Vieirae/APL
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
1afd59c3cc0e1fd7927cf2a6034e6e33a938947e
APL/APL1.2/SCR1.2/TP13/] [ -i interface ]

952 lines
63 KiB
Plaintext
Raw Normal View History

erwan beau
2022-02-15 16:20:32 +01:00
issiioonn==_t_s_t_a_m_p___p_r_e_c_i_s_i_o_n
When capturing, set the time stamp precision for the capture to _t_s_t_a_m_p___p_r_e_c_i_s_i_o_n.
Note that availability of high precision time stamps (nanoseconds) and their actual
accuracy is platform and hardware dependent. Also note that when writing captures
made with nanosecond accuracy to a savefile, the time stamps are written with
nanosecond resolution, and the file is written with a different magic number, to in
dicate that the time stamps are in seconds and nanoseconds; not all programs that
read pcap savefiles will be able to read those captures.
When reading a savefile, convert time stamps to the precision specified by _t_i_m_e_
_s_t_a_m_p___p_r_e_c_i_s_i_o_n, and display them with that resolution. If the precision specified
is less than the precision of time stamps in the file, the conversion will lose pre
cision.
The supported values for _t_i_m_e_s_t_a_m_p___p_r_e_c_i_s_i_o_n are mmiiccrroo for microsecond resolution and
nnaannoo for nanosecond resolution. The default is microsecond resolution.
----mmiiccrroo
----nnaannoo Shorthands for ----ttiimmee--ssttaammpp--pprreecciissiioonn==mmiiccrroo or ----ttiimmee--ssttaammpp--pprreecciissiioonn==nnaannoo, adjusting
the time stamp precision accordingly. When reading packets from a savefile, using
----mmiiccrroo truncates time stamps if the savefile was created with nanosecond precision.
In contrast, a savefile created with microsecond precision will have trailing zeroes
added to the time stamp when ----nnaannoo is used.
--KK
----ddoonntt--vveerriiffyy--cchheecckkssuummss
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces
that perform some or all of those checksum calculation in hardware; otherwise, all
outgoing TCP checksums will be flagged as bad.
--ll Make stdout line buffered. Useful if you want to see the data while capturing it.
E.g.,
ttccppdduummpp --ll || tteeee ddaatt
or
ttccppdduummpp --ll >> ddaatt && ttaaiill --ff ddaatt
Note that on Windows,``line buffered'' means ``unbuffered'', so that WinDump will
write each character individually if --ll is specified.
--UU is similar to --ll in its behavior, but it will cause output to be ``packet-
buffered'', so that the output is written to stdout at the end of each packet rather
than at the end of each line; this is buffered on all platforms, including Windows.
--LL
----lliisstt--ddaattaa--lliinnkk--ttyyppeess
List the known data link types for the interface, in the specified mode, and exit.
The list of known data link types may be dependent on the specified mode; for exam
ple, on some platforms, a Wi-Fi interface might support one set of data link types
when not in monitor mode (for example, it might support only fake Ethernet headers,
or might support 802.11 headers but not support 802.11 headers with radio informa
tion) and another set of data link types when in monitor mode (for example, it might
support 802.11 headers, or 802.11 headers with radio information, only in monitor
mode).
--mm _m_o_d_u_l_e
Load SMI MIB module definitions from file _m_o_d_u_l_e. This option can be used several
times to load several MIB modules into _t_c_p_d_u_m_p.
--MM _s_e_c_r_e_t
Use _s_e_c_r_e_t as a shared secret for validating the digests found in TCP segments with
the TCP-MD5 option (RFC 2385), if present.
--nn Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
--NN Don't print domain name qualification of host names. E.g., if you give this flag
then _t_c_p_d_u_m_p will print ``nic'' instead of ``nic.ddn.mil''.
--##
----nnuummbbeerr
Print an optional packet number at the beginning of the line.
--OO
----nnoo--ooppttiimmiizzee
Do not run the packet-matching code optimizer. This is useful only if you suspect a
bug in the optimizer.
--pp
----nnoo--pprroommiissccuuoouuss--mmooddee
_D_o_n_'_t put the interface into promiscuous mode. Note that the interface might be in
promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation
for `ether host {local-hw-addr} or ether broadcast'.
----pprriinntt
Print parsed packet output, even if the raw packets are being saved to a file with
the --ww flag.
--QQ _d_i_r_e_c_t_i_o_n
----ddiirreeccttiioonn==_d_i_r_e_c_t_i_o_n
Choose send/receive direction _d_i_r_e_c_t_i_o_n for which packets should be captured. Possi
ble values are `in', `out' and `inout'. Not available on all platforms.
--qq Quick (quiet?) output. Print less protocol information so output lines are shorter.
--rr _f_i_l_e
Read packets from _f_i_l_e (which was created with the --ww option or by other tools that
write pcap or pcapng files). Standard input is used if _f_i_l_e is ``-''.
--SS
----aabbssoolluuttee--ttccpp--sseeqquueennccee--nnuummbbeerrss
Print absolute, rather than relative, TCP sequence numbers.
--ss _s_n_a_p_l_e_n
----ssnnaappsshhoott--lleennggtthh==_s_n_a_p_l_e_n
Snarf _s_n_a_p_l_e_n bytes of data from each packet rather than the default of 262144 bytes.
Packets truncated because of a limited snapshot are indicated in the output with
``[|_p_r_o_t_o]'', where _p_r_o_t_o is the name of the protocol level at which the truncation
has occurred.
Note that taking larger snapshots both increases the amount of time it takes to
process packets and, effectively, decreases the amount of packet buffering. This may
cause packets to be lost. Note also that taking smaller snapshots will discard data
from protocols above the transport layer, which loses information that may be impor
tant. NFS and AFS requests and replies, for example, are very large, and much of the
detail won't be available if a too-short snapshot length is selected.
If you need to reduce the snapshot size below the default, you should limit _s_n_a_p_l_e_n
to the smallest number that will capture the protocol information you're interested
in. Setting _s_n_a_p_l_e_n to 0 sets it to the default of 262144, for backwards compatibil
ity with recent older versions of _t_c_p_d_u_m_p.
