.na
.B tcpdump
[
-.B \-AbdDefIKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqRStuUvxX
] [
.B \-B
.I buffer_size
.I interface
]
[
+.B \-j
+.I tstamp_type
+]
+[
.B \-m
.I module
]
notation.
.TP
.B \-B
-Set the operating system capture buffer size to \fIbuffer_size\fP.
+Set the operating system capture buffer size to \fIbuffer_size\fP, in
+units of KiB (1024 bytes).
.TP
.B \-c
Exit after receiving \fIcount\fP packets.
.B \-E
Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
are addressed to \fIaddr\fP and contain Security Parameter Index value
-\fIspi\fP. This combination may be repeated with comma or newline seperation.
+\fIspi\fP. This combination may be repeated with comma or newline separation.
.IP
Note that setting the secret for IPv4 ESP packets is supported at this time.
.IP
with cryptography enabled.
.IP
\fIsecret\fP is the ASCII text for ESP secret key.
-If preceeded by 0x, then a hex value will be read.
+If preceded by 0x, then a hex value will be read.
.IP
The option assumes RFC2406 ESP, not RFC1827 ESP.
The option is only for debugging purposes, and
.B \-C
option, filenames will take the form of `\fIfile\fP<count>'.
.TP
+.B \-h
+Print the tcpdump and libpcap version strings, print a usage message,
+and exit.
+.TP
+.B \-H
+Attempt to detect 802.11s draft mesh headers.
+.TP
.B \-i
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
+.B \-j
+Set the time stamp type for the capture to \fItstamp_type\fP. The names
+to use for the time stamp types are given in
+.BR pcap-tstamp-type (@MAN_MISC_INFO@);
+not all the types listed there will necessarily be valid for any given
+interface.
+.TP
+.B \-J
+List the supported time stamp types for the interface and exit. If the
+time stamp type cannot be set for the interface, no time stamp types are
+listed.
+.TP
.B \-K
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
interfaces that perform some or all of those checksum calculation in
Useful if you want to see the data
while capturing it.
E.g.,
-.br
-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
+.IP
+.RS
+.RS
+.nf
+\fBtcpdump \-l | tee dat\fP
+.fi
+.RE
+.RE
+.IP
+or
+.IP
+.RS
+.RS
+.nf
+\fBtcpdump \-l > dat & tail \-f dat\fP
+.fi
+.RE
+.RE
+.IP
+Note that on Windows,``line buffered'' means ``unbuffered'', so that
+WinDump will write each character individually if
+.B \-l
+is specified.
+.IP
+.B \-U
+is similar to
+.B \-l
+in its behavior, but it will cause output to be ``packet-buffered'', so
+that the output is written to stdout at the end of each packet rather
+than at the end of each line; this is buffered on all platforms,
+including Windows.
.TP
.B \-L
List the known data link types for the interface, in the specified mode,
specified \fItype\fR.
Currently known types are
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
+\fBcarp\fR (Common Address Redundancy Protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
+\fBradius\fR (RADIUS),
\fBrpc\fR (Remote Procedure Call),
\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
Print undecoded NFS handles.
.TP
.B \-U
-Make output saved via the
+If the
+.B \-w
+option is not specified, make the printed packet output
+``packet-buffered''; i.e., as the description of the contents of each
+packet is printed, it will be written to the standard output, rather
+than, when not writing to a terminal, being written only when the output
+buffer fills.
+.IP
+If the
.B \-w
-option ``packet-buffered''; i.e., as each packet is saved, it will be
-written to the output file, rather than being written only when the
-output buffer fills.
+option is specified, make the saved raw packet output
+``packet-buffered''; i.e., as each packet is saved, it will be written
+to the output file, rather than being written only when the output
+buffer fills.
.IP
The
.B \-U
them out.
They can later be printed with the \-r option.
Standard output is used if \fIfile\fR is ``-''.
+.IP
+This output will be buffered if written to a file or pipe, so a program
+reading from the file or pipe may not see packets for an arbitrary
+amount of time after they are received. Use the
+.B \-U
+flag to cause packets to be written as soon as they are received.
+.IP
See
.BR pcap-savefile (@MAN_FILE_FORMATS@)
for a description of the file format.
and execute the command that you want.
.TP
.B \-Z
-Drops privileges (if root) and changes user ID to
+If
+.I tcpdump
+is running as root, after opening the capture device or input savefile,
+but before opening any savefiles for output, change the user ID to
.I user
and the group ID to the primary group of
.IR user .
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.
\fIFlags\fP are some combination of S (SYN),
-F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
-`.' (no flags).
+F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or
+`.' (ACK), or `none' if no flags are set.
\fIData-seqno\fP describes the portion of sequence space covered
by the data in this packet (see example below).
\fIAck\fP is sequence number of the next data expected the other
Csam replies with a similar packet except it includes a piggy-backed
ack for rtsg's SYN.
Rtsg then acks csam's SYN.
-The `.' means no
-flags were set.
+The `.' means the ACK flag was set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
number is a small integer (1).
If the
`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
is printed.
-
.HD
SMB/CIFS decoding
.LP
on UDP/137, UDP/138 and TCP/139.
Some primitive decoding of IPX and
NetBEUI SMB data is also done.
-
+.LP
By default a fairly minimal decode is done, with a much more detailed
decode done if -v is used.
Be warned that with -v a single SMB packet
may take up a page or more, so only use -v if you really want all the
gory details.
-
-For information on SMB packet formats and what all te fields mean see
+.LP
+For information on SMB packet formats and what all the fields mean see
www.cifs.org or the pub/samba/specs/ directory on your favorite
samba.org mirror site.
The SMB patches were written by Andrew Tridgell
-
.HD
NFS Requests and Replies
.LP
serviced the `new packet' interrupt.
.SH "SEE ALSO"
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
-pcap-filter(@MAN_MISC_INFO@)
+pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@)
.SH AUTHORS
The original authors are:
.LP
projects / tcpdump / blobdiff