Date: Thu, 28 Oct 2010 19:08:56 +0000 (UTC) From: Rui Paulo <rpaulo@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r214481 - head/usr.sbin/tcpdump/tcpdump Message-ID: <201010281908.o9SJ8u3K025827@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rpaulo Date: Thu Oct 28 19:08:56 2010 New Revision: 214481 URL: http://svn.freebsd.org/changeset/base/214481 Log: Update for the new tcpdump 4.1.1. The man page is a result of running tcpdump's autoconf on FreeBSD. Added: head/usr.sbin/tcpdump/tcpdump/tcpdump.1 (contents, props changed) Modified: head/usr.sbin/tcpdump/tcpdump/Makefile Modified: head/usr.sbin/tcpdump/tcpdump/Makefile ============================================================================== --- head/usr.sbin/tcpdump/tcpdump/Makefile Thu Oct 28 19:08:50 2010 (r214480) +++ head/usr.sbin/tcpdump/tcpdump/Makefile Thu Oct 28 19:08:56 2010 (r214481) @@ -15,7 +15,7 @@ SRCS = addrtoname.c af.c checksum.c cpac print-cfm.c print-chdlc.c print-cip.c print-cnfp.c print-dccp.c \ print-decnet.c print-domain.c print-dtp.c print-dvmrp.c print-enc.c \ print-egp.c print-eap.c print-eigrp.c \ - print-esp.c print-ether.c print-fddi.c print-fr.c \ + print-esp.c print-ether.c print-fddi.c print-forces.c print-fr.c \ print-gre.c print-hsrp.c print-icmp.c print-igmp.c \ print-igrp.c print-ip.c print-ipcomp.c print-ipfc.c \ print-ipx.c print-isakmp.c print-isoclns.c print-juniper.c print-krb.c \ @@ -33,7 +33,7 @@ SRCS = addrtoname.c af.c checksum.c cpac print-timed.c print-token.c print-udld.c print-udp.c print-vjc.c \ print-vqp.c print-vrrp.c print-vtp.c \ print-wb.c print-zephyr.c setsignal.c tcpdump.c util.c \ - print-smb.c smbutil.c \ + print-smb.c signature.c smbutil.c \ version.c CLEANFILES+= version.c Added: head/usr.sbin/tcpdump/tcpdump/tcpdump.1 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/usr.sbin/tcpdump/tcpdump/tcpdump.1 Thu Oct 28 19:08:56 2010 (r214481) @@ -0,0 +1,1722 @@ +.\" $FreeBSD$ +.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL) +.\" +.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $ +.\" +.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997 +.\" The Regents of the University of California. All rights reserved. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that: (1) source code distributions +.\" retain the above copyright notice and this paragraph in its entirety, (2) +.\" distributions including binary code include the above copyright notice and +.\" this paragraph in its entirety in the documentation or other materials +.\" provided with the distribution, and (3) all advertising materials mentioning +.\" features or use of this software display the following acknowledgement: +.\" ``This product includes software developed by the University of California, +.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of +.\" the University nor the names of its contributors may be used to endorse +.\" or promote products derived from this software without specific prior +.\" written permission. +.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED +.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. +.\" +.TH TCPDUMP 1 "05 March 2009" +.SH NAME +tcpdump \- dump traffic on a network +.SH SYNOPSIS +.na +.B tcpdump +[ +.B \-AbdDefIKlLnNOpqRStuUvxX +] [ +.B \-B +.I buffer_size +] [ +.B \-c +.I count +] +.br +.ti +8 +[ +.B \-C +.I file_size +] [ +.B \-G +.I rotate_seconds +] [ +.B \-F +.I file +] +.br +.ti +8 +[ +.B \-i +.I interface +] +[ +.B \-m +.I module +] +[ +.B \-M +.I secret +] +.br +.ti +8 +[ +.B \-r +.I file +] +[ +.B \-s +.I snaplen +] +[ +.B \-T +.I type +] +[ +.B \-w +.I file +] +.br +.ti +8 +[ +.B \-W +.I filecount +] +.br +.ti +8 +[ +.B \-E +.I spi@ipaddr algo:secret,... +] +.br +.ti +8 +[ +.B \-y +.I datalinktype +] +[ +.B \-z +.I postrotate-command +] +[ +.B \-Z +.I user +] +.ti +8 +[ +.I expression +] +.br +.ad +.SH DESCRIPTION +.LP +\fITcpdump\fP prints out a description of the contents of packets on a +network interface that match the boolean \fIexpression\fP. It can also +be run with the +.B \-w +flag, which causes it to save the packet data to a file for later +analysis, and/or with the +.B \-r +flag, which causes it to read from a saved packet file rather than to +read packets from a network interface. In all cases, only packets that +match +.I expression +will be processed by +.IR tcpdump . +.LP +.I Tcpdump +will, if not run with the +.B \-c +flag, continue capturing packets until it is interrupted by a SIGINT +signal (generated, for example, by typing your interrupt character, +typically control-C) or a SIGTERM signal (typically generated with the +.BR kill (1) +command); if run with the +.B \-c +flag, it will capture packets until it is interrupted by a SIGINT or +SIGTERM signal or the specified number of packets have been processed. +.LP +When +.I tcpdump +finishes capturing packets, it will report counts of: +.IP +packets ``captured'' (this is the number of packets that +.I tcpdump +has received and processed); +.IP +packets ``received by filter'' (the meaning of this depends on the OS on +which you're running +.IR tcpdump , +and possibly on the way the OS was configured - if a filter was +specified on the command line, on some OSes it counts packets regardless +of whether they were matched by the filter expression and, even if they +were matched by the filter expression, regardless of whether +.I tcpdump +has read and processed them yet, on other OSes it counts only packets that were +matched by the filter expression regardless of whether +.I tcpdump +has read and processed them yet, and on other OSes it counts only +packets that were matched by the filter expression and were processed by +.IR tcpdump ); +.IP +packets ``dropped by kernel'' (this is the number of packets that were +dropped, due to a lack of buffer space, by the packet capture mechanism +in the OS on which +.I tcpdump +is running, if the OS reports that information to applications; if not, +it will be reported as 0). +.LP +On platforms that support the SIGINFO signal, such as most BSDs +(including Mac OS X) and Digital/Tru64 UNIX, it will report those counts +when it receives a SIGINFO signal (generated, for example, by typing +your ``status'' character, typically control-T, although on some +platforms, such as Mac OS X, the ``status'' character is not set by +default, so you must set it with +.BR stty (1) +in order to use it) and will continue capturing packets. +.LP +Reading packets from a network interface may require that you have +special privileges; see the +.B pcap (3PCAP) +man page for details. Reading a saved packet file doesn't require +special privileges. +.SH OPTIONS +.TP +.B \-A +Print each packet (minus its link level header) in ASCII. Handy for +capturing web pages. +.TP +.B \-b +Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN +notation. +.TP +.B \-B +Set the operating system capture buffer size to \fIbuffer_size\fP. +.TP +.B \-c +Exit after receiving \fIcount\fP packets. +.TP +.B \-C +Before writing a raw packet to a savefile, check whether the file is +currently larger than \fIfile_size\fP and, if so, close the current +savefile and open a new one. Savefiles after the first savefile will +have the name specified with the +.B \-w +flag, with a number after it, starting at 1 and continuing upward. +The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes, +not 1,048,576 bytes). +.TP +.B \-d +Dump the compiled packet-matching code in a human readable form to +standard output and stop. +.TP +.B \-dd +Dump packet-matching code as a +.B C +program fragment. +.TP +.B \-ddd +Dump packet-matching code as decimal numbers (preceded with a count). +.TP +.B \-D +Print the list of the network interfaces available on the system and on +which +.I tcpdump +can capture packets. For each network interface, a number and an +interface name, possibly followed by a text description of the +interface, is printed. The interface name or the number can be supplied +to the +.B \-i +flag to specify an interface on which to capture. +.IP +This can be useful on systems that don't have a command to list them +(e.g., Windows systems, or UNIX systems lacking +.BR "ifconfig \-a" ); +the number can be useful on Windows 2000 and later systems, where the +interface name is a somewhat complex string. +.IP +The +.B \-D +flag will not be supported if +.I tcpdump +was built with an older version of +.I libpcap +that lacks the +.B pcap_findalldevs() +function. +.TP +.B \-e +Print the link-level header on each dump line. +.TP +.B \-E +Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that +are addressed to \fIaddr\fP and contain Security Parameter Index value +\fIspi\fP. This combination may be repeated with comma or newline seperation. +.IP +Note that setting the secret for IPv4 ESP packets is supported at this time. +.IP +Algorithms may be +\fBdes-cbc\fP, +\fB3des-cbc\fP, +\fBblowfish-cbc\fP, +\fBrc3-cbc\fP, +\fBcast128-cbc\fP, or +\fBnone\fP. +The default is \fBdes-cbc\fP. +The ability to decrypt packets is only present if \fItcpdump\fP was compiled +with cryptography enabled. +.IP +\fIsecret\fP is the ASCII text for ESP secret key. +If preceeded by 0x, then a hex value will be read. +.IP +The option assumes RFC2406 ESP, not