.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "26 February 2014"
+.TH TCPDUMP 1 "29 November 2021"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
-.B \-AbdDefhHIJKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqStuUvxX#
] [
.B \-B
.I buffer_size
-] [
-.B \-c
-.I count
]
.br
.ti +8
[
+.B \-c
+.I count
+]
+[
+.B \-\-count
+]
+[
.B \-C
.I file_size
-] [
-.B \-G
-.I rotate_seconds
-] [
+]
+.ti +8
+[
+.B \-E
+.I spi@ipaddr algo:secret,...
+]
+.ti +8
+[
.B \-F
.I file
]
-.br
-.ti +8
+[
+.B \-G
+.I rotate_seconds
+]
[
.B \-i
.I interface
]
+.ti +8
+[
+.B \-\-immediate\-mode
+]
[
.B \-j
.I tstamp_type
.B \-m
.I module
]
+.ti +8
[
.B \-M
.I secret
]
-.br
-.ti +8
+[
+.B \-\-number
+]
+[
+.B \-\-print
+]
[
.B \-Q
.I in|out|inout
.I file
]
[
-.B \-V
-.I file
-]
-[
.B \-s
.I snaplen
]
.I type
]
[
+.B \-\-version
+]
+.ti +8
+[
+.B \-V
+.I file
+]
+[
.B \-w
.I file
]
-.br
-.ti +8
[
.B \-W
.I filecount
]
-.br
-.ti +8
-[
-.B \-E
-.I spi@ipaddr algo:secret,...
-]
-.br
-.ti +8
[
.B \-y
.I datalinktype
]
+.ti +8
[
.B \-z
.I postrotate-command
]
.ti +8
[
+.BI \-\-time\-stamp\-precision= tstamp_precision
+]
+.ti +8
+[
+.BI \-\-micro
+]
+[
+.BI \-\-nano
+]
+.ti +8
+[
.I expression
]
.br
.SH DESCRIPTION
.LP
\fITcpdump\fP prints out a description of the contents of packets on a
-network interface that match the boolean \fIexpression\fP. It can also
+network interface that match the Boolean \fIexpression\fP; the
+description is preceded by a time stamp, printed, by default, as hours,
+minutes, seconds, and fractions of a second since midnight. It can also
be run with the
.B \-w
flag, which causes it to save the packet data to a file for later
it will be reported as 0).
.LP
On platforms that support the SIGINFO signal, such as most BSDs
-(including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
+(including macOS) and Digital/Tru64 UNIX, it will report those counts
when it receives a SIGINFO signal (generated, for example, by typing
your ``status'' character, typically control-T, although on some
-platforms, such as Mac OS X, the ``status'' character is not set by
+platforms, such as macOS, the ``status'' character is not set by
default, so you must set it with
.BR stty (1)
-in order to use it) and will continue capturing packets.
+in order to use it) and will continue capturing packets. On platforms that
+do not support the SIGINFO signal, the same can be achieved by using the
+SIGUSR1 signal.
+.LP
+Using the SIGUSR2 signal along with the
+.B \-w
+flag will forcibly flush the packet buffer into the output file.
.LP
Reading packets from a network interface may require that you have
special privileges; see the
-.B pcap (3PCAP)
+.BR pcap (3PCAP)
man page for details. Reading a saved packet file doesn't require
special privileges.
.SH OPTIONS
.BI \-c " count"
Exit after receiving \fIcount\fP packets.
.TP
+.BI \-\-count
+Print only on stdout the packet count when reading capture file(s) instead
+of parsing/printing the packets. If a filter is specified on the command
+line, \fItcpdump\fP counts only packets that were matched by the filter
+expression.
+.TP
.BI \-C " file_size"
Before writing a raw packet to a savefile, check whether the file is
currently larger than \fIfile_size\fP and, if so, close the current
have the name specified with the
.B \-w
flag, with a number after it, starting at 1 and continuing upward.
-The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
+The default unit of \fIfile_size\fP is millions of bytes (1,000,000 bytes,
not 1,048,576 bytes).
