-.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
-.\"
.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "05 March 2009"
+.TH TCPDUMP 1 "11 July 2014"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
-.B \-AbdDefhHIJKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqRStuUvxX#
] [
.B \-B
.I buffer_size
-] [
+]
+.br
+.ti +8
+[
.B \-c
.I count
]
.br
.ti +8
[
+.B \-\-number
+]
+[
+.B \-Q
+.I in|out|inout
+]
+.ti +8
+[
.B \-r
.I file
]
[
+.B \-V
+.I file
+]
+[
.B \-s
.I snaplen
]
]
.ti +8
[
+.BI \-\-time\-stamp\-precision= tstamp_precision
+]
+[
+.B \-\-version
+]
+.ti +8
+[
.I expression
]
.br
analysis, and/or with the
.B \-r
flag, which causes it to read from a saved packet file rather than to
-read packets from a network interface. In all cases, only packets that
-match
+read packets from a network interface. It can also be run with the
+.B \-V
+flag, which causes it to read a list of saved packet files. In all cases,
+only packets that match
.I expression
will be processed by
.IR tcpdump .
Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN
notation.
.TP
-.B \-B
-Set the operating system capture buffer size to \fIbuffer_size\fP.
+.BI \-B " buffer_size"
+.PD 0
.TP
-.B \-c
+.BI \-\-buffer\-size= buffer_size
+.PD
+Set the operating system capture buffer size to \fIbuffer_size\fP, in
+units of KiB (1024 bytes).
+.TP
+.BI \-c " count"
Exit after receiving \fIcount\fP packets.
.TP
-.B \-C
+.BI \-C " file_size"
Before writing a raw packet to a savefile, check whether the file is
currently larger than \fIfile_size\fP and, if so, close the current
savefile and open a new one. Savefiles after the first savefile will
Dump packet-matching code as decimal numbers (preceded with a count).
.TP
.B \-D
+.PD 0
+.TP
+.B \-\-list\-interfaces
+.PD
Print the list of the network interfaces available on the system and on
which
.I tcpdump
function.
.TP
.B \-e
-Print the link-level header on each dump line.
+Print the link-level header on each dump line. This can be used, for
+example, to print MAC layer addresses for protocols such as Ethernet and
+IEEE 802.11.
.TP
.B \-E
Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
The ability to decrypt packets is only present if \fItcpdump\fP was compiled
with cryptography enabled.
.IP
-\fIsecret\fP is the ASCII text for ESP secret key.
+\fIsecret\fP is the ASCII text for ESP secret key.
If preceded by 0x, then a hex value will be read.
.IP
The option assumes RFC2406 ESP, not RFC1827 ESP.
and other occasions.
.IP
In addition to the above syntax, the syntax \fIfile name\fP may be used
-to have tcpdump read the provided file in. The file is opened upon
+to have tcpdump read the provided file in. The file is opened upon
receiving the first ESP packet, so any special permissions that tcpdump
may have been given should already have been given up.
.TP
can capture on more than one interface, this option will not work
correctly.
.TP
-.B \-F
+.BI \-F " file"
Use \fIfile\fP as input for the filter expression.
An additional expression given on the command line is ignored.
.TP
-.B \-G
+.BI \-G " rotate_seconds"
If specified, rotates the dump file specified with the
.B \-w
option every \fIrotate_seconds\fP seconds.
option, filenames will take the form of `\fIfile\fP<count>'.
.TP
.B \-h
+.PD 0
+.TP
+.B \-\-help
+.PD
Print the tcpdump and libpcap version strings, print a usage message,
and exit.
.TP
+.B \-\-version
+.PD
+Print the tcpdump and libpcap version strings and exit.
+.TP
.B \-H
Attempt to detect 802.11s draft mesh headers.
.TP
-.B \-i
+.BI \-i " interface"
+.PD 0
+.TP
+.BI \-\-interface= interface
+.PD
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
-lowest numbered, configured up interface (excluding loopback).
-Ties are broken by choosing the earliest match.
+lowest numbered, configured up interface (excluding loopback), which may turn
+out to be, for example, ``eth0''.
.IP
On Linux systems with 2.2 or later kernels, an
.I interface
argument.
