tcpdump.man.ps

3 网卡驱动相关实例 这是和网卡NT KMD驱动程序有关的一些资料和例子。

(Under IRIX with snoop:)5.542 F F0 -1.1(Yo)3.042 G 3.042(um)1.1 G .542
(ust be)-3.042 F .398(root or it must be installed setuid to root.)108
230.4 R F2 .398(Under Linux:)5.398 F F0 -1.1(Yo)2.898 G 2.898(um)1.1 G
.398(ust be root or it must be installed setuid to)-2.898 F(root.)108
242.4 Q F2 1.717(Under Ultrix and Digital UNIX:)6.717 F F0 1.717
(Once the super)4.217 F 1.716
(-user has enabled promiscuous-mode operation)-.2 F(using)108 254.4 Q F3
(pfcon\214g)2.5 E F0(\(8\), an).22 E 2.5(yu)-.15 G(ser may run)-2.5 E F2
(tcpdump)2.5 E F0(.)A F2(Under BSD:)5 E F0 -1.1(Yo)2.5 G 2.5(um)1.1 G
(ust ha)-2.5 E .3 -.15(ve r)-.2 H(ead access to).15 E F3(/de)2.5 E
(v/bpf*)-.15 E F0(.).42 E F1(OPTIONS)72 271.2 Q F2<ad61>108 283.2 Q F0
(Attempt to con)25.3 E -.15(ve)-.4 G(rt netw).15 E
(ork and broadcast addresses to names.)-.1 E F2<ad63>108 300 Q F0
(Exit after recei)25.86 E(ving)-.25 E F3(count)2.5 E F0(pack)2.5 E(ets.)
-.1 E F2<ad64>108 316.8 Q F0(Dump the compiled pack)24.74 E
(et-matching code in a human readable form to standard output and stop.)
-.1 E F2(\255dd)108 333.6 Q F0(Dump pack)19.18 E(et-matching code as a)
-.1 E F2(C)2.5 E F0(program fragment.)2.5 E F2(\255ddd)108 350.4 Q F0
(Dump pack)13.62 E
(et-matching code as decimal numbers \(preceded with a count\).)-.1 E F2
<ad65>108 367.2 Q F0(Print the link-le)25.86 E -.15(ve)-.25 G 2.5(lh).15
G(eader on each dump line.)-2.5 E F2<ad66>108 384 Q F0 .827(Print `fore\
ign' internet addresses numerically rather than symbolically \(this opt\
ion is intended to)26.97 F 1.163
(get around serious brain damage in Sun')144 396 R 3.663(sy)-.55 G 3.663
(ps)-3.663 G(erv)-3.663 E 1.162(er \212 usually it hangs fore)-.15 F
-.15(ve)-.25 G 3.662(rt).15 G 1.162(ranslating non-)-3.662 F
(local internet numbers\).)144 408 Q F2<ad46>108 424.8 Q F0(Use)24.19 E
F3(\214le)3.06 E F0 .56(as input for the \214lter e)3.06 F 3.06
(xpression. An)-.15 F .56(additional e)3.06 F .56(xpression gi)-.15 F
-.15(ve)-.25 G 3.06(no).15 G 3.06(nt)-3.06 G .56(he command line is)
-3.06 F(ignored.)144 436.8 Q F2<ad69>108 453.6 Q F0 .32(Listen on)27.52
F F3(interface)2.82 E F0 5.32(.I)C 2.82(fu)-5.32 G(nspeci\214ed,)-2.82 E
F3(tcpdump)2.819 E F0 .319(searches the system interf)2.819 F .319
(ace list for the lo)-.1 F .319(west num-)-.25 F 1.839
(bered, con\214gured up interf)144 465.6 R 1.839(ace \(e)-.1 F 1.839
(xcluding loopback\).)-.15 F -.35(Ti)6.839 G 1.839(es are brok).35 F
1.839(en by choosing the earliest)-.1 F(match.)144 477.6 Q F2<ad6c>108
494.4 Q F0(Mak)27.52 E 2.5(es)-.1 G(tdout line b)-2.5 E(uf)-.2 E 2.5
(fered. Useful)-.25 F(if you w)2.5 E
(ant to see the data while capturing it.)-.1 E(E.g.,)5 E -.74(``)144
506.4 S 2.5(tcpdump \255l | tee).74 F(dat')2.5 E 2.5('o)-.74 G 2.5(r`)
-2.5 G 2.5(`tcpdump \255l)-3.24 F 2.5(>d)7.5 G 2.5(at & tail \255f dat')
-2.5 F('.)-.74 E F2<ad6e>108 523.2 Q F0(Don')24.74 E 2.5(tc)-.18 G(on)
-2.5 E -.15(ve)-.4 G
