-.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
-.\"
.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "12 July 2012"
+.TH TCPDUMP 1 "11 July 2014"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
-.B \-AbdDefhHIJKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqRStuUvxX#
] [
.B \-B
.I buffer_size
-] [
+]
+.br
+.ti +8
+[
.B \-c
.I count
]
.br
.ti +8
[
+.B \-\-number
+]
+[
+.B \-Q
+.I in|out|inout
+]
+.ti +8
+[
.B \-r
.I file
]
[
+.B \-V
+.I file
+]
+[
.B \-s
.I snaplen
]
]
.ti +8
[
+.BI \-\-time\-stamp\-precision= tstamp_precision
+]
+[
+.B \-\-version
+]
+.ti +8
+[
.I expression
]
.br
analysis, and/or with the
.B \-r
flag, which causes it to read from a saved packet file rather than to
-read packets from a network interface. In all cases, only packets that
-match
+read packets from a network interface. It can also be run with the
+.B \-V
+flag, which causes it to read a list of saved packet files. In all cases,
+only packets that match
.I expression
will be processed by
.IR tcpdump .
Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN
notation.
.TP
-.B \-B
+.BI \-B " buffer_size"
+.PD 0
+.TP
+.BI \-\-buffer\-size= buffer_size
+.PD
Set the operating system capture buffer size to \fIbuffer_size\fP, in
units of KiB (1024 bytes).
.TP
-.B \-c
+.BI \-c " count"
Exit after receiving \fIcount\fP packets.
.TP
-.B \-C
+.BI \-C " file_size"
Before writing a raw packet to a savefile, check whether the file is
currently larger than \fIfile_size\fP and, if so, close the current
savefile and open a new one. Savefiles after the first savefile will
Dump packet-matching code as decimal numbers (preceded with a count).
.TP
.B \-D
+.PD 0
+.TP
+.B \-\-list\-interfaces
+.PD
Print the list of the network interfaces available on the system and on
which
.I tcpdump
function.
.TP
.B \-e
-Print the link-level header on each dump line.
+Print the link-level header on each dump line. This can be used, for
+example, to print MAC layer addresses for protocols such as Ethernet and
+IEEE 802.11.
.TP
.B \-E
Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
can capture on more than one interface, this option will not work
correctly.
.TP
-.B \-F
+.BI \-F " file"
Use \fIfile\fP as input for the filter expression.
An additional expression given on the command line is ignored.
.TP
-.B \-G
+.BI \-G " rotate_seconds"
If specified, rotates the dump file specified with the
.B \-w
option every \fIrotate_seconds\fP seconds.
option, filenames will take the form of `\fIfile\fP<count>'.
.TP
.B \-h
+.PD 0
+.TP
+.B \-\-help
+.PD
Print the tcpdump and libpcap version strings, print a usage message,
and exit.
.TP
+.B \-\-version
+.PD
+Print the tcpdump and libpcap version strings and exit.
+.TP
.B \-H
Attempt to detect 802.11s draft mesh headers.
.TP
-.B \-i
+.BI \-i " interface"
+.PD 0
+.TP
+.BI \-\-interface= interface
+.PD
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
-lowest numbered, configured up interface (excluding loopback).
-Ties are broken by choosing the earliest match.
+lowest numbered, configured up interface (excluding loopback), which may turn
+out to be, for example, ``eth0''.
.IP
On Linux systems with 2.2 or later kernels, an
.I interface
argument.
.TP
.B \-I
+.PD 0
+.TP
+.B \-\-monitor\-mode
+.PD
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
.IP
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
-.B \-j
+.BI \-j " tstamp_type"
+.PD 0
+.TP
+.BI \-\-time\-stamp\-type= tstamp_type
+.PD
Set the time stamp type for the capture to \fItstamp_type\fP. The names
to use for the time stamp types are given in
-.BR pcap-tstamp-type (@MAN_MISC_INFO@);
+.BR pcap-tstamp (@MAN_MISC_INFO@);
not all the types listed there will necessarily be valid for any given
interface.
.TP
.B \-J
+.PD 0
+.TP
+.B \-\-list\-time\-stamp\-types
+.PD
List the supported time stamp types for the interface and exit. If the
time stamp type cannot be set for the interface, no time stamp types are
listed.
.TP
+.BI \-\-time\-stamp\-precision= tstamp_precision
+When capturing, set the time stamp precision for the capture to
+\fItstamp_precision\fP. Note that availability of high precision time
+stamps (nanoseconds) and their actual accuracy is platform and hardware
+dependent. Also note that when writing captures made with nanosecond
+accuracy to a savefile, the time stamps are written with nanosecond
+resolution, and the file is written with a different magic number, to
+indicate that the time stamps are in seconds and nanoseconds; not all
+programs that read pcap savefiles will be able to read those captures.
+.LP
+When reading a savefile, convert time stamps to the precision specified
+by \fItimestamp_precision\fP, and display them with that resolution. If
+the precision specified is less than the precision of time stamps in the
+file, the conversion will lose precision.
