The following is a demonstration of the tcpsnoop program.

Here we run tcpsnoop and wait for new TCP connections to be established,
     UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 <- 192.168.1.1        79    66 finger
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    56 finger
     100  20892 192.168.1.5     36398 <- 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 <- 192.168.1.1        79   606 finger
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 <- 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 -> 192.168.1.1        79    54 finger
     100  20892 192.168.1.5     36398 <- 192.168.1.1        79    54 finger
       0    242 192.168.1.5        23 <- 192.168.1.1     54224    54 inetd
       0    242 192.168.1.5        23 -> 192.168.1.1     54224    54 inetd
       0    242 192.168.1.5        23 <- 192.168.1.1     54224    54 inetd
       0    242 192.168.1.5        23 <- 192.168.1.1     54224    78 inetd
       0    242 192.168.1.5        23 -> 192.168.1.1     54224    54 inetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    57 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    54 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    78 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    57 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    54 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    54 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    60 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    63 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    54 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    60 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    60 in.telnetd
       0  20893 192.168.1.5        23 <- 192.168.1.1     54224    60 in.telnetd
       0  20893 192.168.1.5        23 -> 192.168.1.1     54224    72 in.telnetd
As new connections are made, each TCP packet is traced along with the UID,
PID and command name of the process that owns the connection.

tcpsnoop has many options; for example, here we use "-v" to print times,
   STRTIME               UID    PID LADDR           LPORT DR RADDR           RPORT  SIZE CMD
   2005 Jul 11 21:21:19    0    242 192.168.1.5        79 <- 192.168.1.1     49001    54 inetd
   2005 Jul 11 21:21:19    0    242 192.168.1.5        79 -> 192.168.1.1     49001    54 inetd
   2005 Jul 11 21:21:19    0    242 192.168.1.5        79 <- 192.168.1.1     49001    54 inetd
   2005 Jul 11 21:21:19    0    242 192.168.1.5        79 <- 192.168.1.1     49001    56 inetd
   2005 Jul 11 21:21:19    0    242 192.168.1.5        79 -> 192.168.1.1     49001    54 inetd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 -> 192.168.1.1     49001   444 in.fingerd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 -> 192.168.1.1     49001    54 in.fingerd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 <- 192.168.1.1     49001    54 in.fingerd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 <- 192.168.1.1     49001    54 in.fingerd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 <- 192.168.1.1     49001    54 in.fingerd
   2005 Jul 11 21:21:19    0  23181 192.168.1.5        79 -> 192.168.1.1     49001    54 in.fingerd
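Per-packet output like the two listings above gets long quickly on a busy host. As an added example (not part of the DTraceToolkit or of this demonstration), the Python script below parses tcpsnoop records in both the plain format and the "-v" format with its leading STRTIME column, and folds them into per-connection byte counts split by direction, keyed by the owning PID and the address 4-tuple. The sample records embedded in it are copied from the output above; the Flow field names and the SAMPLE constant are this script's own choices.

```python
"""Summarize tcpsnoop per-packet output into per-connection byte counts.

Added example, not part of the DTraceToolkit or of the demonstration above.
It accepts both output formats shown above: the plain format and the "-v"
format, whose records are prefixed by a STRTIME column such as
"2005 Jul 11 21:21:19". Records are parsed from the right, so the fixed
nine fields are found regardless of how many tokens the timestamp has.
"""
from dataclasses import dataclass

# Fixed columns of a tcpsnoop record, in order (from the header line).
FIELDS = ("UID", "PID", "LADDR", "LPORT", "DR", "RADDR", "RPORT", "SIZE", "CMD")

# Constructed sample: records copied from the demonstration above, one plain
# block (a finger client, PID 20892) and one "-v" block (in.fingerd, PID 23181).
SAMPLE = """\
UID PID LADDR LPORT DR RADDR RPORT SIZE CMD
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 <- 192.168.1.1 79 66 finger
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 56 finger
100 20892 192.168.1.5 36398 <- 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 <- 192.168.1.1 79 606 finger
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 <- 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 -> 192.168.1.1 79 54 finger
100 20892 192.168.1.5 36398 <- 192.168.1.1 79 54 finger
STRTIME UID PID LADDR LPORT DR RADDR RPORT SIZE CMD
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 -> 192.168.1.1 49001 444 in.fingerd
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 -> 192.168.1.1 49001 54 in.fingerd
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 <- 192.168.1.1 49001 54 in.fingerd
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 <- 192.168.1.1 49001 54 in.fingerd
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 <- 192.168.1.1 49001 54 in.fingerd
2005 Jul 11 21:21:19 0 23181 192.168.1.5 79 -> 192.168.1.1 49001 54 in.fingerd
"""


@dataclass
class Flow:
    """One TCP connection as seen by tcpsnoop, with per-direction byte totals."""
    uid: int
    pid: int
    cmd: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    first_seen: str = ""   # STRTIME of the first record; empty without -v
    packets: int = 0
    sent_bytes: int = 0    # DR "->": local host to remote host
    recv_bytes: int = 0    # DR "<-": remote host to local host


def parse_line(line):
    """Return one record as a dict, or None for header, blank or malformed lines."""
    tokens = line.split()
    if len(tokens) < len(FIELDS) or tokens[0] in ("UID", "STRTIME"):
        return None
    # The last nine tokens are the fixed fields; anything before is the timestamp.
    *stamp, uid, pid, laddr, lport, dr, raddr, rport, size, cmd = tokens
    if dr not in ("->", "<-"):
        return None
    return {"time": " ".join(stamp), "uid": int(uid), "pid": int(pid),
            "laddr": laddr, "lport": int(lport), "dr": dr, "raddr": raddr,
            "rport": int(rport), "size": int(size), "cmd": cmd}


def summarize(lines):
    """Fold records into Flow objects keyed by owning PID and the address 4-tuple."""
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["laddr"], rec["lport"], rec["raddr"], rec["rport"])
        flow = flows.get(key)
        if flow is None:
            flow = Flow(rec["uid"], rec["pid"], rec["cmd"], rec["laddr"], rec["lport"],
                        rec["raddr"], rec["rport"], first_seen=rec["time"])
            flows[key] = flow
        flow.packets += 1
        if rec["dr"] == "->":
            flow.sent_bytes += rec["size"]
        else:
            flow.recv_bytes += rec["size"]
    return list(flows.values())


if __name__ == "__main__":
    print("PID    CMD         LOCAL                 REMOTE                PKTS   SENT   RECV FIRST SEEN")
    for f in summarize(SAMPLE.splitlines()):
        print(f"{f.pid:<6} {f.cmd:<11} {f.laddr + ':' + str(f.lport):<21} "
              f"{f.raddr + ':' + str(f.rport):<21} {f.packets:>4} {f.sent_bytes:>6} "
              f"{f.recv_bytes:>6} {f.first_seen}")
```

Because the key includes the PID, the inetd records and the in.telnetd (or in.fingerd) records for the same 4-tuple stay as two separate entries, which keeps the inetd handoff visible in the summary rather than hiding it. SIZE is the whole packet, so the many 54-byte records are consistent with header-only segments (14 bytes Ethernet, 20 IP, 20 TCP) such as acknowledgements; the larger records are the ones carrying data.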