.\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1,v 1.185.2.6 2008-05-30 01:38:21 guy Exp $ (LBL)
.\"
.\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH TCPDUMP 1 "07 January 2008"
.SH NAME
tcpdump \- dump traffic on a network
.SH SYNOPSIS
.na
.B tcpdump
[
.B \-AdDefIKlLnNOpqRStuUvxX
] [
.B \-B
.I buffer_size
] [
.B \-c
.I count
]
.br
.ti +8
[
.B \-C
.I file_size
] [
.B \-G
.I rotate_seconds
] [
.B \-F
.I file
]
.br
.ti +8
[
.B \-i
.I interface
]
[
.B \-m
.I module
]
[
.B \-M
.I secret
]
.br
.ti +8
[
.B \-r
.I file
]
[
.B \-s
.I snaplen
]
[
.B \-T
.I type
]
[
.B \-w
.I file
]
.br
.ti +8
[
.B \-W
.I filecount
]
.br
.ti +8
[
.B \-E
.I spi@ipaddr algo:secret,...
]
.br
.ti +8
[
.B \-y
.I datalinktype
]
[
.B \-z
.I postrotate-command
]
[
.B \-Z
.I user
]
.ti +8
[
.I expression
]
.br
.ad
.SH DESCRIPTION
.LP
\fITcpdump\fP prints out a description of the contents of packets on a
network interface that match the boolean \fIexpression\fP.  It can also
be run with the
.B \-w
flag, which causes it to save the packet data to a file for later
analysis, and/or with the
.B \-r
flag, which causes it to read from a saved packet file rather than to
read packets from a network interface.  In all cases, only packets that
match
.I expression
will be processed by
.IR tcpdump .
.LP
.I Tcpdump
will, if not run with the
.B \-c
flag, continue capturing packets until it is interrupted by a SIGINT
signal (generated, for example, by typing your interrupt character,
typically control-C) or a SIGTERM signal (typically generated with the
.BR kill (1)
command); if run with the
.B \-c
flag, it will capture packets until it is interrupted by a SIGINT or
SIGTERM signal or the specified number of packets have been processed.
.LP
When
.I tcpdump
finishes capturing packets, it will report counts of:
.IP
packets ``captured'' (this is the number of packets that
.I tcpdump
has received and processed);
.IP
packets ``received by filter'' (the meaning of this depends on the OS on
which you're running
.IR tcpdump ,
and possibly on the way the OS was configured - if a filter was
specified on the command line, on some OSes it counts packets regardless
of whether they were matched by the filter expression and, even if they
were matched by the filter expression, regardless of whether
.I tcpdump
has read and processed them yet, on other OSes it counts only packets that were
matched by the filter expression regardless of whether
.I tcpdump
has read and processed them yet, and on other OSes it counts only
packets that were matched by the filter expression and were processed by
.IR tcpdump );
.IP
packets ``dropped by kernel'' (this is the number of packets that were
dropped, due to a lack of buffer space, by the packet capture mechanism
in the OS on which
.I tcpdump
is running, if the OS reports that information to applications; if not,
it will be reported as 0).
.LP
On platforms that support the SIGINFO signal, such as most BSDs
(including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
when it receives a SIGINFO signal (generated, for example, by typing
your ``status'' character, typically control-T, although on some
platforms, such as Mac OS X, the ``status'' character is not set by
default, so you must set it with
.BR stty (1)
in order to use it) and will continue capturing packets.
.LP
Reading packets from a network interface may require that you have
special privileges; see the
.B pcap (3PCAP)
man page for details.  Reading a saved packet file doesn't require
special privileges.
.SH OPTIONS
.TP
.B \-A
Print each packet (minus its link level header) in ASCII.  Handy for
capturing web pages.
.TP
.B \-B
Set the operating system capture buffer size to \fIbuffer_size\fP.
.TP
.B \-c
Exit after receiving \fIcount\fP packets.
.TP
.B \-C
Before writing a raw packet to a savefile, check whether the file is
currently larger than \fIfile_size\fP and, if so, close the current
savefile and open a new one.  Savefiles after the first savefile will
have the name specified with the
.B \-w
flag, with a number after it, starting at 1 and continuing upward.
The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
not 1,048,576 bytes).
.TP
.B \-d
Dump the compiled packet-matching code in a human readable form to
standard output and stop.
.TP
.B \-dd
Dump packet-matching code as a
.B C
program fragment.
.TP
.B \-ddd
Dump packet-matching code as decimal numbers (preceded with a count).
.TP
.B \-D
Print the list of the network interfaces available on the system and on
which
.I tcpdump
can capture packets.  For each network interface, a number and an
interface name, possibly followed by a text description of the
interface, is printed.  The interface name or the number can be supplied
to the
.B \-i
flag to specify an interface on which to capture.
.IP
This can be useful on systems that don't have a command to list them
(e.g., Windows systems, or UNIX systems lacking
.BR "ifconfig \-a" );
the number can be useful on Windows 2000 and later systems, where the
interface name is a somewhat complex string.
.IP
The
.B \-D
flag will not be supported if
.I tcpdump
was built with an older version of
.I libpcap
that lacks the
.B pcap_findalldevs()
function.
.TP
.B \-e
Print the link-level header on each dump line.
.TP
.B \-E
Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
are addressed to \fIaddr\fP and contain Security Parameter Index value
\fIspi\fP.  This combination may be repeated with comma or newline separation.
.IP
Note that setting the secret for IPv4 ESP packets is supported at this time.
.IP
Algorithms may be
\fBdes-cbc\fP,
\fB3des-cbc\fP,
\fBblowfish-cbc\fP,
\fBrc3-cbc\fP,
\fBcast128-cbc\fP, or
\fBnone\fP.
The default is \fBdes-cbc\fP.
The ability to decrypt packets is only present if \fItcpdump\fP was compiled
with cryptography enabled.
.IP
\fIsecret\fP is the ASCII text for ESP secret key.
If preceded by 0x, then a hex value will be read.
.IP
The option assumes RFC2406 ESP, not RFC1827 ESP.
The option is only for debugging purposes, and
the use of this option with a true `secret' key is discouraged.
By presenting IPsec secret key onto command line
you make it visible to others, via
.IR ps (1)
and other occasions.
.IP
In addition to the above syntax, the syntax \fIfile name\fP may be used
to have tcpdump read the provided file in.  The file is opened upon
receiving the first ESP packet, so any special permissions that tcpdump
may have been given should already have been given up.
.TP
.B \-f
Print `foreign' IPv4 addresses numerically rather than symbolically
(this option is intended to get around serious brain damage in
Sun's NIS server \(em usually it hangs forever translating non-local
internet numbers).
.IP
The test for `foreign' IPv4 addresses is done using the IPv4 address and
netmask of the interface on which capture is being done.  If that
address or netmask are not available, either because the
interface on which capture is being done has no address or netmask or
because the capture is being done on the Linux "any" interface, which
can capture on more than one interface, this option will not work
correctly.
.TP
.B \-F
Use \fIfile\fP as input for the filter expression.
An additional expression given on the command line is ignored.
.TP
.B \-G
If specified, rotates the dump file specified with the
.B \-w
option every \fIrotate_seconds\fP seconds.
Savefiles will have the name specified by
.B \-w
which should include a time format as defined by
.BR strftime (3).
If no time format is specified, each new file will overwrite the previous.
.IP
If used in conjunction with the
.B \-C
option, filenames will take the form of `\fIfile\fP<count>'.
.TP
.B \-i
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
lowest numbered, configured up interface (excluding loopback).
Ties are broken by choosing the earliest match.
.IP
On Linux systems with 2.2 or later kernels, an
.I interface
argument of ``any'' can be used to capture packets from all interfaces.
Note that captures on the ``any'' device will not be done in promiscuous
mode.
.IP
If the
.B \-D
flag is supported, an interface number as printed by that flag can be
used as the
.I interface
argument.
.TP
.B \-I
Put the interface in "monitor mode"; this is supported only on IEEE
802.11 Wi-Fi interfaces, and supported only on some operating systems.
.IP
Note that in monitor mode the adapter might disassociate from the
network with which it's associated, so that you will not be able to use
any wireless networks with that adapter.  This could prevent accessing
files on a network server, or resolving host names or network addresses,
if you are capturing in monitor mode and are not connected to another
network with another adapter.
.TP
.B \-K
Don't attempt to verify TCP checksums.  This is useful for interfaces
that perform the TCP checksum calculation in hardware; otherwise,
all outgoing TCP checksums will be flagged as bad.
.TP
.B \-l
Make stdout line buffered.
Useful if you want to see the data
while capturing it.
E.g.,
.br
``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
.TP
.B \-L
List the known data link types for the interface and exit.
.TP
.B \-m
Load SMI MIB module definitions from file \fImodule\fR.
This option
can be used several times to load several MIB modules into \fItcpdump\fP.
.TP
.B \-M
Use \fIsecret\fP as a shared secret for validating the digests found in
TCP segments with the TCP-MD5 option (RFC 2385), if present.
.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
.B \-N
Don't print domain name qualification of host names.
E.g.,
if you give this flag then \fItcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
Do not run the packet-matching code optimizer.
This is useful only
if you suspect a bug in the optimizer.
.TP
.B \-p
\fIDon't\fP put the interface
into promiscuous mode.
Note that the interface might be in promiscuous
mode for some other reason; hence, `-p' cannot be used as an abbreviation for
`ether host {local-hw-addr} or ether broadcast'.
.TP
.B \-q
Quick (quiet?) output.
Print less protocol information so output
lines are shorter.
.TP
.B \-R
Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
If specified, \fItcpdump\fP will not print replay prevention field.
Since there is no protocol version field in ESP/AH specification,
\fItcpdump\fP cannot deduce the version of ESP/AH protocol.
.TP
.B \-r
Read packets from \fIfile\fR (which was created with the
.B \-w
option).
Standard input is used if \fIfile\fR is ``-''.
.TP
.B \-S
Print absolute, rather than relative, TCP sequence numbers.
.TP
.B \-s
Snarf \fIsnaplen\fP bytes of data from each packet rather than the
default of 68 (with SunOS's NIT, the minimum is actually 96).
68 bytes is adequate for IP, ICMP, TCP
and UDP but may truncate protocol information from name server and NFS
packets (see below).
Packets truncated because of a limited snapshot
are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
is the name of the protocol level at which the truncation has occurred.
Note that taking larger snapshots both increases
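Added example, not part of the tcpdump manual and not tcpdump or libpcap code: a small Python reader and interpreter for the decimal packet-matching code that the -ddd option prints (one line with the instruction count, then one `code jt jf k` line per classic-BPF instruction). Running a compiled filter offline against constructed frames lets an operator confirm what a filter will and will not accept before it is loaded on a live interface, and the last frame shows how a load past the captured bytes rejects the packet, which is the same situation a too-small snaplen (-s) creates. The program text below is hand-written to match what `ip and tcp` compiles to on an Ethernet link (an assumption; the real text comes from `tcpdump -ddd 'ip and tcp'`), and the Ethernet/IPv4 frames are constructed.

```python
"""Interpret `tcpdump -ddd` output offline.  Added example, not tcpdump/libpcap code."""

# Constructed sample: hand-written equivalent of `tcpdump -ddd 'ip and tcp'` on
# Ethernet (assumption).  ldh [12]; jeq 0x800; ldb [23]; jeq 6; ret 65535; ret 0
DDD_TEXT = """\
6
40 0 0 12
21 0 3 2048
48 0 0 23
21 0 1 6
6 0 0 65535
6 0 0 0
"""

MASK32 = 0xFFFFFFFF


def parse_ddd(text):
    """Parse -ddd output into a list of (code, jt, jf, k); validate count and ranges."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty program")
    count = int(lines[0])
    insns = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != 4:
            raise ValueError("bad instruction line: %r" % ln)
        code, jt, jf, k = (int(f) for f in fields)
        if not (0 <= code <= 0xFFFF and 0 <= jt <= 255 and 0 <= jf <= 255):
            raise ValueError("field out of range: %r" % ln)
        insns.append((code, jt, jf, k))
    if len(insns) != count:
        raise ValueError("header says %d instructions, found %d" % (count, len(insns)))
    return insns


def _load(pkt, off, size):
    """Big-endian load of `size` bytes; None when the bytes were not captured."""
    if off < 0 or off + size > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + size], "big")


def run_bpf(insns, pkt, max_steps=4096):
    """Run a classic-BPF program over one frame; returns the accept length (0 = reject)."""
    a = x = 0
    mem = [0] * 16                      # classic BPF's 16-slot scratch memory
    pc = 0
    for _ in range(max_steps):
        if pc >= len(insns):
            raise ValueError("fell off the end of the program")
        code, jt, jf, k = insns[pc]
        pc += 1
        cls = code & 0x07
        if cls == 0x06:                 # RET with k, X or A
            src = code & 0x18
            return a if src == 0x10 else x if src == 0x08 else k
        if cls in (0x00, 0x01):         # LD (into A) / LDX (into X)
            mode, size = code & 0xE0, {0x00: 4, 0x08: 2, 0x10: 1}[code & 0x18]
            if mode == 0x00:   val = k                          # immediate
            elif mode == 0x20: val = _load(pkt, k, size)        # absolute offset
            elif mode == 0x40: val = _load(pkt, x + k, size)    # X-relative offset
            elif mode == 0x60: val = mem[k]                     # scratch memory
            elif mode == 0x80: val = len(pkt)                   # packet length
            elif mode == 0xA0:                                  # msh: 4 * (pkt[k] & 0xf)
                b = _load(pkt, k, 1)
                val = None if b is None else (b & 0x0F) * 4
            else:
                raise ValueError("unsupported load mode 0x%x" % mode)
            if val is None:             # load beyond the captured bytes rejects the packet
                return 0
            if cls == 0x00: a = val
            else: x = val
        elif cls == 0x02: mem[k] = a    # ST
        elif cls == 0x03: mem[k] = x    # STX
        elif cls == 0x04:               # ALU: add, sub, or, and, rsh (others unsupported here)
            op, src = code & 0xF0, (x if code & 0x08 else k)
            if op == 0x00:   a = (a + src) & MASK32
            elif op == 0x10: a = (a - src) & MASK32
            elif op == 0x40: a |= src
            elif op == 0x50: a &= src
            elif op == 0x70: a >>= src
            else: raise ValueError("unsupported ALU op 0x%x" % op)
        elif cls == 0x05:               # JMP: ja, jeq, jgt, jge, jset
            op, src = code & 0xF0, (x if code & 0x08 else k)
            if op == 0x00:
                pc += k
                continue
            taken = {0x10: a == src, 0x20: a > src, 0x30: a >= src, 0x40: bool(a & src)}[op]
            pc += jt if taken else jf
        elif cls == 0x07:               # MISC: TAX (0x00) / TXA (0x80)
            if code & 0xF8 == 0x80: a = x
            else: x = a
    raise ValueError("step limit exceeded")


def build_frame(ethertype, ip_proto, payload=b""):
    """Constructed Ethernet frame + minimal IPv4 header; ip_proto lands at frame offset 23."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + ethertype.to_bytes(2, "big")
    ip = (bytes([0x45, 0, 0, 0]) + b"\x00\x00\x40\x00" + bytes([64, ip_proto])
          + b"\x00\x00" + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    return eth + ip + payload


if __name__ == "__main__":
    prog = parse_ddd(DDD_TEXT)
    for name, frame in (("ip/tcp", build_frame(0x0800, 6)), ("ip/udp", build_frame(0x0800, 17)),
                        ("arp", build_frame(0x0806, 6)), ("ip/tcp cut at 14 bytes", build_frame(0x0800, 6)[:14])):
        print("%-24s -> %d" % (name, run_bpf(prog, frame)))
```

The accept value 65535 is the snapshot length tcpdump asked the kernel to keep for matching packets; 0 rejects. Feeding the real `-ddd` text of a production filter plus a few captured frames to `run_bpf` is a cheap regression check that a filter change (or a `-O` optimizer bug, as the manual mentions) did not silently widen or narrow what gets recorded.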