
Lines Matching +full:print +full:- +full:flags +full:. +full:pcap

1 .\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1,v 1.167.2.11 2007/06/15 20:13:49 guy Exp $ (LBL)
2 .\"
3 .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
4 .\"
5 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
6 .\" The Regents of the University of California. All rights reserved.
7 .\" All rights reserved.
8 .\"
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that: (1) source code distributions
11 .\" retain the above copyright notice and this paragraph in its entirety, (2)
12 .\" distributions including binary code include the above copyright notice and
13 .\" this paragraph in its entirety in the documentation or other materials
14 .\" provided with the distribution, and (3) all advertising materials mentioning
15 .\" features or use of this software display the following acknowledgement:
16 .\" ``This product includes software developed by the University of California,
17 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 .\" the University nor the names of its contributors may be used to endorse
19 .\" or promote products derived from this software without specific prior
20 .\" written permission.
21 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
24 .\"
27 tcpdump \- dump traffic on a network
32 .B \-AdDeflLnNOpqRStuUvxX
34 .B \-c
40 .B \-C
43 .B \-F
49 .B \-i
53 .B \-m
57 .B \-M
63 .B \-r
67 .B \-s
71 .B \-T
75 .B \-w
81 .B \-W
87 .B \-E
88 .I spi@ipaddr algo:secret,...
93 .B \-y
97 .B \-Z
109 network interface that match the boolean \fIexpression\fP. It can also
111 .B \-w
114 .B \-r
116 read packets from a network interface. In all cases, only packets that
120 .IR tcpdump .
124 .B \-c
127 typically control-C) or a SIGTERM signal (typically generated with the
130 .B \-c
132 SIGTERM signal or the specified number of packets have been processed.
145 and possibly on the way the OS was configured - if a filter was
162 it will be reported as 0).
167 your ``status'' character, typically control-T, although on some
171 in order to use it) and will continue capturing packets.
176 .B Under SunOS 3.x or 4.x with NIT or BPF:
180 .IR /dev/bpf* .
183 You must have read/write access to the network pseudo device, e.g.
184 .IR /dev/le .
192 mode. Note that, on many (perhaps all) interfaces, if you don't capture
194 not done in promiscuous mode may not be very useful.
196 .B Under HP-UX with DLPI:
199 must be installed setuid to root.
204 must be installed setuid to root.
215 .B \-D
216 flag).
220 .IR tcpdump .
221 However, no user (not even the super-user) can capture in promiscuous
222 mode on an interface unless the super-user has enabled promiscuous-mode
225 and no user (not even the super-user) can capture unicast traffic
226 received by or sent by the machine on an interface unless the super-user
227 has enabled copy-all-mode operation on that interface using
232 promiscuous-mode or copy-all-mode operation, or both modes of
233 operation, be enabled on that interface.
240 on systems that do.
242 than just having somebody with super-user access setting the ownership
243 or permissions on the BPF devices - it might involve configuring devfs
246 have to find some other way to make that happen at boot time.
248 Reading a saved packet file doesn't require special privileges.
251 .B \-A
252 Print each packet (minus its link level header) in ASCII. Handy for
253 capturing web pages.
255 .B \-c
256 Exit after receiving \fIcount\fP packets.
258 .B \-C
261 savefile and open a new one. Savefiles after the first savefile will
263 .B \-w
264 flag, with a number after it, starting at 1 and continuing upward.
266 not 1,048,576 bytes).
268 .B \-d
269 Dump the compiled packet-matching code in a human readable form to
270 standard output and stop.
272 .B \-dd
273 Dump packet-matching code as a
275 program fragment.
277 .B \-ddd
278 Dump packet-matching code as decimal numbers (preceded with a count).
280 .B \-D
281 Print the list of the network interfaces available on the system and on
284 can capture packets. For each network interface, a number and an
286 interface, is printed. The interface name or the number can be supplied
288 .B \-i
289 flag to specify an interface on which to capture.
292 (e.g., Windows systems, or UNIX systems lacking
295 interface name is a somewhat complex string.
298 .B \-D
305 function.
307 .B \-e
308 Print the link-level header on each dump line.
310 .B \-E
313 \fIspi\fP. This combination may be repeated with comma or newline separation.
315 Note that setting the secret for IPv4 ESP packets is supported at this time.
318 \fBdes-cbc\fP,
319 \fB3des-cbc\fP,
320 \fBblowfish-cbc\fP,
321 \fBrc3-cbc\fP,
322 \fBcast128-cbc\fP, or
323 \fBnone\fP.
324 The default is \fBdes-cbc\fP.
326 with cryptography enabled.
328 \fIsecret\fP is the ASCII text for ESP secret key.
329 If preceded by 0x, then a hex value will be read.
331 The option assumes RFC2406 ESP, not RFC1827 ESP.
333 the use of this option with a true `secret' key is discouraged.
337 and other occasions.
340 to have tcpdump read the provided file in. The file is opened upon
342 may have been given should already have been given up.
344 .B \-f
345 Print `foreign' IPv4 addresses numerically rather than symbolically
347 Sun's NIS server \(em usually it hangs forever translating non-local
348 internet numbers).
351 netmask of the interface on which capture is being done. If that
356 correctly.
358 .B \-F
359 Use \fIfile\fP as input for the filter expression.
360 An additional expression given on the command line is ignored.
362 .B \-i
363 Listen on \fIinterface\fP.
365 lowest numbered, configured up interface (excluding loopback).
366 Ties are broken by choosing the earliest match.
370 argument of ``any'' can be used to capture packets from all interfaces.
372 mode.
375 .B \-D
379 argument.
381 .B \-l
382 Make stdout line buffered.
384 while capturing it.
385 E.g.,
387 ``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
388 ``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
390 .B \-L
391 List the known data link types for the interface and exit.
393 .B \-m
394 Load SMI MIB module definitions from file \fImodule\fR.
396 can be used several times to load several MIB modules into \fItcpdump\fP.
398 .B \-M
400 TCP segments with the TCP-MD5 option (RFC 2385), if present.
402 .B \-n
403 Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
405 .B \-N
406 Don't print domain name qualification of host names.
407 E.g.,
408 if you give this flag then \fItcpdump\fP will print ``nic''
409 instead of ``nic.ddn.mil''.
411 .B \-O
412 Do not run the packet-matching code optimizer.
414 if you suspect a bug in the optimizer.
416 .B \-p
418 into promiscuous mode.
420 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
421 `ether host {local-hw-addr} or ether broadcast'.
423 .B \-q
424 Quick (quiet?) output.
425 Print less protocol information so output
426 lines are shorter.
428 .B \-R
429 Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
430 If specified, \fItcpdump\fP will not print replay prevention field.
432 \fItcpdump\fP cannot deduce the version of ESP/AH protocol.
434 .B \-r
436 .B \-w
437 option).
438 Standard input is used if \fIfile\fR is ``-''.
440 .B \-S
441 Print absolute, rather than relative, TCP sequence numbers.
443 .B \-s
445 default of 68 (with SunOS's NIT, the minimum is actually 96).
448 packets (see below).
451 is the name of the protocol level at which the truncation has occurred.
454 decreases the amount of packet buffering.
456 lost.
458 capture the protocol information you're interested in.
460 \fIsnaplen\fP to 0 means use the required length to catch whole packets.
462 .B \-T
464 specified \fItype\fR.
466 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
469 \fBrtp\fR (Real-Time Applications protocol),
470 \fBrtcp\fR (Real-Time Applications control protocol),
475 \fBwb\fR (distributed White Board).
477 .B \-t
478 \fIDon't\fP print a timestamp on each dump line.
480 .B \-tt
481 Print an unformatted timestamp on each dump line.
483 .B \-ttt
484 Print a delta (in microseconds) between current and previous line
485 on each dump line.
487 .B \-tttt
488 Print a timestamp in default format preceded by date on each dump line.
490 .B \-u
491 Print undecoded NFS handles.
493 .B \-U
495 .B \-w
496 option ``packet-buffered''; i.e., as each packet is saved, it will be
498 output buffer fills.
501 .B \-U
508 function.
510 .B \-v
511 When parsing and printing, produce (slightly more) verbose output.
513 identification, total length and options in an IP packet are printed.
515 IP and ICMP header checksum.
518 .B \-w
519 option, report, every 10 seconds, the number of packets captured.
521 .B \-vv
522 Even more verbose output.
524 printed from NFS reply packets, and SMB packets are fully decoded.
526 .B \-vvv
527 Even more verbose output.
529 telnet \fBSB\fP ... \fBSE\fP options
530 are printed in full.
532 .B \-X
533 Telnet options are printed in hex as well.
535 .B \-w
537 them out.
538 They can later be printed with the \-r option.
539 Standard output is used if \fIfile\fR is ``-''.
541 .B \-W
543 .B \-C
546 from the beginning, thus creating a 'rotating' buffer.
549 files, allowing them to sort correctly.
551 .B \-x
553 in addition to printing the headers of each packet, print the data of
554 each packet (minus its link level header) in hex.
557 bytes will be printed. Note that this is the entire link-layer
558 packet, so for link layers that pad (e.g. Ethernet), the padding bytes
560 required padding.
562 .B \-xx
564 in addition to printing the headers of each packet, print the data of
567 its link level header, in hex.
569 .B \-X
571 in addition to printing the headers of each packet, print the data of
572 each packet (minus its link level header) in hex and ASCII.
573 This is very handy for analysing new protocols.
575 .B \-XX
577 in addition to printing the headers of each packet, print the data of
580 its link level header, in hex and ASCII.
582 .B \-y
583 Set the data link type to use while capturing packets to \fIdatalinktype\fP.
585 .B \-Z
589 .IR user .
591 This behavior can also be enabled by default at compile time.
594 selects which packets will be dumped.
596 is given, all packets on the net will be dumped.
598 only packets for which \fIexpression\fP is `true' will be dumped.
601 .I primitives.
604 (name or number) preceded by one or more qualifiers.
608 qualifiers say what kind of thing the id name or number refers to.
615 E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'.
619 is assumed.
622 .IR id .
630 E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
634 is assumed.
640 qualifiers can be used to specify a desired direction.
642 qualifiers restrict the match to a particular protocol.
657 E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange
658 7000-7009'.
661 assumed.
662 E.g., `src foo' means `(ip or arp or rarp) src foo'
664 arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
668 network interface.'' FDDI headers contain Ethernet-like source
669 and destination addresses, and often contain Ethernet-like packet
671 analogous Ethernet fields.
673 but you cannot name them explicitly in a filter expression.
677 and 802.11 wireless LAN headers. For 802.11 headers, the destination
679 BSSID, RA, and TA fields aren't tested.]
687 and arithmetic expressions.
688 All of these are described below.
695 to combine primitives.
696 E.g., `host foo and not port ftp and not port ftp-data'.
697 To save typing, identical qualifier lists can be omitted.
698 E.g.,
699 `tcp dst port ftp or ftp-data or domain' is exactly the same as
700 `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
705 which may be either an address or a name.
707 True if the IPv4/v6 source field of the packet is \fIhost\fP.
709 True if either the IPv4/v6 source or destination of the packet is \fIhost\fP.
725 be checked for a match.
727 True if the Ethernet destination address is \fIehost\fP.
731 for numeric format).
733 True if the Ethernet source address is \fIehost\fP.
735 True if either the Ethernet source or destination address is \fIehost\fP.
737 True if the packet used \fIhost\fP as a gateway.
738 I.e., the Ethernet
740 nor the IP destination was \fIhost\fP.
742 must be found both by the machine's host-name-to-IP-address resolution
743 mechanisms (host name file, DNS, NIS, etc.) and by the machine's
744 host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
751 which can be used with either names or numbers for \fIhost / ehost\fP.)
752 This syntax does not work in IPv6-enabled configuration at this moment.
755 number of \fInet\fP.
757 (/etc/networks, etc.) or a network number.
758 An IPv4 network number can be written as a dotted quad (e.g., 192.168.1.0),
759 dotted triple (e.g., 192.168.1), dotted pair (e.g., 172.16), or single
760 number (e.g., 10); the netmask is 255.255.255.255 for a dotted quad
761 (which means that it's really a host match), 255.255.255.0 for a dotted
762 triple, 255.255.0.0 for a dotted pair, or 255.0.0.0 for a single number.
765 host matches, and a network match requires a netmask length.
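As an added example (not tcpdump's own code), the following Python resolves the three IPv4 forms of the `net` primitive described above (abbreviated dotted number, `net N mask M`, and `net N/len`) to a network/netmask pair and tests addresses against it; the sample addresses are constructed and only the standard library is used.

```python
"""Added example: interpret the IPv4 `net` primitive as the man page describes."""
import ipaddress
import re

# Optional leading `net`, a 1-4 component dotted number, then optionally
# either ` mask <netmask>` or `/<prefix length>`.
_NET_RE = re.compile(
    r"^(?:net\s+)?(\d{1,3}(?:\.\d{1,3}){0,3})(?:\s+mask\s+(\S+)|/(\d{1,2}))?$"
)


def parse_net_primitive(spec):
    """Return an ipaddress.IPv4Network for `net N`, `net N mask M` or `net N/len`.

    For the bare form the netmask is implied by how many dotted components
    were written: 4 -> /32 (really a host match), 3 -> /24, 2 -> /16, 1 -> /8.
    """
    m = _NET_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised net primitive: {spec!r}")
    number, mask, length = m.groups()
    parts = number.split(".")
    if any(int(p) > 255 for p in parts):
        raise ValueError(f"octet out of range in {number!r}")
    # Pad an abbreviated number with zero octets: 128.3 -> 128.3.0.0
    padded = ".".join(parts + ["0"] * (4 - len(parts)))
    if mask is not None:
        suffix = mask                    # explicit dotted netmask
    elif length is not None:
        suffix = length                  # explicit prefix length
    else:
        suffix = str(8 * len(parts))     # implied by the abbreviated form
    # strict=False zeroes any host bits, which is what a netmask comparison does.
    return ipaddress.ip_network(f"{padded}/{suffix}", strict=False)


def net_matches(spec, address):
    """True if `address` would satisfy `net <spec>` (direction qualifiers ignored)."""
    return ipaddress.ip_address(address) in parse_net_primitive(spec)
```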
768 number of \fInet\fP.
771 number of \fInet\fP.
773 True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR.
774 May be qualified with \fBsrc\fR or \fBdst\fR.
775 Note that this syntax is not valid for IPv6 \fInet\fR.
778 bits wide.
779 May be qualified with \fBsrc\fR or \fBdst\fR.
782 destination port value of \fIport\fP.
786 .IR udp (4P)).
788 number and protocol are checked.
790 only the port number is checked (e.g., \fBdst port 513\fR will print both
791 tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
792 both tcp/domain and udp/domain traffic).
794 True if the packet has a source port value of \fIport\fP.
796 True if either the source or destination port of the packet is \fIport\fP.
797 .IP "\fBdst portrange \fIport1\fB-\fIport2\fR"
799 destination port value between \fIport1\fP and \fIport2\fP.
807 .IP "\fBsrc portrange \fIport1\fB-\fIport2\fR"
809 \fIport2\fP.
810 .IP "\fBportrange \fIport1\fB-\fIport2\fR"
812 \fIport1\fP and \fIport2\fP.
821 which matches only tcp packets whose source port is \fIport\fP.
823 True if the packet has a length less than or equal to \fIlength\fP.
827 \fBlen <= \fIlength\fP.
831 True if the packet has a length greater than or equal to \fIlength\fP.
835 \fBlen >= \fIlength\fP.
841 of protocol type \fIprotocol\fP.
844 \fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP.
846 keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell.
847 Note that this primitive does not chase the protocol header chain.
849 True if the packet is an IPv6 packet of protocol type \fIprotocol\fP.
850 Note that this primitive does not chase the protocol header chain.
854 in its protocol header chain.
861 matches any IPv6 packet with TCP protocol header in the protocol header chain.
863 authentication header, routing header, or hop-by-hop option header,
864 between IPv6 header and TCP header.
867 so this can be somewhat slow.
869 Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4.
871 True if the packet is an Ethernet broadcast packet.
873 keyword is optional.
875 True if the packet is an IPv4 broadcast packet.
876 It checks for both the all-zeroes and all-ones broadcast conventions,
878 being done.
884 check will not work correctly.
886 True if the packet is an Ethernet multicast packet.
888 keyword is optional.
889 This is shorthand for `\fBether[0] & 1 != 0\fP'.
891 True if the packet is an IPv4 multicast packet.
893 True if the packet is an IPv6 multicast packet.
895 True if the packet is of ether type \fIprotocol\fR.
899 \fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP.
901 and must be escaped via backslash (\\).
903 [In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), Token Ring
904 (e.g., `\fBtr protocol arp\fR'), and IEEE 802.11 wireless LANs (e.g.,
908 802.11 header.
912 in so-called SNAP format with an Organizational Unit Identifier (OUI) of
914 is in SNAP format with an OUI of 0x000000.
926 \fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007
927 and the AppleTalk etype.
931 for most of those protocols. The exceptions are:
940 for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
948 DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of
949 IPX, and the IPX etype in a SNAP frame.
955 name.
957 that are configured to run DECNET.]
960 .IR host .
963 .IR host .
971 modifier.
979 modifier.
981 True if the packet was logged with the specified PF reason code. The known
999 modifier.
1007 modifier.
1009 True if PF took the specified action when the packet was logged. Known actions
1023 where \fIp\fR is one of the above protocols.
1031 where \fIp\fR is one of the above protocols.
1033 \fItcpdump\fP does not currently know how to parse these protocols.
1035 True if the packet is an IEEE 802.1Q VLAN packet.
1037 \fIvlan_id\fR.
1040 the assumption that the packet is a VLAN packet. The \fBvlan
1042 hierarchies. Each use of that expression increments the filter offsets
1043 by 4.
1058 higher order VLAN.
1060 True if the packet is an MPLS packet.
1062 \fIlabel_num\fR.
1065 the assumption that the packet is a MPLS-encapsulated IP packet. The
1067 filter on MPLS hierarchies. Each use of that expression increments the
1068 filter offsets by 4.
1080 \fBmpls && mpls 1024 && host 192.9.200.1\fR
1083 filters packets to or from 192.9.200.1 with an inner label of 1024 and
1084 any outer label.
1086 True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet
1087 type 0x8863).
1089 True if the packet is a PPP-over-Ethernet Session packet (Ethernet
1090 type 0x8864).
1093 the assumption that the packet is a PPPoE session packet.
1101 filters IPv4 protocols encapsulated in PPPoE.
1109 where \fIp\fR is one of the above protocols.
1111 True if the packet is an OSI packet of protocol type \fIprotocol\fP.
1113 \fBclnp\fP, \fBesis\fP, or \fBisis\fP.
1121 where \fIp\fR is one of the above protocols.
1123 Abbreviations for IS-IS PDU types.
1127 .IR n .
1131 .IR n .
1134 an ATM LANE packet.
1138 packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the
1140 LLC-encapsulated packet.
1143 an LLC-encapsulated packet.
1146 a segment OAM F4 flow cell (VPI=0 & VCI=3).
1149 an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
1152 a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
1155 a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
1158 on a meta signaling circuit (VPI=0 & VCI=1).
1161 on a broadcast signaling circuit (VPI=0 & VCI=2).
1164 on a signaling circuit (VPI=0 & VCI=5).
1167 on an ILMI circuit (VPI=0 & VCI=16).
1170 on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
1171 Connect Ack, Release, or Release Done message.
1174 on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
1175 Release, or Release Done message.
1180 [+, -, *, /, &, |, <<, >>], a length operator, and special packet data
1181 accessors. Note that all comparisons are unsigned, so that, for example,
1182 0x80000000 and 0xffffffff are > 0.
1192 indicates the protocol layer for the index operation.
1194 link layer. \fBradio\fR refers to the "radio header" added to some
1195 802.11 captures.)
1196 Note that \fItcp, udp\fR and other upper-layer protocol types only
1197 apply to IPv4, not IPv6 (this will be fixed in the future).
1199 given by \fIexpr\fR.
1201 field of interest; it can be either one, two, or four, and defaults to one.
1203 length of the packet.
1205 For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic.
1207 catches all IPv4 packets with options.
1211 IPv4 datagrams.
1213 index operations.
1216 intervening fragment.
1219 as numeric values.
1222 code field), and \fBtcpflags\fP (TCP flags field).
1224 The following ICMP type field values are available: \fBicmp-echoreply\fP,
1225 \fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP,
1226 \fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP,
1227 \fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP,
1228 \fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP,
1229 \fBicmp-maskreq\fP, \fBicmp-maskreply\fP.
1231 The following TCP flags field values are available: \fBtcp-fin\fP,
1232 \fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP,
1233 \fBtcp-ack\fP, \fBtcp-urg\fP.
1238 (parentheses are special to the Shell and must be escaped).
1240 Negation (`\fB!\fP' or `\fBnot\fP').
1242 Concatenation (`\fB&&\fP' or `\fBand\fP').
1244 Alternation (`\fB||\fP' or `\fBor\fP').
1246 Negation has highest precedence.
1248 left to right.
1250 are now required for concatenation.
1253 is assumed.
1274 argument or as multiple arguments, whichever is more convenient.
1276 easier to pass it as a single, quoted argument.
1277 Multiple arguments are concatenated with spaces before being parsed.
1280 To print all packets arriving at or departing from \fIsundown\fP:
1287 To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
1294 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
1301 To print all traffic between local hosts and hosts at Berkeley:
1305 tcpdump net ucb-ether
1309 To print all ftp traffic through internet gateway \fIsnup\fP:
1311 (mis-)interpreting the parentheses):
1315 tcpdump 'gateway snup and (port ftp or ftp-data)'
1319 To print traffic neither sourced from nor destined for local hosts
1321 onto your local net).
1329 To print the start and end packets (the SYN and FIN packets) of each
1330 TCP conversation that involves a non-local host.
1334 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1338 To print all IPv4 HTTP packets to and from port 80, i.e. print only
1340 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1344 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1348 To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
1356 To print IP broadcast or multicast packets that were
1366 To print all ICMP packets that are not echo requests/replies (i.e., not
1371 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1376 The output of \fItcpdump\fP is protocol dependent.
1378 gives a brief description and examples of most of the formats.
1382 ..
1386 If the '-e' option is given, the link level header is printed out.
1388 and packet length are printed.
1390 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1392 and the packet length.
1394 interpretation of the rest of the packet.
1397 value between 0 and 7; for example, `\fBasync4\fR'.
1401 so-called SNAP packet.
1403 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1405 destination addresses, and the packet length.
1407 packets are assumed to contain an LLC packet.
1409 the '-e' option is specified or not, the source routing information is
1410 printed for source-routed packets.
1412 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1414 and the packet length.
1416 packets are assumed to contain an LLC packet.
1418 \fI(N.B.: The following description assumes familiarity with
1419 the SLIP compression algorithm described in RFC-1144.)\fP
1422 packet type, and compression information are printed out.
1423 The packet type is printed first.
1424 The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
1425 No further link information is printed for \fIip\fR packets.
1426 For TCP packets, the connection identifier is printed following the type.
1427 If the packet is compressed, its encoded header is printed out.
1430 the sequence number (or sequence number and ack) has changed.
1432 zero or more changes are printed.
1434 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1435 or a new value (=n).
1437 are printed.
1451 Arp/rarp output shows the type of request and its arguments.
1453 format is intended to be self explanatory.
1459 \f(CWarp who-has csam tell rtsg
1460 arp reply csam is-at CSAM\fR
1465 for the Ethernet address of internet host csam.
1468 are in caps and internet addresses in lower case).
1470 This would look less redundant if we had done \fItcpdump \-n\fP:
1474 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1475 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1479 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1480 broadcast and the second is point-to-point would be visible:
1484 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1485 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1491 contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
1495 \fI(N.B.: The following description assumes familiarity with
1496 the TCP protocol described in RFC-793.
1499 be of much use to you.)\fP
1505 \fIsrc > dst: flags data-seqno ack window urgent options\fP
1510 addresses and ports.
1511 \fIFlags\fP are some combination of S (SYN),
1512 F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
1513 `.' (no flags).
1514 \fIData-seqno\fP describes the portion of sequence space covered
1515 by the data in this packet (see example below).
1517 direction on this connection.
1519 the other direction on this connection.
1520 \fIUrg\fP indicates there is `urgent' data in the packet.
1521 \fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
1523 \fISrc, dst\fP and \fIflags\fP are always present.
1526 are output only if appropriate.
1529 host \fIcsam\fP.
1533 \s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
1534 csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
1535 rtsg.1023 > csam.login: . ack 1 win 4096
1536 rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
1537 csam.login > rtsg.1023: . ack 2 win 4096
1538 rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
1539 csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
1540 csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
1541 csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
1547 on csam.
1548 The \fBS\fP indicates that the \fISYN\fP flag was set.
1549 The packet sequence number was 768512 and it contained no data.
1552 up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
1553 There was no piggy-backed ack, the available receive window was 4096
1554 bytes and there was a max-segment-size option requesting an mss of
1555 1024 bytes.
1557 Csam replies with a similar packet except it includes a piggy-backed
1558 ack for rtsg's SYN.
1559 Rtsg then acks csam's SYN.
1560 The `.' means no
1561 flags were set.
1562 The packet contained no data so there is no data sequence number.
1564 number is a small integer (1).
1566 tcp `conversation', it prints the sequence number from the packet.
1569 is printed.
1573 first data byte each direction being `1').
1574 `-S' will override this
1575 feature, causing the original sequence numbers to be output.
1578 in the rtsg \(-> csam side of the conversation).
1579 The PUSH flag is set in the packet.
1581 but not including byte 21.
1583 socket buffer since csam's receive window has gotten 19 bytes smaller.
1584 Csam also sends one byte of data to rtsg in this packet.
1586 csam sends two bytes of urgent, pushed data to rtsg.
1591 be interpreted.
1595 options (since it's impossible to tell where they start).
1599 it as ``[\fIbad hdr length\fP]''.
1601 .B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
1608 a TCP connection.
1609 Recall that TCP uses a 3-way handshake protocol
1624 SYN bit set (Step 1).
1626 (SYN-ACK), just a plain initial SYN.
1628 expression for \fItcpdump\fP.
1648 present.
1649 The first line of the graph contains octets 0 - 3, the
1650 second line shows octets 4 - 7 etc.
1663 Let's have a closer look at octet no. 13:
1674 in.
1676 left, so the PSH bit is bit number 3, while the URG bit is number 5.
1678 Recall that we want to capture packets with only SYN set.
1691 control bits section we see that only bit number 1 (SYN) is set.
1693 Assuming that octet number 13 is an 8-bit unsigned integer in
1707 as an 8-bit unsigned integer in network byte order, must be exactly 2.
1719 tcpdump -i xl0 tcp[13] == 2
1723 the decimal value 2", which is exactly what we want.
1727 same time.
1729 with SYN-ACK set arrives:
1739 Now bits 1 and 4 are set in the 13th octet.
1754 SYN-ACK set, but not those with only SYN set.
1756 if ACK or any other control bit is set as long as SYN is set.
1760 the SYN bit.
1767 00010010 SYN-ACK 00000010 SYN
1774 regardless whether ACK or another TCP control bit is set.
1785 tcpdump -i xl0 'tcp[13] & 2 == 2'
1790 from the shell.
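As an added example (not part of the man page or the tcpdump source), the following Python builds a few IPv4/TCP packets and evaluates the byte-index filters discussed above, `tcp[13] == 2` and `tcp[13] & 2 == 2`, together with the payload-length expression from the HTTP example in the EXAMPLES section. Addresses, ports, options and payload bytes are constructed sample values, and checksums are left zero because none of these filters read them.

```python
"""Added example: evaluate tcpdump byte-index filters on constructed packets."""
import struct

# TCP control bits as they sit in octet 13 of the TCP header.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(flags, payload=b"", ip_options=b"", tcp_options=b""):
    """Construct a minimal IPv4+TCP packet with no link-layer header.

    Options let the example exercise the header-length arithmetic: IP and TCP
    header lengths are carried in 32-bit words, so options must pad to 4 bytes.
    """
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4        # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4      # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 6, 0,   # version/IHL ... proto 6 (TCP)
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]),      # constructed src/dst
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80, 1000, 0, doff << 4, flags, 4096, 0, 0,     # octet 12 = doff<<4, octet 13 = flags
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


def split_ip_tcp(pkt):
    """Return (ip_bytes, tcp_bytes) so that ip[n] and tcp[n] index as in tcpdump."""
    ihl = (pkt[0] & 0x0F) << 2            # ip[0]&0xf is the header length in words
    return pkt, pkt[ihl:]


def syn_only(pkt):
    """tcp[13] == 2: exactly SYN and nothing else (the man page's first filter)."""
    _, tcp = split_ip_tcp(pkt)
    return tcp[13] == 2


def syn_set(pkt):
    """tcp[13] & 2 == 2: SYN set regardless of the other control bits."""
    _, tcp = split_ip_tcp(pkt)
    return tcp[13] & 2 == 2


def has_tcp_payload(pkt):
    """The HTTP example's expression:
    ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0
    i.e. IP total length minus IP header length minus TCP header length."""
    ip, tcp = split_ip_tcp(pkt)
    ip_total_len = (ip[2] << 8) | ip[3]   # ip[2:2] is a big-endian 16-bit field
    ip_hdr_len = (ip[0] & 0x0F) << 2
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2
    return (ip_total_len - ip_hdr_len - tcp_hdr_len) != 0
```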
1799 \f(CWactinide.who > broadcast.who: udp 84\fP
1805 broadcast address.
1806 The packet contained 84 bytes of user data.
1809 port number) and the higher level protocol information printed.
1810 In particular, Domain Name service requests (RFC-1034/1035) and Sun
1811 RPC calls (RFC-1050) to NFS.
1815 \fI(N.B.: The following description assumes familiarity with
1816 the Domain Service protocol described in RFC-1035.
1819 in Greek.)\fP
1825 \fIsrc > dst: id op? flags qtype qclass name (len)\fP
1827 \f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
1832 address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
1833 The query id was `3'.
1835 was set.
1837 IP protocol headers.
1839 so the op field was omitted.
1841 have been printed between the `3' and the `+'.
1843 \fIC_IN\fP, and omitted.
1845 immediately after the `A'.
1855 is the appropriate count.
1858 is printed, where \fIx\fP is the hex value of header bytes two and three.
1866 \fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
1868 \f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
1869 helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
1874 with 3 answer records, 3 name server records and 7 additional records.
1876 address 128.32.137.3.
1878 excluding UDP and IP headers.
1880 (NoError) were omitted, as was the class (C_IN) of the A record.
1883 response code of non-existent domain (NXDomain) with no answers,
1884 one name server and no authority records.
1886 the \fIauthoritative answer\fP bit was set.
1888 answers, no type, class or data were printed.
1890 Other flag characters that might appear are `\-' (recursion available,
1891 RA, \fInot\fP set) and `|' (truncated message, TC, set).
1894 is printed.
1898 to print.
1899 Use the \fB\-s\fP flag to increase the snaplen if you
1900 need to seriously investigate name server traffic.
1901 `\fB\-s 128\fP'
1902 has worked well for me.
1908 on UDP/137, UDP/138 and TCP/139.
1910 NetBEUI SMB data is also done.
1913 decode done if -v is used.
1914 Be warned that with -v a single SMB packet
1915 may take up a page or more, so only use -v if you really want all the
1916 gory details.
1919 www.cifs.org or the pub/samba/specs/ directory on your favorite
1920 samba.org mirror site.
1922 (tridge@samba.org).
1931 \fIsrc.xid > dst.nfs: len op args\fP
1932 \fIsrc.nfs > dst.xid: reply stat len op results\fP
1935 sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
1936 wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
1937 sushi.201b > wrl.nfs:
1939 wrl.nfs > sushi.201b:
1947 transaction id, \fInot\fP the source port).
1949 excluding the UDP and IP headers.
1951 (read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
1954 generation number.)
1955 \fIWrl\fP replies `ok' with the contents of the link.
1958 `\fIxcolors\fP' in directory file 9,74/4096.6878.
1960 depends on the operation type.
1963 an NFS protocol spec.
1965 If the \-v (verbose) flag is given, additional information is printed.
1971 sushi.1372a > wrl.nfs:
1973 wrl.nfs > sushi.1372a:
1979 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1980 which have been omitted from this example.) In the first line,
1982 at byte offset 24576.
1987 printed, depending on the filter expression used).
1988 Because the \-v flag
1991 the file mode (in octal), the uid and gid, and the file size.
1993 If the \-v flag is given more than once, even more details are printed.
1996 unless \fIsnaplen\fP is increased.
1997 Try using `\fB\-s 192\fP' to watch
1998 NFS traffic.
2000 NFS reply packets do not explicitly identify the RPC operation.
2003 replies using the transaction ID.
2005 corresponding request, it might not be parsable.
2015 \fIsrc.sport > dst.dport: rx packet-type\fP
2016 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
2017 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
2020 elvis.7001 > pike.afsfs:
2021 rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
2022 new fid 536876964/1/1 ".newsrc"
2023 pike.afsfs > elvis.7001: rx data fs reply rename
2028 In the first line, host elvis sends a RX packet to pike.
2031 an RPC call.
2033 of 536876964/1/1 and an old filename of `.newsrc.new', and a new directory
2034 file id of 536876964/1/1 and a new filename of `.newsrc'.
2037 it was a data packet and not an abort packet).
2039 In general, all AFS RPCs are decoded at least by RPC call name.
2042 the `interesting' arguments, for some definition of interesting).
2044 The format is intended to be self-describing, but it will probably
2046 AFS and RX.
2048 If the -v (verbose) flag is given twice, acknowledgement packets and
2050 call number, sequence number, serial number, and the RX packet flags.
2052 If the -v flag is given twice, additional information is printed,
2053 such as the RX call ID, serial number, and the RX packet flags.
2054 The MTU negotiation information is also printed from RX ack packets.
2056 If the -v flag is given three times, the security index and service id
2057 are printed.
2061 for the Ubik protocol).
2064 be printed unless \fIsnaplen\fP is increased.
2065 Try using `\fB-s 256\fP'
2066 to watch AFS traffic.
2068 AFS reply packets do not explicitly identify the RPC operation.
2071 replies using the call number and service ID.
2074 corresponding request, it might not be parsable.
2079 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
2080 and dumped as DDP packets (i.e., all the UDP header information is
2081 discarded).
2083 .I /etc/atalk.names
2084 is used to translate AppleTalk net and node numbers to names.
2091 \f(CW1.254 ether
2092 16.1 icsd-net
2093 1.254.110 ace\fR
2097 The first two lines give the names of AppleTalk networks.
2100 from a net by the 3rd octet in the number \-
2102 have three octets.) The number and name should be separated by
2103 whitespace (blanks or tabs).
2105 .I /etc/atalk.names
2107 a `#').
2113 \fInet.host.port\fP
2115 \f(CW144.1.209.2 > icsd-net.112.220
2116 office.2 > icsd-net.112.220
2117 jssmag.149.235 > icsd-net.2\fR
2122 .I /etc/atalk.names
2124 host/net number, addresses are printed in numeric form.)
2126 is sending to whatever is listening on port 220 of net icsd node 112.
2128 is known (`office').
2130 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
2132 number \- for this reason it's a good idea to keep node names and
2133 net names distinct in /etc/atalk.names).
2136 packets have their contents interpreted.
2139 protocol) and packet size.
2145 \s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
2146 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
2147 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
2152 112 and broadcast on net jssmag.
2153 The nbp id for the lookup is 190.
2155 same id) from host jssmag.209 saying that it has a laserwriter
2156 resource named "RM1140" registered on port 250.
2159 "techpit" registered on port 186.
2165 \s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
2166 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
2167 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
2168 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
2169 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
2170 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
2171 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
2172 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
2173 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
2174 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
2175 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
2176 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
2177 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
2178 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
2182 Jssmag.209 initiates transaction id 12266 with host helios by requesting
2183 up to 8 packets (the `<0-7>').
2185 is the value of the `userdata' field in the request.
2187 Helios responds with 8 512-byte packets.
2191 excluding the atp header.
2193 EOM bit was set.
2195 Jssmag.209 then requests that packets 3 & 5 be retransmitted.
2197 resends them then jssmag.209 releases the transaction.
2199 jssmag.209 initiates the next request.
2201 indicates that XO (`exactly once') was \fInot\fP set.
2215 (The first form indicates there are more fragments.
2217 indicates this is the last fragment.)
2219 \fIId\fP is the fragment id.
2221 size (in bytes) excluding the IP header.
2223 fragment's offset (in bytes) in the original datagram.
2225 The fragment information is output for each fragment.
2228 info is printed after the protocol info.
2231 frag info is printed after the source and destination addresses.
2232 For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
2237 \s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
2239 rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
2244 2nd line don't include port numbers.
2247 what the port or sequence numbers are when we print the later fragments.
2250 the first frag and 204 in the second).
2253 with packets, this can fool you.
2256 trailing \fB(DF)\fP.
2260 By default, all output lines are preceded by a timestamp.
2265 \fIhh:mm:ss.frac\fP
2268 and is as accurate as the kernel's clock.
2269 The timestamp reflects the time the kernel first saw the packet.
2273 serviced the `new packet' interrupt.
2275 stty(1), pcap(3), bpf(4), nit(4P), pfconfig(8)
2282 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
2284 It is currently being maintained by tcpdump.org.
2289 .I http://www.tcpdump.org/
2295 .I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
2298 IPv6/IPsec support was added by the WIDE/KAME project.
2299 This program uses Eric Young's SSLeay library, under specific configuration.
2301 Please send problems, bugs, questions, desirable enhancements, etc. to:
2304 tcpdump-workers@tcpdump.org
2307 Please send source code contributions, etc. to:
2310 patches@tcpdump.org
2313 NIT doesn't let you watch your own outbound traffic; BPF will.
2314 We recommend that you use the latter.
2316 On Linux systems with 2.0[.x] kernels:
2324 will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
2330 capturing on some PPP devices won't work correctly.
2332 We recommend that you upgrade to a 2.2 or later kernel.
2335 to compute the right length for the higher level protocol.
2339 section.
2341 prefer to fix the program generating them rather than \fItcpdump\fP.
2344 skewed time stamps (the time change is ignored).
2347 not correctly handle source-routed Token Ring packets.
2350 correctly handle 802.11 data packets with both To DS and From DS set.
2353 should chase the header chain, but at this moment it does not.
2355 is supplied for this behavior.
2358 does not work against IPv6 packets.
2359 It only looks at IPv4 packets.