Lines Matching +full:helios +full:- +full:4
25 tcpdump \- dump traffic on a network
30 .B \-AbdDefhHIJKlLnNOpqStuUvxX#
32 .B \-B
37 .B \-c
41 .B \-\-count
44 .B \-C
49 .B \-E
54 .B \-F
58 .B \-G
62 .B \-i
67 .B \-\-immediate\-mode
70 .B \-j
74 .B \-m
79 .B \-M
83 .B \-\-number
86 .B \-\-print
89 .B \-Q
94 .B \-r
98 .B \-s
102 .B \-T
106 .B \-\-version
110 .B \-V
114 .B \-w
118 .B \-W
122 .B \-y
127 .B \-z
128 .I postrotate-command
131 .B \-Z
136 .BI \-\-time\-stamp\-precision= tstamp_precision
140 .BI \-\-micro
143 .BI \-\-nano
160 .B \-w
163 .B \-r
166 .B \-V
175 .B \-c
178 typically control-C) or a SIGTERM signal (typically generated with the
181 .B \-c
196 and possibly on the way the OS was configured - if a filter was
218 your ``status'' character, typically control-T, although on some
227 .B \-w
237 .B \-A
241 .B \-b
245 .BI \-B " buffer_size"
248 .BI \-\-buffer\-size= buffer_size
253 .BI \-c " count"
256 .BI \-\-count
262 .BI \-C " file_size"
267 .B \-w
272 .B \-d
273 Dump the compiled packet-matching code in a human readable form to
276 Please mind that although code compilation is always DLT-specific,
284 .B -y
286 .B -i
292 .B -r
294 .B -i
296 .B -d
303 .B \-dd
304 Dump packet-matching code as a
308 .B \-ddd
309 Dump packet-matching code as decimal numbers (preceded with a count).
311 .B \-D
314 .B \-\-list\-interfaces
323 .B \-i
333 .B \-D
342 .B \-e
343 Print the link-level header on each dump line. This can be used, for
347 .B \-E
355 \fBdes-cbc\fP,
356 \fB3des-cbc\fP,
357 \fBblowfish-cbc\fP,
358 \fBrc3-cbc\fP,
359 \fBcast128-cbc\fP, or
361 The default is \fBdes-cbc\fP.
381 .B \-f
384 Sun's NIS server \(em usually it hangs forever translating non-local
391 because it is the "any" pseudo-interface, which is
396 .BI \-F " file"
400 .BI \-G " rotate_seconds"
402 .B \-w
405 .B \-w
414 .B \-C
417 .B \-h
420 .B \-\-help
425 .B \-\-version
429 .B \-H
432 .BI \-i " interface"
435 .BI \-\-interface= interface
437 Listen, report the list of link-layer types, report the list of time
440 .B -d
449 Note that captures on the ``any'' pseudo-interface will not be done in promiscuous
453 .B \-D
459 .B \-I
462 .B \-\-monitor\-mode
465 802.11 Wi-Fi interfaces, and supported only on some operating systems.
475 .B \-L
477 .B \-I
478 isn't specified, only those link-layer types available when not in
480 .B \-I
481 is specified, only those link-layer types available when in monitor mode
484 .BI \-\-immediate\-mode
491 .BI \-j " tstamp_type"
494 .BI \-\-time\-stamp\-type= tstamp_type
502 .B \-J
505 .B \-\-list\-time\-stamp\-types
511 .BI \-\-time\-stamp\-precision= tstamp_precision
530 .B \-\-micro
533 .B \-\-nano
535 Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
536 \fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
538 \fB\-\-micro\fP truncates time stamps if the savefile was created with
541 \fB\-\-nano\fP is used.
