.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "2 Mar 2020"
+.TH TCPDUMP 1 "21 December 2020"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.SH DESCRIPTION
.LP
\fITcpdump\fP prints out a description of the contents of packets on a
-network interface that match the boolean \fIexpression\fP; the
+network interface that match the Boolean \fIexpression\fP; the
description is preceded by a time stamp, printed, by default, as hours,
minutes, seconds, and fractions of a second since midnight. It can also
be run with the
.B \-d
Dump the compiled packet-matching code in a human readable form to
standard output and stop.
+.IP
+Please mind that although code compilation is always DLT-specific,
+typically it is impossible (and unnecessary) to specify which DLT to use
+for the dump because \fItcpdump\fP uses either the DLT of the input pcap
+file specified with
+.BR -r ,
+or the default DLT of the network interface specified with
+.BR -i ,
+or the particular DLT of the network interface specified with
+.B -y
+and
+.B -i
+respectively. In these cases the dump shows the same exact code that
+would filter the input file or the network interface without
+.BR -d .
+.IP
+However, when neither
+.B -r
+nor
+.B -i
+is specified, specifying
+.B -d
+prevents \fItcpdump\fP from guessing a suitable network interface (see
+.BR -i ).
+In this case the DLT defaults to EN10MB and can be set to another valid
+value manually with
+.BR -y .
.TP
.B \-dd
Dump packet-matching code as a
.BR strftime (3).
If no time format is specified, each new file will overwrite the previous.
Whenever a generated filename is not unique, tcpdump will overwrite the
-preexisting data; providing a time specification that is coarser than the
+pre-existing data; providing a time specification that is coarser than the
capture period is therefore not advised.
.IP
If used in conjunction with the
.TP
.BI \-\-interface= interface
.PD
-Listen on \fIinterface\fP.
-If unspecified, \fItcpdump\fP searches the system interface list for the
-lowest numbered, configured up interface (excluding loopback), which may turn
-out to be, for example, ``eth0''.
+Listen, report the list of link-layer types, report the list of time
+stamp types, or report the results of compiling a filter expression on
+\fIinterface\fP. If unspecified and if the
+.B -d
+flag is not given, \fItcpdump\fP searches the system
+interface list for the lowest numbered, configured up interface
+(excluding loopback), which may turn out to be, for example, ``eth0''.
.IP
On Linux systems with 2.2 or later kernels, an
.I interface
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
\fBcarp\fR (Common Address Redundancy Protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
+\fBdomain\fR (Domain Name System),
\fBlmp\fR (Link Management Protocol),
\fBpgm\fR (Pragmatic General Multicast),
\fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM),
.IP
When writing to a file with the
.B \-w
-option, report, once per second, the number of packets captured.
+option and at the same time not reading from a file with the
+.B \-r
+option, report to stderr, once per second, the number of packets captured. In
+Solaris, FreeBSD and possibly other operating systems this periodic update
+currently can cause loss of captured packets on their way from the kernel to
+tcpdump.
.TP
.B \-vv
Even more verbose output.
packet, so for link layers that pad (e.g. Ethernet), the padding bytes
will also be printed when the higher layer packet is shorter than the
required padding.
+In the current implementation this flag may have the same effect as
+.B \-xx
+if the packet is truncated.
.TP
.B \-xx
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet (minus its link level header) in hex and ASCII.
This is very handy for analysing new protocols.
+In the current implementation this flag may have the same effect as
+.B \-XX
+if the packet is truncated.
.TP
.B \-XX
When parsing and printing,
.TP
.BI \-\-linktype= datalinktype
.PD
-Set the data link type to use while capturing packets to \fIdatalinktype\fP.
+Set the data link type to use while capturing packets (see
+.BR -L )
+or just compiling and dumping packet-matching code (see
+.BR -d )
+to \fIdatalinktype\fP.
.TP
.BI \-z " postrotate-command"
Used in conjunction with the
.fi
.RE
.LP
+To print the TCP packets with flags RST and ACK both set.
