.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "6 May 2014"
+.TH TCPDUMP 1 "11 July 2014"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
-.B \-AbdDefhHIJKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqRStuUvxX#
] [
.B \-B
.I buffer_size
-] [
+]
+.br
+.ti +8
+[
.B \-c
.I count
]
]
.ti +8
[
+.BI \-\-time\-stamp\-precision= tstamp_precision
+]
+.ti +8
+[
+.B \-\-immediate\-mode
+]
+[
.B \-\-version
]
+.ti +8
[
.I expression
]
.SH DESCRIPTION
.LP
\fITcpdump\fP prints out a description of the contents of packets on a
-network interface that match the boolean \fIexpression\fP. It can also
+network interface that match the boolean \fIexpression\fP; the
+description is preceded by a time stamp, printed, by default, as hours,
+minutes, seconds, and fractions of a second since midnight. It can also
be run with the
.B \-w
flag, which causes it to save the packet data to a file for later
platforms, such as Mac OS X, the ``status'' character is not set by
default, so you must set it with
.BR stty (1)
-in order to use it) and will continue capturing packets.
+in order to use it) and will continue capturing packets. On platforms that
+do not support the SIGINFO signal, the same can be achieved by using the
+SIGUSR1 signal.
.LP
Reading packets from a network interface may require that you have
special privileges; see the
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
+.BI \-\-immediate\-mode
+Capture in "immediate mode". In this mode, packets are delivered to
+tcpdump as soon as they arrive, rather than being buffered for
+efficiency. This is the default when printing packets rather than
+saving packets to a ``savefile'' if the packets are being printed to a
+terminal rather than to a file or pipe.
+.TP
.BI \-j " tstamp_type"
.PD 0
.TP
listed.
.TP
.BI \-\-time\-stamp\-precision= tstamp_precision
-.PD
-Set the time stamp precision for the capture to
-\fItstamp_precision\fP. Currently supported are microseconds and
-nanoseconds. Note that availability of high precision time stamps (nanoseconds)
-and their actual accuracy is platform and HW dependent. Also note that when
-writing captures to the savefile, distinct magic number is used to distinguish
-savefiles which contains time stamps in nanoseconds.
+When capturing, set the time stamp precision for the capture to
+\fItstamp_precision\fP. Note that availability of high precision time
+stamps (nanoseconds) and their actual accuracy is platform and hardware
+dependent. Also note that when writing captures made with nanosecond
+accuracy to a savefile, the time stamps are written with nanosecond
+resolution, and the file is written with a different magic number, to
+indicate that the time stamps are in seconds and nanoseconds; not all
+programs that read pcap savefiles will be able to read those captures.
+.LP
+When reading a savefile, convert time stamps to the precision specified
+by \fItimestamp_precision\fP, and display them with that resolution. If
+the precision specified is less than the precision of time stamps in the
+file, the conversion will lose precision.
+.LP
+The supported values for \fItimestamp_precision\fP are \fBmicro\fP for
+microsecond resolution and \fBnano\fP for nanosecond resolution. The
+default is microsecond resolution.
.TP
.B \-K
.PD 0
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
+.B \-#
+.PD 0
+.TP
.B \-\-number
+.PD
Print an optional packet number at the beginning of the line.
.TP
.B \-O
\fIDon't\fP print a timestamp on each dump line.
.TP
.B \-tt
-Print an unformatted timestamp on each dump line.
+Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and
+fractions of a second since that time, on each dump line.
.TP
.B \-ttt
Print a delta (micro-second resolution) between current and previous line
on each dump line.
.TP
.B \-tttt
-Print a timestamp in default format proceeded by date on each dump line.
+Print a timestamp, as hours, minutes, seconds, and fractions of a second
+since midnight, preceded by the date, on each dump line.
.TP
.B \-ttttt
Print a delta (micro-second resolution) between current and first line
.fi
.RE
and is as accurate as the kernel's clock.
-The timestamp reflects the time the kernel first saw the packet.
-No attempt
-is made to account for the time lag between when the
-Ethernet interface removed the packet from the wire and when the kernel
-serviced the `new packet' interrupt.
+The timestamp reflects the time the kernel applied a time stamp to the packet.
+No attempt is made to account for the time lag between when the network
+interface finished receiving the packet from the network and when the
+kernel applied a time stamp to the packet; that time lag could include a
+delay between the time when the network interface finished receiving a
+packet from the network and the time when an interrupt was delivered to
+the kernel to get it to read the packet and a delay between the time
+when the kernel serviced the `new packet' interrupt and the time when it
+applied a time stamp to the packet.
.SH "SEE ALSO"
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@),
pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)
projects / tcpdump / blobdiff