1 .\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1,v 1.167.2.6 2005/09/05 09:14:37 guy Exp $ (LBL)
3 .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
5 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
6 .\" The Regents of the University of California. All rights reserved.
7 .\" All rights reserved.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that: (1) source code distributions
11 .\" retain the above copyright notice and this paragraph in its entirety, (2)
12 .\" distributions including binary code include the above copyright notice and
13 .\" this paragraph in its entirety in the documentation or other materials
14 .\" provided with the distribution, and (3) all advertising materials mentioning
15 .\" features or use of this software display the following acknowledgement:
16 .\" ``This product includes software developed by the University of California,
17 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 .\" the University nor the names of its contributors may be used to endorse
19 .\" or promote products derived from this software without specific prior
20 .\" written permission.
21 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
27 .TH TCPDUMP 1 "18 April 2005"
29 tcpdump \- dump traffic on a network
34 .B \-AdDeflLnNOpqRStuUvxX
90 .I spi@ipaddr algo:secret,...
115 \fITcpdump\fP prints out the headers of packets on a network interface
116 that match the boolean \fIexpression\fP. It can also be run with the
118 flag, which causes it to save the packet data to a file for later
119 analysis, and/or with the
121 flag, which causes it to read from a saved packet file rather than to
122 read packets from a network interface. In all cases, only packets that
129 will, if not run with the
131 flag, continue capturing packets until it is interrupted by a SIGINT
132 signal (generated, for example, by typing your interrupt character,
133 typically control-C) or a SIGTERM signal (typically generated with the
135 command); if run with the
137 flag, it will capture packets until it is interrupted by a SIGINT or
138 SIGTERM signal or the specified number of packets have been processed.
142 finishes capturing packets, it will report counts of:
144 packets ``captured'' (this is the number of packets that
146 has received and processed);
148 packets ``received by filter'' (the meaning of this depends on the OS on
151 and possibly on the way the OS was configured - if a filter was
152 specified on the command line, on some OSes it counts packets regardless
153 of whether they were matched by the filter expression and, even if they
154 were matched by the filter expression, regardless of whether
156 has read and processed them yet, on other OSes it counts only packets that were
157 matched by the filter expression regardless of whether
159 has read and processed them yet, and on other OSes it counts only
160 packets that were matched by the filter expression and were processed by
163 packets ``dropped by kernel'' (this is the number of packets that were
164 dropped, due to a lack of buffer space, by the packet capture mechanism
167 is running, if the OS reports that information to applications; if not,
168 it will be reported as 0).
170 On platforms that support the SIGINFO signal, such as most BSDs
171 (including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
172 when it receives a SIGINFO signal (generated, for example, by typing
173 your ``status'' character, typically control-T, although on some
174 platforms, such as Mac OS X, the ``status'' character is not set by
175 default, so you must set it with
177 in order to use it) and will continue capturing packets.
179 Reading packets from a network interface may require that you have
182 .B Under SunOS 3.x or 4.x with NIT or BPF:
183 You must have read access to
188 .B Under Solaris with DLPI:
189 You must have read/write access to the network pseudo device, e.g.
191 On at least some versions of Solaris, however, this is not sufficient to
194 to capture in promiscuous mode; on those versions of Solaris, you must
197 must be installed setuid to root, in order to capture in promiscuous
198 mode. Note that, on many (perhaps all) interfaces, if you don't capture
199 in promiscuous mode, you will not see any outgoing packets, so a capture
200 not done in promiscuous mode may not be very useful.
202 .B Under HP-UX with DLPI:
205 must be installed setuid to root.
207 .B Under IRIX with snoop:
210 must be installed setuid to root.
215 must be installed setuid to root (unless your distribution has a kernel
216 that supports capability bits such as CAP_NET_RAW and code to allow
217 those capability bits to be given to particular accounts and to cause
218 those bits to be set on a user's initial processes when they log in, in
219 which case you must have CAP_NET_RAW in order to capture and
220 CAP_NET_ADMIN to enumerate network devices with, for example, the
224 .B Under ULTRIX and Digital UNIX/Tru64 UNIX:
225 Any user may capture network traffic with
227 However, no user (not even the super-user) can capture in promiscuous
228 mode on an interface unless the super-user has enabled promiscuous-mode
229 operation on that interface using
231 and no user (not even the super-user) can capture unicast traffic
232 received by or sent by the machine on an interface unless the super-user
233 has enabled copy-all-mode operation on that interface using
237 packet capture on an interface probably requires that either
238 promiscuous-mode or copy-all-mode operation, or both modes of
239 operation, be enabled on that interface.
241 .B Under BSD (this includes Mac OS X):
242 You must have read access to
244 On BSDs with a devfs (this includes Mac OS X), this might involve more
245 than just having somebody with super-user access setting the ownership
246 or permissions on the BPF devices - it might involve configuring devfs
247 to set the ownership or permissions every time the system is booted,
248 if the system even supports that; if it doesn't support that, you might
249 have to find some other way to make that happen at boot time.
251 Reading a saved packet file doesn't require special privileges.
255 Print each packet (minus its link level header) in ASCII. Handy for
259 Exit after receiving \fIcount\fP packets.
262 Before writing a raw packet to a savefile, check whether the file is
263 currently larger than \fIfile_size\fP and, if so, close the current
264 savefile and open a new one. Savefiles after the first savefile will
265 have the name specified with the
267 flag, with a number after it, starting at 1 and continuing upward.
268 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
269 not 1,048,576 bytes).
272 Dump the compiled packet-matching code in a human readable form to
273 standard output and stop.
276 Dump packet-matching code as a
281 Dump packet-matching code as decimal numbers (preceded with a count).
284 Print the list of the network interfaces available on the system and on
287 can capture packets. For each network interface, a number and an
288 interface name, possibly followed by a text description of the
289 interface, is printed. The interface name or the number can be supplied
292 flag to specify an interface on which to capture.
294 This can be useful on systems that don't have a command to list them
295 (e.g., Windows systems, or UNIX systems lacking
296 .BR "ifconfig \-a" );
297 the number can be useful on Windows 2000 and later systems, where the
298 interface name is a somewhat complex string.
302 flag will not be supported if
304 was built with an older version of
307 .B pcap_findalldevs()
311 Print the link-level header on each dump line.
314 Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
315 are addressed to \fIaddr\fP and contain Security Parameter Index value
316 \fIspi\fP. This combination may be repeated with comma or newline seperation.
318 Note that setting the secret for IPv4 ESP packets is supported at this time.
325 \fBcast128-cbc\fP, or
327 The default is \fBdes-cbc\fP.
328 The ability to decrypt packets is only present if \fItcpdump\fP was compiled
329 with cryptography enabled.
331 \fIsecret\fP is the ASCII text for ESP secret key.
332 If preceeded by 0x, then a hex value will be read.
334 The option assumes RFC2406 ESP, not RFC1827 ESP.
335 The option is only for debugging purposes, and
336 the use of this option with a true `secret' key is discouraged.
337 By presenting IPsec secret key onto command line
338 you make it visible to others, via
342 In addition to the above syntax, the syntax \fIfile name\fP may be used
343 to have tcpdump read the provided file in. The file is opened upon
344 receiving the first ESP packet, so any special permissions that tcpdump
345 may have been given should already have been given up.
348 Print `foreign' IPv4 addresses numerically rather than symbolically
349 (this option is intended to get around serious brain damage in
350 Sun's NIS server \(em usually it hangs forever translating non-local
353 The test for `foreign' IPv4 addresses is done using the IPv4 address and
354 netmask of the interface on which capture is being done. If that
355 address or netmask are not available, available, either because the
356 interface on which capture is being done has no address or netmask or
357 because the capture is being done on the Linux "any" interface, which
358 can capture on more than one interface, this option will not work
362 Use \fIfile\fP as input for the filter expression.
363 An additional expression given on the command line is ignored.
366 Listen on \fIinterface\fP.
367 If unspecified, \fItcpdump\fP searches the system interface list for the
368 lowest numbered, configured up interface (excluding loopback).