543 .B \-K
546 .B \-\-dont\-verify\-checksums
552 .B \-l
561 \fBtcpdump \-l | tee dat\fP
571 \fBtcpdump \-l > dat & tail \-f dat\fP
578 .B \-l
581 .B \-U
583 .B \-l
584 in its behavior, but it will cause output to be ``packet-buffered'', so
589 .B \-L
592 .B \-\-list\-data\-link\-types
596 specified mode; for example, on some platforms, a Wi-Fi interface might
604 .BI \-m " module"
609 .BI \-M " secret"
611 TCP segments with the TCP-MD5 option (RFC 2385), if present.
613 .B \-n
616 .B \-N
622 .B \-#
625 .B \-\-number
629 .B \-O
632 .B \-\-no\-optimize
634 Do not run the packet-matching code optimizer.
638 .B \-p
641 .B \-\-no\-promiscuous\-mode
646 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
647 `ether host {local-hw-addr} or ether broadcast'.
649 .BI \-\-print
652 .B \-w
655 .BI \-Q " direction"
658 .BI \-\-direction= direction
664 .B \-q
669 .BI \-r " file"
671 .B \-w
673 Standard input is used if \fIfile\fR is ``-''.
675 .B \-S
678 .B \-\-absolute\-tcp\-sequence\-numbers
682 .BI \-s " snaplen"
685 .BI \-\-snapshot\-length= snaplen
701 large, and much of the detail won't be available if a too-short snapshot
711 .BI \-T " type"
715 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
726 \fBrtcp\fR (Real-Time Applications control protocol),
727 \fBrtp\fR (Real-Time Applications protocol),
738 PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
747 .B \-t
750 .B \-tt
754 .B \-ttt
756 .B \-\-time\-stamp-precision
760 .B \-tttt
764 .B \-ttttt
766 .B \-\-time\-stamp-precision
770 .B \-u
773 .B \-U
776 .B \-\-packet\-buffered
779 .B \-w
781 .B \-\-print
783 ``packet-buffered''; i.e., as the description of the contents of each
789 .B \-w
791 ``packet-buffered''; i.e., as each packet is saved, it will be written
796 .B \-U
805 .B \-v
813 .B \-w
815 .B \-r
821 .B \-vv
826 .B \-vvv
832 .B \-X
835 .BI \-V " file"
837 if \fIfile\fR is ``-''.
839 .BI \-w " file"
842 They can later be printed with the \-r option.
843 Standard output is used if \fIfile\fR is ``-''.
848 .B \-U
864 .BI \-W " filecount"
866 .B \-C
875 .B \-G
880 .B \-C
882 .B \-G,
884 .B \-W
887 .B \-x
893 bytes will be printed. Note that this is the entire link-layer
898 .B \-xx
901 .B \-xx
908 .B \-X
914 .B \-XX
917 .B \-XX
924 .BI \-y " datalinktype"
927 .BI \-\-linktype= datalinktype
931 or just compiling and dumping packet-matching code (see
935 .BI \-z " postrotate-command"
937 .B -C
939 .B -G
943 .I postrotate-command file
947 .B \-z gzip
949 .B \-z bzip2
960 .BI \-Z " user"
963 .BI \-\-relinquish\-privileges= user
1001 To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
1004 \fBtcpdump host helios and \\( hot or ace \\)\fP
1008 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
1011 \fBtcpdump ip host ace and not helios\fP
1019 tcpdump net ucb-ether
1025 (mis-)interpreting the parentheses):
1029 tcpdump 'gateway snup and (port ftp or ftp-data)'
1044 TCP conversation that involves a non-local host.
1048 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1058 tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
1064 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1068 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1095 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1129 When the \fIany\fP interface is selected on capture or when a link-type
1138 If the '-e' option is given, the link level header is printed out.
1142 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1153 so-called SNAP packet.
1155 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1161 the '-e' option is specified or not, the source routing information is
1162 printed for source-routed packets.
1164 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1186 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1210 \f(CWarp who-has csam tell rtsg
1211 arp reply csam is-at CSAM\fR
1221 This would look less redundant if we had done \fItcpdump \-n\fP:
1225 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1226 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1230 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1231 broadcast and the second is point-to-point would be visible:
1235 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1236 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1245 If the link-layer header is not being printed, for IPv4 packets,
1249 .B \-v
1251 parentheses after the \fBIP\fP or the link-layer header.