+.LP
+The supported values for \fItimestamp_precision\fP are \fBmicro\fP for
+microsecond resolution and \fBnano\fP for nanosecond resolution. The
+default is microsecond resolution.
+.TP
.B \-K
+.PD 0
+.TP
+.B \-\-dont\-verify\-checksums
+.PD
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
interfaces that perform some or all of those checksum calculation in
hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
including Windows.
.TP
.B \-L
+.PD 0
+.TP
+.B \-\-list\-data\-link\-types
+.PD
List the known data link types for the interface, in the specified mode,
and exit. The list of known data link types may be dependent on the
specified mode; for example, on some platforms, a Wi-Fi interface might
might support 802.11 headers, or 802.11 headers with radio information,
only in monitor mode).
.TP
-.B \-m
+.BI \-m " module"
Load SMI MIB module definitions from file \fImodule\fR.
This option
can be used several times to load several MIB modules into \fItcpdump\fP.
.TP
-.B \-M
+.BI \-M " secret"
Use \fIsecret\fP as a shared secret for validating the digests found in
TCP segments with the TCP-MD5 option (RFC 2385), if present.
.TP
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
+.B \-#
+.PD 0
+.TP
+.B \-\-number
+.PD
+Print an optional packet number at the beginning of the line.
+.TP
.B \-O
+.PD 0
+.TP
+.B \-\-no\-optimize
+.PD
Do not run the packet-matching code optimizer.
This is useful only
if you suspect a bug in the optimizer.
.TP
.B \-p
+.PD 0
+.TP
+.B \-\-no\-promiscuous\-mode
+.PD
\fIDon't\fP put the interface
into promiscuous mode.
Note that the interface might be in promiscuous
mode for some other reason; hence, `-p' cannot be used as an abbreviation for
`ether host {local-hw-addr} or ether broadcast'.
.TP
+.BI \-Q " direction"
+.PD 0
+.TP
+.BI \-\-direction= direction
+.PD
+Choose send/receive direction \fIdirection\fR for which packets should be
+captured. Possible values are `in', `out' and `inout'. Not available
+on all platforms.
+.TP
.B \-q
Quick (quiet?) output.
Print less protocol information so output
Since there is no protocol version field in ESP/AH specification,
\fItcpdump\fP cannot deduce the version of ESP/AH protocol.
.TP
-.B \-r
+.BI \-r " file"
Read packets from \fIfile\fR (which was created with the
.B \-w
-option).
+option or by other tools that write pcap or pcap-ng files).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-S
+.PD 0
+.TP
+.B \-\-absolute\-tcp\-sequence\-numbers
+.PD
Print absolute, rather than relative, TCP sequence numbers.
.TP
-.B \-s
+.BI \-s " snaplen"
+.PD 0
+.TP
+.BI \-\-snapshot\-length= snaplen
+.PD
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
default of 65535 bytes.
Packets truncated because of a limited snapshot
for backwards compatibility with recent older versions of
.IR tcpdump .
.TP
-.B \-T
+.BI \-T " type"
Force packets selected by "\fIexpression\fP" to be interpreted the
specified \fItype\fR.
Currently known types are
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
\fBcarp\fR (Common Address Redundancy Protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
+\fBlmp\fR (Link Management Protocol),
+\fBpgm\fR (Pragmatic General Multicast),
+\fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM),
\fBradius\fR (RADIUS),
\fBrpc\fR (Remote Procedure Call),
\fBrtp\fR (Real-Time Applications protocol),
\fBsnmp\fR (Simple Network Management Protocol),
\fBtftp\fR (Trivial File Transfer Protocol),
\fBvat\fR (Visual Audio Tool),
+\fBwb\fR (distributed White Board),
+\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0)
and
-\fBwb\fR (distributed White Board).
+\fBvxlan\fR (Virtual eXtensible Local Area Network).
+.IP
+Note that the \fBpgm\fR type above affects UDP interpretation only, the native
+PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
+often called "EPGM" or "PGM/UDP".
+.IP
+Note that the \fBpgm_zmtp1\fR type above affects interpretation of both native
+PGM and UDP at once. During the native PGM decoding the application data of an
+ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames.
+During the UDP decoding in addition to that any UDP packet would be treated as
+an encapsulated PGM packet.
.TP
.B \-t
\fIDon't\fP print a timestamp on each dump line.
Print undecoded NFS handles.
.TP
.B \-U
+.PD 0
+.TP
+.B \-\-packet\-buffered
+.PD
If the
.B \-w
option is not specified, make the printed packet output
.B \-X
Telnet options are printed in hex as well.
.TP
-.B \-w
+.BI \-V " file"
+Read a list of filenames from \fIfile\fR. Standard input is used
+if \fIfile\fR is ``-''.
+.TP
+.BI \-w " file"
Write the raw packets to \fIfile\fR rather than parsing and printing
them out.
They can later be printed with the \-r option.
.I including
its link level header, in hex and ASCII.
.TP
-.B \-y
+.BI \-y " datalinktype"
+.PD 0
+.TP
+.BI \-\-linktype= datalinktype
+.PD
Set the data link type to use while capturing packets to \fIdatalinktype\fP.