--TT _t_y_p_e
Force packets selected by "_e_x_p_r_e_s_s_i_o_n" to be interpreted the specified _t_y_p_e. Cur
rently known types are aaooddvv (Ad-hoc On-demand Distance Vector protocol), ccaarrpp (Common
Address Redundancy Protocol), ccnnffpp (Cisco NetFlow protocol), ddoommaaiinn (Domain Name Sys
tem), llmmpp (Link Management Protocol), ppggmm (Pragmatic General Multicast), ppggmm__zzmmttpp11
(ZMTP/1.0 inside PGM/EPGM), ppttpp (Precision Time Protocol), rraaddiiuuss (RADIUS), rreesspp (RE
dis Serialization Protocol), rrppcc (Remote Procedure Call), rrttccpp (Real-Time Applica
tions control protocol), rrttpp (Real-Time Applications protocol), ssnnmmpp (Simple Network
Management Protocol), ssoommeeiipp (SOME/IP), ttffttpp (Trivial File Transfer Protocol), vvaatt
(Visual Audio Tool), vvxxllaann (Virtual eXtensible Local Area Network), wwbb (distributed
White Board) and zzmmttpp11 (ZeroMQ Message Transport Protocol 1.0).
Note that the ppggmm type above affects UDP interpretation only, the native PGM is al
ways recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called
"EPGM" or "PGM/UDP".
Note that the ppggmm__zzmmttpp11 type above affects interpretation of both native PGM and UDP
at once. During the native PGM decoding the application data of an ODATA/RDATA packet
would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding
in addition to that any UDP packet would be treated as an encapsulated PGM packet.
--tt _D_o_n_'_t print a timestamp on each dump line.
--tttt Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions
of a second since that time, on each dump line.
--tttttt Print a delta (microsecond or nanosecond resolution depending on the ----ttiimmee--ssttaammpp--
pprreecciissiioonn option) between current and previous line on each dump line. The default
is microsecond resolution.
--tttttttt Print a timestamp, as hours, minutes, seconds, and fractions of a second since mid
night, preceded by the date, on each dump line.
--tttttttttt Print a delta (microsecond or nanosecond resolution depending on the ----ttiimmee--ssttaammpp--
pprreecciissiioonn option) between current and first line on each dump line. The default is
microsecond resolution.
--uu Print undecoded NFS handles.
--UU
----ppaacckkeett--bbuuffffeerreedd
If the --ww option is not specified, or if it is specified but the ----pprriinntt flag is also
specified, make the printed packet output ``packet-buffered''; i.e., as the descrip
tion of the contents of each packet is printed, it will be written to the standard
output, rather than, when not writing to a terminal, being written only when the out
put buffer fills.
If the --ww option is specified, make the saved raw packet output ``packet-buffered'';
i.e., as each packet is saved, it will be written to the output file, rather than be
ing written only when the output buffer fills.
The --UU flag will not be supported if _t_c_p_d_u_m_p was built with an older version of _l_i_b_p_
_c_a_p that lacks the ppccaapp__dduummpp__fflluusshh((33PPCCAAPP)) function.
--vv When parsing and printing, produce (slightly more) verbose output. For example, the
time to live, identification, total length and options in an IP packet are printed.
Also enables additional packet integrity checks such as verifying the IP and ICMP
header checksum.
When writing to a file with the --ww option and at the same time not reading from a
file with the --rr option, report to stderr, once per second, the number of packets
captured. In Solaris, FreeBSD and possibly other operating systems this periodic up
date currently can cause loss of captured packets on their way from the kernel to
tcpdump.
--vvvv Even more verbose output. For example, additional fields are printed from NFS reply
packets, and SMB packets are fully decoded.
--vvvvvv Even more verbose output. For example, telnet SSBB ... SSEE options are printed in full.
With --XX Telnet options are printed in hex as well.
--VV _f_i_l_e
Read a list of filenames from _f_i_l_e. Standard input is used if _f_i_l_e is ``-''.
--ww _f_i_l_e
Write the raw packets to _f_i_l_e rather than parsing and printing them out. They can
later be printed with the -r option. Standard output is used if _f_i_l_e is ``-''.
This output will be buffered if written to a file or pipe, so a program reading from
the file or pipe may not see packets for an arbitrary amount of time after they are
received. Use the --UU flag to cause packets to be written as soon as they are re
ceived.
The MIME type _a_p_p_l_i_c_a_t_i_o_n_/_v_n_d_._t_c_p_d_u_m_p_._p_c_a_p has been registered with IANA for _p_c_a_p
files. The filename extension _._p_c_a_p appears to be the most commonly used along with
_._c_a_p and _._d_m_p. _T_c_p_d_u_m_p itself doesn't check the extension when reading capture files
and doesn't add an extension when writing them (it uses magic numbers in the file
header instead). However, many operating systems and applications will use the exten
sion if it is present and adding one (e.g. .pcap) is recommended.
See ppccaapp--ssaavveeffiillee() for a description of the file format.
--WW _f_i_l_e_c_o_u_n_t
Used in conjunction with the --CC option, this will limit the number of files created
to the specified number, and begin overwriting files from the beginning, thus creat
ing a 'rotating' buffer. In addition, it will name the files with enough leading 0s
to support the maximum number of files, allowing them to sort correctly.
Used in conjunction with the --GG option, this will limit the number of rotated dump
files that get created, exiting with status 0 when reaching the limit.
If used in conjunction with both --CC and --GG,, the --WW option will currently be ignored,
and will only affect the file name.
--xx When parsing and printing, in addition to printing the headers of each packet, print
the data of each packet (minus its link level header) in hex. The smaller of the en
tire packet or _s_n_a_p_l_e_n bytes will be printed. Note that this is the entire link-
layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will
also be printed when the higher layer packet is shorter than the required padding.
In the current implementation this flag may have the same effect as --xxxx if the packet
is truncated.
--xxxx When parsing and printing, in addition to printing the headers of each packet, print
the data of each packet, _i_n_c_l_u_d_i_n_g its link level header, in hex.
