Lines Matching +full:capture +full:- +full:only
25 tcpdump \- dump traffic on a network
30 .B \-AbdDefhHIJKlLnNOpqStuUvxX#
32 .B \-B
37 .B \-c
41 .B \-\-count
44 .B \-C
49 .B \-E
54 .B \-F
58 .B \-G
62 .B \-i
67 .B \-\-immediate\-mode
70 .B \-j
74 .B \-m
79 .B \-M
83 .B \-\-number
86 .B \-\-print
89 .B \-Q
94 .B \-r
98 .B \-s
102 .B \-T
106 .B \-\-version
110 .B \-V
114 .B \-w
118 .B \-W
122 .B \-y
127 .B \-z
128 .I postrotate-command
131 .B \-Z
136 .BI \-\-time\-stamp\-precision= tstamp_precision
140 .BI \-\-micro
143 .BI \-\-nano
160 .B \-w
163 .B \-r
166 .B \-V
168 only packets that match
175 .B \-c
178 typically control-C) or a SIGTERM signal (typically generated with the
181 .B \-c
182 flag, it will capture packets until it is interrupted by a SIGINT or
196 and possibly on the way the OS was configured - if a filter was
201 has read and processed them yet, on other OSes it counts only packets that were
204 has read and processed them yet, and on other OSes it counts only
209 dropped, due to a lack of buffer space, by the packet capture mechanism
218 your ``status'' character, typically control-T, although on some
227 .B \-w
237 .B \-A
241 .B \-b
245 .BI \-B " buffer_size"
248 .BI \-\-buffer\-size= buffer_size
250 Set the operating system capture buffer size to \fIbuffer_size\fP, in
253 .BI \-c " count"
256 .BI \-\-count
257 Print only the packet count on stdout when reading capture file(s) instead
259 line, \fItcpdump\fP counts only packets that were matched by the filter
262 .BI \-C " file_size"
267 .B \-w
272 .B \-d
273 Dump the compiled packet-matching code in a human readable form to
276 Please mind that although code compilation is always DLT-specific,
284 .B -y
286 .B -i
292 .B -r
294 .B -i
296 .B -d
303 .B \-dd
304 Dump packet-matching code as a
308 .B \-ddd
309 Dump packet-matching code as decimal numbers (preceded with a count).
311 .B \-D
314 .B \-\-list\-interfaces
319 can capture packets. For each network interface, a number and an
323 .B \-i
324 flag to specify an interface on which to capture.
333 .B \-D
342 .B \-e
343 Print the link-level header on each dump line. This can be used, for
347 .B \-E
355 \fBdes-cbc\fP,
356 \fB3des-cbc\fP,
357 \fBblowfish-cbc\fP,
358 \fBrc3-cbc\fP,
359 \fBcast128-cbc\fP, or
361 The default is \fBdes-cbc\fP.
362 The ability to decrypt packets is only present if \fItcpdump\fP was compiled
369 The option is only for debugging purposes, and
381 .B \-f
384 Sun's NIS server \(em usually it hangs forever translating non-local
388 netmask of the interface on which capture is being done. If that
390 interface on which capture is being done has no address or netmask or
391 because it is the "any" pseudo-interface, which is
393 can capture on more than one interface, this option will not work
396 .BI \-F " file"
400 .BI \-G " rotate_seconds"
402 .B \-w
405 .B \-w
411 capture period is therefore not advised.
414 .B \-C
417 .B \-h
420 .B \-\-help
425 .B \-\-version
429 .B \-H
432 .BI \-i " interface"
435 .BI \-\-interface= interface
437 Listen, report the list of link-layer types, report the list of time
440 .B -d
448 argument of ``any'' can be used to capture packets from all interfaces.
449 Note that captures on the ``any'' pseudo-interface will not be done in promiscuous
453 .B \-D
459 .B \-I
462 .B \-\-monitor\-mode
464 Put the interface in "monitor mode"; this is supported only on IEEE
465 802.11 Wi-Fi interfaces, and supported only on some operating systems.
475 .B \-L
477 .B \-I
478 isn't specified, only those link-layer types available when not in
480 .B \-I
481 is specified, only those link-layer types available when in monitor mode
484 .BI \-\-immediate\-mode
485 Capture in "immediate mode". In this mode, packets are delivered to
491 .BI \-j " tstamp_type"
494 .BI \-\-time\-stamp\-type= tstamp_type
496 Set the time stamp type for the capture to \fItstamp_type\fP. The names
502 .B \-J
505 .B \-\-list\-time\-stamp\-types
511 .BI \-\-time\-stamp\-precision= tstamp_precision
512 When capturing, set the time stamp precision for the capture to
530 .B \-\-micro
533 .B \-\-nano
535 Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
536 \fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
538 \fB\-\-micro\fP truncates time stamps if the savefile was created with
541 \fB\-\-nano\fP is used.
543 .B \-K
546 .B \-\-dont\-verify\-checksums
552 .B \-l
561 \fBtcpdump \-l | tee dat\fP
571 \fBtcpdump \-l > dat & tail \-f dat\fP
578 .B \-l
581 .B \-U
583 .B \-l
584 in its behavior, but it will cause output to be ``packet-buffered'', so
589 .B \-L
592 .B \-\-list\-data\-link\-types
596 specified mode; for example, on some platforms, a Wi-Fi interface might
598 example, it might support only fake Ethernet headers, or might support
602 only in monitor mode).
604 .BI \-m " module"
609 .BI \-M " secret"
611 TCP segments with the TCP-MD5 option (RFC 2385), if present.
613 .B \-n
616 .B \-N
622 .B \-#
625 .B \-\-number
629 .B \-O
632 .B \-\-no\-optimize
634 Do not run the packet-matching code optimizer.
635 This is useful only
638 .B \-p
641 .B \-\-no\-promiscuous\-mode
646 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
647 `ether host {local-hw-addr} or ether broadcast'.
649 .BI \-\-print
652 .B \-w
655 .BI \-Q " direction"
658 .BI \-\-direction= direction
664 .B \-q
669 .BI \-r " file"
671 .B \-w
673 Standard input is used if \fIfile\fR is ``-''.
675 .B \-S
678 .B \-\-absolute\-tcp\-sequence\-numbers
682 .BI \-s " snaplen"
685 .BI \-\-snapshot\-length= snaplen
701 large, and much of the detail won't be available if a too-short snapshot
705 limit \fIsnaplen\fP to the smallest number that will capture the
711 .BI \-T " type"
715 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
726 \fBrtcp\fR (Real-Time Applications control protocol),
727 \fBrtp\fR (Real-Time Applications protocol),
737 Note that the \fBpgm\fR type above affects UDP interpretation only, the native
738 PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
747 .B \-t
750 .B \-tt
754 .B \-ttt
756 .B \-\-time\-stamp-precision
760 .B \-tttt
764 .B \-ttttt
766 .B \-\-time\-stamp-precision
770 .B \-u
773 .B \-U
776 .B \-\-packet\-buffered
779 .B \-w
781 .B \-\-print
783 ``packet-buffered''; i.e., as the description of the contents of each
785 than, when not writing to a terminal, being written only when the output
789 .B \-w
791 ``packet-buffered''; i.e., as each packet is saved, it will be written
792 to the output file, rather than being written only when the output
796 .B \-U
805 .B \-v
813 .B \-w
815 .B \-r
821 .B \-vv
826 .B \-vvv
832 .B \-X
835 .BI \-V " file"
837 if \fIfile\fR is ``-''.
839 .BI \-w " file"
842 They can later be printed with the \-r option.
843 Standard output is used if \fIfile\fR is ``-''.
848 .B \-U
855 reading capture files and doesn't add an extension when writing them
864 .BI \-W " filecount"
866 .B \-C
875 .B \-G
880 .B \-C
882 .B \-G,
884 .B \-W
885 option will currently be ignored, and will only affect the file name.
887 .B \-x
893 bytes will be printed. Note that this is the entire link-layer
898 .B \-xx
901 .B \-xx
908 .B \-X
914 .B \-XX
917 .B \-XX
924 .BI \-y " datalinktype"
927 .BI \-\-linktype= datalinktype
931 or just compiling and dumping packet-matching code (see
935 .BI \-z " postrotate-command"
937 .B -C
939 .B -G
943 .I postrotate-command file
947 .B \-z gzip
949 .B \-z bzip2
952 Note that tcpdump will run the command in parallel to the capture, using
953 the lowest priority so that this doesn't disturb the capture process.
957 savefile name as the only argument, make the flags & arguments arrangements
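The passage above suggests wrapping a command that needs its own flags in a script that takes the closed savefile as its single argument. The script below is an added example, not part of tcpdump or its manual: a post-rotate hook that compresses each finished capture and appends its SHA-256 to a manifest so stored evidence can later be checked for tampering. The function name, the manifest file name and the MANIFEST environment variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not tcpdump project code: a post-rotate hook for `tcpdump -z`.
# tcpdump runs it as:   postrotate.sh <savefile>
# with the just-closed savefile as the only argument (see -z in the manual).
# Hypothetical names: postrotate(), manifest.sha256, MANIFEST.

postrotate() {
    file=$1
    [ -f "$file" ] || return 1
    # Manifest lives beside the captures unless MANIFEST overrides it.
    manifest=${MANIFEST:-$(dirname "$file")/manifest.sha256}

    # tcpdump already runs the hook at lowest priority; nice it again in case
    # the script is invoked by hand, so compression never starves the capture.
    nice -n 19 gzip -9 "$file" || return 1

    # Record the hash of the compressed artifact (coreutils or BSD/macOS tool).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$file.gz" >> "$manifest"
    else
        shasum -a 256 "$file.gz" >> "$manifest"
    fi
}

# When executed (not sourced), act on the single argument tcpdump passes.
if [ "${1:-}" ]; then
    postrotate "$1"
fi
```

Invoke it as `tcpdump -i eth0 -G 3600 -w 'cap-%Y%m%d-%H%M%S.pcap' -z ./postrotate.sh`. Because `-Z` drops privileges before any output savefile is opened, the hook runs as that unprivileged user too, so the capture directory and the manifest must be writable by it.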
960 .BI \-Z " user"
963 .BI \-\-relinquish\-privileges= user
967 is running as root, after opening the capture device or input savefile,
980 only packets for which \fIexpression\fP is `true' will be dumped.
1019 tcpdump net ucb-ether
1025 (mis-)interpreting the parentheses):
1029 tcpdump 'gateway snup and (port ftp or ftp-data)'
1044 TCP conversation that involves a non-local host.
1048 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1053 (i.e. select only the RST and ACK flags in the flags field, and if the result
1058 tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
1062 To print all IPv4 HTTP packets to and from port 80, i.e. print only
1064 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1068 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1095 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1129 When the \fIany\fP interface is selected on capture or when a link-type
1130 \fILINUX_SLL2\fP capture file is read the
1138 If the '-e' option is given, the link level header is printed out.
1142 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1153 so-called SNAP packet.
1155 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1161 the '-e' option is specified or not, the source routing information is
1162 printed for source-routed packets.
1164 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1186 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1210 \f(CWarp who-has csam tell rtsg
1211 arp reply csam is-at CSAM\fR
1221 This would look less redundant if we had done \fItcpdump \-n\fP:
1225 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1226 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1230 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1231 broadcast and the second is point-to-point would be visible:
1235 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1236 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1245 If the link-layer header is not being printed, for IPv4 packets,
1249 .B \-v
1251 parentheses after the \fBIP\fP or the link-layer header.
1260 \fItos\fP is the type of service field; if the ECN bits are non-zero,
1262 \fIttl\fP is the time-to-live; it is not reported if it is zero.
1283 protocol header. Fragmentation information will be printed only with
1285 .B \-v
1299 \fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow…
1308 \fIData-seqno\fP describes the portion of sequence space covered
1321 are output only if appropriate.
1348 There was no piggy-backed ACK, the available receive window was 4096
1349 bytes and there was a max-segment-size option requesting an MSS of
1352 Csam replies with a similar packet except it includes a piggy-backed
1368 `-S' will override this
1372 in the rtsg \(-> csam side of the conversation).
1382 If the snapshot was small enough that \fItcpdump\fP didn't capture
1394 .SS Particular TCP Flag Combinations (SYN-ACK, URG-ACK, etc.)
1402 Recall that TCP uses a 3-way handshake protocol
1416 Now we're interested in capturing packets that have only the
1419 (SYN-ACK), just a plain initial SYN.
1427 -----------------------------------------------------------------
1429 -----------------------------------------------------------------
1431 -----------------------------------------------------------------
1433 -----------------------------------------------------------------
1435 -----------------------------------------------------------------
1437 -----------------------------------------------------------------
1442 The first line of the graph contains octets 0 - 3, the
1443 second line shows octets 4 - 7 etc.
1450 ----------------|---------------|---------------|----------------
1452 ----------------|---------------|---------------|----------------
1460 |---------------|
1462 |---------------|
1471 Recall that we want to capture packets with only SYN set.
1477 |---------------|
1479 |---------------|
1484 control bits section we see that only bit number 1 (SYN) is set.
1486 Assuming that octet number 13 is an 8-bit unsigned integer in
1498 We're almost done, because now we know that if only SYN is set,
1500 as an 8-bit unsigned integer in network byte order, must be exactly 2.
1509 to watch packets which have only SYN set:
1512 tcpdump -i xl0 'tcp[13] == 2'
1518 Now, let's assume that we need to capture SYN packets, but we
1522 with SYN-ACK set arrives:
1526 |---------------|
1528 |---------------|
1546 expression, because that would select only those packets that have
1547 SYN-ACK set, but not those with only SYN set.
1560 00010010 SYN-ACK 00000010 SYN
1562 -------- --------
1578 tcpdump -i xl0 'tcp[13] & 2 == 2'
1584 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1585 tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
1590 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
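The byte-offset filters built up in this section (`tcp[13] == 2` for a bare SYN, `tcp[13] & 2 == 2` for any segment with SYN set) and the payload-length test from the earlier HTTP example (`ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) != 0`) all reduce to arithmetic on header octets. The script below is an added example, not code from tcpdump or its manual: it builds a four-packet handshake by hand (constructed packets using RFC 5737 test addresses), evaluates each expression in Python with the same offsets tcpdump uses, and can write the packets to a LINKTYPE_RAW pcap so `tcpdump -r` can be run with the original expressions as a cross-check. All function names are illustrative.

```python
"""Added example (not tcpdump code): tcpdump byte-offset filters on hand-built packets."""
import struct

# TCP control bits as they sit in octet 13 of the TCP header (tcp[13] / tcp[tcpflags]).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def ip4(dotted):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Raw IPv4+TCP packet, no link-layer header.
    Checksums are left 0: tcpdump's filter code never inspects them."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_hlen = 20 + len(options)
    data_offset = (tcp_hlen // 4) << 4          # tcp[12] high nibble: header len in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)
    tcp += options + payload
    total_len = 20 + len(tcp)                   # ip[2:2]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src, dst)
    return ip + tcp


def ip_hlen(pkt):
    return (pkt[0] & 0x0F) << 2                 # ((ip[0]&0xf)<<2)


def tcp_byte(pkt, i):
    """tcp[i]: tcpdump's tcp[] offsets are relative to the start of the TCP header."""
    return pkt[ip_hlen(pkt) + i]


def syn_only(pkt):
    return tcp_byte(pkt, 13) == 2               # 'tcp[13] == 2'


def syn_set(pkt):
    # 'tcp[13] & 2 == 2'. In pcap-filter syntax & binds tighter than ==;
    # in Python it is the reverse, so the parentheses are required here.
    return (tcp_byte(pkt, 13) & 2) == 2


def tcp_payload_len(pkt):
    total = struct.unpack_from("!H", pkt, 2)[0]          # ip[2:2]
    tcp_hlen = (tcp_byte(pkt, 12) & 0xF0) >> 2           # ((tcp[12]&0xf0)>>2)
    return total - ip_hlen(pkt) - tcp_hlen


def has_payload(pkt):
    return tcp_payload_len(pkt) != 0            # the HTTP example's "not ACK-only" test


def select(pred, packets):
    """Indices of the packets a filter predicate accepts."""
    return [i for i, p in enumerate(packets) if pred(p)]


def sample_handshake():
    """Constructed sample traffic: SYN, SYN-ACK, bare ACK, then an ACK carrying data."""
    a, b = ip4("192.0.2.10"), ip4("192.0.2.80")          # RFC 5737 TEST-NET-1 addresses
    mss = b"\x02\x04\x05\xb4"                            # MSS option (1460), already 4-byte aligned
    return [
        build_ipv4_tcp(a, b, 40000, 80, TCP_SYN, options=mss),
        build_ipv4_tcp(b, a, 80, 40000, TCP_SYN | TCP_ACK, options=mss),
        build_ipv4_tcp(a, b, 40000, 80, TCP_ACK),
        build_ipv4_tcp(a, b, 40000, 80, TCP_ACK | TCP_PSH, payload=b"GET / HTTP/1.0\r\n\r\n"),
    ]


def to_pcap(packets, linktype=101):
    """Serialize to pcap bytes. linktype 101 = LINKTYPE_RAW (bare IP, no link header),
    so tcpdump -r applies ip[]/tcp[] offsets exactly as this script does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    pkts = sample_handshake()
    print("tcp[13] == 2        ->", select(syn_only, pkts))      # [0]
    print("tcp[13] & 2 == 2    ->", select(syn_set, pkts))       # [0, 1]
    print("payload length != 0 ->", select(has_payload, pkts))   # [3]
    with open("handshake.pcap", "wb") as f:
        f.write(to_pcap(pkts))
```

After running it, `tcpdump -nr handshake.pcap 'tcp[13] == 2'` prints only the first packet, `'tcp[13] & 2 == 2'` the first two, and the full HTTP expression from the manual only the fourth, matching the index lists the script prints. Note that these offsets assume no IP options and that `tcp[]` is only meaningful for the first fragment of a datagram; `-d` on the same expression shows the compiled BPF that enforces that.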
1691 Other flag characters that might appear are `\-' (recursion available,
1704 decode done if -v is used.
1705 Be warned that with -v a single SMB packet
1706 may take up a page or more, so only use -v if you really want all the
1757 instead of the non-NFS port number of the packet.
1759 If the \-v (verbose) flag is given, additional information is printed.
1773 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1778 second line is the first fragment of the reply, and hence is only 1472
1782 Because the \-v flag
1787 If the \-v flag is given more than once, even more details are printed.
1803 \fIsrc.sport > dst.dport: rx packet-type\fP
1804 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1805 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1829 AFS RPCs have at least some of the arguments decoded (generally only
1832 The format is intended to be self-describing, but it will probably
1836 If the -v (verbose) flag is given twice, acknowledgement packets and
1840 If the -v flag is given twice, additional information is printed,
1844 If the -v flag is given three times, the security index and service id
1861 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1874 16.1 icsd-net
1882 from a net by the 3rd octet in the number \-
1897 \f(CW144.1.209.2 > icsd-net.112.220
1898 office.2 > icsd-net.112.220
1899 jssmag.149.235 > icsd-net.2\fR
1912 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1914 number \- for this reason it's a good idea to keep node names and
1928 \f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1929 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1930 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
1949 \f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1950 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1951 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1952 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1953 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1954 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1955 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1956 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1957 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1958 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1959 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1960 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1961 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1962 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
1967 up to 8 packets (the `<0-7>').
1971 Helios responds with 8 512-byte packets.
1989 .B tcp-ece
1991 .B tcp-cwr
2005 .I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
2034 To report a security issue please send an e-mail to \%security@tcpdump.org.
2057 not correctly handle source-routed Token Ring packets.
2069 It only looks at IPv4 packets.