Subject: Re: ascii dump for tcpdump (was Re: truss-like command for netbsd)
To: Robert Elz <kre@munnari.OZ.AU>
From: Simon J. Gerraty <>
List: current-users
Date: 10/13/1998 22:06:42
>On the subject, I'm not sure that ascii conversion of tcpdump output is
>worth the code it would consume - even the hex output is really useful only
>when you're faced with protocols that tcpdump doesn't understand, and you
>want to figure out what's going on the hard way (usually it is easier to
>add the relevant decode to tcpdump, which is why the dhcp mods got made...)

Yes, true... but I've found the hex output invaluable for:

1/	capturing packets for editing/regenerating
	- handy for reproducing odd failure modes in routers :-)
	- or for generating a RIP storm in the test-lab.
2/	dealing with "protocols that tcpdump doesn't understand"
	- when you have a 1000+ router network in melt-down, people don't
	want to wait any longer than necessary for the fault to be 
	characterized etc.

The ascii bit just makes it a bit easier to locate the relevant packets.
As for code size, about 400 lines of easy to read code - for both 
the hex/ascii and print-telnet junk in my original patches.  Alan
Barrett's hex/ascii version was much more compact.

Of course at that 1000+ router site we have lots of dedicated "sniffer"s 
but they just tend not to be in the right place when the sh^& hits 
the fan :-)  With 80+ workstations round the country each with tcpdump
available - we have a handy fall-back.

So yes I agree that proper protocol decode is good but the hex/ascii is