X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/8e2928b38da4fd9414338118b99df849ce1ca47e..d75ee07998ef8ac0fc1a9a6beea2e15a3ca1f726:/tcpdump.1 diff --git a/tcpdump.1 b/tcpdump.1 index 95d20bd3..077534d4 100644 --- a/tcpdump.1 +++ b/tcpdump.1 @@ -1,4 +1,4 @@ -.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.128 2002-08-08 08:48:11 guy Exp $ (LBL) +.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $ .\" .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 .\" The Regents of the University of California. All rights reserved. @@ -20,14 +20,14 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "8 August 2002" +.TH TCPDUMP 1 "1 July 2003" .SH NAME tcpdump \- dump traffic on a network .SH SYNOPSIS .na .B tcpdump [ -.B \-aAdDeflnNOpqRStuvxX +.B \-AdDeflLnNOpqRStuUvxX ] [ .B \-c .I count @@ -73,8 +73,15 @@ tcpdump \- dump traffic on a network .ti +8 [ .B \-E -.I algo:secret +.I spi@ipaddr algo:secret,... ] +.br +.ti +8 +[ +.B \-y +.I datalinktype +] +.ti +8 [ .I expression ] @@ -169,7 +176,14 @@ must be installed setuid to root. .B Under Linux: You must be root or .I tcpdump -must be installed setuid to root. +must be installed setuid to root (unless your distribution has a kernel +that supports capability bits such as CAP_NET_RAW and code to allow +those capability bits to be given to particular accounts and to cause +those bits to be set on a user's initial processes when they log in, in +which case you must have CAP_NET_RAW in order to capture and +CAP_NET_ADMIN to enumerate network devices with, for example, the +.B \-D +flag). .TP .B Under Ultrix and Digital UNIX/Tru64 UNIX: Any user may capture network traffic with 
@@ -188,21 +202,23 @@ packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface. .TP -.B Under BSD: +.B Under BSD (this includes Mac OS X): You must have read access to .IR /dev/bpf* . +On BSDs with a devfs (this includes Mac OS X), this might involve more +than just having somebody with super-user access setting the ownership +or permissions on the BPF devices - it might involve configuring devfs +to set the ownership or permissions every time the system is booted, +if the system even supports that; if it doesn't support that, you might +have to find some other way to make that happen at boot time. .LP Reading a saved packet file doesn't require special privileges. .SH OPTIONS .TP -.TP .B \-A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages. .TP -.B \-a -Attempt to convert network and broadcast addresses to names. -.TP .B \-c Exit after receiving \fIcount\fP packets. .TP @@ -259,7 +275,12 @@ function. Print the link-level header on each dump line. .TP .B \-E -Use \fIalgo:secret\fP for decrypting IPsec ESP packets. +Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that +are addressed to \fIaddr\fP and contain Security Parameter Index value +\fIspi\fP. This combination may be repeated with comma or newline seperation. +.IP +Note that setting the secret for IPv4 ESP packets is supported at this time. +.IP Algorithms may be \fBdes-cbc\fP, \fB3des-cbc\fP, 
@@ -270,21 +291,36 @@ Algorithms may be The default is \fBdes-cbc\fP. The ability to decrypt packets is only present if \fItcpdump\fP was compiled with cryptography enabled. -\fIsecret\fP the ASCII text for ESP secret key. -We cannot take arbitrary binary value at this moment. +.IP +\fIsecret\fP is the ASCII text for ESP secret key. +If preceeded by 0x, then a hex value will be read. +.IP The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and -the use of this option with truly `secret' key is discouraged. +the use of this option with a true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via .IR ps (1) and other occasions. +.IP +In addition to the above syntax, the syntax \fIfile name\fP may be used +to have tcpdump read the provided file in. The file is opened upon +receiving the first ESP packet, so any special permissions that tcpdump +may have been given should already have been given up. .TP .B \-f -Print `foreign' internet addresses numerically rather than symbolically +Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in -Sun's yp server \(em usually it hangs forever translating non-local +Sun's NIS server \(em usually it hangs forever translating non-local internet numbers). +.IP +The test for `foreign' IPv4 addresses is done using the IPv4 address and +netmask of the interface on which capture is being done. If that +address or netmask are not available, available, either because the +interface on which capture is being done has no address or netmask or +because the capture is being done on the Linux "any" interface, which +can capture on more than one interface, this option will not work +correctly. .TP .B \-F Use \fIfile\fP as input for the filter expression. 
@@ -318,6 +354,9 @@ E.g., ``tcpdump\ \ \-l\ \ |\ \ tee dat'' or ``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. .TP +.B \-L +List the known data link types for the interface and exit. +.TP .B \-m Load SMI MIB module definitions from file \fImodule\fR. This option @@ -356,7 +395,9 @@ Since there is no protocol version field in ESP/AH specification, \fItcpdump\fP cannot deduce the version of ESP/AH protocol. .TP .B \-r -Read packets from \fIfile\fR (which was created with the -w option). +Read packets from \fIfile\fR (which was created with the +.B \-w +option). Standard input is used if \fIfile\fR is ``-''. .TP .B \-S @@ -390,6 +431,7 @@ Currently known types are \fBrtp\fR (Real-Time Applications protocol), \fBrtcp\fR (Real-Time Applications control protocol), \fBsnmp\fR (Simple Network Management Protocol), +\fBtftp\fR (Trivial File Transfer Protocol), \fBvat\fR (Visual Audio Tool), and \fBwb\fR (distributed White Board). @@ -410,6 +452,23 @@ Print a timestamp in default format proceeded by date on each dump line. .B \-u Print undecoded NFS handles. .TP +.B \-U +Make output saved via the +.B \-w +option ``packet-buffered''; i.e., as each packet is saved, it will be +written to the output file, rather than being written only when the +output buffer fills. +.IP +The +.B \-U +flag will not be supported if +.I tcpdump +was built with an older version of +.I libpcap +that lacks the +.B pcap_dump_flush() +function. +.TP .B \-v (Slightly more) verbose output. For example, the time to live, @@ -429,7 +488,7 @@ telnet \fBSB\fP ... \fBSE\fP options are printed in full. With .B \-X -telnet options are printed in hex as well. +Telnet options are printed in hex as well. .TP .B \-w Write the raw packets to \fIfile\fR rather than parsing and printing 
@@ -446,16 +505,22 @@ packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding. .TP +.B \-xx +Print each packet, +.I including +its link level header, in hex. +.TP .B \-X -When printing hex, print ASCII too. -Thus if -.B \-x -is also set, the packet is printed in hex/ASCII. +Print each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols. -Even if -.B \-x -is not also set, some parts of some packets may be printed -in hex/ASCII. +.TP +.B \-XX +Print each packet, +.I including +its link level header, in hex and ASCII. +.TP +.B \-y +Set the data link type to use while capturing packets to \fIdatalinktype\fP. .IP "\fI expression\fP" .RS selects which packets will be dumped. @@ -498,7 +563,8 @@ If there is no dir qualifier, .B "src or dst" is assumed. -For `null' link layers (i.e. point to point protocols such as slip) the +For some link layers, such as SLIP and the ``cooked'' Linux capture mode +used for the ``any'' device and for some other device types, the .B inbound and .B outbound 
@@ -710,10 +776,16 @@ True if the packet is an ethernet broadcast packet. The \fIether\fP keyword is optional. .IP "\fBip broadcast\fR" -True if the packet is an IP broadcast packet. -It checks for both -the all-zeroes and all-ones broadcast conventions, and looks up -the local subnet mask. +True if the packet is an IPv4 broadcast packet. +It checks for both the all-zeroes and all-ones broadcast conventions, +and looks up the subnet mask on the interface on which the capture is +being done. +.IP +If the subnet mask of the interface on which the capture is being done +is not available, either because the interface on which capture is being +done has no netmask or because the capture is being done on the Linux +"any" interface, which can capture on more than one interface, this +check will not work correctly. .IP "\fBether multicast\fR" True if the packet is an ethernet multicast packet. The \fIether\fP @@ -756,7 +828,7 @@ SSAP (Source Service Access Point) fields of the LLC header; .TP \fIatalk\fP \fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007 -and the Appletalk etype. +and the AppleTalk etype. .RE .IP In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field @@ -768,11 +840,11 @@ for most of those protocols. The exceptions are: it does for FDDI, Token Ring, and 802.11; .TP \fBatalk\fP -\fItcpdump\fR checks both for the Appletalk etype in an Ethernet frame and +\fItcpdump\fR checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11; .TP \fBaarp\fP -\fItcpdump\fR checks for the Appletalk ARP etype in either an Ethernet +\fItcpdump\fR checks for the AppleTalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000; .TP \fBipx\fP 
@@ -793,6 +865,42 @@ True if the DECNET destination address is .IP "\fBdecnet host \fIhost\fR" True if either the DECNET source or destination address is .IR host . +.IP "\fBifname \fIinterface\fR" +True if the packet was logged as coming from the specified interface (applies +only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBon \fIinterface\fR" +Synonymous with the +.B ifname +modifier. +.IP "\fBrnr \fInum\fR" +True if the packet was logged as matching the specified PF rule number +(applies only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBrulenum \fInum\fR" +Synonomous with the +.B rnr +modifier. +.IP "\fBreason \fIcode\fR" +True if the packet was logged with the specified PF reason code. The known +codes are: +.BR match , +.BR bad-offset , +.BR fragment , +.BR short , +.BR normalize , +and +.B memory +(applies only to packets logged by OpenBSD's +.BR pf (4)). +.IP "\fBaction \fIact\fR" +True if PF took the specified action when the packet was logged. Known actions +are: +.B pass +and +.B block +(applies only to packets logged by OpenBSD's +.BR pf(4)). .IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP" Abbreviations for: .in +.5i @@ -838,7 +946,8 @@ Abbreviations for: .fi .in -.5i where \fIp\fR is one of the above protocols. -Note that \fItcpdump\fR does an incomplete job of parsing these protocols. +.IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR" +Abbreviations for IS-IS PDU types. .IP "\fBvpi\fP \fIn\fR True if the packet is an ATM packet, for SunATM on Solaris, with a virtual path identifier of 
@@ -850,6 +959,12 @@ virtual channel identifier of .IP \fBlane\fP True if the packet is an ATM packet, for SunATM on Solaris, and is an ATM LANE packet. +Note that the first \fBlane\fR keyword encountered in \fIexpression\fR +changes the tests done in the remainder of \fIexpression\fR +on the assumption that the packet is either a LANE emulated Ethernet +packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the +tests are done under the assumption that the packet is an +LLC-encapsulated packet. .IP \fBllc\fP True if the packet is an ATM packet, for SunATM on Solaris, and is an LLC-encapsulated packet. @@ -937,7 +1052,7 @@ The following ICMP type field values are available: \fBicmp-echoreply\fP, \fBicmp-maskreq\fP, \fBicmp-maskreply\fP. The following TCP flags field values are available: \fBtcp-fin\fP, -\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, \fBtcp-push\fP, +\fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP, \fBtcp-ack\fP, \fBtcp-urg\fP. .LP Primitives may be combined using: @@ -1207,7 +1322,8 @@ The general format of a tcp protocol line is: \fISrc\fP and \fIdst\fP are the source and destination IP addresses and ports. \fIFlags\fP are some combination of S (SYN), -F (FIN), P (PUSH) or R (RST) or a single `.' (no flags). +F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single +`.' (no flags). \fIData-seqno\fP describes the portion of sequence space covered by the data in this packet (see example below). \fIAck\fP is sequence number of the next data expected the other 
@@ -1615,10 +1731,10 @@ gory details. If you are decoding SMB sessions containing unicode strings then you may wish to set the environment variable USE_UNICODE to 1. A patch to -auto-detect unicode srings would be welcome. +auto-detect unicode strings would be welcome. For information on SMB packet formats and what all te fields mean see -www.cifs.org or the pub/samba/specs/ directory on your favourite +www.cifs.org or the pub/samba/specs/ directory on your favorite samba.org mirror site. The SMB patches were written by Andrew Tridgell (tridge@samba.org). @@ -1776,9 +1892,9 @@ follow the corresponding request, it might not be parsable. .HD -KIP Appletalk (DDP in UDP) +KIP AppleTalk (DDP in UDP) .LP -Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated +AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file @@ -1808,7 +1924,7 @@ The file may contain blank lines or comment lines (lines starting with a `#'). .LP -Appletalk addresses are printed in the form +AppleTalk addresses are printed in the form .RS .nf .sp .5 @@ -1834,7 +1950,7 @@ the broadcast address (255) is indicated by a net name with no host number \- for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names). .LP -NBP (name binding protocol) and ATP (Appletalk transaction protocol) +NBP (name binding protocol) and ATP (AppleTalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the
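Review bot: the new parenthetical in the Linux paragraph of the @@ -169,7 +176,14 @@ hunk (`must be installed setuid to root (unless your distribution has a kernel ...`) is a single seven-line sentence that is hard to follow; suggest closing the parenthesis after `setuid to root` and stating the capability case as its own sentence, e.g. `On kernels that support capability bits, you instead need CAP_NET_RAW to capture and CAP_NET_ADMIN to enumerate network devices with, for example, the` followed by `.B \-D` on its own line, as the surrounding entries do.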
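Review bot: the devfs sentence added in the @@ -188,21 +202,23 @@ hunk (`this might involve more than just having somebody ... - it might involve configuring devfs ...`) is one six-line sentence joined by a bare ` - `; the rest of this page uses `\(em` for a dash (see `Sun's NIS server \(em usually it hangs`), so either use `\(em` here or, better, split it into two sentences at that point.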
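Review bot: in the @@ -259,7 +275,12 @@ hunk the argument is introduced as `\fIspi@ipaddr algo:secret\fP` but the next line refers to `\fIaddr\fP`; use the same name (`ipaddr`) in both places so the reader can match them. Also `seperation` should be `separation`, and `Note that setting the secret for IPv4 ESP packets is supported at this time` reads as if IPv4 were the new feature; if the intent is that only IPv4 is handled, say `Note that only IPv4 ESP packets are supported at this time.`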
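Review bot: in the @@ -270,21 +291,36 @@ hunk `preceeded` should be `preceded`, and the new \-f paragraph reads `If that address or netmask are not available, available, either because`, repeating `available`. In the `\fIfile name\fP` sentence both words are italic, which hides that `file` is a literal keyword and only the name varies; suggest marking `file` bold and `name` italic, in the style the other option arguments use. The sentence about special permissions having already been given up when the file is opened is the security-relevant point of that paragraph; it would be clearer to state the consequence directly, i.e. that the secret file is opened with the invoking user's permissions, not root's.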
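Review bot: the new \-y entry in the @@ -446,16 +505,22 @@ hunk does not say where valid `\fIdatalinktype\fP` values come from; suggest one sentence pointing at the \-L option this patch adds (`List the known data link types for the interface and exit`), so the two options are documented together.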
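Review bot: the paragraph added to `ip broadcast` in the @@ -710,10 +776,16 @@ hunk (netmask not available because the interface has none or because capture is on the Linux "any" interface) duplicates the paragraph added to \-f in the @@ -270,21 +291,36 @@ hunk almost word for word; consider stating it once and cross-referencing, or at least keeping the two wordings identical so a later fix applies to both.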
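Review bot: in the @@ -793,6 +865,42 @@ hunk `Synonomous` in the `rulenum` entry should be `Synonymous` (the `on` entry spells it correctly), and the last entry uses `.BR pf(4)` without the space the other four entries use (`.BR pf (4)`), so the section number will render bold there instead of roman.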
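Review bot: the new IS-IS entry in the @@ -838,7 +946,8 @@ hunk says only `Abbreviations for IS-IS PDU types`, while the entry just above spells out what each abbreviation expands to (`ether proto \fIp\fR`); a comparable expansion would make the `l1`, `l2`, `iih`, `lsp`, `snp`, `csnp` and `psnp` keywords usable from the man page alone. The same hunk drops `Note that \fItcpdump\fR does an incomplete job of parsing these protocols.` without replacement; if that caveat no longer holds, the commit message should say so.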
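Review bot: the context line `For information on SMB packet formats and what all te fields mean see` in the @@ -1615,10 +1731,10 @@ hunk still has `te` for `the`; since this hunk already fixes the neighbouring spellings (`srings`, `favourite`), fix that one too.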