X-Git-Url: https://git.tcpdump.org/tcpdump/blobdiff_plain/fc7b8aeb5e40fc50c68624e12069f5ba7bd9ae2c..486704db7c840dcfb51f70f1812d9c3ad37ad39c:/tcpdump.1.in diff --git a/tcpdump.1.in b/tcpdump.1.in index 3cceb468..ebf50ab6 100644 --- a/tcpdump.1.in +++ b/tcpdump.1.in @@ -20,18 +20,21 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "6 May 2014" +.TH TCPDUMP 1 "11 July 2014" .SH NAME tcpdump \- dump traffic on a network .SH SYNOPSIS .na .B tcpdump [ -.B \-AbdDefhHIJKlLnNOpqRStuUvxX +.B \-AbdDefhHIJKlLnNOpqRStuUvxX# ] [ .B \-B .I buffer_size -] [ +] +.br +.ti +8 +[ .B \-c .I count ] @@ -123,8 +126,16 @@ tcpdump \- dump traffic on a network ] .ti +8 [ +.BI \-\-time\-stamp\-precision= tstamp_precision +] +.ti +8 +[ +.B \-\-immediate\-mode +] +[ .B \-\-version ] +.ti +8 [ .I expression ] @@ -133,7 +144,9 @@ tcpdump \- dump traffic on a network .SH DESCRIPTION .LP \fITcpdump\fP prints out a description of the contents of packets on a -network interface that match the boolean \fIexpression\fP. It can also +network interface that match the boolean \fIexpression\fP; the +description is preceded by a time stamp, printed, by default, as hours, +minutes, seconds, and fractions of a second since midnight. It can also be run with the .B \-w flag, which causes it to save the packet data to a file for later @@ -197,7 +210,9 @@ your ``status'' character, typically control-T, although on some platforms, such as Mac OS X, the ``status'' character is not set by default, so you must set it with .BR stty (1) -in order to use it) and will continue capturing packets. +in order to use it) and will continue capturing packets. On platforms that +do not support the SIGINFO signal, the same can be achieved by using the +SIGUSR1 signal. .LP Reading packets from a network interface may require that you have special privileges; see the @@ -412,6 +427,13 @@ monitor mode will be shown; if is specified, only those link-layer types available when in monitor mode will be shown. .TP +.BI \-\-immediate\-mode +Capture in "immediate mode". In this mode, packets are delivered to +tcpdump as soon as they arrive, rather than being buffered for +efficiency. This is the default when printing packets rather than +saving packets to a ``savefile'' if the packets are being printed to a +terminal rather than to a file or pipe. +.TP .BI \-j " tstamp_type" .PD 0 .TP @@ -433,13 +455,23 @@ time stamp type cannot be set for the interface, no time stamp types are listed. .TP .BI \-\-time\-stamp\-precision= tstamp_precision -.PD -Set the time stamp precision for the capture to -\fItstamp_precision\fP. Currently supported are microseconds and -nanoseconds. Note that availability of high precision time stamps (nanoseconds) -and their actual accuracy is platform and HW dependent. Also note that when -writing captures to the savefile, distinct magic number is used to distinguish -savefiles which contains time stamps in nanoseconds. +When capturing, set the time stamp precision for the capture to +\fItstamp_precision\fP. Note that availability of high precision time +stamps (nanoseconds) and their actual accuracy is platform and hardware +dependent. Also note that when writing captures made with nanosecond +accuracy to a savefile, the time stamps are written with nanosecond +resolution, and the file is written with a different magic number, to +indicate that the time stamps are in seconds and nanoseconds; not all +programs that read pcap savefiles will be able to read those captures. +.LP +When reading a savefile, convert time stamps to the precision specified +by \fItimestamp_precision\fP, and display them with that resolution. If +the precision specified is less than the precision of time stamps in the +file, the conversion will lose precision. +.LP +The supported values for \fItimestamp_precision\fP are \fBmicro\fP for +microsecond resolution and \fBnano\fP for nanosecond resolution. The +default is microsecond resolution. .TP .B \-K .PD 0 @@ -520,7 +552,11 @@ E.g., if you give this flag then \fItcpdump\fP will print ``nic'' instead of ``nic.ddn.mil''. .TP +.B \-# +.PD 0 +.TP .B \-\-number +.PD Print an optional packet number at the beginning of the line. .TP .B \-O @@ -634,14 +670,16 @@ an encapsulated PGM packet. \fIDon't\fP print a timestamp on each dump line. .TP .B \-tt -Print an unformatted timestamp on each dump line. +Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and +fractions of a second since that time, on each dump line. .TP .B \-ttt Print a delta (micro-second resolution) between current and previous line on each dump line. .TP .B \-tttt -Print a timestamp in default format proceeded by date on each dump line. +Print a timestamp, as hours, minutes, seconds, and fractions of a second +since midnight, preceded by the date, on each dump line. .TP .B \-ttttt Print a delta (micro-second resolution) between current and first line @@ -1844,11 +1882,15 @@ is the current clock time in the form .fi .RE and is as accurate as the kernel's clock. -The timestamp reflects the time the kernel first saw the packet. -No attempt -is made to account for the time lag between when the -Ethernet interface removed the packet from the wire and when the kernel -serviced the `new packet' interrupt. +The timestamp reflects the time the kernel applied a time stamp to the packet. +No attempt is made to account for the time lag between when the network +interface finished receiving the packet from the network and when the +kernel applied a time stamp to the packet; that time lag could include a +delay between the time when the network interface finished receiving a +packet from the network and the time when an interrupt was delivered to +the kernel to get it to read the packet and a delay between the time +when the kernel serviced the `new packet' interrupt and the time when it +applied a time stamp to the packet. .SH "SEE ALSO" stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(@MAN_FILE_FORMATS@), pcap-filter(@MAN_MISC_INFO@), pcap-tstamp(@MAN_MISC_INFO@)