(rt addresses \(i.e., host addresses, port numbers, etc.\) to names.).15
E F2<ad4e>108 540 Q F0(Don')23.08 E 2.722(tp)-.18 G .222
(rint domain name quali\214cation of host names.)-2.722 F .221
(E.g., if you gi)5.221 F .521 -.15(ve t)-.25 H .221(his \215ag then).15
F F3(tcpdump)2.721 E F0(will)2.721 E(print `)144 552 Q(`nic')-.74 E 2.5
('i)-.74 G(nstead of `)-2.5 E(`nic.ddn.mil')-.74 E('.)-.74 E F2<ad4f>108
568.8 Q F0 1.075(Do not run the pack)22.52 F 1.075
(et-matching code optimizer)-.1 F 6.075(.T)-.55 G 1.075
(his is useful only if you suspect a b)-6.075 F 1.076(ug in the)-.2 F
(optimizer)144 580.8 Q(.)-.55 E F2<ad70>108 597.6 Q F3(Don')24.74 E(t)
-.3 E F0 .785(put the interf)3.285 F .785(ace into promiscuous mode.)-.1
F .785(Note that the interf)5.785 F .785(ace might be in promiscuous)-.1
F .6(mode for some other reason; hence, `-p' cannot be used as an abbre)
144 609.6 R .601(viation for `ether host {local-)-.25 F
(hw-addr} or ether broadcast'.)144 621.6 Q F2<ad71>108 638.4 Q F0
(Quick \(quiet?\) output.)24.74 E
(Print less protocol information so output lines are shorter)5 E(.)-.55
E F2<ad72>108 655.2 Q F0 1.104(Read pack)25.86 F 1.104(ets from)-.1 F F3
(\214le)3.604 E F0 1.104(\(which w)3.604 F 1.104
(as created with the -w option\).)-.1 F 1.103(Standard input is used if)
6.103 F F3(\214le)3.603 E F0(is)3.603 E -.74(``)144 667.2 S(-').74 E('.)
-.74 E F2<ad73>108 684 Q F0(Snarf)26.41 E F3(snaplen)2.814 E F0 .314
(bytes of data from each pack)2.814 F .315(et rather than the def)-.1 F
.315(ault of 68 \(with SunOS')-.1 F 2.815(sN)-.55 G(IT)-2.815 E 2.815
(,t)-.74 G(he)-2.815 E .317(minimum is actually 96\).)144 696 R .317
(68 bytes is adequate for IP)5.317 F 2.817(,I)-1.11 G(CMP)-2.817 E 2.817
(,T)-1.11 G .317(CP and UDP b)-2.817 F .317(ut may truncate pro-)-.2 F
.37(tocol information from name serv)144 708 R .37(er and NFS pack)-.15
F .37(ets \(see belo)-.1 F 2.87(w\). P)-.25 F(ack)-.15 E .37
(ets truncated because of a)-.1 F 2.132
(limited snapshot are indicated in the output with `)144 720 R(`[|)-.74
E F3(pr)A(oto)-.45 E F0(]')A 2.132(', where)-.74 F F3(pr)4.632 E(oto)
-.45 E F0 2.132(is the name of the)4.632 F(30 June 1997)279.335 768 Q(1)
202.335 E EP
%%Page: 2 2
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R 2.626
(protocol le)144 84 R -.15(ve)-.25 G 5.126(la).15 G 5.126(tw)-5.126 G
2.626(hich the truncation has occurred.)-5.126 F 2.626
(Note that taking lar)7.626 F 2.627(ger snapshots both)-.18 F .673
(increases the amount of time it tak)144 96 R .673(es to process pack)
-.1 F .673(ets and, ef)-.1 F(fecti)-.25 E -.15(ve)-.25 G(ly).15 E 3.172
(,d)-.65 G .672(ecreases the amount of)-3.172 F(pack)144 108 Q 1.426
(et b)-.1 F(uf)-.2 E 3.926(fering. This)-.25 F 1.426(may cause pack)
3.926 F 1.426(ets to be lost.)-.1 F -1.1(Yo)6.426 G 3.926(us)1.1 G 1.426
(hould limit)-3.926 F/F1 10/Times-Italic@0 SF(snaplen)3.926 E F0 1.426
(to the smallest)3.926 F
(number that will capture the protocol information you')144 120 Q
