TCPDUMP(1)                      30 June 1997                      TCPDUMP(1)

NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ expression ]

DESCRIPTION
       Tcpdump prints out the headers of packets on a network interface that
       match the boolean expression.

       Under SunOS with nit or bpf: To run tcpdump you must have read access
       to /dev/nit or /dev/bpf*.

       Under Solaris with dlpi: You must have read access to the network
       pseudo device, e.g. /dev/le.

       Under HP-UX with dlpi: You must be root or it must be installed setuid
       to root.

       Under IRIX with snoop: You must be root or it must be installed setuid
       to root.

       Under Linux: You must be root or it must be installed setuid to root.

       Under Ultrix and Digital UNIX: Once the super-user has enabled
       promiscuous-mode operation using pfconfig(8), any user may run
       tcpdump.

       Under BSD: You must have read access to /dev/bpf*.

OPTIONS
       -a     Attempt to convert network and broadcast addresses to names.

       -c     Exit after receiving count packets.

       -d     Dump the compiled packet-matching code in a human readable form
              to standard output and stop.

       -dd    Dump packet-matching code as a C program fragment.

       -ddd   Dump packet-matching code as decimal numbers (preceded with a
              count).

       -e     Print the link-level header on each dump line.

       -f     Print `foreign' internet addresses numerically rather than
              symbolically (this option is intended to get around serious
              brain damage in Sun's yp server -- usually it hangs forever
              translating non-local internet numbers).

       -F     Use file as input for the filter expression.  An additional
              expression given on the command line is ignored.

       -i     Listen on interface.  If unspecified, tcpdump searches the
              system interface list for the lowest numbered, configured up
              interface (excluding loopback).  Ties are broken by choosing
              the earliest match.

       -l     Make stdout line buffered.  Useful if you want to see the data
              while capturing it.  E.g., ``tcpdump -l | tee dat'' or
              ``tcpdump -l > dat & tail -f dat''.

       -n     Don't convert addresses (i.e., host addresses, port numbers,
              etc.) to names.

       -N     Don't print domain name qualification of host names.  E.g., if
              you give this flag then tcpdump will print ``nic'' instead of
              ``nic.ddn.mil''.

       -O     Do not run the packet-matching code optimizer.  This is useful
              only if you suspect a bug in the optimizer.

       -p     Don't put the interface into promiscuous mode.  Note that the
              interface might be in promiscuous mode for some other reason;
              hence, `-p' cannot be used as an abbreviation for `ether host
              {local-hw-addr} or ether broadcast'.

       -q     Quick (quiet?) output.  Print less protocol information so
              output lines are shorter.

       -r     Read packets from file (which was created with the -w option).
              Standard input is used if file is ``-''.

       -s     Snarf snaplen bytes of data from each packet rather than the
              default of 68 (with SunOS's NIT, the minimum is actually 96).
              68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate
              protocol information from name server and NFS packets (see
              below).  Packets truncated because of a limited snapshot are
              indicated in the output with ``[|proto]'', where proto is the
              name of the protocol level at which the truncation has
              occurred.  Note that taking larger snapshots both increases the
              amount of time it takes to process packets and, effectively,
              decreases the amount of packet buffering.  This may cause
              packets to be lost.  You should limit snaplen to the smallest
              number that will capture the protocol information you're
              interested in.

       -T     Force packets selected by "expression" to be interpreted the
              specified type.  Currently known types are rpc (Remote
              Procedure Call), rtp (Real-Time Applications protocol), rtcp
              (Real-Time Applications control protocol), vat (Visual Audio
              Tool), and wb (distributed White Board).

       -S     Print absolute, rather than relative, TCP sequence numbers.

       -t     Don't print a timestamp on each dump line.

       -tt    Print an unformatted timestamp on each dump line.

       -v     (Slightly more) verbose output.  For example, the time to live
              and type of service information in an IP packet is printed.

       -vv    Even more verbose output.  For example, additional fields are
              printed from NFS reply packets.

       -w     Write the raw packets to file rather than parsing and printing
              them out.  They can later be printed with the -r option.
              Standard output is used if file is ``-''.

       -x     Print each packet (minus its link level header) in hex.  The
              smaller of the entire packet or snaplen bytes will be printed.

       expression
              selects which packets will be dumped.  If no expression is
              given, all packets on the net will be dumped.  Otherwise, only
              packets for which expression is `true' will be dumped.

              The expression consists of one or more primitives.  Primitives
              usually consist of an id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name or number
                     refers to.  Possible types are host, net and port.
                     E.g., `host foo', `net 128.3', `port 20'.  If there is
                     no type qualifier, host is assumed.

              dir    qualifiers specify a particular transfer direction to
                     and/or from id.  Possible directions are src, dst, src
                     or dst and src and dst.  E.g., `src foo', `dst net
                     128.3', `src or dst port ftp-data'.  If there is no dir
                     qualifier, src or dst is assumed.  For `null' link
                     layers (i.e. point to point protocols such as slip) the
                     inbound and outbound qualifiers can be used to specify a
                     desired direction.

              proto  qualifiers restrict the match to a particular protocol.
                     Possible protos are: ether, fddi, ip, arp, rarp, decnet,
                     lat, sca, moprc, mopdl, tcp and udp.  E.g., `ether src
                     foo', `arp net 128.3', `tcp port 21'.  If there is no
                     proto qualifier, all protocols consistent with the type
                     are assumed.  E.g., `src foo' means `(ip or arp or rarp)
                     src foo' (except the latter is not legal syntax), `net
                     bar' means `(ip or arp or rarp) net bar' and `port 53'
                     means `(tcp or udp) port 53'.

              [`fddi' is actually an alias for `ether'; the parser treats
              them identically as meaning ``the data link level used on the
              specified network interface.''  FDDI headers contain
              Ethernet-like source and destination addresses, and often
              contain Ethernet-like packet types, so you can filter on these
              FDDI fields just as with the analogous Ethernet fields.  FDDI
              headers also contain other fields, but you cannot name them
              explicitly in a filter expression.]

              In addition to the above, there are some special `primitive'
              keywords that don't follow the pattern: gateway, broadcast,
              less, greater and arithmetic expressions.  All of these are
              described below.

              More complex filter expressions are built up by using the words
              and, or and not to combine primitives.  E.g., `host foo and not
              port ftp and not port ftp-data'.  To save typing, identical
              qualifier lists can be omitted.  E.g., `tcp dst port ftp or
              ftp-data or domain' is exactly the same as `tcp dst port ftp or
              tcp dst port ftp-data or tcp dst port domain'.

              Allowable primitives are:

              dst host host
                     True if the IP destination field of the packet is host,
                     which may be either an address or a name.

              src host host
                     True if the IP source field of the packet is host.

              host host
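The qualifier rules described under expression (host is assumed when there is no type qualifier, src or dst when there is no dir qualifier, all protocols consistent with the type when there is no proto qualifier, and identical qualifier lists may be omitted after and/or) can be checked mechanically before a filter is handed to tcpdump on the command line or through -F. The following Python script is an added example, not part of this man page or of the tcpdump sources. It parses the host/net/port subset of the filter language and rewrites every primitive in its fully qualified `proto dir type id' form; `not' binds tightest and `and' and `or' are treated with equal precedence, left to right, as in tcpdump's own grammar. It does not handle the special keywords (gateway, broadcast, less, greater, arithmetic) or the inbound/outbound qualifiers, and it does not validate proto/type combinations against tcpdump's grammar.

```python
import re

# Qualifier vocabularies as listed in the man page text.
TYPES = {"host", "net", "port"}
DIRS = {"src", "dst"}
PROTOS = {"ether", "fddi", "ip", "arp", "rarp", "decnet", "lat", "sca",
          "moprc", "mopdl", "tcp", "udp"}
RESERVED = {"and", "or", "not", "(", ")"}
# "all protocols consistent with the type": (ip or arp or rarp) for host and
# net, (tcp or udp) for port.
DEFAULT_PROTOS = {"host": ["ip", "arp", "rarp"],
                  "net": ["ip", "arp", "rarp"],
                  "port": ["tcp", "udp"]}


class FilterParser:
    """Recursive-descent parser for the host/net/port subset of the filter
    language.  `not' binds tightest; `and' and `or' have equal precedence
    and associate left to right."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0
        self.last_quals = None   # qualifiers of the most recent primitive

    def peek(self, k=0):
        i = self.pos + k
        return self.toks[i] if i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.bin_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def bin_expr(self):
        node = self.not_expr()
        while self.peek() in ("and", "or"):
            op = self.take()
            rhs = self.not_expr()
            # left-associative; runs of the same operator are kept flat
            node = (op, node[1] + [rhs]) if node[0] == op else (op, [node, rhs])
        return node

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take()
            node = self.bin_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        proto = dirq = typ = None
        explicit = False
        while True:
            tok = self.peek()
            if tok in PROTOS:
                proto, explicit = self.take(), True
            elif tok in DIRS:
                dirq, explicit = self.take(), True
                # two-word directions: `src or dst', `src and dst' (either order)
                if self.peek() in ("or", "and") and self.peek(1) in DIRS - {dirq}:
                    dirq = f"{dirq} {self.take()} {self.take()}"
            elif tok in TYPES:
                typ, explicit = self.take(), True
            else:
                break
        ident = self.take()
        if ident is None or ident in RESERVED:
            raise ValueError(f"expected an id, got {ident!r}")
        if not explicit and self.last_quals is not None:
            proto, dirq, typ = self.last_quals   # omitted qualifier list
        self.last_quals = (proto, dirq, typ)
        typ = typ or "host"                      # no type qualifier
        dirq = dirq or "src or dst"              # no dir qualifier
        protos = [proto] if proto else DEFAULT_PROTOS[typ]
        prims = [("prim", f"{p} {dirq} {typ} {ident}") for p in protos]
        return prims[0] if len(prims) == 1 else ("or", prims)


def render(node):
    """Print a parse tree back as filter syntax, adding parentheses only
    where the left-to-right rule would otherwise change the meaning."""
    kind = node[0]
    if kind == "prim":
        return node[1]
    if kind == "not":
        inner = render(node[1])
        return "not " + (f"({inner})" if node[1][0] in ("and", "or") else inner)
    parts = []
    for kid in node[1]:
        text = render(kid)
        if kid[0] in ("and", "or") and kid[0] != kind:
            text = f"({text})"
        parts.append(text)
    return f" {kind} ".join(parts)


def expand_filter(expr):
    """Return expr with every primitive spelled out as `proto dir type id'."""
    return render(FilterParser(expr).parse())


if __name__ == "__main__":
    for e in ("src foo", "port 53", "tcp dst port ftp or ftp-data or domain",
              "host foo and not port ftp and not port ftp-data"):
        print(f"{e}\n    -> {expand_filter(e)}")
```

The expanded string uses tcpdump's own two-word direction `src or dst' inside a primitive, so an `or' there is part of the qualifier, not an operator. Because the rewritten form and the original should compile to the same packet-matching code, the -d option gives an independent check: dump both and compare the output.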