369 Ties are broken by choosing the earliest match.
371 On Linux systems with 2.2 or later kernels, an
373 argument of ``any'' can be used to capture packets from all interfaces.
374 Note that captures on the ``any'' device will not be done in promiscuous
379 flag is supported, an interface number as printed by that flag can be
385 Make stdout line buffered.
386 Useful if you want to see the data
390 ``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
391 ``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
394 List the known data link types for the interface and exit.
397 Load SMI MIB module definitions from file \fImodule\fR.
399 can be used several times to load several MIB modules into \fItcpdump\fP.
402 Use \fIsecret\fP as a shared secret for validating the digests found in
403 TCP segments with the TCP-MD5 option (RFC 2385), if present.
406 Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
409 Don't print domain name qualification of host names.
411 if you give this flag then \fItcpdump\fP will print ``nic''
412 instead of ``nic.ddn.mil''.
415 Do not run the packet-matching code optimizer.
417 if you suspect a bug in the optimizer.
420 \fIDon't\fP put the interface
421 into promiscuous mode.
422 Note that the interface might be in promiscuous
423 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
424 `ether host {local-hw-addr} or ether broadcast'.
427 Quick (quiet?) output.
428 Print less protocol information so output
432 Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
433 If specified, \fItcpdump\fP will not print replay prevention field.
434 Since there is no protocol version field in ESP/AH specification,
435 \fItcpdump\fP cannot deduce the version of ESP/AH protocol.
438 Read packets from \fIfile\fR (which was created with the
441 Standard input is used if \fIfile\fR is ``-''.
444 Print absolute, rather than relative, TCP sequence numbers.
447 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
448 default of 68 (with SunOS's NIT, the minimum is actually 96).
449 68 bytes is adequate for IP, ICMP, TCP
450 and UDP but may truncate protocol information from name server and NFS
452 Packets truncated because of a limited snapshot
453 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
454 is the name of the protocol level at which the truncation has occurred.
455 Note that taking larger snapshots both increases
456 the amount of time it takes to process packets and, effectively,
457 decreases the amount of packet buffering.
458 This may cause packets to be
460 You should limit \fIsnaplen\fP to the smallest number that will
461 capture the protocol information you're interested in.
463 \fIsnaplen\fP to 0 means use the required length to catch whole packets.
466 Force packets selected by "\fIexpression\fP" to be interpreted the
467 specified \fItype\fR.
468 Currently known types are
469 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
470 \fBcnfp\fR (Cisco NetFlow protocol),
471 \fBrpc\fR (Remote Procedure Call),
472 \fBrtp\fR (Real-Time Applications protocol),
473 \fBrtcp\fR (Real-Time Applications control protocol),
474 \fBsnmp\fR (Simple Network Management Protocol),
475 \fBtftp\fR (Trivial File Transfer Protocol),
476 \fBvat\fR (Visual Audio Tool),
478 \fBwb\fR (distributed White Board).
481 \fIDon't\fP print a timestamp on each dump line.
484 Print an unformatted timestamp on each dump line.
487 Print a delta (in micro-seconds) between current and previous line
491 Print a timestamp in default format proceeded by date on each dump line.
494 Print undecoded NFS handles.
497 Make output saved via the
499 option ``packet-buffered''; i.e., as each packet is saved, it will be
500 written to the output file, rather than being written only when the
505 flag will not be supported if
507 was built with an older version of
514 When parsing and printing, produce (slightly more) verbose output.
515 For example, the time to live,
516 identification, total length and options in an IP packet are printed.
517 Also enables additional packet integrity checks such as verifying the
518 IP and ICMP header checksum.
520 When writing to a file with the
522 option, report, every 10 seconds, the number of packets captured.
525 Even more verbose output.
526 For example, additional fields are
527 printed from NFS reply packets, and SMB packets are fully decoded.
530 Even more verbose output.
532 telnet \fBSB\fP ... \fBSE\fP options
536 Telnet options are printed in hex as well.
539 Write the raw packets to \fIfile\fR rather than parsing and printing
541 They can later be printed with the \-r option.
542 Standard output is used if \fIfile\fR is ``-''.
545 Used in conjunction with the
547 option, this will limit the number
548 of files created to the specified number, and begin overwriting files
549 from the beginning, thus creating a 'rotating' buffer.
550 In addition, it will name
551 the files with enough leading 0s to support the maximum number of
552 files, allowing them to sort correctly.
555 Print each packet (minus its link level header) in hex.
556 The smaller of the entire packet or
558 bytes will be printed. Note that this is the entire link-layer
559 packet, so for link layers that pad (e.g. Ethernet), the padding bytes
560 will also be printed when the higher layer packet is shorter than the
566 its link level header, in hex.
569 Print each packet (minus its link level header) in hex and ASCII.
570 This is very handy for analysing new protocols.
575 its link level header, in hex and ASCII.
578 Set the data link type to use while capturing packets to \fIdatalinktype\fP.
581 Drops privileges (if root) and changes user ID to
583 and the group ID to the primary group of
586 This behavior can also be enabled by default at compile time.
587 .IP "\fI expression\fP"
589 selects which packets will be dumped.
590 If no \fIexpression\fP
591 is given, all packets on the net will be dumped.
593 only packets for which \fIexpression\fP is `true' will be dumped.
595 The \fIexpression\fP consists of one or more
597 Primitives usually consist of an
599 (name or number) preceded by one or more qualifiers.
601 different kinds of qualifier:
603 qualifiers say what kind of thing the id name or number refers to.
610 E.g., `host foo', `net 128.3', `port 20', `portrange 6000-6008'.
616 qualifiers specify a particular transfer direction to and/or from
618 Possible directions are
625 E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
627 there is no dir qualifier,
630 For some link layers, such as SLIP and the ``cooked'' Linux capture mode
631 used for the ``any'' device and for some other device types, the
635 qualifiers can be used to specify a desired direction.
637 qualifiers restrict the match to a particular protocol.
661 E.g., `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange
664 no proto qualifier, all protocols consistent with the type are
666 E.g., `src foo' means `(ip or arp or rarp) src foo'
667 (except the latter is not legal syntax), `net bar' means `(ip or
668 arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
670 [`fddi' is actually an alias for `ether'; the parser treats them
671 identically as meaning ``the data link level used on the specified
672 network interface.'' FDDI headers contain Ethernet-like source
673 and destination addresses, and often contain Ethernet-like packet
674 types, so you can filter on these FDDI fields just as with the
675 analogous Ethernet fields.
676 FDDI headers also contain other fields,
677 but you cannot name them explicitly in a filter expression.
679 Similarly, `tr' and `wlan' are aliases for `ether'; the previous
680 paragraph's statements about FDDI headers also apply to Token Ring
681 and 802.11 wireless LAN headers. For 802.11 headers, the destination
682 address is the DA field and the source address is the SA field; the
683 BSSID, RA, and TA fields aren't tested.]
685 In addition to the above, there are some special `primitive' keywords
686 that don't follow the pattern:
691 and arithmetic expressions.
692 All of these are described below.
694 More complex filter expressions are built up by using the words
699 to combine primitives.
700 E.g., `host foo and not port ftp and not port ftp-data'.
701 To save typing, identical qualifier lists can be omitted.
703 `tcp dst port ftp or ftp-data or domain' is exactly the same as
704 `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
706 Allowable primitives are:
707 .IP "\fBdst host \fIhost\fR"
708 True if the IPv4/v6 destination field of the packet is \fIhost\fP,
709 which may be either an address or a name.
710 .IP "\fBsrc host \fIhost\fR"
711 True if the IPv4/v6 source field of the packet is \fIhost\fP.
712 .IP "\fBhost \fIhost\fP
713 True if either the IPv4/v6 source or destination of the packet is \fIhost\fP.
715 Any of the above host expressions can be prepended with the keywords,
716 \fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in:
719 \fBip host \fIhost\fR
722 which is equivalent to:
725 \fBether proto \fI\\ip\fB and host \fIhost\fR
728 If \fIhost\fR is a name with multiple IP addresses, each address will
729 be checked for a match.