(re interested in.)-.5 E/F2 10/Times-Bold@0 SF<ad54>108 136.8 Q F0 -.15
(Fo)23.63 G .35(rce pack).15 F .35(ets selected by ")-.1 F F1 -.2(ex)C
(pr).2 E(ession)-.37 E F0 2.849("t)C 2.849(ob)-2.849 G 2.849(ei)-2.849 G
.349(nterpreted the speci\214ed)-2.849 F F1(type)2.849 E F0 2.849(.C)C
.349(urrently kno)-2.849 F .349(wn types)-.25 F(are)144 148.8 Q F2 -.1
(rp)2.999 G(c).1 E F0 .499(\(Remote Procedure Call\),)2.999 F F2(rtp)
2.999 E F0(\(Real-T)2.999 E .499(ime Applications protocol\),)-.35 F F2
(rtcp)2.999 E F0(\(Real-T)2.999 E .5(ime Appli-)-.35 F
(cations control protocol\),)144 160.8 Q F2 -.1(va)2.5 G(t).1 E F0(\(V)
2.5 E(isual Audio T)-.6 E(ool\), and)-.8 E F2(wb)2.5 E F0(\(distrib)2.5
E(uted White Board\).)-.2 E F2<ad53>108 177.6 Q F0
(Print absolute, rather than relati)24.74 E -.15(ve)-.25 G 2.5(,T).15 G
(CP sequence numbers.)-2.5 E F2<ad74>108 194.4 Q F1(Don')26.97 E(t)-.3 E
F0(print a timestamp on each dump line.)2.5 E F2(\255tt)108 211.2 Q F0
(Print an unformatted timestamp on each dump line.)23.64 E F2<ad76>108
228 Q F0 .032(\(Slightly more\) v)25.3 F .032(erbose output.)-.15 F -.15
(Fo)5.032 G 2.531(re).15 G .031(xample, the time to li)-2.681 F .331
-.15(ve a)-.25 H .031(nd type of service information in an).15 F
(IP pack)144 240 Q(et is printed.)-.1 E F2(\255vv)108 256.8 Q F0(Ev)20.3
E(en more v)-.15 E(erbose output.)-.15 E -.15(Fo)5 G 2.5(re).15 G
(xample, additional \214elds are printed from NFS reply pack)-2.65 E
(ets.)-.1 E F2<ad77>108 273.6 Q F0 .593(Write the ra)23.08 F 3.093(wp)
-.15 G(ack)-3.093 E .593(ets to)-.1 F F1(\214le)3.093 E F0 .594
(rather than parsing and printing them out.)3.093 F(The)5.594 E 3.094
(yc)-.15 G .594(an later be printed)-3.094 F(with the \255r option.)144
285.6 Q(Standard output is used if)5 E F1(\214le)2.5 E F0(is `)2.5 E
(`-')-.74 E('.)-.74 E F2<ad78>108 302.4 Q F0 .418(Print each pack)25.3 F
.418(et \(minus its link le)-.1 F -.15(ve)-.25 G 2.918(lh).15 G .418
(eader\) in he)-2.918 F 2.918(x. The)-.15 F .417
(smaller of the entire pack)2.918 F .417(et or)-.1 F F1(snaplen)2.917 E
F0(bytes will be printed.)144 314.4 Q F1 -.2(ex)110.5 331.2 S(pr).2 E
(ession)-.37 E F0 1.241(selects which pack)144 343.2 R 1.241
(ets will be dumped.)-.1 F 1.242(If no)6.242 F F1 -.2(ex)3.742 G(pr).2 E
(ession)-.37 E F0 1.242(is gi)3.742 F -.15(ve)-.25 G 1.242(n, all pack)
.15 F 1.242(ets on the net will be)-.1 F 2.5(dumped. Otherwise,)144
355.2 R(only pack)2.5 E(ets for which)-.1 E F1 -.2(ex)2.5 G(pr).2 E
(ession)-.37 E F0(is `true' will be dumped.)2.5 E(The)144 372 Q F1 -.2
(ex)3.578 G(pr).2 E(ession)-.37 E F0 1.078(consists of one or more)3.578
F F1(primitives.)3.578 E F0(Primiti)6.078 E -.15(ve)-.25 G 3.578(su).15
G 1.078(sually consist of an)-3.578 F F1(id)3.578 E F0 1.078(\(name or)
3.578 F(number\) preceded by one or more quali\214ers.)144 384 Q
(There are three dif)5 E(ferent kinds of quali\214er:)-.25 E F1(type)144
400.8 Q F0 .02
(quali\214ers say what kind of thing the id name or number refers to.)