+.IP
+By adding a suffix of k/K, m/M or g/G to the value, the unit
+can be changed to 1,024 (KiB), 1,048,576 (MiB), or 1,073,741,824 (GiB)
+respectively.
.TP
.B \-d
Dump the compiled packet-matching code in a human readable form to
standard output and stop.
+.IP
+Please mind that although code compilation is always DLT-specific,
+typically it is impossible (and unnecessary) to specify which DLT to use
+for the dump because \fItcpdump\fP uses either the DLT of the input pcap
+file specified with
+.BR -r ,
+or the default DLT of the network interface specified with
+.BR -i ,
+or the particular DLT of the network interface specified with
+.B -y
+and
+.B -i
+respectively. In these cases the dump shows the same exact code that
+would filter the input file or the network interface without
+.BR -d .
+.IP
+However, when neither
+.B -r
+nor
+.B -i
+is specified, specifying
+.B -d
+prevents \fItcpdump\fP from guessing a suitable network interface (see
+.BR -i ).
+In this case the DLT defaults to EN10MB and can be set to another valid
+value manually with
+.BR -y .
.TP
.B \-dd
Dump packet-matching code as a
.I tcpdump
can capture packets. For each network interface, a number and an
interface name, possibly followed by a text description of the
-interface, is printed. The interface name or the number can be supplied
+interface, are printed. The interface name or the number can be supplied
to the
.B \-i
flag to specify an interface on which to capture.
was built with an older version of
.I libpcap
that lacks the
-.B pcap_findalldevs()
+.BR pcap_findalldevs (3PCAP)
function.
.TP
.B \-e
\fIsecret\fP is the ASCII text for ESP secret key.
If preceded by 0x, then a hex value will be read.
.IP
-The option assumes RFC2406 ESP, not RFC1827 ESP.
+The option assumes RFC 2406 ESP, not RFC 1827 ESP.
The option is only for debugging purposes, and
the use of this option with a true `secret' key is discouraged.
By presenting IPsec secret key onto command line
which should include a time format as defined by
.BR strftime (3).
If no time format is specified, each new file will overwrite the previous.
+Whenever a generated filename is not unique, tcpdump will overwrite the
+pre-existing data; providing a time specification that is coarser than the
+capture period is therefore not advised.
.IP
If used in conjunction with the
.B \-C
Print the tcpdump and libpcap version strings, print a usage message,
and exit.
.TP
+.B \-\-version
+.PD
+Print the tcpdump and libpcap version strings and exit.
+.TP
.B \-H
Attempt to detect 802.11s draft mesh headers.
.TP
.TP
.BI \-\-interface= interface
.PD
-Listen on \fIinterface\fP.
-If unspecified, \fItcpdump\fP searches the system interface list for the
-lowest numbered, configured up interface (excluding loopback), which may turn
-out to be, for example, ``eth0''.
+Listen, report the list of link-layer types, report the list of time
+stamp types, or report the results of compiling a filter expression on
+\fIinterface\fP. If unspecified and if the
+.B -d
+flag is not given, \fItcpdump\fP searches the system
+interface list for the lowest numbered, configured up interface
+(excluding loopback), which may turn out to be, for example, ``eth0''.
.IP
On Linux systems with 2.2 or later kernels, an
.I interface
flag is supported, an interface number as printed by that flag can be
used as the
.I interface
-argument.
+argument, if no interface on the system has that number as a name.
.TP
.B \-I
.PD 0
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
+.BI \-\-immediate\-mode
+Capture in "immediate mode". In this mode, packets are delivered to
+tcpdump as soon as they arrive, rather than being buffered for
+efficiency. This is the default when printing packets rather than
+saving packets to a ``savefile'' if the packets are being printed to a
+terminal rather than to a file or pipe.
+.TP
.BI \-j " tstamp_type"
.PD 0
.TP
.PD
Set the time stamp type for the capture to \fItstamp_type\fP. The names
to use for the time stamp types are given in
-.BR pcap-tstamp (@MAN_MISC_INFO@);
+.BR \%pcap-tstamp (@MAN_MISC_INFO@);
not all the types listed there will necessarily be valid for any given
interface.
