1 .\" @(#) $Header: /tcpdump/master/tcpdump/tcpdump.1.in,v 1.2 2008-11-09 23:35:03 mcr Exp $ (LBL)
3 .\" $NetBSD: tcpdump.8,v 1.9 2003/03/31 00:18:17 perry Exp $
5 .\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
6 .\" The Regents of the University of California. All rights reserved.
7 .\" All rights reserved.
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that: (1) source code distributions
11 .\" retain the above copyright notice and this paragraph in its entirety, (2)
12 .\" distributions including binary code include the above copyright notice and
13 .\" this paragraph in its entirety in the documentation or other materials
14 .\" provided with the distribution, and (3) all advertising materials mentioning
15 .\" features or use of this software display the following acknowledgement:
16 .\" ``This product includes software developed by the University of California,
17 .\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
18 .\" the University nor the names of its contributors may be used to endorse
19 .\" or promote products derived from this software without specific prior
20 .\" written permission.
21 .\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
22 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
23 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
25 .TH TCPDUMP 1 "05 March 2009"
27 tcpdump \- dump traffic on a network
32 .B \-AbdDefhHIJKlLnNOpqRStuUvxX
98 .I spi@ipaddr algo:secret,...
108 .I postrotate-command
122 \fITcpdump\fP prints out a description of the contents of packets on a
123 network interface that match the boolean \fIexpression\fP. It can also
126 flag, which causes it to save the packet data to a file for later
127 analysis, and/or with the
129 flag, which causes it to read from a saved packet file rather than to
130 read packets from a network interface. In all cases, only packets that
137 will, if not run with the
139 flag, continue capturing packets until it is interrupted by a SIGINT
140 signal (generated, for example, by typing your interrupt character,
141 typically control-C) or a SIGTERM signal (typically generated with the
143 command); if run with the
145 flag, it will capture packets until it is interrupted by a SIGINT or
146 SIGTERM signal or the specified number of packets have been processed.
150 finishes capturing packets, it will report counts of:
152 packets ``captured'' (this is the number of packets that
154 has received and processed);
156 packets ``received by filter'' (the meaning of this depends on the OS on
159 and possibly on the way the OS was configured - if a filter was
160 specified on the command line, on some OSes it counts packets regardless
161 of whether they were matched by the filter expression and, even if they
162 were matched by the filter expression, regardless of whether
164 has read and processed them yet, on other OSes it counts only packets that were
165 matched by the filter expression regardless of whether
167 has read and processed them yet, and on other OSes it counts only
168 packets that were matched by the filter expression and were processed by
171 packets ``dropped by kernel'' (this is the number of packets that were
172 dropped, due to a lack of buffer space, by the packet capture mechanism
175 is running, if the OS reports that information to applications; if not,
176 it will be reported as 0).
178 On platforms that support the SIGINFO signal, such as most BSDs
179 (including Mac OS X) and Digital/Tru64 UNIX, it will report those counts
180 when it receives a SIGINFO signal (generated, for example, by typing
181 your ``status'' character, typically control-T, although on some
182 platforms, such as Mac OS X, the ``status'' character is not set by
183 default, so you must set it with
185 in order to use it) and will continue capturing packets.
187 Reading packets from a network interface may require that you have
188 special privileges; see the
190 man page for details. Reading a saved packet file doesn't require
195 Print each packet (minus its link level header) in ASCII. Handy for
199 Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN
203 Set the operating system capture buffer size to \fIbuffer_size\fP, in
204 units of KiB (1024 bytes).
207 Exit after receiving \fIcount\fP packets.
210 Before writing a raw packet to a savefile, check whether the file is
211 currently larger than \fIfile_size\fP and, if so, close the current
212 savefile and open a new one. Savefiles after the first savefile will
213 have the name specified with the
215 flag, with a number after it, starting at 1 and continuing upward.
216 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
217 not 1,048,576 bytes).
220 Dump the compiled packet-matching code in a human readable form to
221 standard output and stop.
