Lines Matching +full:system +full:- +full:clock +full:- +full:direction +full:- +full:out
25 tcpdump \- dump traffic on a network
30 .B \-AbdDefhHIJKlLnNOpqStuUvxX#
32 .B \-B
37 .B \-c
41 .B \-\-count
44 .B \-C
49 .B \-E
54 .B \-F
58 .B \-G
62 .B \-i
67 .B \-\-immediate\-mode
70 .B \-j
74 .B \-m
79 .B \-M
83 .B \-\-number
86 .B \-\-print
89 .B \-Q
90 .I in|out|inout
94 .B \-r
98 .B \-s
102 .B \-T
106 .B \-\-version
110 .B \-V
114 .B \-w
118 .B \-W
122 .B \-y
127 .B \-z
128 .I postrotate-command
131 .B \-Z
136 .BI \-\-time\-stamp\-precision= tstamp_precision
140 .BI \-\-micro
143 .BI \-\-nano
153 \fITcpdump\fP prints out a description of the contents of packets on a
160 .B \-w
163 .B \-r
166 .B \-V
175 .B \-c
178 typically control-C) or a SIGTERM signal (typically generated with the
181 .B \-c
196 and possibly on the way the OS was configured - if a filter was
218 your ``status'' character, typically control-T, although on some
227 .B \-w
237 .B \-A
241 .B \-b
245 .BI \-B " buffer_size"
248 .BI \-\-buffer\-size= buffer_size
250 Set the operating system capture buffer size to \fIbuffer_size\fP, in
253 .BI \-c " count"
256 .BI \-\-count
262 .BI \-C " file_size"
267 .B \-w
272 .B \-d
273 Dump the compiled packet-matching code in a human readable form to
276 Please mind that although code compilation is always DLT-specific,
284 .B -y
286 .B -i
292 .B -r
294 .B -i
296 .B -d
303 .B \-dd
304 Dump packet-matching code as a
308 .B \-ddd
309 Dump packet-matching code as decimal numbers (preceded with a count).
311 .B \-D
314 .B \-\-list\-interfaces
316 Print the list of the network interfaces available on the system and on
323 .B \-i
333 .B \-D
342 .B \-e
343 Print the link-level header on each dump line. This can be used, for
347 .B \-E
355 \fBdes-cbc\fP,
356 \fB3des-cbc\fP,
357 \fBblowfish-cbc\fP,
358 \fBrc3-cbc\fP,
359 \fBcast128-cbc\fP, or
361 The default is \fBdes-cbc\fP.
381 .B \-f
384 Sun's NIS server \(em usually it hangs forever translating non-local
391 because it is the "any" pseudo-interface, which is
396 .BI \-F " file"
400 .BI \-G " rotate_seconds"
402 .B \-w
405 .B \-w
414 .B \-C
417 .B \-h
420 .B \-\-help
425 .B \-\-version
429 .B \-H
432 .BI \-i " interface"
435 .BI \-\-interface= interface
437 Listen, report the list of link-layer types, report the list of time
440 .B -d
441 flag is not given, \fItcpdump\fP searches the system
443 (excluding loopback), which may turn out to be, for example, ``eth0''.
449 Note that captures on the ``any'' pseudo-interface will not be done in promiscuous
453 .B \-D
457 argument, if no interface on the system has that number as a name.
459 .B \-I
462 .B \-\-monitor\-mode
465 802.11 Wi-Fi interfaces, and supported only on some operating systems.
475 .B \-L
477 .B \-I
478 isn't specified, only those link-layer types available when not in
480 .B \-I
481 is specified, only those link-layer types available when in monitor mode
484 .BI \-\-immediate\-mode
491 .BI \-j " tstamp_type"
494 .BI \-\-time\-stamp\-type= tstamp_type
502 .B \-J
505 .B \-\-list\-time\-stamp\-types
511 .BI \-\-time\-stamp\-precision= tstamp_precision
530 .B \-\-micro
533 .B \-\-nano
535 Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
536 \fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
538 \fB\-\-micro\fP truncates time stamps if the savefile was created with
541 \fB\-\-nano\fP is used.
