tcpdump.1

<B>Digital的Unix操作系统VAX 4.2源码</B>

.TH tcpdump 1 "" "" Unsupported
.SH Name
tcpdump \- dump traffic on a network
.SH Syntax
.B /usr/etc/tcpdump
[
.B \-deflnNOpqStvx
] [
.B \-c
.I count
] [
.B \-F
.I file
][
.B \-i
.I interface
]
.br
.ti +8
[
.B \-r
.I file
]
[
.B \-s
.I snaplen
]
.br
.ti +8
[
.B \-w
.I file
]
.I expression
.SH Description
.NXR "tcpdump command"
The 
.PN tcpdump
command prints out the headers of packets on a network interface
that match the boolean \fIexpression\fP.
.B Under SunOS:
You must be root to invoke 
.PN tcpdump
or it must be installed setuid to root.
.B Under ULTRIX:
Any user can invoke 
.PN tcpdump
once the super-user has enabled promiscuous-mode operation using
.MS pfconfig 8c .
.B Under BSD:
Access is controlled by the permissions on 
.PN /dev/bpf \fIn\fR,
where \fIn\fP is the unit number of the device.
.SH Options
.TP
.B \-c
Exits after receiving \fIcount\fP packets.
.TP
.B \-d
Dumps the compiled packet-matching code to standard output and then stops.
.TP
.B \-e
Prints the link-level header on each dump line.
.TP
.B \-f
Prints `foreign' internet addresses numerically rather than symbolically
(this option is intended to get around serious problems in
Sun's Yellow Pages server \(em it usually hangs when translating non-local
internet numbers).
.TP
.B \-F
Uses \fIfile\fP as input for the filter expression.
Any additional expression given on the command line is ignored.
.TP
.B \-i
Listens on \fIinterface\fP.
If unspecified, 
.PN tcpdump
searches the system interface list for the
lowest numbered, configured interface that is up (excluding loopback).
.PP
Ties are broken by choosing the earliest match.
.TP
.B \-l
Makes stdout line buffered.  Useful if you want to see the data
while capturing it.  For example,
.br
``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''
.TP
.B \-n
Suppresses conversion of addresses (for example, host addresses, port numbers, 
etc.) to names.
.TP
.B \-N
Suppresses printing domain name qualification of host names.  For example,
if you specify this flag,
.PN tcpdump
prints ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
Do not run the packet-matching code optimizer.  This is useful only
if you suspect a bug in the optimizer.
.TP
.B \-p
Do not put the interface
into promiscuous mode.  Note that the interface might be in promiscuous
for some other reason; therefore, the
.PN \-p 
flag cannot be used as an abbreviation for
`ether host {localhost} or broadcast'.
.TP
.B \-q
Quiet mode.  Prints less protocol information so output
lines are shorter.
.TP
.B \-r
Reads packets from \fIfile\fR (which was created with the \-w option).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-s
Use \fIsnaplen\fP bytes of data from each packet rather than the
default of 68 (with NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP
and UDP but may truncate protocol information from name server and NFS
packets (see below).  Packets truncated because of a limited snapshot
are indicated in the output with ``[|]''.
Note that taking larger snapshots both increases
the amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering.  This may cause packets to be
lost.  You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you are interested in.
.TP
.B \-S
Prints absolute, rather than relative, TCP sequence numbers.
.TP
.B \-t
Do not print a timestamp on each dump line.
.TP
.B \-v
(Slightly more) verbose output.  For example, the time to live
and type of service information in an IP packet are printed.
.TP
.B \-w
Writes the raw packets to \fIfile\fR rather than parsing and printing 
them out.  They can later be printed with the \-r option.
Standard output is used if \fIfile\fR is ``-''.
.TP
.B \-x
Prints each packet (minus its link level header) in hexidecimal.
The smaller of the entire packet or
.I snaplen
bytes are printed.
.IP "\fI expression\fP"
.RS
Selects which packets are dumped.  If no \fIexpression\fP
is given, all packets on the net are dumped.  Otherwise,
only packets for which \fIexpression\fP is `true' are dumped.
.PP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.  There are three
different kinds of qualifiers:
.IP \fItype\fP
Say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
For example, `host foo', `net 128.3', `port 20'.  If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
Specify a particular transfer direction to and/or from
.I id.
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.BR "src and dst" .
For example, `src foo', `dst net 128.3', `src or dst port ftp-data'.  If
there is no dir qualifier,
.B "src or dst"
is assumed.
.IP \fIproto\fP
Restrict the match to a particular protocol.  Possible
protos are:
.BR ether ,
.BR ip ,
.BR arp ,
.BR rarp ,
.B tcp
and
.BR udp .
