Lines Matching +full:x +full:- +full:real +full:- +full:ip
25 tcpdump \- dump traffic on a network
30 .B \-AbdDefhHIJKlLnNOpqStuUvxX#
32 .B \-B
38 .B \-c
42 .B \-\-count
45 .B \-C
50 .B \-E
55 .B \-F
59 .B \-G
63 .B \-i
68 .B \-\-immediate\-mode
71 .B \-j
75 .B \-m
80 .B \-M
84 .B \-\-number
87 .B \-\-print
90 .B \-Q
95 .B \-r
99 .B \-s
103 .B \-T
107 .B \-\-version
111 .B \-V
115 .B \-w
119 .B \-W
123 .B \-y
128 .B \-z
129 .I postrotate-command
132 .B \-Z
137 .BI \-\-time\-stamp\-precision= tstamp_precision
141 .BI \-\-micro
144 .BI \-\-nano
161 .B \-w
164 .B \-r
167 .B \-V
176 .B \-c
179 typically control-C) or a SIGTERM signal (typically generated with the
182 .B \-c
197 and possibly on the way the OS was configured - if a filter was
219 your ``status'' character, typically control-T, although on some
228 .B \-w
238 .B \-A
242 .B \-b
246 .BI \-B " buffer_size"
249 .BI \-\-buffer\-size= buffer_size
254 .BI \-c " count"
257 .BI \-\-count
263 .BI \-C " file_size"
268 .B \-w
273 .B \-d
274 Dump the compiled packet-matching code in a human readable form to
277 Please mind that although code compilation is always DLT-specific,
285 .B -y
287 .B -i
293 .B -r
295 .B -i
297 .B -d
304 .B \-dd
305 Dump packet-matching code as a
309 .B \-ddd
310 Dump packet-matching code as decimal numbers (preceded with a count).
312 .B \-D
315 .B \-\-list\-interfaces
324 .B \-i
334 .B \-D
343 .B \-e
344 Print the link-level header on each dump line. This can be used, for
348 .B \-E
356 \fBdes-cbc\fP,
357 \fB3des-cbc\fP,
358 \fBblowfish-cbc\fP,
359 \fBrc3-cbc\fP,
360 \fBcast128-cbc\fP, or
362 The default is \fBdes-cbc\fP.
367 If preceded by 0x, then a hex value will be read.
382 .B \-f
385 Sun's NIS server \(em usually it hangs forever translating non-local
392 because it is the "any" pseudo-interface, which is
397 .BI \-F " file"
401 .BI \-G " rotate_seconds"
403 .B \-w
406 .B \-w
411 pre-existing data; providing a time specification that is coarser than the
415 .B \-C
418 .B \-h
421 .B \-\-help
426 .B \-\-version
430 .B \-H
433 .BI \-i " interface"
436 .BI \-\-interface= interface
438 Listen, report the list of link-layer types, report the list of time
441 .B -d
450 Note that captures on the ``any'' pseudo-interface will not be done in promiscuous
454 .B \-D
460 .B \-I
463 .B \-\-monitor\-mode
466 802.11 Wi-Fi interfaces, and supported only on some operating systems.
476 .B \-L
478 .B \-I
479 isn't specified, only those link-layer types available when not in
481 .B \-I
482 is specified, only those link-layer types available when in monitor mode
485 .BI \-\-immediate\-mode
492 .BI \-j " tstamp_type"
495 .BI \-\-time\-stamp\-type= tstamp_type
503 .B \-J
506 .B \-\-list\-time\-stamp\-types
512 .BI \-\-time\-stamp\-precision= tstamp_precision
531 .B \-\-micro
534 .B \-\-nano
536 Shorthands for \fB\-\-time\-stamp\-precision=micro\fP or
537 \fB\-\-time\-stamp\-precision=nano\fP, adjusting the time stamp
539 \fB\-\-micro\fP truncates time stamps if the savefile was created with
542 \fB\-\-nano\fP is used.
544 .B \-K
547 .B \-\-dont\-verify\-checksums
549 Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
553 .B \-l
562 \fBtcpdump \-l | tee dat\fP
572 \fBtcpdump \-l > dat & tail \-f dat\fP
579 .B \-l
582 .B \-U
584 .B \-l
585 in its behavior, but it will cause output to be ``packet-buffered'', so
590 .B \-L
593 .B \-\-list\-data\-link\-types
597 specified mode; for example, on some platforms, a Wi-Fi interface might
605 .BI \-m " module"
610 .BI \-M " secret"
612 TCP segments with the TCP-MD5 option (RFC 2385), if present.
614 .B \-n
617 .B \-N
623 .B \-#
626 .B \-\-number
630 .B \-O
633 .B \-\-no\-optimize
635 Do not run the packet-matching code optimizer.
639 .B \-p
642 .B \-\-no\-promiscuous\-mode
647 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
648 `ether host {local-hw-addr} or ether broadcast'.