543 .B \-K
546 .B \-\-dont\-verify\-checksums
552 .B \-l
561 \fBtcpdump \-l | tee dat\fP
571 \fBtcpdump \-l > dat & tail \-f dat\fP
578 .B \-l
581 .B \-U
583 .B \-l
584 in its behavior, but it will cause output to be ``packet-buffered'', so
589 .B \-L
592 .B \-\-list\-data\-link\-types
596 specified mode; for example, on some platforms, a Wi-Fi interface might
604 .BI \-m " module"
609 .BI \-M " secret"
611 TCP segments with the TCP-MD5 option (RFC 2385), if present.
613 .B \-n
616 .B \-N
622 .B \-#
625 .B \-\-number
629 .B \-O
632 .B \-\-no\-optimize
634 Do not run the packet-matching code optimizer.
638 .B \-p
641 .B \-\-no\-promiscuous\-mode
646 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
647 `ether host {local-hw-addr} or ether broadcast'.
649 .BI \-\-print
652 .B \-w
655 .BI \-Q " direction"
658 .BI \-\-direction= direction
660 Choose send/receive direction \fIdirection\fR for which packets should be
661 captured. Possible values are `in', `out' and `inout'. Not available
664 .B \-q
669 .BI \-r " file"
671 .B \-w
673 Standard input is used if \fIfile\fR is ``-''.
675 .B \-S
678 .B \-\-absolute\-tcp\-sequence\-numbers
682 .BI \-s " snaplen"
685 .BI \-\-snapshot\-length= snaplen
701 large, and much of the detail won't be available if a too-short snapshot
711 .BI \-T " type"
715 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
718 \fBdomain\fR (Domain Name System),
726 \fBrtcp\fR (Real-Time Applications control protocol),
727 \fBrtp\fR (Real-Time Applications protocol),
738 PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
747 .B \-t
750 .B \-tt
754 .B \-ttt
756 .B \-\-time\-stamp-precision
760 .B \-tttt
764 .B \-ttttt
766 .B \-\-time\-stamp-precision
770 .B \-u
773 .B \-U
776 .B \-\-packet\-buffered
779 .B \-w
781 .B \-\-print
783 ``packet-buffered''; i.e., as the description of the contents of each
789 .B \-w
791 ``packet-buffered''; i.e., as each packet is saved, it will be written
796 .B \-U
805 .B \-v
813 .B \-w
815 .B \-r
821 .B \-vv
826 .B \-vvv
832 .B \-X
835 .BI \-V " file"
837 if \fIfile\fR is ``-''.
839 .BI \-w " file"
841 them out.
842 They can later be printed with the \-r option.
843 Standard output is used if \fIfile\fR is ``-''.
848 .B \-U
864 .BI \-W " filecount"
866 .B \-C
875 .B \-G
880 .B \-C
882 .B \-G,
884 .B \-W
887 .B \-x
893 bytes will be printed. Note that this is the entire link-layer
898 .B \-xx
901 .B \-xx
908 .B \-X
914 .B \-XX
917 .B \-XX
924 .BI \-y " datalinktype"
927 .BI \-\-linktype= datalinktype
931 or just compiling and dumping packet-matching code (see
935 .BI \-z " postrotate-command"
937 .B -C
939 .B -G
943 .I postrotate-command file
947 .B \-z gzip
949 .B \-z bzip2
960 .BI \-Z " user"
963 .BI \-\-relinquish\-privileges= user
1019 tcpdump net ucb-ether
1025 (mis-)interpreting the parentheses):
1029 tcpdump 'gateway snup and (port ftp or ftp-data)'
1044 TCP conversation that involves a non-local host.
1048 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1058 tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
1064 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1068 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1095 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1111 is the current clock time in the form
1117 and is as accurate as the kernel's clock.
1129 When the \fIany\fP interface is selected on capture or when a link-type
1132 type with \fIIn\fP and \fIOut\fP denoting a packet destined for this host or
1138 If the '-e' option is given, the link level header is printed out.
1142 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1153 so-called SNAP packet.
1155 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1161 the '-e' option is specified or not, the source routing information is
1162 printed for source-routed packets.
1164 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1173 On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
1174 packet type, and compression information are printed out.
