tcpdump.man.ps

3 网卡驱动相关实例 这是和网卡NT KMD驱动程序有关的一些资料和例子。

(ehost)2.5 E F0(.)A F1(gateway)144 340.8 Q F2(host)2.5 E F0 -.35(Tr)180
352.8 S .439(ue if the pack).35 F .439(et used)-.1 F F2(host)2.939 E F0
.439(as a g)2.939 F(ate)-.05 E -.1(wa)-.25 G 4.239 -.65(y. I).1 H .44
(.e., the ethernet source or destination address).65 F -.1(wa)180 364.8
S(s).1 E F2(host)3 E F0 -.2(bu)3 G 3(tn).2 G .5
(either the IP source nor the IP destination w)-3 F(as)-.1 E F2(host)
2.999 E F0(.)A F2(Host)5.499 E F0 .499(must be a name)2.999 F
(and must be found in both /etc/hosts and /etc/ethers.)180 376.8 Q
(\(An equi)5 E -.25(va)-.25 G(lent e).25 E(xpression is)-.15 E F1
(ether host)216 388.8 Q F2(ehost)2.5 E F1(and not host)2.5 E F2(host)2.5
E F0(which can be used with either names or numbers for)180 400.8 Q F2
(host / ehost)2.5 E F0(.\))A F1(dst net)144 417.6 Q F2(net)2.5 E F0 -.35
(Tr)180 429.6 S .396(ue if the IP destination address of the pack).35 F
.396(et has a netw)-.1 F .396(ork number of)-.1 F F2(net)2.896 E F0(.)A
F2(Net)2.896 E F0 .396(may be)2.896 F(either a name from /etc/netw)180
441.6 Q(orks or a netw)-.1 E(ork number \(see)-.1 E F2(networks\(4\))2.5
E F0(for details\).)2.5 E F1(sr)144 458.4 Q 2.5(cn)-.18 G(et)-2.5 E F2
(net)2.5 E F0 -.35(Tr)180 470.4 S
(ue if the IP source address of the pack).35 E(et has a netw)-.1 E
(ork number of)-.1 E F2(net)2.5 E F0(.)A F1(net)144 487.2 Q F2(net)2.5 E
F0 -.35(Tr)7.95 G .456
(ue if either the IP source or destination address of the pack).35 F
.456(et has a netw)-.1 F .456(ork number of)-.1 F F2(net)180 499.2 Q F0
(.)A F1(net)144 516 Q F2(net)2.5 E F1(mask)2.5 E F2(mask)2.5 E F0 -.35
(Tr)180 528 S .65(ue if the IP address matches).35 F F2(net)3.15 E F0
.65(with the speci\214c netmask.)3.15 F .65(May be quali\214ed with)5.65
F F1(sr)3.15 E(c)-.18 E F0(or)180 540 Q F1(dst)2.5 E F0(.)A F1(net)144
556.8 Q F2(net)2.5 E F0(/)A F2(len)A F0 -.35(Tr)180 568.8 S .378
(ue if the IP address matches).35 F F2(net)2.878 E F0 2.878(an)2.878 G
(etmask)-2.878 E F2(len)2.878 E F0 .378(bits wide.)2.878 F .377
(May be quali\214ed with)5.377 F F1(sr)2.877 E(c)-.18 E F0(or)2.877 E F1
(dst)180 580.8 Q F0(.)A F1(dst port)144 597.6 Q F2(port)2.5 E F0 -.35
(Tr)180 609.6 S .909(ue if the pack).35 F .909
(et is ip/tcp or ip/udp and has a destination port v)-.1 F .91(alue of)
-.25 F F2(port)3.41 E F0 5.91(.T)C(he)-5.91 E F2(port)3.41 E F0 .523
(can be a number or a name used in /etc/services \(see)180 621.6 R F2
(tcp)3.022 E F0 .522(\(4P\) and).19 F F2(udp)3.022 E F0 3.022
(\(4P\)\). If).19 F 3.022(an)3.022 G .522(ame is)-3.022 F .344
(used, both the port number and protocol are check)180 633.6 R 2.845
(ed. If)-.1 F 2.845(an)2.845 G .345(umber or ambiguous name is)-2.845 F
.526(used, only the port number is check)180 645.6 R .525(ed \(e.g.,)-.1
F F1 .525(dst port 513)3.025 F F0 .525(will print both tcp/login traf)
3.025 F<8c63>-.25 E .043(and udp/who traf)180 657.6 R .043(\214c, and)
-.25 F F1 .043(port domain)2.543 F F0 .044
(will print both tcp/domain and udp/domain traf)2.543 F(\214c\).)-.25 E