.TP
.B \-I
+.PD 0
+.TP
+.B \-\-monitor\-mode
+.PD
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
.IP
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
-.B \-j
+.BI \-j " tstamp_type"
+.PD 0
+.TP
+.BI \-\-time\-stamp\-type= tstamp_type
+.PD
Set the time stamp type for the capture to \fItstamp_type\fP. The names
to use for the time stamp types are given in
-.BR pcap-tstamp-type (@MAN_MISC_INFO@);
+.BR pcap-tstamp (@MAN_MISC_INFO@);
not all the types listed there will necessarily be valid for any given
interface.
.TP
.B \-J
+.PD 0
+.TP
+.B \-\-list\-time\-stamp\-types
+.PD
List the supported time stamp types for the interface and exit. If the
time stamp type cannot be set for the interface, no time stamp types are
listed.
.TP
+.BI \-\-time\-stamp\-precision= tstamp_precision
+When capturing, set the time stamp precision for the capture to
+\fItstamp_precision\fP. Note that availability of high precision time
+stamps (nanoseconds) and their actual accuracy is platform and hardware
+dependent. Also note that when writing captures made with nanosecond
+accuracy to a savefile, the time stamps are written with nanosecond
+resolution, and the file is written with a different magic number, to
+indicate that the time stamps are in seconds and nanoseconds; not all
+programs that read pcap savefiles will be able to read those captures.
+.LP
+When reading a savefile, convert time stamps to the precision specified
+by \fItimestamp_precision\fP, and display them with that resolution. If
+the precision specified is less than the precision of time stamps in the
+file, the conversion will lose precision.
+.LP
+The supported values for \fItimestamp_precision\fP are \fBmicro\fP for
+microsecond resolution and \fBnano\fP for nanosecond resolution. The
+default is microsecond resolution.
+.TP
.B \-K
+.PD 0
+.TP
+.B \-\-dont\-verify\-checksums
+.PD
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
interfaces that perform some or all of those checksum calculation in
hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
including Windows.
.TP
.B \-L
+.PD 0
+.TP
+.B \-\-list\-data\-link\-types
+.PD
List the known data link types for the interface, in the specified mode,
and exit. The list of known data link types may be dependent on the
specified mode; for example, on some platforms, a Wi-Fi interface might
might support 802.11 headers, or 802.11 headers with radio information,
only in monitor mode).
.TP
-.B \-m
+.BI \-m " module"
Load SMI MIB module definitions from file \fImodule\fR.
This option
can be used several times to load several MIB modules into \fItcpdump\fP.
.TP
-.B \-M
+.BI \-M " secret"
Use \fIsecret\fP as a shared secret for validating the digests found in
TCP segments with the TCP-MD5 option (RFC 2385), if present.
.TP
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
+.B \-#
+.PD 0
+.TP
+.B \-\-number
+.PD
+Print an optional packet number at the beginning of the line.
+.TP
.B \-O
+.PD 0
+.TP
+.B \-\-no\-optimize
+.PD
Do not run the packet-matching code optimizer.
This is useful only
if you suspect a bug in the optimizer.
.TP
.B \-p
+.PD 0
+.TP
+.B \-\-no\-promiscuous\-mode
+.PD
\fIDon't\fP put the interface
into promiscuous mode.
Note that the interface might be in promiscuous
mode for some other reason; hence, `-p' cannot be used as an abbreviation for
`ether host {local-hw-addr} or ether broadcast'.
.TP
+.BI \-Q " direction"
+.PD 0
+.TP
+.BI \-\-direction= direction
+.PD
+Choose send/receive direction \fIdirection\fR for which packets should be
+captured. Possible values are `in', `out' and `inout'. Not available
+on all platforms.
+.TP
.B \-q
Quick (quiet?) output.
Print less protocol information so output
Since there is no protocol version field in ESP/AH specification,
\fItcpdump\fP cannot deduce the version of ESP/AH protocol.
.TP
-.B \-r
+.BI \-r " file"
Read packets from \fIfile\fR (which was created with the
.B \-w
-option).
+option or by other tools that write pcap or pcap-ng files).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-S
+.PD 0
+.TP
+.B \-\-absolute\-tcp\-sequence\-numbers
+.PD
Print absolute, rather than relative, TCP sequence numbers.
.TP
-.B \-s
+.BI \-s " snaplen"
+.PD 0
+.TP
+.BI \-\-snapshot\-length= snaplen
+.PD
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
default of 65535 bytes.
Packets truncated because of a limited snapshot
for backwards compatibility with recent older versions of
.IR tcpdump .
.TP
-.B \-T
+.BI \-T " type"
Force packets selected by "\fIexpression\fP" to be interpreted the
specified \fItype\fR.