RFC1827 ESP. +The option is only for debugging purposes, and +the use of this option with a true `secret' key is discouraged. +By presenting IPsec secret key onto command line +you make it visible to others, via +.IR ps (1) +and other occasions. +.IP +In addition to the above syntax, the syntax \fIfile name\fP may be used +to have tcpdump read the provided file in. The file is opened upon +receiving the first ESP packet, so any special permissions that tcpdump +may have been given should already have been given up. +.TP +.B \-f +Print `foreign' IPv4 addresses numerically rather than symbolically +(this option is intended to get around serious brain damage in +Sun's NIS server \(em usually it hangs forever translating non-local +internet numbers). +.IP +The test for `foreign' IPv4 addresses is done using the IPv4 address and +netmask of the interface on which capture is being done. If that +address or netmask are not available, available, either because the +interface on which capture is being done has no address or netmask or +because the capture is being done on the Linux "any" interface, which +can capture on more than one interface, this option will not work +correctly. +.TP +.B \-F +Use \fIfile\fP as input for the filter expression. +An additional expression given on the command line is ignored. +.TP +.B \-G +If specified, rotates the dump file specified with the +.B \-w +option every \fIrotate_seconds\fP seconds. +Savefiles will have the name specified by +.B \-w +which should include a time format as defined by +.BR strftime (3). +If no time format is specified, each new file will overwrite the previous. +.IP +If used in conjunction with the +.B \-C +option, filenames will take the form of `\fIfile\fP<count>'. +.TP +.B \-i +Listen on \fIinterface\fP. +If unspecified, \fItcpdump\fP searches the system interface list for the +lowest numbered, configured up interface (excluding loopback). +Ties are broken by choosing the earliest match. +.IP +On Linux systems with 2.2 or later kernels, an +.I interface +argument of ``any'' can be used to capture packets from all interfaces. +Note that captures on the ``any'' device will not be done in promiscuous +mode. +.IP +If the +.B \-D +flag is supported, an interface number as printed by that flag can be +used as the +.I interface +argument. +.TP +.B \-I +Put the interface in "monitor mode"; this is supported only on IEEE +802.11 Wi-Fi interfaces, and supported only on some operating systems. +.IP +Note that in monitor mode the adapter might disassociate from the +network with which it's associated, so that you will not be able to use +any wireless networks with that adapter. This could prevent accessing +files on a network server, or resolving host names or network addresses, +if you are capturing in monitor mode and are not connected to another +network with another adapter. +.IP +This flag will affect the output of the +.B \-L +flag. If +.B \-I +isn't specified, only those link-layer types available when not in +monitor mode will be shown; if +.B \-I +is specified, only those link-layer types available when in monitor mode +will be shown. +.TP +.B \-K +Don't attempt to verify IP, TCP, or UDP checksums. This is useful for +interfaces that perform some or all of those checksum calculation in +hardware; otherwise, all outgoing TCP checksums will be flagged as bad. +.TP +.B \-l +Make stdout line buffered. +Useful if you want to see the data +while capturing it. +E.g., +.br +``tcpdump\ \ \-l\ \ |\ \ tee dat'' or +``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. +.TP +.B \-L +List the known data link types for the interface, in the specified mode, +and exit. The list of known data link types may be dependent on the +specified mode; for example, on some platforms, a Wi-Fi interface might +support one set of data link types when not in monitor mode (for +example, it might support only fake Ethernet headers, or might support +802.11 headers but not support 802.11 headers with radio information) +and another set of data link types when in monitor mode (for example, it +might support 802.11 headers, or 802.11 headers with radio information, +only in monitor mode). +.TP +.B \-m +Load SMI MIB module definitions from file \fImodule\fR. +This option +can be used several times to load several MIB modules into \fItcpdump\fP. +.TP +.B \-M +Use \fIsecret\fP as a shared secret for validating the digests found in +TCP segments with the TCP-MD5 option (RFC 2385), if present. +.TP +.B \-n +Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. +.TP +.B \-N +Don't print domain name qualification of