--XX When parsing and printing, in addition to printing the headers of each packet, print
the data of each packet (minus its link level header) in hex and ASCII. This is very
handy for analysing new protocols. In the current implementation this flag may have
the same effect as --XXXX if the packet is truncated.
--XXXX When parsing and printing, in addition to printing the headers of each packet, print
the data of each packet, _i_n_c_l_u_d_i_n_g its link level header, in hex and ASCII.
--yy _d_a_t_a_l_i_n_k_t_y_p_e
----lliinnkkttyyppee==_d_a_t_a_l_i_n_k_t_y_p_e
Set the data link type to use while capturing packets (see --LL) or just compiling and
dumping packet-matching code (see --dd) to _d_a_t_a_l_i_n_k_t_y_p_e.
--zz _p_o_s_t_r_o_t_a_t_e_-_c_o_m_m_a_n_d
Used in conjunction with the --CC or --GG options, this will make _t_c_p_d_u_m_p run " _p_o_s_t_r_o_
_t_a_t_e_-_c_o_m_m_a_n_d _f_i_l_e " where _f_i_l_e is the savefile being closed after each rotation. For
example, specifying --zz ggzziipp or --zz bbzziipp22 will compress each savefile using gzip or
bzip2.
Note that tcpdump will run the command in parallel to the capture, using the lowest
priority so that this doesn't disturb the capture process.
And in case you would like to use a command that itself takes flags or different ar
guments, you can always write a shell script that will take the savefile name as the
only argument, make the flags & arguments arrangements and execute the command that
you want.
--ZZ _u_s_e_r
----rreelliinnqquuiisshh--pprriivviilleeggeess==_u_s_e_r
If _t_c_p_d_u_m_p is running as root, after opening the capture device or input savefile,
but before opening any savefiles for output, change the user ID to _u_s_e_r and the group
ID to the primary group of _u_s_e_r.
This behavior can also be enabled by default at compile time.
_e_x_p_r_e_s_s_i_o_n
selects which packets will be dumped. If no _e_x_p_r_e_s_s_i_o_n is given, all packets on the
net will be dumped. Otherwise, only packets for which _e_x_p_r_e_s_s_i_o_n is `true' will be
dumped.
For the _e_x_p_r_e_s_s_i_o_n syntax, see ppccaapp--ffiilltteerr().
The _e_x_p_r_e_s_s_i_o_n argument can be passed to _t_c_p_d_u_m_p as either a single Shell argument,
or as multiple Shell arguments, whichever is more convenient. Generally, if the ex
pression contains Shell metacharacters, such as backslashes used to escape protocol
names, it is easier to pass it as a single, quoted argument rather than to escape the
Shell metacharacters. Multiple arguments are concatenated with spaces before being
parsed.
EEXXAAMMPPLLEESS
To print all packets arriving at or departing from _s_u_n_d_o_w_n:
ttccppdduummpp hhoosstt ssuunnddoowwnn
To print traffic between _h_e_l_i_o_s and either _h_o_t or _a_c_e:
ttccppdduummpp hhoosstt hheelliiooss aanndd \\(( hhoott oorr aaccee \\))
To print all IP packets between _a_c_e and any host except _h_e_l_i_o_s:
ttccppdduummpp iipp hhoosstt aaccee aanndd nnoott hheelliiooss
To print all traffic between local hosts and hosts at Berkeley:
ttccppdduummpp nneett uuccbb--eetthheerr
To print all ftp traffic through internet gateway _s_n_u_p: (note that the expression is quoted
to prevent the shell from (mis-)interpreting the parentheses):
ttccppdduummpp ''ggaatteewwaayy ssnnuupp aanndd ((ppoorrtt ffttpp oorr ffttpp--ddaattaa))''
To print traffic neither sourced from nor destined for local hosts (if you gateway to one
other net, this stuff should never make it onto your local net).
ttccppdduummpp iipp aanndd nnoott nneett _l_o_c_a_l_n_e_t
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that
involves a non-local host.
ttccppdduummpp ''ttccpp[[ttccppffllaaggss]] && ((ttccpp--ssyynn||ttccpp--ffiinn)) !!== 00 aanndd nnoott ssrrcc aanndd ddsstt nneett _l_o_c_a_l_n_e_t''
To print the TCP packets with flags RST and ACK both set. (i.e. select only the RST and ACK
flags in the flags field, and if the result is "RST and ACK both set", match)
ttccppdduummpp ''ttccpp[[ttccppffllaaggss]] && ((ttccpp--rrsstt||ttccpp--aacckk)) ==== ((ttccpp--rrsstt||ttccpp--aacckk))''
To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain
data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exer
cise for the reader.)
ttccppdduummpp ''ttccpp ppoorrtt 8800 aanndd ((((((iipp[[22::22]] -- ((((iipp[[00]]&&00xxff))<<<<22)))) -- ((((ttccpp[[1122]]&&00xxff00))>>>>22)))) !!== 00))''
To print IP packets longer than 576 bytes sent through gateway _s_n_u_p:
ttccppdduummpp ''ggaatteewwaayy ssnnuupp aanndd iipp[[22::22]] >> 557766''
To print IP broadcast or multicast packets that were _n_o_t sent via Ethernet broadcast or mul
ticast:
ttccppdduummpp ''eetthheerr[[00]] && 11 == 00 aanndd iipp[[1166]] >>== 222244''
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
ttccppdduummpp ''iiccmmpp[[iiccmmppttyyppee]] !!== iiccmmpp--eecchhoo aanndd iiccmmpp[[iiccmmppttyyppee]] !!== iiccmmpp--eecchhoorreeppllyy''
OOUUTTPPUUTT FFOORRMMAATT
The output of _t_c_p_d_u_m_p is protocol dependent. The following gives a brief description and
examples of most of the formats.
