Lines Matching +full:periodic +full:- +full:op +full:- +full:mode
25 tcpdump \- dump traffic on a network
30 .B \-AbdDefhHIJKlLnNOpqStuUvxX#
32 .B \-B
37 .B \-c
41 .B \-\-count
44 .B \-C
49 .B \-E
54 .B \-F
58 .B \-G
62 .B \-i
67 .B \-\-immediate\-mode
70 .B \-j
74 .B \-m
79 .B \-M
83 .B \-\-number
86 .B \-\-print
89 .B \-Q
94 .B \-r
98 .B \-s
102 .B \-T
106 .B \-\-version
110 .B \-V
114 .B \-w
118 .B \-W
122 .B \-y
127 .B \-z
128 .I postrotate-command
131 .B \-Z
136 .BI \-\-time\-stamp\-precision= tstamp_precision
140 .BI \-\-micro
143 .BI \-\-nano
160 .B \-w
163 .B \-r
166 .B \-V
175 .B \-c
178 typically control-C) or a SIGTERM signal (typically generated with the
181 .B \-c
196 and possibly on the way the OS was configured - if a filter was
218 your ``status'' character, typically control-T, although on some
227 .B \-w
237 .B \-A
241 .B \-b
245 .BI \-B " buffer_size"
248 .BI \-\-buffer\-size= buffer_size
253 .BI \-c " count"
256 .BI \-\-count
262 .BI \-C " file_size"
267 .B \-w
272 .B \-d
273 Dump the compiled packet-matching code in a human readable form to
276 Please mind that although code compilation is always DLT-specific,
284 .B -y
286 .B -i
292 .B -r
294 .B -i
296 .B -d
303 .B \-dd
304 Dump packet-matching code as a
308 .B \-ddd
309 Dump packet-matching code as decimal numbers (preceded with a count).
311 .B \-D
314 .B \-\-list\-interfaces
323 .B \-i
333 .B \-D
342 .B \-e
343 Print the link-level header on each dump line. This can be used, for
347 .B \-E
355 \fBdes-cbc\fP,
356 \fB3des-cbc\fP,
357 \fBblowfish-cbc\fP,
358 \fBrc3-cbc\fP,
359 \fBcast128-cbc\fP, or
361 The default is \fBdes-cbc\fP.
381 .B \-f
384 Sun's NIS server \(em usually it hangs forever translating non-local
391 because it is the "any" pseudo-interface, which is
396 .BI \-F " file"
400 .BI \-G " rotate_seconds"
402 .B \-w
405 .B \-w
414 .B \-C
417 .B \-h
420 .B \-\-help
425 .B \-\-version
429 .B \-H
432 .BI \-i " interface"
435 .BI \-\-interface= interface
437 Listen, report the list of link-layer types, report the list of time
440 .B -d
449 Note that captures on the ``any'' pseudo-interface will not be done in promiscuous
450 mode.
453 .B \-D
459 .B \-I
462 .B \-\-monitor\-mode
464 Put the interface in "monitor mode"; this is supported only on IEEE
465 802.11 Wi-Fi interfaces, and supported only on some operating systems.
467 Note that in monitor mode the adapter might disassociate from the
471 if you are capturing in monitor mode and are not connected to another
475 .B \-L
477 .B \-I
478 isn't specified, only those link-layer types available when not in
479 monitor mode will be shown; if
480 .B \-I
481 is specified, only those link-layer types available when in monitor mode
484 .BI \-\-immediate\-mode
485 Capture in "immediate mode". In this mode, packets are delivered to
491 .BI \-j " tstamp_type"
494 .BI \-\-time\-stamp\-type= tstamp_type
502 .B \-J
505 .B \-\-list\-time\-stamp\-types
511 .BI \-\-time\-stamp\-precision= tstamp_precision
530 .B \-\-micro
533 .B \-\-nano
535 Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
536 \fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
538 \fB\-\-micro\fP truncates time stamps if the savefile was created with
541 \fB\-\-nano\fP is used.
