X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/1afd3f308e25f7bf070f3932a28ed6b2be8173f6..refs/heads/tcpdump-4.6:/tcpdump.1.in diff --git a/tcpdump.1.in b/tcpdump.1.in index 16f6464f..a9664692 100644 --- a/tcpdump.1.in +++ b/tcpdump.1.in @@ -1,5 +1,3 @@ -.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL) -.\" .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 @@ -22,18 +20,21 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "12 July 2012" +.TH TCPDUMP 1 "11 July 2014" .SH NAME tcpdump \- dump traffic on a network .SH SYNOPSIS .na .B tcpdump [ -.B \-AbdDefhHIJKlLnNOpqRStuUvxX +.B \-AbdDefhHIJKlLnNOpqRStuUvxX# ] [ .B \-B .I buffer_size -] [ +] +.br +.ti +8 +[ .B \-c .I count ] @@ -70,10 +71,22 @@ tcpdump \- dump traffic on a network .br .ti +8 [ +.B \-\-number +] +[ +.B \-Q +.I in|out|inout +] +.ti +8 +[ .B \-r .I file ] [ +.B \-V +.I file +] +[ .B \-s .I snaplen ] @@ -113,6 +126,13 @@ tcpdump \- dump traffic on a network ] .ti +8 [ +.BI \-\-time\-stamp\-precision= tstamp_precision +] +[ +.B \-\-version +] +.ti +8 +[ .I expression ] .br @@ -127,8 +147,10 @@ flag, which causes it to save the packet data to a file for later analysis, and/or with the .B \-r flag, which causes it to read from a saved packet file rather than to -read packets from a network interface. In all cases, only packets that -match +read packets from a network interface. It can also be run with the +.B \-V +flag, which causes it to read a list of saved packet files. In all cases, +only packets that match .I expression will be processed by .IR tcpdump . 
@@ -199,14 +221,18 @@ capturing web pages. Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation. .TP -.B \-B +.BI \-B " buffer_size" +.PD 0 +.TP +.BI \-\-buffer\-size= buffer_size +.PD Set the operating system capture buffer size to \fIbuffer_size\fP, in units of KiB (1024 bytes). .TP -.B \-c +.BI \-c " count" Exit after receiving \fIcount\fP packets. .TP -.B \-C +.BI \-C " file_size" Before writing a raw packet to a savefile, check whether the file is currently larger than \fIfile_size\fP and, if so, close the current savefile and open a new one. Savefiles after the first savefile will @@ -229,6 +255,10 @@ program fragment. Dump packet-matching code as decimal numbers (preceded with a count). .TP .B \-D +.PD 0 +.TP +.B \-\-list\-interfaces +.PD Print the list of the network interfaces available on the system and on which .I tcpdump @@ -256,7 +286,9 @@ that lacks the function. .TP .B \-e -Print the link-level header on each dump line. +Print the link-level header on each dump line. This can be used, for +example, to print MAC layer addresses for protocols such as Ethernet and +IEEE 802.11. .TP .B \-E Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that @@ -306,11 +338,11 @@ because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly. .TP -.B \-F +.BI \-F " file" Use \fIfile\fP as input for the filter expression. An additional expression given on the command line is ignored. .TP -.B \-G +.BI \-G " rotate_seconds" If specified, rotates the dump file specified with the .B \-w option every \fIrotate_seconds\fP seconds. 
@@ -325,17 +357,29 @@ If used in conjunction with the option, filenames will take the form of `\fIfile\fP'. .TP .B \-h +.PD 0 +.TP +.B \-\-help +.PD Print the tcpdump and libpcap version strings, print a usage message, and exit. .TP +.B \-\-version +.PD +Print the tcpdump and libpcap version strings and exit. +.TP .B \-H Attempt to detect 802.11s draft mesh headers. .TP -.B \-i +.BI \-i " interface" +.PD 0 +.TP +.BI \-\-interface= interface +.PD Listen on \fIinterface\fP. If unspecified, \fItcpdump\fP searches the system interface list for the -lowest numbered, configured up interface (excluding loopback). -Ties are broken by choosing the earliest match. +lowest numbered, configured up interface (excluding loopback), which may turn +out to be, for example, ``eth0''. .IP On Linux systems with 2.2 or later kernels, an .I interface @@ -351,6 +395,10 @@ used as the argument. .TP .B \-I +.PD 0 +.TP +.B \-\-monitor\-mode +.PD Put the interface in "monitor mode"; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems. .IP 
@@ -371,19 +419,50 @@ monitor mode will be shown; if is specified, only those link-layer types available when in monitor mode will be shown. .TP -.B \-j +.BI \-j " tstamp_type" +.PD 0 +.TP +.BI \-\-time\-stamp\-type= tstamp_type +.PD Set the time stamp type for the capture to \fItstamp_type\fP. The names to use for the time stamp types are given in -.BR pcap-tstamp-type (@MAN_MISC_INFO@); +.BR pcap-tstamp (@MAN_MISC_INFO@); not all the types listed there will necessarily be valid for any given interface. .TP .B \-J +.PD 0 +.TP +.B \-\-list\-time\-stamp\-types +.PD List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed. .TP +.BI \-\-time\-stamp\-precision= tstamp_precision +When capturing, set the time stamp precision for the capture to +\fItstamp_precision\fP. Note that availability of high precision time +stamps (nanoseconds) and their actual accuracy is platform and hardware +dependent. Also note that when writing captures made with nanosecond +accuracy to a savefile, the time stamps are written with nanosecond +resolution, and the file is written with a different magic number, to +indicate that the time stamps are in seconds and nanoseconds; not all +programs that read pcap savefiles will be able to read those captures. +.LP +When reading a savefile, convert time stamps to the precision specified +by \fItimestamp_precision\fP, and display them with that resolution. If +the precision specified is less than the precision of time stamps in the +file, the conversion will lose precision. +.LP +The supported values for \fItimestamp_precision\fP are \fBmicro\fP for +microsecond resolution and \fBnano\fP for nanosecond resolution. The +default is microsecond resolution. +.TP .B \-K +.PD 0 +.TP +.B \-\-dont\-verify\-checksums +.PD Don't attempt to verify IP, TCP, or UDP checksums. 
This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad. @@ -426,6 +505,10 @@ than at the end of each line; this is buffered on all platforms, including Windows. .TP .B \-L +.PD 0 +.TP +.B \-\-list\-data\-link\-types +.PD List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might @@ -436,12 +519,12 @@ and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode). .TP -.B \-m +.BI \-m " module" Load SMI MIB module definitions from file \fImodule\fR. This option can be used several times to load several MIB modules into \fItcpdump\fP. .TP -.B \-M +.BI \-M " secret" Use \fIsecret\fP as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present. .TP 
@@ -454,18 +537,42 @@ E.g., if you give this flag then \fItcpdump\fP will print ``nic'' instead of ``nic.ddn.mil''. .TP +.B \-# +.PD 0 +.TP +.B \-\-number +.PD +Print an optional packet number at the beginning of the line. +.TP .B \-O +.PD 0 +.TP +.B \-\-no\-optimize +.PD Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer. .TP .B \-p +.PD 0 +.TP +.B \-\-no\-promiscuous\-mode +.PD \fIDon't\fP put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'. .TP +.BI \-Q " direction" +.PD 0 +.TP +.BI \-\-direction= direction +.PD +Choose send/receive direction \fIdirection\fR for which packets should be +captured. Possible values are `in', `out' and `inout'. Not available +on all platforms. +.TP .B \-q Quick (quiet?) output. Print less protocol information so output @@ -477,16 +584,24 @@ If specified, \fItcpdump\fP will not print replay prevention field. Since there is no protocol version field in ESP/AH specification, \fItcpdump\fP cannot deduce the version of ESP/AH protocol. .TP -.B \-r +.BI \-r " file" Read packets from \fIfile\fR (which was created with the .B \-w -option). +option or by other tools that write pcap or pcap-ng files). Standard input is used if \fIfile\fR is ``-''. .TP .B \-S +.PD 0 +.TP +.B \-\-absolute\-tcp\-sequence\-numbers +.PD Print absolute, rather than relative, TCP sequence numbers. .TP -.B \-s +.BI \-s " snaplen" +.PD 0 +.TP +.BI \-\-snapshot\-length= snaplen +.PD Snarf \fIsnaplen\fP bytes of data from each packet rather than the default of 65535 bytes. Packets truncated because of a limited snapshot 
@@ -504,13 +619,16 @@ Setting for backwards compatibility with recent older versions of .IR tcpdump . .TP -.B \-T +.BI \-T " type" Force packets selected by "\fIexpression\fP" to be interpreted the specified \fItype\fR. Currently known types are \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol), \fBcarp\fR (Common Address Redundancy Protocol), \fBcnfp\fR (Cisco NetFlow protocol), +\fBlmp\fR (Link Management Protocol), +\fBpgm\fR (Pragmatic General Multicast), +\fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM), \fBradius\fR (RADIUS), \fBrpc\fR (Remote Procedure Call), \fBrtp\fR (Real-Time Applications protocol), @@ -518,8 +636,20 @@ Currently known types are \fBsnmp\fR (Simple Network Management Protocol), \fBtftp\fR (Trivial File Transfer Protocol), \fBvat\fR (Visual Audio Tool), +\fBwb\fR (distributed White Board), +\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0) and -\fBwb\fR (distributed White Board). +\fBvxlan\fR (Virtual eXtensible Local Area Network). +.IP +Note that the \fBpgm\fR type above affects UDP interpretation only, the native +PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is +often called "EPGM" or "PGM/UDP". +.IP +Note that the \fBpgm_zmtp1\fR type above affects interpretation of both native +PGM and UDP at once. During the native PGM decoding the application data of an +ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. +During the UDP decoding in addition to that any UDP packet would be treated as +an encapsulated PGM packet. .TP .B \-t \fIDon't\fP print a timestamp on each dump line. @@ -542,6 +672,10 @@ on each dump line. Print undecoded NFS handles. .TP .B \-U +.PD 0 +.TP +.B \-\-packet\-buffered +.PD If the .B \-w option is not specified, make the printed packet output 
@@ -592,7 +726,11 @@ With .B \-X Telnet options are printed in hex as well. .TP -.B \-w +.BI \-V " file" +Read a list of filenames from \fIfile\fR. Standard input is used +if \fIfile\fR is ``-''. +.TP +.BI \-w " file" Write the raw packets to \fIfile\fR rather than parsing and printing them out. They can later be printed with the \-r option. @@ -665,10 +803,14 @@ each packet, .I including its link level header, in hex and ASCII. .TP -.B \-y +.BI \-y " datalinktype" +.PD 0 +.TP +.BI \-\-linktype= datalinktype +.PD Set the data link type to use while capturing packets to \fIdatalinktype\fP. .TP -.B \-z +.BI \-z " postrotate-command" Used in conjunction with the .B -C or @@ -676,7 +818,7 @@ or options, this will make .I tcpdump run " -.I command file +.I postrotate-command file " where .I file is the savefile being closed after each rotation. For example, specifying @@ -693,7 +835,11 @@ different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want. .TP -.B \-Z +.BI \-Z " user" +.PD 0 +.TP +.BI \-\-relinquish\-privileges= user +.PD If .I tcpdump is running as root, after opening the capture device or input savefile, 
@@ -714,10 +860,12 @@ only packets for which \fIexpression\fP is `true' will be dumped. For the \fIexpression\fP syntax, see .BR pcap-filter (@MAN_MISC_INFO@). .LP -Expression arguments can be passed to \fItcpdump\fP as either a single -argument or as multiple arguments, whichever is more convenient. -Generally, if the expression contains Shell metacharacters, it is -easier to pass it as a single, quoted argument. +The \fIexpression\fP argument can be passed to \fItcpdump\fP as either a single +Shell argument, or as multiple Shell arguments, whichever is more convenient. +Generally, if the expression contains Shell metacharacters, such as +backslashes used to escape protocol names, it is easier to pass it as +a single, quoted argument rather than to escape the Shell +metacharacters. Multiple arguments are concatenated with spaces before being parsed. .SH EXAMPLES .LP 
@@ -1373,39 +1521,45 @@ Sun NFS (Network File System) requests and replies are printed as: .RS .nf .sp .5 -\fIsrc.xid > dst.nfs: len op args\fP -\fIsrc.nfs > dst.xid: reply stat len op results\fP +\fIsrc.sport > dst.nfs: NFS request xid xid len op args\fP +\fIsrc.nfs > dst.dport: NFS reply xid xid reply stat len op results\fP .sp .5 \f(CW -sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165 -wrl.nfs > sushi.6709: reply ok 40 readlink "../var" -sushi.201b > wrl.nfs: +sushi.1023 > wrl.nfs: NFS request xid 26377 + 112 readlink fh 21,24/10.73165 +wrl.nfs > sushi.1023: NFS reply xid 26377 + reply ok 40 readlink "../var" +sushi.1022 > wrl.nfs: NFS request xid 8219 144 lookup fh 9,74/4096.6878 "xcolors" -wrl.nfs > sushi.201b: +wrl.nfs > sushi.1022: NFS reply xid 8219 reply ok 128 lookup fh 9,74/4134.3150 \fR .sp .5 .fi .RE -In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP -to \fIwrl\fP (note that the number following the src host is a -transaction id, \fInot\fP the source port). +In the first line, host \fIsushi\fP sends a transaction with id \fI26377\fP +to \fIwrl\fP. The request was 112 bytes, excluding the UDP and IP headers. The operation was a \fIreadlink\fP (read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and -generation number.) -\fIWrl\fP replies `ok' with the contents of the link. +generation number.) In the second line, \fIwrl\fP replies `ok' with +the same transaction id and the contents of the link. +.LP +In the third line, \fIsushi\fP asks (using a new transaction id) \fIwrl\fP +to lookup the name `\fIxcolors\fP' in directory file 9,74/4096.6878. In +the fourth line, \fIwrl\fP sends a reply with the respective transaction id. .LP -In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name -`\fIxcolors\fP' in directory file 9,74/4096.6878. 
Note that the data printed depends on the operation type. The format is intended to be self explanatory if read in conjunction with an NFS protocol spec. +Also note that older versions of tcpdump printed NFS packets in a +slightly different format: the transaction id (xid) would be printed +instead of the non-NFS port number of the packet. .LP If the \-v (verbose) flag is given, additional information is printed. For example: @@ -1413,9 +1567,9 @@ For example: .nf .sp .5 \f(CW -sushi.1372a > wrl.nfs: +sushi.1023 > wrl.nfs: NFS request xid 79658 148 read fh 21,11/12.195 8192 bytes @ 24576 -wrl.nfs > sushi.1372a: +wrl.nfs > sushi.1023: NFS reply xid 79658 reply ok 1472 read REG 100664 ids 417/0 sz 29388 \fP .sp .5 @@ -1491,11 +1645,11 @@ not be useful to people who are not familiar with the workings of AFS and RX. .LP If the -v (verbose) flag is given twice, acknowledgement packets and -additional header information is printed, such as the the RX call ID, +additional header information is printed, such as the RX call ID, call number, sequence number, serial number, and the RX packet flags. .LP If the -v flag is given twice, additional information is printed, -such as the the RX call ID, serial number, and the RX packet flags. +such as the RX call ID, serial number, and the RX packet flags. The MTU negotiation information is also printed from RX ack packets. .LP If the -v flag is given three times, the security index and service id @@ -1718,7 +1872,7 @@ Ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt. .SH "SEE ALSO" stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@), -pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@) +pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@) .LP .RS .I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap 
@@ -1743,7 +1897,7 @@ The current version is available via http: The original distribution is available via anonymous ftp: .LP .RS -.I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z +.I ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z .RE .LP IPv6/IPsec support is added by WIDE/KAME project.
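Review bot: the SYNOPSIS region (hunks `@@ -22,18 +20,21 @@`, `@@ -70,10 +71,22 @@` and `@@ -113,6 +126,13 @@`) advertises only three of the new long options (`--number`, `--time-stamp-precision=`, `--version`), while the long aliases introduced in the option descriptions (`--buffer-size=`, `--list-interfaces`, `--interface=`, `--direction=`, `--snapshot-length=`, `--relinquish-privileges=` and the rest) are left out. Either list the long forms consistently in the synopsis or leave all of them to the per-option entries; a half-populated synopsis reads as if the others did not exist.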
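Review bot: in the `@@ -325,17 +357,29 @@` hunk the `--version` entry has a bare `.PD` after `.B \-\-version` with no preceding `.PD 0`, unlike every other paired entry in this patch (`.PD 0` / `.TP` / `.PD`); drop the stray `.PD` or pair it. In the same hunk the `-i` text deletes "Ties are broken by choosing the earliest match." and replaces it with the `eth0` example; if the tie-break behaviour still holds, keep that sentence, since the example does not tell the reader which interface wins when several match.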
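Review bot: in the `@@ -371,19 +419,50 @@` hunk the new `--time-stamp-precision=` entry names its argument `tstamp_precision` in the `.BI` line and the first sentence but `\fItimestamp_precision\fP` in the two following paragraphs; use one spelling. Those two paragraphs are also introduced with `.LP`, which ends the `.TP` hanging indent and drops the text back to the left margin; the `-i` and `-T` entries use `.IP` for continuation paragraphs, so `.IP` should be used here too.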
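Review bot: in the `@@ -454,18 +537,42 @@` hunk the `-#`/`--number` text "Print an optional packet number at the beginning of the line." is misleading, since the number is not optional once the flag is given; suggest "Print a packet number at the beginning of each line." The `-Q`/`--direction=` entry ends with "Not available on all platforms." without saying what happens where it is unsupported (error, or silently ignored), which matters now that `-Q in|out|inout` appears in the synopsis.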
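Review bot: in the `@@ -518,8 +636,20 @@` hunk the type list is alphabetical up to `\fBzmtp1\fR` and then ends with `\fBvxlan\fR`; move `vxlan` before `wb` to keep the order. The `pgm_zmtp1` note "During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet." is hard to parse; suggest "In addition, during UDP decoding every UDP packet is treated as an encapsulated PGM packet." Also "recognised" in the `pgm` note uses British spelling while the rest of the page uses American spelling ("optimizer").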
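Review bot: in the `@@ -592,7 +726,11 @@` hunk the `-V file` entry says only "Read a list of filenames from \fIfile\fR." and does not document the list format (one filename per line? are blank lines or comments allowed? are relative paths resolved against the current directory?) or whether `-V` and `-r` may be combined. The DESCRIPTION change in `@@ -127,8 +147,10 @@` points readers here for "a list of saved packet files", so the format belongs in this entry.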
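Review bot: in the `@@ -1373,39 +1521,45 @@` hunk the prose still counts "first line", "second line", "third line", "fourth line", but the reworked sample now wraps each request and reply over two physical lines (`NFS request xid 26377` followed by `112 readlink fh ...`), so the numbering no longer matches what the reader sees; "first request", "its reply" and so on would be unambiguous. Minor: "asks ... to lookup the name" should be "look up" (verb), and "the contents of the link" could note the `"../var"` value shown in the sample.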
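Review bot: in the `@@ -1491,11 +1645,11 @@` hunk the "the the" typo is fixed in two paragraphs that both begin "If the -v flag is given twice" and list nearly the same items (RX call ID, serial number, packet flags); since this change touches both, consider merging them into one paragraph so the MTU negotiation sentence and the call number/sequence number items are stated once.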