TCPDUMP(8)              System Manager's Manual              TCPDUMP(8)

NAME
       tcpdump -

SYNOPSIS
       tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ]
               [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ expression ]

DESCRIPTION
       Tcpdump, expression.

       SunOS nit bpf: tcpdump, /dev/nit /dev/bpf*.
       Solaris dlpi: (network pseudo device), /dev/le.
       HP-UX dlpi: root, root uid.
       IRIX snoop: root, root uid.
       Linux: root, root uid.
       Ultrix Digital UNIX: pfconfig(8) promiscuous (promiscuous-mode), tcpdump.
       BSD: /dev/bpf*.

OPTIONS
       -a

       -c count

       -d     (packet-matching code)

       -dd    (packet-matching code) C

       -ddd   (packet-matching code)

       -e

       -f     '' (SUN --)

       -F file

       -i interface
              tcpdump (loopback).

       -l     ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.

       -n

       -N     tcpdump ``nic'', ``nic.ddn.mil''.

       -O     bug.

       -p     promiscuous. promiscuous; '-p' `ether host {local-hw-addr}
              ether broadcast'.

       -q

       -r file
              (-w). file ``-''.

       -s snaplen
              68 (SunOS NIT, 96). 68 IP, ICMP, TCP UDP, NFS. ``[|proto]'',
              tcpdump, proto. snaplen.

       -T     "expression" type: rpc (Remote Procedure Call), rtp (Real-Time
              Applications protocol), rtcp (Real-Time Applications control
              protocol), vat (Visual Audio Tool), wb (distributed White
              Board).

       -S     TCP.

       -t

       -tt

       -v     IP.

       -vv    NFS.

       -w file
              -r. file ``-''.

       -x     16. snaplen.

       expression
              expression. expression `true'. expression (primitive) (id),
              (qualifier):

              type   host, net port. `host foo', `net 128.3', `port 20'.
                     host.

              dir    src, dst, src or dst src and dst. `src foo', `dst net
                     128.3', `src or dst port ftp-data'. src or dst. `null'
                     (slip), inbound outbound.

              proto  ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc,
                     mopdl, tcp udp. `ether src foo', `arp net 128.3', `tcp
                     port 21'. `src foo' `(ip arp rarp) src foo', `net bar'
                     `(ip arp rarp) net bar', `port 53' `(tcp udp) port 53'.
       [`fddi' `ether'; ``.'' FDDI, FDDI. FDDI.]

       gateway, broadcast, less, greater. and, or not. `host foo and not port
       ftp and not port ftp-data'. `tcp dst port ftp or ftp-data or domain'
       `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

       dst host host
              IP host. host.

       src host host
              IP host.

       host host
              IP host. host ip, arp, rarp:
                     ip host host
              :
                     ether proto \ip and host host
              host IP.

       ether dst ehost
              ehost. Ehost (/etc/ethers), (ethers(3N)).

       ether src ehost
              ehost.

       ether host ehost
              ehost.

       gateway host
              host. host, IP host. host, /etc/hosts /etc/ethers. (ether host
              ehost and not host host host / ehost.)

       dst net net
              IP net. net (/etc/networks). (networks(4)).

       src net net
              IP net.

       net net
              IP net.

       net net mask mask
              IP (netmask) net. src dst.

       net net/len
              IP net, len. src dst.

       dst port port
              ip/tcp ip/udp, port. port, /etc/services (tcp(4P) udp(4P)).
              (dst port 513 tcp/login udp/who, port domain tcp/domain
              udp/domain).

       src port port
              port.

       port port
              port.

       tcp udp:
                     tcp src port port
              port TCP.

       less length
              length: len <= length.

       greater length
              length: len >= length.

       ip proto protocol
              IP (ip(4P)), protocol. Protocol: icmp, igrp, udp, nd, tcp.
              tcp, udp, icmp (\), C-shell \\.

       ether broadcast
              ether.

       ip broadcast
              IP. Tcpdump 0 1.

       ether multicast
              (multicast). ether. `ether[0] & 1 != 0'.

       ip multicast
              IP.

       ether proto protocol
              protocol. Protocol, ip, arp, rarp. (\). [FDDI (`fddi protocol
              arp'), 802.2 (LLC), FDDI. Tcpdump FDDI LLC, LLC SNAP.]

