tcpdump.1

网卡驱动相关实例 这是和网卡NT KMD驱动程序有关的一些资料和例子。主要是以下三方面内容: 3.1 article 一些有用的文档 3.2 Canberra 网络诊听工具Ethern

.\" @(#) $Header: tcpdump.1,v 1.67 97/06/30 16:31:50 leres Exp $ (LBL)
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\"	The Regents of the University of California.  All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH TCPDUMP 1  "30 June 1997"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
.B \-adeflnNOpqStvx
] [
.B \-c
.I count
] [
.B \-F
.I file
]
.br
.ti +8
[
.B \-i
.I interface
] [
.B \-r
.I file
]
[
.B \-s
.I snaplen
]
.br
.ti +8
[
.B \-T
.I type
]
[
.B \-w
.I file
]
[
.I expression
]
.br
.ad
.SH DESCRIPTION
.LP
\fITcpdump\fP prints out the headers of packets on a network interface
that match the boolean \fIexpression\fP.
.LP
.B Under SunOS with nit or bpf:
To run
.I tcpdump
you must have read access to
.I /dev/nit
or
.IR /dev/bpf* .
.B Under Solaris with dlpi:
You must have read access to the network pseudo device, e.g.
.IR /dev/le .
.B Under HP-UX with dlpi:
You must be root or it must be installed setuid to root.
.B Under IRIX with snoop:
You must be root or it must be installed setuid to root.
.B Under Linux:
You must be root or it must be installed setuid to root.
.B Under Ultrix and Digital UNIX:
Once the super-user has enabled promiscuous-mode operation using
.IR pfconfig (8),
any user may run
.BR tcpdump .
.B Under BSD:
You must have read access to
.IR /dev/bpf* .
.SH OPTIONS
.TP
.B \-a
Attempt to convert network and broadcast addresses to names.
.TP
.B \-c
Exit after receiving \fIcount\fP packets.
.TP
.B \-d
Dump the compiled packet-matching code in a human readable form to
standard output and stop.
.TP
.B \-dd
Dump packet-matching code as a
.B C
program fragment.
.TP
.B \-ddd
Dump packet-matching code as decimal numbers (preceded with a count).
.TP
.B \-e
Print the link-level header on each dump line.
.TP
.B \-f
Print `foreign' internet addresses numerically rather than symbolically
(this option is intended to get around serious brain damage in
Sun's yp server \(em usually it hangs forever translating non-local
internet numbers).
.TP
.B \-F
Use \fIfile\fP as input for the filter expression.
An additional expression given on the command line is ignored.
.TP
.B \-i
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
lowest numbered, configured up interface (excluding loopback).
Ties are broken by choosing the earliest match.
.TP
.B \-l
Make stdout line buffered.  Useful if you want to see the data
while capturing it.  E.g.,
.br
``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
.B \-N
Don't print domain name qualification of host names.  E.g.,
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
Do not run the packet-matching code optimizer.  This is useful only
if you suspect a bug in the optimizer.
.TP
.B \-p
\fIDon't\fP put the interface
into promiscuous mode.  Note that the interface might be in promiscuous
mode for some other reason; hence, `-p' cannot be used as an abbreviation for
`ether host {local-hw-addr} or ether broadcast'.
.TP
.B \-q
Quick (quiet?) output.  Print less protocol information so output
lines are shorter.
.TP
.B \-r
Read packets from \fIfile\fR (which was created with the -w option).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-s
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP
and UDP but may truncate protocol information from name server and NFS
packets (see below).  Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases
the amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering.  This may cause packets to be
lost.  You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you're interested in.
.TP
.B \-T
Force packets selected by "\fIexpression\fP" to be interpreted the
specified \fItype\fR. Currently known types are
\fBrpc\fR (Remote Procedure Call),
\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
\fBvat\fR (Visual Audio Tool),
and
\fBwb\fR (distributed White Board).
.TP
.B \-S
Print absolute, rather than relative, TCP sequence numbers.
.TP
.B \-t
\fIDon't\fP print a timestamp on each dump line.
.TP
.B \-tt
Print an unformatted timestamp on each dump line.
.TP
.B \-v
(Slightly more) verbose output.  For example, the time to live
and type of service information in an IP packet is printed.
.TP
.B \-vv
Even more verbose output.  For example, additional fields are
printed from NFS reply packets.
.TP
.B \-w
Write the raw packets to \fIfile\fR rather than parsing and printing
them out.  They can later be printed with the \-r option.
