tcpdump.1 (242485) tcpdump.1 (252283)
1.\" $FreeBSD: stable/9/usr.sbin/tcpdump/tcpdump/tcpdump.1 242485 2012-11-02 16:57:51Z delphij $
1.\" $FreeBSD: stable/9/usr.sbin/tcpdump/tcpdump/tcpdump.1 252283 2013-06-27 00:37:59Z delphij $
2.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
3.\"
4.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
5.\"
6.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
7.\" The Regents of the University of California. All rights reserved.
8.\" All rights reserved.
9.\"

--- 8 unchanged lines hidden (view full) ---

18.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
19.\" the University nor the names of its contributors may be used to endorse
20.\" or promote products derived from this software without specific prior
21.\" written permission.
22.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
23.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
24.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25.\"
2.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
3.\"
4.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
5.\"
6.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
7.\" The Regents of the University of California. All rights reserved.
8.\" All rights reserved.
9.\"

--- 8 unchanged lines hidden (view full) ---

18.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
19.\" the University nor the names of its contributors may be used to endorse
20.\" or promote products derived from this software without specific prior
21.\" written permission.
22.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
23.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
24.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25.\"
26.TH TCPDUMP 1 "05 March 2009"
26.TH TCPDUMP 1 "12 July 2012"
27.SH NAME
28tcpdump \- dump traffic on a network
29.SH SYNOPSIS
30.na
31.B tcpdump
32[
33.B \-AbdDefhHIJKlLnNOpqRStuUvxX
34] [

--- 35 unchanged lines hidden (view full) ---

70]
71.br
72.ti +8
73[
74.B \-r
75.I file
76]
77[
27.SH NAME
28tcpdump \- dump traffic on a network
29.SH SYNOPSIS
30.na
31.B tcpdump
32[
33.B \-AbdDefhHIJKlLnNOpqRStuUvxX
34] [

--- 35 unchanged lines hidden (view full) ---

70]
71.br
72.ti +8
73[
74.B \-r
75.I file
76]
77[
78.B \-V
79.I file
80]
81[
78.B \-s
79.I snaplen
80]
81[
82.B \-T
83.I type
84]
85[

--- 37 unchanged lines hidden (view full) ---

123\fITcpdump\fP prints out a description of the contents of packets on a
124network interface that match the boolean \fIexpression\fP. It can also
125be run with the
126.B \-w
127flag, which causes it to save the packet data to a file for later
128analysis, and/or with the
129.B \-r
130flag, which causes it to read from a saved packet file rather than to
82.B \-s
83.I snaplen
84]
85[
86.B \-T
87.I type
88]
89[

--- 37 unchanged lines hidden (view full) ---

127\fITcpdump\fP prints out a description of the contents of packets on a
128network interface that match the boolean \fIexpression\fP. It can also
129be run with the
130.B \-w
131flag, which causes it to save the packet data to a file for later
132analysis, and/or with the
133.B \-r
134flag, which causes it to read from a saved packet file rather than to
131read packets from a network interface. In all cases, only packets that
132match
135read packets from a network interface. It can also be run with the
136.B \-V
137flag, which causes it to read a list of saved packet files. In all cases,
138only packets that match
133.I expression
134will be processed by
135.IR tcpdump .
136.LP
137.I Tcpdump
138will, if not run with the
139.B \-c
140flag, continue capturing packets until it is interrupted by a SIGINT
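Review bot: The sentence added at new lines 135-138 says -V "causes it to read a list of saved packet files", which can be read as only the list being read, while the -V entry further down says the file holds filenames. Suggest wording along the lines of "read packets from the saved packet files named in a list", and stating whether -V may be combined with -r, since the two flags are now introduced back to back with the same "It can also be run with the" phrasing.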

--- 111 unchanged lines hidden (view full) ---

252.I tcpdump
253was built with an older version of
254.I libpcap
255that lacks the
256.B pcap_findalldevs()
257function.
258.TP
259.B \-e
139.I expression
140will be processed by
141.IR tcpdump .
142.LP
143.I Tcpdump
144will, if not run with the
145.B \-c
146flag, continue capturing packets until it is interrupted by a SIGINT

--- 111 unchanged lines hidden (view full) ---

258.I tcpdump
259was built with an older version of
260.I libpcap
261that lacks the
262.B pcap_findalldevs()
263function.
264.TP
265.B \-e
260Print the link-level header on each dump line.
266Print the link-level header on each dump line. This can be used, for
267example, to print MAC layer addresses for protocols such as Ethernet and
268IEEE 802.11.
261.TP
262.B \-E
263Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
264are addressed to \fIaddr\fP and contain Security Parameter Index value
265\fIspi\fP. This combination may be repeated with comma or newline separation.
266.IP
267Note that setting the secret for IPv4 ESP packets is supported at this time.
268.IP

--- 236 unchanged lines hidden (view full) ---

505for backwards compatibility with recent older versions of
506.IR tcpdump .
507.TP
508.B \-T
509Force packets selected by "\fIexpression\fP" to be interpreted the
510specified \fItype\fR.
511Currently known types are
512\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
269.TP
270.B \-E
271Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
272are addressed to \fIaddr\fP and contain Security Parameter Index value
273\fIspi\fP. This combination may be repeated with comma or newline separation.
274.IP
275Note that setting the secret for IPv4 ESP packets is supported at this time.
276.IP

--- 236 unchanged lines hidden (view full) ---

513for backwards compatibility with recent older versions of
514.IR tcpdump .
515.TP
516.B \-T
517Force packets selected by "\fIexpression\fP" to be interpreted the
518specified \fItype\fR.
519Currently known types are
520\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
521\fBcarp\fR (Common Address Redundancy Protocol),
513\fBcnfp\fR (Cisco NetFlow protocol),
522\fBcnfp\fR (Cisco NetFlow protocol),
523\fBradius\fR (RADIUS),
514\fBrpc\fR (Remote Procedure Call),
515\fBrtp\fR (Real-Time Applications protocol),
516\fBrtcp\fR (Real-Time Applications control protocol),
517\fBsnmp\fR (Simple Network Management Protocol),
518\fBtftp\fR (Trivial File Transfer Protocol),
519\fBvat\fR (Visual Audio Tool),
524\fBrpc\fR (Remote Procedure Call),
525\fBrtp\fR (Real-Time Applications protocol),
526\fBrtcp\fR (Real-Time Applications control protocol),
527\fBsnmp\fR (Simple Network Management Protocol),
528\fBtftp\fR (Trivial File Transfer Protocol),
529\fBvat\fR (Visual Audio Tool),
530\fBwb\fR (distributed White Board),
531\fBzmtp1\fR (ZeroMQ Message Transport Protocol 1.0)
520and
532and
521\fBwb\fR (distributed White Board).
533\fBvxlan\fR (Virtual eXtensible Local Area Network).
522.TP
523.B \-t
524\fIDon't\fP print a timestamp on each dump line.
525.TP
526.B \-tt
527Print an unformatted timestamp on each dump line.
528.TP
529.B \-ttt
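Review bot: In the -T type list, vxlan is appended after zmtp1 at new line 533, while the other types added here (carp, radius, zmtp1) were placed in alphabetical position. Suggest moving \fBvxlan\fR between vat and wb so the list ends with "and" before zmtp1. While this paragraph is being touched, the context line "to be interpreted the specified \fItype\fR" is missing "as".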

--- 56 unchanged lines hidden (view full) ---

586Even more verbose output.
587For example,
588telnet \fBSB\fP ... \fBSE\fP options
589are printed in full.
590With
591.B \-X
592Telnet options are printed in hex as well.
593.TP
534.TP
535.B \-t
536\fIDon't\fP print a timestamp on each dump line.
537.TP
538.B \-tt
539Print an unformatted timestamp on each dump line.
540.TP
541.B \-ttt

--- 56 unchanged lines hidden (view full) ---

598Even more verbose output.
599For example,
600telnet \fBSB\fP ... \fBSE\fP options
601are printed in full.
602With
603.B \-X
604Telnet options are printed in hex as well.
605.TP
606.B \-V
607Read a list of filenames from \fIfile\fR. Standard input is used
608if \fIfile\fR is ``-''.
609.TP
594.B \-w
595Write the raw packets to \fIfile\fR rather than parsing and printing
596them out.
597They can later be printed with the \-r option.
598Standard output is used if \fIfile\fR is ``-''.
599.IP
600This output will be buffered if written to a file or pipe, so a program
601reading from the file or pipe may not see packets for an arbitrary
602amount of time after they are received. Use the
603.B \-U
604flag to cause packets to be written as soon as they are received.
605.IP
610.B \-w
611Write the raw packets to \fIfile\fR rather than parsing and printing
612them out.
613They can later be printed with the \-r option.
614Standard output is used if \fIfile\fR is ``-''.
615.IP
616This output will be buffered if written to a file or pipe, so a program
617reading from the file or pipe may not see packets for an arbitrary
618amount of time after they are received. Use the
619.B \-U
620flag to cause packets to be written as soon as they are received.
621.IP
622The MIME type \fIapplication/vnd.tcpdump.pcap\fP has been registered
623with IANA for \fIpcap\fP files. The filename extension \fI.pcap\fP
624appears to be the most commonly used along with \fI.cap\fP and
625\fI.dmp\fP. \fITcpdump\fP itself doesn't check the extension when
626reading capture files and doesn't add an extension when writing them
627(it uses magic numbers in the file header instead). However, many
628operating systems and applications will use the extension if it is
629present and adding one (e.g. .pcap) is recommended.
630.IP
606See
607.BR pcap-savefile (5)
608for a description of the file format.
609.TP
610.B \-W
611Used in conjunction with the
612.B \-C
613option, this will limit the number
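Review bot: The new -V entry at new lines 606-608 does not say how the filenames in \fIfile\fR are delimited or what tcpdump does when a listed file cannot be opened; both are worth documenting because ``-'' lets the list be piped in from another program. In the added MIME-type paragraph, the closing "(e.g. .pcap)" at new line 629 is not set in \fI...\fP like the three extensions named earlier in the same paragraph.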

--- 87 unchanged lines hidden (view full) ---

701Otherwise,
702only packets for which \fIexpression\fP is `true' will be dumped.
703.LP
704For the \fIexpression\fP syntax, see
705.BR pcap-filter (7).
706.LP
707Expression arguments can be passed to \fItcpdump\fP as either a single
708argument or as multiple arguments, whichever is more convenient.
631See
632.BR pcap-savefile (5)
633for a description of the file format.
634.TP
635.B \-W
636Used in conjunction with the
637.B \-C
638option, this will limit the number

--- 87 unchanged lines hidden (view full) ---

726Otherwise,
727only packets for which \fIexpression\fP is `true' will be dumped.
728.LP
729For the \fIexpression\fP syntax, see
730.BR pcap-filter (7).
731.LP
732Expression arguments can be passed to \fItcpdump\fP as either a single
733argument or as multiple arguments, whichever is more convenient.
709Generally, if the expression contains Shell metacharacters, it is
710easier to pass it as a single, quoted argument.
734Generally, if the expression contains Shell metacharacters, such as
735backslashes used to escape protocol names, it is easier to pass it as
736a single, quoted argument rather than to escape the Shell
737metacharacters.
711Multiple arguments are concatenated with spaces before being parsed.
712.SH EXAMPLES
713.LP
714To print all packets arriving at or departing from \fIsundown\fP:
715.RS
716.nf
717\fBtcpdump host sundown\fP
718.fi
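Review bot: The reworded advice at new lines 734-737 still says only "a single, quoted argument" without naming the kind of quoting. Inside double quotes the shell continues to interpret $, ` and backslash before certain characters, so suggest saying single quotes explicitly now that the text calls out backslashes as the motivating case.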

--- 985 unchanged lines hidden (view full) ---

1704The timestamp reflects the time the kernel first saw the packet.
1705No attempt
1706is made to account for the time lag between when the
1707Ethernet interface removed the packet from the wire and when the kernel
1708serviced the `new packet' interrupt.
1709.SH "SEE ALSO"
1710stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(5),
1711pcap-filter(7), pcap-tstamp-type(7)
738Multiple arguments are concatenated with spaces before being parsed.
739.SH EXAMPLES
740.LP
741To print all packets arriving at or departing from \fIsundown\fP:
742.RS
743.nf
744\fBtcpdump host sundown\fP
745.fi

--- 985 unchanged lines hidden (view full) ---

1731The timestamp reflects the time the kernel first saw the packet.
1732No attempt
1733is made to account for the time lag between when the
1734Ethernet interface removed the packet from the wire and when the kernel
1735serviced the `new packet' interrupt.
1736.SH "SEE ALSO"
1737stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(5),
1738pcap-filter(7), pcap-tstamp-type(7)
1739.LP
1740.RS
1741.I http://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
1742.RE
1743.LP
1712.SH AUTHORS
1713The original authors are:
1714.LP
1715Van Jacobson,
1716Craig Leres and
1717Steven McCanne, all of the
1718Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
1719.LP
1720It is currently being maintained by tcpdump.org.
1721.LP
1722The current version is available via http:
1723.LP
1724.RS
1725.I http://www.tcpdump.org/
1726.RE
1727.LP
1728The original distribution is available via anonymous ftp:
1729.LP
1730.RS
1744.SH AUTHORS
1745The original authors are:
1746.LP
1747Van Jacobson,
1748Craig Leres and
1749Steven McCanne, all of the
1750Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
1751.LP
1752It is currently being maintained by tcpdump.org.
1753.LP
1754The current version is available via http:
1755.LP
1756.RS
1757.I http://www.tcpdump.org/
1758.RE
1759.LP
1760The original distribution is available via anonymous ftp:
1761.LP
1762.RS
1731.I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
1763.I ftp://ftp.ee.lbl.gov/old/tcpdump.tar.Z
1732.RE
1733.LP
1734IPv6/IPsec support is added by WIDE/KAME project.
1735This program uses Eric Young's SSLeay library, under specific configurations.
1736.SH BUGS
1737Please send problems, bugs, questions, desirable enhancements, patches
1738etc. to:
1739.LP
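Review bot: The IANA URL added to SEE ALSO at new lines 1739-1743 has no introducing text, unlike the URLs under AUTHORS, each of which follows a sentence such as "The current version is available via http:". Suggest a short lead-in naming it as the pcap media type registration, and dropping the trailing .LP at new line 1743, which is redundant directly before .SH AUTHORS.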

--- 51 unchanged lines hidden ---
1764.RE
1765.LP
1766IPv6/IPsec support is added by WIDE/KAME project.
1767This program uses Eric Young's SSLeay library, under specific configurations.
1768.SH BUGS
1769Please send problems, bugs, questions, desirable enhancements, patches
1770etc. to:
1771.LP

--- 51 unchanged lines hidden ---