parsed.org

Tips by tag: monitoring

Changing Process Priority by xinu on Mar 10, 2005 01:52 PM

Ever been on a machine that was ailing and just wouldn't respond? As soon as you're root, lower the priority of the offending process ID(s) (in this example, 1103) by using the 'renice' command:

# renice -n 19 -p 1103

Ethernet Snaplen by xinu on Aug 09, 2006 04:43 PM

When you're doing a packet capture for the purpose of examining the frame payload, you'll want to extend the snaplen (snapshot length) to 1515. That's long enough to accommodate the 1500 MTU and should give you a pretty good look at what you're after.

For example:

# tcpdump -s1515 -X -ieth0 -w sample.cap

Note: This applies to 'ethereal' and 'wireshark' too, but their default is to capture max(INT).

Network Forensics by cygnus on Jan 21, 2005 08:31 AM

You can use the lsof (LiSt Open Files) utility to view information about which processes own file handles on a system. Since sockets map to file descriptors, lsof will show you which processes own socket connections. If you see that your machine is connected to another on TCP port 6234 (source or dest) and you want to find out which process(es) are responsible for the connection, run:

# lsof -ni tcp:6234

Note that when run as an unprivileged user, lsof will only show you file descriptors that you have permission to see. You must run lsof as root to see everything in the kernel.

Save and View Pipe Stream by xinu on Mar 10, 2005 01:37 PM

You can use the tee program to save the contents of a pipe to a file while also viewing it on standard out:

# tail -0f /var/log/httpd/error_log | tee ~/newest_errors.txt

Note: tail -0 instructs tail to begin at the very end of the file (the default is to show the last ten lines), and -f means tail will periodically check the file for additional data and print the data to standard out.

System Monitoring by xinu on Jan 20, 2005 08:58 PM

A nice way to take the pulse of a BSD machine is to run systat -vm. It updates often and includes quite a bit of useful information.

Testing Webserver with Netcat & Echo by xinu on Jan 12, 2005 10:58 AM

Netcat is a handy little utility for scripting all manner of network functionality. Here we're making sure a web server is responding as we'd expect:

$ (echo "GET / HTTP/1.1"; echo "Host: www.xinu.org"; echo) | nc www.xinu.org 80

Watching Connections by xinu on Jun 02, 2005 09:15 AM

If you want to use tcpdump to watch initiating connections (that is, only the SYN flag is set, indicating we're looking at the first third of the three-way handshake) on ports 80 and 443, you could do something like this:

# tcpdump '(tcp[13] & 0x3f = 2) and (dst port 80 or dst port 443)'
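
As an added illustration (not part of the original tip), here is the same flag test applied in Python to a few constructed TCP headers. It shows why the filter masks with 0x3f rather than comparing tcp[13] to 2 directly: an ECN-capable SYN also has the ECE and CWR bits set, and the naive comparison would miss it.

```python
import struct

# Bit values of the TCP flags byte (offset 13 in the header), as used by
# the tcpdump expression `tcp[13] & 0x3f = 2`.
FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options) with the given flags byte."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, 65535, 0, 0)

def flag_names(hdr):
    """Decode the flags byte into names, lowest bit first."""
    return [name for bit, name in sorted(FLAG_BITS.items()) if hdr[13] & bit]

def is_initial_syn(hdr):
    # Same test as the tcpdump filter: ignore ECE/CWR, require exactly SYN.
    return (hdr[13] & 0x3F) == 2

def is_syn_strict(hdr):
    # The naive `tcp[13] = 2` test; fails for ECN-setup SYNs (CWR|ECE|SYN).
    return hdr[13] == 2

def match_filter(hdr, watch_ports=(80, 443)):
    """Equivalent of '(tcp[13] & 0x3f = 2) and (dst port 80 or dst port 443)'."""
    dst_port = struct.unpack("!H", hdr[2:4])[0]
    return is_initial_syn(hdr) and dst_port in watch_ports

# Constructed sample headers (assumed traffic, not captured data).
SAMPLES = {
    "plain syn to 80": tcp_header(40000, 80, 0x02),
    "ecn syn to 443": tcp_header(40001, 443, 0xC2),   # CWR|ECE|SYN
    "syn-ack from 80": tcp_header(80, 40000, 0x12),   # ACK|SYN, second step
    "syn to 22": tcp_header(40002, 22, 0x02),         # SYN, but not a watched port
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:18} flags={flag_names(hdr)} "
              f"strict={is_syn_strict(hdr)} filter={match_filter(hdr)}")
```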