       decnet src host
              DECNET host, ``10.123'', DECNET. [DECNET Ultrix DECNET.]

       decnet dst host
              DECNET host.

       decnet host host
              DECNET host.

       ip, arp, rarp, decnet:
                     ether proto p
              p.

       lat, moprc, mopdl:
                     ether proto p
              p. tcpdump.

       tcp, udp, icmp:
                     ip proto p
              p.

       expr relop expr
              relop >, <, >=, <=, =, !=, expr (C) [+, -, *, /, &, |].
       proto [ expr : size ]
              Proto ether, fddi, ip, arp, rarp, tcp, udp, or icmp. expr.
              Size; 1, 2, 4, 1. len.

              `ether[0] & 1 != 0'. `ip[0] & 0xf != 5' IP. `ip[6:2] & 0x1fff
              = 0' 0. tcp udp. tcp[0] TCP, IP.

       (Shell). (`!' or `not'). (`&&' or `and'). (`||' or `or'). and.
              not host vs and ace
              not host vs and host ace
              not ( host vs or ace )
       tcpdump. Shell (metacharacter).

EXAMPLES
       sundown:
              tcpdump host sundown

       helios hot, ace:
              tcpdump host helios and \( hot or ace \)

       ace helios IP:
              tcpdump ip host ace and not helios

       Berkeley:
              tcpdump net ucb-ether

       snup ftp (shell):
              tcpdump 'gateway snup and (port ftp or ftp-data)'

              tcpdump ip and not net localnet

       TCP (SYN FIN):
              tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

       snup 576 IP:
              tcpdump 'gateway snup and ip[2:2] > 576'

       IP:
              tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

       ICMP (ping):
              tcpdump 'icmp[0] != 8 and icmp[0] != 0'

OUTPUT FORMAT
       tcpdump.

   Link Level Headers
       '-e'. FDDI, '-e' tcpdump `(frame control)'. (IP) 0 7 (`async4').
       802.2 (LLC); ISO SNAP, LLC.

       (RFC-1144 SLIP.) SLIP, tcpdump (``I'' inbound, ``O'' outbound). ip,
       utcp ctcp. ip. TCP. *S+n *SA+n, n (ack). 0. U (urgent pointer), W
       (window), A (ack), S (sequence number) I (packet ID), (+n or -n),
       (=n). TCP; (ack) 6, 49, ID 6:
              O ctcp * A+6 S+49 I+6 3 (6)

   ARP/RARP
       Arp/rarp. rtsg csam 'rlogin':
              arp who-has csam tell rtsg
              arp reply csam is-at CSAM
       rtsg arp internet csam. Csam (internet). tcpdump -n:
              arp who-has 128.3.254.6 tell 128.3.254.68
              arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
       tcpdump -e:
              RTSG Broadcast 0806 64: arp who-has csam tell rtsg
              CSAM RTSG 0806 64: arp reply csam is-at CSAM
       RTSG, 16 0806 (ETHER_ARP), 64.

   TCP
       (RFC-793 TCP, tcpdump.) tcp:
              src > dst: flags data-seqno ack window urgent options
       Src dst IP. Flags S (SYN), F (FIN), P (PUSH) R (RST) `.'. Data-seqno.
       Ack (sequence number). Window. Urg `(urgent)'. Options tcp. Src, dst
       flags. tcp. rtsg rlogin csam:

              rtsg.1023 > csam.login: S 768512:768512(0) win 4096
              csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096
              rtsg.1023 > csam.login: . ack 1 win 4096
              rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
              csam.login > rtsg.1023: . ack 2 win 4096
              rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
              csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
              csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
              csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

       rtsg tcp 1023 csam login. S SYN. 768512. (`first:last(nbytes)',
       `first last, last, nbytes'.) (piggy-backed ack), 4096,
       (max-segment-size) mss 1024. Csam, rtsg SYN. Rtsg csam SYN. `.'.
       (1). tcpdump tcp. ('1'). `-S'. rtsg csam 19 (2 20). PUSH. csam rtsg,
       21, 21. socket, csam 19. csam rtsg. csam rtsg.

       tcpdump TCP, tcpdump ``[|tcp]''. tcpdump ``[bad opt]''. IP, tcpdump
       ``[bad hdr length]''.

