1 .\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
3 .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
5 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
6 .\" The Regents of the University of California. All rights reserved.
7 .\" All rights reserved.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that: (1) source code distributions
11 .\" retain the above copyright notice and this paragraph in its entirety, (2)
12 .\" distributions including binary code include the above copyright notice and
13 .\" this paragraph in its entirety in the documentation or other materials
14 .\" provided with the distribution, and (3) all advertising materials mentioning
15 .\" features or use of this software display the following acknowledgement:
16 .\" ``This product includes software developed by the University of California,
17 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 .\" the University nor the names of its contributors may be used to endorse
19 .\" or promote products derived from this software without specific prior
20 .\" written permission.
21 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 .TH TCPDUMP 1 "05 March 2009"
27 tcpdump \- dump traffic on a network
32 .B \-AbdDefhHIJKlLnNOpqRStuUvxX
98 .I spi@ipaddr algo:secret,...
108 .I postrotate-command
122 \fITcpdump\fP prints out a description of the contents of packets on a
123 network interface that match the boolean \fIexpression\fP. It can also
126 flag, which causes it to save the packet data to a file for later
127 analysis, and/or with the
129 flag, which causes it to read from a saved packet file rather than to
130 read packets from a network interface. In all cases, only packets that
137 will, if not run with the
139 flag, continue capturing packets until it is interrupted by a SIGINT
140 signal (generated, for example, by typing your interrupt character,
141 typically control-C) or a SIGTERM signal (typically generated with the
143 command); if run with the
145 flag, it will capture packets until it is interrupted by a SIGINT or
146 SIGTERM signal or the specified number of packets have been processed.
150 finishes capturing packets, it will report counts of:
152 packets ``captured'' (this is the number of packets that
154 has received and processed);
156 packets ``received by filter'' (the meaning of this depends on the OS on
159 and possibly on the way the OS was configured - if a filter was
160 specified on the command line, on some OSes it counts packets regardless
161 of whether they were matched by the filter expression and, even if they
162 were matched by the filter expression, regardless of whether
164 has read and processed them yet, on other OSes it counts only packets that were
165 matched by the filter expression regardless of whether
167 has read and processed them yet, and on other OSes it counts only
168 packets that were matched by the filter expression and were processed by
171 packets ``dropped by kernel'' (this is the number of packets that were
172 dropped, due to a lack of buffer space, by the packet capture mechanism
175 is running, if the OS reports that information to applications; if not,
176 it will be reported as 0).
178 On platforms that support the SIGINFO signal, such as most BSDs
179 (including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
180 when it receives a SIGINFO signal (generated, for example, by typing
181 your ``status'' character, typically control-T, although on some
182 platforms, such as Mac OS X, the ``status'' character is not set by
183 default, so you must set it with
185 in order to use it) and will continue capturing packets.
187 Reading packets from a network interface may require that you have
188 special privileges; see the
190 man page for details. Reading a saved packet file doesn't require
195 Print each packet (minus its link level header) in ASCII. Handy for
199 Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN
203 Set the operating system capture buffer size to \fIbuffer_size\fP.
206 Exit after receiving \fIcount\fP packets.
209 Before writing a raw packet to a savefile, check whether the file is
210 currently larger than \fIfile_size\fP and, if so, close the current
211 savefile and open a new one. Savefiles after the first savefile will
212 have the name specified with the
214 flag, with a number after it, starting at 1 and continuing upward.
215 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
216 not 1,048,576 bytes).
219 Dump the compiled packet-matching code in a human readable form to
220 standard output and stop.
223 Dump packet-matching code as a
228 Dump packet-matching code as decimal numbers (preceded with a count).
231 Print the list of the network interfaces available on the system and on
234 can capture packets. For each network interface, a number and an
235 interface name, possibly followed by a text description of the
236 interface, is printed. The interface name or the number can be supplied
239 flag to specify an interface on which to capture.
241 This can be useful on systems that don't have a command to list them
242 (e.g., Windows systems, or UNIX systems lacking
243 .BR "ifconfig \-a" );
244 the number can be useful on Windows 2000 and later systems, where the
245 interface name is a somewhat complex string.
249 flag will not be supported if
251 was built with an older version of
254 .B pcap_findalldevs()
258 Print the link-level header on each dump line.
261 Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
262 are addressed to \fIaddr\fP and contain Security Parameter Index value
263 \fIspi\fP. This combination may be repeated with comma or newline separation.
265 Note that setting the secret for IPv4 ESP packets is supported at this time.
272 \fBcast128-cbc\fP, or
274 The default is \fBdes-cbc\fP.
275 The ability to decrypt packets is only present if \fItcpdump\fP was compiled
276 with cryptography enabled.
278 \fIsecret\fP is the ASCII text for ESP secret key.
279 If preceded by 0x, then a hex value will be read.
281 The option assumes RFC2406 ESP, not RFC1827 ESP.
282 The option is only for debugging purposes, and
283 the use of this option with a true `secret' key is discouraged.
284 By presenting IPsec secret key onto command line
285 you make it visible to others, via
289 In addition to the above syntax, the syntax \fIfile name\fP may be used
290 to have tcpdump read the provided file in. The file is opened upon
291 receiving the first ESP packet, so any special permissions that tcpdump
292 may have been given should already have been given up.