19.34 F .02(Possible types are)5.02 F F2(host)2.52 E F0(,)A F2(net)180
412.8 Q F0(and)2.886 E F2(port)2.886 E F0 5.386(.E)C .386
(.g., `host foo', `net 128.3', `port 20'.)-5.386 F .386
(If there is no type quali\214er)5.386 F(,)-.4 E F2(host)2.885 E F0(is)
2.885 E(assumed.)180 424.8 Q F1(dir)144 441.6 Q F0 .376
(quali\214ers specify a particular transfer direction to and/or from)
24.33 F F1(id.)2.876 E F0 .376(Possible directions are)5.376 F F2(sr)180
453.6 Q(c)-.18 E F0(,)A F2(dst)3.16 E F0(,)A F2(sr)3.16 E 3.16(co)-.18 G
3.16(rd)-3.16 G(st)-3.16 E F0(and)3.16 E F2(sr)3.16 E 3.16(ca)-.18 G .66
(nd dst)-3.16 F F0 5.66(.E)C .66
(.g., `src foo', `dst net 128.3', `src or dst port ftp-)-5.66 F 3.101
(data'. If)180 465.6 R .601(there is no dir quali\214er)3.101 F(,)-.4 E
F2(sr)3.101 E 3.101(co)-.18 G 3.101(rd)-3.101 G(st)-3.101 E F0 .601
(is assumed.)3.101 F -.15(Fo)5.601 G 3.101(r`).15 G .602
(null' link layers \(i.e. point)-3.101 F .092
(to point protocols such as slip\) the)180 477.6 R F2(inbound)2.592 E F0
(and)2.592 E F2(outbound)2.592 E F0 .092
(quali\214ers can be used to spec-)2.592 F(ify a desired direction.)180
489.6 Q F1(pr)144 506.4 Q(oto)-.45 E F0 .644
(quali\214ers restrict the match to a particular protocol.)14.78 F .644
(Possible protos are:)5.644 F F2(ether)3.144 E F0(,)A F2(fddi)3.144 E F0
(,)A F2(ip)3.144 E F0(,)A F2(ar)180 518.4 Q(p)-.1 E F0(,)A F2(rar)3.381
E(p)-.1 E F0(,)A F2(decnet)3.381 E F0(,)A F2(lat)3.381 E F0(,)A F2(sca)
3.381 E F0(,)A F2(mopr)3.381 E(c)-.18 E F0(,)A F2(mopdl)3.381 E F0(,)A
F2(tcp)3.381 E F0(and)3.381 E F2(udp)3.381 E F0 5.881(.E)C .88
(.g., `ether src foo', `arp net)-5.881 F .658(128.3', `tcp port 21'.)180
530.4 R .659(If there is no proto quali\214er)5.658 F 3.159(,a)-.4 G
.659(ll protocols consistent with the type)-3.159 F .996(are assumed.)
180 542.4 R .995
(E.g., `src foo' means `\(ip or arp or rarp\) src foo' \(e)5.996 F .995
(xcept the latter is not)-.15 F(le)180 554.4 Q -.05(ga)-.15 G 3.531(ls)
.05 G 1.031(yntax\), `net bar' means `\(ip or arp or rarp\) net bar' an\
d `port 53' means `\(tcp or)-3.531 F(udp\) port 53'.)180 566.4 Q .566([\
`fddi' is actually an alias for `ether'; the parser treats them identic\
ally as meaning `)144 583.2 R .565(`the data link)-.74 F(le)144 595.2 Q
-.15(ve)-.25 G 3.927(lu).15 G 1.427(sed on the speci\214ed netw)-3.927 F
1.427(ork interf)-.1 F(ace.)-.1 E 5.408 -.74('' F)-.7 H 1.428
(DDI headers contain Ethernet-lik).74 F 3.928(es)-.1 G 1.428(ource and)
-3.928 F 1.956(destination addresses, and often contain Ethernet-lik)144
607.2 R 4.456(ep)-.1 G(ack)-4.456 E 1.956
(et types, so you can \214lter on these)-.1 F .193
(FDDI \214elds just as with the analogous Ethernet \214elds.)144 619.2 R
.194(FDDI headers also contain other \214elds, b)5.193 F(ut)-.2 E
(you cannot name them e)144 631.2 Q(xplicitly in a \214lter e)-.15 E
(xpression.])-.15 E .281(In addition to the abo)144 648 R -.15(ve)-.15 G
2.781(,t).15 G .281(here are some special `primiti)-2.781 F -.15(ve)-.25