730 .IP "\fBether dst \fIehost\fP
731 True if the Ethernet destination address is \fIehost\fP.
733 may be either a name from /etc/ethers or a number (see
736 .IP "\fBether src \fIehost\fP
737 True if the Ethernet source address is \fIehost\fP.
738 .IP "\fBether host \fIehost\fP
739 True if either the Ethernet source or destination address is \fIehost\fP.
740 .IP "\fBgateway\fP \fIhost\fP
741 True if the packet used \fIhost\fP as a gateway.
743 source or destination address was \fIhost\fP but neither the IP source
744 nor the IP destination was \fIhost\fP.
745 \fIHost\fP must be a name and
746 must be found both by the machine's host-name-to-IP-address resolution
747 mechanisms (host name file, DNS, NIS, etc.) and by the machine's
748 host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
749 (An equivalent expression is
752 \fBether host \fIehost \fBand not host \fIhost\fR
755 which can be used with either names or numbers for \fIhost / ehost\fP.)
756 This syntax does not work in IPv6-enabled configuration at this moment.
757 .IP "\fBdst net \fInet\fR"
758 True if the IPv4/v6 destination address of the packet has a network
760 \fINet\fP may be either a name from /etc/networks
761 or a network number (see \fInetworks(4)\fP for details).
762 .IP "\fBsrc net \fInet\fR"
763 True if the IPv4/v6 source address of the packet has a network
765 .IP "\fBnet \fInet\fR"
766 True if either the IPv4/v6 source or destination address of the packet has a network
768 .IP "\fBnet \fInet\fR \fBmask \fInetmask\fR"
769 True if the IPv4 address matches \fInet\fR with the specific \fInetmask\fR.
770 May be qualified with \fBsrc\fR or \fBdst\fR.
771 Note that this syntax is not valid for IPv6 \fInet\fR.
772 .IP "\fBnet \fInet\fR/\fIlen\fR"
773 True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR
775 May be qualified with \fBsrc\fR or \fBdst\fR.
776 .IP "\fBdst port \fIport\fR"
777 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
778 destination port value of \fIport\fP.
779 The \fIport\fP can be a number or a name used in /etc/services (see
783 If a name is used, both the port
784 number and protocol are checked.
785 If a number or ambiguous name is used,
786 only the port number is checked (e.g., \fBdst port 513\fR will print both
787 tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
788 both tcp/domain and udp/domain traffic).
789 .IP "\fBsrc port \fIport\fR"
790 True if the packet has a source port value of \fIport\fP.
791 .IP "\fBport \fIport\fR"
792 True if either the source or destination port of the packet is \fIport\fP.
793 .IP "\fBdst portrange \fIport1\fB-\fIport2\fR"
794 True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
795 destination port value between \fIport1\fP and \fIport2\fP.
799 are interpreted in the same fashion as the
803 .IP "\fBsrc portrange \fIport1\fB-\fIport2\fR"
804 True if the packet has a source port value between \fIport1\fP and
806 .IP "\fBportrange \fIport1\fB-\fIport2\fR"
807 True if either the source or destination port of the packet is between
808 \fIport1\fP and \fIport2\fP.
810 Any of the above port or port range expressions can be prepended with
811 the keywords, \fBtcp\fP or \fBudp\fP, as in:
814 \fBtcp src port \fIport\fR
817 which matches only tcp packets whose source port is \fIport\fP.
818 .IP "\fBless \fIlength\fR"
819 True if the packet has a length less than or equal to \fIlength\fP.
820 This is equivalent to:
823 \fBlen <= \fIlength\fP.
826 .IP "\fBgreater \fIlength\fR"
827 True if the packet has a length greater than or equal to \fIlength\fP.
828 This is equivalent to:
831 \fBlen >= \fIlength\fP.
834 .IP "\fBip proto \fIprotocol\fR"
835 True if the packet is an IPv4 packet (see
837 of protocol type \fIprotocol\fP.
838 \fIProtocol\fP can be a number or one of the names
839 \fBicmp\fP, \fBicmp6\fP, \fBigmp\fP, \fBigrp\fP, \fBpim\fP, \fBah\fP,
840 \fBesp\fP, \fBvrrp\fP, \fBudp\fP, or \fBtcp\fP.
841 Note that the identifiers \fBtcp\fP, \fBudp\fP, and \fBicmp\fP are also
842 keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell.
843 Note that this primitive does not chase the protocol header chain.
844 .IP "\fBip6 proto \fIprotocol\fR"
845 True if the packet is an IPv6 packet of protocol type \fIprotocol\fP.
846 Note that this primitive does not chase the protocol header chain.
847 .IP "\fBip6 protochain \fIprotocol\fR"
848 True if the packet is IPv6 packet,
849 and contains protocol header with type \fIprotocol\fR
850 in its protocol header chain.
854 \fBip6 protochain 6\fR
857 matches any IPv6 packet with TCP protocol header in the protocol header chain.
858 The packet may contain, for example,
859 authentication header, routing header, or hop-by-hop option header,
860 between IPv6 header and TCP header.
861 The BPF code emitted by this primitive is complex and
862 cannot be optimized by BPF optimizer code in \fItcpdump\fP,
863 so this can be somewhat slow.
864 .IP "\fBip protochain \fIprotocol\fR"
865 Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4.
866 .IP "\fBether broadcast\fR"
867 True if the packet is an Ethernet broadcast packet.
870 .IP "\fBip broadcast\fR"
871 True if the packet is an IPv4 broadcast packet.
872 It checks for both the all-zeroes and all-ones broadcast conventions,
873 and looks up the subnet mask on the interface on which the capture is
876 If the subnet mask of the interface on which the capture is being done
877 is not available, either because the interface on which capture is being
878 done has no netmask or because the capture is being done on the Linux
879 "any" interface, which can capture on more than one interface, this
880 check will not work correctly.
881 .IP "\fBether multicast\fR"
882 True if the packet is an Ethernet multicast packet.
885 This is shorthand for `\fBether[0] & 1 != 0\fP'.
886 .IP "\fBip multicast\fR"
887 True if the packet is an IPv4 multicast packet.
888 .IP "\fBip6 multicast\fR"
889 True if the packet is an IPv6 multicast packet.
890 .IP "\fBether proto \fIprotocol\fR"
891 True if the packet is of ether type \fIprotocol\fR.
892 \fIProtocol\fP can be a number or one of the names
893 \fBip\fP, \fBip6\fP, \fBarp\fP, \fBrarp\fP, \fBatalk\fP, \fBaarp\fP,
894 \fBdecnet\fP, \fBsca\fP, \fBlat\fP, \fBmopdl\fP, \fBmoprc\fP,
895 \fBiso\fP, \fBstp\fP, \fBipx\fP, or \fBnetbeui\fP.
896 Note these identifiers are also keywords
897 and must be escaped via backslash (\\).
899 [In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), Token Ring
900 (e.g., `\fBtr protocol arp\fR'), and IEEE 802.11 wireless LANS (e.g.,
901 `\fBwlan protocol arp\fR'), for most of those protocols, the
902 protocol identification comes from the 802.2 Logical Link Control (LLC)
903 header, which is usually layered on top of the FDDI, Token Ring, or
906 When filtering for most protocol identifiers on FDDI, Token Ring, or
907 802.11, \fItcpdump\fR checks only the protocol ID field of an LLC header
908 in so-called SNAP format with an Organizational Unit Identifier (OUI) of
909 0x000000, for encapsulated Ethernet; it doesn't check whether the packet
910 is in SNAP format with an OUI of 0x000000.
915 \fItcpdump\fR checks the DSAP (Destination Service Access Point) and
916 SSAP (Source Service Access Point) fields of the LLC header;
918 \fBstp\fP and \fBnetbeui\fP
919 \fItcpdump\fR checks the DSAP of the LLC header;
922 \fItcpdump\fR checks for a SNAP-format packet with an OUI of 0x080007
923 and the AppleTalk etype.