224 Dump packet-matching code as a
229 Dump packet-matching code as decimal numbers (preceded with a count).
232 Print the list of the network interfaces available on the system and on
235 can capture packets. For each network interface, a number and an
236 interface name, possibly followed by a text description of the
237 interface, is printed. The interface name or the number can be supplied
240 flag to specify an interface on which to capture.
242 This can be useful on systems that don't have a command to list them
243 (e.g., Windows systems, or UNIX systems lacking
244 .BR "ifconfig \-a" );
245 the number can be useful on Windows 2000 and later systems, where the
246 interface name is a somewhat complex string.
250 flag will not be supported if
252 was built with an older version of
255 .B pcap_findalldevs()
259 Print the link-level header on each dump line.
262 Use \fIspi@ipaddr algo:secret\fP for decrypting IPsec ESP packets that
263 are addressed to \fIaddr\fP and contain Security Parameter Index value
264 \fIspi\fP. This combination may be repeated with comma or newline separation.
266 Note that setting the secret for IPv4 ESP packets is supported at this time.
273 \fBcast128-cbc\fP, or
275 The default is \fBdes-cbc\fP.
276 The ability to decrypt packets is only present if \fItcpdump\fP was compiled
277 with cryptography enabled.
279 \fIsecret\fP is the ASCII text for ESP secret key.
280 If preceded by 0x, then a hex value will be read.
282 The option assumes RFC2406 ESP, not RFC1827 ESP.
283 The option is only for debugging purposes, and
284 the use of this option with a true `secret' key is discouraged.
285 By presenting IPsec secret key onto command line
286 you make it visible to others, via
290 In addition to the above syntax, the syntax \fIfile name\fP may be used
291 to have tcpdump read the provided file in. The file is opened upon
292 receiving the first ESP packet, so any special permissions that tcpdump
293 may have been given should already have been given up.
296 Print `foreign' IPv4 addresses numerically rather than symbolically
297 (this option is intended to get around serious brain damage in
298 Sun's NIS server \(em usually it hangs forever translating non-local
301 The test for `foreign' IPv4 addresses is done using the IPv4 address and
302 netmask of the interface on which capture is being done. If that
303 address or netmask are not available, available, either because the
304 interface on which capture is being done has no address or netmask or
305 because the capture is being done on the Linux "any" interface, which
306 can capture on more than one interface, this option will not work
310 Use \fIfile\fP as input for the filter expression.
311 An additional expression given on the command line is ignored.
314 If specified, rotates the dump file specified with the
316 option every \fIrotate_seconds\fP seconds.
317 Savefiles will have the name specified by
319 which should include a time format as defined by
321 If no time format is specified, each new file will overwrite the previous.
323 If used in conjunction with the
325 option, filenames will take the form of `\fIfile\fP<count>'.
328 Print the tcpdump and libpcap version strings, print a usage message,
332 Attempt to detect 802.11s draft mesh headers.
335 Listen on \fIinterface\fP.
336 If unspecified, \fItcpdump\fP searches the system interface list for the
337 lowest numbered, configured up interface (excluding loopback).
338 Ties are broken by choosing the earliest match.
340 On Linux systems with 2.2 or later kernels, an
342 argument of ``any'' can be used to capture packets from all interfaces.
343 Note that captures on the ``any'' device will not be done in promiscuous
348 flag is supported, an interface number as printed by that flag can be
354 Put the interface in "monitor mode"; this is supported only on IEEE
355 802.11 Wi-Fi interfaces, and supported only on some operating systems.
357 Note that in monitor mode the adapter might disassociate from the
358 network with which it's associated, so that you will not be able to use
359 any wireless networks with that adapter. This could prevent accessing
360 files on a network server, or resolving host names or network addresses,
361 if you are capturing in monitor mode and are not connected to another
362 network with another adapter.