host names. +E.g., +if you give this flag then \fItcpdump\fP will print ``nic'' +instead of ``nic.ddn.mil''. +.TP +.B \-O +Do not run the packet-matching code optimizer. +This is useful only +if you suspect a bug in the optimizer. +.TP +.B \-p +\fIDon't\fP put the interface +into promiscuous mode. +Note that the interface might be in promiscuous +mode for some other reason; hence, `-p' cannot be used as an abbreviation for +`ether host {local-hw-addr} or ether broadcast'. +.TP +.B \-q +Quick (quiet?) output. +Print less protocol information so output +lines are shorter. +.TP +.B \-R +Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829). +If specified, \fItcpdump\fP will not print replay prevention field. +Since there is no protocol version field in ESP/AH specification, +\fItcpdump\fP cannot deduce the version of ESP/AH protocol. +.TP +.B \-r +Read packets from \fIfile\fR (which was created with the +.B \-w +option). +Standard input is used if \fIfile\fR is ``-''. +.TP +.B \-S +Print absolute, rather than relative, TCP sequence numbers. +.TP +.B \-s +Snarf \fIsnaplen\fP bytes of data from each packet rather than the +default of 65535 bytes. +Packets truncated because of a limited snapshot +are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP +is the name of the protocol level at which the truncation has occurred. +Note that taking larger snapshots both increases +the amount of time it takes to process packets and, effectively, +decreases the amount of packet buffering. +This may cause packets to be +lost. +You should limit \fIsnaplen\fP to the smallest number that will +capture the protocol information you're interested in. +Setting +\fIsnaplen\fP to 0 sets it to the default of 65535, +for backwards compatibility with recent older versions of +.IR tcpdump . +.TP +.B \-T +Force packets selected by "\fIexpression\fP" to be interpreted the +specified \fItype\fR. +Currently known types are +\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol), +\fBcnfp\fR (Cisco NetFlow protocol), +\fBrpc\fR (Remote Procedure Call), +\fBrtp\fR (Real-Time Applications protocol), +\fBrtcp\fR (Real-Time Applications control protocol), +\fBsnmp\fR (Simple Network Management Protocol), +\fBtftp\fR (Trivial File Transfer Protocol), +\fBvat\fR (Visual Audio Tool), +and +\fBwb\fR (distributed White Board). +.TP +.B \-t +\fIDon't\fP print a timestamp on each dump line. +.TP +.B \-tt +Print an unformatted timestamp on each dump line. +.TP +.B \-ttt +Print a delta (micro-second resolution) between current and previous line +on each dump line. +.TP +.B \-tttt +Print a timestamp in default format proceeded by date on each dump line. +.TP +.B \-ttttt +Print a delta (micro-second resolution) between current and first line +on each dump line. +.TP +.B \-u +Print undecoded NFS handles. +.TP +.B \-U +Make output saved via the +.B \-w +option ``packet-buffered''; i.e., as each packet is saved, it will be +written to the output file, rather than being written only when the +output buffer fills. +.IP +The +.B \-U +flag will not be supported if +.I tcpdump +was built with an older version of +.I libpcap +that lacks the +.B pcap_dump_flush() +function. +.TP +.B \-v +When parsing and printing, produce (slightly more) verbose output. +For example, the time to live, +identification, total length and options in an IP packet are printed. +Also enables additional packet integrity checks such as verifying the +IP and ICMP header checksum. +.IP +When writing to a file with the +.B \-w +option, report, every 10 seconds, the number of packets captured. +.TP +.B \-vv +Even more verbose output. +For example, additional fields are +printed from NFS reply packets, and SMB packets are fully decoded. +.TP +.B \-vvv +Even more verbose output. +For example, +telnet \fBSB\fP ... \fBSE\fP options +are printed in full. +With +.B \-X +Telnet options are printed in hex as well. +.TP +.B \-w +Write the raw packets to \fIfile\fR rather than parsing and printing +them out. +They can later be printed with the \-r option. +Standard output is used if \fIfile\fR is ``-''. +See +.BR pcap-savefile (5) +for a description of the file format. +.TP +.B \-W +Used in conjunction with the +.B \-C +option, this will limit the number +of files created to the specified number, and begin overwriting files +from the beginning, thus creating a 'rotating' buffer. +In addition, it will name +the files with enough leading 0s to support the maximum number of +files, allowing them to sort correctly. +.IP +Used in conjunction with the +.B \-G +option, this will limit the number of rotated dump files that