295 Print `foreign' IPv4 addresses numerically rather than symbolically
296 (this option is intended to get around serious brain damage in
297 Sun's NIS server \(em usually it hangs forever translating non-local
300 The test for `foreign' IPv4 addresses is done using the IPv4 address and
301 netmask of the interface on which capture is being done. If that
302 address or netmask are not available, available, either because the
303 interface on which capture is being done has no address or netmask or
304 because the capture is being done on the Linux "any" interface, which
305 can capture on more than one interface, this option will not work
309 Use \fIfile\fP as input for the filter expression.
310 An additional expression given on the command line is ignored.
313 If specified, rotates the dump file specified with the
315 option every \fIrotate_seconds\fP seconds.
316 Savefiles will have the name specified by
318 which should include a time format as defined by
320 If no time format is specified, each new file will overwrite the previous.
322 If used in conjunction with the
324 option, filenames will take the form of `\fIfile\fP<count>'.
327 Print the tcpdump and libpcap version strings, print a usage message,
331 Attempt to detect 802.11s draft mesh headers.
334 Listen on \fIinterface\fP.
335 If unspecified, \fItcpdump\fP searches the system interface list for the
336 lowest numbered, configured up interface (excluding loopback).
337 Ties are broken by choosing the earliest match.
339 On Linux systems with 2.2 or later kernels, an
341 argument of ``any'' can be used to capture packets from all interfaces.
342 Note that captures on the ``any'' device will not be done in promiscuous
347 flag is supported, an interface number as printed by that flag can be
353 Put the interface in "monitor mode"; this is supported only on IEEE
354 802.11 Wi-Fi interfaces, and supported only on some operating systems.
356 Note that in monitor mode the adapter might disassociate from the
357 network with which it's associated, so that you will not be able to use
358 any wireless networks with that adapter. This could prevent accessing
359 files on a network server, or resolving host names or network addresses,
360 if you are capturing in monitor mode and are not connected to another
361 network with another adapter.
363 This flag will affect the output of the
367 isn't specified, only those link-layer types available when not in
368 monitor mode will be shown; if
370 is specified, only those link-layer types available when in monitor mode
374 Set the time stamp type for the capture to \fItstamp_type\fP. The names
375 to use for the time stamp types are given in
376 .BR pcap-tstamp-type (@MAN_MISC_INFO@);
377 not all the types listed there will necessarily be valid for any given
381 List the supported time stamp types for the interface and exit. If the
382 time stamp type cannot be set for the interface, no time stamp types are
386 Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
387 interfaces that perform some or all of those checksum calculation in
388 hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
391 Make stdout line buffered.
392 Useful if you want to see the data
399 \fBtcpdump \-l | tee dat\fP
409 \fBtcpdump \-l > dat & tail \-f dat\fP
414 Note that on Windows,``line buffered'' means ``unbuffered'', so that
415 WinDump will write each character individually if
422 in its behavior, but it will cause output to be ``packet-buffered'', so
423 that the output is written to stdout at the end of each packet rather
424 than at the end of each line; this is buffered on all platforms,
428 List the known data link types for the interface, in the specified mode,
429 and exit. The list of known data link types may be dependent on the
430 specified mode; for example, on some platforms, a Wi-Fi interface might
431 support one set of data link types when not in monitor mode (for
432 example, it might support only fake Ethernet headers, or might support
433 802.11 headers but not support 802.11 headers with radio information)
434 and another set of data link types when in monitor mode (for example, it
435 might support 802.11 headers, or 802.11 headers with radio information,
436 only in monitor mode).
439 Load SMI MIB module definitions from file \fImodule\fR.
441 can be used several times to load several MIB modules into \fItcpdump\fP.
444 Use \fIsecret\fP as a shared secret for validating the digests found in
445 TCP segments with the TCP-MD5 option (RFC 2385), if present.
448 Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
451 Don't print domain name qualification of host names.
453 if you give this flag then \fItcpdump\fP will print ``nic''
454 instead of ``nic.ddn.mil''.
457 Do not run the packet-matching code optimizer.
459 if you suspect a bug in the optimizer.
462 \fIDon't\fP put the interface
463 into promiscuous mode.
464 Note that the interface might be in promiscuous
465 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
466 `ether host {local-hw-addr} or ether broadcast'.
469 Quick (quiet?) output.
470 Print less protocol information so output
474 Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
475 If specified, \fItcpdump\fP will not print replay prevention field.
476 Since there is no protocol version field in ESP/AH specification,
477 \fItcpdump\fP cannot deduce the version of ESP/AH protocol.
480 Read packets from \fIfile\fR (which was created with the
483 Standard input is used if \fIfile\fR is ``-''.
486 Print absolute, rather than relative, TCP sequence numbers.
489 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
490 default of 65535 bytes.
491 Packets truncated because of a limited snapshot
492 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
493 is the name of the protocol level at which the truncation has occurred.
494 Note that taking larger snapshots both increases
495 the amount of time it takes to process packets and, effectively,
496 decreases the amount of packet buffering.
497 This may cause packets to be
499 You should limit \fIsnaplen\fP to the smallest number that will
500 capture the protocol information you're interested in.
502 \fIsnaplen\fP to 0 sets it to the default of 65535,
503 for backwards compatibility with recent older versions of
507 Force packets selected by "\fIexpression\fP" to be interpreted the
508 specified \fItype\fR.