TTiimmeessttaammppss
By default, all output lines are preceded by a timestamp. The timestamp is the current
clock time in the form
_h_h_:_m_m_:_s_s_._f_r_a_c
and is as accurate as the kernel's clock. The timestamp reflects the time the kernel ap
plied a time stamp to the packet. No attempt is made to account for the time lag between
when the network interface finished receiving the packet from the network and when the ker
nel applied a time stamp to the packet; that time lag could include a delay between the time
when the network interface finished receiving a packet from the network and the time when an
interrupt was delivered to the kernel to get it to read the packet and a delay between the
time when the kernel serviced the `new packet' interrupt and the time when it applied a time
stamp to the packet.
LLiinnkk LLeevveell HHeeaaddeerrss
If the '-e' option is given, the link level header is printed out. On Ethernets, the source
and destination addresses, protocol, and packet length are printed.
On FDDI networks, the '-e' option causes _t_c_p_d_u_m_p to print the `frame control' field, the
source and destination addresses, and the packet length. (The `frame control' field governs
the interpretation of the rest of the packet. Normal packets (such as those containing IP
datagrams) are `async' packets, with a priority value between 0 and 7; for example,
`aassyynncc44'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet;
the LLC header is printed if it is _n_o_t an ISO datagram or a so-called SNAP packet.
On Token Ring networks, the '-e' option causes _t_c_p_d_u_m_p to print the `access control' and
`frame control' fields, the source and destination addresses, and the packet length. As on
FDDI networks, packets are assumed to contain an LLC packet. Regardless of whether the '-e'
option is specified or not, the source routing information is printed for source-routed
packets.
On 802.11 networks, the '-e' option causes _t_c_p_d_u_m_p to print the `frame control' fields, all
of the addresses in the 802.11 header, and the packet length. As on FDDI networks, packets
are assumed to contain an LLC packet.
_(_N_._B_._: _T_h_e _f_o_l_l_o_w_i_n_g _d_e_s_c_r_i_p_t_i_o_n _a_s_s_u_m_e_s _f_a_m_i_l_i_a_r_i_t_y _w_i_t_h _t_h_e _S_L_I_P _c_o_m_p_r_e_s_s_i_o_n _a_l_g_o_r_i_t_h_m _d_e_
_s_c_r_i_b_e_d _i_n _R_F_C_-_1_1_4_4_._)
On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type,
and compression information are printed out. The packet type is printed first. The three
types are _i_p, _u_t_c_p, and _c_t_c_p. No further link information is printed for _i_p packets. For
TCP packets, the connection identifier is printed following the type. If the packet is com
pressed, its encoded header is printed out. The special cases are printed out as **SS++_n and
**SSAA++_n, where _n is the amount by which the sequence number (or sequence number and ack) has
changed. If it is not a special case, zero or more changes are printed. A change is indi
cated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID),
followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the
packet and compressed header length are printed.
For example, the following line shows an outbound compressed TCP packet, with an implicit
connection identifier; the ack has changed by 6, the sequence number by 49, and the packet
ID by 6; there are 3 bytes of data and 6 bytes of compressed header:
OO ccttccpp ** AA++66 SS++4499 II++66 33 ((66))
AARRPP//RRAARRPP PPaacckkeettss
ARP/RARP output shows the type of request and its arguments. The format is intended to be
self explanatory. Here is a short sample taken from the start of an `rlogin' from host _r_t_s_g
to host _c_s_a_m:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says that rtsg sent an ARP packet asking for the Ethernet address of internet
host csam. Csam replies with its Ethernet address (in this example, Ethernet addresses are
in caps and internet addresses in lower case).
This would look less redundant if we had done _t_c_p_d_u_m_p _-_n:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
If we had done _t_c_p_d_u_m_p _-_e, the fact that the first packet is broadcast and the second is
point-to-point would be visible:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
For the first packet this says the Ethernet source address is RTSG, the destination is the
Ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total
length was 64 bytes.
IIPPvv44 PPaacckkeettss
If the link-layer header is not being printed, for IPv4 packets, IIPP is printed after the
time stamp.
If the --vv flag is specified, information from the IPv4 header is shown in parentheses after
the IIPP or the link-layer header. The general format of this information is:
tos _t_o_s, ttl _t_t_l, id _i_d, offset _o_f_f_s_e_t, flags [_f_l_a_g_s], proto _p_r_o_t_o, length _l_e_n_g_t_h, options (_o_p_t_i_o_n_s)
_t_o_s is the type of service field; if the ECN bits are non-zero, those are reported as
EECCTT((11)), EECCTT((00)), or CCEE. _t_t_l is the time-to-live; it is not reported if it is zero. _i_d is
the IP identification field. _o_f_f_s_e_t is the fragment offset field; it is printed whether
this is part of a fragmented datagram or not. _f_l_a_g_s are the MF and DF flags; ++ is reported
if MF is set, and DDFF is reported if F is set. If neither are set, .. is reported. _p_r_o_t_o is
the protocol ID field. _l_e_n_g_t_h is the total length field. _o_p_t_i_o_n_s are the IP options, if
any.
Next, for TCP and UDP packets, the source and destination IP addresses and TCP or UDP ports,
with a dot between each IP address and its corresponding port, will be printed, with a >
separating the source and destination. For other protocols, the addresses will be printed,
with a > separating the source and destination. Higher level protocol information, if any,
will be printed after that.
For fragmented IP datagrams, the first fragment contains the higher level protocol header;
fragments after the first contain no higher level protocol header. Fragmentation informa
tion will be printed only with the --vv flag, in the IP header information, as described
above.
TTCCPP PPaacckkeettss
_(_N_._B_._:_T_h_e _f_o_l_l_o_w_i_n_g _d_e_s_c_r_i_p_t_i_o_n _a_s_s_u_m_e_s _f_a_m_i_l_i_a_r_i_t_y _w_i_t_h _t_h_e _T_C_P _p_r_o_t_o_c_o_l _d_e_s_c_r_i_b_e_d _i_n
_R_F_C_-_7_9_3_. _I_f _y_o_u _a_r_e _n_o_t _f_a_m_i_l_i_a_r _w_i_t_h _t_h_e _p_r_o_t_o_c_o_l_, _t_h_i_s _d_e_s_c_r_i_p_t_i_o_n _w_i_l_l _n_o_t _b_e _o_f _m_u_c_h
_u_s_e _t_o _y_o_u_._)
The general format of a TCP protocol line is:
_s_r_c > _d_s_t: Flags [_t_c_p_f_l_a_g_s], seq _d_a_t_a_-_s_e_q_n_o, ack _a_c_k_n_o, win _w_i_n_d_o_w, urg _u_r_g_e_n_t, options [_o_p_t_s], length _l_e_n
_S_r_c and _d_s_t are the source and destination IP addresses and ports. _T_c_p_f_l_a_g_s are some combi
nation of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.'