926 In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field
927 for most of those protocols. The exceptions are:
930 \fBiso\fP, \fBstp\fP, and \fBnetbeui\fP
931 \fItcpdump\fR checks for an 802.3 frame and then checks the LLC header as
932 it does for FDDI, Token Ring, and 802.11;
935 \fItcpdump\fR checks both for the AppleTalk etype in an Ethernet frame and
936 for a SNAP-format packet as it does for FDDI, Token Ring, and 802.11;
939 \fItcpdump\fR checks for the AppleTalk ARP etype in either an Ethernet
940 frame or an 802.2 SNAP frame with an OUI of 0x000000;
943 \fItcpdump\fR checks for the IPX etype in an Ethernet frame, the IPX
944 DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of
945 IPX, and the IPX etype in a SNAP frame.
947 .IP "\fBdecnet src \fIhost\fR"
948 True if the DECNET source address is
950 which may be an address of the form ``10.123'', or a DECNET host
952 [DECNET host name support is only available on ULTRIX systems
953 that are configured to run DECNET.]
954 .IP "\fBdecnet dst \fIhost\fR"
955 True if the DECNET destination address is
957 .IP "\fBdecnet host \fIhost\fR"
958 True if either the DECNET source or destination address is
960 .IP "\fBifname \fIinterface\fR"
961 True if the packet was logged as coming from the specified interface (applies
962 only to packets logged by OpenBSD's
964 .IP "\fBon \fIinterface\fR"
968 .IP "\fBrnr \fInum\fR"
969 True if the packet was logged as matching the specified PF rule number
970 (applies only to packets logged by OpenBSD's
972 .IP "\fBrulenum \fInum\fR"
976 .IP "\fBreason \fIcode\fR"
977 True if the packet was logged with the specified PF reason code. The known
986 (applies only to packets logged by OpenBSD's
988 .IP "\fBrset \fIname\fR"
989 True if the packet was logged as matching the specified PF ruleset
990 name of an anchored ruleset (applies only to packets logged by
992 .IP "\fBruleset \fIname\fR"
996 .IP "\fBsrnr \fInum\fR"
997 True if the packet was logged as matching the specified PF rule number
998 of an anchored ruleset (applies only to packets logged by
1000 .IP "\fBsubrulenum \fInum\fR"
1004 .IP "\fBaction \fIact\fR"
1005 True if PF took the specified action when the packet was logged. Known actions
1010 (applies only to packets logged by OpenBSD's
1012 .IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP"
1016 \fBether proto \fIp\fR
1019 where \fIp\fR is one of the above protocols.
1020 .IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR"
1024 \fBether proto \fIp\fR
1027 where \fIp\fR is one of the above protocols.
1029 \fItcpdump\fP does not currently know how to parse these protocols.
1030 .IP "\fBvlan \fI[vlan_id]\fR"
1031 True if the packet is an IEEE 802.1Q VLAN packet.
1032 If \fI[vlan_id]\fR is specified, only true if the packet has the specified
1034 Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR
1035 changes the decoding offsets for the remainder of \fIexpression\fR on
1036 the assumption that the packet is a VLAN packet. The \fBvlan
1037 \fI[vlan_id]\fR expression may be used more than once, to filter on VLAN
1038 hierarchies. Each use of that expression increments the filter offsets
1044 \fBvlan 100 && vlan 200\fR
1047 filters on VLAN 200 encapsulated within VLAN 100, and
1050 \fBvlan && vlan 300 && ip\fR
1053 filters IPv4 protocols encapsulated in VLAN 300 encapsulated within any
1055 .IP "\fBmpls \fI[label_num]\fR"
1056 True if the packet is an MPLS packet.
1057 If \fI[label_num]\fR is specified, only true is the packet has the specified
1059 Note that the first \fBmpls\fR keyword encountered in \fIexpression\fR
1060 changes the decoding offsets for the remainder of \fIexpression\fR on
1061 the assumption that the packet is a MPLS-encapsulated IP packet. The
1062 \fBmpls \fI[label_num]\fR expression may be used more than once, to
1063 filter on MPLS hierarchies. Each use of that expression increments the
1064 filter offsets by 4.
1069 \fBmpls 100000 && mpls 1024\fR
1072 filters packets with an outer label of 100000 and an inner label of
1076 \fBmpls && mpls 1024 && host 192.9.200.1\fR
1079 filters packets to or from 192.9.200.1 with an inner label of 1024 and
1082 True if the packet is a PPP-over-Ethernet Discovery packet (Ethernet
1085 True if the packet is a PPP-over-Ethernet Session packet (Ethernet
1087 Note that the first \fBpppoes\fR keyword encountered in \fIexpression\fR
1088 changes the decoding offsets for the remainder of \fIexpression\fR on
1089 the assumption that the packet is a PPPoE session packet.
1097 filters IPv4 protocols encapsulated in PPPoE.
1098 .IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
1102 \fBip proto \fIp\fR\fB or ip6 proto \fIp\fR
1105 where \fIp\fR is one of the above protocols.
1106 .IP "\fBiso proto \fIprotocol\fR"
1107 True if the packet is an OSI packet of protocol type \fIprotocol\fP.
1108 \fIProtocol\fP can be a number or one of the names
1109 \fBclnp\fP, \fBesis\fP, or \fBisis\fP.
1110 .IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR"
1114 \fBiso proto \fIp\fR
1117 where \fIp\fR is one of the above protocols.
1118 .IP "\fBl1\fR, \fBl2\fR, \fBiih\fR, \fBlsp\fR, \fBsnp\fR, \fBcsnp\fR, \fBpsnp\fR"
1119 Abbreviations for IS-IS PDU types.
1120 .IP "\fBvpi\fP \fIn\fR
1121 True if the packet is an ATM packet, for SunATM on Solaris, with a
1122 virtual path identifier of
1124 .IP "\fBvci\fP \fIn\fR
1125 True if the packet is an ATM packet, for SunATM on Solaris, with a
1126 virtual channel identifier of
1129 True if the packet is an ATM packet, for SunATM on Solaris, and is
1131 Note that the first \fBlane\fR keyword encountered in \fIexpression\fR
1132 changes the tests done in the remainder of \fIexpression\fR
1133 on the assumption that the packet is either a LANE emulated Ethernet
1134 packet or a LANE LE Control packet. If \fBlane\fR isn't specified, the
1135 tests are done under the assumption that the packet is an
1136 LLC-encapsulated packet.
1138 True if the packet is an ATM packet, for SunATM on Solaris, and is
1139 an LLC-encapsulated packet.
1141 True if the packet is an ATM packet, for SunATM on Solaris, and is
1142 a segment OAM F4 flow cell (VPI=0 & VCI=3).
1144 True if the packet is an ATM packet, for SunATM on Solaris, and is
1145 an end-to-end OAM F4 flow cell (VPI=0 & VCI=4).
1147 True if the packet is an ATM packet, for SunATM on Solaris, and is
1148 a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
1150 True if the packet is an ATM packet, for SunATM on Solaris, and is
1151 a segment or end-to-end OAM F4 flow cell (VPI=0 & (VCI=3 | VCI=4)).
1153 True if the packet is an ATM packet, for SunATM on Solaris, and is
1154 on a meta signaling circuit (VPI=0 & VCI=1).
1156 True if the packet is an ATM packet, for SunATM on Solaris, and is
1157 on a broadcast signaling circuit (VPI=0 & VCI=2).
1159 True if the packet is an ATM packet, for SunATM on Solaris, and is
1160 on a signaling circuit (VPI=0 & VCI=5).
1162 True if the packet is an ATM packet, for SunATM on Solaris, and is
1163 on an ILMI circuit (VPI=0 & VCI=16).
1164 .IP \fBconnectmsg\fP
1165 True if the packet is an ATM packet, for SunATM on Solaris, and is
1166 on a signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
1167 Connect Ack, Release, or Release Done message.
1168 .IP \fBmetaconnect\fP
1169 True if the packet is an ATM packet, for SunATM on Solaris, and is
1170 on a meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect,
1171 Release, or Release Done message.
1172 .IP "\fIexpr relop expr\fR"
1173 True if the relation holds, where \fIrelop\fR is one of >, <, >=, <=, =,
1174 !=, and \fIexpr\fR is an arithmetic expression composed of integer
1175 constants (expressed in standard C syntax), the normal binary operators
1176 [+, -, *, /, &, |, <<, >>], a length operator, and special packet data
1177 accessors. Note that all comparisons are unsigned, so that, for example,
1178 0x80000000 and 0xffffffff are > 0.