get +created, exiting with status 0 when reaching the limit. If used with +.B \-C +as well, the behavior will result in cyclical files per timeslice. +.TP +.B \-x +When parsing and printing, +in addition to printing the headers of each packet, print the data of +each packet (minus its link level header) in hex. +The smaller of the entire packet or +.I snaplen +bytes will be printed. Note that this is the entire link-layer +packet, so for link layers that pad (e.g. Ethernet), the padding bytes +will also be printed when the higher layer packet is shorter than the +required padding. +.TP +.B \-xx +When parsing and printing, +in addition to printing the headers of each packet, print the data of +each packet, +.I including +its link level header, in hex. +.TP +.B \-X +When parsing and printing, +in addition to printing the headers of each packet, print the data of +each packet (minus its link level header) in hex and ASCII. +This is very handy for analysing new protocols. +.TP +.B \-XX +When parsing and printing, +in addition to printing the headers of each packet, print the data of +each packet, +.I including +its link level header, in hex and ASCII. +.TP +.B \-y +Set the data link type to use while capturing packets to \fIdatalinktype\fP. +.TP +.B \-z +Used in conjunction with the +.B -C +or +.B -G +options, this will make +.I tcpdump +run " +.I command file +" where +.I file +is the savefile being closed after each rotation. For example, specifying +.B \-z gzip +or +.B \-z bzip2 +will compress each savefile using gzip or bzip2. +.IP +Note that tcpdump will run the command in parallel to the capture, using +the lowest priority so that this doesn't disturb the capture process. +.IP +And in case you would like to use a command that itself takes flags or +different arguments, you can always write a shell script that will take the +savefile name as the only argument, make the flags & arguments arrangements +and execute the command that you want. +.TP +.B \-Z +Drops privileges (if root) and changes user ID to +.I user +and the group ID to the primary group of +.IR user . +.IP +This behavior can also be enabled by default at compile time. +.IP "\fI expression\fP" +.RS +selects which packets will be dumped. +If no \fIexpression\fP +is given, all packets on the net will be dumped. +Otherwise, +only packets for which \fIexpression\fP is `true' will be dumped. +.LP +For the \fIexpression\fP syntax, see +.BR pcap-filter (7). +.LP +Expression arguments can be passed to \fItcpdump\fP as either a single +argument or as multiple arguments, whichever is more convenient. +Generally, if the expression contains Shell metacharacters, it is +easier to pass it as a single, quoted argument. +Multiple arguments are concatenated with spaces before being parsed. +.SH EXAMPLES +.LP +To print all packets arriving at or departing from \fIsundown\fP: +.RS +.nf +\fBtcpdump host sundown\fP +.fi +.RE +.LP +To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: +.RS +.nf +\fBtcpdump host helios and \\( hot or ace \\)\fP +.fi +.RE +.LP +To print all IP packets between \fIace\fR and any host except \fIhelios\fR: +.RS +.nf +\fBtcpdump ip host ace and not helios\fP +.fi +.RE +.LP +To print all traffic between local hosts and hosts at Berkeley: +.RS +.nf +.B +tcpdump net ucb-ether +.fi +.RE +.LP +To print all ftp traffic through internet gateway \fIsnup\fP: +(note that the expression is quoted to prevent the shell from +(mis-)interpreting the parentheses): +.RS +.nf +.B +tcpdump 'gateway snup and (port ftp or ftp-data)' +.fi +.RE +.LP +To print traffic neither sourced from nor destined for local hosts +(if you gateway to one other net, this stuff should never make it +onto your local net). +.RS +.nf +.B +tcpdump ip and not net \fIlocalnet\fP +.fi +.RE +.LP +To print the start and end packets (the SYN and FIN packets) of each +TCP conversation that involves a non-local host. +.RS +.nf +.B +tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP' +.fi +.RE +.LP +To print all IPv4 HTTP packets to and from port 80, i.e. print only +packets that contain data, not, for example, SYN and FIN packets and +ACK-only packets. (IPv6 is left as an exercise for the reader.) +.RS +.nf +.B +tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' +.fi +.RE +.LP +To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP: +.RS +.nf +.B +tcpdump 'gateway snup and ip[2:2] > 576' +.fi +.RE +.LP +To print IP broadcast or multicast packets that were +.I not +sent via Ethernet broadcast or multicast: +.RS +.nf +.B +tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' +.fi +.RE +.LP +To print