G 2.781('k).15 G -.15(ey)-2.881 G -.1(wo).15 G .28(rds that don').1 F
2.78(tf)-.18 G(ollo)-2.78 E 2.78(wt)-.25 G .28(he pattern:)-2.78 F F2
(gateway)144 660 Q F0(,)A F2(br)2.5 E(oadcast)-.18 E F0(,)A F2(less)2.5
E F0(,)A F2(gr)2.5 E(eater)-.18 E F0(and arithmetic e)2.5 E 2.5
(xpressions. All)-.15 F(of these are described belo)2.5 E -.65(w.)-.25 G
.161(More comple)144 676.8 R 2.661<788c>-.15 G .161(lter e)-2.661 F .161
(xpressions are b)-.15 F .161(uilt up by using the w)-.2 F(ords)-.1 E F2
(and)2.661 E F0(,)A F2(or)2.661 E F0(and)2.661 E F2(not)2.661 E F0 .162
(to combine prim-)2.662 F(iti)144 688.8 Q -.15(ve)-.25 G 3.565(s. E.g.,)
.15 F 1.064(`host foo and not port ftp and not port ftp-data'.)3.565 F
2.664 -.8(To s)6.064 H -2.25 -.2(av e).8 H 1.064
(typing, identical quali\214er)3.764 F .823(lists can be omitted.)144
700.8 R .823(E.g., `tcp dst port ftp or ftp-data or domain' is e)5.823 F
.824(xactly the same as `tcp dst)-.15 F
(port ftp or tcp dst port ftp-data or tcp dst port domain'.)144 712.8 Q
(Allo)144 729.6 Q -.1(wa)-.25 G(ble primiti).1 E -.15(ve)-.25 G 2.5(sa)
.15 G(re:)-2.5 E(30 June 1997)279.335 768 Q(2)202.335 E EP
%%Page: 3 3
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Times-Bold@0 SF(dst host)144 84 Q/F2 10/Times-Italic@0 SF(host)2.5 E F0
-.35(Tr)180 96 S .507(ue if the IP destination \214eld of the pack).35 F
.507(et is)-.1 F F2(host)3.007 E F0 3.007(,w)C .506
(hich may be either an address or a)-3.007 F(name.)180 108 Q F1(sr)144
124.8 Q 2.5(ch)-.18 G(ost)-2.5 E F2(host)2.5 E F0 -.35(Tr)180 136.8 S
(ue if the IP source \214eld of the pack).35 E(et is)-.1 E F2(host)2.5 E
F0(.)A F1(host)144 153.6 Q F2(host)2.5 E F0 -.35(Tr)180 165.6 S 1.053
(ue if either the IP source or destination of the pack).35 F 1.053
(et is)-.1 F F2(host)3.553 E F0 6.053(.A)C 1.353 -.15(ny o)-6.053 H
3.553(ft).15 G 1.053(he abo)-3.553 F 1.353 -.15(ve h)-.15 H(ost).15 E
-.15(ex)180 177.6 S(pressions can be prepended with the k).15 E -.15(ey)
-.1 G -.1(wo).15 G(rds,).1 E F1(ip)2.5 E F0(,)A F1(ar)2.5 E(p)-.1 E F0
2.5(,o)C(r)-2.5 E F1(rar)2.5 E(p)-.1 E F0(as in:)2.5 E F1(ip host)216
189.6 Q F2(host)2.5 E F0(which is equi)180 201.6 Q -.25(va)-.25 G
(lent to:).25 E F1(ether pr)216 213.6 Q(oto)-.18 E F2(\\ip)2.5 E F1
(and host)2.5 E F2(host)2.5 E F0(If)180 225.6 Q F2(host)2.5 E F0
(is a name with multiple IP addresses, each address will be check)2.5 E
(ed for a match.)-.1 E F1(ether dst)144 242.4 Q F2(ehost)2.5 E F0 -.35
(Tr)180 254.4 S 2.252(ue if the ethernet destination address is).35 F F2
(ehost)4.751 E F0(.)A F2(Ehost)7.251 E F0 2.251
(may be either a name from)4.751 F(/etc/ethers or a number \(see)180
266.4 Q F2(ether)2.5 E(s)-.1 E F0(\(3N\) for numeric format\).).27 E F1
(ether sr)144 283.2 Q(c)-.18 E F2(ehost)2.5 E F0 -.35(Tr)180 295.2 S
(ue if the ethernet source address is).35 E F2(ehost)2.5 E F0(.)A F1
(ether host)144 312 Q F2(ehost)2.5 E F0 -.35(Tr)180 324 S
(ue if either the ethernet source or destination address is).35 E F2