-.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.138 2003-02-04 06:00:36 guy Exp $ (LBL)
+.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "21 December 2002"
+.TH TCPDUMP 1 "1 July 2003"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
-.B \-aAdDeflLnNOpqRStuUvxX
+.B \-AdDeflLnNOpqRStuUvxX
] [
.B \-c
.I count
.ti +8
[
.B \-E
-.I algo:secret
+.I spi@ipaddr algo:secret,...
]
+.br
+.ti +8
[
.B \-y
.I datalinktype
.B Under Linux:
You must be root or
.I tcpdump
-must be installed setuid to root.
+must be installed setuid to root (unless your distribution has a kernel
+that supports capability bits such as CAP_NET_RAW and code to allow
+those capability bits to be given to particular accounts and to cause
+those bits to be set on a user's initial processes when they log in, in
+which case you must have CAP_NET_RAW in order to capture and
+CAP_NET_ADMIN to enumerate network devices with, for example, the
+.B \-D
+flag).
.TP
.B Under Ultrix and Digital UNIX/Tru64 UNIX:
Any user may capture network traffic with
promiscuous-mode or copy-all-mode operation, or both modes of
operation, be enabled on that interface.
.TP
-.B Under BSD:
+.B Under BSD (this includes Mac OS X):
You must have read access to
.IR /dev/bpf* .
+On BSDs with a devfs (this includes Mac OS X), this might involve more
+than just having somebody with super-user access setting the ownership
+or permissions on the BPF devices - it might involve configuring devfs
+to set the ownership or permissions every time the system is booted,
+if the system even supports that; if it doesn't support that, you might
+have to find some other way to make that happen at boot time.
.LP
Reading a saved packet file doesn't require special privileges.
.SH OPTIONS
Print each packet (minus its link level header) in ASCII. Handy for
capturing web pages.
.TP
-.B \-a
-Attempt to convert network and broadcast addresses to names.
-.TP
.B \-c
Exit after receiving \fIcount\fP packets.
.TP
Print the link-level header on each dump line.
.TP
.B \-E
-Use \fIalgo:secret\fP for decrypting IPsec ESP packets.
+Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
+are addressed to \fIaddr\fP and contain Security Parameter Index value
+\fIspi\fP. This combination may be repeated with comma or newline seperation.
+.IP
+Note that setting the secret for IPv4 ESP packets is supported at this time.
+.IP
Algorithms may be
\fBdes-cbc\fP,
\fB3des-cbc\fP,
The default is \fBdes-cbc\fP.
The ability to decrypt packets is only present if \fItcpdump\fP was compiled
with cryptography enabled.
-\fIsecret\fP the ASCII text for ESP secret key.
-We cannot take arbitrary binary value at this moment.
+.IP
+\fIsecret\fP is the ASCII text for ESP secret key.
+If preceeded by 0x, then a hex value will be read.
+.IP
The option assumes RFC2406 ESP, not RFC1827 ESP.
The option is only for debugging purposes, and
-the use of this option with truly `secret' key is discouraged.
+the use of this option with a true `secret' key is discouraged.
By presenting IPsec secret key onto command line
you make it visible to others, via
.IR ps (1)
and other occasions.
+.IP
+In addition to the above syntax, the syntax \fIfile name\fP may be used
+to have tcpdump read the provided file in. The file is opened upon
+receiving the first ESP packet, so any special permissions that tcpdump
+may have been given should already have been given up.
.TP
.B \-f
Print `foreign' IPv4 addresses numerically rather than symbolically
\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
\fBsnmp\fR (Simple Network Management Protocol),
+\fBtftp\fR (Trivial File Transfer Protocol),
\fBvat\fR (Visual Audio Tool),
and
\fBwb\fR (distributed White Board).
there is no dir qualifier,
.B "src or dst"
is assumed.
-For `null' link layers (i.e. point to point protocols such as slip) the
+For some link layers, such as SLIP and the ``cooked'' Linux capture mode
+used for the ``any'' device and for some other device types, the
.B inbound
and
.B outbound
.TP
\fIatalk\fP
\fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007
-and the Appletalk etype.
+and the AppleTalk etype.
.RE
.IP
In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field
it does for FDDI, Token Ring, and 802.11;
.TP
\fBatalk\fP
-\fItcpdump\fR checks both for the Appletalk etype in an Ethernet frame and
+\fItcpdump\fR checks both for the AppleTalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
.TP
\fBaarp\fP
-\fItcpdump\fR checks for the Appletalk ARP etype in either an Ethernet
+\fItcpdump\fR checks for the AppleTalk ARP etype in either an Ethernet
frame or an 802.2 SNAP frame with an OUI of 0x000000;
.TP
\fBipx\fP
.IP "\fBdecnet host \fIhost\fR"
True if either the DECNET source or destination address is
.IR host .
+.IP "\fBifname \fIinterface\fR"
+True if the packet was logged as coming from the specified interface (applies
+only to packets logged by OpenBSD's
+.BR pf (4)).
+.IP "\fBon \fIinterface\fR"
+Synonymous with the
+.B ifname
+modifier.
+.IP "\fBrnr \fInum\fR"
+True if the packet was logged as matching the specified PF rule number
+(applies only to packets logged by OpenBSD's
+.BR pf (4)).
+.IP "\fBrulenum \fInum\fR"
+Synonomous with the
+.B rnr
+modifier.
+.IP "\fBreason \fIcode\fR"
+True if the packet was logged with the specified PF reason code. The known
+codes are:
+.BR match ,
+.BR bad-offset ,
+.BR fragment ,
+.BR short ,
+.BR normalize ,
+and
+.B memory
+(applies only to packets logged by OpenBSD's
+.BR pf (4)).
+.IP "\fBaction \fIact\fR"
+True if PF took the specified action when the packet was logged. Known actions
+are:
+.B pass
+and
+.B block
+(applies only to packets logged by OpenBSD's
+.BR pf(4)).
.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP"
Abbreviations for:
.in +.5i
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.
\fIFlags\fP are some combination of S (SYN),
-F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).
+F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
+`.' (no flags).
\fIData-seqno\fP describes the portion of sequence space covered
by the data in this packet (see example below).
\fIAck\fP is sequence number of the next data expected the other
If you are decoding SMB sessions containing unicode strings then you
may wish to set the environment variable USE_UNICODE to 1.
A patch to
-auto-detect unicode srings would be welcome.
+auto-detect unicode strings would be welcome.
For information on SMB packet formats and what all te fields mean see
-www.cifs.org or the pub/samba/specs/ directory on your favourite
+www.cifs.org or the pub/samba/specs/ directory on your favorite
samba.org mirror site.
The SMB patches were written by Andrew Tridgell
corresponding request, it might not be parsable.
.HD
-KIP Appletalk (DDP in UDP)
+KIP AppleTalk (DDP in UDP)
.LP
-Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated
+AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
and dumped as DDP packets (i.e., all the UDP header information is
discarded).
The file
file may contain blank lines or comment lines (lines starting with
a `#').
.LP
-Appletalk addresses are printed in the form
+AppleTalk addresses are printed in the form
.RS
.nf
.sp .5
number \- for this reason it's a good idea to keep node names and
net names distinct in /etc/atalk.names).
.LP
-NBP (name binding protocol) and ATP (Appletalk transaction protocol)
+NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
packets have their contents interpreted.
Other protocols just dump
the protocol name (or number if no name is registered for the
projects / tcpdump / blobdiff