364 This flag will affect the output of the
368 isn't specified, only those link-layer types available when not in
369 monitor mode will be shown; if
371 is specified, only those link-layer types available when in monitor mode
375 Set the time stamp type for the capture to \fItstamp_type\fP. The names
376 to use for the time stamp types are given in
377 .BR pcap-tstamp-type (@MAN_MISC_INFO@);
378 not all the types listed there will necessarily be valid for any given
382 List the supported time stamp types for the interface and exit. If the
383 time stamp type cannot be set for the interface, no time stamp types are
387 Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
388 interfaces that perform some or all of those checksum calculation in
389 hardware; otherwise, all outgoing TCP checksums will be flagged as bad.
392 Make stdout line buffered.
393 Useful if you want to see the data
400 \fBtcpdump \-l | tee dat\fP
410 \fBtcpdump \-l > dat & tail \-f dat\fP
415 Note that on Windows,``line buffered'' means ``unbuffered'', so that
416 WinDump will write each character individually if
423 in its behavior, but it will cause output to be ``packet-buffered'', so
424 that the output is written to stdout at the end of each packet rather
425 than at the end of each line; this is buffered on all platforms,
429 List the known data link types for the interface, in the specified mode,
430 and exit. The list of known data link types may be dependent on the
431 specified mode; for example, on some platforms, a Wi-Fi interface might
432 support one set of data link types when not in monitor mode (for
433 example, it might support only fake Ethernet headers, or might support
434 802.11 headers but not support 802.11 headers with radio information)
435 and another set of data link types when in monitor mode (for example, it
436 might support 802.11 headers, or 802.11 headers with radio information,
437 only in monitor mode).
440 Load SMI MIB module definitions from file \fImodule\fR.
442 can be used several times to load several MIB modules into \fItcpdump\fP.
445 Use \fIsecret\fP as a shared secret for validating the digests found in
446 TCP segments with the TCP-MD5 option (RFC 2385), if present.
449 Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
452 Don't print domain name qualification of host names.
454 if you give this flag then \fItcpdump\fP will print ``nic''
455 instead of ``nic.ddn.mil''.
458 Do not run the packet-matching code optimizer.
460 if you suspect a bug in the optimizer.
463 \fIDon't\fP put the interface
464 into promiscuous mode.
465 Note that the interface might be in promiscuous
466 mode for some other reason; hence, `-p' cannot be used as an abbreviation for
467 `ether host {local-hw-addr} or ether broadcast'.
470 Quick (quiet?) output.
471 Print less protocol information so output
475 Assume ESP/AH packets to be based on old specification (RFC1825 to RFC1829).
476 If specified, \fItcpdump\fP will not print replay prevention field.
477 Since there is no protocol version field in ESP/AH specification,
478 \fItcpdump\fP cannot deduce the version of ESP/AH protocol.
481 Read packets from \fIfile\fR (which was created with the
484 Standard input is used if \fIfile\fR is ``-''.
487 Print absolute, rather than relative, TCP sequence numbers.
490 Snarf \fIsnaplen\fP bytes of data from each packet rather than the
491 default of 65535 bytes.
492 Packets truncated because of a limited snapshot
493 are indicated in the output with ``[|\fIproto\fP]'', where \fIproto\fP
494 is the name of the protocol level at which the truncation has occurred.
495 Note that taking larger snapshots both increases
496 the amount of time it takes to process packets and, effectively,
497 decreases the amount of packet buffering.
498 This may cause packets to be
500 You should limit \fIsnaplen\fP to the smallest number that will
501 capture the protocol information you're interested in.
503 \fIsnaplen\fP to 0 sets it to the default of 65535,
504 for backwards compatibility with recent older versions of
508 Force packets selected by "\fIexpression\fP" to be interpreted the
509 specified \fItype\fR.
510 Currently known types are
511 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
512 \fBcnfp\fR (Cisco NetFlow protocol),
513 \fBrpc\fR (Remote Procedure Call),
514 \fBrtp\fR (Real-Time Applications protocol),
515 \fBrtcp\fR (Real-Time Applications control protocol),
516 \fBsnmp\fR (Simple Network Management Protocol),
517 \fBtftp\fR (Trivial File Transfer Protocol),
518 \fBvat\fR (Visual Audio Tool),
520 \fBwb\fR (distributed White Board).
