.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "2 February 2017"
+.TH TCPDUMP 1 "2 Apr 2019"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
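Review bot: The new .TH date abbreviates the month ("2 Apr 2019") where the line it replaces spelled it out ("2 February 2017"). Write "2 April 2019" so the date format stays consistent from one release of the page to the next.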
it will be reported as 0).
.LP
On platforms that support the SIGINFO signal, such as most BSDs
-(including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
+(including macOS) and Digital/Tru64 UNIX, it will report those counts
when it receives a SIGINFO signal (generated, for example, by typing
your ``status'' character, typically control-T, although on some
-platforms, such as Mac OS X, the ``status'' character is not set by
+platforms, such as macOS, the ``status'' character is not set by
default, so you must set it with
.BR stty (1)
in order to use it) and will continue capturing packets. On platforms that
do not support the SIGINFO signal, the same can be achieved by using the
SIGUSR1 signal.
.LP
+Using the SIGUSR2 signal along with the
+.B \-w
+flag will forcibly flush the packet buffer into the output file.
+.LP
Reading packets from a network interface may require that you have
special privileges; see the
-.B pcap (3PCAP)
+.BR pcap (3PCAP)
man page for details. Reading a saved packet file doesn't require
special privileges.
.SH OPTIONS
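Review bot: The added SIGUSR2 paragraph documents the signal only "along with the \-w flag" and does not say what tcpdump does when SIGUSR2 arrives without \-w. Add a sentence for that case, since the preceding paragraph tells users to send SIGINFO or SIGUSR1 to a running capture and a mistyped signal should have a documented outcome. Another hunk in this patch mentions builds whose libpcap lacks pcap_dump_flush; say here whether the SIGUSR2 flush is unavailable on those builds too.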
was built with an older version of
.I libpcap
that lacks the
-.B pcap_findalldevs()
+.BR pcap_findalldevs(3PCAP)
function.
.TP
.B \-e
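Review bot: In the changed line ".BR pcap_findalldevs(3PCAP)" there is no space between the function name and the section, so .BR receives a single argument and sets all of it in bold. The other references in this patch, ".BR pcap (3PCAP)" and ".BR strftime (3).", separate name and section. Use ".BR pcap_findalldevs (3PCAP)".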
which should include a time format as defined by
.BR strftime (3).
If no time format is specified, each new file will overwrite the previous.
+Whenever a generated filename is not unique, tcpdump will overwrite the
+preexisting data; providing a time specification that is coarser than the
+capture period is therefore not advised.
.IP
If used in conjunction with the
.B \-C
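Review bot: "Capture period" in the added warning is not a term used elsewhere in the visible text, so it is unclear which interval the time specification is being compared with. Name the rotation interval explicitly. Because the consequence is that preexisting capture data is overwritten, it would also help to state the rule positively: the time format has to produce a different name for every rotation.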
.PD
Set the time stamp type for the capture to \fItstamp_type\fP. The names
to use for the time stamp types are given in
-.BR pcap-tstamp (@MAN_MISC_INFO@);
+.BR \%pcap-tstamp (@MAN_MISC_INFO@);
not all the types listed there will necessarily be valid for any given
interface.
.TP
microsecond resolution and \fBnano\fP for nanosecond resolution. The
default is microsecond resolution.
.TP
+.B \-\-micro
+.PD 0
+.TP
+.B \-\-nano
+.PD
+Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
+\fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
+precision accordingly. When reading packets from a savefile, using
+\fB\-\-micro\fP truncates time stamps if the savefile was created with
+nanosecond precision. In contrast, a savefile created with microsecond
+precision will have trailing zeroes added to the time stamp when
+\fB\-\-nano\fP is used.
+.TP
.B \-K
.PD 0
.TP
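Review bot: The new \-\-micro / \-\-nano entry does not say what happens when both flags are given, or when one of them is combined with a conflicting \-\-time\-stamp\-precision value. State which option wins. The opening "Shorthands for A or B" would also read more precisely as "Shorthands for A and B, respectively".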
.BI \-r " file"
Read packets from \fIfile\fR (which was created with the
.B \-w
-option or by other tools that write pcap or pcap-ng files).
+option or by other tools that write pcap or pcapng files).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-S
fractions of a second since that time, on each dump line.
.TP
.B \-ttt
-Print a delta (micro-second resolution) between current and previous line
-on each dump line.
+Print a delta (microsecond or nanosecond resolution depending on the
+.B \-\-time\-stamp-precision
+option) between current and previous line on each dump line.
+The default is microsecond resolution.
.TP
.B \-tttt
Print a timestamp, as hours, minutes, seconds, and fractions of a second
since midnight, preceded by the date, on each dump line.
.TP
.B \-ttttt
-Print a delta (micro-second resolution) between current and first line
-on each dump line.
+Print a delta (microsecond or nanosecond resolution depending on the
+.B \-\-time\-stamp-precision
+option) between current and first line on each dump line.
+The default is microsecond resolution.
.TP
.B \-u
Print undecoded NFS handles.
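Review bot: Both rewritten paragraphs (\-ttt and \-ttttt) spell the option as "\-\-time\-stamp-precision", with an unescaped hyphen before "precision", while the \-\-micro / \-\-nano text added earlier in this patch uses "\-\-time\-stamp\-precision". Escape the last hyphen as well so the option name renders the same everywhere. The sentence "The default is microsecond resolution." is now repeated in both entries in addition to the precision option's own description and could be dropped from these two.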
was built with an older version of
.I libpcap
that lacks the
-.B pcap_dump_flush()
+.BR pcap_dump_flush(3PCAP)
function.
.TP
.B \-v
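Review bot: ".BR pcap_dump_flush(3PCAP)" has no space between the function name and the section, so the whole string is one .BR argument and is set entirely in bold, unlike ".BR pcap (3PCAP)" elsewhere in this patch. Use ".BR pcap_dump_flush (3PCAP)".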
Used in conjunction with the
.B \-G
option, this will limit the number of rotated dump files that get
-created, exiting with status 0 when reaching the limit. If used with
+created, exiting with status 0 when reaching the limit.
+.IP
+If used in conjunction with both
.B \-C
-as well, the behavior will result in cyclical files per timeslice.
+and
+.B \-G,
+the
+.B \-W
+option will currently be ignored, and will only affect the file name.
.TP
.B \-x
When parsing and printing,
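Review bot: The added sentence says the \-W option "will currently be ignored, and will only affect the file name", which contradicts itself: an option that changes the file name is not ignored. Say what is actually dropped (presumably the limit on the number of files described just above) and what is kept. Separately, ".B \-G," sets the comma in bold; ".BR \-G ," keeps it roman.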
\fIoffset\fP is the fragment offset field; it is printed whether this is
part of a fragmented datagram or not.
\fIflags\fP are the MF and DF flags; \fB+\fP is reported if MF is set,
-and \fBDF\P is reported if F is set. If neither are set, \fB.\fP is
+and \fBDF\fP is reported if F is set. If neither are set, \fB.\fP is
reported.
\fIproto\fP is the protocol ID field.
\fIlength\fP is the total length field.
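Review bot: The fix corrects the font escape ("\P" to "\fP"), but the line still reads "\fBDF\fP is reported if F is set". Given the preceding "the MF and DF flags; \fB+\fP is reported if MF is set", the bare "F" looks like a typo for "DF" and could be corrected in the same change.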
.RS
.nf
.sp .5
-\s-2\f(CWIP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
+\f(CWIP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
IP csam.login > rtsg.1023: Flags [S.], seq, 947648:947648, ack 768513, win 4096, opts [mss 1024]
IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
-IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1\fR\s+2
+IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1\fR
.sp .5
.fi
.RE
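Review bot: While this example block is being touched, the unchanged second line has a stray comma in "seq, 947648:947648", unlike "seq 768512:768512" on the line above it and every other seq field in the block. Remove the comma in the same change.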
.RS
.nf
.sp .5
-\s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
+\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
-techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
+techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
.sp .5
.fi
.RE
.RS
.nf
.sp .5
-\s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
+\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
-jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
+jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
.sp .5
.fi
.RE
indicates that XO (`exactly once') was \fInot\fP set.
.SH "SEE ALSO"
-stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
-pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
+stty(1), pcap(3PCAP), bpf(4), nit(4P), \%pcap-savefile(@MAN_FILE_FORMATS@),
+\%pcap-filter(@MAN_MISC_INFO@), \%pcap-tstamp(@MAN_MISC_INFO@)
.LP
.RS
-.I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
+.na
+.I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
+.ad
.RE
.LP
.SH AUTHORS
The current version is available via http:
.LP
.RS
-.I http://www.tcpdump.org/
+.I https://www.tcpdump.org/
.RE
.LP
The original distribution is available via anonymous ftp:
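Review bot: The link is switched to https, but the unchanged lead-in above it still says "The current version is available via http:". Reword the lead-in (for example "via HTTPS:") so the text and the URL agree.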