1180 data inside the packet, use the following syntax:
1183 \fIproto\fB [ \fIexpr\fB : \fIsize\fB ]\fR
1186 \fIProto\fR is one of \fBether, fddi, tr, wlan, ppp, slip, link,
1187 ip, arp, rarp, tcp, udp, icmp, ip6\fR or \fBradio\fR, and
1188 indicates the protocol layer for the index operation.
1189 (\fBether, fddi, wlan, tr, ppp, slip\fR and \fBlink\fR all refer to the
1190 link layer. \fBradio\fR refers to the "radio header" added to some
1192 Note that \fItcp, udp\fR and other upper-layer protocol types only
1193 apply to IPv4, not IPv6 (this will be fixed in the future).
1194 The byte offset, relative to the indicated protocol layer, is
1195 given by \fIexpr\fR.
1196 \fISize\fR is optional and indicates the number of bytes in the
1197 field of interest; it can be either one, two, or four, and defaults to one.
1198 The length operator, indicated by the keyword \fBlen\fP, gives the
1199 length of the packet.
1201 For example, `\fBether[0] & 1 != 0\fP' catches all multicast traffic.
1202 The expression `\fBip[0] & 0xf != 5\fP'
1203 catches all IPv4 packets with options.
1205 `\fBip[6:2] & 0x1fff = 0\fP'
1206 catches only unfragmented IPv4 datagrams and frag zero of fragmented
1208 This check is implicitly applied to the \fBtcp\fP and \fBudp\fP
1210 For instance, \fBtcp[0]\fP always means the first
1211 byte of the TCP \fIheader\fP, and never means the first byte of an
1212 intervening fragment.
1214 Some offsets and field values may be expressed as names rather than
1216 The following protocol header field offsets are
1217 available: \fBicmptype\fP (ICMP type field), \fBicmpcode\fP (ICMP
1218 code field), and \fBtcpflags\fP (TCP flags field).
1220 The following ICMP type field values are available: \fBicmp-echoreply\fP,
1221 \fBicmp-unreach\fP, \fBicmp-sourcequench\fP, \fBicmp-redirect\fP,
1222 \fBicmp-echo\fP, \fBicmp-routeradvert\fP, \fBicmp-routersolicit\fP,
1223 \fBicmp-timxceed\fP, \fBicmp-paramprob\fP, \fBicmp-tstamp\fP,
1224 \fBicmp-tstampreply\fP, \fBicmp-ireq\fP, \fBicmp-ireqreply\fP,
1225 \fBicmp-maskreq\fP, \fBicmp-maskreply\fP.
1227 The following TCP flags field values are available: \fBtcp-fin\fP,
1228 \fBtcp-syn\fP, \fBtcp-rst\fP, \fBtcp-push\fP,
1229 \fBtcp-ack\fP, \fBtcp-urg\fP.
1231 Primitives may be combined using:
1233 A parenthesized group of primitives and operators
1234 (parentheses are special to the Shell and must be escaped).
1236 Negation (`\fB!\fP' or `\fBnot\fP').
1238 Concatenation (`\fB&&\fP' or `\fBand\fP').
1240 Alternation (`\fB||\fP' or `\fBor\fP').
1242 Negation has highest precedence.
1243 Alternation and concatenation have equal precedence and associate
1245 Note that explicit \fBand\fR tokens, not juxtaposition,
1246 are now required for concatenation.
1248 If an identifier is given without a keyword, the most recent keyword
1253 \fBnot host vs and ace\fR
1259 \fBnot host vs and host ace\fR
1262 which should not be confused with
1265 \fBnot ( host vs or ace )\fR
1269 Expression arguments can be passed to \fItcpdump\fP as either a single
1270 argument or as multiple arguments, whichever is more convenient.
1271 Generally, if the expression contains Shell metacharacters, it is
1272 easier to pass it as a single, quoted argument.
1273 Multiple arguments are concatenated with spaces before being parsed.
1276 To print all packets arriving at or departing from \fIsundown\fP:
1279 \fBtcpdump host sundown\fP
1283 To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
1286 \fBtcpdump host helios and \\( hot or ace \\)\fP
1290 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
1293 \fBtcpdump ip host ace and not helios\fP
1297 To print all traffic between local hosts and hosts at Berkeley:
1301 tcpdump net ucb-ether
1305 To print all ftp traffic through internet gateway \fIsnup\fP:
1306 (note that the expression is quoted to prevent the shell from
1307 (mis-)interpreting the parentheses):
1311 tcpdump 'gateway snup and (port ftp or ftp-data)'
1315 To print traffic neither sourced from nor destined for local hosts
1316 (if you gateway to one other net, this stuff should never make it
1317 onto your local net).
1321 tcpdump ip and not net \fIlocalnet\fP
1325 To print the start and end packets (the SYN and FIN packets) of each
1326 TCP conversation that involves a non-local host.
1330 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
1334 To print all IPv4 HTTP packets to and from port 80, i.e. print only
1335 packets that contain data, not, for example, SYN and FIN packets and
1336 ACK-only packets. (IPv6 is left as an exercise for the reader.)
1340 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
1344 To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
1348 tcpdump 'gateway snup and ip[2:2] > 576'
1352 To print IP broadcast or multicast packets that were
1354 sent via Ethernet broadcast or multicast:
1358 tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
1362 To print all ICMP packets that are not echo requests/replies (i.e., not
1367 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
1372 The output of \fItcpdump\fP is protocol dependent.
1374 gives a brief description and examples of most of the formats.
1382 If the '-e' option is given, the link level header is printed out.
1383 On Ethernets, the source and destination addresses, protocol,
1384 and packet length are printed.
1386 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
1387 the `frame control' field, the source and destination addresses,
1388 and the packet length.
1389 (The `frame control' field governs the
1390 interpretation of the rest of the packet.
1391 Normal packets (such
1392 as those containing IP datagrams) are `async' packets, with a priority
1393 value between 0 and 7; for example, `\fBasync4\fR'.
1395 are assumed to contain an 802.2 Logical Link Control (LLC) packet;
1396 the LLC header is printed if it is \fInot\fR an ISO datagram or a
1397 so-called SNAP packet.
1399 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
1400 the `access control' and `frame control' fields, the source and
1401 destination addresses, and the packet length.
1402 As on FDDI networks,
1403 packets are assumed to contain an LLC packet.
1404 Regardless of whether
1405 the '-e' option is specified or not, the source routing information is
1406 printed for source-routed packets.
1408 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
1409 the `frame control' fields, all of the addresses in the 802.11 header,
1410 and the packet length.
1411 As on FDDI networks,
1412 packets are assumed to contain an LLC packet.
1414 \fI(N.B.: The following description assumes familiarity with
1415 the SLIP compression algorithm described in RFC-1144.)\fP
1417 On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
1418 packet type, and compression information are printed out.
1419 The packet type is printed first.
1420 The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
1421 No further link information is printed for \fIip\fR packets.
1422 For TCP packets, the connection identifier is printed following the type.
1423 If the packet is compressed, its encoded header is printed out.
1424 The special cases are printed out as
1425 \fB*S+\fIn\fR and \fB*SA+\fIn\fR, where \fIn\fR is the amount by which
1426 the sequence number (or sequence number and ack) has changed.
1427 If it is not a special case,
1428 zero or more changes are printed.
1429 A change is indicated by U (urgent pointer), W (window), A (ack),
1430 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
1431 or a new value (=n).
1432 Finally, the amount of data in the packet and compressed header length
1435 For example, the following line shows an outbound compressed TCP packet,
1436 with an implicit connection identifier; the ack has changed by 6,
1437 the sequence number by 49, and the packet ID by 6; there are 3 bytes of
1438 data and 6 bytes of compressed header:
1441 \fBO ctcp * A+6 S+49 I+6 3 (6)\fP
1447 Arp/rarp output shows the type of request and its arguments.
1449 format is intended to be self explanatory.