.TP
time stamp type cannot be set for the interface, no time stamp types are
listed.
.TP
+.BI \-\-time\-stamp\-precision= tstamp_precision
+When capturing, set the time stamp precision for the capture to
+\fItstamp_precision\fP. Note that availability of high precision time
+stamps (nanoseconds) and their actual accuracy is platform and hardware
+dependent. Also note that when writing captures made with nanosecond
+accuracy to a savefile, the time stamps are written with nanosecond
+resolution, and the file is written with a different magic number, to
+indicate that the time stamps are in seconds and nanoseconds; not all
+programs that read pcap savefiles will be able to read those captures.
+.IP
+When reading a savefile, convert time stamps to the precision specified
+by \fItimestamp_precision\fP, and display them with that resolution. If
+the precision specified is less than the precision of time stamps in the
+file, the conversion will lose precision.
+.IP
+The supported values for \fItimestamp_precision\fP are \fBmicro\fP for
+microsecond resolution and \fBnano\fP for nanosecond resolution. The
+default is microsecond resolution.
+.TP
+.B \-\-micro
+.PD 0
+.TP
+.B \-\-nano
+.PD
+Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
+\fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
+precision accordingly. When reading packets from a savefile, using
+\fB\-\-micro\fP truncates time stamps if the savefile was created with
+nanosecond precision. In contrast, a savefile created with microsecond
+precision will have trailing zeroes added to the time stamp when
+\fB\-\-nano\fP is used.
+.TP
.B \-K
.PD 0
.TP
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
+.B \-#
+.PD 0
+.TP
+.B \-\-number
+.PD
+Print an optional packet number at the beginning of the line.
+.TP
.B \-O
.PD 0
.TP
mode for some other reason; hence, `-p' cannot be used as an abbreviation for
`ether host {local-hw-addr} or ether broadcast'.
.TP
+.BI \-\-print
+Print parsed packet output, even if the raw packets are being saved to a
+file with the
+.B \-w
+flag.
+.TP
.BI \-Q " direction"
.PD 0
.TP
Print less protocol information so output
lines are shorter.
.TP
-.B \-R
-Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
-If specified, \fItcpdump\fP will not print replay prevention field.
-Since there is no protocol version field in ESP/AH specification,
-\fItcpdump\fP cannot deduce the version of ESP/AH protocol.
-.TP
.BI \-r " file"
Read packets from \fIfile\fR (which was created with the
.B \-w
-option or by other tools that write pcap or pcap-ng files).
+option or by other tools that write pcap or pcapng files).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-S
.BI \-\-snapshot\-length= snaplen
.PD
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
-default of 65535 bytes.
+default of 262144 bytes.
Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
+.IP
Note that taking larger snapshots both increases
the amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering.
This may cause packets to be
lost.
-You should limit \fIsnaplen\fP to the smallest number that will
-capture the protocol information you're interested in.
-Setting
-\fIsnaplen\fP to 0 sets it to the default of 65535,
+Note also that taking smaller snapshots will discard data from protocols
+above the transport layer, which loses information that may be
+important. NFS and AFS requests and replies, for example, are very
+large, and much of the detail won't be available if a too-short snapshot
+length is selected.
+.IP
+If you need to reduce the snapshot size below the default, you should
+limit \fIsnaplen\fP to the smallest number that will capture the
+protocol information you're interested in. Setting
+\fIsnaplen\fP to 0 sets it to the default of 262144,
for backwards compatibility with recent older versions of
.IR tcpdump .