F1(sr)144 674.4 Q 2.5(cp)-.18 G(ort)-2.5 E F2(port)2.5 E F0 -.35(Tr)180
686.4 S(ue if the pack).35 E(et has a source port v)-.1 E(alue of)-.25 E
F2(port)2.5 E F0(.)A F1(port)144 703.2 Q F2(port)2.5 E F0 -.35(Tr)180
715.2 S .661(ue if either the source or destination port of the pack).35
F .661(et is)-.1 F F2(port)3.161 E F0 5.661(.A)C .961 -.15(ny o)-5.661 H
3.161(ft).15 G .661(he abo)-3.161 F .961 -.15(ve p)-.15 H(ort).15 E -.15
(ex)180 727.2 S(pressions can be prepended with the k).15 E -.15(ey)-.1
G -.1(wo).15 G(rds,).1 E F1(tcp)2.5 E F0(or)2.5 E F1(udp)2.5 E F0 2.5
(,a)C 2.5(si)-2.5 G(n:)-2.5 E(30 June 1997)279.335 768 Q(3)202.335 E EP
%%Page: 4 4
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Times-Bold@0 SF(tcp sr)216 84 Q 2.5(cp)-.18 G(ort)-2.5 E/F2 10
/Times-Italic@0 SF(port)2.5 E F0(which matches only tcp pack)180 96 Q
(ets whose source port is)-.1 E F2(port)2.5 E F0(.)A F1(less)144 112.8 Q
F2(length)2.5 E F0 -.35(Tr)180 124.8 S(ue if the pack).35 E
(et has a length less than or equal to)-.1 E F2(length)2.5 E F0 5(.T)C
(his is equi)-5 E -.25(va)-.25 G(lent to:).25 E F1(len <=)216 136.8 Q F2
(length)2.5 E F1(.)A(gr)144 153.6 Q(eater)-.18 E F2(length)2.5 E F0 -.35
(Tr)180 165.6 S(ue if the pack).35 E
(et has a length greater than or equal to)-.1 E F2(length)2.5 E F0 5(.T)
C(his is equi)-5 E -.25(va)-.25 G(lent to:).25 E F1(len >=)216 177.6 Q
F2(length)2.5 E F1(.)A(ip pr)144 194.4 Q(oto)-.18 E F2(pr)2.5 E(otocol)
-.45 E F0 -.35(Tr)180 206.4 S .029(ue if the pack).35 F .029
(et is an ip pack)-.1 F .029(et \(see)-.1 F F2(ip)2.529 E F0 .03
(\(4P\)\) of protocol type).19 F F2(pr)2.53 E(otocol)-.45 E F0(.)A F2
(Pr)5.03 E(otocol)-.45 E F0 .03(can be a)2.53 F .15
(number or one of the names)180 218.4 R F2(icmp)2.65 E F0(,)A F2(igrp)
2.65 E F0(,)A F2(udp)2.649 E F0(,)A F2(nd)2.649 E F0 2.649(,o)C(r)-2.649
E F2(tcp)2.649 E F0 5.149(.N)C .149(ote that the identi\214ers)-5.149 F
F2(tcp)2.649 E F0(,)A F2(udp)2.649 E F0(,)A(and)180 230.4 Q F2(icmp)3.21
E F0 .71(are also k)3.21 F -.15(ey)-.1 G -.1(wo).15 G .711
(rds and must be escaped via backslash \(\\\), which is \\\\ in the C-)
.1 F(shell.)180 242.4 Q F1(ether br)144 259.2 Q(oadcast)-.18 E F0 -.35
(Tr)180 271.2 S(ue if the pack).35 E(et is an ethernet broadcast pack)
-.1 E 2.5(et. The)-.1 F F2(ether)2.5 E F0 -.1(ke)2.5 G(yw)-.05 E
(ord is optional.)-.1 E F1(ip br)144 288 Q(oadcast)-.18 E F0 -.35(Tr)180
300 S .18(ue if the pack).35 F .18(et is an IP broadcast pack)-.1 F
2.679(et. It)-.1 F .179(checks for both the all-zeroes and all-ones)
2.679 F(broadcast con)180 312 Q -.15(ve)-.4 G
(ntions, and looks up the local subnet mask.).15 E F1(ether multicast)
144 328.8 Q F0 -.35(Tr)180 340.8 S .267(ue if the pack).35 F .267
(et is an ethernet multicast pack)-.1 F 2.767(et. The)-.1 F F2(ether)
2.767 E F0 -.1(ke)2.768 G(yw)-.05 E .268(ord is optional.)-.1 F .268
(This is)5.268 F(shorthand for `)180 352.8 Q F1(ether[0] & 1 != 0)A F0
('.)A F1(ip multicast)144 369.6 Q F0 -.35(Tr)180 381.6 S(ue if the pack)