Currently known types are
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
+\fBcarp\fR (Common Address Redundancy Protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
+\fBlmp\fR (Link Management Protocol),
+\fBpgm\fR (Pragmatic General Multicast),
+\fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM),
+\fBradius\fR (RADIUS),
\fBrpc\fR (Remote Procedure Call),
\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
\fBsnmp\fR (Simple Network Management Protocol),
\fBtftp\fR (Trivial File Transfer Protocol),
\fBvat\fR (Visual Audio Tool),
+\fBwb\fR (distributed White Board),
+\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0)
and
-\fBwb\fR (distributed White Board).
+\fBvxlan\fR (Virtual eXtensible Local Area Network).
+.IP
+Note that the \fBpgm\fR type above affects UDP interpretation only, the native
+PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
+often called "EPGM" or "PGM/UDP".
+.IP
+Note that the \fBpgm_zmtp1\fR type above affects interpretation of both native
+PGM and UDP at once. During the native PGM decoding the application data of an
+ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames.
+During the UDP decoding in addition to that any UDP packet would be treated as
+an encapsulated PGM packet.
.TP
.B \-t
\fIDon't\fP print a timestamp on each dump line.
Print undecoded NFS handles.
.TP
.B \-U
+.PD 0
+.TP
+.B \-\-packet\-buffered
+.PD
If the
.B \-w
option is not specified, make the printed packet output
.B \-X
Telnet options are printed in hex as well.
.TP
-.B \-w
+.BI \-V " file"
+Read a list of filenames from \fIfile\fR. Standard input is used
+if \fIfile\fR is ``-''.
+.TP
+.BI \-w " file"
Write the raw packets to \fIfile\fR rather than parsing and printing
them out.
They can later be printed with the \-r option.
.B \-U
flag to cause packets to be written as soon as they are received.
.IP
+The MIME type \fIapplication/vnd.tcpdump.pcap\fP has been registered
+with IANA for \fIpcap\fP files. The filename extension \fI.pcap\fP
+appears to be the most commonly used along with \fI.cap\fP and
+\fI.dmp\fP. \fITcpdump\fP itself doesn't check the extension when
+reading capture files and doesn't add an extension when writing them
+(it uses magic numbers in the file header instead). However, many
+operating systems and applications will use the extension if it is
+present and adding one (e.g. .pcap) is recommended.
+.IP
See
.BR pcap-savefile (@MAN_FILE_FORMATS@)
for a description of the file format.
.TP
.B \-W
-Used in conjunction with the
-.B \-C
+Used in conjunction with the
+.B \-C
option, this will limit the number
of files created to the specified number, and begin overwriting files
-from the beginning, thus creating a 'rotating' buffer.
+from the beginning, thus creating a 'rotating' buffer.
In addition, it will name
the files with enough leading 0s to support the maximum number of
files, allowing them to sort correctly.
.IP
-Used in conjunction with the
+Used in conjunction with the
.B \-G
option, this will limit the number of rotated dump files that get
created, exiting with status 0 when reaching the limit. If used with
.B \-x
When parsing and printing,
in addition to printing the headers of each packet, print the data of
-each packet (minus its link level header) in hex.
+each packet (minus its link level header) in hex.
The smaller of the entire packet or
.I snaplen
bytes will be printed. Note that this is the entire link-layer
.I including
its link level header, in hex and ASCII.
.TP
-.B \-y
+.BI \-y " datalinktype"
+.PD 0
+.TP
+.BI \-\-linktype= datalinktype
+.PD
Set the data link type to use while capturing packets to \fIdatalinktype\fP.
.TP
-.B \-z
+.BI \-z " postrotate-command"
Used in conjunction with the
.B -C
or
options, this will make
.I tcpdump
run "
-.I command file
+.I postrotate-command file
" where
.I file
is the savefile being closed after each rotation. For example, specifying
savefile name as the only argument, make the flags & arguments arrangements
and execute the command that you want.
.TP
-.B \-Z
+.BI \-Z " user"
+.PD 0
+.TP
+.BI \-\-relinquish\-privileges= user
+.PD
If
.I tcpdump
is running as root, after opening the capture device or input savefile,
For the \fIexpression\fP syntax, see
.BR pcap-filter (@MAN_MISC_INFO@).
.LP
-Expression arguments can be passed to \fItcpdump\fP as either a single
-argument or as multiple arguments, whichever is more convenient.