.TP
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
\fBcarp\fR (Common Address Redundancy Protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
+\fBdomain\fR (Domain Name System),
\fBlmp\fR (Link Management Protocol),
\fBpgm\fR (Pragmatic General Multicast),
\fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM),
+\fBptp\fR (Precision Time Protocol),
+\fBquic\fR (QUIC),
\fBradius\fR (RADIUS),
+\fBresp\fR (REdis Serialization Protocol),
\fBrpc\fR (Remote Procedure Call),
-\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
+\fBrtp\fR (Real-Time Applications protocol),
\fBsnmp\fR (Simple Network Management Protocol),
+\fBsomeip\fR (SOME/IP),
\fBtftp\fR (Trivial File Transfer Protocol),
\fBvat\fR (Visual Audio Tool),
-\fBwb\fR (distributed White Board),
-\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0)
+\fBvxlan\fR (Virtual eXtensible Local Area Network),
+\fBwb\fR (distributed White Board)
and
-\fBvxlan\fR (Virtual eXtensible Local Area Network).
+\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0).
.IP
Note that the \fBpgm\fR type above affects UDP interpretation only, the native
PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
\fIDon't\fP print a timestamp on each dump line.
.TP
.B \-tt
-Print an unformatted timestamp on each dump line.
+Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and
+fractions of a second since that time, on each dump line.
.TP
.B \-ttt
-Print a delta (micro-second resolution) between current and previous line
-on each dump line.
+Print a delta (microsecond or nanosecond resolution depending on the
+.B \-\-time\-stamp-precision
+option) between current and previous line on each dump line.
+The default is microsecond resolution.
.TP
.B \-tttt
-Print a timestamp in default format proceeded by date on each dump line.
+Print a timestamp, as hours, minutes, seconds, and fractions of a second
+since midnight, preceded by the date, on each dump line.
.TP
.B \-ttttt
-Print a delta (micro-second resolution) between current and first line
-on each dump line.
+Print a delta (microsecond or nanosecond resolution depending on the
+.B \-\-time\-stamp-precision
+option) between current and first line on each dump line.
+The default is microsecond resolution.
.TP
.B \-u
Print undecoded NFS handles.
.PD
If the
.B \-w
-option is not specified, make the printed packet output
+option is not specified, or if it is specified but the
+.B \-\-print
+flag is also specified, make the printed packet output
``packet-buffered''; i.e., as the description of the contents of each
packet is printed, it will be written to the standard output, rather
than, when not writing to a terminal, being written only when the output
was built with an older version of
.I libpcap
that lacks the
-.B pcap_dump_flush()
+.BR pcap_dump_flush (3PCAP)
function.
.TP
.B \-v
.IP
When writing to a file with the
.B \-w
-option, report, every 10 seconds, the number of packets captured.
+option and at the same time not reading from a file with the
+.B \-r
+option, report to stderr, once per second, the number of packets captured. In
+Solaris, FreeBSD and possibly other operating systems this periodic update
+currently can cause loss of captured packets on their way from the kernel to
+tcpdump.
.TP
.B \-vv
Even more verbose output.
present and adding one (e.g. .pcap) is recommended.
.IP
See
-.BR pcap-savefile (@MAN_FILE_FORMATS@)
+.BR \%pcap-savefile (@MAN_FILE_FORMATS@)
for a description of the file format.
.TP
-.B \-W
+.BI \-W " filecount"
Used in conjunction with the
.B \-C
option, this will limit the number
Used in conjunction with the
.B \-G
option, this will limit the number of rotated dump files that get
-created, exiting with status 0 when reaching the limit. If used with
+created, exiting with status 0 when reaching the limit.
+.IP
+If used in conjunction with both
.B \-C
-as well, the behavior will result in cyclical files per timeslice.
+and
+.B \-G,
+the
+.B \-W
+option will currently be ignored, and will only affect the file name.
.TP
.B \-x
When parsing and printing,
packet, so for link layers that pad (e.g. Ethernet), the padding bytes
will also be printed when the higher layer packet is shorter than the
required padding.
+In the current implementation this flag may have the same effect as
+.B \-xx
+if the packet is truncated.
.TP
.B \-xx
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet (minus its link level header) in hex and ASCII.
This is very handy for analysing new protocols.
+In the current implementation this flag may have the same effect as
+.B \-XX
+if the packet is truncated.
