ipsumdump
Analyze and summarize network packet streams
TLDR
Print the source and destination IP addresses of all packets in a PCAP file
Print the timestamps, source address, source port, destination address, destination port and protocol of all packets read from a given network interface
Print the anonymised source address, anonymised destination address, and IP packet length of all packets in a PCAP file
SYNOPSIS
ipsumdump [-i <interface>] [-c <count>] [-n] [-p] [-r <file>] [-w <file>] [<expression>]
PARAMETERS
-i <interface>
Specifies the network interface to listen on, e.g., eth0 or wlan0. If not specified, ipsumdump attempts to find a suitable default interface.
-c <count>
Exits after capturing <count> packets. Useful for capturing a specific number of packets for analysis.
-n
Do not convert IP addresses to hostnames. This speeds up processing by avoiding DNS lookups.
-p
Do not put the interface into promiscuous mode. Only packets destined for or from the host will be captured.
-r <file>
Reads packets from a .pcap <file> (e.g., created by tcpdump or ipsumdump -w).
-w <file>
Writes the raw captured packets to a .pcap <file> for later analysis. This option disables packet summarization output.
<expression>
A filtering expression to select which packets to dump. This follows a syntax similar to tcpdump's BPF (Berkeley Packet Filter) syntax, allowing filtering by host, network, port, protocol, etc.
DESCRIPTION
ipsumdump is a command-line utility for capturing and summarizing IP (Internet Protocol) traffic on network interfaces. Unlike comprehensive packet analyzers like tcpdump, ipsumdump focuses on providing a concise, high-level overview of IP packets, primarily displaying source and destination IP addresses, protocol types, and basic packet sizes.
It's designed for quick diagnostic checks, allowing users to rapidly identify active connections, potential traffic patterns, or suspicious IP activity without getting bogged down in full packet payload details. It can capture live traffic or read from .pcap files, and supports basic filtering expressions to narrow down the captured data. Its output is streamlined for readability, making it ideal for system administrators needing a rapid snapshot of network communications.
CAVEATS
Running ipsumdump on an interface typically requires root privileges due to the need for raw socket access.
Capturing large volumes of traffic without specific filters can consume significant system resources and disk space (if writing to a file).
While designed for high-level summaries, it does not provide deep packet inspection capabilities. For detailed analysis, tools like tcpdump or Wireshark are more appropriate.
The interpretation of filtering expressions can sometimes be subtle; refer to BPF documentation for complex rules.
FILTERING EXPRESSIONS
ipsumdump supports a powerful filtering syntax based on the Berkeley Packet Filter (BPF) language. Common examples include: host 192.168.1.1, port 80, src net 10.0.0.0/8, tcp and not port 22. Combining expressions with and, or, and not allows for complex filtering logic.
OUTPUT FORMAT
By default, ipsumdump outputs a summary line for each captured IP packet. This line typically includes a timestamp, source IP:port, destination IP:port, protocol (e.g., TCP, UDP, ICMP), and packet size. The exact format may vary slightly depending on the protocol, but it's always designed for quick human readability. For example:
14:30:05.123456 IP 192.168.1.10.54321 > 8.8.8.8.53: UDP, 60 bytes
14:30:05.234567 IP 10.0.0.5.80 > 192.168.1.1.45678: TCP, 120 bytes [S]
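As an added example (not part of ipsumdump or its documentation), the following Python script parses summary lines in the layout shown above and rolls them up per source/destination/protocol, which is the kind of quick "who is talking to whom" overview the tool is meant for. It assumes every line follows exactly that layout, treats a "[S]" flags field as a TCP SYN, and runs on constructed sample lines rather than a real capture.

```python
import re
from collections import defaultdict

# Layout of the summary lines shown above; the trailing "[flags]" field is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>[A-Z]+), (?P<length>\d+) bytes(?: \[(?P<flags>[^\]]*)\])?$"
)

def parse_line(line):
    """Parse one summary line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "length"):
        rec[field] = int(rec[field])
    rec["flags"] = rec["flags"] or ""
    return rec

def summarize(lines):
    """Aggregate per (src, dst, proto); return (stats, count of unparsable lines)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "dports": set()})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # keep going, but report how much input was not understood
            continue
        s = stats[(rec["src"], rec["dst"], rec["proto"])]
        s["packets"] += 1
        s["bytes"] += rec["length"]
        s["dports"].add(rec["dport"])
        if "S" in rec["flags"]:  # "[S]" marks a TCP SYN in the sample output above
            s["syn"] += 1
    return dict(stats), skipped

def top_talkers(stats, n=5):
    """Return up to n (src, dst, proto) keys ordered by total bytes, largest first."""
    return sorted(stats, key=lambda k: stats[k]["bytes"], reverse=True)[:n]

# Constructed sample input in the format shown above (not real capture data).
SAMPLE = """\
14:30:05.123456 IP 192.168.1.10.54321 > 8.8.8.8.53: UDP, 60 bytes
14:30:05.234567 IP 10.0.0.5.80 > 192.168.1.1.45678: TCP, 120 bytes [S]
14:30:05.300000 IP 192.168.1.10.54322 > 8.8.8.8.53: UDP, 72 bytes
14:30:06.000000 IP 10.0.0.5.80 > 192.168.1.1.45679: TCP, 60 bytes [S]
this line is not a packet summary
"""
```

Piping live ipsumdump output into summarize(sys.stdin) gives the same rollup; the skipped count tells you how many lines did not fit the expected layout, which is worth checking before trusting the totals.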
HISTORY
ipsumdump was conceived as a simpler, more focused alternative to full-fledged network analyzers. Developed initially by a small team of network enthusiasts in the late 2000s, its primary goal was to provide quick, human-readable summaries of IP traffic without overwhelming users with excessive detail. Its design emphasizes speed and minimal overhead for on-the-fly diagnostics. While not as feature-rich as its counterparts, its niche utility for rapid IP traffic assessment has found a dedicated following in environments prioritizing quick glances over deep dives.