.35 E(et is an IP multicast pack)-.1 E(et.)-.1 E F1(ether pr)144 398.4 Q
(oto)-.18 E F2(pr)2.5 E(otocol)-.45 E F0 -.35(Tr)180 410.4 S .502
(ue if the pack).35 F .501(et is of ether type)-.1 F F2(pr)3.001 E
(otocol)-.45 E F0(.)A F2(Pr)5.501 E(otocol)-.45 E F0 .501
(can be a number or a name lik)3.001 F(e)-.1 E F2(ip)3.001 E F0(,)A F2
(arp)180 422.4 Q F0 2.837(,o)C(r)-2.837 E F2 -.15(ra)2.837 G(rp).15 E F0
5.338(.N)C .338(ote these identi\214ers are also k)-5.338 F -.15(ey)-.1
G -.1(wo).15 G .338(rds and must be escaped via backslash).1 F 3.744
(\(\\\). [In)180 434.4 R 1.244(the case of FDDI \(e.g., `)3.744 F F1
1.244(fddi pr)B 1.244(otocol ar)-.18 F(p)-.1 E F0 1.244
('\), the protocol identi\214cation comes)B .085
(from the 802.2 Logical Link Control \(LLC\) header)180 446.4 R 2.585
(,w)-.4 G .086(hich is usually layered on top of the)-2.585 F .592
(FDDI header)180 458.4 R(.)-.55 E F2(Tcpdump)5.592 E F0 .592
(assumes, when \214ltering on the protocol identi\214er)3.092 F 3.091
(,t)-.4 G .591(hat all FDDI)-3.091 F(pack)180 470.4 Q
(ets include an LLC header)-.1 E 2.5(,a)-.4 G
(nd that the LLC header is in so-called SN)-2.5 E(AP format.])-.35 E F1
(decnet sr)144 487.2 Q(c)-.18 E F2(host)2.5 E F0 -.35(Tr)180 499.2 S
2.204(ue if the DECNET source address is).35 F F2(host)4.705 E F0 4.705
(,w).68 G 2.205(hich may be an address of the form)-4.705 F -.74(``)180
511.2 S(10.123').74 E .686(', or a DECNET host name.)-.74 F .686
([DECNET host name support is only a)5.686 F -.25(va)-.2 G .686
(ilable on).25 F(Ultrix systems that are con\214gured to run DECNET)180
523.2 Q(.])-.74 E F1(decnet dst)144 540 Q F2(host)2.5 E F0 -.35(Tr)180
552 S(ue if the DECNET destination address is).35 E F2(host)2.5 E F0(.)
.68 E F1(decnet host)144 568.8 Q F2(host)2.5 E F0 -.35(Tr)180 580.8 S
(ue if either the DECNET source or destination address is).35 E F2(host)
2.5 E F0(.).68 E F1(ip)144 597.6 Q F0(,)A F1(ar)2.5 E(p)-.1 E F0(,)A F1
(rar)2.5 E(p)-.1 E F0(,)A F1(decnet)2.5 E F0(Abbre)180 609.6 Q
(viations for:)-.25 E F1(ether pr)216 621.6 Q(oto)-.18 E F2(p)2.5 E F0
(where)180 633.6 Q F2(p)2.5 E F0(is one of the abo)2.5 E .3 -.15(ve p)
-.15 H(rotocols.).15 E F1(lat)144 650.4 Q F0(,)A F1(mopr)2.5 E(c)-.18 E