509 Currently known types are
510 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
511 \fBcnfp\fR (Cisco NetFlow protocol),
512 \fBrpc\fR (Remote Procedure Call),
513 \fBrtp\fR (Real-Time Applications protocol),
514 \fBrtcp\fR (Real-Time Applications control protocol),
515 \fBsnmp\fR (Simple Network Management Protocol),
516 \fBtftp\fR (Trivial File Transfer Protocol),
517 \fBvat\fR (Visual Audio Tool),
519 \fBwb\fR (distributed White Board).
522 \fIDon't\fP print a timestamp on each dump line.
525 Print an unformatted timestamp on each dump line.
528 Print a delta (micro-second resolution) between current and previous line
532 Print a timestamp in default format proceeded by date on each dump line.
535 Print a delta (micro-second resolution) between current and first line
539 Print undecoded NFS handles.
544 option is not specified, make the printed packet output
545 ``packet-buffered''; i.e., as the description of the contents of each
546 packet is printed, it will be written to the standard output, rather
547 than, when not writing to a terminal, being written only when the output
552 option is specified, make the saved raw packet output
553 ``packet-buffered''; i.e., as each packet is saved, it will be written
554 to the output file, rather than being written only when the output
559 flag will not be supported if
561 was built with an older version of
568 When parsing and printing, produce (slightly more) verbose output.
569 For example, the time to live,
570 identification, total length and options in an IP packet are printed.
571 Also enables additional packet integrity checks such as verifying the
572 IP and ICMP header checksum.
574 When writing to a file with the
576 option, report, every 10 seconds, the number of packets captured.
579 Even more verbose output.
580 For example, additional fields are
581 printed from NFS reply packets, and SMB packets are fully decoded.
584 Even more verbose output.
586 telnet \fBSB\fP ... \fBSE\fP options
590 Telnet options are printed in hex as well.
593 Write the raw packets to \fIfile\fR rather than parsing and printing
595 They can later be printed with the \-r option.
596 Standard output is used if \fIfile\fR is ``-''.
598 This output will be buffered if written to a file or pipe, so a program
599 reading from the file or pipe may not see packets for an arbitrary
600 amount of time after they are received. Use the
602 flag to cause packets to be written as soon as they are received.
605 .BR pcap-savefile (@MAN_FILE_FORMATS@)
606 for a description of the file format.
609 Used in conjunction with the
611 option, this will limit the number
612 of files created to the specified number, and begin overwriting files
613 from the beginning, thus creating a 'rotating' buffer.
614 In addition, it will name
615 the files with enough leading 0s to support the maximum number of
616 files, allowing them to sort correctly.
618 Used in conjunction with the
620 option, this will limit the number of rotated dump files that get
621 created, exiting with status 0 when reaching the limit. If used with
623 as well, the behavior will result in cyclical files per timeslice.
626 When parsing and printing,
627 in addition to printing the headers of each packet, print the data of
628 each packet (minus its link level header) in hex.
629 The smaller of the entire packet or
631 bytes will be printed. Note that this is the entire link-layer
632 packet, so for link layers that pad (e.g. Ethernet), the padding bytes
633 will also be printed when the higher layer packet is shorter than the
637 When parsing and printing,
638 in addition to printing the headers of each packet, print the data of
641 its link level header, in hex.
644 When parsing and printing,
645 in addition to printing the headers of each packet, print the data of
646 each packet (minus its link level header) in hex and ASCII.
647 This is very handy for analysing new protocols.
650 When parsing and printing,
651 in addition to printing the headers of each packet, print the data of
654 its link level header, in hex and ASCII.
657 Set the data link type to use while capturing packets to \fIdatalinktype\fP.
660 Used in conjunction with the
664 options, this will make
670 is the savefile being closed after each rotation. For example, specifying
674 will compress each savefile using gzip or bzip2.
676 Note that tcpdump will run the command in parallel to the capture, using
677 the lowest priority so that this doesn't disturb the capture process.
679 And in case you would like to use a command that itself takes flags or
680 different arguments, you can always write a shell script that will take the
681 savefile name as the only argument, make the flags & arguments arrangements
682 and execute the command that you want.
687 is running as root, after opening the capture device or input savefile,
688 but before opening any savefiles for output, change the user ID to
690 and the group ID to the primary group of
693 This behavior can also be enabled by default at compile time.
694 .IP "\fI expression\fP"
696 selects which packets will be dumped.
697 If no \fIexpression\fP
698 is given, all packets on the net will be dumped.
700 only packets for which \fIexpression\fP is `true' will be dumped.
702 For the \fIexpression\fP syntax, see
703 .BR pcap-filter (@MAN_MISC_INFO@).
705 Expression arguments can be passed to \fItcpdump\fP as either a single
706 argument or as multiple arguments, whichever is more convenient.
707 Generally, if the expression contains Shell metacharacters, it is
708 easier to pass it as a single, quoted argument.
709 Multiple arguments are concatenated with spaces before being parsed.
712 To print all packets arriving at or departing from \fIsundown\fP:
715 \fBtcpdump host sundown\fP
719 To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
722 \fBtcpdump host helios and \\( hot or ace \\)\fP
726 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
729 \fBtcpdump ip host ace and not helios\fP
733 To print all traffic between local hosts and hosts at Berkeley:
737 tcpdump net ucb-ether
741 To print all ftp traffic through internet gateway \fIsnup\fP:
742 (note that the expression is quoted to prevent the shell from
743 (mis-)interpreting the parentheses):
747 tcpdump 'gateway snup and (port ftp or ftp-data)'
751 To print traffic neither sourced from nor destined for local hosts
752 (if you gateway to one other net, this stuff should never make it
753 onto your local net).