all ICMP packets that are not echo requests/replies (i.e., not +ping packets): +.RS +.nf +.B +tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply' +.fi +.RE +.SH OUTPUT FORMAT +.LP +The output of \fItcpdump\fP is protocol dependent. +The following +gives a brief description and examples of most of the formats. +.de HD +.sp 1.5 +.B +.. +.HD +Link Level Headers +.LP +If the '-e' option is given, the link level header is printed out. +On Ethernets, the source and destination addresses, protocol, +and packet length are printed. +.LP +On FDDI networks, the '-e' option causes \fItcpdump\fP to print +the `frame control' field, the source and destination addresses, +and the packet length. +(The `frame control' field governs the +interpretation of the rest of the packet. +Normal packets (such +as those containing IP datagrams) are `async' packets, with a priority +value between 0 and 7; for example, `\fBasync4\fR'. +Such packets +are assumed to contain an 802.2 Logical Link Control (LLC) packet; +the LLC header is printed if it is \fInot\fR an ISO datagram or a +so-called SNAP packet. +.LP +On Token Ring networks, the '-e' option causes \fItcpdump\fP to print +the `access control' and `frame control' fields, the source and +destination addresses, and the packet length. +As on FDDI networks, +packets are assumed to contain an LLC packet. +Regardless of whether +the '-e' option is specified or not, the source routing information is +printed for source-routed packets. +.LP +On 802.11 networks, the '-e' option causes \fItcpdump\fP to print +the `frame control' fields, all of the addresses in the 802.11 header, +and the packet length. +As on FDDI networks, +packets are assumed to contain an LLC packet. +.LP +\fI(N.B.: The following description assumes familiarity with +the SLIP compression algorithm described in RFC-1144.)\fP +.LP +On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), +packet type, and compression information are printed out. +The packet type is printed first. +The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP. +No further link information is printed for \fIip\fR packets. +For TCP packets, the connection identifier is printed following the type. +If the packet is compressed, its encoded header is printed out. +The special cases are printed out as +\fB*S+\fIn\fR and \fB*SA+\fIn\fR, where \fIn\fR is the amount by which +the sequence number (or sequence number and ack) has changed. +If it is not a special case, +zero or more changes are printed. +A change is indicated by U (urgent pointer), W (window), A (ack), +S (sequence number), and I (packet ID), followed by a delta (+n or -n), +or a new value (=n). +Finally, the amount of data in the packet and compressed header length +are printed. +.LP +For example, the following line shows an outbound compressed TCP packet, +with an implicit connection identifier; the ack has changed by 6, +the sequence number by 49, and the packet ID by 6; there are 3 bytes of +data and 6 bytes of compressed header: +.RS +.nf +\fBO ctcp * A+6 S+49 I+6 3 (6)\fP +.fi +.RE +.HD +ARP/RARP Packets +.LP +Arp/rarp output shows the type of request and its arguments. +The +format is intended to be self explanatory. +Here is a short sample taken from the start of an `rlogin' from +host \fIrtsg\fP to host \fIcsam\fP: +.RS +.nf +.sp .5 +\f(CWarp who-has csam tell rtsg +arp reply csam is-at CSAM\fR +.sp .5 +.fi +.RE +The first line says that rtsg sent an arp packet asking +for the Ethernet address of internet host csam. +Csam +replies with its Ethernet address (in this example, Ethernet addresses +are in caps and internet addresses in lower case). +.LP +This would look less redundant if we had done \fItcpdump \-n\fP: +.RS +.nf +.sp .5 +\f(CWarp who-has 128.3.254.6 tell 128.3.254.68 +arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP +.fi +.RE +.LP +If we had done \fItcpdump \-e\fP, the fact that the first packet is +broadcast and the second is point-to-point would be visible: +.RS +.nf +.sp .5 +\f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg +CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR +.sp .5 +.fi +.RE +For the first packet this says the Ethernet source address is RTSG, the +destination is the Ethernet broadcast address, the type field +contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes. +.HD +TCP Packets +.LP +\fI(N.B.:The following description assumes familiarity with +the TCP protocol described in RFC-793. +If you are not familiar +with the protocol, neither this description nor \fItcpdump\fP will +be of much use to you.)