.TP
.B \-XX
When parsing and printing,
.TP
.BI \-\-linktype= datalinktype
.PD
-Set the data link type to use while capturing packets to \fIdatalinktype\fP.
+Set the data link type to use while capturing packets (see
+.BR -L )
+or just compiling and dumping packet-matching code (see
+.BR -d )
+to \fIdatalinktype\fP.
.TP
.BI \-z " postrotate-command"
Used in conjunction with the
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
For the \fIexpression\fP syntax, see
-.BR pcap-filter (@MAN_MISC_INFO@).
+.BR \%pcap-filter (@MAN_MISC_INFO@).
.LP
The \fIexpression\fP argument can be passed to \fItcpdump\fP as either a single
Shell argument, or as multiple Shell arguments, whichever is more convenient.
.fi
.RE
.LP
+To print the TCP packets with flags RST and ACK both set.
+(i.e. select only the RST and ACK flags in the flags field, and if the result
+is "RST and ACK both set", match)
+.RS
+.nf
+.B
+tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
+.fi
+.RE
+.LP
To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)
.B
..
.HD
+Timestamps
+.LP
+By default, all output lines are preceded by a timestamp.
+The timestamp
+is the current clock time in the form
+.RS
+.nf
+\fIhh:mm:ss.frac\fP
+.fi
+.RE
+and is as accurate as the kernel's clock.
+The timestamp reflects the time the kernel applied a time stamp to the packet.
+No attempt is made to account for the time lag between when the network
+interface finished receiving the packet from the network and when the
+kernel applied a time stamp to the packet; that time lag could include a
+delay between the time when the network interface finished receiving a
+packet from the network and the time when an interrupt was delivered to
+the kernel to get it to read the packet and a delay between the time
+when the kernel serviced the `new packet' interrupt and the time when it
+applied a time stamp to the packet.
+.HD
Link Level Headers
.LP
If the '-e' option is given, the link level header is printed out.
packets are assumed to contain an LLC packet.
.LP
\fI(N.B.: The following description assumes familiarity with
-the SLIP compression algorithm described in RFC-1144.)\fP
+the SLIP compression algorithm described in RFC 1144.)\fP
.LP
On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
packet type, and compression information are printed out.
.HD
ARP/RARP Packets
.LP
-Arp/rarp output shows the type of request and its arguments.
+ARP/RARP output shows the type of request and its arguments.
The
format is intended to be self explanatory.
Here is a short sample taken from the start of an `rlogin' from
.sp .5
.fi
.RE
-The first line says that rtsg sent an arp packet asking
+The first line says that rtsg sent an ARP packet asking
for the Ethernet address of internet host csam.
Csam
replies with its Ethernet address (in this example, Ethernet addresses
destination is the Ethernet broadcast address, the type field
contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
.HD
+IPv4 Packets
+.LP
+If the link-layer header is not being printed, for IPv4 packets,
+\fBIP\fP is printed after the time stamp.
+.LP
+If the
+.B \-v
+flag is specified, information from the IPv4 header is shown in
+parentheses after the \fBIP\fP or the link-layer header.
+The general format of this information is:
+.RS
+.nf
+.sp .5
+tos \fItos\fP, ttl \fIttl\fP, id \fIid\fP, offset \fIoffset\fP, flags [\fIflags\fP], proto \fIproto\fP, length \fIlength\fP, options (\fIoptions\fP)
+.sp .5
+.fi
+.RE
+\fItos\fP is the type of service field; if the ECN bits are non-zero,
+those are reported as \fBECT(1)\fP, \fBECT(0)\fP, or \fBCE\fP.
+\fIttl\fP is the time-to-live; it is not reported if it is zero.
+\fIid\fP is the IP identification field.
+\fIoffset\fP is the fragment offset field; it is printed whether this is
+part of a fragmented datagram or not.
+\fIflags\fP are the MF and DF flags; \fB+\fP is reported if MF is set,
+and \fBDF\fP is reported if F is set. If neither are set, \fB.\fP is
+reported.
+\fIproto\fP is the protocol ID field.
+\fIlength\fP is the total length field.
