoke awk(1) and
     xgraph(1) in the local environment.  Additionally, all calls to
     xgraph(1) are made in the routine bg_xgraph_open, which is also in the
     configuration section at the beginning of the file.

ENVIRONMENT
     Tracelook checks the following environment variables: PATH, LIBPATH.

SEE ALSO
     tcpdump(1), xgraph(1).

HISTORY
     Tracelook was written at Ipsilon Networks, Inc., in 1995.

BUGS
     Tracelook should look at all protocols, not just TCP.  Tracelook is
     slow and uses system resources prodigiously.  Tracelook does not appear
     to work with older versions of awk(1).

BSD Experimental               November 13, 1995
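The support-file search described under NOTES is driven by PATH and LIBPATH, so any directory on that list that other users can write to can supply the scripts tracelook runs. The sh functions below are an added example, not part of tracelook: they list the candidate directories in the order NOTES gives and flag the ones that are group- or world-writable. They assume LIBPATH is colon-separated like PATH and that PATH-derived directories are searched first; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not tracelook's own code. Function names are hypothetical.
# Assumptions: LIBPATH is colon-separated like PATH, and the PATH-derived
# "../lib" directories are searched before the LIBPATH ones.

# Print one candidate support-file directory per line.
#   $1 = PATH value, $2 = LIBPATH value
tracelook_candidates() (
    IFS=:        # split on colons; the subshell body keeps IFS changes local
    set -f       # no glob expansion while splitting
    for bindir in $1; do
        [ -n "$bindir" ] || bindir=.    # an empty PATH entry means "."
        printf '%s\n%s\n' "$bindir/../lib" "$bindir/../lib/tracelook"
    done
    for libdir in $2; do
        [ -n "$libdir" ] || continue
        printf '%s\n%s\n' "$libdir" "$libdir/tracelook"
    done
)

# Succeed if $1 is an existing directory writable by group or others.
# -H makes find test the target of a symlink rather than the link itself.
loosely_writable() {
    [ -d "$1" ] || return 1
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print "RISK <dir>" for each existing candidate that is loosely writable.
tracelook_audit() {
    tracelook_candidates "$1" "$2" | while IFS= read -r dir; do
        if loosely_writable "$dir"; then
            printf 'RISK %s\n' "$dir"
        fi
    done
}

# Audit the environment tracelook would be started from.
tracelook_audit "${PATH:-}" "${LIBPATH:-}"
```

A directory reported here should be owned by a trusted account and have group and other write permission removed before tracelook is run from that environment.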