-Generally, if the expression contains Shell metacharacters, it is
-easier to pass it as a single, quoted argument.
+The \fIexpression\fP argument can be passed to \fItcpdump\fP as either a single
+Shell argument, or as multiple Shell arguments, whichever is more convenient.
+Generally, if the expression contains Shell metacharacters, such as
+backslashes used to escape protocol names, it is easier to pass it as
+a single, quoted argument rather than to escape the Shell
+metacharacters.
Multiple arguments are concatenated with spaces before being parsed.
.SH EXAMPLES
.LP
.PP
This can be demonstrated as:
.RS
-.B
+.B
tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
.RE
.PP
.RS
.nf
.sp .5
-\fIsrc.xid > dst.nfs: len op args\fP
-\fIsrc.nfs > dst.xid: reply stat len op results\fP
+\fIsrc.sport > dst.nfs: NFS request xid xid len op args\fP
+\fIsrc.nfs > dst.dport: NFS reply xid xid reply stat len op results\fP
.sp .5
\f(CW
-sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
-wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
-sushi.201b > wrl.nfs:
+sushi.1023 > wrl.nfs: NFS request xid 26377
+ 112 readlink fh 21,24/10.73165
+wrl.nfs > sushi.1023: NFS reply xid 26377
+ reply ok 40 readlink "../var"
+sushi.1022 > wrl.nfs: NFS request xid 8219
144 lookup fh 9,74/4096.6878 "xcolors"
-wrl.nfs > sushi.201b:
+wrl.nfs > sushi.1022: NFS reply xid 8219
reply ok 128 lookup fh 9,74/4134.3150
\fR
.sp .5
.fi
.RE
-In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP
-to \fIwrl\fP (note that the number following the src host is a
-transaction id, \fInot\fP the source port).
+In the first line, host \fIsushi\fP sends a transaction with id \fI26377\fP
+to \fIwrl\fP.
The request was 112 bytes,
excluding the UDP and IP headers.
The operation was a \fIreadlink\fP
(read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
(If one is lucky, as in this case, the file handle can be interpreted
as a major,minor device number pair, followed by the inode number and
-generation number.)
-\fIWrl\fP replies `ok' with the contents of the link.
+generation number.) In the second line, \fIwrl\fP replies `ok' with
+the same transaction id and the contents of the link.
+.LP
+In the third line, \fIsushi\fP asks (using a new transaction id) \fIwrl\fP
+to lookup the name `\fIxcolors\fP' in directory file 9,74/4096.6878. In
+the fourth line, \fIwrl\fP sends a reply with the respective transaction id.
.LP
-In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name
-`\fIxcolors\fP' in directory file 9,74/4096.6878.
Note that the data printed
depends on the operation type.
The format is intended to be self
explanatory if read in conjunction with
an NFS protocol spec.
+Also note that older versions of tcpdump printed NFS packets in a
+slightly different format: the transaction id (xid) would be printed
+instead of the non-NFS port number of the packet.
.LP
If the \-v (verbose) flag is given, additional information is printed.
For example:
.nf
.sp .5
\f(CW
-sushi.1372a > wrl.nfs:
+sushi.1023 > wrl.nfs: NFS request xid 79658
148 read fh 21,11/12.195 8192 bytes @ 24576
-wrl.nfs > sushi.1372a:
+wrl.nfs > sushi.1023: NFS reply xid 79658
reply ok 1472 read REG 100664 ids 417/0 sz 29388
\fP
.sp .5
AFS and RX.
.LP
If the -v (verbose) flag is given twice, acknowledgement packets and
-additional header information is printed, such as the the RX call ID,
+additional header information is printed, such as the RX call ID,
call number, sequence number, serial number, and the RX packet flags.
.LP
If the -v flag is given twice, additional information is printed,
-such as the the RX call ID, serial number, and the RX packet flags.
+such as the RX call ID, serial number, and the RX packet flags.
The MTU negotiation information is also printed from RX ack packets.
.LP
If the -v flag is given three times, the security index and service id
serviced the `new packet' interrupt.
.SH "SEE ALSO"
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
-pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@)
+pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
+.LP
+.RS
+.I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
+.RE
+.LP
.SH AUTHORS
The original authors are:
.LP
The original distribution is available via anonymous ftp:
.LP
.RS
-.I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
+.I ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z
.RE
.LP
IPv6/IPsec support is added by WIDE/KAME project.
projects / tcpdump / blobdiff