543 .B \-K
546 .B \-\-dont\-verify\-checksums
552 .B \-l
561 \fBtcpdump \-l | tee dat\fP
571 \fBtcpdump \-l > dat & tail \-f dat\fP
578 .B \-l
581 .B \-U
583 .B \-l
584 in its behavior, but it will cause output to be ``packet-buffered'', so
589 .B \-L
592 .B \-\-list\-data\-link\-types
594 List the known data link types for the interface, in the specified mode,
596 specified mode; for example, on some platforms, a Wi-Fi interface might
597 support one set of data link types when not in monitor mode (for
600 and another set of data link types when in monitor mode (for example, it
602 only in monitor mode).
604 .BI \-m " module"
609 .BI \-M " secret"
611 TCP segments with the TCP-MD5 option (RFC 2385), if present.
613 .B \-n
616 .B \-N
622 .B \-#
625 .B \-\-number
629 .B \-O
632 .B \-\-no\-optimize
634 Do not run the packet-matching code optimizer.
638 .B \-p
641 .B \-\-no\-promiscuous\-mode
644 into promiscuous mode.
646 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
647 `ether host {local-hw-addr} or ether broadcast'.
649 .BI \-\-print
652 .B \-w
655 .BI \-Q " direction"
658 .BI \-\-direction= direction
664 .B \-q
669 .BI \-r " file"
671 .B \-w
673 Standard input is used if \fIfile\fR is ``-''.
675 .B \-S
678 .B \-\-absolute\-tcp\-sequence\-numbers
682 .BI \-s " snaplen"
685 .BI \-\-snapshot\-length= snaplen
701 large, and much of the detail won't be available if a too-short snapshot
711 .BI \-T " type"
715 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
726 \fBrtcp\fR (Real-Time Applications control protocol),
727 \fBrtp\fR (Real-Time Applications protocol),
738 PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
747 .B \-t
750 .B \-tt
754 .B \-ttt
756 .B \-\-time\-stamp-precision
760 .B \-tttt
764 .B \-ttttt
766 .B \-\-time\-stamp-precision
770 .B \-u
773 .B \-U
776 .B \-\-packet\-buffered
779 .B \-w
781 .B \-\-print
783 ``packet-buffered''; i.e., as the description of the contents of each
789 .B \-w
791 ``packet-buffered''; i.e., as each packet is saved, it will be written
796 .B \-U
805 .B \-v
813 .B \-w
815 .B \-r
817 Solaris, FreeBSD and possibly other operating systems this periodic update
821 .B \-vv
826 .B \-vvv
832 .B \-X
835 .BI \-V " file"
837 if \fIfile\fR is ``-''.
839 .BI \-w " file"
842 They can later be printed with the \-r option.
843 Standard output is used if \fIfile\fR is ``-''.
848 .B \-U
864 .BI \-W " filecount"
866 .B \-C
875 .B \-G
880 .B \-C
882 .B \-G,
884 .B \-W
887 .B \-x
893 bytes will be printed. Note that this is the entire link-layer
898 .B \-xx
901 .B \-xx
908 .B \-X
914 .B \-XX
917 .B \-XX
924 .BI \-y " datalinktype"
927 .BI \-\-linktype= datalinktype
931 or just compiling and dumping packet-matching code (see
935 .BI \-z " postrotate-command"
937 .B -C
939 .B -G
943 .I postrotate-command file
947 .B \-z gzip
949 .B \-z bzip2
960 .BI \-Z " user"
963 .BI \-\-relinquish\-privileges= user
1019 tcpdump net ucb-ether
1025 (mis-)interpreting the parentheses):
1029 tcpdump 'gateway snup and (port ftp or ftp-data)'
1044 TCP conversation that involves a non-local host.
1048 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1058 tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
1064 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1068 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1095 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1129 When the \fIany\fP interface is selected on capture or when a link-type
1138 If the '-e' option is given, the link level header is printed out.
1142 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1153 so-called SNAP packet.
1155 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1161 the '-e' option is specified or not, the source routing information is
1162 printed for source-routed packets.