(ACK), or `none' if no flags are set. _D_a_t_a_-_s_e_q_n_o describes the portion of sequence space
covered by the data in this packet (see example below). _A_c_k_n_o is sequence number of the
next data expected the other direction on this connection. _W_i_n_d_o_w is the number of bytes of
receive buffer space available the other direction on this connection. _U_r_g indicates there
is `urgent' data in the packet. _O_p_t_s are TCP options (e.g., mss 1024). _L_e_n is the length
of payload data.
_I_p_t_y_p_e, _S_r_c, _d_s_t, and _f_l_a_g_s are always present. The other fields depend on the contents of
the packet's TCP protocol header and are output only if appropriate.
Here is the opening portion of an rlogin from host _r_t_s_g to host _c_s_a_m.
IP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
IP csam.login > rtsg.1023: Flags [S.], seq, 947648:947648, ack 768513, win 4096, opts [mss 1024]
IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096
IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1
The first line says that TCP port 1023 on rtsg sent a packet to port _l_o_g_i_n on csam. The SS
indicates that the _S_Y_N flag was set. The packet sequence number was 768512 and it contained
no data. (The notation is `first:last' which means `sequence numbers _f_i_r_s_t up to but not
including _l_a_s_t'.) There was no piggy-backed ACK, the available receive window was 4096
bytes and there was a max-segment-size option requesting an MSS of 1024 bytes.
Csam replies with a similar packet except it includes a piggy-backed ACK for rtsg's SYN.
Rtsg then ACKs csam's SYN. The `.' means the ACK flag was set. The packet contained no
data so there is no data sequence number or length. Note that the ACK sequence number is a
small integer (1). The first time _t_c_p_d_u_m_p sees a TCP `conversation', it prints the sequence
number from the packet. On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number is printed. This
means that sequence numbers after the first can be interpreted as relative byte positions in
the conversation's data stream (with the first data byte each direction being `1'). `-S'
will override this feature, causing the original sequence numbers to be output.
On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg → csam
side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says
it's received data sent by rtsg up to but not including byte 21. Most of this data is ap
parently sitting in the socket buffer since csam's receive window has gotten 19 bytes
smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th
lines, csam sends two bytes of urgent, pushed data to rtsg.
If the snapshot was small enough that _t_c_p_d_u_m_p didn't capture the full TCP header, it inter
prets as much of the header as it can and then reports ``[|_t_c_p]'' to indicate the remainder
could not be interpreted. If the header contains a bogus option (one with a length that's
either too small or beyond the end of the header), _t_c_p_d_u_m_p reports it as ``[_b_a_d _o_p_t]'' and
does not interpret any further options (since it's impossible to tell where they start). If
the header length indicates options are present but the IP datagram length is not long
enough for the options to actually be there, _t_c_p_d_u_m_p reports it as ``[_b_a_d _h_d_r _l_e_n_g_t_h]''.
CCaappttuurriinngg TTCCPP ppaacckkeettss wwiitthh ppaarrttiiccuullaarr ffllaagg ccoommbbiinnaattiioonnss ((SSYYNN--AACCKK,, UURRGG--AACCKK,, eettcc..))
There are 8 bits in the control bits section of the TCP header:
_C_W_R _| _E_C_E _| _U_R_G _| _A_C_K _| _P_S_H _| _R_S_T _| _S_Y_N _| _F_I_N
Let's assume that we want to watch packets used in establishing a TCP connection. Recall
that TCP uses a 3-way handshake protocol when it initializes a new connection; the connec
tion sequence with regard to the TCP control bits is
1) Caller sends SYN
2) Recipient responds with SYN, ACK
3) Caller sends ACK
Now we're interested in capturing packets that have only the SYN bit set (Step 1). Note
that we don't want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is
a correct filter expression for _t_c_p_d_u_m_p.
Recall the structure of a TCP header without options:
0 15 31
-----------------------------------------------------------------
| source port | destination port |
-----------------------------------------------------------------
| sequence number |
-----------------------------------------------------------------
| acknowledgment number |
-----------------------------------------------------------------
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
-----------------------------------------------------------------
| TCP checksum | urgent pointer |
-----------------------------------------------------------------
A TCP header usually holds 20 octets of data, unless options are present. The first line of
the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.
Starting to count with 0, the relevant TCP control bits are contained in octet 13:
0 7| 15| 23| 31
----------------|---------------|---------------|----------------
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
----------------|---------------|---------------|----------------
| | 13th octet | | |
Let's have a closer look at octet no. 13:
| |
|---------------|
|C|E|U|A|P|R|S|F|
|---------------|
|7 5 3 0|
These are the TCP control bits we are interested in. We have numbered the bits in this
octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is num
ber 5.
Recall that we want to capture packets with only SYN set. Let's see what happens to octet
13 if a TCP datagram arrives with the SYN bit set in its header:
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|
Looking at the control bits section we see that only bit number 1 (SYN) is set.
Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary
value of this octet is
00000010
and its decimal representation is
7 6 5 4 3 2 1 0
0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 = 2
We're almost done, because now we know that if only SYN is set, the value of the 13th octet
in the TCP header, when interpreted as a 8-bit unsigned integer in network byte order, must
be exactly 2.
This relationship can be expressed as
ttccpp[[1133]] ==== 22
We can use this expression as the filter for _t_c_p_d_u_m_p in order to watch packets which have
only SYN set:
ttccppdduummpp --ii xxll00 ttccpp[[1133]] ==== 22
The expression says "let the 13th octet of a TCP datagram have the decimal value 2", which
is exactly what we want.