523 \fIDon't\fP print a timestamp on each dump line.
526 Print an unformatted timestamp on each dump line.
529 Print a delta (micro-second resolution) between current and previous line
533 Print a timestamp in default format proceeded by date on each dump line.
536 Print a delta (micro-second resolution) between current and first line
540 Print undecoded NFS handles.
545 option is not specified, make the printed packet output
546 ``packet-buffered''; i.e., as the description of the contents of each
547 packet is printed, it will be written to the standard output, rather
548 than, when not writing to a terminal, being written only when the output
553 option is specified, make the saved raw packet output
554 ``packet-buffered''; i.e., as each packet is saved, it will be written
555 to the output file, rather than being written only when the output
560 flag will not be supported if
562 was built with an older version of
569 When parsing and printing, produce (slightly more) verbose output.
570 For example, the time to live,
571 identification, total length and options in an IP packet are printed.
572 Also enables additional packet integrity checks such as verifying the
573 IP and ICMP header checksum.
575 When writing to a file with the
577 option, report, every 10 seconds, the number of packets captured.
580 Even more verbose output.
581 For example, additional fields are
582 printed from NFS reply packets, and SMB packets are fully decoded.
585 Even more verbose output.
587 telnet \fBSB\fP ... \fBSE\fP options
591 Telnet options are printed in hex as well.
594 Write the raw packets to \fIfile\fR rather than parsing and printing
596 They can later be printed with the \-r option.
597 Standard output is used if \fIfile\fR is ``-''.
599 This output will be buffered if written to a file or pipe, so a program
600 reading from the file or pipe may not see packets for an arbitrary
601 amount of time after they are received. Use the
603 flag to cause packets to be written as soon as they are received.
606 .BR pcap-savefile (@MAN_FILE_FORMATS@)
607 for a description of the file format.
610 Used in conjunction with the
612 option, this will limit the number
613 of files created to the specified number, and begin overwriting files
614 from the beginning, thus creating a 'rotating' buffer.
615 In addition, it will name
616 the files with enough leading 0s to support the maximum number of
617 files, allowing them to sort correctly.
619 Used in conjunction with the
621 option, this will limit the number of rotated dump files that get
622 created, exiting with status 0 when reaching the limit. If used with
624 as well, the behavior will result in cyclical files per timeslice.
627 When parsing and printing,
628 in addition to printing the headers of each packet, print the data of
629 each packet (minus its link level header) in hex.
630 The smaller of the entire packet or
632 bytes will be printed. Note that this is the entire link-layer
633 packet, so for link layers that pad (e.g. Ethernet), the padding bytes
634 will also be printed when the higher layer packet is shorter than the
638 When parsing and printing,
639 in addition to printing the headers of each packet, print the data of
642 its link level header, in hex.
645 When parsing and printing,
646 in addition to printing the headers of each packet, print the data of
647 each packet (minus its link level header) in hex and ASCII.
648 This is very handy for analysing new protocols.
651 When parsing and printing,
652 in addition to printing the headers of each packet, print the data of
655 its link level header, in hex and ASCII.
658 Set the data link type to use while capturing packets to \fIdatalinktype\fP.
661 Used in conjunction with the
665 options, this will make
671 is the savefile being closed after each rotation. For example, specifying
675 will compress each savefile using gzip or bzip2.
677 Note that tcpdump will run the command in parallel to the capture, using
678 the lowest priority so that this doesn't disturb the capture process.
680 And in case you would like to use a command that itself takes flags or
681 different arguments, you can always write a shell script that will take the
682 savefile name as the only argument, make the flags & arguments arrangements
683 and execute the command that you want.
688 is running as root, after opening the capture device or input savefile,
689 but before opening any savefiles for output, change the user ID to
691 and the group ID to the primary group of
694 This behavior can also be enabled by default at compile time.
695 .IP "\fI expression\fP"
697 selects which packets will be dumped.