+(i.e. select only the RST and ACK flags in the flags field, and if the result
+is "RST and ACK both set", match)
+.RS
+.nf
+.B
+tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
+.fi
+.RE
+.LP
To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets. (IPv6 is left as an exercise for the reader.)
.HD
ARP/RARP Packets
.LP
-Arp/rarp output shows the type of request and its arguments.
+ARP/RARP output shows the type of request and its arguments.
The
format is intended to be self explanatory.
Here is a short sample taken from the start of an `rlogin' from
.sp .5
.fi
.RE
-The first line says that rtsg sent an arp packet asking
+The first line says that rtsg sent an ARP packet asking
for the Ethernet address of internet host csam.
Csam
replies with its Ethernet address (in this example, Ethernet addresses
(The notation is `first:last' which means `sequence
numbers \fIfirst\fP
up to but not including \fIlast\fP'.)
-There was no piggy-backed ack, the available receive window was 4096
-bytes and there was a max-segment-size option requesting an mss of
+There was no piggy-backed ACK, the available receive window was 4096
+bytes and there was a max-segment-size option requesting an MSS of
1024 bytes.
.LP
Csam replies with a similar packet except it includes a piggy-backed
-ack for rtsg's SYN.
-Rtsg then acks csam's SYN.
+ACK for rtsg's SYN.
+Rtsg then ACKs csam's SYN.
The `.' means the ACK flag was set.
The packet contained no data so there is no data sequence number or length.
-Note that the ack sequence
+Note that the ACK sequence
number is a small integer (1).
The first time \fItcpdump\fP sees a
TCP `conversation', it prints the sequence number from the packet.
.sp .5
.fi
.RE
-This says that port \fIwho\fP on host \fIactinide\fP sent a udp
+This says that port \fIwho\fP on host \fIactinide\fP sent a UDP
datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
broadcast address.
The packet contained 84 bytes of user data.
the Domain Service protocol described in RFC-1035.
If you are not familiar
with the protocol, the following description will appear to be written
-in greek.)\fP
+in Greek.)\fP
.LP
Name server requests are formatted as
.RS
Because the \-v flag
is given, some of the file attributes (which are returned in addition
to the file data) are printed: the file type (``REG'', for regular file),
-the file mode (in octal), the uid and gid, and the file size.
+the file mode (in octal), the UID and GID, and the file size.
.LP
If the \-v flag is given more than once, even more details are printed.
.LP
The `:digit' following the
transaction id gives the packet sequence number in the transaction
and the number in parens is the amount of data in the packet,
-excluding the atp header.
+excluding the ATP header.
The `*' on packet 7 indicates that the
EOM bit was set.
.LP
indicates that XO (`exactly once') was \fInot\fP set.
.SH "SEE ALSO"
-stty(1), pcap(3PCAP), bpf(4), nit(4P), \%pcap-savefile(@MAN_FILE_FORMATS@),
-\%pcap-filter(@MAN_MISC_INFO@), \%pcap-tstamp(@MAN_MISC_INFO@)
+.BR stty (1),
+.BR pcap (3PCAP),
+.BR bpf (4),
+.BR nit (4P),
+.BR \%pcap-savefile (@MAN_FILE_FORMATS@),
+.BR \%pcap-filter (@MAN_MISC_INFO@),
+.BR \%pcap-tstamp (@MAN_MISC_INFO@)
.LP
.RS
.na
.LP
To report bugs and other problems, contribute patches, request a
-feature, provide generic feedback etc please see the file
+feature, provide generic feedback etc. please see the file
.I CONTRIBUTING
in the tcpdump source tree root.
.LP
.IP
all of a packet, not just the part that's within the snapshot length,
will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
-asked to copy only part of a packet to userland, will not report the
+asked to copy only part of a packet to userspace, will not report the
true length of the packet; this would cause most IP packets to get an
error from
.BR tcpdump );
projects / tcpdump / blobdiff