This is a page with links to various tools, many of which can process tcpdump output and, for example, generate statistics.
Libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.
Replays a pcap file on an interface using libnet.
Makes output from the tcpdump program easier to read and parse.
ttt is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won't replace tcpdump, rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.
USI++ is a C++-library that is a wrapper on top of libpcap. It allows you to handle packets at a fairly high-level.
The Internet Traffic Archive is a moderated repository to support widespread access to traces of Internet network traffic, sponsored by ACM SIGCOMM. The traces can be used to study network dynamics, usage characteristics, and growth patterns, as well as providing the grist for trace-driven simulations. The archive is also open to programs for reducing raw trace data to more manageable forms, for generating synthetic traces, and for analyzing traces.
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
TCPTrace analyzes the behavior of captured TCP streams, and accepts many trace file formats (including pcap). It provides connection statistics and several types of graphs, including the widely-used time-sequence graphs.
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
which functions as a command-line (well, full-screen) "network 'top'", showing who's sending most of the data on a network, as well as a Web server that can cough up Charts And Graphs from network traffic (or, at least, can cough up tables that can be fed to gnuplot to draw charts and graphs).
A free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
(The tool formerly known as Ethereal, which still exists as a seperate project, lead by Ethereal Software. They provide training for it. See for details
Includes a tool to combine multiple capture files and produce a combined file, sorted by packet time stamp.
CoralReef is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl. The software presently supports dedicated PC boxes using OC3mon and OC12mon cards that collect traffic data in real time, as well as reading from pcap tracefiles. Version 3.4 to be released soon supports listening via bpf enabled devices. CoralReef includes drivers, analysis, web report generation, examples, and capture software. This package is maintained by CAIDA developers with the support and collaboration of the Internet measurement community.
tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
netdude (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."
The libpcap interface supports a filtering mechanism based on the architecture in the BSD packet filter. BPF is described in the 1993 Winter Usenix paper ``The BSD Packet Filter: A New Architecture for User-level Packet Capture''.
by Andrew Begel, Steven McCanne, and Susan Graham, originally at: http://www.cs.berkeley.edu/~abegel/sigcomm99/bpf+.ps
A paper presented at SIGCOMM '96 on an enhanced version of BPF.
he program xplot was written in the late 1980s to support the analysis of TCP packet traces.
MultiTail now has a colorscheme included for monitoring the tcpdump output. It can also filter, convert timestamps to timestrings and much more.