tcpdump(1M)                    DG/UX 5.4R3.00                    tcpdump(1M)


NAME
       tcpdump - dump traffic seen on a network

SYNOPSIS
       tcpdump [ -aeflnNOpqStvx ] [ -B protocol ] [ -c count ] [ -d dump-
               info[,root-protocol] ] [ -E protocol ] [ -F exprfile ]
               [ -H htbl-elems ] [ -i interface ] [ -M mtbl-elems ]
               [ -R output-fmt ] [ -r readfile ] [ -s snaplen ]
               [ -w writefile ] [ filter expression ]

   where:
       protocol    Protocol name: ether, fddi, tr (Token Ring), slip, llc,
                   snap, ip, tcp, telnet, udp, arp, rarp, icmp, tftp, igmp,
                   nfs, snmp, ntp, talk (AppleTalk), bootp, domain (domain
                   name system), or rip
       count       Number of packets to dump
       dump-info   bpf, binarybpf, command, expr, ifl, proto, ptree, pdefs,
                   or pdeps
       root-protocol
                   Lowest level protocol for which dump information is
                   requested
       exprfile    Name of input file containing boolean expression
       htbl-elems  Maximum number of host table elements
       interface   Name of interface
       mtbl-elems  Maximum number of matrix table elements
       output-fmt  Raw output format: c, d, o, or x
       readfile    Name of file from which to read packets
       snaplen     Maximum number of bytes to read from each packet; default
                   = 68
       writefile   Name of file to which to write packets
       filter expression
                   A boolean expression that selects which packets will be
                   dumped: a combination of protocol names, modifying
                   commands, and packet field specifiers (see Expressions
                   under DESCRIPTION).  By default, all packets are dumped.

DESCRIPTION
       Tcpdump prints network packets or portions of packets that match a
       boolean expression.  By default, all recognized protocol headers are
       printed.  Packets are captured through the BPF device, so the ability
       to run tcpdump is controlled by the permissions on /dev/bpf0: any user
       who can open that file can capture traffic.  If the file does not
       exist, invoke sysadm newdgux, add bpf() to the system file, build a
       new kernel, and reboot the system.

       Tcpdump obtains all protocol-specific information from a text file
       called the protocol file, thereby making tcpdump easily extensible.

   Options
       -a   Print the host and/or matrix table using hardware addresses, not
            host names.

       -B   Begin printing of each packet at the protocol level.  No packet
            information lower on the protocol stack is printed.  If no
            boolean expression is specified, protocol is implied.

Licensed material--property of copyright holder(s)                         1

       -c   Exit after receiving count packets.

       -d   Dump the information specified by dump-info:
               bpf    the BPF code corresponding to filter expression in
                      ascii format.  If a root-protocol is specified, the
                      lowest level protocol is assumed to be root-protocol;
                      otherwise, the lowest level protocol is determined by
                      the type of interface.
               binarybpf
                      the BPF code corresponding to filter expression in
                      binary format.  If a root-protocol is specified, the
                      lowest level protocol is assumed to be root-protocol;
                      otherwise, the lowest level protocol is determined by
                      the type of interface.
               command
                      all commands in the protocol file, grouped by the
                      associated protocol.  If a root-protocol is specified,
                      it has no effect.
               expr   the expanded boolean expression corresponding to
                      filter expression (this is useful for locating a parse
                      error in the expression).  If a root-protocol is
                      specified, the lowest level protocol is assumed to be
                      root-protocol; otherwise, the lowest level protocol is
                      determined by the type of interface.
               ifl    the list of interfaces which may be attached to by
                      specifying the -i option.  If a root-protocol is
                      specified, it has no effect.  If the -q option is
                      specified, no header information is printed.
               proto   all protocol names referenced in the protocol file.
                       If a root-protocol is specified, it has no effect.
               ptree   all protocol names in the protocol file in a format
                       that shows which protocols are nested inside of which
                       protocols.  If a root-protocol is specified, the
                       lowest level protocol is assumed to be root-protocol;
                       otherwise, the lowest level protocol is determined by
                       the type of interface.
               pdefs   all protocols defined in the protocol file.  If a
                       root-protocol is specified, it has no effect.
               pdeps   all dependent protocols, i.e., referenced but not
                       defined, in the protocol file.  If a root-protocol is
                       specified, it has no effect.
            tcpdump exits after the required information has been printed.

       -e   Print the lowest-level header on each dump line; by default, the
            lowest-level header (e.g. Ethernet header) is not printed.

       -E   End printing of each packet at the protocol level.  No packet
            information higher on the protocol stack is printed unless the
            -R or -x options are specified.

       -f   Print 'foreign' internet addresses (those not on the same
            network or subnetwork) numerically rather than symbolically.

       -F   Use exprfile as input for the boolean expression.  An additional
            boolean expression given on the command line is ignored.

       -H   Keep a host table of up to htbl-elems entries and print it when
            tcpdump terminates.  This option has no effect if the -r option
            is specified or if the interface tcpdump is listening on is not
            an Ethernet.

       -i   Listen on interface.  If unspecified, tcpdump searches the
            system's interfaces for the lowest numbered interface (excluding
            loopback) configured into the kernel.  Ties are broken by
            choosing the earliest match.  This option has no effect if the
            -r option is specified.

       -l   Make standard output line buffered.  This is useful if you want
            to see the data while capturing it; e.g.,
                 tcpdump -l | tee dat
            or
                 tcpdump -l > dat & tail -f dat

       -M   Keep a matrix table of up to mtbl-elems entries and print it when
            tcpdump terminates.  This option has no effect if the -r option
            is specified or if the interface tcpdump is listening on is not
            an Ethernet.

       -n   Don't convert addresses (i.e., host addresses, port numbers,
            etc.) to names.

       -N   Don't print domain name qualification of host names.  E.g., if
            you give this flag then tcpdump prints nic instead of
            nic.ddn.mil.

       -O   Do not run the packet-matching code optimizer.  This is useful
            only if you suspect a bug in the optimizer.

       -p   Don't put the interface into promiscuous mode.  Promiscuous mode
            makes tcpdump see all packets on the wire, not just those
            originating from or destined to the local host.  Note that the
            interface may already have been put into promiscuous mode by
            another process (e.g. another instance of tcpdump); hence, -p
            cannot be relied on as an abbreviation for a filter such as
            host localhost or broadcast that selects only local traffic.

       -q   Produce quiet output, printing less protocol information so
            output lines are shorter.

       -r   Read packets from readfile (which was created with the -w
            option).  Standard input is used if readfile is -.

       -R   Specify the raw output format.  For each packet received, print
            the remainder of the captured packet (i.e. the portion of the
            captured packet not printed in a formatted manner) in character
            (c), decimal (d), octal (o), or hexadecimal (x) format.  For
            example, tcpdump -Etcp -Ro prints all tcp packets; formatted
            printing stops at the tcp level and the remainder of the
            captured packet is printed in octal.  In character output mode,
            the null byte is printed as ' ' while all other non-printable
            characters are printed in octal.  Offsets (in the left-most
            column) are always printed in decimal.  Note that the -x option
            has the same effect as -Rx.

       -s   Capture snaplen bytes of data from each packet.  The default, 68
            bytes, is adequate for IP, ICMP, TCP and UDP but may truncate
            protocol information from name server and NFS packets (see
            below).  Packets truncated because of a limited snapshot are
            indicated in the output with [|proto], where proto is the name
            of the protocol level at which the truncation has occurred.
            Note that taking larger snapshots both increases the amount of
            time it takes to process packets and, effectively, decreases the
            amount of packet buffering.  This may cause packets to be lost.
            You should limit snaplen to the smallest number that will
            capture the protocol information you're interested in.

       -S   Print absolute, rather than relative, TCP sequence numbers.

       -t   Don't print a timestamp on each dump line.

       -tt  Print an unformatted timestamp on each dump line.

       -v   Produce verbose output.  For example, the time to live and type
            of service information in an IP packet is printed.

       -w   Write the raw packets to writefile rather than parsing and
            printing them out.  They can later be printed with the -r option.
            Standard output is used if writefile is -.

       -x   Print nonformatted output in hexadecimal format.  For each
            packet received, print the remainder of the captured packet,
            i.e. after the last byte which is printed in a formatted manner,
            in hex.  Note that -x has the same effect as -Rx.

   Boolean Expressions
       You can select which packets will be dumped by specifying a boolean
       expression consisting of one or more of the following:

       protocol      says to print protocol type packets.  Any protocol name
                     is a valid boolean expression.  For example, tcpdump
                     telnet prints all TELNET packets.

                     Since tcpdump obtains all protocol-specific information
                     from the protocol file so that new protocols can be
                     easily added by the user, an up-to-date list of
                     protocols can be obtained as follows:
                          tcpdump -d proto

       command       is a quick way to specify additional characteristics
                     (i.e. in addition to a protocol name) of the packets
                     you want tcpdump to print.  For example,
                          tcpdump src host your-host
                     prints all IP packets whose source IP address is the
                     host, your-host.  The command name in this case is src
                     host and the argument is your-host.  Arguments of a
                     command can also be placed inside parentheses and
                     separated by commas.  For example,
                          tcpdump 'src host (your-host)'
                     is equivalent to the previous command line.

                     Each command, except global commands, implies a
                     particular protocol.  In the example above, the
                     command, src host, implies the IP protocol.  In fact,
                          tcpdump src host your-host
                     is equivalent to
                          tcpdump ip src host your-host

                     Each command is described in the COMMANDS section of
                     this man page.  Since new commands can be added to
                     tcpdump's protocol file, an up-to-date list of commands
                     grouped according to their implied protocol can be
                     obtained as follows:
                          tcpdump -d command

                     Global commands do not imply a protocol.  An additional
                     protocol or command may be required.  For example,
                          tcpdump -c 10 trigger llc
                     prints the first 10 packets seen beginning with an llc
                     packet.  In this example, trigger is the command and
                     llc is the protocol specifier.

       fieldspec    specifies arbitrary fields of a packet.  The basic
                     syntax is [offset[:size]], where offset is the offset
                     in bytes into the packet and size is the size of the
                     field in bytes (1,2, or 4 bytes).  If you omit :size, a
                     value of 1 is assumed.

                     You can build more complex boolean expressions by using
                     additional operators.  The allowable relational
                     operators are: ==, !=, <=, >=, <, and >.
                     The set of bit-wise operators are: &, |, <<, and >>.
                     The arithmetic operators are: +, -, *, and /.
                     The boolean operators are: and, or, and ! (not).

                     For example, tcpdump '[12:2]<=1500' prints all packets
                     whose 2-byte field at offset 12 is less than or equal
                     to 1500, and tcpdump 'nfs[1:1]&0x0f==0x0f' prints all
                     NFS packets such that the least significant four bits
                     of the first byte of the NFS packet header are all
                     ones.  In general, an arbitrary field of a protocol
                     header can be referenced by following the protocol name
                     with the syntax described above.

                     Integer constants can be in hexadecimal by using a
                     leading 0x (e.g., 0xff), octal by using a leading 0
                     (e.g., 0777), or decimal by using a leading 1 through 9
                     (e.g., 123).
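                      As an added illustration that is not part of the DG/UX
                      manual, the Python below evaluates one fieldspec
                      comparison of the form described above against a
                      constructed frame.  It implements the page's rules for
                      [offset[:size]], the & mask, the six relational
                      operators and the 0x / leading-0 / decimal constants.
                      Its own assumptions: protocol names resolve to header
                      offsets for ether, ip, tcp and udp only, a bare
                      [offset] is taken relative to the Ethernet header, and
                      both sample frames are constructed test data.  It also
                      shows why '[12:2]<=1500' is useful: the same two bytes
                      are a length in an 802.3 frame and a type in an
                      Ethernet II frame.

```python
import operator
import re
import struct

# Constructed test frames (not from a real capture).  ETHER_II_TCP is an
# Ethernet II frame carrying IPv4/TCP: a SYN from 111.222.3.4 to the telnet
# port on 111.222.3.5.  LLC_802_3 is an 802.3 frame whose bytes 12-13 hold
# a length (64), not an Ethernet type.
def build_ether_ii_tcp():
    eth = bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("01023a4b056c") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 1234, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([111, 222, 3, 4]), bytes([111, 222, 3, 5]))
    return eth + ip + tcp

ETHER_II_TCP = build_ether_ii_tcp()
LLC_802_3 = bytes(12) + struct.pack("!H", 64) + bytes(64)

def proto_offsets(frame):
    """Byte offset at which each recognised protocol header starts in frame."""
    offs = {"ether": 0}
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00":     # Ethernet II, type IP
        offs["ip"] = 14
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] == 6:                                     # IP protocol field
            offs["tcp"] = 14 + ihl
        elif frame[23] == 17:
            offs["udp"] = 14 + ihl
    return offs

# proto[offset[:size]] [& mask] relop value, e.g. 'nfs[1:1]&0x0f==0x0f'
FIELDSPEC = re.compile(
    r"^\s*(?P<proto>[a-z]+)?\s*\[(?P<off>\w+)(?::(?P<size>[124]))?\]"
    r"\s*(?:&\s*(?P<mask>\w+))?\s*(?P<op>==|!=|<=|>=|<|>)\s*(?P<val>\w+)\s*$")

RELOPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
          ">=": operator.ge, "<": operator.lt, ">": operator.gt}

def parse_int(tok):
    """Integer constant as the man page defines it: 0x prefix is hex,
    a leading 0 is octal, anything else is decimal."""
    if tok.lower().startswith("0x"):
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)

def eval_fieldspec(expr, frame):
    """True if frame matches a single fieldspec comparison.

    A fieldspec without a protocol name is taken relative to the start of
    the frame (assumption: the lowest-level header is Ethernet).  A field
    the frame does not carry, or that lies beyond the captured bytes, never
    matches, which is how a filter behaves on a truncated snapshot.
    """
    m = FIELDSPEC.match(expr)
    if not m:
        raise ValueError("not a fieldspec comparison: %r" % expr)
    offs = proto_offsets(frame)
    proto = m.group("proto") or "ether"
    if proto not in offs:
        return False
    start = offs[proto] + parse_int(m.group("off"))
    size = int(m.group("size") or 1)
    if start + size > len(frame):
        return False
    field = int.from_bytes(frame[start:start + size], "big")
    if m.group("mask"):
        field &= parse_int(m.group("mask"))
    return RELOPS[m.group("op")](field, parse_int(m.group("val")))

if __name__ == "__main__":
    for expr in ("[12:2]<=1500", "ip[9]==6", "tcp[13]&0x02==0x02",
                 "tcp[2:2]==23", "ip[0]&0x0f==05", "nfs[1]==10"):
        print("%-22s Ethernet II/TCP: %-5s  802.3/LLC: %s" % (
            expr, eval_fieldspec(expr, ETHER_II_TCP),
            eval_fieldspec(expr, LLC_802_3)))
```

                      A field that lies past the captured bytes never
                      matches, which is the filter-side counterpart of the
                      [|proto] truncation marker described under -s.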

   Addresses
       IP addresses are recognized in the format a.b.c.d, where a, b, c, and
       d are decimal integers.  For example, tcpdump 'src 111.222.3.4'
       prints all packets whose source IP address is 111.222.3.4.

       Ethernet addresses are recognized in the format x:x:x:x:x:x, where x
       represents a single- or double-digit hexadecimal value.  For example,
       tcpdump 'esrc 1:2:3a:4b:5:6c' prints all packets whose source
       Ethernet address is 1:2:3a:4b:5:6c.

   Commands
       Commands are a convenient way to specify additional characteristics
       (i.e. in addition to a protocol name) of the packets you want tcpdump
       to print.  All commands, except global commands, are associated with
       a particular protocol; therefore, these commands are grouped
       according to the protocol to which they are associated.  Since new
       commands can be added to the protocol file, an up-to-date list of
       commands can be obtained as follows:
            tcpdump -d command

       GLOBAL COMMANDS

       trigger condition
              Begin printing packets only when a packet is seen for which
              condition is true.  For example,
              tcpdump -c50 'trigger(nfs[1]==10)' prints 50 packets beginning
              with an NFS packet in which the first byte of the NFS header
              is 10.

       true   Print all packets.  This is the default.

       false  Print no packets.  This is useful if you want to gather host
              table information using the -H option or matrix table
              information using the -M option, but you don't want to print
              any individual packets.

       not condition
              This is the same as ! condition.  This is often useful to
              avoid having to escape the ! character while using the C
              shell.  For example,
                   tcpdump 'not telnet'
              is equivalent to
                   tcpdump '\!telnet'
              in the C shell.

       less length
              Print only packets with length less than or equal to length.

       greater length
              Print only packets with length greater than or equal to
              length.

       ETHERNET COMMANDS
       Each command in this section is valid only when listening on an
       Ethernet type interface.

       eproto protocol-name-or-number
              Print only Ethernet packets with a type field equal to
              protocol-name-or-number.  The protocol names which are
              recognized are arp, rarp, ip, and llc.

       esrc|{src ehost} hostname-or-ethernet-address
              Print only Ethernet packets from hostname-or-ethernet-address.
              If the argument is a hostname, /etc/ethers is searched for the
              Ethernet address; otherwise, the Ethernet address should be in
              the form, x:x:x:x:x:x, where x is a single or double digit hex
              value.  For example,
                   tcpdump 'esrc your-host'
              prints all packets whose source Ethernet address is your-host,
              and
                   tcpdump 'esrc 1:2:3a:4b:5:6c'
              prints all packets whose source Ethernet address is
              1:2:3a:4b:5:6c.

       edst|{dst ehost} hostname-or-ethernet-address
              Same as esrc, except this is the destination instead of the
              source address.

       ehost|{esrc or edst}|{edst or esrc} hostname-or-ethernet-address
              Print all packets whose source or destination Ethernet address
              equals hostname-or-ethernet-address.

       broadcast
              Print all Ethernet broadcast packets.

       gateway hostname
              Print all packets which use hostname as a gateway; i.e., the
              Ethernet source or destination address was hostname but neither
              the IP source nor the IP destination was hostname.  Hostname
              must be a name found in both /etc/hosts and /etc/ethers.  An
              equivalent expression is
                   ehost etherhost and not host iphost
              which can be used with either names or numbers for etherhost /
              iphost.

       IP COMMANDS

       src [host] hostname-or-ip-address
              Print all packets with a source IP address of hostname-or-ip-
              address.  If a hostname is specified, it must be found in
              /etc/hosts; an IP address must be specified with the notation,
              a.b.c.d, where a, b, c, and d are decimal values.  For
              example, tcpdump 'src your-host' prints all IP packets
              containing a source IP address of your-host, and tcpdump 'src
              111.222.3.4' prints all IP packets containing a source IP
              address of 111.222.3.4.
       dst [host] hostname-or-ip-address
              Same as src, except this is the destination instead of the
              source address.

       host|{src or dst}|{dst or src} hostname-or-ip-address
              Print all IP packets whose source or destination IP address is
              hostname-or-ip-address; i.e., both src and dst packets.

       src port portname-or-portnum
              Print IP packets whose TCP and/or UDP source port equals
              portname-or-portnum.  A portname must be found in
              /etc/services.  If a portname corresponds to both a tcp and a
              udp port, this command is equivalent to:

                    tcp src port portname-or-portnum or
                    udp src port portname-or-portnum

              If a portname corresponds to a tcp port but not a udp port,
              this command is equivalent to:

                   tcp src port portname-or-portnum

              If a portname corresponds to a udp port but not a tcp port,
              this command is equivalent to:

                   udp src port portname-or-portnum

              A port number implies that both tcp and udp packets with the
              appropriate port value will be printed.

       dst port portname-or-portnum
              Same as src port portname-or-portnum, except look at the
              destination instead of the source port value.

       port portname-or-portnum
              Same as src port portname-or-portnum or dst port portname-or-
              portnum.

       proto protocol-name-or-number
              Print only IP packets whose protocol field equals protocol-
              name-or-number.  Recognized protocol names are icmp, tcp, and
              udp.

       dst net net
              Print only IP packets with the network net in their
              destination address, where net is a network name or address.

       src net net
              Print only IP packets with the network net in their source
              address, where net is a network name or address.

       net net
              Print only IP packets with the network number net in their
              source or destination address; net is a network name or
              address.
       TCP AND UDP COMMANDS

       The commands listed below pertain to TCP or UDP packets, depending on
       which kind of packets are being dumped.

       src port portname-or-portnum
              Print TCP or UDP packets whose source port equals portname-or-
              portnum.  A portname must be found in /etc/services as a TCP
              or UDP service.

       dst port portname-or-portnum
              Print TCP or UDP packets whose destination port equals
              portname-or-portnum.  A portname must be found in
              /etc/services as a TCP or UDP service.

       port portname-or-portnum
              Print TCP or UDP packets whose source or destination port
              equals portname-or-portnum.  A portname must be found in
              /etc/services as a TCP or UDP service.

   Output Format
       By default, all output lines are preceded by a timestamp.  The
       timestamp is the current clock time in the form
              hh:mm:ss.frac
       and is as accurate as the kernel's clock.  The timestamp reflects the
       time the kernel first saw the packet.  No attempt is made to account
       for the time lag between when the hardware interface removed the
       packet from the wire and when the kernel serviced the 'new packet'
       interrupt.

       All header output is protocol dependent.  The following gives a brief
       description and examples for each protocol.  The names enclosed in
       angle brackets are always variable names.

       ARP/RARP PACKETS

       ARP/RARP output shows the type of request and its arguments.  The
       format is intended to be self explanatory.  Here is a short sample:
              arp: who-has ham tell spam
              arp: reply ham is-at HAM
       The first line says that spam sent an ARP packet asking for the
       Ethernet address of internet host ham.  Ham replies with its Ethernet
       address (in this example, Ethernet addresses are in caps and internet
       addresses in lower case).

       This would look less redundant if we had done tcpdump -n:
              arp: who-has 111.222.3.4 tell 111.222.3.5
              arp: reply 111.222.3.4 is-at 1:2:3a:4b:5:6c

       If we had done tcpdump -e on an Ethernet interface, the fact that the
       first packet is broadcast and the second is point-to-point would be
       visible:
       08:15:12.80
            ether: MY-HOST->Broadcast,arp,64
            arp: who-has your-host tell my-host
       08:15:12.90
            ether: YOUR-HOST->MY-HOST,arp,64
            arp: reply your-host is-at YOUR-HOST

       If the lowest level protocol is not the ethernet protocol, the format
       of the ARP protocol line is:
              arp: oper for proto #protocol (plen) hardware hardw (hlen)
       Oper specifies the operation; protocol is the protocol type; plen is
       the length of the protocol address.  Hardw specifies the hardware
       type (1 for Ethernet) and hlen the length of the hardware address.

       KIP APPLETALK (DDP IN UDP)

       AppleTalk DDP packets encapsulated in UDP datagrams are de-
       encapsulated and dumped as DDP packets.  The file /etc/atalk.names
       (if it exists) is used to translate AppleTalk net and node numbers to
       names.  Lines in this file have the form
              number       name
              1.254        ether
              16.1         your-net
              1.254.110    ace
       The first two lines give the names of AppleTalk networks.  The third
       line gives the name of a particular host (a host number has three
       octets, a net number has two octets).  The number and name should be
       separated by spaces or tabs.  The /etc/atalk.names file may contain
       blank lines or comment lines (lines starting with a #).

       AppleTalk addresses are printed in the form
              net.host.port
       The general format of tcpdump output for AppleTalk addresses is:
              talk: srcnet.srchost.srcport->dstnet.dsthost.dstport
       (If /etc/atalk.names doesn't exist or doesn't contain an entry for
       some AppleTalk host/net number, addresses are printed in numeric
       form.)

       Examples:
              talk: 111.22.33.4->your-net.112.220
              talk: office.2->your-net.112.220
              talk: my-net.149.235->your-net.2
       In the first example, NBP (DDP port 4) on net 111.22 node 33 is
       sending to whatever is listening on port 220 of net your-net node
       112.  The second line is the same except the full name of the source
       node is known ('office').  The third line is a send from port 235 on
       net my-net node 149 to broadcast on the your-net NBP port.  Note that
       the broadcast address (255) is indicated by a net name with no host
       number.  For this reason, it's a good idea to keep node names and net
       names distinct in /etc/atalk.names.

       NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
       packets have their contents interpreted.  Other protocols just dump
       the protocol name (or number if no name is registered for the
       protocol) and packet size.
       NBP packets are formatted like the following examples:

        talk: your-net.112.220->my-net.2: nbp-lkup 190: "=:LaserWriter@*"
        talk: my-net.209.2->your-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
        talk: techpit.2->your-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

       The first line is a name lookup request for laserwriters sent by net
       your-net host 112 and broadcast on net my-net.  The nbp id for the
       lookup is 190.  The second line shows a reply for this request (note
       that it has the same id) from host my-net.209 saying that it has a
       laserwriter resource named "RM1140" registered on port 250.  The
       third line is another reply to the same request saying host techpit
       has laserwriter "techpit" registered on port 186.

       ATP packets are formatted like the following example:

        talk: my-net.209.165->your-host.132: atp-req 12266<0-7> 0xae030001
        talk: your-host.132->my-net.209.165: atp-resp 12266:0 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:1 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:2 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:3 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:4 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:5 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:6 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp*12266:7 (512) 0xae040000
        talk: my-net.209.165->your-host.132: atp-req  12266<3,5> 0xae030001
        talk: your-host.132->my-net.209.165: atp-resp 12266:3 (512) 0xae040000
        talk: your-host.132->my-net.209.165: atp-resp 12266:6 (512) 0xae040000
        talk: my-net.209.165->your-host.132: atp-rel  12266<0-7> 0xae030001
        talk: my-net.209.165->your-host.132: atp-req* 12267<0-7> 0xae030002

       My-net.209 initiates transaction id 12266 with host your-host by
       requesting up to 8 packets (the 0-7).  The hex number at the end of
       the line is the value of the 'userdata' field in the request.
       Your-host responds with 8 512-byte packets.  The :digit following the
       transaction ID gives the packet sequence number in the transaction
       and the number in parens is the amount of data in the packet,
       excluding the ATP header.  The * on packet 7 indicates that the EOM
       bit was set.
       My-net.209 then requests that packets 3 & 5 be retransmitted.
       Your-host resends them, then my-net.209 releases the transaction.
       Finally, my-net.209 initiates the next request.  The * on the request
       indicates that XO ('exactly once') was not set.

       BOOTP PACKETS

       The general format of a BOOTP protocol line is:
       bootp[type,hops:hopsn,xid:xid,secs:sec,C:client,Y:you,S:server,G:gate]

       Type is the packet opcode type (either request, reply, or bootp-#op,
       where op is the opcode in decimal).  Hopsn is the number of gateway
       hops, xid is the transaction id (in hex), sec is the number of
       seconds since boot began.  Client, you, server, and gate describe the
       four IP addresses.



Licensed material--property of copyright holder(s)                        11

       If they are captured, the server host name and the boot file name are
       printed also. If the interface hardware type is not Ethernet, the
       hardware type and the length of the hardware address (in bytes) are
       printed after the packet opcode type.

       DOMAIN PACKETS

       The output for domain packets depends on the type of the message. If
       the message is a response, the format of the protocol line is:
       domain[IDopcodeRCODEaaRAtc,(qdcountq),ancount/nscount/arcount]

       ID is the query identification number.  Opcode describes the purpose
       of the message; this value is set by the originator of a query and
       copied into the response.  RCODE is the response code.  After these
       values three flags follow.  Aa is the authoritative answer flag,
       specifying that the responding name server is an authority for the
       domain name in the question section (= * if true).  RA is the
       recursion available flag, denoting whether recursive query support is
       available in the name server (= - if not).  Tc is the truncation
       flag, specifying that this message was truncated due to length
       greater than that permitted on the transmission channel (= | if
       true).  Qdcount is the number of entries in the question section
       (printed only if not equal to 1).  Ancount specifies the number of
       resource records in the answer section.  Nscount is the number of
       name server resource records in the authority records section.
       Arcount describes the number of resource records in the additional
       records section.  If ancount is not zero, the class (IN for Internet)
       and the type of the query are printed too, but only if they are
       different from IP.

       If the message is a request, the format of the protocol line is:
               domain[IDopcodeRD,(qdcountq),(ancounta),(nscountn),(arcountau) type(class)]
       ID and opcode are the same as above.  RD is the recursion desired
       flag (= + if true), it directs the name server to pursue the query
       recursively.  If opcode specifies a query, qdcount is printed only if
       it is not zero, and ancount is printed only if it is not 1;
       otherwise, ancount is printed only if it is not zero, and qdcount is
       printed only if it is not 1.  Nscount and arcount are printed only if
       they are not zero.  Type and class are printed only if they are
       different from IP.
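
       The program below is an added example; it is not part of this manual
       and not the tcpdump(1M) decoder.  It pulls the header fields and the
       question that the DOMAIN PACKETS description covers out of a raw DNS
       message and prints them with the flag symbols defined above (aa '*',
       no RA '-', tc '|', RD '+').  The spacing inside the brackets and the
       form of the request line are assumptions, since the manual gives no
       literal sample; the query and reply it works on are constructed in
       the code.

```python
# Added example; not part of the DG/UX tcpdump manual.  It decodes the DNS
# header and question fields that the DOMAIN PACKETS section says this
# tcpdump prints and renders them with the manual's flag symbols
# (aa '*', no RA '-', tc '|', RD '+').  The spacing inside the brackets
# and the simplified request line are my choices, since the manual gives
# no literal example line.  The messages at the bottom are constructed.
import struct

OPCODES = {0: "query", 1: "iquery", 2: "status"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT"}
CLASSES = {1: "IN", 3: "CH", 4: "HS"}

def parse_header(msg):
    """Fields of the 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_name(msg, pos):
    """Read a domain name at pos.  Compression pointers are followed only
    backwards (forward or self pointers are rejected, so no loops).
    Returns (name, offset just past the name as written at pos)."""
    labels, end = [], None
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:
                raise ValueError("bad compression pointer")
            end = pos + 2 if end is None else end
            pos = target
            continue
        pos += 1
        if length == 0:
            break
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) or ".", (pos if end is None else end)

def parse_question(msg, pos=12):
    """(name, qtype, qclass, next offset) for the question at pos."""
    name, pos = parse_name(msg, pos)
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return name, qtype, qclass, pos + 4

def render(msg):
    """Response: domain[ID opcode RCODE aa RA tc,(qdcount q),an/ns/ar], with
    qdcount shown only when it is not 1, as the manual lays it out.
    Request: ID, opcode, the RD flag, then type(class) and the name asked."""
    h = parse_header(msg)
    op = OPCODES.get(h["opcode"], "op%d" % h["opcode"])
    if h["qr"]:
        flags = ("*" if h["aa"] else "") + ("" if h["ra"] else "-") + ("|" if h["tc"] else "")
        qd = "(%dq)," % h["qdcount"] if h["qdcount"] != 1 else ""
        return "domain[%d %s %s%s,%s%d/%d/%d]" % (
            h["id"], op, RCODES.get(h["rcode"], "rcode%d" % h["rcode"]), flags,
            qd, h["ancount"], h["nscount"], h["arcount"])
    name, qtype, qclass, _ = parse_question(msg)
    return "domain[%d %s %s %s(%s) %s]" % (
        h["id"], op, "+" if h["rd"] else "", TYPES.get(qtype, "type%d" % qtype),
        CLASSES.get(qclass, "class%d" % qclass), name)

# Builders for the constructed sample traffic.
def encode_name(name):
    parts = [p.encode("ascii") for p in name.strip(".").split(".")]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def build_query(ident, name, qtype=1, qclass=1, rd=True):
    return (struct.pack("!HHHHHH", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, qclass))

def build_a_response(query, addr, aa=True, ra=True, tc=False):
    """One A record whose owner name is a pointer (0xC00C) back to the
    question; a truncated (tc) reply carries the question and no answer."""
    h = parse_header(query)
    flags = (0x8000 | (0x0400 if aa else 0) | (0x0200 if tc else 0)
             | (0x0100 if h["rd"] else 0) | (0x0080 if ra else 0))
    qend = parse_question(query)[3]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(int(o) for o in addr.split("."))
    return (struct.pack("!HHHHHH", h["id"], flags, 1, 0 if tc else 1, 0, 0)
            + query[12:qend] + (b"" if tc else rr))

QUERY = build_query(0x1234, "www.example.com")
RESPONSE = build_a_response(QUERY, "192.0.2.1")
TRUNCATED = build_a_response(QUERY, "192.0.2.1", tc=True)
```

       Name parsing follows compression pointers only backwards, so a message
       whose pointers form a loop is rejected instead of hanging the decoder;
       a reply with the tc flag set is the one to retry over TCP, since the
       counts it carries no longer describe a complete answer.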

       ETHERNET PACKETS

       For Ethernet packets the source and destination addresses, the nested
       protocol type and the packet length are printed.  You can define
       names for the Ethernet addresses in the /etc/ethers file.  If the -q
       option is specified, the type will not be printed.  Examples:
              ether: 1:2:3a:4b:5:6c->1:2:3a:4b:5:6d,ip,60
              ether: my-host->your-host,ip,64

       ICMP PACKETS

       The output for ICMP messages is very simple.  It shows the message
       and its arguments, if there are any.  Here are some examples:
              08:52:12.33
                   ip: my-host->your-host
                   icmp: echo request
              08:52:12.35
                   ip: your-host->my-host
                   icmp: echo reply
              08:52:12.40
                   ip: him->her
                   icmp: him udp port ntp unreachable
       The first packet shows that my-host sent an icmp 'echo request' to
       your-host.  Your-host replies to this request with the icmp message
       'echo reply'.  In the third packet him sends the icmp message 'him
       udp port ntp unreachable' to her.

       IGMP PACKETS

       IGMP output shows the type of the message and its arguments. The
       format is intended to be self explanatory. Here are some examples for
       each possible type of an IGMP message:
       IGMP query:
              igmp: query,(gaddr group),(len length),(vvers),(b1=unused)
       Group is the group address; it is printed only if it is not equal to
       zero.  Length specifies the length of the protocol header; it is
       printed only if not equal to 8.  Vers is the version of the protocol;
       it is printed only if not equal to 1.  Unused contains the value of
       offset 1 in the header; it is printed only if not zero.
       IGMP report:
              igmp: report group,(len length),(vvers),(b1=unused)
       In this case group is always printed.
       Default:
              igmp: type,(vvers),(b1=unused)
       Type describes the type of the igmp message.

       IP PACKETS

       The general format of an IP protocol line is:
              ip: src->dst
       Src and dst are the source and destination IP addresses.  This is the
       output format if the nested protocol is either TCP, UDP or ICMP.  In
       all other cases, the packet header is printed as:
              ip: src->dst:ip-proto-type,length
       Type is a numeric value and describes the type of the nested
       protocol.  Length is the total length of the IP packet excluding the
       header length.

       A packet with the IP don't fragment flag is marked with a trailing
       (DF).  If the -v option is used, additional information in the IP
       header will be printed as follows:
              ip: src->dst;(ttl time,id ident)
       Time is the time to live value in seconds. Ident is the
       identification of the datagram.
       If the datagram header contains an options field, the protocol line
       looks like following:
              ip: src->dst;(ttl time,id ident,optlen=hlen option)
       Hlen is the length of the options field in bytes. Option contains the
       value of the option field (EOL, NOP, TS{len}, SECURITY{len}, RR{len},
       SSRR, LSRR, IPOPT-op{len}).

       Fragmented packets are printed as
              ip: src->dst:(frag id:size@offset+)
              ip: src->dst:(frag id:size@offset)
       (The first form indicates there are more fragments. The second
       indicates this is the last fragment.)

       Id is the fragment id (in hex).  Size is the fragment size (in bytes)
       excluding the IP header.  Offset is the fragment's offset (in bytes)
       in the original datagram.
       The fragment information is output for each fragment, but only the
       first fragment is followed by the higher level protocol information.
       For example, suppose the first fragment is as follows:
              ip: mc->oj:(frag 4c04:1480@0+)
              udp: nfs->1019
              nfs: 1f0e: reply ok 1472
       The remaining fragments would then look similar to:
              ip: mc->oj:(frag 4c04:1480@1480+)
              ip: mc->oj:(frag 4c04:1480@2960+)
              ip: mc->oj:(frag 4c04:1480@4440+)
              ip: mc->oj:(frag 4c04:1480@5920+)
              ip: mc->oj:(frag 4c04:900@7400)
       Things to note: the NFS line on the first fragment is printed as if
       there were 1472 bytes of user data when, in fact, the datagram
       carries 8292 bytes: the first fragment's 1480 bytes include the
       8-byte UDP header, leaving 1472 bytes of data, the next four
       fragments carry 1480 bytes each, and the last carries 900.  If you
       are looking for holes in the sequence space, this can fool you.
       Also note that it is possible to avoid fragmentation altogether by
       listening on the interface iptop; however, since this interface can
       not be put into promiscuous mode, only local traffic will be seen.
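
       The program below is an added example, not part of this manual or of
       tcpdump.  It reads the fragment lines described above, groups them by
       fragment id and totals the real payload, so that the 1472 printed on
       the first fragment's NFS line is not mistaken for the datagram length.
       It also reports holes and overlapping fragments in the offset space.
       The listing it reads is constructed after the example above; ids 4c05
       and 4c06 are invented to show a hole and an overlap.

```python
# Added example; not part of the DG/UX tcpdump manual.  It reads the
# "ip: src->dst:(frag id:size@offset+)" lines the manual describes,
# groups them by fragment id, and reports what the first-fragment NFS
# line hides: the real payload length, holes in the offset space, and
# overlapping fragments.  SAMPLE is constructed after the manual's
# example; ids 4c05 and 4c06 are invented to show a hole and an overlap.
import re
from collections import defaultdict

FRAG_RE = re.compile(
    r"ip:\s+(?P<src>\S+?)->(?P<dst>\S+?):?\(frag\s+"
    r"(?P<id>[0-9a-fA-F]+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

SAMPLE = """\
08:52:12.40
     ip: mc->oj:(frag 4c04:1480@0+)
     udp: nfs->1019
     nfs: 1f0e: reply ok 1472
     ip: mc->oj:(frag 4c04:1480@1480+)
     ip: mc->oj:(frag 4c04:1480@2960+)
     ip: mc->oj:(frag 4c04:1480@4440+)
     ip: mc->oj:(frag 4c04:1480@5920+)
     ip: mc->oj:(frag 4c04:900@7400)
     ip: mc->oj:(frag 4c05:1480@0+)
     ip: mc->oj:(frag 4c05:1480@2960+)
     ip: mc->oj:(frag 4c05:200@4440)
     ip: mc->oj:(frag 4c06:1480@0+)
     ip: mc->oj:(frag 4c06:1480@1000+)
     ip: mc->oj:(frag 4c06:100@2480)
""".splitlines()

def parse_fragments(lines):
    """Collect (offset, size, more-fragments) per fragment id, in arrival order."""
    groups = defaultdict(list)
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            groups[m["id"]].append((int(m["off"]), int(m["size"]), m["more"] == "+"))
    return dict(groups)

def check_datagram(frags, l4_header_len=8):
    """Walk one datagram's fragments by offset.  Reports the reassembled IP
    payload length, the transport payload (minus the UDP header that only the
    first fragment carries; 8 bytes assumed), the bytes seen on the wire, and
    any holes or overlaps in the offset space."""
    frags = sorted(frags)
    end, on_wire, saw_last = 0, 0, False
    holes, overlaps = [], []
    for off, size, more in frags:
        if off > end:
            holes.append((end, off))                       # nothing seen for [end, off)
        elif off < end:
            overlaps.append((off, min(end, off + size)))   # re-sent or overlapping bytes
        end = max(end, off + size)
        on_wire += size
        saw_last = saw_last or not more
    have_first = bool(frags) and frags[0][0] == 0
    return {
        "reassembled": end,
        "l4_payload": end - l4_header_len if have_first else None,
        "on_wire": on_wire,
        "holes": holes,
        "overlaps": overlaps,
        "complete": have_first and saw_last and not holes,
    }

def audit(lines):
    """Run check_datagram over every fragment id found in a tcpdump listing."""
    return {fid: check_datagram(frags) for fid, frags in parse_fragments(lines).items()}

if __name__ == "__main__":
    for fid, result in audit(SAMPLE).items():
        print(fid, result)
```

       For id 4c04 the audit reports 8292 bytes of UDP payload, not the 1472
       shown on the NFS line.  Overlapping fragments are worth flagging on
       their own: a host's reassembly code decides which copy of the
       overlapped bytes wins, and a packet filter that inspected only the
       first fragment never saw the other one.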

       LLC PACKETS

       The general format of an LLC packet is:
              llc: ssap->dsap; command pf-bit
       Ssap and dsap are the source and destination service access points.
       Command describes the operation. The pf-bit shows the status of the
       poll/final-bit.

       NFS REQUESTS AND REPLIES

       NFS (Network File System) requests and replies are printed as:
              nfs: xid: len op args
              nfs: xid: reply stat len
       Xid is the NFS id of the packet, op specifies the requested
       operation, args contains the arguments for the operation. Stat is the
       status of the reply, len is the length of the NFS packet.  Examples:
     08:52:12.40
          ip: vs->your-host
          udp: 1021->nfs
          nfs: e2766: 136 readdir fh 6.51 8192 bytes @ 0
     08:52:12.45
          ip: your-host->vs
          udp: nfs->1021
          nfs: e2766: reply ok 384
     08:52:12.50
          ip: vs->your-host
          udp: 1021->nfs
          nfs: e2767: 136 lookup fh 6.51 "RCS"

       In the first packet, host vs sends a transaction with id e2766 to
       your-host. The request was 136 bytes, excluding the UDP and IP
       headers.  The operation was a readdir (read directory) on file handle
       (fh) 6.51.  8192 bytes are read, starting at offset 0. Your-host
       replies 'ok' with 384 bytes of data.

       In the third packet, vs asks your-host to lookup the name RCS in
       directory file 6.51. Note that the data printed depends on the
       operation type. The format is intended to be self explanatory if read
       in conjunction with an NFS protocol specification.

       Note that NFS requests are very large and the above won't be printed
       unless snaplen is increased.  Use -s 192 to watch NFS traffic.

       NTP PACKETS

       The general format of an NTP protocol line is:
              ntp: vvers sec mode strat stratum poll ppoll prec pprec
       Vers is the NTP protocol version. Sec is either +1s or -1s, mode
       describes the operation mode.  Stratum contains the stratum level; it
       is printed only if it is among the captured data.  Ppoll is the poll
       value and is printed only if existent.  Pprec describes the precision
       value.

       If the -v option is specified, the distance, dispersion, reference,
       reference time, origin, rec, and xmt values are printed also.

       RIP PACKETS

       RIP output shows the type of the command, the datagram length and the
       arguments in the following format:
              rip: command length args,(vers version)
       Command specifies the purpose of the datagram, length is the datagram
       length, args contains the arguments of command and version is the
       protocol version.  The version is printed only if it is different
       from the default value 1.

       The content of args depends on the specified command.  For req, args
       is empty.  For resp, it contains the address family id (if different
       from IP), the IP address, and the port.  For the command traceon,
       args is equal to the name of the tracefile; for the command traceoff,
       it is empty.  For the commands poll and pollentry, it is also empty.

       SLIP PACKETS

       (N.B.: The following description assumes familiarity with the SLIP
       compression algorithm described in RFC-1144.)

       On SLIP links, a direction indicator ("I" for inbound, "O" for
       outbound), packet type, and compression information are printed out.
       The packet type is printed first.  The three types are ip, utcp, and
       ctcp.  No further link information is printed for ip packets.  For
       TCP packets, the connection identifier is printed following the type.
       If the packet is compressed, its encoded header is printed out.  The
       special cases are printed out as *S+n and *SA+n, where n is the
       amount by which the sequence number (or sequence number and ack) has
       changed.  If it is not a special case, zero or more changes are
       printed.  A change is indicated by U (urgent pointer), W (window), A
       (ack), S (sequence number), and I (packet ID), followed by a delta
       (+n or -n), or a new value (=n).  Finally, the amount of data in the
       packet and compressed header length are printed.

       For example, the following line shows an outbound compressed TCP
       packet, with an implicit connection identifier; the ack has changed
       by 6, the sequence number by 49, and the packet ID by 6; there are 3
       bytes of data and 6 bytes of compressed header:
              slip: O ctcp * A+6 S+49 I+6 3 (6)

       SNAP PACKETS

       The general format of a SNAP protocol line is:
              snap: proto id:protocol
       Protocol specifies the type of the nested protocol.

       SNMP PACKETS

       The general format of a SNMP protocol line is:
              snmp: message(PDU)
       Message specifies the type of the SNMP message and PDU contains the
       protocol data unit of this message (or a part of it, if the
       information is truncated).

       TCP PACKETS

       The general format of a TCP protocol line is:
              tcp: src->dst: flags data-seqno,ack,win,urg options
       Src and dst are the source and destination TCP ports.  Flags
       represents some combination of S (SYN), F (FIN), P (PUSH) or R (RST);
       the default is a period (.).  Data-seqno describes the portion of
       sequence space covered by the data in this packet.  Ack is sequence
       number of the next data expected in the other direction on this
       connection.  Win is the number of bytes of receive buffer space
       available in the other direction on this connection.  Urg indicates
       there is urgent data in the packet.  Options represents tcp options
       enclosed in angle brackets (e.g., <mss 1024>).

       The flags are always present. The other fields depend on the contents
       of the packet's tcp protocol header and are output only if
       appropriate.

       If the -q option is specified only the length of the packet excluding
       the header is printed.  If the -S option is specified, absolute TCP
       sequence numbers are printed. Here are three examples:
              tcp: 1049->telnet: . 2:8(6),ack 9,win 8760
              tcp: 900->printer: P 1:7(6),ack 1,win 7300
              tcp: 900->printer: S 2519755370:2519755372(2),win 0 <mss 1460>

       TELNET PACKETS

       If the telnet packet contains only data, it is indicated by:
              telnet: data
       For example:
              08:52:12.40
                   ip: my-host->your-host
                   tcp: . 5:11(6),ack 21,win 8704
                   telnet: data
       These lines show my-host sending a telnet data packet to your-host.
       If the telnet packet is an acknowledgement for data received, it is
       indicated by:
              telnet: data ack
       If the telnet packet contains a command (IAC control code), the
       command is printed with its parameters. Here are some examples:
              08:52:12.40
                   ip: my-host->your-host
                   tcp: P 1:7(6),ack 1,win 8704
                   telnet:
                       IAC DO TERMINAL TYPE
                       IAC DO NAWS
              08:52:12.44
                   ip: your-host->my-host
                   tcp: P 1:16(15),ack 7,win 8704
                   telnet:
                       IAC WILL TERMINAL TYPE
                       IAC WILL NAWS
                       IAC SB
                       NAWS IS 6e000a
                       IAC SE
              08:52:12.51
                   ip: my-host->your-host
                   tcp: P 7:13(6),ack 16,win 8704
                   telnet:
                       IAC SB
                       TERMINAL TYPE SEND
                       IAC SE
              08:52:12.55
                   ip: your-host->my-host
                   tcp: P 16:27(11),ack 13,win 8704
                   telnet:
                       IAC SB
                       TERMINAL TYPE IS xterm
                       IAC SE
       In the first packet my-host sends the commands DO TERMINAL TYPE and
       DO NAWS to your-host.
       In the second packet your-host confirms the commands to my-host with
       WILL TERMINAL TYPE and WILL NAWS and sends a subnegotiation (begin
       (SB)) about NAWS with NAWS IS 6e000a.  SE indicates the end of
       subnegotiation parameters.
       In the third packet my-host follows up the DO TERMINAL TYPE of the
       first packet with a subnegotiation asking for the terminal type:
       TERMINAL TYPE SEND.
       In the fourth packet your-host answers with the subnegotiation
       parameters for the WILL TERMINAL TYPE of the second packet: TERMINAL
       TYPE IS xterm.

       TFTP PACKETS

       The general format of a TFTP protocol line is:
              tftp: len opcode args
       Len is the length (in bytes) of the captured packet.  Opcode
       specifies the operation: RRQ (read request), WRQ (write request),
       DATA, ACK (Acknowledgment) and ERROR.  The value of args depends on
       the operation.  For RRQ/WRQ it contains the file name; for DATA it
       specifies the block number, for ERROR the error message and in case
       of ACK it is empty. For example, the following packet is a write
       request to a temporary file.
           08:15:12.80
                ip: mine->yours
                udp: 1040->tftp:26
                tftp: 26 WRQ "/tmp/motd1002"

       UDP PACKETS

       The general format of a UDP protocol line is:
              udp: src->dst:length
       Src and dst are the source and destination UDP ports.  Length
       specifies the length (in bytes) of the user data in the packet.

       Some UDP services are recognized (from the source or destination port
       number) and printed by name. Examples:
              udp: 968->somerpc:56
              udp: 632->632:32

EXAMPLES
       To print all packets arriving at or departing from sundown:
              tcpdump 'host sundown'

       To print traffic between your-host and either him or her:
              tcpdump 'host your-host and ( host him or host her )'

       To print all IP packets between him and any host except her:
              tcpdump 'ip host him and not host her'

       To print all ftp traffic through internet gateway gate:
              tcpdump 'gateway gate and (port ftp or port ftp-data)'

       To print traffic neither sourced from nor destined for a host on the
       your-lan LAN (if you gateway to one other net, this should never make
       it onto your local net):
              tcpdump 'ip and not net your-lan'

       To print the start and end packets (the SYN and FIN packets) of each
       TCP conversation that involves a host not on the your-lan LAN:
              tcpdump 'tcp[13] & 3 != 0 and not (src and dst net your-lan)'

       To print IP packets longer than 576 bytes sent through gateway gate:
              tcpdump 'gateway gate and ip[2:2] > 576'

       To print IP broadcast or multicast packets that were not sent via
       Ethernet broadcast or multicast:
              tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

       To print all ICMP packets that are not echo requests/replies (i.e.,
       not ping packets):
              tcpdump 'icmp[0] != 8 and icmp[0] != 0'
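
       The program below is an added example; it is neither part of this
       manual nor tcpdump's filter compiler.  It builds small Ethernet/IP
       frames and evaluates the packet-field filters from the examples above
       by hand, which shows which header byte each index names: ether[0] is
       the group bit of the destination address, ip[2:2] the total length,
       ip[16] the first byte of the destination address, tcp[13] the TCP
       flags, icmp[0] the ICMP type.  It also applies the rule that
       libpcap-based tcpdumps add when tcp[] or icmp[] is indexed, namely
       that only the first fragment of a datagram is examined; whether this
       DG/UX version does the same is not stated in the manual and is an
       assumption here.  All frames are constructed and checksums are left
       zero.

```python
# Added example; not part of the DG/UX tcpdump manual and not tcpdump's
# own filter compiler.  It evaluates the packet-field filters from the
# EXAMPLES section by hand (ether[0] & 1, ip[2:2], ip[16], tcp[13] & 3,
# icmp[0]) on frames built here, so the header offset behind each filter
# can be checked.  It also applies the first-fragment rule libpcap-based
# tcpdumps use for tcp[]/icmp[] indexing (assumed, not stated in the DG/UX
# manual).  All frames are constructed; checksums are left zero because
# nothing here verifies them.
import struct

ETH_LEN = 14

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):
    return bytes(int(o) for o in s.split("."))

def ether_frame(dst, src, payload, ethertype=0x0800):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ip_packet(src, dst, proto, payload, ident=0x4c04, frag_off=0, more=False, ttl=64):
    """Minimal IPv4 header without options; frag_off is in bytes, as tcpdump prints it."""
    flags_frag = (0x2000 if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, ip4(src), ip4(dst))
    return hdr + payload

def tcp_segment(sport, dport, seq, ack, flags, win, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0) + payload

def icmp_message(mtype, code):
    return struct.pack("!BBHI", mtype, code, 0, 0)

# Accessors with the meaning of ether[i:n], ip[i:n] and tcp[i:n] / icmp[i:n].
def ether_b(f, i, n=1):
    return int.from_bytes(f[i:i + n], "big")

def is_ip(f):
    return ether_b(f, 12, 2) == 0x0800

def ip_b(f, i, n=1):
    return int.from_bytes(f[ETH_LEN + i:ETH_LEN + i + n], "big")

def l4_b(f, i, n=1):
    off = ETH_LEN + (ip_b(f, 0) & 0x0F) * 4          # skip the IP header (IHL words)
    return int.from_bytes(f[off + i:off + i + n], "big")

def first_fragment(f):
    return (ip_b(f, 6, 2) & 0x1FFF) == 0              # fragment offset field is zero

def tcp_syn_or_fin(f):                    # 'tcp[13] & 3 != 0'
    return is_ip(f) and ip_b(f, 9) == 6 and first_fragment(f) and (l4_b(f, 13) & 3) != 0

def ip_longer_than_576(f):                # 'ip[2:2] > 576'
    return is_ip(f) and ip_b(f, 2, 2) > 576

def ip_mcast_without_ether_mcast(f):      # 'ether[0] & 1 = 0 and ip[16] >= 224'
    return is_ip(f) and (ether_b(f, 0) & 1) == 0 and ip_b(f, 16) >= 224

def icmp_not_ping(f):                     # 'icmp[0] != 8 and icmp[0] != 0'
    return is_ip(f) and ip_b(f, 9) == 1 and first_fragment(f) and l4_b(f, 0) not in (8, 0)

FILTERS = {"syn-or-fin": tcp_syn_or_fin, "ip>576": ip_longer_than_576,
           "ip-mcast-no-ether-mcast": ip_mcast_without_ether_mcast,
           "icmp-not-ping": icmp_not_ping}

def matching(f):
    """Names of the filters a frame would satisfy."""
    return [name for name, pred in FILTERS.items() if pred(f)]

UNICAST, SRC = "00:00:0c:01:02:03", "08:00:20:aa:bb:cc"
FRAMES = {
    "syn": ether_frame(UNICAST, SRC, ip_packet("10.0.0.1", "10.0.0.2", 6,
                       tcp_segment(1049, 23, 2519755370, 0, 0x02, 0))),
    "ack": ether_frame(UNICAST, SRC, ip_packet("10.0.0.1", "10.0.0.2", 6,
                       tcp_segment(1049, 23, 2519755372, 9, 0x10, 8760))),
    # second fragment of a TCP datagram whose payload byte 13 looks like SYN
    "syn-frag2": ether_frame(UNICAST, SRC, ip_packet("10.0.0.1", "10.0.0.2", 6,
                             b"\x02" * 20, frag_off=1480)),
    "big-udp": ether_frame(UNICAST, SRC, ip_packet("10.0.0.1", "10.0.0.2", 17, b"\x00" * 700)),
    "rip-unicast-mac": ether_frame(UNICAST, SRC,
                                   ip_packet("10.0.0.1", "224.0.0.9", 17, b"\x00" * 8)),
    "rip-mcast-mac": ether_frame("01:00:5e:00:00:09", SRC,
                                 ip_packet("10.0.0.1", "224.0.0.9", 17, b"\x00" * 8)),
    "unreach": ether_frame(UNICAST, SRC, ip_packet("10.0.0.2", "10.0.0.1", 1, icmp_message(3, 3))),
    "echo": ether_frame(UNICAST, SRC, ip_packet("10.0.0.1", "10.0.0.2", 1, icmp_message(8, 0))),
}
```

       The "syn-frag2" frame is the case to remember: a non-first fragment
       whose bytes happen to carry the SYN bit at offset 13 does not match
       'tcp[13] & 3 != 0', so these filters cannot be relied on to show
       every SYN or FIN of a connection that has been fragmented.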

FILE
       /usr/etc/tcpdump.d/pf   Default protocol file

SEE ALSO
       nfc(1), bpf(4).

BUGS
       A packet trace that crosses a daylight savings time change will give
       skewed time stamps (the time change is ignored).


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026