F0(,)A F1(mopdl)2.5 E F0(Abbre)180 662.4 Q(viations for:)-.25 E F1
(ether pr)216 674.4 Q(oto)-.18 E F2(p)2.5 E F0(where)180 686.4 Q F2(p)
2.518 E F0 .018(is one of the abo)2.518 F .319 -.15(ve p)-.15 H 2.519
(rotocols. Note).15 F(that)2.519 E F2(tcpdump)2.519 E F0 .019
(does not currently kno)2.519 F 2.519(wh)-.25 G .519 -.25(ow t)-2.519 H
(o).25 E(parse these protocols.)180 698.4 Q(30 June 1997)279.335 768 Q
(4)202.335 E EP
%%Page: 5 5
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Times-Bold@0 SF(tcp)144 84 Q F0(,)A F1(udp)2.5 E F0(,)A F1(icmp)2.5 E
F0(Abbre)180 96 Q(viations for:)-.25 E F1(ip pr)216 108 Q(oto)-.18 E/F2
10/Times-Italic@0 SF(p)2.5 E F0(where)180 120 Q F2(p)2.5 E F0
(is one of the abo)2.5 E .3 -.15(ve p)-.15 H(rotocols.).15 E F2 -.2(ex)
144 136.8 S(pr r).2 E(elop e)-.37 E(xpr)-.2 E F0 -.35(Tr)180 148.8 S
.529(ue if the relation holds, where).35 F F2 -.37(re)3.029 G(lop).37 E
F0 .529(is one of >, <, >=, <=, =, !=, and)3.029 F F2 -.2(ex)3.029 G(pr)
.2 E F0 .529(is an arith-)3.029 F 1.712(metic e)180 160.8 R 1.712
(xpression composed of inte)-.15 F 1.713(ger constants \(e)-.15 F 1.713
(xpressed in standard C syntax\), the)-.15 F .376
(normal binary operators [+, -, *, /, &, |], a length operator)180 172.8
R 2.875(,a)-.4 G .375(nd special pack)-2.875 F .375(et data acces-)-.1 F
2.5(sors. T)180 184.8 R 2.5(oa)-.8 G(ccess data inside the pack)-2.5 E
(et, use the follo)-.1 E(wing syntax:)-.25 E F2(pr)216 196.8 Q(oto)-.45
E F1([)2.5 E F2 -.2(ex)2.5 G(pr).2 E F1(:)2.5 E F2(size)2.5 E F1(])2.5 E
F2(Pr)180 208.8 Q(oto)-.45 E F0 .758(is one of)3.258 F F1(ether)3.258 E
3.259(,f)-.92 G .759(ddi, ip, ar)-3.259 F .759(p, rar)-.1 F .759
(p, tcp, udp,)-.1 F F0(or)3.259 E F1(icmp)3.259 E F0 3.259(,a)C .759
(nd indicates the protocol)-3.259 F .726(layer for the inde)180 220.8 R
3.226(xo)-.15 G 3.226(peration. The)-3.226 F .726(byte of)3.226 F .726
(fset, relati)-.25 F 1.026 -.15(ve t)-.25 H 3.226(ot).15 G .725
(he indicated protocol layer)-3.226 F 3.225(,i)-.4 G(s)-3.225 E(gi)180
232.8 Q -.15(ve)-.25 G 2.585(nb).15 G(y)-2.585 E F2 -.2(ex)2.585 G(pr).2
E F0(.)A F2(Size)5.086 E F0 .086(is optional and indicates the number o\
f bytes in the \214eld of interest; it)2.586 F .276