1164 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1186 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1210 \f(CWarp who-has csam tell rtsg
1211 arp reply csam is-at CSAM\fR
1221 This would look less redundant if we had done \fItcpdump \-n\fP:
1225 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1226 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1230 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1231 broadcast and the second is point-to-point would be visible:
1235 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1236 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1245 If the link-layer header is not being printed, for IPv4 packets,
1249 .B \-v
1251 parentheses after the \fBIP\fP or the link-layer header.
1260 \fItos\fP is the type of service field; if the ECN bits are non-zero,
1262 \fIttl\fP is the time-to-live; it is not reported if it is zero.
1285 .B \-v
1299 \fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow…
1308 \fIData-seqno\fP describes the portion of sequence space covered
1348 There was no piggy-backed ACK, the available receive window was 4096
1349 bytes and there was a max-segment-size option requesting an MSS of
1352 Csam replies with a similar packet except it includes a piggy-backed
1368 `-S' will override this
1372 in the rtsg \(-> csam side of the conversation).
1394 .SS Particular TCP Flag Combinations (SYN-ACK, URG-ACK, etc.)
1402 Recall that TCP uses a 3-way handshake protocol
1419 (SYN-ACK), just a plain initial SYN.
1427 -----------------------------------------------------------------
1429 -----------------------------------------------------------------
1431 -----------------------------------------------------------------
1433 -----------------------------------------------------------------
1435 -----------------------------------------------------------------
1437 -----------------------------------------------------------------
1442 The first line of the graph contains octets 0 - 3, the
1443 second line shows octets 4 - 7 etc.
1450 ----------------|---------------|---------------|----------------
1452 ----------------|---------------|---------------|----------------
1460 |---------------|
1462 |---------------|
1477 |---------------|
1479 |---------------|
1486 Assuming that octet number 13 is an 8-bit unsigned integer in
1500 as an 8-bit unsigned integer in network byte order, must be exactly 2.
1512 tcpdump -i xl0 'tcp[13] == 2'
1522 with SYN-ACK set arrives:
1526 |---------------|
1528 |---------------|
1547 SYN-ACK set, but not those with only SYN set.
1560 00010010 SYN-ACK 00000010 SYN
1562 -------- --------
1578 tcpdump -i xl0 'tcp[13] & 2 == 2'
1584 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1585 tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
1590 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1627 \fIsrc > dst: id op? flags qtype qclass name (len)\fP
1641 so the op field was omitted.
1642 If the op had been anything else, it would
1667 \fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
1680 The op (Query) and response code
1691 Other flag characters that might appear are `\-' (recursion available,
1704 decode done if -v is used.
1705 Be warned that with -v a single SMB packet
1706 may take up a page or more, so only use -v if you really want all the
1719 \fIsrc.sport > dst.nfs: NFS request xid xid len op args\fP
1720 \fIsrc.nfs > dst.dport: NFS reply xid xid reply stat len op results\fP
1757 instead of the non-NFS port number of the packet.
1759 If the \-v (verbose) flag is given, additional information is printed.
1773 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1782 Because the \-v flag
1785 the file mode (in octal), the UID and GID, and the file size.
1787 If the \-v flag is given more than once, even more details are printed.
1803 \fIsrc.sport > dst.dport: rx packet-type\fP
1804 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1805 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1832 The format is intended to be self-describing, but it will probably
1836 If the -v (verbose) flag is given twice, acknowledgement packets and
1840 If the -v flag is given twice, additional information is printed,
1844 If the -v flag is given three times, the security index and service id
1861 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1874 16.1 icsd-net
1882 from a net by the 3rd octet in the number \-
1897 \f(CW144.1.209.2 > icsd-net.112.220
1898 office.2 > icsd-net.112.220
1899 jssmag.149.235 > icsd-net.2\fR
1912 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1914 number \- for this reason it's a good idea to keep node names and
1928 \f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1929 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1930 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
1949 \f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1950 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1951 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1952 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1953 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1954 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1955 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1956 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1957 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1958 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1959 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1960 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1961 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1962 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
1967 up to 8 packets (the `<0-7>').
1971 Helios responds with 8 512-byte packets.
1989 .B tcp-ece
1991 .B tcp-cwr
2005 .I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
2034 To report a security issue please send an e-mail to \%security@tcpdump.org.
2057 not correctly handle source-routed Token Ring packets.