X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/37214e1cda9ed3ae0d1597373c304ca024ad462e..d75ee07998ef8ac0fc1a9a6beea2e15a3ca1f726:/tcpdump.1 diff --git a/tcpdump.1 b/tcpdump.1 index 8587a5cf..077534d4 100644 --- a/tcpdump.1 +++ b/tcpdump.1 @@ -1,4 +1,4 @@ -.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.137 2003-01-16 07:59:45 guy Exp $ (LBL) +.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 .\" The Regents of the University of California. All rights reserved. @@ -20,14 +20,14 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "21 December 2002" +.TH TCPDUMP 1 "1 July 2003" .SH NAME tcpdump \- dump traffic on a network .SH SYNOPSIS .na .B tcpdump [ -.B \-aAdDeflLnNOpqRStuUvxX +.B \-AdDeflLnNOpqRStuUvxX ] [ .B \-c .I count @@ -73,8 +73,10 @@ tcpdump \- dump traffic on a network .ti +8 [ .B \-E -.I algo:secret +.I spi@ipaddr algo:secret,... ] +.br +.ti +8 [ .B \-y .I datalinktype @@ -174,7 +176,14 @@ must be installed setuid to root. .B Under Linux: You must be root or .I tcpdump -must be installed setuid to root. +must be installed setuid to root (unless your distribution has a kernel +that supports capability bits such as CAP_NET_RAW and code to allow +those capability bits to be given to particular accounts and to cause +those bits to be set on a user's initial processes when they log in, in +which case you must have CAP_NET_RAW in order to capture and +CAP_NET_ADMIN to enumerate network devices with, for example, the +.B \-D +flag). .TP .B Under Ultrix and Digital UNIX/Tru64 UNIX: Any user may capture network traffic with 
@@ -193,9 +202,15 @@ packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface. .TP -.B Under BSD: +.B Under BSD (this includes Mac OS X): You must have read access to .IR /dev/bpf* . +On BSDs with a devfs (this includes Mac OS X), this might involve more +than just having somebody with super-user access setting the ownership +or permissions on the BPF devices - it might involve configuring devfs +to set the ownership or permissions every time the system is booted, +if the system even supports that; if it doesn't support that, you might +have to find some other way to make that happen at boot time. .LP Reading a saved packet file doesn't require special privileges. .SH OPTIONS @@ -204,9 +219,6 @@ Reading a saved packet file doesn't require special privileges. Print each packet (minus its link level header) in ASCII. Handy for capturing web pages. .TP -.B \-a -Attempt to convert network and broadcast addresses to names. -.TP .B \-c Exit after receiving \fIcount\fP packets. .TP @@ -263,7 +275,12 @@ function. Print the link-level header on each dump line. .TP .B \-E -Use \fIalgo:secret\fP for decrypting IPsec ESP packets. +Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that +are addressed to \fIaddr\fP and contain Security Parameter Index value +\fIspi\fP. This combination may be repeated with comma or newline seperation. +.IP +Note that setting the secret for IPv4 ESP packets is supported at this time. +.IP Algorithms may be \fBdes-cbc\fP, \fB3des-cbc\fP, 
@@ -274,15 +291,22 @@ Algorithms may be The default is \fBdes-cbc\fP. The ability to decrypt packets is only present if \fItcpdump\fP was compiled with cryptography enabled. -\fIsecret\fP the ASCII text for ESP secret key. -We cannot take arbitrary binary value at this moment. +.IP +\fIsecret\fP is the ASCII text for ESP secret key. +If preceeded by 0x, then a hex value will be read. +.IP The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and -the use of this option with truly `secret' key is discouraged. +the use of this option with a true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via .IR ps (1) and other occasions. +.IP +In addition to the above syntax, the syntax \fIfile name\fP may be used +to have tcpdump read the provided file in. The file is opened upon +receiving the first ESP packet, so any special permissions that tcpdump +may have been given should already have been given up. .TP .B \-f Print `foreign' IPv4 addresses numerically rather than symbolically @@ -407,6 +431,7 @@ Currently known types are \fBrtp\fR (Real-Time Applications protocol), \fBrtcp\fR (Real-Time Applications control protocol), \fBsnmp\fR (Simple Network Management Protocol), +\fBtftp\fR (Trivial File Transfer Protocol), \fBvat\fR (Visual Audio Tool), and \fBwb\fR (distributed White Board). @@ -538,7 +563,8 @@ If there is no dir qualifier, .B "src or dst" is assumed. -For `null' link layers (i.e. point to point protocols such as slip) the +For some link layers, such as SLIP and the ``cooked'' Linux capture mode +used for the ``any'' device and for some other device types, the .B inbound and .B outbound 
@@ -802,7 +828,7 @@ SSAP (Source Service Access Point) fields of the LLC header; .TP \fIatalk\fP \fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007 -and the Appletalk etype. +and the AppleTalk etype. .RE .IP In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field @@ -814,11 +840,11 @@ for most of those protocols. The exceptions are: it does for FDDI, Token Ring, and 802.11; .TP \fBatalk\fP -\fItcpdump\fR checks both for the Appletalk etype in an Ethernet frame and +\fItcpdump\fR checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; .TP \fBaarp\fP -\fItcpdump\fR checks for the Appletalk ARP etype in either an Ethernet +\fItcpdump\fR checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000; .TP \fBipx\fP 
@@ -839,6 +865,42 @@ True if the DECNET destination address is .IP "\fBdecnet host \fIhost\fR" True if either the DECNET source or destination address is .IR host . +.IP "\fBifname \fIinterface\fR" +True if the packet was logged as coming from the specified interface (applies +only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBon \fIinterface\fR" +Synonymous with the +.B ifname +modifier. +.IP "\fBrnr \fInum\fR" +True if the packet was logged as matching the specified PF rule number +(applies only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBrulenum \fInum\fR" +Synonomous with the +.B rnr +modifier. +.IP "\fBreason \fIcode\fR" +True if the packet was logged with the specified PF reason code. The known +codes are: +.BR match , +.BR bad-offset , +.BR fragment , +.BR short , +.BR normalize , +and +.B memory +(applies only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBaction \fIact\fR" +True if PF took the specified action when the packet was logged. Known actions +are: +.B pass +and +.B block +(applies only to packets logged by OpenBSD's +.BR pf(4)). .IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP" Abbreviations for: .in +.5i @@ -990,7 +1052,7 @@ The following ICMP type field values are available: \fBicmp-echoreply\fP, \fBicmp-maskreq\fP, \fBicmp-maskreply\fP. The following TCP flags field values are available: \fBtcp-fin\fP, -\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, \fBtcp-push\fP, +\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, \fBtcp-ack\fP, \fBtcp-urg\fP. .LP Primitives may be combined using: 
@@ -1260,7 +1322,8 @@ The general format of a tcp protocol line is: \fISrc\fP and \fIdst\fP are the source and destination IP addresses and ports. \fIFlags\fP are some combination of S (SYN), -F (FIN), P (PUSH) or R (RST) or a single `.' (no flags). +F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single +`.' (no flags). \fIData-seqno\fP describes the portion of sequence space covered by the data in this packet (see example below). \fIAck\fP is sequence number of the next data expected the other @@ -1668,10 +1731,10 @@ gory details. If you are decoding SMB sessions containing unicode strings then you may wish to set the environment variable USE_UNICODE to 1. A patch to -auto-detect unicode srings would be welcome. +auto-detect unicode strings would be welcome. For information on SMB packet formats and what all te fields mean see -www.cifs.org or the pub/samba/specs/ directory on your favourite +www.cifs.org or the pub/samba/specs/ directory on your favorite samba.org mirror site. The SMB patches were written by Andrew Tridgell (tridge@samba.org). @@ -1829,9 +1892,9 @@ follow the corresponding request, it might not be parsable. .HD -KIP Appletalk (DDP in UDP) +KIP AppleTalk (DDP in UDP) .LP -Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated +AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file @@ -1861,7 +1924,7 @@ The file may contain blank lines or comment lines (lines starting with a `#'). .LP -Appletalk addresses are printed in the form +AppleTalk addresses are printed in the form .RS .nf .sp .5 
@@ -1887,7 +1950,7 @@ the broadcast address (255) is indicated by a net name with no host number \- for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names). .LP -NBP (name binding protocol) and ATP (Appletalk transaction protocol) +NBP (name binding protocol) and ATP (AppleTalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the
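Review bot: the first hunk (`@@ -1,4 +1,4 @@`) replaces the repository's own `$Header:` identification line with `$NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $`, which looks like an artifact of merging from the NetBSD copy of the page rather than an intended change; keep the tcpdump id line (or drop the keyword line altogether) rather than carrying another project's RCS id at the top of this file.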
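Review bot: the new `-E` argument in the SYNOPSIS hunk (`@@ -73,8 +73,10 @@`), `spi@ipaddr algo:secret,...`, contains a space, so it only reaches tcpdump as one argument if the user quotes it on the command line; the SYNOPSIS cannot show that, so the `-E` description should say the argument must be quoted.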
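Review bot: in the `Under Linux:` hunk (`@@ -174,7 +176,14 @@`) the added parenthetical is a single seven-line sentence; end the first sentence after "setuid to root" and state the capability case on its own, e.g. "On distributions whose kernel supports capability bits such as CAP_NET_RAW and can grant them to particular accounts, you need CAP_NET_RAW to capture and CAP_NET_ADMIN to enumerate network devices with, for example, the -D flag." Same content, much easier to read in a man page.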
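Review bot: the devfs paragraph in the `Under BSD` hunk (`@@ -193,9 +202,15 @@`) hedges three times ("might involve", "if the system even supports that", "you might have to find some other way") without telling the reader what to do; state the two cases plainly: without devfs, the super-user sets ownership or permissions on /dev/bpf* once; with devfs, those settings do not survive a reboot and have to be applied through the devfs configuration or a boot-time script. Also write the dash in "BPF devices - it might involve" as `\-`, as the rest of the page does (e.g. "tcpdump \- dump traffic").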
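Review bot: removing the `-a` entry (`@@ -204,9 +219,6 @@`) matches the SYNOPSIS change, but the hunk gives no hint that the flag itself is gone; a one-line note in the commit message or CHANGES would help users whose scripts still pass `-a`, and the remaining option text (not in this diff) should be checked for references to `-a`.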
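Review bot: in the `-E` hunk (`@@ -263,7 +275,12 @@`) the argument is introduced as `spi@ipaddr algo:secret` but the next line describes packets "addressed to \fIaddr\fP"; use the same placeholder (`ipaddr`) in both places. "seperation" should be "separation". The added line "Note that setting the secret for IPv4 ESP packets is supported at this time" reads like a restriction but does not say what is excluded; if IPv6 ESP is not yet supported, say so directly ("Only IPv4 ESP packets are supported at this time").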
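Review bot: in the `secret` hunk (`@@ -274,15 +291,22 @@`) "preceeded" should be "preceded", and the new `file name` syntax is ambiguous as set: it is not clear whether `file` is a literal keyword followed by a path or both words are placeholders; mark the literal part bold and the placeholder italic (e.g. `\fBfile\fP \fIname\fP`, if that is the intended form) and say what the file contains (one `spi@ipaddr algo:secret` entry per line, if so). The paragraph just above warns that a key on the command line is visible via ps(1); say here that the file form is the way to avoid that, and add that the file must be readable by the account tcpdump runs as after dropping privileges, so it should be owned by that user with restrictive permissions rather than world-readable.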
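Review bot: in the pf primitives hunk (`@@ -839,6 +865,42 @@`) the `action` entry ends with `.BR pf(4)).` with no space, so `.BR` gets a single argument and renders "pf(4))" entirely bold, unlike the `ifname`, `rnr` and `reason` entries which use `.BR pf (4)).`; make it `.BR pf (4)).`. "Synonomous" in the `rulenum` entry should be "Synonymous" (the `on` entry has it right). The qualifier "(applies only to packets logged by OpenBSD's pf(4))" is repeated four times; one introductory sentence before the group would do.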
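Review bot: in the TCP output hunk (`@@ -1260,7 +1322,8 @@`) the two new flags are named inconsistently, "W (ECN CWR)" versus "E (ECN-Echo)"; pick one form ("ECN CWR" and "ECN Echo", or hyphenate both).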
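Review bot: in the SMB hunk (`@@ -1668,10 +1731,10 @@`) the unchanged context line "For information on SMB packet formats and what all te fields mean see" still has "te" for "the"; since this hunk already corrects "srings" and "favourite" in the same paragraph, fix that typo as well.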