757 tcpdump ip and not net \fIlocalnet\fP
761 To print the start and end packets (the SYN and FIN packets) of each
762 TCP conversation that involves a non-local host.
766 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
770 To print all IPv4 HTTP packets to and from port 80, i.e. print only
771 packets that contain data, not, for example, SYN and FIN packets and
772 ACK-only packets. (IPv6 is left as an exercise for the reader.)
776 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
780 To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
784 tcpdump 'gateway snup and ip[2:2] > 576'
788 To print IP broadcast or multicast packets that were
790 sent via Ethernet broadcast or multicast:
794 tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
798 To print all ICMP packets that are not echo requests/replies (i.e., not
803 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
808 The output of \fItcpdump\fP is protocol dependent.
810 gives a brief description and examples of most of the formats.
818 If the '-e' option is given, the link level header is printed out.
819 On Ethernets, the source and destination addresses, protocol,
820 and packet length are printed.
822 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
823 the `frame control' field, the source and destination addresses,
824 and the packet length.
825 (The `frame control' field governs the
826 interpretation of the rest of the packet.
828 as those containing IP datagrams) are `async' packets, with a priority
829 value between 0 and 7; for example, `\fBasync4\fR'.
831 are assumed to contain an 802.2 Logical Link Control (LLC) packet;
832 the LLC header is printed if it is \fInot\fR an ISO datagram or a
833 so-called SNAP packet.
835 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
836 the `access control' and `frame control' fields, the source and
837 destination addresses, and the packet length.
839 packets are assumed to contain an LLC packet.
840 Regardless of whether
841 the '-e' option is specified or not, the source routing information is
842 printed for source-routed packets.
844 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
845 the `frame control' fields, all of the addresses in the 802.11 header,
846 and the packet length.
848 packets are assumed to contain an LLC packet.
850 \fI(N.B.: The following description assumes familiarity with
851 the SLIP compression algorithm described in RFC-1144.)\fP
853 On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
854 packet type, and compression information are printed out.
855 The packet type is printed first.
856 The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
857 No further link information is printed for \fIip\fR packets.
858 For TCP packets, the connection identifier is printed following the type.
859 If the packet is compressed, its encoded header is printed out.
860 The special cases are printed out as
861 \fB*S+\fIn\fR and \fB*SA+\fIn\fR, where \fIn\fR is the amount by which
862 the sequence number (or sequence number and ack) has changed.
863 If it is not a special case,
864 zero or more changes are printed.
865 A change is indicated by U (urgent pointer), W (window), A (ack),
866 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
868 Finally, the amount of data in the packet and compressed header length
871 For example, the following line shows an outbound compressed TCP packet,
872 with an implicit connection identifier; the ack has changed by 6,
873 the sequence number by 49, and the packet ID by 6; there are 3 bytes of
874 data and 6 bytes of compressed header:
877 \fBO ctcp * A+6 S+49 I+6 3 (6)\fP
883 Arp/rarp output shows the type of request and its arguments.
885 format is intended to be self explanatory.
886 Here is a short sample taken from the start of an `rlogin' from
887 host \fIrtsg\fP to host \fIcsam\fP:
891 \f(CWarp who-has csam tell rtsg
892 arp reply csam is-at CSAM\fR
896 The first line says that rtsg sent an arp packet asking
897 for the Ethernet address of internet host csam.
899 replies with its Ethernet address (in this example, Ethernet addresses
900 are in caps and internet addresses in lower case).
902 This would look less redundant if we had done \fItcpdump \-n\fP:
906 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
907 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
911 If we had done \fItcpdump \-e\fP, the fact that the first packet is
912 broadcast and the second is point-to-point would be visible:
916 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
917 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
921 For the first packet this says the Ethernet source address is RTSG, the
922 destination is the Ethernet broadcast address, the type field
923 contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
927 \fI(N.B.:The following description assumes familiarity with
928 the TCP protocol described in RFC-793.
929 If you are not familiar
930 with the protocol, neither this description nor \fItcpdump\fP will
931 be of much use to you.)\fP
933 The general format of a tcp protocol line is:
937 \fIsrc > dst: flags data-seqno ack window urgent options\fP
941 \fISrc\fP and \fIdst\fP are the source and destination IP
943 \fIFlags\fP are some combination of S (SYN),
944 F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or
945 `.' (ACK), or `none' if no flags are set.
946 \fIData-seqno\fP describes the portion of sequence space covered
947 by the data in this packet (see example below).
948 \fIAck\fP is sequence number of the next data expected the other
949 direction on this connection.
950 \fIWindow\fP is the number of bytes of receive buffer space available
951 the other direction on this connection.
952 \fIUrg\fP indicates there is `urgent' data in the packet.
953 \fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
955 \fISrc, dst\fP and \fIflags\fP are always present.
957 depend on the contents of the packet's tcp protocol header and
958 are output only if appropriate.
960 Here is the opening portion of an rlogin from host \fIrtsg\fP to
965 \s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
966 csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
967 rtsg.1023 > csam.login: . ack 1 win 4096
968 rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
969 csam.login > rtsg.1023: . ack 2 win 4096
970 rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
971 csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
972 csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
973 csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
977 The first line says that tcp port 1023 on rtsg sent a packet
980 The \fBS\fP indicates that the \fISYN\fP flag was set.
981 The packet sequence number was 768512 and it contained no data.
982 (The notation is `first:last(nbytes)' which means `sequence
984 up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
985 There was no piggy-backed ack, the available receive window was 4096
986 bytes and there was a max-segment-size option requesting an mss of
989 Csam replies with a similar packet except it includes a piggy-backed
991 Rtsg then acks csam's SYN.
992 The `.' means the ACK flag was set.
993 The packet contained no data so there is no data sequence number.
994 Note that the ack sequence
995 number is a small integer (1).
