tcpdump.man
                     be   a  name  and  must  be  found  in  both
                     /etc/hosts and /etc/ethers.  (An  equivalent
                     expression is
                          ether host ehost and not host host
                     which can be used with either names or
                     numbers for host / ehost.)

              dst net net
                     True if the IP destination  address  of  the
                     packet  has a network number of net. Net may
                     be either a name  from  /etc/networks  or  a
                     network    number   (see   networks(4)   for
                     details).

              src net net
                     True if the IP source address of the  packet
                     has a network number of net.

              net net
                     True  if either the IP source or destination
                     address of the packet has a  network  number
                     of net.

              net net mask mask
                     True  if the IP address matches net with the
                     specific netmask.  May be qualified with src
                     or dst.

              net net/len
                     True if the IP address matches net a netmask
                     len bits wide.  May be qualified with src or
                     dst.

              dst port port
                     True  if  the packet is ip/tcp or ip/udp and
                     has a destination port value of  port.   The
                     port  can  be  a  number  or  a name used in
                     /etc/services (see tcp(4P) and udp(4P)).  If
                     a  name  is  used,  both the port number and
                     protocol  are  checked.   If  a  number   or
                     ambiguous name is used, only the port number
                     is checked (e.g., dst port  513  will  print
                     both  tcp/login traffic and udp/who traffic,
                     and port domain will print  both  tcp/domain
                     and udp/domain traffic).

              src port port
                     True  if  the packet has a source port value
                     of port.

              port port
                     True if either  the  source  or  destination
                     port  of  the  packet  is  port.  Any of the
                     above port expressions can be prepended with
                     the keywords, tcp or udp, as in:
                          tcp src port port
                     which  matches only tcp packets whose source
                     port is port.

              less length
                     True if the packet has a length less than or
                     equal to length.  This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than
                     or equal to length.  This is equivalent to:
                          len >= length.

              ip proto protocol
                     True if the packet is an ip packet (see
                     ip(4P)) of protocol type protocol.  Protocol
                     can be a number or one of the names icmp,
                     igrp, udp, nd, or tcp.  Note that the
                     identifiers tcp, udp, and icmp are also
                     keywords and must be escaped via backslash
                     (\), which is \\ in the C-shell.

              ether broadcast
                     True if the packet is an ethernet  broadcast
                     packet.  The ether keyword is optional.

              ip broadcast
                     True  if  the  packet  is  an  IP  broadcast
                     packet.  It checks for both  the  all-zeroes
                     and   all-ones  broadcast  conventions,  and
                     looks up the local subnet mask.

              ether multicast
                     True if the packet is an ethernet  multicast
                     packet.   The  ether  keyword  is  optional.
                     This is shorthand for `ether[0] & 1 != 0'.

              ip multicast
                     True  if  the  packet  is  an  IP  multicast
                     packet.

              ether proto protocol
                     True if the packet is of ether type protocol.
                     Protocol can be a number or a name like ip,
                     arp, or rarp.  Note these identifiers are
                     also keywords and must be escaped via
                     backslash (\).  [In the case of FDDI (e.g.,
                     `fddi protocol arp'), the protocol
                     identification comes from the 802.2 Logical
                     Link Control (LLC) header, which is usually
                     layered on top of the FDDI header.  Tcpdump
                     assumes, when filtering on the protocol
                     identifier, that all FDDI packets include an
                     LLC header, and that the LLC header is in
                     so-called SNAP format.]

              decnet src host
                     True  if  the DECNET source address is host,
                     which  may  be  an  address  of   the   form
                     ``10.123'',  or a DECNET host name.  [DECNET
                     host  name  support  is  only  available  on
                     Ultrix  systems  that  are configured to run
                     DECNET.]

              decnet dst host
                     True if the DECNET  destination  address  is
                     host.

              decnet host host
                     True if either the DECNET source or
                     destination address is host.

              ip, arp, rarp, decnet
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.  Note
                     that  tcpdump does not currently know how to
                     parse these protocols.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p
                     where p is one of the above protocols.

              expr relop expr
                     True if the relation holds, where  relop  is
                     one  of  >, <, >=, <=, =, !=, and expr is an
                     arithmetic expression  composed  of  integer
                     constants  (expressed in standard C syntax),
                     the normal binary operators [+, -, *, /,  &,
                     |],  a  length  operator, and special packet
                     data accessors.  To access data  inside  the
                     packet, use the following syntax:
                          proto [ expr : size ]
                     Proto is one of ether, fddi, ip, arp, rarp,
                     tcp, udp, or icmp, and indicates the
                     protocol layer for the index operation.
                     The byte offset, relative to the indicated
                     protocol layer, is given by expr.  Size is
                     optional and indicates the number of bytes
                     in the field of interest; it can be either
                     one, two, or four, and defaults to one.  The
                     length operator, indicated by the keyword
                     len, gives the length of the packet.

                     For example, `ether[0] & 1 != 0' catches all
                     multicast  traffic.  The expression `ip[0] &
                     0xf  !=  5'  catches  all  IP  packets  with
                     options.  The expression `ip[6:2] & 0x1fff =
                     0' catches only unfragmented  datagrams  and
                     frag  zero  of  fragmented  datagrams.  This
                     check is implicitly applied to the  tcp  and
                     udp  index operations.  For instance, tcp[0]
                     always means  the  first  byte  of  the  TCP
                     header, and never means the first byte of an
                     intervening fragment.
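              An added example (not from the tcpdump man page or its
              source): a small Python evaluator for the proto[expr:size]
              accessors described above, run against a constructed
              Ethernet/IPv4/TCP frame, to show what the man page's
              example expressions test and why tcp[0] still lands on the
              TCP header when IP options are present or a later fragment
              is seen.  The frame contents and function names are
              constructed for illustration only.

```python
import struct

ETH_LEN = 14  # Ethernet II header length; "ip" offsets start after it

def build_frame(ihl_words=5, flags_frag=0x4000, tcp_flags=0x02):
    """Constructed sample frame (not a real capture): unicast Ethernet,
    IPv4 with ihl_words*4 header bytes, then a 20-byte TCP header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ihl = ihl_words * 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl + len(tcp),
                     0x1234, flags_frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ihl - 20)  # IP options area (EOL padding) when ihl > 5
    return eth + ip + tcp

def field(pkt, proto, offset, size=1):
    """proto[offset:size] as the man page defines it: offset is relative to
    the named layer.  tcp/udp offsets are taken from the first (or only)
    fragment only; for a later fragment the accessor yields no match."""
    if proto == "ether":
        base = 0
    elif proto == "ip":
        base = ETH_LEN
    elif proto in ("tcp", "udp"):
        # the implicit check the man page describes: ip[6:2] & 0x1fff = 0
        if field(pkt, "ip", 6, 2) & 0x1FFF != 0:
            return None
        base = ETH_LEN + (field(pkt, "ip", 0) & 0x0F) * 4  # skip IP options
    else:
        raise ValueError("unsupported layer: " + proto)
    return int.from_bytes(pkt[base + offset:base + offset + size], "big")

# The man page's example expressions, written as predicates.
def ether_multicast(pkt):    # ether[0] & 1 != 0
    return (field(pkt, "ether", 0) & 1) != 0
def ip_has_options(pkt):     # ip[0] & 0xf != 5
    return (field(pkt, "ip", 0) & 0xF) != 5
def ip_first_fragment(pkt):  # ip[6:2] & 0x1fff = 0
    return (field(pkt, "ip", 6, 2) & 0x1FFF) == 0
def tcp_syn_or_fin(pkt):     # tcp[13] & 3 != 0 (from EXAMPLES)
    flags = field(pkt, "tcp", 13)
    return flags is not None and (flags & 3) != 0

if __name__ == "__main__":
    for pkt in (build_frame(), build_frame(ihl_words=6), build_frame(flags_frag=0x2005)):
        print(ether_multicast(pkt), ip_has_options(pkt),
              ip_first_fragment(pkt), tcp_syn_or_fin(pkt))
```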

              Primitives may be combined using:

                     A  parenthesized  group  of  primitives  and
                     operators  (parentheses  are  special to the
                     Shell and must be escaped).

                     Negation (`!' or `not').

                     Concatenation (`&&' or `and').

                     Alternation (`||' or `or').

              Negation has highest precedence.   Alternation  and
              concatenation  have  equal precedence and associate
              left to right.  Note that explicit and tokens,  not
              juxtaposition,  are now required for concatenation.

              If an identifier is given without  a  keyword,  the
              most recent keyword is assumed.  For example,
                   not host vs and ace
              is short for
                   not host vs and host ace
              which should not be confused with
                   not ( host vs or ace )

              Expression  arguments  can  be passed to tcpdump as
              either a single argument or as multiple  arguments,
              whichever  is  more  convenient.  Generally, if the
              expression contains  Shell  metacharacters,  it  is
              easier  to  pass  it  as a single, quoted argument.
              Multiple arguments  are  concatenated  with  spaces
              before being parsed.

EXAMPLES
       To print all packets arriving at or departing from
       sundown:
              tcpdump host sundown

       To print traffic between helios and either hot or ace:
              tcpdump host helios and \( hot or ace \)

       To print all IP packets between ace and  any  host  except
       helios:
              tcpdump ip host ace and not helios

       To  print  all  traffic  between  local hosts and hosts at
       Berkeley:
              tcpdump net ucb-ether

       To print all ftp traffic through  internet  gateway  snup:
       (note  that  the expression is quoted to prevent the shell
       from (mis-)interpreting the parentheses):
              tcpdump 'gateway snup and (port ftp or ftp-data)'

       To print traffic neither sourced  from  nor  destined  for
       local  hosts  (if you gateway to one other net, this stuff
       should never make it onto your local net).
              tcpdump ip and not net localnet

       To print the start and end packets (the SYN and FIN
       packets) of each TCP conversation that involves a
       non-local host.
              tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

       To print IP packets longer than  576  bytes  sent  through
       gateway snup:
              tcpdump 'gateway snup and ip[2:2] > 576'

       To  print  IP broadcast or multicast packets that were not
       sent via ethernet broadcast or multicast:
              tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