(can be either one, tw)180 244.8 R .276(o, or four)-.1 F 2.776(,a)-.4 G
.276(nd def)-2.776 F .276(aults to one.)-.1 F .275(The length operator)
5.275 F 2.775(,i)-.4 G .275(ndicated by the)-2.775 F -.1(ke)180 256.8 S
(yw)-.05 E(ord)-.1 E F1(len)2.5 E F0 2.5(,g)C -2.15 -.25(iv e)-2.5 H 2.5
(st).25 G(he length of the pack)-2.5 E(et.)-.1 E -.15(Fo)180 280.8 S
3.398(re).15 G .898(xample, `)-3.548 F F1 .898(ether[0] & 1 != 0)B F0
3.399('c)C .899(atches all multicast traf)-3.399 F 3.399(\214c. The)-.25
F -.15(ex)3.399 G .899(pression `).15 F F1 .899(ip[0] &)B 1.78(0xf != 5)
180 292.8 R F0 4.28('c)C 1.78(atches all IP pack)-4.28 F 1.779
(ets with options. The e)-.1 F 1.779(xpression `)-.15 F F1 1.779
(ip[6:2] & 0x1fff = 0)B F0(')A 2.565(catches only unfragmented datagram\
s and frag zero of fragmented datagrams.)180 304.8 R(This)7.565 E 1.692
(check is implicitly applied to the)180 316.8 R F1(tcp)4.192 E F0(and)
4.192 E F1(udp)4.191 E F0(inde)4.191 E 4.191(xo)-.15 G 4.191
(perations. F)-4.191 F 1.691(or instance,)-.15 F F1(tcp[0])4.191 E F0
(al)180 328.8 Q -.1(wa)-.1 G .246(ys means the \214rst byte of the TCP)
.1 F F2(header)2.746 E F0 2.746(,a)C .247(nd ne)-2.746 F -.15(ve)-.25 G
2.747(rm).15 G .247(eans the \214rst byte of an inter)-2.747 F(-)-.2 E
-.15(ve)180 340.8 S(ning fragment.).15 E(Primiti)144 357.6 Q -.15(ve)
-.25 G 2.5(sm).15 G(ay be combined using:)-2.5 E 3.651(Ap)180 374.4 S
1.151(arenthesized group of primiti)-3.651 F -.15(ve)-.25 G 3.651(sa).15
G 1.151(nd operators \(parentheses are special to the Shell)-3.651 F
(and must be escaped\).)180 386.4 Q(Ne)180 403.2 Q -.05(ga)-.15 G
(tion \(`).05 E F1(!)A F0 2.5('o)C 2.5(r`)-2.5 G F1(not)-2.5 E F0('\).)A
(Concatenation \(`)180 420 Q F1(&&)A F0 2.5('o)C 2.5(r`)-2.5 G F1(and)
-2.5 E F0('\).)A(Alternation \(`)180 436.8 Q F1(||)A F0 2.5('o)C 2.5(r`)
-2.5 G F1(or)-2.5 E F0('\).)A(Ne)144 453.6 Q -.05(ga)-.15 G .379
(tion has highest precedence.).05 F .379
(Alternation and concatenation ha)5.379 F .679 -.15(ve e)-.2 H .379
(qual precedence and asso-).15 F .048(ciate left to right.)144 465.6 R
.048(Note that e)5.048 F(xplicit)-.15 E F1(and)2.548 E F0(tok)2.548 E
.048(ens, not juxtaposition, are no)-.1 F 2.548(wr)-.25 G .048