650 .BI \-\-print
653 .B \-w
656 .BI \-Q " direction"
659 .BI \-\-direction= direction
665 .B \-q
670 .BI \-r " file"
672 .B \-w
674 Standard input is used if \fIfile\fR is ``-''.
676 .B \-S
679 .B \-\-absolute\-tcp\-sequence\-numbers
683 .BI \-s " snaplen"
686 .BI \-\-snapshot\-length= snaplen
702 large, and much of the detail won't be available if a too-short snapshot
712 .BI \-T " type"
716 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
727 \fBrtcp\fR (Real-Time Applications control protocol),
728 \fBrtp\fR (Real-Time Applications protocol),
730 \fBsomeip\fR (SOME/IP),
739 PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is
748 .B \-t
751 .B \-tt
755 .B \-ttt
757 .B \-\-time\-stamp-precision
761 .B \-tttt
765 .B \-ttttt
767 .B \-\-time\-stamp-precision
771 .B \-u
774 .B \-U
777 .B \-\-packet\-buffered
780 .B \-w
782 .B \-\-print
784 ``packet-buffered''; i.e., as the description of the contents of each
790 .B \-w
792 ``packet-buffered''; i.e., as each packet is saved, it will be written
797 .B \-U
806 .B \-v
809 identification, total length and options in an IP packet are printed.
814 .B \-w
816 .B \-r
822 .B \-vv
827 .B \-vvv
833 .B \-X
836 .BI \-V " file"
838 if \fIfile\fR is ``-''.
840 .BI \-w " file"
843 They can later be printed with the \-r option.
844 Standard output is used if \fIfile\fR is ``-''.
849 .B \-U
865 .BI \-W " filecount"
867 .B \-C
876 .B \-G
881 .B \-C
883 .B \-G,
885 .B \-W
888 .B \-x
894 bytes will be printed. Note that this is the entire link-layer
899 .B \-xx
902 .B \-xx
909 .B \-X
915 .B \-XX
918 .B \-XX
925 .BI \-y " datalinktype"
928 .BI \-\-linktype= datalinktype
932 or just compiling and dumping packet-matching code (see
936 .BI \-z " postrotate-command"
938 .B -C
940 .B -G
944 .I postrotate-command file
948 .B \-z gzip
950 .B \-z bzip2
961 .BI \-Z " user"
964 .BI \-\-relinquish\-privileges= user
1009 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
1012 \fBtcpdump ip host ace and not helios\fP
1020 tcpdump net ucb-ether
1026 (mis-)interpreting the parentheses):
1030 tcpdump 'gateway snup and (port ftp or ftp-data)'
1040 tcpdump ip and not net \fIlocalnet\fP
1045 TCP conversation that involves a non-local host.
1049 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1059 tcpdump 'tcp[tcpflags] & (tcp-rst|tcp-ack) == (tcp-rst|tcp-ack)'
1065 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1069 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1073 To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
1077 tcpdump 'gateway snup and ip[2:2] > 576'
1081 To print IP broadcast or multicast packets that were
1087 tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
1096 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1132 If the '-e' option is given, the link level header is printed out.
1136 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1142 as those containing IP datagrams) are `async' packets, with a priority
1147 so-called SNAP packet.
1149 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1155 the '-e' option is specified or not, the source routing information is
1156 printed for source-routed packets.
1158 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1170 The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
1171 No further link information is printed for \fIip\fR packets.
1180 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1205 \f(CWarp who-has csam tell rtsg
1206 arp reply csam is-at CSAM\fR
1216 This would look less redundant if we had done \fItcpdump \-n\fP:
1220 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1221 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1225 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1226 broadcast and the second is point-to-point would be visible:
1230 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1231 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1241 If the link-layer header is not being printed, for IPv4 packets,
1242 \fBIP\fP is printed after the time stamp.
1245 .B \-v
1247 parentheses after the \fBIP\fP or the link-layer header.
