-.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.157 2004-01-15 19:55:56 guy Exp $ (LBL)
+.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.163 2004-06-12 08:51:23 guy Exp $ (LBL)
.\"
.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "23 November 2003"
+.TH TCPDUMP 1 "22 March 2004"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.I module
]
[
-.B \-r
-.I file
+.B \-M
+.I secret
]
.br
.ti +8
[
+.B \-r
+.I file
+]
+[
.B \-s
.I snaplen
]
.br
.ti +8
[
+.B \-W
+.I filecount
+]
+.br
+.ti +8
+[
.B \-E
.I spi@ipaddr algo:secret,...
]
.B \-y
.I datalinktype
]
+[
+.B \-Z
+.I user
+]
.ti +8
[
.I expression
savefile and open a new one. Savefiles after the first savefile will
have the name specified with the
.B \-w
-flag, with a number after it, starting at 2 and continuing upward.
+flag, with a number after it, starting at 1 and continuing upward.
The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
not 1,048,576 bytes).
.TP
This option
can be used several times to load several MIB modules into \fItcpdump\fP.
.TP
+.B \-M
+Use \fIsecret\fP as a shared secret for validating the digests found in
+TCP segments with the TCP-MD5 option (RFC 2385), if present.
+.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
They can later be printed with the \-r option.
Standard output is used if \fIfile\fR is ``-''.
.TP
+.B \-W
+Used in conjunction with the
+.I \-C
+option, this will limit the number
+of files created to the specified number, and begin overwriting files
+from the beginning, thus creating a 'rotating' buffer.
+In addition, it will name
+the files with enough leading 0s to support the maximum number of
+files, allowing them to sort correctly.
+.TP
.B \-x
Print each packet (minus its link level header) in hex.
The smaller of the entire packet or
.TP
.B \-y
Set the data link type to use while capturing packets to \fIdatalinktype\fP.
+.TP
+.B \-Z
+Drops privileges (if root) and changes user ID to
+.I user
+and the group ID to the primary group of
+.IR user .
+.IP
+This behavior can also be enabled by default at compile time.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
for most of those protocols. The exceptions are:
.RS
.TP
-\fBiso\fP, \fBsap\fP, and \fBnetbeui\fP
+\fBiso\fP, \fBstp\fP, and \fBnetbeui\fP
\fItcpdump\fR checks for an 802.3 frame and then checks the LLC header as
it does for FDDI, Token Ring, and 802.11;
.TP
.B memory
(applies only to packets logged by OpenBSD's
.BR pf (4)).
+.IP "\fBrset \fIname\fR"
+True if the packet was logged as matching the specified PF ruleset
+name of an anchored ruleset (applies only to packets logged by
+.BR pf (4)).
+.IP "\fBruleset \fIname\fR"
+Synonomous with the
+.B rset
+modifier.
+.IP "\fBsrnr \fInum\fR"
+True if the packet was logged as matching the specified PF rule number
+of an anchored ruleset (applies only to packets logged by
+.BR pf (4)).
+.IP "\fBsubrulenum \fInum\fR"
+Synonomous with the
+.B srnr
+modifier.
.IP "\fBaction \fIact\fR"
True if PF took the specified action when the packet was logged. Known actions
are:
and
.B block
(applies only to packets logged by OpenBSD's
-.BR pf(4)).
+.BR pf (4)).
.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP"
Abbreviations for:
.in +.5i
projects / tcpdump / blobdiff