1450 Here is a short sample taken from the start of an `rlogin' from
1451 host \fIrtsg\fP to host \fIcsam\fP:
1455 \f(CWarp who-has csam tell rtsg
1456 arp reply csam is-at CSAM\fR
1460 The first line says that rtsg sent an arp packet asking
1461 for the Ethernet address of internet host csam.
1463 replies with its Ethernet address (in this example, Ethernet addresses
1464 are in caps and internet addresses in lower case).
1466 This would look less redundant if we had done \fItcpdump \-n\fP:
1470 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
1471 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
1475 If we had done \fItcpdump \-e\fP, the fact that the first packet is
1476 broadcast and the second is point-to-point would be visible:
1480 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
1481 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
1485 For the first packet this says the Ethernet source address is RTSG, the
1486 destination is the Ethernet broadcast address, the type field
1487 contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
1491 \fI(N.B.:The following description assumes familiarity with
1492 the TCP protocol described in RFC-793.
1493 If you are not familiar
1494 with the protocol, neither this description nor \fItcpdump\fP will
1495 be of much use to you.)\fP
1497 The general format of a tcp protocol line is:
1501 \fIsrc > dst: flags data-seqno ack window urgent options\fP
1505 \fISrc\fP and \fIdst\fP are the source and destination IP
1506 addresses and ports.
1507 \fIFlags\fP are some combination of S (SYN),
1508 F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
1510 \fIData-seqno\fP describes the portion of sequence space covered
1511 by the data in this packet (see example below).
1512 \fIAck\fP is sequence number of the next data expected the other
1513 direction on this connection.
1514 \fIWindow\fP is the number of bytes of receive buffer space available
1515 the other direction on this connection.
1516 \fIUrg\fP indicates there is `urgent' data in the packet.
1517 \fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
1519 \fISrc, dst\fP and \fIflags\fP are always present.
1521 depend on the contents of the packet's tcp protocol header and
1522 are output only if appropriate.
1524 Here is the opening portion of an rlogin from host \fIrtsg\fP to
1529 \s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
1530 csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
1531 rtsg.1023 > csam.login: . ack 1 win 4096
1532 rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
1533 csam.login > rtsg.1023: . ack 2 win 4096
1534 rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
1535 csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
1536 csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
1537 csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
1541 The first line says that tcp port 1023 on rtsg sent a packet
1544 The \fBS\fP indicates that the \fISYN\fP flag was set.
1545 The packet sequence number was 768512 and it contained no data.
1546 (The notation is `first:last(nbytes)' which means `sequence
1548 up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
1549 There was no piggy-backed ack, the available receive window was 4096
1550 bytes and there was a max-segment-size option requesting an mss of
1553 Csam replies with a similar packet except it includes a piggy-backed
1555 Rtsg then acks csam's SYN.
1558 The packet contained no data so there is no data sequence number.
1559 Note that the ack sequence
1560 number is a small integer (1).
1561 The first time \fItcpdump\fP sees a
1562 tcp `conversation', it prints the sequence number from the packet.
1563 On subsequent packets of the conversation, the difference between
1564 the current packet's sequence number and this initial sequence number
1566 This means that sequence numbers after the
1567 first can be interpreted
1568 as relative byte positions in the conversation's data stream (with the
1569 first data byte each direction being `1').
1570 `-S' will override this
1571 feature, causing the original sequence numbers to be output.
1573 On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
1574 in the rtsg \(-> csam side of the conversation).
1575 The PUSH flag is set in the packet.
1576 On the 7th line, csam says it's received data sent by rtsg up to
1577 but not including byte 21.
1578 Most of this data is apparently sitting in the
1579 socket buffer since csam's receive window has gotten 19 bytes smaller.
1580 Csam also sends one byte of data to rtsg in this packet.
1581 On the 8th and 9th lines,
1582 csam sends two bytes of urgent, pushed data to rtsg.
1584 If the snapshot was small enough that \fItcpdump\fP didn't capture
1585 the full TCP header, it interprets as much of the header as it can
1586 and then reports ``[|\fItcp\fP]'' to indicate the remainder could not
1588 If the header contains a bogus option (one with a length
1589 that's either too small or beyond the end of the header), \fItcpdump\fP
1590 reports it as ``[\fIbad opt\fP]'' and does not interpret any further
1591 options (since it's impossible to tell where they start).
1593 length indicates options are present but the IP datagram length is not
1594 long enough for the options to actually be there, \fItcpdump\fP reports
1595 it as ``[\fIbad hdr length\fP]''.
1597 .B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
1599 There are 8 bits in the control bits section of the TCP header:
1601 .I CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
1603 Let's assume that we want to watch packets used in establishing
1605 Recall that TCP uses a 3-way handshake protocol
1606 when it initializes a new connection; the connection sequence with
1607 regard to the TCP control bits is
1613 2) Recipient responds with SYN, ACK
1619 Now we're interested in capturing packets that have only the
1620 SYN bit set (Step 1).
1621 Note that we don't want packets from step 2
1622 (SYN-ACK), just a plain initial SYN.
1623 What we need is a correct filter
1624 expression for \fItcpdump\fP.
1626 Recall the structure of a TCP header without options:
1630 -----------------------------------------------------------------
1631 | source port | destination port |
1632 -----------------------------------------------------------------
1634 -----------------------------------------------------------------
1635 | acknowledgment number |
1636 -----------------------------------------------------------------
1637 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1638 -----------------------------------------------------------------
1639 | TCP checksum | urgent pointer |
1640 -----------------------------------------------------------------
1643 A TCP header usually holds 20 octets of data, unless options are
1645 The first line of the graph contains octets 0 - 3, the
1646 second line shows octets 4 - 7 etc.
1648 Starting to count with 0, the relevant TCP control bits are contained
1653 ----------------|---------------|---------------|----------------
1654 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1655 ----------------|---------------|---------------|----------------
1656 | | 13th octet | | |
1659 Let's have a closer look at octet no. 13:
1669 These are the TCP control bits we are interested
1671 We have numbered the bits in this octet from 0 to 7, right to
1672 left, so the PSH bit is bit number 3, while the URG bit is number 5.
1674 Recall that we want to capture packets with only SYN set.
1675 Let's see what happens to octet 13 if a TCP datagram arrives
1676 with the SYN bit set in its header:
1687 control bits section we see that only bit number 1 (SYN) is set.
1689 Assuming that octet number 13 is an 8-bit unsigned integer in
1690 network byte order, the binary value of this octet is
1694 and its decimal representation is
1698 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 = 2
1701 We're almost done, because now we know that if only SYN is set,
1702 the value of the 13th octet in the TCP header, when interpreted
1703 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1705 This relationship can be expressed as
1711 We can use this expression as the filter for \fItcpdump\fP in order
1712 to watch packets which have only SYN set:
1715 tcpdump -i xl0 tcp[13] == 2
1718 The expression says "let the 13th octet of a TCP datagram have
1719 the decimal value 2", which is exactly what we want.
1721 Now, let's assume that we need to capture SYN packets, but we
1722 don't care if ACK or any other TCP control bit is set at the
1724 Let's see what happens to octet 13 when a TCP datagram
1725 with SYN-ACK set arrives:
1735 Now bits 1 and 4 are set in the 13th octet.
1741 which translates to decimal
1745 0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2 = 18
1748 Now we can't just use 'tcp[13] == 18' in the \fItcpdump\fP filter
1749 expression, because that would select only those packets that have
1750 SYN-ACK set, but not those with only SYN set.
1751 Remember that we don't care
1752 if ACK or any other control bit is set as long as SYN is set.
1754 In order to achieve our goal, we need to logically AND the
1755 binary value of octet 13 with some other value to preserve
1757 We know that we want SYN to be set in any case,
1758 so we'll logically AND the value in the 13th octet with
1759 the binary value of a SYN:
1763 00010010 SYN-ACK 00000010 SYN
1764 AND 00000010 (we want SYN) AND 00000010 (we want SYN)
1766 = 00000010 = 00000010
1769 We see that this AND operation delivers the same result
1770 regardless whether ACK or another TCP control bit is set.