1256 \fItos\fP is the type of service field; if the ECN bits are non-zero,
1258 \fIttl\fP is the time-to-live; it is not reported if it is zero.
1259 \fIid\fP is the IP identification field.
1267 \fIoptions\fP are the IP options, if any.
1269 Next, for TCP and UDP packets, the source and destination IP addresses
1270 and TCP or UDP ports, with a dot between each IP address and its
1276 For fragmented IP datagrams, the first fragment contains the higher
1280 .B \-v
1281 flag, in the IP header information, as described above.
1295 \fIsrc\fP > \fIdst\fP: Flags [\fItcpflags\fP], seq \fIdata-seqno\fP, ack \fIackno\fP, win \fIwindow…
1299 \fISrc\fP and \fIdst\fP are the source and destination IP
1304 \fIData-seqno\fP describes the portion of sequence space covered
1344 There was no piggy-backed ACK, the available receive window was 4096
1345 bytes and there was a max-segment-size option requesting an MSS of
1348 Csam replies with a similar packet except it includes a piggy-backed
1364 `-S' will override this
1368 in the rtsg \(-> csam side of the conversation).
1387 length indicates options are present but the IP datagram length is not
1391 .B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
1399 Recall that TCP uses a 3-way handshake protocol
1416 (SYN-ACK), just a plain initial SYN.
1424 -----------------------------------------------------------------
1426 -----------------------------------------------------------------
1428 -----------------------------------------------------------------
1430 -----------------------------------------------------------------
1432 -----------------------------------------------------------------
1434 -----------------------------------------------------------------
1439 The first line of the graph contains octets 0 - 3, the
1440 second line shows octets 4 - 7 etc.
1447 ----------------|---------------|---------------|----------------
1449 ----------------|---------------|---------------|----------------
1457 |---------------|
1459 |---------------|
1474 |---------------|
1476 |---------------|
1483 Assuming that octet number 13 is an 8-bit unsigned integer in
1497 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1509 tcpdump -i xl0 tcp[13] == 2
1519 with SYN-ACK set arrives:
1523 |---------------|
1525 |---------------|
1544 SYN-ACK set, but not those with only SYN set.
1557 00010010 SYN-ACK 00000010 SYN
1559 -------- --------
1575 tcpdump -i xl0 'tcp[13] & 2 == 2'
1581 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1582 tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr.
1587 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1659 `must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
1660 is printed, where \fIx\fP is the hex value of header bytes two and three.
1680 excluding TCP or UDP and IP headers.
1685 response code of non-existent domain (NXDomain) with no answers,
1692 Other flag characters that might appear are `\-' (recursion available,
1706 decode done if -v is used.
1707 Be warned that with -v a single SMB packet
1708 may take up a page or more, so only use -v if you really want all the
1741 excluding the UDP and IP headers.
1760 instead of the non-NFS port number of the packet.
1762 If the \-v (verbose) flag is given, additional information is printed.
1776 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1785 Because the \-v flag
1790 If the \-v flag is given more than once, even more details are printed.
1807 \fIsrc.sport > dst.dport: rx packet-type\fP
1808 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1809 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1836 The format is intended to be self-describing, but it will probably
1840 If the -v (verbose) flag is given twice, acknowledgement packets and
1844 If the -v flag is given twice, additional information is printed,
1848 If the -v flag is given three times, the security index and service id
1866 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1879 16.1 icsd-net
1887 from a net by the 3rd octet in the number \-
1902 \f(CW144.1.209.2 > icsd-net.112.220
1903 office.2 > icsd-net.112.220
1904 jssmag.149.235 > icsd-net.2\fR
1917 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1919 number \- for this reason it's a good idea to keep node names and
1932 \f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1933 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1934 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR
1952 \f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1953 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1954 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1955 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1956 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1957 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1958 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1959 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1960 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1961 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1962 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1963 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1964 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1965 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR
1970 up to 8 packets (the `<0-7>').
1974 Helios responds with 8 512-byte packets.
1992 .B tcp-ece
1994 .B tcp-cwr
2008 .I https://www.iana.org/assignments/media-types/application/vnd.tcpdump.pcap
2037 To report a security issue please send an e-mail to \%[email protected].
2047 On Linux systems with 2.0[.x] kernels:
2055 will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
2057 true length of the packet; this would cause most IP packets to get an
2065 Some attempt should be made to reassemble IP fragments or, at least
2069 question section is printed rather than real query in the answer
2078 not correctly handle source-routed Token Ring packets.