Now, let's assume that we need to capture SYN packets, but we don't care if ACK or any other
TCP control bit is set at the same time. Let's see what happens to octet 13 when a TCP
datagram with SYN-ACK set arrives:
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 1 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|
Now bits 1 and 4 are set in the 13th octet. The binary value of octet 13 is
00010010
which translates to decimal
7 6 5 4 3 2 1 0
0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2 = 18
Now we can't just use 'tcp[13] == 18' in the _t_c_p_d_u_m_p filter expression, because that would
select only those packets that have SYN-ACK set, but not those with only SYN set. Remember
that we don't care if ACK or any other control bit is set as long as SYN is set.
In order to achieve our goal, we need to logically AND the binary value of octet 13 with
some other value to preserve the SYN bit. We know that we want SYN to be set in any case,
so we'll logically AND the value in the 13th octet with the binary value of a SYN:
00010010 SYN-ACK 00000010 SYN
AND 00000010 (we want SYN) AND 00000010 (we want SYN)
-------- --------
= 00000010 = 00000010
We see that this AND operation delivers the same result regardless whether ACK or another
TCP control bit is set. The decimal representation of the AND value as well as the result
of this operation is 2 (binary 00000010), so we know that for packets with SYN set the fol
lowing relation must hold true:
( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )
This points us to the _t_c_p_d_u_m_p filter expression
ttccppdduummpp --ii xxll00 ''ttccpp[[1133]] && 22 ==== 22''
Some offsets and field values may be expressed as names rather than as numeric values. For
example tcp[13] may be replaced with tcp[tcpflags]. The following TCP flag field values are
also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.
This can be demonstrated as:
ttccppdduummpp --ii xxll00 ''ttccpp[[ttccppffllaaggss]] && ttccpp--ppuusshh !!== 00''
Note that you should use single quotes or a backslash in the expression to hide the AND
('&') special character from the shell.
UUDDPP PPaacckkeettss
UDP format is illustrated by this rwho packet:
actinide.who > broadcast.who: udp 84
This says that port _w_h_o on host _a_c_t_i_n_i_d_e sent a UDP datagram to port _w_h_o on host _b_r_o_a_d_c_a_s_t,
the Internet broadcast address. The packet contained 84 bytes of user data.
Some UDP services are recognized (from the source or destination port number) and the higher
level protocol information printed. In particular, Domain Name service requests
(RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.
TTCCPP oorr UUDDPP NNaammee SSeerrvveerr RReeqquueessttss
_(_N_._B_._:_T_h_e _f_o_l_l_o_w_i_n_g _d_e_s_c_r_i_p_t_i_o_n _a_s_s_u_m_e_s _f_a_m_i_l_i_a_r_i_t_y _w_i_t_h _t_h_e _D_o_m_a_i_n _S_e_r_v_i_c_e _p_r_o_t_o_c_o_l _d_e_
_s_c_r_i_b_e_d _i_n _R_F_C_-_1_0_3_5_. _I_f _y_o_u _a_r_e _n_o_t _f_a_m_i_l_i_a_r _w_i_t_h _t_h_e _p_r_o_t_o_c_o_l_, _t_h_e _f_o_l_l_o_w_i_n_g _d_e_s_c_r_i_p_t_i_o_n
_w_i_l_l _a_p_p_e_a_r _t_o _b_e _w_r_i_t_t_e_n _i_n _G_r_e_e_k_._)
Name server requests are formatted as
_s_r_c _> _d_s_t_: _i_d _o_p_? _f_l_a_g_s _q_t_y_p_e _q_c_l_a_s_s _n_a_m_e _(_l_e_n_)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
Host _h_2_o_p_o_l_o asked the domain server on _h_e_l_i_o_s for an address record (qtype=A) associated
with the name _u_c_b_v_a_x_._b_e_r_k_e_l_e_y_._e_d_u_. The query id was `3'. The `+' indicates the _r_e_c_u_r_s_i_o_n
_d_e_s_i_r_e_d flag was set. The query length was 37 bytes, excluding the TCP or UDP and IP proto
col headers. The query operation was the normal one, _Q_u_e_r_y, so the op field was omitted.
If the op had been anything else, it would have been printed between the `3' and the `+'.
Similarly, the qclass was the normal one, _C___I_N, and omitted. Any other qclass would have
been printed immediately after the `A'.
A few anomalies are checked and may result in extra fields enclosed in square brackets: If
a query contains an answer, authority records or additional records section, _a_n_c_o_u_n_t,
_n_s_c_o_u_n_t, or _a_r_c_o_u_n_t are printed as `[_na]', `[_nn]' or `[_nau]' where _n is the appropriate
count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero'
bits are set in bytes two and three, `[b2&3=_x]' is printed, where _x is the hex value of
header bytes two and three.
TTCCPP oorr UUDDPP NNaammee SSeerrvveerr RReessppoonnsseess
Name server responses are formatted as
_s_r_c _> _d_s_t_: _i_d _o_p _r_c_o_d_e _f_l_a_g_s _a_/_n_/_a_u _t_y_p_e _c_l_a_s_s _d_a_t_a _(_l_e_n_)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
In the first example, _h_e_l_i_o_s responds to query id 3 from _h_2_o_p_o_l_o with 3 answer records, 3
name server records and 7 additional records. The first answer record is type A (address)
and its data is internet address 128.32.137.3. The total size of the response was 273
bytes, excluding TCP or UDP and IP headers. The op (Query) and response code (NoError) were
omitted, as was the class (C_IN) of the A record.
In the second example, _h_e_l_i_o_s responds to query 2 with a response code of non-existent do
main (NXDomain) with no answers, one name server and no authority records. The `*' indi
cates that the _a_u_t_h_o_r_i_t_a_t_i_v_e _a_n_s_w_e_r bit was set. Since there were no answers, no type,
class or data were printed.
Other flag characters that might appear are `-' (recursion available, RA, _n_o_t set) and `|'
(truncated message, TC, set). If the `question' section doesn't contain exactly one entry,
`[_nq]' is printed.