996 The first time \fItcpdump\fP sees a
997 tcp `conversation', it prints the sequence number from the packet.
998 On subsequent packets of the conversation, the difference between
999 the current packet's sequence number and this initial sequence number
1001 This means that sequence numbers after the
1002 first can be interpreted
1003 as relative byte positions in the conversation's data stream (with the
1004 first data byte each direction being `1').
1005 `-S' will override this
1006 feature, causing the original sequence numbers to be output.
1008 On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
1009 in the rtsg \(-> csam side of the conversation).
1010 The PUSH flag is set in the packet.
1011 On the 7th line, csam says it's received data sent by rtsg up to
1012 but not including byte 21.
1013 Most of this data is apparently sitting in the
1014 socket buffer since csam's receive window has gotten 19 bytes smaller.
1015 Csam also sends one byte of data to rtsg in this packet.
1016 On the 8th and 9th lines,
1017 csam sends two bytes of urgent, pushed data to rtsg.
1019 If the snapshot was small enough that \fItcpdump\fP didn't capture
1020 the full TCP header, it interprets as much of the header as it can
1021 and then reports ``[|\fItcp\fP]'' to indicate the remainder could not
1023 If the header contains a bogus option (one with a length
1024 that's either too small or beyond the end of the header), \fItcpdump\fP
1025 reports it as ``[\fIbad opt\fP]'' and does not interpret any further
1026 options (since it's impossible to tell where they start).
1028 length indicates options are present but the IP datagram length is not
1029 long enough for the options to actually be there, \fItcpdump\fP reports
1030 it as ``[\fIbad hdr length\fP]''.
1032 .B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
1034 There are 8 bits in the control bits section of the TCP header:
1036 .I CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
1038 Let's assume that we want to watch packets used in establishing
1040 Recall that TCP uses a 3-way handshake protocol
1041 when it initializes a new connection; the connection sequence with
1042 regard to the TCP control bits is
1048 2) Recipient responds with SYN, ACK
1054 Now we're interested in capturing packets that have only the
1055 SYN bit set (Step 1).
1056 Note that we don't want packets from step 2
1057 (SYN-ACK), just a plain initial SYN.
1058 What we need is a correct filter
1059 expression for \fItcpdump\fP.
1061 Recall the structure of a TCP header without options:
1065 -----------------------------------------------------------------
1066 | source port | destination port |
1067 -----------------------------------------------------------------
1069 -----------------------------------------------------------------
1070 | acknowledgment number |
1071 -----------------------------------------------------------------
1072 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1073 -----------------------------------------------------------------
1074 | TCP checksum | urgent pointer |
1075 -----------------------------------------------------------------
1078 A TCP header usually holds 20 octets of data, unless options are
1080 The first line of the graph contains octets 0 - 3, the
1081 second line shows octets 4 - 7 etc.
1083 Starting to count with 0, the relevant TCP control bits are contained
1088 ----------------|---------------|---------------|----------------
1089 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1090 ----------------|---------------|---------------|----------------
1091 | | 13th octet | | |
1094 Let's have a closer look at octet no. 13:
1104 These are the TCP control bits we are interested
1106 We have numbered the bits in this octet from 0 to 7, right to
1107 left, so the PSH bit is bit number 3, while the URG bit is number 5.
1109 Recall that we want to capture packets with only SYN set.
1110 Let's see what happens to octet 13 if a TCP datagram arrives
1111 with the SYN bit set in its header:
1122 control bits section we see that only bit number 1 (SYN) is set.
1124 Assuming that octet number 13 is an 8-bit unsigned integer in
1125 network byte order, the binary value of this octet is
1129 and its decimal representation is
1133 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 = 2
1136 We're almost done, because now we know that if only SYN is set,
1137 the value of the 13th octet in the TCP header, when interpreted
1138 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1140 This relationship can be expressed as
1146 We can use this expression as the filter for \fItcpdump\fP in order
1147 to watch packets which have only SYN set:
1150 tcpdump -i xl0 tcp[13] == 2
1153 The expression says "let the 13th octet of a TCP datagram have
1154 the decimal value 2", which is exactly what we want.
1156 Now, let's assume that we need to capture SYN packets, but we
1157 don't care if ACK or any other TCP control bit is set at the
1159 Let's see what happens to octet 13 when a TCP datagram
1160 with SYN-ACK set arrives:
1170 Now bits 1 and 4 are set in the 13th octet.
1176 which translates to decimal
1180 0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2 = 18
1183 Now we can't just use 'tcp[13] == 18' in the \fItcpdump\fP filter
1184 expression, because that would select only those packets that have
1185 SYN-ACK set, but not those with only SYN set.
1186 Remember that we don't care
1187 if ACK or any other control bit is set as long as SYN is set.
1189 In order to achieve our goal, we need to logically AND the
1190 binary value of octet 13 with some other value to preserve
1192 We know that we want SYN to be set in any case,
1193 so we'll logically AND the value in the 13th octet with
1194 the binary value of a SYN:
1198 00010010 SYN-ACK 00000010 SYN
1199 AND 00000010 (we want SYN) AND 00000010 (we want SYN)
1201 = 00000010 = 00000010
1204 We see that this AND operation delivers the same result
1205 regardless whether ACK or another TCP control bit is set.
