ipsumdump
Analyze and summarize network packet streams
TLDR
Print the source and destination IP addresses of all packets in a PCAP file
Print the timestamps, source address, source port, destination address, destination port and protocol of all packets read from a given network interface
Print the anonymized source address, anonymized destination address, and IP packet length of all packets in a PCAP file
SYNOPSIS
ipsumdump [-n] [-h] [-v] [-r pcapfile] [-s snaplen] [-f format] [-c count] [-w outfile] [filter]
PARAMETERS
-r pcapfile
Read input from pcapfile instead of stdin
-w outfile
Write summary output to outfile instead of stdout
-c count
Stop after processing count packets
-n
Do not resolve port numbers to service names (numeric only)
-h
Print help summary and capabilities
-v
Enable verbose output with more details
-s snaplen
Use snaplen as maximum bytes per packet (default: full packet)
-f format
Custom output format string (default: '%-7.0f %4d %5d %s %s %s')
filter
BPF filter expression to select packets (e.g., 'tcp port 80')
DESCRIPTION
ipsumdump is a utility from the tcptrace suite that processes libpcap packet capture files (such as those generated by tcpdump -w) and outputs concise, human-readable summaries of IP traffic flows.
It groups packets into unidirectional flows based on source/destination IP, ports, and protocol, then prints statistics like packet count, byte count, and average packet size per flow.
Unlike raw packet dumps from tcpdump, ipsumdump focuses on aggregates, making it ideal for quick traffic analysis, bandwidth usage overviews, or spotting high-volume flows without sifting through every packet.
Supports live capture from network interfaces as well as reading from capture files, with filtering via Berkeley Packet Filter (BPF) syntax. Output is customizable via format strings. Primarily handles IPv4; IPv6 support is experimental.
Common use: tcpdump -w cap.pcap && ipsumdump -r cap.pcap for instant summaries.
CAVEATS
Limited IPv6 support; assumes libpcap format input.
Does not decode packet payloads, only IP headers and flow stats.
May miss flows if snaplen truncates headers.
DEFAULT OUTPUT FORMAT
Columns: bytes pkts avg_size src_ip:port dst_ip:port proto
Example:
123456 100 1234 192.168.1.1.12345 8.8.8.8.53 UDP
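As an added example (not part of ipsumdump or its documentation), the following Python sketch parses summary lines in the default column layout shown above and reports sources responsible for a large share of the bytes. It assumes IPv4 endpoints written as address.port, as in the example line; the sample records, function names and the 50% threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the default column layout described above:
# bytes pkts avg_size src_ip.port dst_ip.port proto
SAMPLE = """\
123456 100 1234 192.168.1.1.12345 8.8.8.8.53 UDP
9000000 6000 1500 192.168.1.7.50122 203.0.113.9.443 TCP
4200 60 70 192.168.1.7.50123 203.0.113.9.443 TCP
garbage line that is not a flow record
640 10 64 192.168.1.1.0 198.51.100.4.0 ICMP
"""

def split_endpoint(text):
    """Split 'a.b.c.d.port' into (ip, port) at the last dot (IPv4 only)."""
    ip, _, port = text.rpartition(".")
    if ip.count(".") != 3 or not port.isdigit():
        raise ValueError(f"bad endpoint: {text!r}")
    return ip, int(port)

def parse_flows(lines):
    """Yield one dict per well-formed flow line; skip anything else."""
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # header, blank line or truncated record
        try:
            nbytes, pkts = int(fields[0]), int(fields[1])
            src, sport = split_endpoint(fields[3])
            dst, dport = split_endpoint(fields[4])
        except ValueError:
            continue  # non-numeric counters or malformed endpoint
        yield {"bytes": nbytes, "pkts": pkts, "src": src, "sport": sport,
               "dst": dst, "dport": dport, "proto": fields[5]}

def top_talkers(flows, share=0.5):
    """Return [(src_ip, bytes)] for sources sending at least `share` of all bytes."""
    per_src = defaultdict(int)
    for flow in flows:
        per_src[flow["src"]] += flow["bytes"]
    total = sum(per_src.values())
    heavy = [(ip, b) for ip, b in per_src.items() if total and b >= share * total]
    return sorted(heavy, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for ip, nbytes in top_talkers(parse_flows(SAMPLE.splitlines())):
        print(f"{ip} sent {nbytes} bytes")
```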
FORMAT STRING SPECIFIERS
%{bytes,f,pkts,avg_size,src_ip,dst_ip,src_port,dst_port,proto,time,start,end,dur,idle,min,max,idle_min,idle_max,loss,jitter,jitmax,ecn,ecn_s,ecn_d} etc.
See man page for full list.
HISTORY
Developed by Shawn Ostermann in 1997 as part of the tcptrace project at Ohio University. It evolved as a tool for analyzing TCP/IP traces; the last major updates were around the 2000s, and it is still maintained sporadically.
SEE ALSO
tcpdump(8), tcptrace(1), tcpslice(1), libpcap(3)


