X-Git-Url: https://gitweb.dragonflybsd.org/~nant/dragonfly.git/blobdiff_plain/73e63d40f2724d173bdfe67ab6259587983cc3a1:/contrib/tcpdump/tcpdump.1..8698f99899c8fc9febde35e4d24a1b1c812b4a83:/contrib/tcpdump/tcpdump.1.in diff --git a/contrib/tcpdump/tcpdump.1 b/contrib/tcpdump/tcpdump.1.in similarity index 94% rename from contrib/tcpdump/tcpdump.1 rename to contrib/tcpdump/tcpdump.1.in index e1969cf4fe..61e3d773c7 100644 --- a/contrib/tcpdump/tcpdump.1 +++ b/contrib/tcpdump/tcpdump.1.in @@ -1,4 +1,4 @@ -.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1,v 1.185.2.6 2008-05-30 01:38:21 guy Exp $ (LBL) +.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL) .\" .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $ .\" @@ -22,14 +22,14 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "07 January 2008" +.TH TCPDUMP 1 "05 March 2009" .SH NAME tcpdump \- dump traffic on a network .SH SYNOPSIS .na .B tcpdump [ -.B \-AdDefIKlLnNOpqRStuUvxX +.B \-AbdDefhHIJKlLnNOpqRStuUvxX ] [ .B \-B .I buffer_size @@ -56,6 +56,10 @@ tcpdump \- dump traffic on a network .I interface ] [ +.B \-j +.I tstamp_type +] +[ .B \-m .I module ] @@ -191,6 +195,10 @@ special privileges. Print each packet (minus its link level header) in ASCII. Handy for capturing web pages. .TP +.B \-b +Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN +notation. +.TP .B \-B Set the operating system capture buffer size to \fIbuffer_size\fP. .TP 
@@ -252,7 +260,7 @@ Print the link-level header on each dump line. .B \-E Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that are addressed to \fIaddr\fP and contain Security Parameter Index value -\fIspi\fP. This combination may be repeated with comma or newline seperation. +\fIspi\fP. This combination may be repeated with comma or newline separation. .IP Note that setting the secret for IPv4 ESP packets is supported at this time. .IP @@ -268,7 +276,7 @@ The ability to decrypt packets is only present if \fItcpdump\fP was compiled with cryptography enabled. .IP \fIsecret\fP is the ASCII text for ESP secret key. -If preceeded by 0x, then a hex value will be read. +If preceded by 0x, then a hex value will be read. .IP The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and @@ -315,6 +323,13 @@ If used in conjunction with the .B \-C option, filenames will take the form of `\fIfile\fP'. .TP +.B \-h +Print the tcpdump and libpcap version strings, print a usage message, +and exit. +.TP +.B \-H +Attempt to detect 802.11s draft mesh headers. +.TP .B \-i Listen on \fIinterface\fP. If unspecified, \fItcpdump\fP searches the system interface list for the 
@@ -344,11 +359,33 @@ any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter. +.IP +This flag will affect the output of the +.B \-L +flag. If +.B \-I +isn't specified, only those link-layer types available when not in +monitor mode will be shown; if +.B \-I +is specified, only those link-layer types available when in monitor mode +will be shown. +.TP +.B \-j +Set the time stamp type for the capture to \fItstamp_type\fP. The names +to use for the time stamp types are given in +.BR pcap-tstamp-type (@MAN_MISC_INFO@); +not all the types listed there will necessarily be valid for any given +interface. +.TP +.B \-J +List the supported time stamp types for the interface and exit. If the +time stamp type cannot be set for the interface, no time stamp types are +listed. .TP .B \-K -Don't attempt to verify TCP checksums. This is useful for interfaces -that perform the TCP checksum calculation in hardware; otherwise, -all outgoing TCP checksums will be flagged as bad. +Don't attempt to verify IP, TCP, or UDP checksums. This is useful for +interfaces that perform some or all of those checksum calculation in +hardware; otherwise, all outgoing TCP checksums will be flagged as bad. .TP .B \-l Make stdout line buffered. 
@@ -360,7 +397,15 @@ E.g., ``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. .TP .B \-L -List the known data link types for the interface and exit. +List the known data link types for the interface, in the specified mode, +and exit. The list of known data link types may be dependent on the +specified mode; for example, on some platforms, a Wi-Fi interface might +support one set of data link types when not in monitor mode (for +example, it might support only fake Ethernet headers, or might support +802.11 headers but not support 802.11 headers with radio information) +and another set of data link types when in monitor mode (for example, it +might support 802.11 headers, or 802.11 headers with radio information, +only in monitor mode). .TP .B \-m Load SMI MIB module definitions from file \fImodule\fR. @@ -414,10 +459,7 @@ Print absolute, rather than relative, TCP sequence numbers. .TP .B \-s Snarf \fIsnaplen\fP bytes of data from each packet rather than the -default of 68 (with SunOS's NIT, the minimum is actually 96). -68 bytes is adequate for IP, ICMP, TCP -and UDP but may truncate protocol information from name server and NFS -packets (see below). +default of 65535 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP is the name of the protocol level at which the truncation has occurred. @@ -429,7 +471,9 @@ lost. You should limit \fIsnaplen\fP to the smallest number that will capture the protocol information you're interested in. Setting -\fIsnaplen\fP to 0 means use the required length to catch whole packets. +\fIsnaplen\fP to 0 sets it to the default of 65535, +for backwards compatibility with recent older versions of +.IR tcpdump . .TP .B \-T Force packets selected by "\fIexpression\fP" to be interpreted the 
@@ -513,6 +557,9 @@ Write the raw packets to \fIfile\fR rather than parsing and printing them out. They can later be printed with the \-r option. Standard output is used if \fIfile\fR is ``-''. +See +.BR pcap-savefile (@MAN_FILE_FORMATS@) +for a description of the file format. .TP .B \-W Used in conjunction with the @@ -591,7 +638,10 @@ savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want. .TP .B \-Z -Drops privileges (if root) and changes user ID to +If +.I tcpdump +is running as root, after opening the capture device or input savefile, +but before opening any savefiles for output, change the user ID to .I user and the group ID to the primary group of .IR user . @@ -606,7 +656,7 @@ Otherwise, only packets for which \fIexpression\fP is `true' will be dumped. .LP For the \fIexpression\fP syntax, see -.BR pcap-filter (7). +.BR pcap-filter (@MAN_MISC_INFO@). .LP Expression arguments can be passed to \fItcpdump\fP as either a single argument or as multiple arguments, whichever is more convenient. @@ -847,8 +897,8 @@ The general format of a tcp protocol line is: \fISrc\fP and \fIdst\fP are the source and destination IP addresses and ports. \fIFlags\fP are some combination of S (SYN), -F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single -`.' (no flags). +F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or +`.' (ACK), or `none' if no flags are set. \fIData-seqno\fP describes the portion of sequence space covered by the data in this packet (see example below). \fIAck\fP is sequence number of the next data expected the other 
@@ -895,8 +945,7 @@ bytes and there was a max-segment-size option requesting an mss of Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. -The `.' means no -flags were set. +The `.' means the ACK flag was set. The packet contained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). @@ -1123,6 +1172,18 @@ This points us to the \fItcpdump\fP filter expression tcpdump -i xl0 'tcp[13] & 2 == 2' .RE .PP +Some offsets and field values may be expressed as names +rather than as numeric values. For example tcp[13] may +be replaced with tcp[tcpflags]. The following TCP flag +field values are also available: tcp-fin, tcp-syn, tcp-rst, +tcp-push, tcp-act, tcp-urg. +.PP +This can be demonstrated as: +.RS +.B + tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0' +.RE +.PP Note that you should use single quotes or a backslash in the expression to hide the AND ('&') special character from the shell. @@ -1230,15 +1291,6 @@ RA, \fInot\fP set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[\fIn\fPq]' is printed. -.LP -Note that name server requests and responses tend to be large and the -default \fIsnaplen\fP of 68 bytes may not capture enough of the packet -to print. -Use the \fB\-s\fP flag to increase the snaplen if you -need to seriously investigate name server traffic. -`\fB\-s 128\fP' -has worked well for me. - .HD SMB/CIFS decoding .LP 
@@ -1246,19 +1298,18 @@ SMB/CIFS decoding on UDP/137, UDP/138 and TCP/139. Some primitive decoding of IPX and NetBEUI SMB data is also done. - +.LP By default a fairly minimal decode is done, with a much more detailed decode done if -v is used. Be warned that with -v a single SMB packet may take up a page or more, so only use -v if you really want all the gory details. - -For information on SMB packet formats and what all te fields mean see +.LP +For information on SMB packet formats and what all the fields mean see www.cifs.org or the pub/samba/specs/ directory on your favorite samba.org mirror site. The SMB patches were written by Andrew Tridgell (tridge@samba.org). - .HD NFS Requests and Replies .LP @@ -1610,7 +1661,8 @@ is made to account for the time lag between when the Ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt. .SH "SEE ALSO" -stty(1), pcap(3), bpf(4), pcap-filter(7) +stty(1), pcap(3), bpf(4), pcap-savefile(@MAN_FILE_FORMATS@), +pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@) .SH AUTHORS The original authors are: .LP
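Review bot: In the new -K text in hunk @@ -344,11 +359,33 @@, "some or all of those checksum calculation in hardware" should read "checksum calculations", and the consequence clause still says only "all outgoing TCP checksums will be flagged as bad" although the option now covers IP and UDP as well; suggest "otherwise, all outgoing IP, TCP, and UDP checksums will be flagged as bad" so the rationale matches the widened scope. In the same hunk, the -J description says nothing is listed when "the time stamp type cannot be set for the interface"; it would help the reader to say whether tcpdump exits with an error or silently with an empty list in that case.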
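Review bot: The -L rewrite in hunk @@ -360,7 +397,15 @@ is one sentence with two nested parentheticals and is hard to follow; suggest splitting it after "and exit." and naming the option that selects the mode, e.g. "List the known data link types for the interface, in the mode selected by -I, and exit. The list may depend on that mode: on some platforms a Wi-Fi interface supports one set of types when not in monitor mode (...) and another set in monitor mode (...)." The -I hunk already states that -I affects the -L output, so cross-referencing it here keeps the two entries consistent.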
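Review bot: "for backwards compatibility with recent older versions of tcpdump" in hunk @@ -429,7 +471,9 @@ reads as contradictory; suggest "for backwards compatibility with older versions of tcpdump, in which 0 meant use the length required to capture whole packets", which also preserves the meaning carried by the removed line. Since hunk @@ -414,10 +459,7 @@ changes the documented default to 65535, the two hunks together should make it explicit that "-s 0" and omitting -s are now equivalent.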
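Review bot: The rewritten -Z text in hunk @@ -591,7 +638,10 @@ usefully pins down the ordering (capture device or input savefile opened before the switch, output savefiles opened after it), but it should spell out the practical consequence: any -w output file, and the directory it is created in, must be writable by user, because that is the identity tcpdump holds when it creates them. The sentence also only covers the case where tcpdump is running as root; stating what -Z does when tcpdump is not root would close that gap.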
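Review bot: The Flags change in hunk @@ -847,8 +897,8 @@ (`.' now documented as ACK, `none' as no flags) is matched by the example text in hunk @@ -895,8 +945,7 @@, which is the only other occurrence updated here; the surrounding walkthrough of the rtsg/csam exchange should be re-read for any remaining sentence that still describes `.' as "no flags", since the two hunks only change one line each.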
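Review bot: "tcp-act" in the list of TCP flag names in hunk @@ -1123,6 +1172,18 @@ looks like a typo for "tcp-ack", the name the pcap filter language defines; as written, a reader copying it into an expression will get a filter parse error rather than an ACK match. It would also help to say that these symbolic names (tcp[tcpflags], tcp-push, ...) are resolved by the filter compiler documented in pcap-filter, which this page already cross-references, so the reader knows where the full list lives.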