1771 The decimal representation of the AND value as well as
1772 the result of this operation is 2 (binary 00000010),
1773 so we know that for packets with SYN set the following
1774 relation must hold true:
1776 ( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )
1778 This points us to the \fItcpdump\fP filter expression
1781 tcpdump -i xl0 'tcp[13] & 2 == 2'
1784 Note that you should use single quotes or a backslash
1785 in the expression to hide the AND ('&') special character
1791 UDP format is illustrated by this rwho packet:
1795 \f(CWactinide.who > broadcast.who: udp 84\fP
1799 This says that port \fIwho\fP on host \fIactinide\fP sent a udp
1800 datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
1802 The packet contained 84 bytes of user data.
1804 Some UDP services are recognized (from the source or destination
1805 port number) and the higher level protocol information printed.
1806 In particular, Domain Name service requests (RFC-1034/1035) and Sun
1807 RPC calls (RFC-1050) to NFS.
1809 UDP Name Server Requests
1811 \fI(N.B.:The following description assumes familiarity with
1812 the Domain Service protocol described in RFC-1035.
1813 If you are not familiar
1814 with the protocol, the following description will appear to be written
1817 Name server requests are formatted as
1821 \fIsrc > dst: id op? flags qtype qclass name (len)\fP
1823 \f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
1827 Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
1828 address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
1829 The query id was `3'.
1830 The `+' indicates the \fIrecursion desired\fP flag
1832 The query length was 37 bytes, not including the UDP and
1833 IP protocol headers.
1834 The query operation was the normal one, \fIQuery\fP,
1835 so the op field was omitted.
1836 If the op had been anything else, it would
1837 have been printed between the `3' and the `+'.
1838 Similarly, the qclass was the normal one,
1839 \fIC_IN\fP, and omitted.
1840 Any other qclass would have been printed
1841 immediately after the `A'.
1843 A few anomalies are checked and may result in extra fields enclosed in
1844 square brackets: If a query contains an answer, authority records or
1845 additional records section,
1850 are printed as `[\fIn\fPa]', `[\fIn\fPn]' or `[\fIn\fPau]' where \fIn\fP
1851 is the appropriate count.
1852 If any of the response bits are set (AA, RA or rcode) or any of the
1853 `must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
1854 is printed, where \fIx\fP is the hex value of header bytes two and three.
1856 UDP Name Server Responses
1858 Name server responses are formatted as
1862 \fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
1864 \f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
1865 helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
1869 In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
1870 with 3 answer records, 3 name server records and 7 additional records.
1871 The first answer record is type A (address) and its data is internet
1872 address 128.32.137.3.
1873 The total size of the response was 273 bytes,
1874 excluding UDP and IP headers.
1875 The op (Query) and response code
1876 (NoError) were omitted, as was the class (C_IN) of the A record.
1878 In the second example, \fIhelios\fP responds to query 2 with a
1879 response code of non-existent domain (NXDomain) with no answers,
1880 one name server and no authority records.
1881 The `*' indicates that
1882 the \fIauthoritative answer\fP bit was set.
1884 answers, no type, class or data were printed.
1886 Other flag characters that might appear are `\-' (recursion available,
1887 RA, \fInot\fP set) and `|' (truncated message, TC, set).
1889 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
1892 Note that name server requests and responses tend to be large and the
1893 default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
1895 Use the \fB\-s\fP flag to increase the snaplen if you
1896 need to seriously investigate name server traffic.
1898 has worked well for me.
1903 \fItcpdump\fP now includes fairly extensive SMB/CIFS/NBT decoding for data
1904 on UDP/137, UDP/138 and TCP/139.
1905 Some primitive decoding of IPX and
1906 NetBEUI SMB data is also done.
1908 By default a fairly minimal decode is done, with a much more detailed
1909 decode done if -v is used.
1910 Be warned that with -v a single SMB packet
1911 may take up a page or more, so only use -v if you really want all the
1914 For information on SMB packet formats and what all te fields mean see
1915 www.cifs.org or the pub/samba/specs/ directory on your favorite
1916 samba.org mirror site.
1917 The SMB patches were written by Andrew Tridgell
1921 NFS Requests and Replies
1923 Sun NFS (Network File System) requests and replies are printed as:
1927 \fIsrc.xid > dst.nfs: len op args\fP
1928 \fIsrc.nfs > dst.xid: reply stat len op results\fP
1931 sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
1932 wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
1933 sushi.201b > wrl.nfs:
1934 144 lookup fh 9,74/4096.6878 "xcolors"
1935 wrl.nfs > sushi.201b:
1936 reply ok 128 lookup fh 9,74/4134.3150
1941 In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP
1942 to \fIwrl\fP (note that the number following the src host is a
1943 transaction id, \fInot\fP the source port).
1944 The request was 112 bytes,
1945 excluding the UDP and IP headers.
1946 The operation was a \fIreadlink\fP
1947 (read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
1948 (If one is lucky, as in this case, the file handle can be interpreted
1949 as a major,minor device number pair, followed by the inode number and
1951 \fIWrl\fP replies `ok' with the contents of the link.
1953 In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name
1954 `\fIxcolors\fP' in directory file 9,74/4096.6878.
1955 Note that the data printed
1956 depends on the operation type.
1957 The format is intended to be self
1958 explanatory if read in conjunction with
1959 an NFS protocol spec.
1961 If the \-v (verbose) flag is given, additional information is printed.
1967 sushi.1372a > wrl.nfs:
1968 148 read fh 21,11/12.195 8192 bytes @ 24576
1969 wrl.nfs > sushi.1372a:
1970 reply ok 1472 read REG 100664 ids 417/0 sz 29388
1975 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1976 which have been omitted from this example.) In the first line,
1977 \fIsushi\fP asks \fIwrl\fP to read 8192 bytes from file 21,11/12.195,
1978 at byte offset 24576.
1979 \fIWrl\fP replies `ok'; the packet shown on the
1980 second line is the first fragment of the reply, and hence is only 1472
1981 bytes long (the other bytes will follow in subsequent fragments, but
1982 these fragments do not have NFS or even UDP headers and so might not be
1983 printed, depending on the filter expression used).
1984 Because the \-v flag
1985 is given, some of the file attributes (which are returned in addition
1986 to the file data) are printed: the file type (``REG'', for regular file),
1987 the file mode (in octal), the uid and gid, and the file size.
1989 If the \-v flag is given more than once, even more details are printed.
1991 Note that NFS requests are very large and much of the detail won't be printed
1992 unless \fIsnaplen\fP is increased.
1993 Try using `\fB\-s 192\fP' to watch
1996 NFS reply packets do not explicitly identify the RPC operation.
1998 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
1999 replies using the transaction ID.
2000 If a reply does not closely follow the
2001 corresponding request, it might not be parsable.
2003 AFS Requests and Replies
2005 Transarc AFS (Andrew File System) requests and replies are printed
2011 \fIsrc.sport > dst.dport: rx packet-type\fP
2012 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
2013 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
2016 elvis.7001 > pike.afsfs:
2017 rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
2018 new fid 536876964/1/1 ".newsrc"
2019 pike.afsfs > elvis.7001: rx data fs reply rename
2024 In the first line, host elvis sends a RX packet to pike.
2026 a RX data packet to the fs (fileserver) service, and is the start of
2028 The RPC call was a rename, with the old directory file id
2029 of 536876964/1/1 and an old filename of `.newsrc.new', and a new directory
2030 file id of 536876964/1/1 and a new filename of `.newsrc'.
2032 responds with a RPC reply to the rename call (which was successful, because
2033 it was a data packet and not an abort packet).
2035 In general, all AFS RPCs are decoded at least by RPC call name.
2037 AFS RPCs have at least some of the arguments decoded (generally only
2038 the `interesting' arguments, for some definition of interesting).
2040 The format is intended to be self-describing, but it will probably
2041 not be useful to people who are not familiar with the workings of
2044 If the -v (verbose) flag is given twice, acknowledgement packets and
2045 additional header information is printed, such as the the RX call ID,
2046 call number, sequence number, serial number, and the RX packet flags.