1206 The decimal representation of the AND value as well as
1207 the result of this operation is 2 (binary 00000010),
1208 so we know that for packets with SYN set the following
1209 relation must hold true:
1211 ( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )
1213 This points us to the \fItcpdump\fP filter expression
1216 tcpdump -i xl0 'tcp[13] & 2 == 2'
1219 Some offsets and field values may be expressed as names
1220 rather than as numeric values. For example tcp[13] may
1221 be replaced with tcp[tcpflags]. The following TCP flag
1222 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1223 tcp-push, tcp-act, tcp-urg.
1225 This can be demonstrated as:
1228 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1231 Note that you should use single quotes or a backslash
1232 in the expression to hide the AND ('&') special character
1238 UDP format is illustrated by this rwho packet:
1242 \f(CWactinide.who > broadcast.who: udp 84\fP
1246 This says that port \fIwho\fP on host \fIactinide\fP sent a udp
1247 datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
1249 The packet contained 84 bytes of user data.
1251 Some UDP services are recognized (from the source or destination
1252 port number) and the higher level protocol information printed.
1253 In particular, Domain Name service requests (RFC-1034/1035) and Sun
1254 RPC calls (RFC-1050) to NFS.
1256 UDP Name Server Requests
1258 \fI(N.B.:The following description assumes familiarity with
1259 the Domain Service protocol described in RFC-1035.
1260 If you are not familiar
1261 with the protocol, the following description will appear to be written
1264 Name server requests are formatted as
1268 \fIsrc > dst: id op? flags qtype qclass name (len)\fP
1270 \f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
1274 Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
1275 address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
1276 The query id was `3'.
1277 The `+' indicates the \fIrecursion desired\fP flag
1279 The query length was 37 bytes, not including the UDP and
1280 IP protocol headers.
1281 The query operation was the normal one, \fIQuery\fP,
1282 so the op field was omitted.
1283 If the op had been anything else, it would
1284 have been printed between the `3' and the `+'.
1285 Similarly, the qclass was the normal one,
1286 \fIC_IN\fP, and omitted.
1287 Any other qclass would have been printed
1288 immediately after the `A'.
1290 A few anomalies are checked and may result in extra fields enclosed in
1291 square brackets: If a query contains an answer, authority records or
1292 additional records section,
1297 are printed as `[\fIn\fPa]', `[\fIn\fPn]' or `[\fIn\fPau]' where \fIn\fP
1298 is the appropriate count.
1299 If any of the response bits are set (AA, RA or rcode) or any of the
1300 `must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
1301 is printed, where \fIx\fP is the hex value of header bytes two and three.
1303 UDP Name Server Responses
1305 Name server responses are formatted as
1309 \fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
1311 \f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
1312 helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
1316 In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
1317 with 3 answer records, 3 name server records and 7 additional records.
1318 The first answer record is type A (address) and its data is internet
1319 address 128.32.137.3.
1320 The total size of the response was 273 bytes,
1321 excluding UDP and IP headers.
1322 The op (Query) and response code
1323 (NoError) were omitted, as was the class (C_IN) of the A record.
1325 In the second example, \fIhelios\fP responds to query 2 with a
1326 response code of non-existent domain (NXDomain) with no answers,
1327 one name server and no authority records.
1328 The `*' indicates that
1329 the \fIauthoritative answer\fP bit was set.
1331 answers, no type, class or data were printed.
1333 Other flag characters that might appear are `\-' (recursion available,
1334 RA, \fInot\fP set) and `|' (truncated message, TC, set).
1336 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
1341 \fItcpdump\fP now includes fairly extensive SMB/CIFS/NBT decoding for data
1342 on UDP/137, UDP/138 and TCP/139.
1343 Some primitive decoding of IPX and
1344 NetBEUI SMB data is also done.
1346 By default a fairly minimal decode is done, with a much more detailed
1347 decode done if -v is used.
1348 Be warned that with -v a single SMB packet
1349 may take up a page or more, so only use -v if you really want all the
1352 For information on SMB packet formats and what all the fields mean see
1353 www.cifs.org or the pub/samba/specs/ directory on your favorite
1354 samba.org mirror site.
1355 The SMB patches were written by Andrew Tridgell
1358 NFS Requests and Replies
1360 Sun NFS (Network File System) requests and replies are printed as:
1364 \fIsrc.xid > dst.nfs: len op args\fP
1365 \fIsrc.nfs > dst.xid: reply stat len op results\fP
1368 sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
1369 wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
1370 sushi.201b > wrl.nfs:
1371 144 lookup fh 9,74/4096.6878 "xcolors"
1372 wrl.nfs > sushi.201b:
1373 reply ok 128 lookup fh 9,74/4134.3150
1378 In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP
1379 to \fIwrl\fP (note that the number following the src host is a
1380 transaction id, \fInot\fP the source port).
1381 The request was 112 bytes,
1382 excluding the UDP and IP headers.
1383 The operation was a \fIreadlink\fP
1384 (read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
1385 (If one is lucky, as in this case, the file handle can be interpreted
1386 as a major,minor device number pair, followed by the inode number and
1388 \fIWrl\fP replies `ok' with the contents of the link.
1390 In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name
1391 `\fIxcolors\fP' in directory file 9,74/4096.6878.