\fP +.LP +The general format of a tcp protocol line is: +.RS +.nf +.sp .5 +\fIsrc > dst: flags data-seqno ack window urgent options\fP +.sp .5 +.fi +.RE +\fISrc\fP and \fIdst\fP are the source and destination IP +addresses and ports. +\fIFlags\fP are some combination of S (SYN), +F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single +`.' (no flags). +\fIData-seqno\fP describes the portion of sequence space covered +by the data in this packet (see example below). +\fIAck\fP is sequence number of the next data expected the other +direction on this connection. +\fIWindow\fP is the number of bytes of receive buffer space available +the other direction on this connection. +\fIUrg\fP indicates there is `urgent' data in the packet. +\fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>). +.LP +\fISrc, dst\fP and \fIflags\fP are always present. +The other fields +depend on the contents of the packet's tcp protocol header and +are output only if appropriate. +.LP +Here is the opening portion of an rlogin from host \fIrtsg\fP to +host \fIcsam\fP. +.RS +.nf +.sp .5 +\s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024> +csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024> +rtsg.1023 > csam.login: . ack 1 win 4096 +rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096 +csam.login > rtsg.1023: . ack 2 win 4096 +rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096 +csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077 +csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1 +csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2 +.sp .5 +.fi +.RE +The first line says that tcp port 1023 on rtsg sent a packet +to port \fIlogin\fP +on csam. +The \fBS\fP indicates that the \fISYN\fP flag was set. +The packet sequence number was 768512 and it contained no data. +(The notation is `first:last(nbytes)' which means `sequence +numbers \fIfirst\fP +up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.) +There was no piggy-backed ack, the available receive window was 4096 +bytes and there was a max-segment-size option requesting an mss of +1024 bytes. +.LP +Csam replies with a similar packet except it includes a piggy-backed +ack for rtsg's SYN. +Rtsg then acks csam's SYN. +The `.' means no +flags were set. +The packet contained no data so there is no data sequence number. +Note that the ack sequence +number is a small integer (1). +The first time \fItcpdump\fP sees a +tcp `conversation', it prints the sequence number from the packet. +On subsequent packets of the conversation, the difference between +the current packet's sequence number and this initial sequence number +is printed. +This means that sequence numbers after the +first can be interpreted +as relative byte positions in the conversation's data stream (with the +first data byte each direction being `1'). +`-S' will override this +feature, causing the original sequence numbers to be output. +.LP +On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 +in the rtsg \(-> csam side of the conversation). +The PUSH flag is set in the packet. +On the 7th line, csam says it's received data sent by rtsg up to +but not including byte 21. +Most of this data is apparently sitting in the +socket buffer since csam's receive window has gotten 19 bytes smaller. +Csam also sends one byte of data to rtsg in this packet. +On the 8th and 9th lines, +csam sends two bytes of urgent, pushed data to rtsg. +.LP +If the snapshot was small enough that \fItcpdump\fP didn't capture +the full TCP header, it interprets as much of the header as it can +and then reports ``[|\fItcp\fP]'' to indicate the remainder could not +be interpreted. +If the header contains a bogus option (one with a length +that's either too small or beyond the end of the header), \fItcpdump\fP +reports it as ``[\fIbad opt\fP]'' and does not interpret any further +options (since it's impossible to tell where they start). +If the header +length indicates options are present but the IP datagram length is not +long enough for the options to actually be there, \fItcpdump\fP reports +it as ``[\fIbad hdr length\fP]''. +.HD +.B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.) +.PP +There are 8 bits in the control bits section of the TCP header: +.IP +.I CWR | ECE | URG | ACK | PSH | RST | SYN | FIN +.PP +Let's assume that we want to watch packets used in establishing +a TCP connection. +Recall that TCP uses a 3-way handshake protocol +when it initializes a new connection; the connection sequence with +regard to the TCP control bits is +.PP +.RS +1) Caller sends SYN *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201010281908.o9SJ8u3K025827>