tcpdump.1

TCPDUMP的C语言源代码,是在数据链路层的应用

the amount of time it takes to process packets and, effectively,
decreases the amount of packet buffering.
This may cause packets to be
lost.
You should limit \fIsnaplen\fP to the smallest number that will
capture the protocol information you're interested in.
Setting
\fIsnaplen\fP to 0 means use the required length to catch whole packets.
.TP
.B \-T
Force packets selected by "\fIexpression\fP" to be interpreted the
specified \fItype\fR.
Currently known types are
\fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
\fBcnfp\fR (Cisco NetFlow protocol),
\fBrpc\fR (Remote Procedure Call),
\fBrtp\fR (Real-Time Applications protocol),
\fBrtcp\fR (Real-Time Applications control protocol),
\fBsnmp\fR (Simple Network Management Protocol),
\fBtftp\fR (Trivial File Transfer Protocol),
\fBvat\fR (Visual Audio Tool),
and
\fBwb\fR (distributed White Board).
.TP
.B \-t
\fIDon't\fP print a timestamp on each dump line.
.TP
.B \-tt
Print an unformatted timestamp on each dump line.
.TP
.B \-ttt
Print a delta (micro-second resolution) between current and previous line
on each dump line.
.TP
.B \-tttt
Print a timestamp in default format proceeded by date on each dump line.
.TP
.B \-ttttt
Print a delta (micro-second resolution) between current and first line
on each dump line.
.TP
.B \-u
Print undecoded NFS handles.
.TP
.B \-U
Make output saved via the
.B \-w
option ``packet-buffered''; i.e., as each packet is saved, it will be
written to the output file, rather than being written only when the
output buffer fills.
.IP
The
.B \-U
flag will not be supported if
.I tcpdump
was built with an older version of
.I libpcap
that lacks the
.B pcap_dump_flush()
function.
.TP
.B \-v
When parsing and printing, produce (slightly more) verbose output.
For example, the time to live,
identification, total length and options in an IP packet are printed.
Also enables additional packet integrity checks such as verifying the
IP and ICMP header checksum.
.IP
When writing to a file with the
.B \-w
option, report, every 10 seconds, the number of packets captured.
.TP
.B \-vv
Even more verbose output.
For example, additional fields are
printed from NFS reply packets, and SMB packets are fully decoded.
.TP
.B \-vvv
Even more verbose output.
For example,
telnet \fBSB\fP ... \fBSE\fP options
are printed in full.
With
.B \-X
Telnet options are printed in hex as well.
.TP
.B \-w
Write the raw packets to \fIfile\fR rather than parsing and printing
them out.
They can later be printed with the \-r option.
Standard output is used if \fIfile\fR is ``-''.
.TP
.B \-W
Used in conjunction with the 
.B \-C 
option, this will limit the number
of files created to the specified number, and begin overwriting files
from the beginning, thus creating a 'rotating' buffer. 
In addition, it will name
the files with enough leading 0s to support the maximum number of
files, allowing them to sort correctly.
.IP
Used in conjunction with the 
.B \-G
option, this will limit the number of rotated dump files that get
created, exiting with status 0 when reaching the limit. If used with
.B \-C
as well, the behavior will result in cyclical files per timeslice.
.TP
.B \-x
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet (minus its link level header) in hex. 
The smaller of the entire packet or
.I snaplen
bytes will be printed.  Note that this is the entire link-layer
packet, so for link layers that pad (e.g. Ethernet), the padding bytes
will also be printed when the higher layer packet is shorter than the
required padding.
.TP
.B \-xx
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet,
.I including
its link level header, in hex.
.TP
.B \-X
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet (minus its link level header) in hex and ASCII.
This is very handy for analysing new protocols.
.TP
.B \-XX
When parsing and printing,
in addition to printing the headers of each packet, print the data of
each packet,
.I including
its link level header, in hex and ASCII.
.TP
.B \-y
Set the data link type to use while capturing packets to \fIdatalinktype\fP.
.TP
.B \-z
Used in conjunction with the
.B -C
or
.B -G
options, this will make
.I tcpdump
run "
.I command file
" where
.I file
is the savefile being closed after each rotation. For example, specifying
.B \-z gzip
or
.B \-z bzip2
will compress each savefile using gzip or bzip2.
.IP
Note that tcpdump will run the command in parallel to the capture, using
the lowest priority so that this doesn't disturb the capture process.
.IP
And in case you would like to use a command that itself takes flags or
different arguments, you can always write a shell script that will take the
savefile name as the only argument, make the flags & arguments arrangements
and execute the command that you want.
.TP
.B \-Z
Drops privileges (if root) and changes user ID to
.I user
and the group ID to the primary group of
.IR user .
.IP
This behavior can also be enabled by default at compile time.
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
If no \fIexpression\fP
is given, all packets on the net will be dumped.
Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
For the \fIexpression\fP syntax, see
.BR pcap-filter (4).
.LP
Expression arguments can be passed to \fItcpdump\fP as either a single
argument or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
Multiple arguments are concatenated with spaces before being parsed.