.TP
-.B \-z
+.BI \-z " postrotate-command"
Used in conjunction with the
.B -C
or
options, this will make
.I tcpdump
run "
-.I command file
+.I postrotate-command file
" where
.I file
is the savefile being closed after each rotation. For example, specifying
savefile name as the only argument, make the flags & arguments arrangements
and execute the command that you want.
.TP
-.B \-Z
+.BI \-Z " user"
+.PD 0
+.TP
+.BI \-\-relinquish\-privileges= user
+.PD
If
.I tcpdump
is running as root, after opening the capture device or input savefile,
For the \fIexpression\fP syntax, see
.BR pcap-filter (@MAN_MISC_INFO@).
.LP
-Expression arguments can be passed to \fItcpdump\fP as either a single
-argument or as multiple arguments, whichever is more convenient.
-Generally, if the expression contains Shell metacharacters, it is
-easier to pass it as a single, quoted argument.
+The \fIexpression\fP argument can be passed to \fItcpdump\fP as either a single
+Shell argument, or as multiple Shell arguments, whichever is more convenient.
+Generally, if the expression contains Shell metacharacters, such as
+backslashes used to escape protocol names, it is easier to pass it as
+a single, quoted argument rather than to escape the Shell
+metacharacters.
Multiple arguments are concatenated with spaces before being parsed.
.SH EXAMPLES
.LP
.RS
.nf
.sp .5
-\fIsrc.xid > dst.nfs: len op args\fP
-\fIsrc.nfs > dst.xid: reply stat len op results\fP
+\fIsrc.sport > dst.nfs: NFS request xid xid len op args\fP
+\fIsrc.nfs > dst.dport: NFS reply xid xid reply stat len op results\fP
.sp .5
\f(CW
-sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
-wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
-sushi.201b > wrl.nfs:
+sushi.1023 > wrl.nfs: NFS request xid 26377
+ 112 readlink fh 21,24/10.73165
+wrl.nfs > sushi.1023: NFS reply xid 26377
+ reply ok 40 readlink "../var"
+sushi.1022 > wrl.nfs: NFS request xid 8219
144 lookup fh 9,74/4096.6878 "xcolors"
-wrl.nfs > sushi.201b:
+wrl.nfs > sushi.1022: NFS reply xid 8219
reply ok 128 lookup fh 9,74/4134.3150
\fR
.sp .5
.fi
.RE
-In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP
-to \fIwrl\fP (note that the number following the src host is a
-transaction id, \fInot\fP the source port).
+In the first line, host \fIsushi\fP sends a transaction with id \fI26377\fP
+to \fIwrl\fP.
The request was 112 bytes,
excluding the UDP and IP headers.
The operation was a \fIreadlink\fP
(read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
(If one is lucky, as in this case, the file handle can be interpreted
as a major,minor device number pair, followed by the inode number and
-generation number.)
-\fIWrl\fP replies `ok' with the contents of the link.
+generation number.) In the second line, \fIwrl\fP replies `ok' with
+the same transaction id and the contents of the link.
+.LP
+In the third line, \fIsushi\fP asks (using a new transaction id) \fIwrl\fP
+to lookup the name `\fIxcolors\fP' in directory file 9,74/4096.6878. In
+the fourth line, \fIwrl\fP sends a reply with the respective transaction id.
.LP
-In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name
-`\fIxcolors\fP' in directory file 9,74/4096.6878.
Note that the data printed
depends on the operation type.
The format is intended to be self
explanatory if read in conjunction with
an NFS protocol spec.
+Also note that older versions of tcpdump printed NFS packets in a
+slightly different format: the transaction id (xid) would be printed
+instead of the non-NFS port number of the packet.
.LP
If the \-v (verbose) flag is given, additional information is printed.
For example:
.nf
.sp .5
\f(CW
-sushi.1372a > wrl.nfs:
+sushi.1023 > wrl.nfs: NFS request xid 79658
148 read fh 21,11/12.195 8192 bytes @ 24576
-wrl.nfs > sushi.1372a:
+wrl.nfs > sushi.1023: NFS reply xid 79658
reply ok 1472 read REG 100664 ids 417/0 sz 29388
\fP
.sp .5
AFS and RX.
.LP
If the -v (verbose) flag is given twice, acknowledgement packets and
-additional header information is printed, such as the the RX call ID,
+additional header information is printed, such as the RX call ID,
call number, sequence number, serial number, and the RX packet flags.
.LP
If the -v flag is given twice, additional information is printed,
-such as the the RX call ID, serial number, and the RX packet flags.
+such as the RX call ID, serial number, and the RX packet flags.
The MTU negotiation information is also printed from RX ack packets.
.LP
If the -v flag is given three times, the security index and service id
serviced the `new packet' interrupt.
.SH "SEE ALSO"
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
-pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@)
+pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
.LP
.RS
.I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
The original distribution is available via anonymous ftp:
.LP
.RS
-.I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
+.I ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z
.RE
.LP
IPv6/IPsec support is added by WIDE/KAME project.
projects / tcpdump / blobdiff