(equired for concatena-)-2.548 F(tion.)144 477.6 Q
(If an identi\214er is gi)144 494.4 Q -.15(ve)-.25 G 2.5(nw).15 G
(ithout a k)-2.5 E -.15(ey)-.1 G -.1(wo).15 G(rd, the most recent k).1 E
-.15(ey)-.1 G -.1(wo).15 G(rd is assumed.).1 E -.15(Fo)5 G 2.5(re).15 G
(xample,)-2.65 E F1(not host vs and ace)180 506.4 Q F0(is short for)144
518.4 Q F1(not host vs and host ace)180 530.4 Q F0
(which should not be confused with)144 542.4 Q F1
(not \( host vs or ace \))180 554.4 Q F0 .792(Expression ar)144 571.2 R
.792(guments can be passed to tcpdump as either a single ar)-.18 F .792
(gument or as multiple ar)-.18 F(gu-)-.18 E .611(ments, whiche)144 583.2
R -.15(ve)-.25 G 3.111(ri).15 G 3.111(sm)-3.111 G .611(ore con)-3.111 F
-.15(ve)-.4 G 3.111(nient. Generally).15 F 3.111(,i)-.65 G 3.111(ft)
-3.111 G .611(he e)-3.111 F .611
(xpression contains Shell metacharacters,)-.15 F 1.686
(it is easier to pass it as a single, quoted ar)144 595.2 R 4.187
(gument. Multiple)-.18 F(ar)4.187 E 1.687(guments are concatenated with)
-.18 F(spaces before being parsed.)144 607.2 Q/F3 9/Times-Bold@0 SF
(EXAMPLES)72 624 Q F0 1.6 -.8(To p)108 636 T(rint all pack).8 E
(ets arri)-.1 E(ving at or departing from)-.25 E F2(sundown)2.5 E F0(:)A
F1(tcpdump host sundo)144 648 Q(wn)-.1 E F0 1.6 -.8(To p)108 664.8 T
(rint traf).8 E(\214c between)-.25 E F2(helios)2.5 E F0(and either)2.5 E
F2(hot)2.5 E F0(or)2.5 E F2(ace)2.5 E F0(:)A F1
(tcpdump host helios and \\\( hot or ace \\\))144 676.8 Q F0 1.6 -.8
(To p)108 693.6 T(rint all IP pack).8 E(ets between)-.1 E F2(ace)2.5 E
F0(and an)2.5 E 2.5(yh)-.15 G(ost e)-2.5 E(xcept)-.15 E F2(helios)2.5 E
F0(:)A F1(tcpdump ip host ace and not helios)144 705.6 Q F0 1.6 -.8
(To p)108 722.4 T(rint all traf).8 E
(\214c between local hosts and hosts at Berk)-.25 E(ele)-.1 E(y:)-.15 E
(30 June 1997)279.335 768 Q(5)202.335 E EP
%%Page: 6 6
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Times-Bold@0 SF(tcpdump net ucb-ether)144 84 Q F0 1.825 -.8(To p)108
100.8 T .225(rint all ftp traf).8 F .225(\214c through internet g)-.25 F
(ate)-.05 E -.1(wa)-.25 G(y).1 E/F2 10/Times-Italic@0 SF(snup)2.725 E F0
2.725(:\()C .225(note that the e)-2.725 F .225