2048 If the -v flag is given twice, additional information is printed,
2049 such as the the RX call ID, serial number, and the RX packet flags.
2050 The MTU negotiation information is also printed from RX ack packets.
2052 If the -v flag is given three times, the security index and service id
2055 Error codes are printed for abort packets, with the exception of Ubik
2056 beacon packets (because abort packets are used to signify a yes vote
2057 for the Ubik protocol).
2059 Note that AFS requests are very large and many of the arguments won't
2060 be printed unless \fIsnaplen\fP is increased.
2061 Try using `\fB-s 256\fP'
2062 to watch AFS traffic.
2064 AFS reply packets do not explicitly identify the RPC operation.
2066 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
2067 replies using the call number and service ID.
2068 If a reply does not closely
2070 corresponding request, it might not be parsable.
2073 KIP AppleTalk (DDP in UDP)
2075 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
2076 and dumped as DDP packets (i.e., all the UDP header information is
2080 is used to translate AppleTalk net and node numbers to names.
2081 Lines in this file have the form
2093 The first two lines give the names of AppleTalk networks.
2095 line gives the name of a particular host (a host is distinguished
2096 from a net by the 3rd octet in the number \-
2097 a net number \fImust\fP have two octets and a host number \fImust\fP
2098 have three octets.) The number and name should be separated by
2099 whitespace (blanks or tabs).
2102 file may contain blank lines or comment lines (lines starting with
2105 AppleTalk addresses are printed in the form
2111 \f(CW144.1.209.2 > icsd-net.112.220
2112 office.2 > icsd-net.112.220
2113 jssmag.149.235 > icsd-net.2\fR
2119 doesn't exist or doesn't contain an entry for some AppleTalk
2120 host/net number, addresses are printed in numeric form.)
2121 In the first example, NBP (DDP port 2) on net 144.1 node 209
2122 is sending to whatever is listening on port 220 of net icsd node 112.
2123 The second line is the same except the full name of the source node
2124 is known (`office').
2125 The third line is a send from port 235 on
2126 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
2127 the broadcast address (255) is indicated by a net name with no host
2128 number \- for this reason it's a good idea to keep node names and
2129 net names distinct in /etc/atalk.names).
2131 NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
2132 packets have their contents interpreted.
2133 Other protocols just dump
2134 the protocol name (or number if no name is registered for the
2135 protocol) and packet size.
2137 \fBNBP packets\fP are formatted like the following examples:
2141 \s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
2142 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
2143 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
2147 The first line is a name lookup request for laserwriters sent by net icsd host
2148 112 and broadcast on net jssmag.
2149 The nbp id for the lookup is 190.
2150 The second line shows a reply for this request (note that it has the
2151 same id) from host jssmag.209 saying that it has a laserwriter
2152 resource named "RM1140" registered on port 250.
2154 another reply to the same request saying host techpit has laserwriter
2155 "techpit" registered on port 186.
2157 \fBATP packet\fP formatting is demonstrated by the following example:
2161 \s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
2162 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
2163 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
2164 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
2165 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
2166 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
2167 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
2168 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
2169 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
2170 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
2171 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
2172 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
2173 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
2174 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
2178 Jssmag.209 initiates transaction id 12266 with host helios by requesting
2179 up to 8 packets (the `<0-7>').
2180 The hex number at the end of the line
2181 is the value of the `userdata' field in the request.
2183 Helios responds with 8 512-byte packets.
2184 The `:digit' following the
2185 transaction id gives the packet sequence number in the transaction
2186 and the number in parens is the amount of data in the packet,
2187 excluding the atp header.
2188 The `*' on packet 7 indicates that the
2191 Jssmag.209 then requests that packets 3 & 5 be retransmitted.
2193 resends them then jssmag.209 releases the transaction.
2195 jssmag.209 initiates the next request.
2196 The `*' on the request
2197 indicates that XO (`exactly once') was \fInot\fP set.
2202 Fragmented Internet datagrams are printed as
2206 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB+)\fR
2207 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB)\fR
2211 (The first form indicates there are more fragments.
2213 indicates this is the last fragment.)
2215 \fIId\fP is the fragment id.
2216 \fISize\fP is the fragment
2217 size (in bytes) excluding the IP header.
2218 \fIOffset\fP is this
2219 fragment's offset (in bytes) in the original datagram.
2221 The fragment information is output for each fragment.
2223 fragment contains the higher level protocol header and the frag
2224 info is printed after the protocol info.
2226 after the first contain no higher level protocol header and the
2227 frag info is printed after the source and destination addresses.
2228 For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
2229 over a CSNET connection that doesn't appear to handle 576 byte datagrams:
2233 \s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
2234 arizona > rtsg: (frag 595a:204@328)
2235 rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
2239 There are a couple of things to note here: First, addresses in the
2240 2nd line don't include port numbers.
2241 This is because the TCP
2242 protocol information is all in the first fragment and we have no idea
2243 what the port or sequence numbers are when we print the later fragments.
2244 Second, the tcp sequence information in the first line is printed as if there
2245 were 308 bytes of user data when, in fact, there are 512 bytes (308 in
2246 the first frag and 204 in the second).
2247 If you are looking for holes
2248 in the sequence space or trying to match up acks
2249 with packets, this can fool you.
2251 A packet with the IP \fIdon't fragment\fP flag is marked with a
2252 trailing \fB(DF)\fP.
2256 By default, all output lines are preceded by a timestamp.
2258 is the current clock time in the form
2264 and is as accurate as the kernel's clock.
2265 The timestamp reflects the time the kernel first saw the packet.
2267 is made to account for the time lag between when the
2268 Ethernet interface removed the packet from the wire and when the kernel
2269 serviced the `new packet' interrupt.
2273 The original authors are:
2277 Steven McCanne, all of the
2278 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
2280 It is currently being maintained by tcpdump.org.
2282 The current version is available via http:
2285 .I http://www.tcpdump.org/
2288 The original distribution is available via anonymous ftp:
2291 .I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
2294 IPv6/IPsec support is added by WIDE/KAME project.
2295 This program uses Eric Young's SSLeay library, under specific configuration.
2297 Please send problems, bugs, questions, desirable enhancements, etc. to:
2300 tcpdump-workers@tcpdump.org
2303 Please send source code contributions, etc. to:
2309 NIT doesn't let you watch your own outbound traffic, BPF will.
2310 We recommend that you use the latter.
2316 option on a network interface supporting checksum off-loading,
2317 IP packets sourced from this machine will have many false 'bad cksum 0' errors.
2319 On Linux systems with 2.0[.x] kernels:
2321 packets on the loopback device will be seen twice;
2323 packet filtering cannot be done in the kernel, so that all packets must
2324 be copied from the kernel in order to be filtered in user mode;
2326 all of a packet, not just the part that's within the snapshot length,
2327 will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
2328 asked to copy only part of a packet to userland, will not report the
2329 true length of the packet; this would cause most IP packets to get an
2333 capturing on some PPP devices won't work correctly.
2335 We recommend that you upgrade to a 2.2 or later kernel.
2337 Some attempt should be made to reassemble IP fragments or, at least
2338 to compute the right length for the higher level protocol.
2340 Name server inverse queries are not dumped correctly: the (empty)
2341 question section is printed rather than real query in the answer
2343 Some believe that inverse queries are themselves a bug and
2344 prefer to fix the program generating them rather than \fItcpdump\fP.
2346 A packet trace that crosses a daylight savings time change will give
2347 skewed time stamps (the time change is ignored).
2349 Filter expressions on fields other than those in Token Ring headers will
2350 not correctly handle source-routed Token Ring packets.
2352 Filter expressions on fields other than those in 802.11 headers will not
2353 correctly handle 802.11 data packets with both To DS and From DS set.
2356 should chase header chain, but at this moment it does not.
2357 .BR "ip6 protochain"
2358 is supplied for this behavior.
2360 Arithmetic expression against transport layer headers, like \fBtcp[0]\fP,
2361 does not work against IPv6 packets.
2362 It only looks at IPv4 packets.