1179 If the packet is compressed, its encoded header is printed out.
1180 The special cases are printed out as
1186 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1210 \f(CWarp who-has csam tell rtsg
1211 arp reply csam is-at CSAM\fR
1221 This would look less redundant if we had done \fItcpdump \-n\fP:
1225 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1226 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1230 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1231 broadcast and the second is point-to-point would be visible:
1235 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1236 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1245 If the link-layer header is not being printed, for IPv4 packets,
1249 .B \-v
1251 parentheses after the \fBIP\fP or the link-layer header.
1260 \fItos\fP is the type of service field; if the ECN bits are non-zero,
1262 \fIttl\fP is the time-to-live; it is not reported if it is zero.
1285 .B \-v
1299 \fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow…
1308 \fIData-seqno\fP describes the portion of sequence space covered
1311 direction on this connection.
1313 the other direction on this connection.
1348 There was no piggy-backed ACK, the available receive window was 4096
1349 bytes and there was a max-segment-size option requesting an MSS of
1352 Csam replies with a similar packet except it includes a piggy-backed
1367 first data byte each direction being `1').
1368 `-S' will override this
1372 in the rtsg \(-> csam side of the conversation).
1394 .SS Particular TCP Flag Combinations (SYN-ACK, URG-ACK, etc.)
1402 Recall that TCP uses a 3-way handshake protocol
1419 (SYN-ACK), just a plain initial SYN.
1427 -----------------------------------------------------------------
1429 -----------------------------------------------------------------
1431 -----------------------------------------------------------------
1433 -----------------------------------------------------------------
1435 -----------------------------------------------------------------
1437 -----------------------------------------------------------------
1442 The first line of the graph contains octets 0 - 3, the
1443 second line shows octets 4 - 7 etc.
1450 ----------------|---------------|---------------|----------------
1452 ----------------|---------------|---------------|----------------
1460 |---------------|
1462 |---------------|
1477 |---------------|
1479 |---------------|
1486 Assuming that octet number 13 is an 8-bit unsigned integer in
1500 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1512 tcpdump -i xl0 'tcp[13] == 2'
1522 with SYN-ACK set arrives:
1526 |---------------|
1528 |---------------|
1547 SYN-ACK set, but not those with only SYN set.
1560 00010010 SYN-ACK 00000010 SYN
1562 -------- --------
1578 tcpdump -i xl0 'tcp[13] & 2 == 2'
1584 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1585 tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
1590 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1691 Other flag characters that might appear are `\-' (recursion available,
1704 decode done if -v is used.
1705 Be warned that with -v a single SMB packet
1706 may take up a page or more, so only use -v if you really want all the
1715 Sun NFS (Network File System) requests and replies are printed as:
1757 instead of the non-NFS port number of the packet.
1759 If the \-v (verbose) flag is given, additional information is printed.
1773 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1782 Because the \-v flag
1787 If the \-v flag is given more than once, even more details are printed.
1797 Transarc AFS (Andrew File System) requests and replies are printed
1803 \fIsrc.sport > dst.dport: rx packet-type\fP
1804 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1805 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1832 The format is intended to be self-describing, but it will probably
1836 If the -v (verbose) flag is given twice, acknowledgement packets and
1840 If the -v flag is given twice, additional information is printed,
1844 If the -v flag is given three times, the security index and service id
1861 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1874 16.1 icsd-net
1882 from a net by the 3rd octet in the number \-
1897 \f(CW144.1.209.2 > icsd-net.112.220
1898 office.2 > icsd-net.112.220
1899 jssmag.149.235 > icsd-net.2\fR
1912 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1914 number \- for this reason it's a good idea to keep node names and
1928 \f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1929 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1930 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
1949 \f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1950 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1951 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1952 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1953 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1954 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1955 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1956 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1957 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1958 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1959 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1960 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1961 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1962 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
1967 up to 8 packets (the `<0-7>').
1971 Helios responds with 8 512-byte packets.
1989 .B tcp-ece
1991 .B tcp-cwr
2005 .I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
2034 To report a security issue please send an e-mail to \%security@tcpdump.org.
2057 not correctly handle source-routed Token Ring packets.