+\fIoptions\fP are the IP options, if any.
+.LP
+Next, for TCP and UDP packets, the source and destination IP addresses
+and TCP or UDP ports, with a dot between each IP address and its
+corresponding port, will be printed, with a > separating the source and
+destination. For other protocols, the addresses will be printed, with
+a > separating the source and destination. Higher level protocol
+information, if any, will be printed after that.
+.LP
+For fragmented IP datagrams, the first fragment contains the higher
+level protocol header; fragments after the first contain no higher level
+protocol header. Fragmentation information will be printed only with
+the
+.B \-v
+flag, in the IP header information, as described above.
+.HD
TCP Packets
.LP
\fI(N.B.:The following description assumes familiarity with
-the TCP protocol described in RFC-793.
+the TCP protocol described in RFC 793.
If you are not familiar
-with the protocol, neither this description nor \fItcpdump\fP will
+with the protocol, this description will not
be of much use to you.)\fP
.LP
-The general format of a tcp protocol line is:
+The general format of a TCP protocol line is:
.RS
.nf
.sp .5
-\fIsrc > dst: flags data-seqno ack window urgent options\fP
+\fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow\fP, urg \fIurgent\fP, options [\fIopts\fP], length \fIlen\fP
.sp .5
.fi
.RE
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.
-\fIFlags\fP are some combination of S (SYN),
+\fITcpflags\fP are some combination of S (SYN),
F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or
`.' (ACK), or `none' if no flags are set.
\fIData-seqno\fP describes the portion of sequence space covered
by the data in this packet (see example below).
-\fIAck\fP is sequence number of the next data expected the other
+\fIAckno\fP is sequence number of the next data expected the other
direction on this connection.
\fIWindow\fP is the number of bytes of receive buffer space available
the other direction on this connection.
\fIUrg\fP indicates there is `urgent' data in the packet.
-\fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
+\fIOpts\fP are TCP options (e.g., mss 1024).
+\fILen\fP is the length of payload data.
.LP
-\fISrc, dst\fP and \fIflags\fP are always present.
+\fIIptype\fR, \fISrc\fP, \fIdst\fP, and \fIflags\fP are always present.
The other fields
-depend on the contents of the packet's tcp protocol header and
+depend on the contents of the packet's TCP protocol header and
are output only if appropriate.
.LP
Here is the opening portion of an rlogin from host \fIrtsg\fP to
.RS
.nf
.sp .5
-\s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
-csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
-rtsg.1023 > csam.login: . ack 1 win 4096
-rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
-csam.login > rtsg.1023: . ack 2 win 4096
-rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
-csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
-csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
-csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
+\f(CWIP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
+IP csam.login > rtsg.1023: Flags [S.], seq, 947648:947648, ack 768513, win 4096, opts [mss 1024]
+IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
+IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
+IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096
+IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
+IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
+IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
+IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1\fR
.sp .5
.fi
.RE
-The first line says that tcp port 1023 on rtsg sent a packet
+The first line says that TCP port 1023 on rtsg sent a packet
to port \fIlogin\fP
on csam.
The \fBS\fP indicates that the \fISYN\fP flag was set.
The packet sequence number was 768512 and it contained no data.
-(The notation is `first:last(nbytes)' which means `sequence
+(The notation is `first:last' which means `sequence
numbers \fIfirst\fP
-up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
-There was no piggy-backed ack, the available receive window was 4096
-bytes and there was a max-segment-size option requesting an mss of
+up to but not including \fIlast\fP'.)
+There was no piggy-backed ACK, the available receive window was 4096
+bytes and there was a max-segment-size option requesting an MSS of
1024 bytes.
.LP
Csam replies with a similar packet except it includes a piggy-backed
-ack for rtsg's SYN.
-Rtsg then acks csam's SYN.
+ACK for rtsg's SYN.
+Rtsg then ACKs csam's SYN.
The `.' means the ACK flag was set.
-The packet contained no data so there is no data sequence number.