Standard output is used if \fIfile\fR is ``-''.
.TP
.B \-x
Print each packet (minus its link level header) in hex.
The smaller of the entire packet or
.I snaplen
bytes will be printed.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.  If no \fIexpression\fP
is given, all packets on the net will be dumped.  Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.  There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
E.g., `host foo', `net 128.3', `port 20'.  If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.I id.
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.B "src and"
.BR dst .
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.  If
there is no dir qualifier,
.B "src or dst"
is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
.B inbound
and
.B outbound
qualifiers can be used to specify a desired direction.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol.  Possible
protos are:
.BR ether ,
.BR fddi ,
.BR ip ,
.BR arp ,
.BR rarp ,
.BR decnet ,
.BR lat ,
.BR sca ,
.BR moprc ,
.BR mopdl ,
.B tcp
and
.BR udp .
E.g., `ether src foo', `arp net 128.3', `tcp port 21'.  If there is
no proto qualifier, all protocols consistent with the type are
assumed.  E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
.LP
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.''  FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.  FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.]
.LP
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
.BR gateway ,
.BR broadcast ,
.BR less ,
.B greater
and arithmetic expressions.  All of these are described below.
.LP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and
.B not
to combine primitives.  E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.  E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
.LP
Allowable primitives are:
.IP "\fBdst host \fIhost\fR"
True if the IP destination field of the packet is \fIhost\fP,
which may be either an address or a name.
.IP "\fBsrc host \fIhost\fR"
True if the IP source field of the packet is \fIhost\fP.
.IP "\fBhost \fIhost\fP
True if either the IP source or destination of the packet is \fIhost\fP.
Any of the above host expressions can be prepended with the keywords,
\fBip\fP, \fBarp\fP, or \fBrarp\fP as in:
.in +.5i
.nf
\fBip host \fIhost\fR
.fi
.in -.5i
which is equivalent to:
.in +.5i
.nf
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
If \fIhost\fR is a name with multiple IP addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP
True if the ethernet destination address is \fIehost\fP.  \fIEhost\fP
may be either a name from /etc/ethers or a number (see
.IR ethers (3N)
for numeric format).
.IP "\fBether src \fIehost\fP
True if the ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
True if either the ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the packet used \fIhost\fP as a gateway.  I.e., the ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP.  \fIHost\fP must be a name and
must be found in both /etc/hosts and /etc/ethers.  (An equivalent
expression is
.in +.5i
.nf
\fBether host \fIehost \fBand not host \fIhost\fR
.fi
.in -.5i
which can be used with either names or numbers for \fIhost / ehost\fP.)
.IP "\fBdst net \fInet\fR"
True if the IP destination address of the packet has a network
number of \fInet\fP. \fINet\fP may be either a name from /etc/networks
or a network number (see \fInetworks(4)\fP for details).
.IP "\fBsrc net \fInet\fR"
True if the IP source address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR"
True if either the IP source or destination address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR \fBmask \fImask\fR"
True if the IP address matches \fInet\fR with the specific netmask.
May be qualified with \fBsrc\fR or \fBdst\fR.
.IP "\fBnet \fInet\fR/\fIlen\fR"
True if the IP address matches \fInet\fR a netmask \fIlen\fR bits wide.
May be qualified with \fBsrc\fR or \fBdst\fR.
.IP "\fBdst port \fIport\fR"
True if the packet is ip/tcp or ip/udp and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in /etc/services (see
.IR tcp (4P)
and
.IR udp (4P)).
If a name is used, both the port
number and protocol are checked.  If a number or ambiguous name is used,
only the port number is checked (e.g., \fBdst port 513\fR will print both
tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
both tcp/domain and udp/domain traffic).
.IP "\fBsrc port \fIport\fR"
True if the packet has a source port value of \fIport\fP.
.IP "\fBport \fIport\fR"
True if either the source or destination port of the packet is \fIport\fP.
Any of the above port expressions can be prepended with the keywords,
\fBtcp\fP or \fBudp\fP, as in:
.in +.5i
.nf
\fBtcp src port \fIport\fR
.fi
.in -.5i
which matches only tcp packets whose source port is \fIport\fP.
.IP "\fBless \fIlength\fR"
True if the packet has a length less than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen <= \fIlength\fP.
.fi
.in -.5i
.IP "\fBgreater \fIlength\fR"
True if the packet has a length greater than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen >= \fIlength\fP.
.fi
.in -.5i