For example, `ether src foo', `arp net 128.3', `tcp port 21'.  If there is
no proto qualifier, all protocols consistent with the type are
assumed.  For example, `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
.RE
.PP
In addition to the above, there are some special `primitive' keywords
that do not follow the pattern:
.BR gateway ,
.BR broadcast ,
.BR less ,
.B greater
and arithmetic expressions.  All of these are described below.
.PP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and
.B not
to combine primitives.  For example, `host foo and not port ftp and 
not port ftp-data'.
To save typing, identical qualifier lists can be omitted.  For example,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
.PP
Allowable primitives are:
.IP "\fBdst host \fIhost\fR"
True if the IP destination field of the packet is \fIhost\fP,
which may be either an address or a name.
.IP "\fBsrc host \fIhost\fR"
True if the IP source field of the packet is \fIhost\fP.
.IP "\fBhost \fIhost\fP
True if either the IP source or destination of the packet is \fIhost\fP.
Any of the above host expressions can be prepended with the keywords,
\fBip\fP, \fBarp\fP, or \fBrarp\fP as in:
.in +.5i
.nf
\fBip host \fIhost\fR
.fi
.in -.5i
which is equivalent to:
.in +.5i
.nf
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
If \fIhost\fR is a name with multiple IP addresses, each address is
checked for a match.
.IP "\fBether dst \fIehost\fP
True if the ethernet destination address is \fIehost\fP.  \fIEhost\fP
may be either a name from the
.PN /etc/ethers 
file or a number (see
.MS ethers 3n
for numeric format).
.IP "\fBether src \fIehost\fP
True if the ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
True if either the ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the packet used \fIhost\fP as a gateway.  For example, the ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP.  \fIHost\fP must be a name and
must be found in both 
.PN /etc/hosts 
and 
.PN /etc/ethers .  
(An equivalent expression is
.in +.5i
.nf
\fBether host \fIehost \fBand not host \fIhost\fR
.fi
.in -.5i
which can be used with either names or numbers for \fIhost\fP and
\fIehost\fP.)
.IP "\fBdst net \fInet\fR"
True if the IP destination address of the packet has a network
number of \fInet\fP, which may be either an address or a name.
.IP "\fBsrc net \fInet\fR"
True if the IP source address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR"
True if either the IP source or destination address of the packet has a network
number of \fInet\fP.
.IP "\fBdst port \fIport\fR"
True if the packet is ip/tcp or ip/udp and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in 
.PN /etc/services 
(see
.MS tcp 4p
and
.MS udp 4p ).
If a name is used, both the port
number and protocol are checked.  If a number or ambiguous name is used,
only the port number is checked (for example, \fBdst port 513\fR 
prints both
tcp/login traffic and udp/who traffic, and \fBport domain\fR prints
both tcp/domain and udp/domain traffic).
.IP "\fBsrc port \fIport\fR"
True if the packet has a source port value of \fIport\fP.
.IP "\fBport \fIport\fR"
True if either the source or destination port of the packet is \fIport\fP.
Any of the above port expressions can be prepended with the keywords,
\fBtcp\fP or \fBudp\fP, as in:
.in +.5i
.nf
\fBtcp src port \fIport\fR
.fi
.in -.5i
which matches only tcp packets.
.IP "\fBless \fIlength\fR"
True if the packet has a length less than or equal to \fIlength\fP.
This is equivalent to:
.EX
len <= \fIlength\fP
.EE
.IP "\fBgreater \fIlength\fR"
True if the packet has a length greater than or equal to \fIlength\fP.
This is equivalent to:
.EX 
len >= \fIlength\fP
.EE
.IP "\fBip proto \fIprotocol\fR"
True if the packet is an ip packet (see
.MS ip 4p )
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
\fIicmp\fP, \fIudp\fP, \fInd\fP, or \fItcp\fP.
Note that the identifiers \fItcp\fP and \fIudp\fP are also keywords
and must be escaped using backslash (\\), which is \\\\ in the C-shell.
.IP \fBbroadcast\fR
True if the packet is a broadcast packet.
.IP  "\fBether proto \fIprotocol\fR"
True if the packet is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or a name like
\fIip\fP, \fIarp\fP, or \fIrarp\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
.IP "\fBip\fR, \fBarp\fR, \fBrarp\fR"
Abbreviations for:
.in +.5i
.nf
\fBether proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP  "\fBtcp\fR, \fBudp\fR"
Abbreviations for:
.in +.5i
.nf
\fBip proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP  "\fIexpr relop expr\fR"
True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =, !=,
and \fIexpr\fR is an arithmetic expression composed of integer constants
(expressed in standard C syntax), the normal binary operators
[+, -, *, /, &, |], a length operator, and special packet data accessors.  
To access
data inside the packet, use the following syntax:
.in +.5i
.nf