-.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.163 2004-06-12 08:51:23 guy Exp $ (LBL)
+.\" @(#) $Header: /tcpdump/master/tcpdump/Attic/tcpdump.1,v 1.164 2004-09-24 01:14:20 guy Exp $ (LBL)
.\"
.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
If \fIhost\fR is a name with multiple IP addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP
-True if the ethernet destination address is \fIehost\fP.
+True if the Ethernet destination address is \fIehost\fP.
\fIEhost\fP
may be either a name from /etc/ethers or a number (see
.IR ethers (3N)
for numeric format).
.IP "\fBether src \fIehost\fP
-True if the ethernet source address is \fIehost\fP.
+True if the Ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
-True if either the ethernet source or destination address is \fIehost\fP.
+True if either the Ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the packet used \fIhost\fP as a gateway.
-I.e., the ethernet
+I.e., the Ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP.
\fIHost\fP must be a name and
.IR ip (4P))
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
-\fIicmp\fP, \fIicmp6\fP, \fIigmp\fP, \fIigrp\fP, \fIpim\fP, \fIah\fP,
-\fIesp\fP, \fIvrrp\fP, \fIudp\fP, or \fItcp\fP.
-Note that the identifiers \fItcp\fP, \fIudp\fP, and \fIicmp\fP are also
+\fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP,
+\fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP.
+Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also
keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell.
Note that this primitive does not chase the protocol header chain.
.IP "\fBip6 proto \fIprotocol\fR"
.IP "\fBip protochain \fIprotocol\fR"
Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4.
.IP "\fBether broadcast\fR"
-True if the packet is an ethernet broadcast packet.
+True if the packet is an Ethernet broadcast packet.
The \fIether\fP
keyword is optional.
.IP "\fBip broadcast\fR"
"any" interface, which can capture on more than one interface, this
check will not work correctly.
.IP "\fBether multicast\fR"
-True if the packet is an ethernet multicast packet.
-The \fIether\fP
+True if the packet is an Ethernet multicast packet.
+The \fBether\fP
keyword is optional.
This is shorthand for `\fBether[0] & 1 != 0\fP'.
.IP "\fBip multicast\fR"
.IP "\fBether proto \fIprotocol\fR"
True if the packet is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or one of the names
-\fIip\fP, \fIip6\fP, \fIarp\fP, \fIrarp\fP, \fIatalk\fP, \fIaarp\fP,
-\fIdecnet\fP, \fIsca\fP, \fIlat\fP, \fImopdl\fP, \fImoprc\fP,
-\fIiso\fP, \fIstp\fP, \fIipx\fP, or \fInetbeui\fP.
+\fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, \fBaarp\fP,
+\fBdecnet\fP, \fBsca\fP, \fBlat\fP, \fBmopdl\fP, \fBmoprc\fP,
+\fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
.IP
\fItcpdump\fR checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header;
.TP
-\fBstp\fP and \fInetbeui\fP
+\fBstp\fP and \fBnetbeui\fP
\fItcpdump\fR checks the DSAP of the LLC header;
.TP
-\fIatalk\fP
+\fBatalk\fP
\fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007
and the AppleTalk etype.
.RE
.IP "\fBiso proto \fIprotocol\fR"
True if the packet is an OSI packet of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
-\fIclnp\fP, \fIesis\fP, or \fIisis\fP.
+\fBclnp\fP, \fBesis\fP, or \fBisis\fP.
.IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR"
Abbreviations for:
.in +.5i
.LP
To print IP broadcast or multicast packets that were
.I not
-sent via ethernet broadcast or multicast:
+sent via Ethernet broadcast or multicast:
.RS
.nf
.B
Link Level Headers
.LP
If the '-e' option is given, the link level header is printed out.
-On ethernets, the source and destination addresses, protocol,
+On Ethernets, the source and destination addresses, protocol,
and packet length are printed.
.LP
On FDDI networks, the '-e' option causes \fItcpdump\fP to print
.fi
.RE
The first line says that rtsg sent an arp packet asking
-for the ethernet address of internet host csam.
+for the Ethernet address of internet host csam.
Csam
-replies with its ethernet address (in this example, ethernet addresses
+replies with its Ethernet address (in this example, Ethernet addresses
are in caps and internet addresses in lower case).
.LP
This would look less redundant if we had done \fItcpdump \-n\fP:
.sp .5
.fi
.RE
-For the first packet this says the ethernet source address is RTSG, the
-destination is the ethernet broadcast address, the type field
+For the first packet this says the Ethernet source address is RTSG, the
+destination is the Ethernet broadcast address, the type field
contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
.HD
TCP Packets
The timestamp reflects the time the kernel first saw the packet.
No attempt
is made to account for the time lag between when the
-ethernet interface removed the packet from the wire and when the kernel
+Ethernet interface removed the packet from the wire and when the kernel
serviced the `new packet' interrupt.
.SH "SEE ALSO"
stty(1), pcap(3), bpf(4), nit(4P), pfconfig(8)
projects / tcpdump / commitdiff
