.TH tcpsnoop 1m "Jul 04, 2005" "version 0.70" "USER COMMANDS" .SH NAME tcpsnoop \- snoop TCP network packets by process. Uses DTrace. .SH SYNOPSIS .B tcpsnoop [\-a|hjsvZ] [\-n name] [\-p pid] .SH DESCRIPTION This analyses TCP network packets and prints the responsible PID and UID, plus standard details such as IP address and port. This captures traffic of newly created TCP connections that were established while this program was running. It can help identify which processes is causing TCP traffic. Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command. .SH OPTIONS .TP \-a print all data .TP \-j print project ID .TP \-s print time, us .TP \-v print time, string .TP \-Z print zone ID .TP \-n name command name to snoop .TP \-p PID process ID to snoop .PP .SH EXAMPLES .TP Default output, snoop TCP network packets with details, # .B tcpsnoop .TP Print human readable timestamps, # .B tcpsnoop \-v .TP Print zonename, # .B tcpsnoop \-Z .TP Print sshd traffic only, # .B tcpsnoop \-n sshd .PP .SH FIELDS .TP UID user ID .TP PID process ID .TP CMD command name .TP LADDR local IP address .TP RADDR remote IP address .TP LPORT local port number .TP RPORT remote port number .TP DR direction .TP SIZE packet size, bytes .TP TIME timestamp, us .TP STRTIME human readable timestamp, string .TP ZONE zone ID .TP PROJ project ID .PP .SH DOCUMENTATION See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output. .SH EXIT tcpsnoop will print traffic until Ctrl\-C is hit. .SH AUTHOR Brendan Gregg [Sydney, Australia] .SH SEE ALSO tcptop(1M), dtrace(1M)