The following is a demonstration of the tcpsnoop script.

Here we run tcpsnoop and wait for new TCP connections to be established:

   # tcpsnoop.d
           TIME  PID       LADDR:PORT              RADDR:PORT  BYTES FLAGS
   256057958984  574  10.134.64.85:22 -> 10.132.145.148:51590    116 (PUSH|ACK)
   256058057137  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058058053  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058156625  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058156836  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058157681  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058256620  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058256793  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058258584  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058356664  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058356836  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058357532  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058456619  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058456783  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058457352  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058556611  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058556781  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058557426  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058656585  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058656750  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058657423  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058756605  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058756778  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058757443  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058856657  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058856827  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
   256058857505  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
   256058956612  574  10.134.64.85:22 -> 10.132.145.148:51590    228 (PUSH|ACK)
   256058956783  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)

As new connections are made, each of the TCP packets is traced along with
the PID.
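
When a capture like the one above runs to thousands of rows, a per-flow summary keyed on PID makes it easier to see which process owns which connection and how much it sent and received. The following is an added example, not part of the tcpsnoop script or its toolkit; the names parse_line and summarize are hypothetical, and it assumes the column layout shown in the output above.

```python
import re
from collections import defaultdict

# One tcpsnoop row: TIME PID LADDR:PORT <direction> RADDR:PORT BYTES (FLAGS)
ROW = re.compile(
    r"^\s*(?P<time>\d+)\s+(?P<pid>\d+)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<dir>->|<-)\s+(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<bytes>\d+)\s+\((?P<flags>[^)]*)\)\s*$"
)

def parse_line(line):
    """Return a dict for a data row, or None for the header, prompt or junk."""
    m = ROW.match(line)
    if m is None:
        return None
    row = m.groupdict()
    for field in ("time", "pid", "lport", "rport", "bytes"):
        row[field] = int(row[field])
    row["flags"] = set(row["flags"].split("|")) if row["flags"] else set()
    return row

def summarize(lines):
    """Aggregate packets, bytes and flags per (PID, local, remote) flow."""
    flows = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0,
                                 "in_pkts": 0, "in_bytes": 0, "flags": set()})
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue  # skip anything that is not a packet row
        key = (row["pid"], f'{row["laddr"]}:{row["lport"]}',
               f'{row["raddr"]}:{row["rport"]}')
        flow = flows[key]
        side = "out" if row["dir"] == "->" else "in"  # "->" leaves LADDR
        flow[side + "_pkts"] += 1
        flow[side + "_bytes"] += row["bytes"]
        flow["flags"] |= row["flags"]
    return dict(flows)

# Prompt line, header and first four rows of the output shown on this page.
SAMPLE = """\
# tcpsnoop.d
        TIME  PID       LADDR:PORT              RADDR:PORT  BYTES FLAGS
256057958984  574  10.134.64.85:22 -> 10.132.145.148:51590    116 (PUSH|ACK)
256058057137  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
256058058053  574  10.134.64.85:22 <- 10.132.145.148:51590      0 (ACK)
256058156625  574  10.134.64.85:22 -> 10.132.145.148:51590    132 (PUSH|ACK)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
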