1392 Note that the data printed
1393 depends on the operation type.
1394 The format is intended to be self
1395 explanatory if read in conjunction with
1396 an NFS protocol spec.
1398 If the \-v (verbose) flag is given, additional information is printed.
1404 sushi.1372a > wrl.nfs:
1405 148 read fh 21,11/12.195 8192 bytes @ 24576
1406 wrl.nfs > sushi.1372a:
1407 reply ok 1472 read REG 100664 ids 417/0 sz 29388
1412 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1413 which have been omitted from this example.) In the first line,
1414 \fIsushi\fP asks \fIwrl\fP to read 8192 bytes from file 21,11/12.195,
1415 at byte offset 24576.
1416 \fIWrl\fP replies `ok'; the packet shown on the
1417 second line is the first fragment of the reply, and hence is only 1472
1418 bytes long (the other bytes will follow in subsequent fragments, but
1419 these fragments do not have NFS or even UDP headers and so might not be
1420 printed, depending on the filter expression used).
1421 Because the \-v flag
1422 is given, some of the file attributes (which are returned in addition
1423 to the file data) are printed: the file type (``REG'', for regular file),
1424 the file mode (in octal), the uid and gid, and the file size.
1426 If the \-v flag is given more than once, even more details are printed.
1428 Note that NFS requests are very large and much of the detail won't be printed
1429 unless \fIsnaplen\fP is increased.
1430 Try using `\fB\-s 192\fP' to watch
1433 NFS reply packets do not explicitly identify the RPC operation.
1435 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
1436 replies using the transaction ID.
1437 If a reply does not closely follow the
1438 corresponding request, it might not be parsable.
1440 AFS Requests and Replies
1442 Transarc AFS (Andrew File System) requests and replies are printed
1448 \fIsrc.sport > dst.dport: rx packet-type\fP
1449 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1450 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1453 elvis.7001 > pike.afsfs:
1454 rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
1455 new fid 536876964/1/1 ".newsrc"
1456 pike.afsfs > elvis.7001: rx data fs reply rename
1461 In the first line, host elvis sends a RX packet to pike.
1463 a RX data packet to the fs (fileserver) service, and is the start of
1465 The RPC call was a rename, with the old directory file id
1466 of 536876964/1/1 and an old filename of `.newsrc.new', and a new directory
1467 file id of 536876964/1/1 and a new filename of `.newsrc'.
1469 responds with a RPC reply to the rename call (which was successful, because
1470 it was a data packet and not an abort packet).
1472 In general, all AFS RPCs are decoded at least by RPC call name.
1474 AFS RPCs have at least some of the arguments decoded (generally only
1475 the `interesting' arguments, for some definition of interesting).
1477 The format is intended to be self-describing, but it will probably
1478 not be useful to people who are not familiar with the workings of
1481 If the -v (verbose) flag is given twice, acknowledgement packets and
1482 additional header information is printed, such as the the RX call ID,
1483 call number, sequence number, serial number, and the RX packet flags.
1485 If the -v flag is given twice, additional information is printed,
1486 such as the the RX call ID, serial number, and the RX packet flags.
1487 The MTU negotiation information is also printed from RX ack packets.
1489 If the -v flag is given three times, the security index and service id
1492 Error codes are printed for abort packets, with the exception of Ubik
1493 beacon packets (because abort packets are used to signify a yes vote
1494 for the Ubik protocol).
1496 Note that AFS requests are very large and many of the arguments won't
1497 be printed unless \fIsnaplen\fP is increased.
1498 Try using `\fB-s 256\fP'
1499 to watch AFS traffic.
1501 AFS reply packets do not explicitly identify the RPC operation.
1503 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
1504 replies using the call number and service ID.
1505 If a reply does not closely
1507 corresponding request, it might not be parsable.
1510 KIP AppleTalk (DDP in UDP)
1512 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1513 and dumped as DDP packets (i.e., all the UDP header information is
1517 is used to translate AppleTalk net and node numbers to names.
1518 Lines in this file have the form
1530 The first two lines give the names of AppleTalk networks.
1532 line gives the name of a particular host (a host is distinguished
1533 from a net by the 3rd octet in the number \-
1534 a net number \fImust\fP have two octets and a host number \fImust\fP
1535 have three octets.) The number and name should be separated by
1536 whitespace (blanks or tabs).
1539 file may contain blank lines or comment lines (lines starting with
1542 AppleTalk addresses are printed in the form
1548 \f(CW144.1.209.2 > icsd-net.112.220
1549 office.2 > icsd-net.112.220
1550 jssmag.149.235 > icsd-net.2\fR
1556 doesn't exist or doesn't contain an entry for some AppleTalk
1557 host/net number, addresses are printed in numeric form.)
1558 In the first example, NBP (DDP port 2) on net 144.1 node 209
1559 is sending to whatever is listening on port 220 of net icsd node 112.
1560 The second line is the same except the full name of the source node
1561 is known (`office').
1562 The third line is a send from port 235 on
1563 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1564 the broadcast address (255) is indicated by a net name with no host
1565 number \- for this reason it's a good idea to keep node names and
1566 net names distinct in /etc/atalk.names).
1568 NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
1569 packets have their contents interpreted.
1570 Other protocols just dump
1571 the protocol name (or number if no name is registered for the
1572 protocol) and packet size.
1574 \fBNBP packets\fP are formatted like the following examples:
1578 \s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1579 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1580 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
1584 The first line is a name lookup request for laserwriters sent by net icsd host
1585 112 and broadcast on net jssmag.
