Subject: Re: ascii dump for tcpdump (was Re: truss-like command for netbsd)
To: Robert Elz <kre@munnari.OZ.AU>
From: Simon J. Gerraty <email@example.com>
Date: 10/13/1998 22:06:42
>On the subject, I'm not sure that ascii conversion of tcpdump output is
>worth the code it would consume - even the hex output is really useful only
>when you're faced with protocols that tcpdump doesn't understand, and you
>want to figure out what's going on the hard way (usually it is easier to
>add the relevant decode to tcpdump, which is why the dhcp mods got made...)
Yes, true... but I've found the hex output invaluable for:
1/ capturing packets for editing/regenerating
- handy for reproducing odd failure modes in routers :-)
- or for generating a RIP storm in the test-lab.
2/ dealing with "protocols that tcpdump doesn't understand"
- when you have a 1000+ router network in melt-down, people don't
want to wait any longer than necessary for the fault to be
The ascii bit just makes it a bit easier to locate the relevant packets.
As for code size, about 400 lines of easy to read code - for both
the hex/ascii and print-telnet junk in my original patches. Alan
Barrett's hex/ascii version was much more compact.
Of course at that 1000+ router site we have lots of dedicated "sniffer"s
but they just tend not to be in the right place when the sh^& hits
the fan :-) With 80+ workstations round the country each with tcpdump
available - we have a handy fall-back.
So yes I agree that proper protocol decode is good but the hex/ascii is