   UDP
       UDP rwho:
              actinide.who > broadcast.who: udp 84
       udp actinide who broadcast, Internet who. 84. UDP. (RFC-1034/1035)
       NFS RPC (RFC-1050).

   UDP (Name Server Requests)
       (RFC-1035.)
              src > dst: id op? flags qtype qclass name (len)
              h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
       h2opolo helios, ucbvax.berkeley.edu. (qtype=A). `3'. `+'. 37, UDP IP.
       Query, op. op, `3' `+'. qclass C_IN. qclass `A'. Tcpdump: ancount,
       nscount, arcount `[na]', `[nn]' `[nau]', n. (AA, RA rcode)
       `[b2&3=x]', x 16.

   UDP
              src > dst: id op rcode flags a/n/au type class data (len)
              helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
              helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
       helios h2opolo 3, 3, 3 7. A, internet 128.32.137.3. 273, UDP IP. A
       class (C_IN) op rcode (NoError). helios 2 (NXDomain). `*'
       (authoritative answer). type, class data. `-' (RA) `|' (TC). `[nq]'.
       68 snaplen. -s. `-s 128'.
   NFS
       Sun NFS:
              src.xid > dst.nfs: len op args
              src.nfs > dst.xid: reply stat len op results

              sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
              wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
              sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
              wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

       sushi wrl 6709. 112, UDP IP. (fh) 21,24/10.731657119 readlink. (i,
       (generation number).) Wrl `ok'. sushi wrl 9,74/4096.6878 `xcolors'.

       -v (verbose):
              sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
              wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388
       (-v IP TTL, ID.) sushi wrl 21,11/12.195 24576, 8192. Wrl `ok'; 1472
       (NFS UDP). -v: (``REG''), uid gid. -v (-vv).

       NFS, snaplen. `-s 192'. NFS RPC. tcpdump ``''.

   KIP Appletalk (UDP DDP)
       Appletalk DDP UDP, DDP (UDP). /etc/atalk.names appletalk.
              number     name
              1.254      ether
              16.1       icsd-net
              1.254.110  ace
       appletalk. (tab). /etc/atalk.names (`#').

       Appletalk net.host.port
              144.1.209.2 > icsd-net.112.220
              office.2 > icsd-net.112.220
              jssmag.149.235 > icsd-net.2
       (/etc/atalk.names.) 144.1 209 NBP (DDP 2) icsd 112 220. (`office').
       jssmag 149 235 icsd-net NBP ((255) - /etc/atalk.names).

       Tcpdump NBP ATP (Appletalk). NBP:
              icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
              jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
              techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
       icsd 112 jssmag, laserwriter. nbp 190. jssmag.209 250 laserwriter,
       "RM1140". techpit 186 laserwriter "techpit".
   ATP
              jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
              helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
              jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
              helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
              helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
              jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
              jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

       Jssmag.209 helios 12266, 8 (`<0-7>'). `userdata'. Helios 8 512.
       `:digit', atp. 7 `*' EOM. Jssmag.209 3 & 5. Helios jssmag.209.
       jssmag.209. `*' XO (exactly once).

   IP
       Internet:
              (frag id:size@offset+)
              (frag id:size@offset)
       Id. Size, IP. Offset. arizona.edu lbl-rtsg.arpa ftp, CSNET 576:
              arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
              arizona > rtsg: (frag 595a:204@328)
              rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
       TCP. tcp 308, 512 (308 204). (ack). IP, (DF).

       hh:mm:ss.frac.

SEE ALSO
       traffic(1C), nit(4P), bpf(4), pcap(3)

AUTHORS
       Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence
       Berkeley National Laboratory, University of California, Berkeley, CA.

       ftp: ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

BUGS
       tcpdump@ee.lbl.gov.

       NIT, BPF. IP. bug, tcpdump. Ethertalk DDP KIP DDP. Ethertalk, LBL
       Ethertalk. FDDI FDDI. IP, ARP DECNET Phase IV, ISO CLNS.
       2003/05/13 Linuxman http://cmpp.linuxforum.net
       man man https://github.com/man-pages-zh/manpages-zh

                               30 June 1997                        TCPDUMP(8)