SSMMBB//CCIIFFSS ddeeccooddiinngg
_t_c_p_d_u_m_p now includes fairly extensive SMB/CIFS/NBT decoding for data on UDP/137, UDP/138 and
TCP/139. Some primitive decoding of IPX and NetBEUI SMB data is also done.
By default a fairly minimal decode is done, with a much more detailed decode done if -v is
used. Be warned that with -v a single SMB packet may take up a page or more, so only use -v
if you really want all the gory details.
For information on SMB packet formats and what all the fields mean see
https://download.samba.org/pub/samba/specs/ and other online resources. The SMB patches
were written by Andrew Tridgell (tridge@samba.org).
NNFFSS RReeqquueessttss aanndd RReepplliieess
Sun NFS (Network File System) requests and replies are printed as:
_s_r_c_._s_p_o_r_t _> _d_s_t_._n_f_s_: _N_F_S _r_e_q_u_e_s_t _x_i_d _x_i_d _l_e_n _o_p _a_r_g_s
_s_r_c_._n_f_s _> _d_s_t_._d_p_o_r_t_: _N_F_S _r_e_p_l_y _x_i_d _x_i_d _r_e_p_l_y _s_t_a_t _l_e_n _o_p _r_e_s_u_l_t_s
sushi.1023 > wrl.nfs: NFS request xid 26377
112 readlink fh 21,24/10.73165
wrl.nfs > sushi.1023: NFS reply xid 26377
reply ok 40 readlink "../var"
sushi.1022 > wrl.nfs: NFS request xid 8219
144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.1022: NFS reply xid 8219
reply ok 128 lookup fh 9,74/4134.3150
In the first line, host _s_u_s_h_i sends a transaction with id _2_6_3_7_7 to _w_r_l. The request was 112
bytes, excluding the UDP and IP headers. The operation was a _r_e_a_d_l_i_n_k (read symbolic link)
on file handle (_f_h) 21,24/10.731657119. (If one is lucky, as in this case, the file handle
can be interpreted as a major,minor device number pair, followed by the inode number and
generation number.) In the second line, _w_r_l replies `ok' with the same transaction id and
the contents of the link.
In the third line, _s_u_s_h_i asks (using a new transaction id) _w_r_l to lookup the name `_x_c_o_l_o_r_s'
in directory file 9,74/4096.6878. In the fourth line, _w_r_l sends a reply with the respective
transaction id.
Note that the data printed depends on the operation type. The format is intended to be self
explanatory if read in conjunction with an NFS protocol spec. Also note that older versions
of tcpdump printed NFS packets in a slightly different format: the transaction id (xid)
would be printed instead of the non-NFS port number of the packet.
If the -v (verbose) flag is given, additional information is printed. For example:
sushi.1023 > wrl.nfs: NFS request xid 79658
148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1023: NFS reply xid 79658
reply ok 1472 read REG 100664 ids 417/0 sz 29388
(-v also prints the IP header TTL, ID, length, and fragmentation fields, which have been
omitted from this example.) In the first line, _s_u_s_h_i asks _w_r_l to read 8192 bytes from file
21,11/12.195, at byte offset 24576. _W_r_l replies `ok'; the packet shown on the second line
is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will
follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and
so might not be printed, depending on the filter expression used). Because the -v flag is
given, some of the file attributes (which are returned in addition to the file data) are
printed: the file type (``REG'', for regular file), the file mode (in octal), the UID and
GID, and the file size.
If the -v flag is given more than once, even more details are printed.
NFS reply packets do not explicitly identify the RPC operation. Instead, _t_c_p_d_u_m_p keeps
track of ``recent'' requests, and matches them to the replies using the transaction ID. If
a reply does not closely follow the corresponding request, it might not be parsable.
AAFFSS RReeqquueessttss aanndd RReepplliieess
Transarc AFS (Andrew File System) requests and replies are printed as:
_s_r_c_._s_p_o_r_t _> _d_s_t_._d_p_o_r_t_: _r_x _p_a_c_k_e_t_-_t_y_p_e
_s_r_c_._s_p_o_r_t _> _d_s_t_._d_p_o_r_t_: _r_x _p_a_c_k_e_t_-_t_y_p_e _s_e_r_v_i_c_e _c_a_l_l _c_a_l_l_-_n_a_m_e _a_r_g_s
_s_r_c_._s_p_o_r_t _> _d_s_t_._d_p_o_r_t_: _r_x _p_a_c_k_e_t_-_t_y_p_e _s_e_r_v_i_c_e _r_e_p_l_y _c_a_l_l_-_n_a_m_e _a_r_g_s
elvis.7001 > pike.afsfs:
rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
new fid 536876964/1/1 ".newsrc"
pike.afsfs > elvis.7001: rx data fs reply rename
In the first line, host elvis sends a RX packet to pike. This was a RX data packet to the
fs (fileserver) service, and is the start of an RPC call. The RPC call was a rename, with
the old directory file id of 536876964/1/1 and an old filename of `.newsrc.new', and a new
directory file id of 536876964/1/1 and a new filename of `.newsrc'. The host pike responds
with a RPC reply to the rename call (which was successful, because it was a data packet and
not an abort packet).
In general, all AFS RPCs are decoded at least by RPC call name. Most AFS RPCs have at least
some of the arguments decoded (generally only the `interesting' arguments, for some defini
tion of interesting).
The format is intended to be self-describing, but it will probably not be useful to people
who are not familiar with the workings of AFS and RX.
If the -v (verbose) flag is given twice, acknowledgement packets and additional header in
formation is printed, such as the RX call ID, call number, sequence number, serial number,
and the RX packet flags.
If the -v flag is given twice, additional information is printed, such as the RX call ID,
serial number, and the RX packet flags. The MTU negotiation information is also printed
from RX ack packets.
If the -v flag is given three times, the security index and service id are printed.
Error codes are printed for abort packets, with the exception of Ubik beacon packets (be
cause abort packets are used to signify a yes vote for the Ubik protocol).