.SH EXAMPLES
.LP
To print all packets arriving at or departing from \fIsundown\fP:
.RS
.nf
\fBtcpdump host sundown\fP
.fi
.RE
.LP
To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
.RS
.nf
\fBtcpdump host helios and \\( hot or ace \\)\fP
.fi
.RE
.LP
To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
.RS
.nf
\fBtcpdump ip host ace and not helios\fP
.fi
.RE
.LP
To print all traffic between local hosts and hosts at Berkeley:
.RS
.nf
.B
tcpdump net ucb-ether
.fi
.RE
.LP
To print all ftp traffic through internet gateway \fIsnup\fP:
(note that the expression is quoted to prevent the shell from
(mis-)interpreting the parentheses):
.RS
.nf
.B
tcpdump 'gateway snup and (port ftp or ftp-data)'
.fi
.RE
.LP
To print traffic neither sourced from nor destined for local hosts
(if you gateway to one other net, this stuff should never make it
onto your local net).
.RS
.nf
.B
tcpdump ip and not net \fIlocalnet\fP
.fi
.RE
.LP
To print the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a non-local host.
.RS
.nf
.B
tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
.fi
.RE
.LP
To print all IPv4 HTTP packets to and from port 80, i.e. print only
packets that contain data, not, for example, SYN and FIN packets and
ACK-only packets.  (IPv6 is left as an exercise for the reader.)
.RS
.nf
.B
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
.fi
.RE
.LP
To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
.RS
.nf
.B
tcpdump 'gateway snup and ip[2:2] > 576'
.fi
.RE
.LP
To print IP broadcast or multicast packets that were
.I not
sent via Ethernet broadcast or multicast:
.RS
.nf
.B
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
.fi
.RE
.LP
To print all ICMP packets that are not echo requests/replies (i.e., not
ping packets):
.RS
.nf
.B
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
.fi
.RE
.SH OUTPUT FORMAT
.LP
The output of \fItcpdump\fP is protocol dependent.
The following
gives a brief description and examples of most of the formats.
.de HD
.sp 1.5
.B
..
.HD
Link Level Headers
.LP
If the '-e' option is given, the link level header is printed out.
On Ethernets, the source and destination addresses, protocol,
and packet length are printed.
.LP
On FDDI networks, the  '-e' option causes \fItcpdump\fP to print
the `frame control' field,  the source and destination addresses,
and the packet length.
(The `frame control' field governs the
interpretation of the rest of the packet.
Normal packets (such
as those containing IP datagrams) are `async' packets, with a priority
value between 0 and 7; for example, `\fBasync4\fR'.
Such packets
are assumed to contain an 802.2 Logical Link Control (LLC) packet;
the LLC header is printed if it is \fInot\fR an ISO datagram or a
so-called SNAP packet.
.LP
On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
the `access control' and `frame control' fields, the source and
destination addresses, and the packet length.
As on FDDI networks,
packets are assumed to contain an LLC packet.
Regardless of whether
the '-e' option is specified or not, the source routing information is
printed for source-routed packets.
.LP
On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
the `frame control' fields, all of the addresses in the 802.11 header,
and the packet length.
As on FDDI networks,
packets are assumed to contain an LLC packet.
.LP
\fI(N.B.: The following description assumes familiarity with
the SLIP compression algorithm described in RFC-1144.)\fP
.LP
On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
packet type, and compression information are printed out.
The packet type is printed first.
The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
No further link information is printed for \fIip\fR packets.
For TCP packets, the connection identifier is printed following the type.
If the packet is compressed, its encoded header is printed out.
The special cases are printed out as
\fB*S+\fIn\fR and \fB*SA+\fIn\fR, where \fIn\fR is the amount by which
the sequence number (or sequence number and ack) has changed.
If it is not a special case,
zero or more changes are printed.
A change is indicated by U (urgent pointer), W (window), A (ack),
S (sequence number), and I (packet ID), followed by a delta (+n or -n),
or a new value (=n).
Finally, the amount of data in the packet and compressed header length
are printed.
.LP
For example, the following line shows an outbound compressed TCP packet,
with an implicit connection identifier; the ack has changed by 6,
the sequence number by 49, and the packet ID by 6; there are 3 bytes of
data and 6 bytes of compressed header:
.RS
.nf
\fBO ctcp * A+6 S+49 I+6 3 (6)\fP
.fi
.RE
.HD
ARP/RARP Packets
.LP
Arp/rarp output shows the type of request and its arguments.
The
format is intended to be self explanatory.
Here is a short sample taken from the start of an `rlogin' from
host \fIrtsg\fP to host \fIcsam\fP:
.RS
.nf
.sp .5
\f(CWarp who-has csam tell rtsg
arp reply csam is-at CSAM\fR
.sp .5
.fi
.RE
The first line says that rtsg sent an arp packet asking
for the Ethernet address of internet host csam.
Csam
replies with its Ethernet address (in this example, Ethernet addresses
are in caps and internet addresses in lower case).
.LP
This would look less redundant if we had done \fItcpdump \-n\fP:
.RS
.nf
.sp .5
\f(CWarp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
.fi
.RE
.LP
If we had done \fItcpdump \-e\fP, the fact that the first packet is
broadcast and the second is point-to-point would be visible:
.RS
.nf
.sp .5
\f(CWRTSG Broadcast 0806  64: arp who-has csam tell rtsg
CSAM RTSG 0806  64: arp reply csam is-at CSAM\fR
.sp .5
.fi
.RE
For the first packet this says the Ethernet source address is RTSG, the
destination is the Ethernet broadcast address, the type field
contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
.HD
TCP Packets
.LP
\fI(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793.
If you are not familiar
with the protocol, neither this description nor \fItcpdump\fP will
be of much use to you.)\fP
.LP
The general format of a tcp protocol line is:
.RS
.nf
.sp .5
\fIsrc > dst: flags data-seqno ack window urgent options\fP
.sp .5
.fi
.RE
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.