-Note that the ack sequence
+The packet contained no data so there is no data sequence number or length.
+Note that the ACK sequence
number is a small integer (1).
The first time \fItcpdump\fP sees a
-tcp `conversation', it prints the sequence number from the packet.
+TCP `conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number
is printed.
rather than as numeric values. For example tcp[13] may
be replaced with tcp[tcpflags]. The following TCP flag
field values are also available: tcp-fin, tcp-syn, tcp-rst,
-tcp-push, tcp-act, tcp-urg.
+tcp-push, tcp-ack, tcp-urg.
.PP
This can be demonstrated as:
.RS
.sp .5
.fi
.RE
-This says that port \fIwho\fP on host \fIactinide\fP sent a udp
+This says that port \fIwho\fP on host \fIactinide\fP sent a UDP
datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
broadcast address.
The packet contained 84 bytes of user data.
.LP
Some UDP services are recognized (from the source or destination
port number) and the higher level protocol information printed.
-In particular, Domain Name service requests (RFC-1034/1035) and Sun
-RPC calls (RFC-1050) to NFS.
+In particular, Domain Name service requests (RFC 1034/1035) and Sun
+RPC calls (RFC 1050) to NFS.
.HD
-UDP Name Server Requests
+TCP or UDP Name Server Requests
.LP
\fI(N.B.:The following description assumes familiarity with
-the Domain Service protocol described in RFC-1035.
+the Domain Service protocol described in RFC 1035.
If you are not familiar
with the protocol, the following description will appear to be written
-in greek.)\fP
+in Greek.)\fP
.LP
Name server requests are formatted as
.RS
The query id was `3'.
The `+' indicates the \fIrecursion desired\fP flag
was set.
-The query length was 37 bytes, not including the UDP and
+The query length was 37 bytes, excluding the TCP or UDP and
IP protocol headers.
The query operation was the normal one, \fIQuery\fP,
so the op field was omitted.
`must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
is printed, where \fIx\fP is the hex value of header bytes two and three.
.HD
-UDP Name Server Responses
+TCP or UDP Name Server Responses
.LP
Name server responses are formatted as
.RS
The first answer record is type A (address) and its data is internet
address 128.32.137.3.
The total size of the response was 273 bytes,
-excluding UDP and IP headers.
+excluding TCP or UDP and IP headers.
The op (Query) and response code
(NoError) were omitted, as was the class (C_IN) of the A record.
.LP
gory details.
.LP
For information on SMB packet formats and what all the fields mean see
-www.cifs.org or the pub/samba/specs/ directory on your favorite
-samba.org mirror site.
+\%https://download.samba.org/pub/samba/specs/ and other online resources.
The SMB patches were written by Andrew Tridgell
.HD
Because the \-v flag
is given, some of the file attributes (which are returned in addition
to the file data) are printed: the file type (``REG'', for regular file),
-the file mode (in octal), the uid and gid, and the file size.
+the file mode (in octal), the UID and GID, and the file size.
.LP
If the \-v flag is given more than once, even more details are printed.
.LP
-Note that NFS requests are very large and much of the detail won't be printed
-unless \fIsnaplen\fP is increased.
-Try using `\fB\-s 192\fP' to watch
-NFS traffic.
-.LP
NFS reply packets do not explicitly identify the RPC operation.
Instead,
\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
beacon packets (because abort packets are used to signify a yes vote
for the Ubik protocol).
.LP
-Note that AFS requests are very large and many of the arguments won't
-be printed unless \fIsnaplen\fP is increased.
-Try using `\fB-s 256\fP'
-to watch AFS traffic.
-.LP
AFS reply packets do not explicitly identify the RPC operation.
Instead,
\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
.RS
.nf
.sp .5
-\s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
+\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
-techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
+techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
.sp .5
.fi
.RE
.RS
.nf
.sp .5
-\s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
+\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
-jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
+jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
.sp .5
.fi
.RE
The `:digit' following the
transaction id gives the packet sequence number in the transaction
and the number in parens is the amount of data in the packet,
-excluding the atp header.
