tcpdump(1M) DG/UX R4.11 tcpdump(1M)
NAME
tcpdump - dump traffic seen on a network
SYNOPSIS
tcpdump [ -aeflnNOpqStvx ] [ -B protocol ] [ -c count ]
        [ -d dump-info[,root-protocol] ] [ -E protocol ] [ -F exprfile ]
        [ -H htbl-elems ] [ -i interface ] [ -M mtbl-elems ]
        [ -R output-fmt ] [ -r readfile ] [ -s snaplen ]
        [ -w writefile ] [ filter expression ]
where:
protocol Protocol name: ether, fddi, tr (Token Ring), slip, llc,
snap, ip, tcp, telnet, udp, arp, rarp, icmp, tftp, igmp,
nfs, snmp, ntp, talk (AppleTalk), bootp, domain (domain
name system), or rip
count Number of packets to dump
dump-info bpf, binarybpf, command, expr, ifl, proto, ptree, pdefs,
or pdeps
root-protocol
Lowest level protocol for which dump information is
requested
exprfile Name of input file containing boolean expression
htbl-elems Maximum number of host table elements
interface Name of interface
mtbl-elems Maximum number of matrix table elements
output-fmt Raw output format: c, d, o, or x
readfile Name of file from which to read packets
snaplen Maximum number of bytes to read from each packet; default
= 68
writefile Name of file to which to write packets
filter expression
A boolean expression that selects which packets will be
dumped: a combination of protocol names, modifying
commands, and packet field specifiers (see Expressions
under DESCRIPTION). By default, all packets are dumped.
DESCRIPTION
Tcpdump prints network packets or portions of packets that match a
boolean expression. By default, all recognized protocol headers are
printed. Access is controlled by the permissions on /dev/bpf0. If
this file does not exist, you may invoke sysadm newdgux, add bpf() to
the system file, build a new kernel, and reboot your system.
Tcpdump obtains all protocol-specific information from a text file
called the protocol file, thereby making tcpdump easily extensible.
Options
-a Print the host and/or matrix table using hardware addresses, not
host names.
-B Begin printing of each packet at the protocol level. No packet
information lower on the protocol stack is printed. If no
boolean expression is specified, protocol is implied.
-c Exit after receiving count packets.
-d Dump the information specified by dump-info:
bpf the BPF code corresponding to filter expression in
ascii format. If a root-protocol is specified, the
lowest level protocol is assumed to be root-protocol;
otherwise, the lowest level protocol is determined by
the type of interface.
binarybpf
the BPF code corresponding to filter expression in
binary format. If a root-protocol is specified, the
lowest level protocol is assumed to be root-protocol;
otherwise, the lowest level protocol is determined by
the type of interface.
command
all commands in the protocol file, grouped by the
associated protocol. If a root-protocol is specified,
it has no effect.
expr the expanded boolean expression corresponding to
filter expression (this is useful for locating a parse
error in the expression). If a root-protocol is
specified, the lowest level protocol is assumed to be
root-protocol; otherwise, the lowest level protocol is
determined by the type of interface.
ifl the list of interfaces which may be attached to by
specifying the -i option. If a root-protocol is
specified, it has no effect. If the -q option is
specified, no header information is printed.
proto all protocol names referenced in the protocol file.
If a root-protocol is specified, it has no effect.
ptree all protocol names in the protocol file in a format
that shows which protocols are nested inside of which
protocols. If a root-protocol is specified, the
lowest level protocol is assumed to be root-protocol;
otherwise, the lowest level protocol is determined by
the type of interface.
pdefs all protocols defined in the protocol file. If a
root-protocol is specified, it has no effect.
pdeps all dependent protocols, i.e., referenced but not
defined, in the protocol file. If a root-protocol is
specified, it has no effect.
tcpdump exits after the required information has been printed.
-e Print the lowest-level header on each dump line; by default, the
lowest-level header (e.g. Ethernet header) is not printed.
-E End printing of each packet at the protocol level. No packet
information higher on the protocol stack is printed unless the
-R or -x options are specified.
-f Print 'foreign' internet addresses (those not on the same
network or subnetwork) numerically rather than symbolically.
-F Use file as input for the boolean expression. An additional
boolean expression given on the command line is ignored.
-H Keep a list of up to htbl-elems number of host table elements,
and print the host table when tcpdump terminates. This option
has no effect if the -r option is specified or if the type of
interface over which tcpdump is listening is not Ethernet.
-i Listen on interface. If unspecified, tcpdump searches the
system's interfaces for the lowest numbered interface (excluding
loopback) configured into the kernel. Ties are broken by
choosing the earliest match. This option has no effect if the
-r option is specified.
-l Buffer each standard output line. This is useful if you want to
see the data while capturing it; e.g., tcpdump -l | tee dat
or tcpdump -l > dat & tail -f dat.
-M Keep a list of up to mtbl-elems number of matrix table elements,
and print the matrix table when tcpdump terminates. This option
has no effect if the -r option is specified or if the type of
interface over which tcpdump is listening is not Ethernet.
-n Don't convert addresses (i.e., host addresses, port numbers,
etc.) to names.
-N Don't print domain name qualification of host names. E.g., if
you give this flag then tcpdump prints nic instead of
nic.ddn.mil.
-O Do not run the packet-matching code optimizer. This is useful
only if you suspect a bug in the optimizer.
-p Don't put the interface into promiscuous mode. Promiscuous mode
makes tcpdump see all packets, not just those originating from
or destined to the local host. Note that the interface may have
been set to promiscuous mode by another process (e.g. another
instance of tcpdump); hence, -p may not serve as an abbreviation
for host localhost or broadcast.
-q Produce quiet output, printing less protocol information so
output lines are shorter.
-r Read packets from file (which was created with the -w option).
Standard input is used if file is -.
-R Specify the raw output format. For each packet received, print
the remainder of the captured packet (i.e. the portion of the
captured packet not printed in a formatted manner) in character
(c), decimal (d), octal (o), or hexadecimal (x) format. For
example, tcpdump -Etcp -Ro prints all tcp packets; formatted
printing stops at the tcp level and the remainder of the
captured packet is printed in octal. In character output mode,
the null byte is printed as ' ' while all other non-printable
characters are printed in octal. Offsets (in the left-most
column) are always printed in decimal. Note that the -x option
has the same effect as -Rx.
-s Capture snaplen bytes of data from each packet. The default, 68
bytes, is adequate for IP, ICMP, TCP and UDP but may truncate
protocol information from name server and NFS packets (see
below). Packets truncated because of a limited snapshot are
indicated in the output with [|proto], where proto is the name
of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases the amount of
time it takes to process packets and, effectively, decreases the
amount of packet buffering. This may cause packets to be lost.
You should limit snaplen to the smallest number that will
capture the protocol information you're interested in.
-S Print absolute, rather than relative, TCP sequence numbers.
-t Don't print a timestamp on each dump line.
-tt Print an unformatted timestamp on each dump line.
-v Produce verbose output. For example, the time to live and type
of service information in an IP packet is printed.
-w Write the raw packets to file rather than parsing and printing
them out. They can later be printed with the -r option.
Standard output is used if file is -.
-x Print nonformatted output in hexadecimal format. For each
packet received, print the remainder of the captured packet,
i.e. after the last byte which is printed in a formatted manner,
in hex. Note that -x has the same effect as -Rx.
Boolean Expressions
You can select which packets will be dumped by specifying a boolean
expression consisting of one or more of the following:
protocol says to print protocol type packets. Any protocol name
is a valid boolean expression. For example, tcpdump
telnet prints all TELNET packets.
Because tcpdump obtains all protocol-specific information
from the protocol file (so that new protocols can be
easily added by the user), an up-to-date list of
protocols can be obtained as follows:
tcpdump -d proto
command is a quick way to specify additional characteristics
(i.e. in addition to a protocol name) of the packets
you want tcpdump to print. For example,
tcpdump src host your-host
prints all IP packets whose source IP address is the
host, your-host. The command name in this case is src
host and the argument is your-host. Arguments of a
command can also be placed inside parentheses and
separated by commas. For example,
tcpdump 'src host (your-host)'
is equivalent to the previous command line.
Each command, except global commands, implies a
particular protocol. In the example above, the
command, src host, implies the IP protocol. In fact,
tcpdump src host your-host
is equivalent to
tcpdump ip src host your-host
Each command is described in the COMMANDS section of
this man page. Since new commands can be added to
tcpdump's protocol file, an up-to-date list of commands
grouped according to their implied protocol can be
obtained as follows:
tcpdump -d command
Global commands do not imply a protocol. An additional
protocol or command may be required. For example,
tcpdump -c 10 trigger llc
prints the first 10 packets seen beginning with an llc
packet. In this example, trigger is the command and
llc is the protocol specifier.
fieldspec specifies arbitrary fields of a packet. The basic
syntax is [offset[:size]], where offset is the offset
in bytes into the packet and size is the size of the
field in bytes (1, 2, or 4 bytes). If you omit :size, a
value of 1 is assumed.
You can build more complex boolean expressions by using
additional operators. The allowable relational
operators are: ==, !=, <=, >=, <, and >.
The set of bit-wise operators are: &, |, <<, and >>.
The arithmetic operators are: +, -, *, and /.
The boolean operators are: and, or, and ! (not).
For example, tcpdump '[12:2]<=1500' prints all packets
whose 2-byte field at offset 12 is less than or equal
to 1500, and tcpdump 'nfs[1:1]&0x0f==0x0f' prints all
NFS packets such that the least significant four bits
of the first byte of the NFS packet header are all
ones. In general, an arbitrary field of a protocol
header can be referenced by following the protocol name
with the syntax described above.
Integer constants can be in hexadecimal by using a
leading 0x (e.g., 0xff), octal by using a leading 0
(e.g., 0777), or decimal by using a leading 1 through 9
(e.g., 123).
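As an added example (not code from DG/UX tcpdump), the following Python evaluates fieldspec expressions of the kind shown above against a constructed Ethernet/IP/UDP/NFS frame. It covers only fieldspecs, integer constants and the listed operators, not protocol names or commands; big-endian fields, offsets counted from the start of the named protocol's header, and the operator precedence in LEVELS are assumptions, since the man page states none of them.

```python
# Evaluator for the [offset[:size]] fieldspec expressions described above; an
# added example, not DG/UX tcpdump's own code. Assumed: big-endian fields, offsets
# counted from the named protocol's header, and the precedence given by LEVELS.
import operator as o
import re
import struct

TOKEN_RE = re.compile(r"""\s*(?:(?P<kw>and|or|not)\b
  | (?P<name>[A-Za-z_]\w*)?\[(?P<off>\d+)(?::(?P<size>[124]))?\]
  | (?P<num>0[xX][0-9a-fA-F]+|\d+)
  | (?P<op><<|>>|==|!=|<=|>=|[<>&|+\-*/!()]))""", re.VERBOSE)
BINOPS = {"*": o.mul, "/": o.floordiv, "+": o.add, "-": o.sub,
          "<<": o.lshift, ">>": o.rshift, "&": o.and_, "|": o.or_,
          "==": o.eq, "!=": o.ne, "<=": o.le, ">=": o.ge, "<": o.lt,
          ">": o.gt, "and": lambda a, b: bool(a) and bool(b),
          "or": lambda a, b: bool(a) or bool(b)}
LEVELS = [("*", "/"), ("+", "-"), ("<<", ">>"), ("&", "|"),  # tightest first
          ("==", "!=", "<=", ">=", "<", ">"), ("and",), ("or",)]  # 4 = relational

class Truncated(Exception): pass  # field beyond the captured bytes ([|proto])

def parse_int(text):  # 0x.. is hex, a leading 0 is octal, otherwise decimal
    hexa, octal = text[:2].lower() == "0x", len(text) > 1 and text[0] == "0"
    return int(text, 16 if hexa else 8 if octal else 10)

def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot parse {expr[pos:]!r}")
        pos, g = m.end(), m.groupdict()
        if g["num"]:
            tokens.append(("num", parse_int(g["num"])))
        elif g["off"] is not None:  # fieldspec, maybe with a protocol name
            tokens.append(("field", (g["name"], int(g["off"]), int(g["size"] or 1))))
        else:  # operator or keyword
            tokens.append(("op", g["kw"] or g["op"]))
    return tokens

class Parser:  # recursive descent over the token list, evaluating as it parses
    def __init__(self, tokens, pkt, layers):
        self.toks, self.i, self.pkt, self.layers = tokens, 0, pkt, layers

    def accept(self, *symbols):
        tok = self.toks[self.i] if self.i < len(self.toks) else None
        if tok and tok[0] == "op" and tok[1] in symbols:
            self.i += 1
            return tok[1]
        return None

    def level(self, n):  # binary operators of LEVELS[n]; tighter ones below
        if n < 0:
            return self.primary()
        v = self.level(n - 1)
        while (op := self.accept(*LEVELS[n])) is not None:
            v = BINOPS[op](v, self.level(n - 1))
        return v

    def primary(self):
        if self.accept("!", "not"):  # assumed to negate the comparison after it
            return not self.level(4)
        if self.accept("("):
            v = self.level(len(LEVELS) - 1)
            if not self.accept(")"):
                raise ValueError("missing )")
            return v
        kind, val = self.toks[self.i] if self.i < len(self.toks) else ("end", "")
        self.i += 1
        if kind == "num":
            return val
        if kind == "field":
            return self.field(*val)
        raise ValueError(f"unexpected {kind} {val!r}")

    def field(self, proto, off, size):
        # Offsets count from the named header, or from byte 0 when no name is given.
        base = self.layers[proto] if proto else 0
        chunk = self.pkt[base + off:base + off + size]
        if len(chunk) < size:
            raise Truncated(proto or "packet")
        return int.from_bytes(chunk, "big")

def matches(expr, pkt, layers):
    # A field past the captured bytes never matches, as with too small a snaplen.
    p = Parser(tokenize(expr), pkt, layers)
    try:
        result = p.level(len(LEVELS) - 1)
    except Truncated:
        return False
    if p.i != len(p.toks):
        raise ValueError("trailing input after expression")
    return bool(result)

def build_nfs_frame(xid):  # constructed Ethernet II / IP / UDP / RPC frame
    payload = struct.pack(">I", xid) + bytes(4)  # RPC xid, then message type
    udp = struct.pack(">HHHH", 1021, 2049, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x4c04, 0, 64,
                     17, 0, bytes([111, 222, 3, 4]), bytes([111, 222, 3, 5]))
    return bytes.fromhex("01023a4b056d01023a4b056c0800") + ip + udp

LAYERS = {"ether": 0, "ip": 14, "udp": 34, "nfs": 42}  # header offsets above
NFS_FRAME = build_nfs_frame(0x000F2766)
# Constructed 802.3 frame: bytes 12-13 hold a length (60), not a type.
LLC_FRAME = bytes.fromhex("ffffffffffff01023a4b056c003c") + bytes(60)
```

On the Ethernet II sample, '[12:2]<=1500' is false because bytes 12-13 hold the type 0x0800, while the same test is true on the 802.3 sample whose bytes 12-13 hold a length.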
Addresses
IP addresses are recognized in the format a.b.c.d, where a, b, c, and
d are decimal integers. For example, tcpdump 'src 111.222.3.4'
prints all packets whose source IP address is 111.222.3.4.
Ethernet addresses are recognized in the format x:x:x:x:x:x, where x
represents a single- or double-digit hexadecimal value. For example,
tcpdump 'esrc 1:2:3a:4b:5:6c' prints all packets whose source
Ethernet address is 1:2:3a:4b:5:6c.
Commands
Commands are a convenient way to specify additional characteristics
(i.e. in addition to a protocol name) of the packets you want tcpdump
to print. All commands, except global commands, are associated with
a particular protocol; therefore, these commands are grouped
according to the protocol to which they are associated. Since new
commands can be added to the protocol file, an up-to-date list of
commands can be obtained as follows:
tcpdump -d command
GLOBAL COMMANDS
trigger condition
Begin printing packets only when a packet is seen for which
condition is true. For example,
tcpdump -c50 'trigger(nfs[1]==10)' prints 50 packets beginning
with an NFS packet in which the first byte of the NFS header
is 10.
true Print all packets. This is the default.
false Print no packets. This is useful if you want to gather host
table information using the -H option or matrix table
information using the -M option, but you don't want to print
any individual packets.
not condition
This is the same as ! condition. This is often useful to
avoid having to escape the ! character while using the C
shell. For example,
tcpdump 'not telnet'
is equivalent to
tcpdump '\!telnet'
in the C shell.
less length
Print only packets with length less than or equal to length.
greater length
Print only packets with length greater than or equal to
length.
ETHERNET COMMANDS
Each command in this section is valid only when listening on an
Ethernet type interface.
eproto protocol-name-or-number
Print only Ethernet packets with a type field equal to
protocol-name-or-number. The protocol names which are
recognized are arp, rarp, ip, and llc.
esrc|{src ehost} hostname-or-ethernet-address
Print only Ethernet packets from hostname-or-ethernet-address.
If the argument is a hostname, /etc/ethers is searched for the
Ethernet address; otherwise, the Ethernet address should be in
the form, x:x:x:x:x:x, where x is a single or double digit hex
value. For example,
tcpdump 'esrc your-host'
prints all packets whose source Ethernet address is your-host,
and
tcpdump 'esrc 1:2:3a:4b:5:6c'
prints all packets whose source Ethernet address is
1:2:3a:4b:5:6c.
edst|{dst ehost} hostname-or-ethernet-address
Same as esrc, except this is the destination instead of the
source address.
ehost|{esrc or edst}|{edst or esrc} hostname-or-ethernet-address
Print all packets whose source or destination Ethernet address
equals hostname-or-ethernet-address.
broadcast
Print all Ethernet broadcast packets.
gateway hostname
Print all packets which use host as a gateway; i.e., the
Ethernet source or destination address was host but neither
the IP source nor the IP destination was host. Host must be a
name found in both /etc/hosts and /etc/ethers. An equivalent
expression is
ehost etherhost and not host iphost
which can be used with either names or numbers for etherhost /
iphost.
IP COMMANDS
src [host] hostname-or-ip-address
Print all packets with a source IP address of
hostname-or-ip-address. If a hostname is specified, it must be found in
/etc/hosts; an IP address must be specified with the notation,
a.b.c.d, where a, b, c, and d are decimal values. For
example, tcpdump 'src your-host' prints all IP packets
containing a source IP address of your-host, and tcpdump 'src
111.222.3.4' prints all IP packets containing a source IP
address of 111.222.3.4.
dst [host] hostname-or-ip-address
Same as src, except this is the destination instead of the
source address.
host|{src or dst}|{dst or src} hostname-or-ip-address
Print packets matching either src or dst, i.e., whose source or
destination IP address is hostname-or-ip-address.
src port portname-or-portnum
Print IP packets whose TCP and/or UDP source port equals
portname-or-portnum. A portname must be found in
/etc/services. If a portname corresponds to both a tcp and a
udp port, this command is equivalent to:
tcp src port portname-or-portnum or udp src port portname-or-portnum
If a portname corresponds to a tcp port but not a udp port,
this command is equivalent to:
tcp src port portname-or-portnum
If a portname corresponds to a udp port but not a tcp port,
this command is equivalent to:
udp src port portname-or-portnum
A port number implies that both tcp and udp packets with the
appropriate port value will be printed.
dst port portname-or-portnum
Same as src port portname-or-portnum, except look at the
destination instead of the source port value.
port portname-or-portnum
Same as src port portname-or-portnum or dst port portname-or-portnum.
proto protocol-name-or-number
Print only IP packets with a type field equal to
protocol-name-or-number. Recognized protocol names are icmp, tcp, and
udp.
dst net net
Print only IP packets with the network net in their
destination address, where net is a network name or address.
src net net
Print only IP packets with the network net in their source
address, where net is a network name or address.
net net
Print only IP packets with the network number net in their
source or destination address; net is a network name or
address.
TCP AND UDP COMMANDS
The commands listed below pertain to TCP or UDP packets, depending on
which kind of packets are being dumped.
src port portname-or-portnum
Print TCP or UDP packets whose source port equals
portname-or-portnum. A portname must be found in /etc/services as a TCP
or UDP service.
dst port portname-or-portnum
Print TCP or UDP packets whose destination port equals
portname-or-portnum. A portname must be found in
/etc/services as a TCP or UDP service.
port portname-or-portnum
Print TCP or UDP packets whose source or destination port
equals portname-or-portnum. A portname must be found in
/etc/services as a TCP or UDP service.
Output Format
By default, all output lines are preceded by a timestamp. The
timestamp is the current clock time in the form
hh:mm:ss.frac
and is as accurate as the kernel's clock. The timestamp reflects the
time the kernel first saw the packet. No attempt is made to account
for the time lag between when the hardware interface removed the
packet from the wire and when the kernel serviced the 'new packet'
interrupt.
All header output is protocol dependent. The following gives a brief
description and examples for each protocol. The names enclosed in
angle brackets are always variable names.
ARP/RARP PACKETS
ARP/RARP output shows the type of request and its arguments. The
format is intended to be self explanatory. Here is a short sample:
arp: who-has ham tell spam
arp: reply ham is-at HAM
The first line says that spam sent an arp packet asking for the
Ethernet address of internet host ham. Spam replies with its
Ethernet address (in this example, Ethernet addresses are in caps and
internet addresses in lower case).
This would look less redundant if we had done tcpdump -n:
arp: who-has 111.222.3.4 tell 111.222.3.5
arp: reply 111.222.3.4 is-at 1:2:3a:4b:5:6c
If we had done tcpdump -e on an Ethernet interface, the fact that the
first packet is broadcast and the second is point-to-point would be
visible:
08:15:12.80
ether: MY-HOST->Broadcast,arp,64
arp: who-has your-host tell my-host
08:15:12.90
ether: YOUR-HOST->MY-HOST,arp,64
arp: reply your-host is-at YOUR-HOST
If the lowest level protocol is not the ethernet protocol, the format
of the ARP protocol line is:
arp: oper for proto #protocol (plen) hardware hardw (hlen)
Oper specifies the operation; protocol is the protocol type; plen is
the length of the protocol address. Hardw specifies the hardware
type (1 for Ethernet) and hlen the length of the hardware address.
KIP APPLETALK (DDP IN UDP)
AppleTalk DDP packets encapsulated in UDP datagrams are
de-encapsulated and dumped as DDP packets. The file /etc/atalk.names
(if it exists) is used to translate AppleTalk net and node numbers to
names. Lines in this file have the form
number name
1.254 ether
16.1 your-net
1.254.110 ace
The first two lines give the names of AppleTalk networks. The third
line gives the name of a particular host (a host number has three
octets, a net number has two octets). The number and name should be
separated by spaces or tabs. The /etc/atalk.names file may contain
blank lines or comment lines (lines starting with a #).
AppleTalk addresses are printed in the form
net.host.port
The general format of tcpdump output for AppleTalk addresses is:
talk: srcnet.srchost.srcport->dstnet.dsthost.dstport
(If /etc/atalk.names doesn't exist or doesn't contain an entry for
some AppleTalk host/net number, addresses are printed in numeric
form.)
Examples:
talk: 111.22.33.4->your-net.112.220
talk: office.2->your-net.112.220
talk: my-net.149.235->your-net.2
In the first example, NBP (DDP port 4) on net 111.22 node 33 is
sending to whatever is listening on port 220 of net your-net node
112. The second line is the same except the full name of the source
node is known ('office'). The third line is a send from port 235 on
net my-net node 149 to broadcast on the your-net NBP port. Note that
the broadcast address (255) is indicated by a net name with no host
number. For this reason, it's a good idea to keep node names and net
names distinct in /etc/atalk.names.
NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
packets have their contents interpreted. Other protocols just dump
the protocol name (or number if no name is registered for the
protocol) and packet size.
NBP packets are formatted like the following examples:
talk: your-net.112.220->my-net.2: nbp-lkup 190: "=:LaserWriter@*"
talk: my-net.209.2->your-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
talk: techpit.2->your-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
The first line is a name lookup request for laserwriters sent by net
your-net host 112 and broadcast on net my-net. The nbp id for the
lookup is 190. The second line shows a reply for this request (note
that it has the same id) from host my-net.209 saying that it has a
laserwriter resource named "RM1140" registered on port 250. The
third line is another reply to the same request saying host techpit
has laserwriter "techpit" registered on port 186.
ATP packets are formatted like the following example:
talk: my-net.209.165->your-host.132: atp-req 12266<0-7> 0xae030001
talk: your-host.132->my-net.209.165: atp-resp 12266:0 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:1 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:2 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:3 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:4 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:5 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:6 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp*12266:7 (512) 0xae040000
talk: my-net.209.165->your-host.132: atp-req 12266<3,5> 0xae030001
talk: your-host.132->my-net.209.165: atp-resp 12266:3 (512) 0xae040000
talk: your-host.132->my-net.209.165: atp-resp 12266:6 (512) 0xae040000
talk: my-net.209.165->your-host.132: atp-rel 12266<0-7> 0xae030001
talk: my-net.209.165->your-host.132: atp-req* 12267<0-7> 0xae030002
My-net.209 initiates transaction id 12266 with host your-host by
requesting up to 8 packets (the 0-7). The hex number at the end of
the line is the value of the 'userdata' field in the request.
Your-host responds with 8 512-byte packets. The :digit following the
transaction ID gives the packet sequence number in the transaction
and the number in parens is the amount of data in the packet,
excluding the ATP header. The * on packet 7 indicates that the EOM
bit was set.
My-net.209 then requests that packets 3 & 5 be retransmitted.
Your-host resends them, then my-net.209 releases the transaction.
Finally, my-net.209 initiates the next request. The * on the request
indicates that XO ('exactly once') was not set.
BOOTP PACKETS
The general format of a BOOTP protocol line is:
bootp[type,hops:hopsn,xid:xid,secs:sec,C:client,Y:you,S:server,G:gate]
Type is the packet opcode type (either request, reply, or bootp-#op,
where op is the opcode in decimal). Hopsn is the number of gateway
hops, xid is the transaction id (in hex), sec is the number of
seconds since boot began. Client, you, server, and gate describe the
four IP addresses.
If they are captured, the server host name and the boot file name are
printed also. If the interface hardware type is not Ethernet, the
hardware type and the length of the hardware address (in bytes) are
printed after the packet opcode type.
DOMAIN PACKETS
The output for domain packets depends on the type of the message. If
the message is a response, the format of the protocol line is:
domain[IDopcodeRCODEaaRAtc,(qdcountq),ancount/nscount/arcount]
ID is the query identification number. Opcode describes the purpose
of the message; this value is set by the originator of a query and
copied into the response. RCODE is the response code. After these
values three flags follow. Aa is the authoritative answer flag,
specifying that the responding name server is an authority for the
domain name in the question section (= * if true). RA is the
recursion available flag, denoting whether recursive query support is
available in the name server (= - if not). Tc is the truncation
flag, specifying that this message was truncated due to length
greater than that permitted on the transmission channel (= | if
true). Qdcount is the number of entries in the question section
(printed only if not equal to 1). Ancount specifies the number of
resource records in the answer section. Nscount is the number of
name server resource records in the authority records section.
Arcount describes the number of resource records in the additional
records section. If ancount is not zero, the class (IN for Internet)
and the type of the query are printed too, but only if they are
different from IP.
If the message is a request, the format of the protocol line is:
domain[IDopcodeRD,(qdcountq),(ancounta),(nscountn),(arcountau) type(class)]
ID and opcode are the same as above. RD is the recursion desired
flag (= + if true), it directs the name server to pursue the query
recursively. If opcode specifies a query, qdcount is printed only if
it is not zero, and ancount is printed only if it is not 1;
otherwise, ancount is printed only if it is not zero, and qdcount is
printed only if it is not 1. Nscount and arcount are printed only if
they are not zero. Type and class are printed only if they are
different from IP.
ETHERNET PACKETS
For Ethernet packets the source and destination addresses, the nested
protocol type and the packet length are printed. You can define
names for the Ethernet addresses in the /etc/ethers file. If the -q
option is specified, the type will not be printed. Examples:
ether: 1:2:3a:4b:5:6c->1:2:3a:4b:5:6d,ip,60
ether: my-host->your-host,ip,64
ICMP PACKETS
The output for ICMP messages is very simple. It shows the message
and its arguments, if there are any. Here are some examples:
08:52:12.33
ip: my-host->your-host
icmp: echo request
08:52:12.35
ip: your-host->my-host
icmp: echo reply
08:52:12.40
ip: him->her
icmp: him udp port ntp unreachable
The first packet says that my-host sent an icmp 'echo request' to
your-host. Your-host replies to this request with the icmp message
'echo reply'. In the third packet him sends the icmp message 'him
udp port ntp unreachable' to her.
IGMP PACKETS
IGMP output shows the type of the message and its arguments. The
format is intended to be self explanatory. Here are some examples for
each possible type of an IGMP message:
IGMP query:
igmp: query,(gaddr group),(len length),(vvers),(b1=unused)
Group is the group address; it is printed only if it is not equal to
zero. Length specifies the length of the protocol header; it is
printed only if not equal to 8. Vers is the version of the protocol;
it is printed only if not equal to 1. Unused contains the value of
offset 1 in the header; it is printed only if not zero.
IGMP report:
igmp: report group,(len length),(vvers),(b1=unused)
In this case group is always printed.
Default:
igmp: type,(vvers),(b1=unused)
Type describes the type of the igmp message.
IP PACKETS
The general format of an IP protocol line is:
ip: src->dst
Src and dst are the source and destination IP addresses. This is the
output format if the nested protocol is either TCP, UDP or ICMP. In
all other cases, the packet header is printed as:
ip: src->dst:ip-proto-type,length
Type is a numeric value and describes the type of the nested
protocol. Length is the total length of the IP packet excluding the
header length.
A packet with the IP don't fragment flag is marked with a trailing
(DF). If the -v option is used, additional information in the IP
header will be printed as follows:
ip: src->dst;(ttl time,id ident)
Time is the time to live value in seconds. Ident is the
identification of the datagram.
If the datagram header contains an options field, the protocol line
looks like following:
ip: src->dst;(ttl time,id ident,optlen=hlen option)
Hlen is the length of the options field in bytes. Option contains the
value of the option field (EOL, NOP, TS{len}, SECURITY{len}, RR{len},
SSRR, LSRR, IPOPT-op{len}).
Fragmented packets are printed as
ip: src->dst:(frag id:size@offset+)
ip: src->dst:(frag id:size@offset)
(The first form indicates there are more fragments. The second
indicates this is the last fragment.)
Id is the fragment id (in hex). Size is the fragment size (in bytes)
excluding the IP header. Offset is the fragment's offset (in bytes)
in the original datagram.
The fragment information is output for each fragment, but only the
first fragment is followed by the higher level protocol information.
For example, suppose the first fragment is as follows:
ip: mc->oj:(frag 4c04:1480@0+)
udp: nfs->1019
nfs: 1f0e: reply ok 1472
The remaining fragments would then look similar to:
ip: mc->oj:(frag 4c04:1480@1480+)
ip: mc->oj:(frag 4c04:1480@2960+)
ip: mc->oj:(frag 4c04:1480@4440+)
ip: mc->oj:(frag 4c04:1480@5920+)
ip: mc->oj:(frag 4c04:900@7400)
Things to note: The NFS sequence information in the first line is
printed as if there were 1472 bytes of user data when, in fact, there
are 8252 bytes (1472 in the first 5 fragments and 892 in the last).
If you are looking for holes in the sequence space, this can fool
you. Also note that it is possible to avoid fragmentation altogether
by listening on the interface iptop; however, since this interface
cannot be put into promiscuous mode, only local traffic will be
seen.
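Because only the first fragment carries the higher-level protocol line, the fragment lines themselves are the only place to check that a datagram arrived whole. The following Python, an added example rather than DG/UX tcpdump's own code, groups fragment lines by (src, dst, id), sums the IP payload actually covered, and reports holes and overlaps; the sample input is a constructed copy of the fragment example above.

```python
# Checker for the fragment lines described above: groups "ip: src->dst:(frag
# id:size@offset+)" lines by datagram, then reports the total payload seen and
# any holes or overlaps. Added example, not DG/UX tcpdump's own code.
import re
from collections import defaultdict

# Offset and size are decimal, the id is hex; the colon before "(frag" is
# optional so that the first-fragment line is accepted with or without it.
FRAG_RE = re.compile(
    r"ip: (?P<src>\S+?)->(?P<dst>\S+?):?\(frag (?P<id>[0-9a-fA-F]+):"
    r"(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")


def parse_frag(line):
    """Return the fragment fields of one output line, or None if the line
    is not a fragment line (e.g. the udp:/nfs: lines after the first one)."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    return {"key": (m["src"], m["dst"], m["id"].lower()),
            "size": int(m["size"]), "off": int(m["off"]),
            "more": m["more"] == "+"}


def check_fragments(lines):
    """Map (src, dst, id) -> {'total', 'holes', 'overlaps', 'complete'}.

    total    bytes of IP payload covered (IP headers excluded)
    holes    (start, end) byte ranges never seen
    overlaps (start, end) ranges covered by more than one fragment
    complete no holes and the last fragment had no trailing '+'
    """
    groups = defaultdict(list)
    for line in lines:
        frag = parse_frag(line)
        if frag:
            groups[frag["key"]].append(frag)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["off"])
        holes, overlaps, end = [], [], 0
        for f in frags:
            if f["off"] > end:
                holes.append((end, f["off"]))
            elif f["off"] < end:  # this fragment re-covers earlier bytes
                overlaps.append((f["off"], min(end, f["off"] + f["size"])))
            end = max(end, f["off"] + f["size"])
        report[key] = {"total": end, "holes": holes, "overlaps": overlaps,
                       "complete": not holes and not frags[-1]["more"]}
    return report


# Constructed sample copied from the man page's fragment example, including
# the udp/nfs lines that follow only the first fragment.
SAMPLE = """\
ip: mc->oj:(frag 4c04:1480@0+)
udp: nfs->1019
nfs: 1f0e: reply ok 1472
ip: mc->oj:(frag 4c04:1480@1480+)
ip: mc->oj:(frag 4c04:1480@2960+)
ip: mc->oj:(frag 4c04:1480@4440+)
ip: mc->oj:(frag 4c04:1480@5920+)
ip: mc->oj:(frag 4c04:900@7400)
""".splitlines()

if __name__ == "__main__":
    for key, result in check_fragments(SAMPLE).items():
        print(key, result)
```

For the sample the six fragments cover 8300 contiguous bytes of IP payload with no hole; dropping or duplicating a fragment line shows up as a hole or an overlap in the report.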
LLC PACKETS
The general format of an LLC packet is:
llc: ssap->dsap; command pf-bit
Ssap and dsap are the source and destination service access points.
Command describes the operation. The pf-bit shows the status of the
poll/final-bit.
NFS REQUESTS AND REPLIES
NFS (Network File System) requests and replies are printed as:
nfs: xid: len op args
nfs: xid: reply stat len
Xid is the NFS id of the packet, op specifies the requested
operation, args contains the arguments for the operation. Stat is the
status of the reply, len is the length of the NFS packet. Examples:
08:52:12.40
ip: vs->your-host
udp: 1021->nfs
nfs: e2766: 136 readdir fh 6.51 8192 bytes @ 0
08:52:12.45
ip: your-host->vs
udp: nfs->1021
nfs: e2766: reply ok 384
08:52:12.50
ip: vs->your-host
udp: 1021->nfs
nfs: e2767: 136 lookup fh 6.51 "RCS"
In the first packet, host vs sends a transaction with id e2766 to
your-host. The request was 136 bytes, excluding the UDP and IP
headers. The operation was a readdir (read directory) on file handle
(fh) 6.51. 8192 bytes are read, starting at offset 0. Your-host
replies 'ok' with 384 bytes of data.
In the third packet, vs asks your-host to lookup the name RCS in
directory file 6.51. Note that the data printed depends on the
operation type. The format is intended to be self explanatory if read
in conjunction with an NFS protocol specification.
Note that NFS requests are very large and the above won't be printed
unless snaplen is increased. Use -s 192 to watch NFS traffic.
NTP PACKETS
The general format of an NTP protocol line is:
ntp: vvers sec mode strat stratum poll ppoll prec pprec
Vers is the NTP protocol version. Sec is either +1s or -1s, mode
describes the operation mode. Stratum contains the stratum level; it
is printed only if it is among the captured data. Ppoll is the poll
value and is printed only if existent. Pprec describes the precision
value.
If the -v option is specified, the distance, dispersion, reference,
reference time, origin, rec, and xmt values are printed also.
RIP PACKETS
RIP output shows the type of the command, the datagram length and the
arguments in the following format:
rip: command length args,(vers version)
Command specifies the purpose of the datagram, length is the datagram
length, args contains the arguments of command and version is the
protocol version. The version is printed only if it is different
from the default value 1.
The content of args depends on the specified command. For req, args
is empty. For resp, it contains the address family id (if different
from IP), the IP address, and the port. For the command traceon,
args is equal to the name of the tracefile; for the command traceoff,
it is empty. For the commands poll and pollentry, it is also empty.
SLIP PACKETS
(N.B.: The following description assumes familiarity with the SLIP
compression algorithm described in RFC-1144.)
On SLIP links, a direction indicator ("I" for inbound, "O" for
outbound), packet type, and compression information are printed out.
The packet type is printed first. The three types are ip, utcp, and
ctcp. No further link information is printed for ip packets. For
TCP packets, the connection identifier is printed following the type.
If the packet is compressed, its encoded header is printed out. The
special cases are printed out as *S+n and *SA+n, where n is the
amount by which the sequence number (or sequence number and ack) has
changed. If it is not a special case, zero or more changes are
printed. A change is indicated by U (urgent pointer), W (window), A
(ack), S (sequence number), and I (packet ID), followed by a delta
(+n or -n), or a new value (=n). Finally, the amount of data in the
packet and compressed header length are printed.
For example, the following line shows an outbound compressed TCP
packet, with an implicit connection identifier; the ack has changed
by 6, the sequence number by 49, and the packet ID by 6; there are 3
bytes of data and 6 bytes of compressed header:
slip: O ctcp * A+6 S+49 I+6 3 (6)
SNAP PACKETS
The general format of a SNAP protocol line is:
snap: proto id:protocol
Protocol specifies the type of the nested protocol.
SNMP PACKETS
The general format of a SNMP protocol line is:
snmp: message(PDU)
Message specifies the type of the SNMP message and PDU contains the
protocol data unit of this message (or a part of it, if the
information is truncated).
TCP PACKETS
The general format of a TCP protocol line is:
tcp: src->dst: flags data-seqno,ack,win,urg [options]
Src and dst are the source and destination TCP ports. Flags
represents some combination of S (SYN), F (FIN), P (PUSH) or R (RST);
the default is a period (.). Data-seqno describes the portion of
sequence space covered by the data in this packet. Ack is sequence
number of the next data expected in the other direction on this
connection. Win is the number of bytes of receive buffer space
available in the other direction on this connection. Urg indicates
there is urgent data in the packet. Options represents tcp options
enclosed in angle brackets (e.g., <mss 1024>).
The flags are always present. The other fields depend on the contents
of the packet's tcp protocol header and are output only if
appropriate.
If the -q option is specified only the length of the packet excluding
the header is printed. If the -S option is specified, absolute TCP
sequence numbers are printed. Here are three examples:
tcp: 1049->telnet: . 2:8(6),ack 9,win 8760
tcp: 900->printer: P 1:7(6),ack 1,win 7300
tcp: 900->printer: S 2519755370:2519755372(2),win 0 <mss 1460>
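A parser for the tcp: line layout documented above, added here as an illustration (it is not part of the DG/UX tcpdump distribution or this manual page). It splits the three example lines into their fields, checks that the data-seqno field is internally consistent (last minus first equals the parenthesised length), and flags SYN segments that carry no ack field, which is the first packet of a handshake as in the third example; counting those per destination port is the usual starting point for noticing a port scan or SYN flood in a trace. The field names on the dataclass are this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout of the "tcp:" line as documented on this page:
#   tcp: src->dst: flags data-seqno,ack,win,urg options
# Only src, dst and flags are always present; the rest is optional.
TCP_LINE = re.compile(
    r"^tcp:\s+(?P<src>\S+)->(?P<dst>\S+):\s+(?P<flags>[SFPR.]+)(?:\s+(?P<rest>.*))?$"
)
SEQNO = re.compile(r"^(?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\)$")


@dataclass
class TcpLine:
    src: str
    dst: str
    flags: str
    seq_first: Optional[int] = None   # first sequence number covered by the data
    seq_last: Optional[int] = None    # one past the last sequence number covered
    data_len: Optional[int] = None    # bytes of data in this segment
    ack: Optional[int] = None
    win: Optional[int] = None
    urg: Optional[int] = None
    options: List[str] = field(default_factory=list)


def parse_tcp_line(line: str) -> TcpLine:
    """Parse one 'tcp:' output line into its fields."""
    m = TCP_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a tcp: line: {line!r}")
    rec = TcpLine(m["src"], m["dst"], m["flags"])
    rest = m["rest"] or ""
    # Options are the angle-bracketed tail, e.g. "<mss 1460>"; strip them first
    # so that the comma-separated fields can be split safely.
    rec.options = re.findall(r"<([^>]*)>", rest)
    rest = re.sub(r"\s*<[^>]*>", "", rest)
    for part in (p.strip() for p in rest.split(",")):
        if not part:
            continue
        sm = SEQNO.match(part)
        if sm:
            rec.seq_first, rec.seq_last, rec.data_len = (
                int(sm["first"]), int(sm["last"]), int(sm["len"]))
        elif part.startswith("ack "):
            rec.ack = int(part[4:])
        elif part.startswith("win "):
            rec.win = int(part[4:])
        elif part.startswith("urg "):
            rec.urg = int(part[4:])
        else:
            raise ValueError(f"unrecognised field {part!r} in {line!r}")
    return rec


def seqno_consistent(rec: TcpLine) -> bool:
    """The data-seqno field is self-describing: last - first must equal len."""
    if rec.seq_first is None:
        return True
    return rec.seq_last - rec.seq_first == rec.data_len


def is_syn_only(rec: TcpLine) -> bool:
    """A SYN with no ack field is the opening packet of a three-way handshake."""
    return "S" in rec.flags and rec.ack is None


if __name__ == "__main__":
    # The three example lines from the page.
    for text in ("tcp: 1049->telnet: . 2:8(6),ack 9,win 8760",
                 "tcp: 900->printer: P 1:7(6),ack 1,win 7300",
                 "tcp: 900->printer: S 2519755370:2519755372(2),win 0 <mss 1460>"):
        r = parse_tcp_line(text)
        print(r, "consistent" if seqno_consistent(r) else "INCONSISTENT",
              "SYN-only" if is_syn_only(r) else "")
```

Because the parser rejects fields it does not know, a line printed under -q (length only) or with the urg field raises rather than silently returning half a record; extend the branch list if you feed it other output variants.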
TELNET PACKETS
If the telnet packet contains only data, it is indicated by:
telnet: data
For example:
08:52:12.40
ip: my-host->your-host
tcp: . 5:11(6),ack 21,win 8704
telnet: data
This line means that my-host sends a telnet data packet to your-host.
If the telnet packet is an acknowledgement for data received, it is
indicated by:
telnet: data ack
If the telnet packet contains a command (IAC control code), the
command is printed with its parameters. Here are some examples:
08:52:12.40
ip: my-host->your-host
tcp: P 1:7(6),ack 1,win 8704
telnet:
IAC DO TERMINAL TYPE
IAC DO NAWS
08:52:12.44
ip: your-host->my-host
tcp: P 1:16(15),ack 7,win 8704
telnet:
IAC WILL TERMINAL TYPE
IAC WILL NAWS
IAC SB
NAWS IS 6e000a
IAC SE
08:52:12.51
ip: my-host->your-host
tcp: P 7:13(6),ack 16,win 8704
telnet:
IAC SB
TERMINAL TYPE SEND
IAC SE
08:52:12.55
ip: your-host->my-host
tcp: P 16:27(11),ack 13,win 8704
telnet:
IAC SB
TERMINAL TYPE IS xterm
IAC SE
In the first packet my-host sends the commands DO TERMINAL TYPE and
DO NAWS to your-host.
In the second packet your-host confirms the commands to my-host with
WILL TERMINAL TYPE and WILL NAWS and sends a subnegotiation (begin
(SB)) about NAWS with NAWS IS 6e000a. SE indicates the end of
subnegotiation parameters.
In the third packet my-host sends the subnegotiation parameters for the
option it requested in the first example packet (DO TERMINAL TYPE): it
wants to know the terminal type, TERMINAL TYPE SEND.
In the fourth example, your-host answers my-host with the
subnegotiation parameters for the WILL TERMINAL TYPE of the second
example. The answer is: TERMINAL TYPE IS xterm.
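A decoder that turns the raw telnet bytes of a segment into the lines shown under "telnet:" above, added here as an illustration and not part of DG/UX tcpdump. The byte values are the standard ones (RFC 854 commands, option 24 TERMINAL TYPE, option 31 NAWS), and the constructed sample segments have exactly the lengths the four example packets report in their data-seqno fields (6, 15, 6 and 11 bytes). The rendering of subnegotiation data is this example's reading of the page's notation: the leading byte is printed as IS or SEND and the remainder as text when printable, otherwise as hex. That reproduces "NAWS IS 6e000a"; strictly, RFC 1073 defines the NAWS payload as two 16-bit values, so the four bytes 00 6e 00 0a mean 110 columns by 10 rows, and the "IS" is really the high byte of the width.

```python
from typing import List

# Telnet command codes (RFC 854) and the two options used in the page's examples.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_NAMES = {24: "TERMINAL TYPE", 31: "NAWS"}


def opt_name(code: int) -> str:
    return OPT_NAMES.get(code, f"OPTION {code}")


def render_sub(sub: bytes) -> str:
    """Render subnegotiation bytes in the page's style: a leading 0 or 1 byte
    reads as IS / SEND, the rest as text if printable ASCII, else as hex."""
    if not sub:
        return ""
    words = [{0: "IS", 1: "SEND"}.get(sub[0], f"{sub[0]:02x}")]
    rest = sub[1:]
    if rest:
        if all(0x20 <= b < 0x7F for b in rest):
            words.append(rest.decode("ascii"))
        else:
            words.append(rest.hex())
    return " ".join(words)


def decode_telnet(payload: bytes) -> List[str]:
    """Return the lines printed under 'telnet:' for one TCP segment's data."""
    if IAC not in payload:
        return ["data"]                 # no command: a pure data segment
    lines: List[str] = []
    i, saw_data = 0, False
    while i < len(payload):
        if payload[i] != IAC:           # plain data interleaved with commands
            saw_data, i = True, i + 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated IAC sequence")
        cmd = payload[i + 1]
        if cmd in CMD_NAMES:            # IAC <DO|DONT|WILL|WONT> <option>
            if i + 2 >= len(payload):
                raise ValueError("truncated option negotiation")
            lines.append(f"IAC {CMD_NAMES[cmd]} {opt_name(payload[i + 2])}")
            i += 3
        elif cmd == SB:                 # IAC SB <option> <params...> IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("subnegotiation without IAC SE")
            lines.append("IAC SB")
            lines.append(f"{opt_name(payload[i + 2])} "
                         f"{render_sub(payload[i + 3:end])}".rstrip())
            lines.append("IAC SE")
            i = end + 2
        elif cmd == IAC:                # IAC IAC is an escaped 0xff data byte
            saw_data, i = True, i + 2
        else:                           # other two-byte commands (NOP, AYT, ...)
            lines.append(f"IAC {cmd}")
            i += 2
    if saw_data:
        lines.append("data")
    return lines


# Constructed segments matching the four example packets (same byte lengths).
PKT1 = bytes([IAC, DO, 24, IAC, DO, 31])                              # 6 bytes
PKT2 = bytes([IAC, WILL, 24, IAC, WILL, 31,
              IAC, SB, 31, 0x00, 0x6e, 0x00, 0x0a, IAC, SE])          # 15 bytes
PKT3 = bytes([IAC, SB, 24, 1, IAC, SE])                               # 6 bytes
PKT4 = bytes([IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])          # 11 bytes

if __name__ == "__main__":
    for pkt in (PKT1, PKT2, PKT3, PKT4):
        print("telnet:")
        for line in decode_telnet(pkt):
            print("   ", line)
```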
TFTP PACKETS
The general format of a TFTP protocol line is:
tftp: len opcode args
Len is the length (in bytes) of the captured packet. Opcode
specifies the operation: RRQ (read request), WRQ (write request),
DATA, ACK (Acknowledgment) and ERROR. The value of args depends on
the operation. For RRQ/WRQ it contains the file name; for DATA it
specifies the block number, for ERROR the error message and in case
of ACK it is empty. For example, the following packet is a write
request to a temporary file.
08:15:12.80
ip: mine->yours
udp: 1040->tftp:26
tftp: 26 WRQ "/tmp/motd1002"
UDP PACKETS
The general format of a UDP protocol line is:
udp: src->dst:length
Src and dst are the source and destination UDP ports. Length
specifies the length (in bytes) of the user data in the packet.
Some UDP services are recognized (from the source or destination port
number) and printed by name. Examples:
udp: 968->somerpc:56
udp: 632->632:32
EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump 'host sundown'
To print traffic between your-host and either him or her:
tcpdump 'host your-host and ( host him or host her )'
To print all IP packets between him and any host except her:
tcpdump 'ip host him and not host her'
To print all ftp traffic through internet gateway gate:
tcpdump 'gateway gate and (port ftp or port ftp-data)'
To print traffic neither sourced from nor destined for a host on the
your-lan LAN (if you gateway to one other net, this should never make
it onto your local net):
tcpdump ip and not net your-lan
To print the start and end packets (the SYN and FIN packets) of each
TCP conversation that involves a host not on the your-lan LAN:
tcpdump 'tcp[13] & 3 != 0 and not (src and dst net your-lan)'
To print IP packets longer than 576 bytes sent through gateway gate:
tcpdump 'gateway gate and ip[2:2] > 576'
To print IP broadcast or multicast packets that were not sent via
Ethernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
To print all ICMP packets that are not echo requests/replies (i.e.,
not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0'
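The byte-offset filters in the examples above (tcp[13] & 3, ip[2:2], ether[0] & 1, ip[16], icmp[0]) are easy to misread, so here is an added illustration, not part of DG/UX tcpdump, that evaluates the same four tests in Python over constructed Ethernet/IPv4 frames. The accessors reproduce tcpdump's proto[offset:size] indexing (ether from the frame start, ip after the 14-byte Ethernet header, tcp and icmp after IHL*4 bytes of IP header), including the implicit protocol check that tcp[...] and icmp[...] carry in a real filter. The MAC and IP addresses, and the zeroed TCP/ICMP checksums, are constructed sample values.

```python
import struct

ETH_HLEN = 14  # Ethernet II header: dst MAC (6), src MAC (6), ethertype (2)


# ---- accessors with the meaning of tcpdump's proto[offset:size] ----
def ether(f: bytes, off: int, size: int = 1) -> int:
    return int.from_bytes(f[off:off + size], "big")

def is_ip(f: bytes) -> bool:
    return ether(f, 12, 2) == 0x0800

def ip(f: bytes, off: int, size: int = 1) -> int:
    return int.from_bytes(f[ETH_HLEN + off:ETH_HLEN + off + size], "big")

def _l4(f: bytes, off: int, size: int) -> int:
    base = ETH_HLEN + (ip(f, 0) & 0x0F) * 4      # skip IHL*4 bytes of IP header
    return int.from_bytes(f[base + off:base + off + size], "big")

def is_tcp(f: bytes) -> bool:  return is_ip(f) and ip(f, 9) == 6
def is_icmp(f: bytes) -> bool: return is_ip(f) and ip(f, 9) == 1
def tcp(f: bytes, off: int, size: int = 1) -> int:  return _l4(f, off, size)
def icmp(f: bytes, off: int, size: int = 1) -> int: return _l4(f, off, size)


# ---- the page's filter expressions, one function each ----
def syn_or_fin(f: bytes) -> bool:              # 'tcp[13] & 3 != 0'
    return is_tcp(f) and tcp(f, 13) & 3 != 0   # bit 0 = FIN, bit 1 = SYN

def ip_longer_than(f: bytes, n: int = 576) -> bool:   # 'ip[2:2] > 576'
    return is_ip(f) and ip(f, 2, 2) > n         # bytes 2-3 = IP total length

def ip_mcast_not_ether_mcast(f: bytes) -> bool:  # 'ether[0] & 1 = 0 and ip[16] >= 224'
    # ether[0] bit 0 is the group bit of the destination MAC; ip[16] is the
    # first octet of the destination IP, 224-239 multicast, 255 broadcast.
    return is_ip(f) and ether(f, 0) & 1 == 0 and ip(f, 16) >= 224

def icmp_not_ping(f: bytes) -> bool:           # 'icmp[0] != 8 and icmp[0] != 0'
    return is_icmp(f) and icmp(f, 0) != 8 and icmp(f, 0) != 0   # byte 0 = type


# ---- constructed frames (sample values, not captured traffic) ----
def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def tcp_header(sport: int, dport: int, flags: int, win: int = 8760) -> bytes:
    # data offset 5 (20 bytes), checksum left zero: these frames are never sent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, win, 0, 0)

def icmp_header(icmp_type: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0)   # checksum left zero

def frame(dst_mac_hex: str, src: str, dst: str, proto: int, l4: bytes) -> bytes:
    return (bytes.fromhex(dst_mac_hex) + bytes.fromhex("080020112233") + b"\x08\x00"
            + ipv4_header(src, dst, proto, len(l4)) + l4)

UNICAST, MCAST_MAC = "080020aabbcc", "01005e000001"
SYN       = frame(UNICAST,   "10.0.0.1", "10.0.0.2",  6, tcp_header(1049, 23, 0x02))
ACK       = frame(UNICAST,   "10.0.0.1", "10.0.0.2",  6, tcp_header(1049, 23, 0x10))
BIG       = frame(UNICAST,   "10.0.0.1", "10.0.0.2",  6, tcp_header(1049, 23, 0x18) + b"A" * 700)
MCAST_OK  = frame(MCAST_MAC, "10.0.0.1", "224.0.0.1", 1, icmp_header(8))
MCAST_BAD = frame(UNICAST,   "10.0.0.1", "224.0.0.1", 1, icmp_header(8))
UNREACH   = frame(UNICAST,   "10.0.0.2", "10.0.0.1",  1, icmp_header(3))

if __name__ == "__main__":
    for name, f in [("SYN", SYN), ("ACK", ACK), ("BIG", BIG), ("MCAST_OK", MCAST_OK),
                    ("MCAST_BAD", MCAST_BAD), ("UNREACH", UNREACH)]:
        print(f"{name:10} syn_or_fin={syn_or_fin(f)!s:5} long={ip_longer_than(f)!s:5} "
              f"mcast_mismatch={ip_mcast_not_ether_mcast(f)!s:5} icmp_not_ping={icmp_not_ping(f)}")
```

The mismatch filter is worth keeping in a detection toolbox: an IP multicast or broadcast destination inside a unicast Ethernet frame is not something a normal stack produces, so a hit usually means a misconfigured host or hand-crafted packets.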
FILE
/usr/etc/tcpdump.d/pf Default protocol file
SEE ALSO
nfc(1), bpf(4).
BUGS
A packet trace that crosses a daylight savings time change will give
skewed time stamps (the time change is ignored).
Licensed material--property of copyright holder(s)