AFS reply packets do not explicitly identify the RPC operation. Instead, _t_c_p_d_u_m_p keeps
track of ``recent'' requests, and matches them to the replies using the call number and ser
vice ID. If a reply does not closely follow the corresponding request, it might not be
parsable.
KKIIPP AApppplleeTTaallkk ((DDDDPP iinn UUDDPP))
AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP
packets (i.e., all the UDP header information is discarded). The file _/_e_t_c_/_a_t_a_l_k_._n_a_m_e_s is
used to translate AppleTalk net and node numbers to names. Lines in this file have the form
_n_u_m_b_e_r _n_a_m_e
1.254 ether
16.1 icsd-net
1.254.110 ace
The first two lines give the names of AppleTalk networks. The third line gives the name of
a particular host (a host is distinguished from a net by the 3rd octet in the number - a net
number _m_u_s_t have two octets and a host number _m_u_s_t have three octets.) The number and name
should be separated by whitespace (blanks or tabs). The _/_e_t_c_/_a_t_a_l_k_._n_a_m_e_s file may contain
blank lines or comment lines (lines starting with a `#').
AppleTalk addresses are printed in the form
_n_e_t_._h_o_s_t_._p_o_r_t
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2
(If the _/_e_t_c_/_a_t_a_l_k_._n_a_m_e_s doesn't exist or doesn't contain an entry for some AppleTalk
host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP
port 2) on net 144.1 node 209 is sending to whatever is listening on port 220 of net icsd
node 112. The second line is the same except the full name of the source node is known
(`office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on
the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with
no host number - for this reason it's a good idea to keep node names and net names distinct
in /etc/atalk.names).
NBP (name binding protocol) and ATP (AppleTalk transaction protocol) packets have their con
tents interpreted. Other protocols just dump the protocol name (or number if no name is
registered for the protocol) and packet size.
NNBBPP ppaacckkeettss are formatted like the following examples:
icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
The first line is a name lookup request for laserwriters sent by net icsd host 112 and
broadcast on net jssmag. The nbp id for the lookup is 190. The second line shows a reply
for this request (note that it has the same id) from host jssmag.209 saying that it has a
laserwriter resource named "RM1140" registered on port 250. The third line is another reply
to the same request saying host techpit has laserwriter "techpit" registered on port 186.
AATTPP ppaacckkeett formatting is demonstrated by the following example:
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
Jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets
(the `<0-7>'). The hex number at the end of the line is the value of the `userdata' field
in the request.
Helios responds with 8 512-byte packets. The `:digit' following the transaction id gives
the packet sequence number in the transaction and the number in parens is the amount of data
in the packet, excluding the ATP header. The `*' on packet 7 indicates that the EOM bit was
set.
Jssmag.209 then requests that packets 3 & 5 be retransmitted. Helios resends them then jss
mag.209 releases the transaction. Finally, jssmag.209 initiates the next request. The `*'
on the request indicates that XO (`exactly once') was _n_o_t set.
SSEEEE AALLSSOO
ssttttyy(1), ppccaapp(3PCAP), bbppff(4), nniitt(4P), ppccaapp--ssaavveeffiillee(), ppccaapp--ffiilltteerr(), ppccaapp--ttssttaammpp()
_h_t_t_p_s_:_/_/_w_w_w_._i_a_n_a_._o_r_g_/_a_s_s_i_g_n_m_e_n_t_s_/_m_e_d_i_a_-_t_y_p_e_s_/_a_p_p_l_i_c_a_t_i_o_n_/_v_n_d_._t_c_p_d_u_m_p_._p_c_a_p
AAUUTTHHOORRSS
The original authors are:
Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Labora
tory, University of California, Berkeley, CA.
It is currently being maintained by tcpdump.org.
The current version is available via HTTPS:
_h_t_t_p_s_:_/_/_w_w_w_._t_c_p_d_u_m_p_._o_r_g_/
The original distribution is available via anonymous ftp:
_f_t_p_:_/_/_f_t_p_._e_e_._l_b_l_._g_o_v_/_o_l_d_/_t_c_p_d_u_m_p_._t_a_r_._Z
IPv6/IPsec support is added by WIDE/KAME project. This program uses OpenSSL/LibreSSL, under
specific configurations.
BBUUGGSS
To report a security issue please send an e-mail to security@tcpdump.org.
To report bugs and other problems, contribute patches, request a feature, provide generic
feedback etc. please see the file _C_O_N_T_R_I_B_U_T_I_N_G in the tcpdump source tree root.
NIT doesn't let you watch your own outbound traffic, BPF will. We recommend that you use
the latter.
On Linux systems with 2.0[.x] kernels:
packets on the loopback device will be seen twice;
packet filtering cannot be done in the kernel, so that all packets must be copied
from the kernel in order to be filtered in user mode;
all of a packet, not just the part that's within the snapshot length, will be copied
from the kernel (the 2.0[.x] packet capture mechanism, if asked to copy only part of
a packet to userspace, will not report the true length of the packet; this would
cause most IP packets to get an error from ttccppdduummpp);
capturing on some PPP devices won't work correctly.
We recommend that you upgrade to a 2.2 or later kernel.
Some attempt should be made to reassemble IP fragments or, at least to compute the right
length for the higher level protocol.
Name server inverse queries are not dumped correctly: the (empty) question section is
printed rather than real query in the answer section. Some believe that inverse queries are
themselves a bug and prefer to fix the program generating them rather than _t_c_p_d_u_m_p.
A packet trace that crosses a daylight savings time change will give skewed time stamps (the
time change is ignored).
Filter expressions on fields other than those in Token Ring headers will not correctly han
dle source-routed Token Ring packets.
Filter expressions on fields other than those in 802.11 headers will not correctly handle
802.11 data packets with both To DS and From DS set.
iipp66 pprroottoo should chase header chain, but at this moment it does not. iipp66 pprroottoocchhaaiinn is sup
plied for this behavior.
Arithmetic expression against transport layer headers, like ttccpp[[00]], does not work against
IPv6 packets. It only looks at IPv4 packets.
21 December 2020 TCPDUMP(1)
Reference in New Issue Copy Permalink