1586 The nbp id for the lookup is 190.
1587 The second line shows a reply for this request (note that it has the
1588 same id) from host jssmag.209 saying that it has a laserwriter
1589 resource named "RM1140" registered on port 250.
1591 another reply to the same request saying host techpit has laserwriter
1592 "techpit" registered on port 186.
1594 \fBATP packet\fP formatting is demonstrated by the following example:
1598 \s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1599 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1600 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1601 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1602 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1603 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1604 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1605 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1606 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1607 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1608 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1609 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1610 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1611 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
1615 Jssmag.209 initiates transaction id 12266 with host helios by requesting
1616 up to 8 packets (the `<0-7>').
1617 The hex number at the end of the line
1618 is the value of the `userdata' field in the request.
1620 Helios responds with 8 512-byte packets.
1621 The `:digit' following the
1622 transaction id gives the packet sequence number in the transaction
1623 and the number in parens is the amount of data in the packet,
1624 excluding the atp header.
1625 The `*' on packet 7 indicates that the
1628 Jssmag.209 then requests that packets 3 & 5 be retransmitted.
1630 resends them then jssmag.209 releases the transaction.
1632 jssmag.209 initiates the next request.
1633 The `*' on the request
1634 indicates that XO (`exactly once') was \fInot\fP set.
1639 Fragmented Internet datagrams are printed as
1643 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB+)\fR
1644 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB)\fR
1648 (The first form indicates there are more fragments.
1650 indicates this is the last fragment.)
1652 \fIId\fP is the fragment id.
1653 \fISize\fP is the fragment
1654 size (in bytes) excluding the IP header.
1655 \fIOffset\fP is this
1656 fragment's offset (in bytes) in the original datagram.
1658 The fragment information is output for each fragment.
1660 fragment contains the higher level protocol header and the frag
1661 info is printed after the protocol info.
1663 after the first contain no higher level protocol header and the
1664 frag info is printed after the source and destination addresses.
1665 For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
1666 over a CSNET connection that doesn't appear to handle 576 byte datagrams:
1670 \s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
1671 arizona > rtsg: (frag 595a:204@328)
1672 rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
1676 There are a couple of things to note here: First, addresses in the
1677 2nd line don't include port numbers.
1678 This is because the TCP
1679 protocol information is all in the first fragment and we have no idea
1680 what the port or sequence numbers are when we print the later fragments.
1681 Second, the tcp sequence information in the first line is printed as if there
1682 were 308 bytes of user data when, in fact, there are 512 bytes (308 in
1683 the first frag and 204 in the second).
1684 If you are looking for holes
1685 in the sequence space or trying to match up acks
1686 with packets, this can fool you.
1688 A packet with the IP \fIdon't fragment\fP flag is marked with a
1689 trailing \fB(DF)\fP.
1693 By default, all output lines are preceded by a timestamp.
1695 is the current clock time in the form
1701 and is as accurate as the kernel's clock.
1702 The timestamp reflects the time the kernel first saw the packet.
1704 is made to account for the time lag between when the
1705 Ethernet interface removed the packet from the wire and when the kernel
1706 serviced the `new packet' interrupt.
1708 stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
1709 pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@)
1711 The original authors are:
1715 Steven McCanne, all of the
1716 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
1718 It is currently being maintained by tcpdump.org.
1720 The current version is available via http:
1723 .I http://www.tcpdump.org/
1726 The original distribution is available via anonymous ftp:
1729 .I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
1732 IPv6/IPsec support is added by WIDE/KAME project.
1733 This program uses Eric Young's SSLeay library, under specific configurations.
1735 Please send problems, bugs, questions, desirable enhancements, patches
1739 tcpdump-workers@lists.tcpdump.org
1742 NIT doesn't let you watch your own outbound traffic, BPF will.
1743 We recommend that you use the latter.
1745 On Linux systems with 2.0[.x] kernels:
1747 packets on the loopback device will be seen twice;
1749 packet filtering cannot be done in the kernel, so that all packets must
1750 be copied from the kernel in order to be filtered in user mode;
1752 all of a packet, not just the part that's within the snapshot length,
1753 will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
1754 asked to copy only part of a packet to userland, will not report the
1755 true length of the packet; this would cause most IP packets to get an
1759 capturing on some PPP devices won't work correctly.
1761 We recommend that you upgrade to a 2.2 or later kernel.
1763 Some attempt should be made to reassemble IP fragments or, at least
1764 to compute the right length for the higher level protocol.
1766 Name server inverse queries are not dumped correctly: the (empty)
1767 question section is printed rather than real query in the answer
1769 Some believe that inverse queries are themselves a bug and
1770 prefer to fix the program generating them rather than \fItcpdump\fP.
1772 A packet trace that crosses a daylight savings time change will give
1773 skewed time stamps (the time change is ignored).
1775 Filter expressions on fields other than those in Token Ring headers will
1776 not correctly handle source-routed Token Ring packets.
1778 Filter expressions on fields other than those in 802.11 headers will not
1779 correctly handle 802.11 data packets with both To DS and From DS set.
1782 should chase header chain, but at this moment it does not.
1783 .BR "ip6 protochain"
1784 is supplied for this behavior.
1786 Arithmetic expression against transport layer headers, like \fBtcp[0]\fP,
1787 does not work against IPv6 packets.
1788 It only looks at IPv4 packets.