+excluding the ATP header.
The `*' on packet 7 indicates that the
EOM bit was set.
.LP
The `*' on the request
indicates that XO (`exactly once') was \fInot\fP set.
-.HD
-IP Fragmentation
-.LP
-Fragmented Internet datagrams are printed as
-.RS
-.nf
-.sp .5
-\fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB+)\fR
-\fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB)\fR
-.sp .5
-.fi
-.RE
-(The first form indicates there are more fragments.
-The second
-indicates this is the last fragment.)
-.LP
-\fIId\fP is the fragment id.
-\fISize\fP is the fragment
-size (in bytes) excluding the IP header.
-\fIOffset\fP is this
-fragment's offset (in bytes) in the original datagram.
-.LP
-The fragment information is output for each fragment.
-The first
-fragment contains the higher level protocol header and the frag
-info is printed after the protocol info.
-Fragments
-after the first contain no higher level protocol header and the
-frag info is printed after the source and destination addresses.
-For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
-over a CSNET connection that doesn't appear to handle 576 byte datagrams:
-.RS
-.nf
-.sp .5
-\s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
-arizona > rtsg: (frag 595a:204@328)
-rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
-.sp .5
-.fi
-.RE
-There are a couple of things to note here: First, addresses in the
-2nd line don't include port numbers.
-This is because the TCP
-protocol information is all in the first fragment and we have no idea
-what the port or sequence numbers are when we print the later fragments.
-Second, the tcp sequence information in the first line is printed as if there
-were 308 bytes of user data when, in fact, there are 512 bytes (308 in
-the first frag and 204 in the second).
-If you are looking for holes
-in the sequence space or trying to match up acks
-with packets, this can fool you.
-.LP
-A packet with the IP \fIdon't fragment\fP flag is marked with a
-trailing \fB(DF)\fP.
-.HD
-Timestamps
-.LP
-By default, all output lines are preceded by a timestamp.
-The timestamp
-is the current clock time in the form
-.RS
-.nf
-\fIhh:mm:ss.frac\fP
-.fi
-.RE
-and is as accurate as the kernel's clock.
-The timestamp reflects the time the kernel first saw the packet.
-No attempt
-is made to account for the time lag between when the
-Ethernet interface removed the packet from the wire and when the kernel
-serviced the `new packet' interrupt.
.SH "SEE ALSO"
-stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
-pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
+.BR stty (1),
+.BR pcap (3PCAP),
+.BR bpf (4),
+.BR nit (4P),
+.BR \%pcap-savefile (@MAN_FILE_FORMATS@),
+.BR \%pcap-filter (@MAN_MISC_INFO@),
+.BR \%pcap-tstamp (@MAN_MISC_INFO@)
.LP
.RS
-.I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
+.na
+.I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
+.ad
.RE
.LP
.SH AUTHORS
.LP
It is currently being maintained by tcpdump.org.
.LP
-The current version is available via http:
+The current version is available via HTTPS:
.LP
.RS
-.I http://www.tcpdump.org/
+.I https://www.tcpdump.org/
.RE
.LP
The original distribution is available via anonymous ftp:
.RE
.LP
IPv6/IPsec support is added by WIDE/KAME project.
-This program uses Eric Young's SSLeay library, under specific configurations.
+This program uses OpenSSL/LibreSSL, under specific configurations.
.SH BUGS
-Please send problems, bugs, questions, desirable enhancements, patches
-etc. to:
.LP
-.RS
-.RE
+To report bugs and other problems, contribute patches, request a
+feature, provide generic feedback etc. please see the file
+.I CONTRIBUTING
+in the tcpdump source tree root.
.LP
NIT doesn't let you watch your own outbound traffic, BPF will.
We recommend that you use the latter.
.IP
all of a packet, not just the part that's within the snapshot length,
will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
-asked to copy only part of a packet to userland, will not report the
+asked to copy only part of a packet to userspace, will not report the
true length of the packet; this would cause most IP packets to get an
error from
.BR tcpdump );
projects / tcpdump / blobdiff