1260 \fItos\fP is the type of service field; if the ECN bits are non-zero,
1262 \fIttl\fP is the time-to-live; it is not reported if it is zero.
1285 .B \-v
1299 \fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow…
1308 \fIData-seqno\fP describes the portion of sequence space covered
1336 IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1\fR
1348 There was no piggy-backed ACK, the available receive window was 4096
1349 bytes and there was a max-segment-size option requesting an MSS of
1352 Csam replies with a similar packet except it includes a piggy-backed
1368 `-S' will override this
1372 in the rtsg \(-> csam side of the conversation).
1394 .SS Particular TCP Flag Combinations (SYN-ACK, URG-ACK, etc.)
1402 Recall that TCP uses a 3-way handshake protocol
1419 (SYN-ACK), just a plain initial SYN.
1427 -----------------------------------------------------------------
1429 -----------------------------------------------------------------
1431 -----------------------------------------------------------------
1433 -----------------------------------------------------------------
1435 -----------------------------------------------------------------
1437 -----------------------------------------------------------------
1442 The first line of the graph contains octets 0 - 3, the
1443 second line shows octets 4 - 7 etc.
1450 ----------------|---------------|---------------|----------------
1452 ----------------|---------------|---------------|----------------
1460 |---------------|
1462 |---------------|
1477 |---------------|
1479 |---------------|
1480 |7 6 5 4 3 2 1 0|
1486 Assuming that octet number 13 is an 8-bit unsigned integer in
1494 7 6 5 4 3 2 1 0
1500 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1512 tcpdump -i xl0 'tcp[13] == 2'
1522 with SYN-ACK set arrives:
1526 |---------------|
1528 |---------------|
1529 |7 6 5 4 3 2 1 0|
1532 Now bits 1 and 4 are set in the 13th octet.
1541 7 6 5 4 3 2 1 0
1547 SYN-ACK set, but not those with only SYN set.
1560 00010010 SYN-ACK 00000010 SYN
1562 -------- --------
1578 tcpdump -i xl0 'tcp[13] & 2 == 2'
1584 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1585 tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
1590 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1629 \f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
1633 Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
1670 helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
1674 In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
1683 In the second example, \fIhelios\fP responds to query 2 with a
1691 Other flag characters that might appear are `\-' (recursion available,
1704 decode done if -v is used.
1705 Be warned that with -v a single SMB packet
1706 may take up a page or more, so only use -v if you really want all the
1757 instead of the non-NFS port number of the packet.
1759 If the \-v (verbose) flag is given, additional information is printed.
1773 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1782 Because the \-v flag
1787 If the \-v flag is given more than once, even more details are printed.
1803 \fIsrc.sport > dst.dport: rx packet-type\fP
1804 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1805 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1832 The format is intended to be self-describing, but it will probably
1836 If the -v (verbose) flag is given twice, acknowledgement packets and
1840 If the -v flag is given twice, additional information is printed,
1844 If the -v flag is given three times, the security index and service id
1861 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1874 16.1 icsd-net
1882 from a net by the 3rd octet in the number \-
1897 \f(CW144.1.209.2 > icsd-net.112.220
1898 office.2 > icsd-net.112.220
1899 jssmag.149.235 > icsd-net.2\fR
1912 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1914 number \- for this reason it's a good idea to keep node names and
1928 \f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1929 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1930 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
1949 \f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1950 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1951 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1952 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1953 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1954 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1955 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1956 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1957 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1958 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1959 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1960 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1961 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1962 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
1966 Jssmag.209 initiates transaction id 12266 with host helios by requesting
1967 up to 8 packets (the `<0-7>').
1971 Helios responds with 8 512-byte packets.
1980 Helios
1989 .B tcp-ece
1991 .B tcp-cwr
2005 .I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
2034 To report a security issue please send an e-mail to \%security@tcpdump.org.
2057 not correctly handle source-routed Token Ring packets.