698 If no \fIexpression\fP
699 is given, all packets on the net will be dumped.
701 only packets for which \fIexpression\fP is `true' will be dumped.
703 For the \fIexpression\fP syntax, see
704 .BR pcap-filter (@MAN_MISC_INFO@).
706 Expression arguments can be passed to \fItcpdump\fP as either a single
707 argument or as multiple arguments, whichever is more convenient.
708 Generally, if the expression contains Shell metacharacters, it is
709 easier to pass it as a single, quoted argument.
710 Multiple arguments are concatenated with spaces before being parsed.
713 To print all packets arriving at or departing from \fIsundown\fP:
716 \fBtcpdump host sundown\fP
720 To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
723 \fBtcpdump host helios and \\( hot or ace \\)\fP
727 To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
730 \fBtcpdump ip host ace and not helios\fP
734 To print all traffic between local hosts and hosts at Berkeley:
738 tcpdump net ucb-ether
742 To print all ftp traffic through internet gateway \fIsnup\fP:
743 (note that the expression is quoted to prevent the shell from
744 (mis-)interpreting the parentheses):
748 tcpdump 'gateway snup and (port ftp or ftp-data)'
752 To print traffic neither sourced from nor destined for local hosts
753 (if you gateway to one other net, this stuff should never make it
754 onto your local net).
758 tcpdump ip and not net \fIlocalnet\fP
762 To print the start and end packets (the SYN and FIN packets) of each
763 TCP conversation that involves a non-local host.
767 tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net \fIlocalnet\fP'
771 To print all IPv4 HTTP packets to and from port 80, i.e. print only
772 packets that contain data, not, for example, SYN and FIN packets and
773 ACK-only packets. (IPv6 is left as an exercise for the reader.)
777 tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
781 To print IP packets longer than 576 bytes sent through gateway \fIsnup\fP:
785 tcpdump 'gateway snup and ip[2:2] > 576'
789 To print IP broadcast or multicast packets that were
791 sent via Ethernet broadcast or multicast:
795 tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
799 To print all ICMP packets that are not echo requests/replies (i.e., not
804 tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
809 The output of \fItcpdump\fP is protocol dependent.
811 gives a brief description and examples of most of the formats.
819 If the '-e' option is given, the link level header is printed out.
820 On Ethernets, the source and destination addresses, protocol,
821 and packet length are printed.
823 On FDDI networks, the '-e' option causes \fItcpdump\fP to print
824 the `frame control' field, the source and destination addresses,
825 and the packet length.
826 (The `frame control' field governs the
827 interpretation of the rest of the packet.
829 as those containing IP datagrams) are `async' packets, with a priority
830 value between 0 and 7; for example, `\fBasync4\fR'.
832 are assumed to contain an 802.2 Logical Link Control (LLC) packet;
833 the LLC header is printed if it is \fInot\fR an ISO datagram or a
834 so-called SNAP packet.
836 On Token Ring networks, the '-e' option causes \fItcpdump\fP to print
837 the `access control' and `frame control' fields, the source and
838 destination addresses, and the packet length.
840 packets are assumed to contain an LLC packet.
841 Regardless of whether
842 the '-e' option is specified or not, the source routing information is
843 printed for source-routed packets.
845 On 802.11 networks, the '-e' option causes \fItcpdump\fP to print
846 the `frame control' fields, all of the addresses in the 802.11 header,
847 and the packet length.
849 packets are assumed to contain an LLC packet.
851 \fI(N.B.: The following description assumes familiarity with
852 the SLIP compression algorithm described in RFC-1144.)\fP
854 On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound),
855 packet type, and compression information are printed out.
856 The packet type is printed first.
857 The three types are \fIip\fP, \fIutcp\fP, and \fIctcp\fP.
858 No further link information is printed for \fIip\fR packets.
859 For TCP packets, the connection identifier is printed following the type.
860 If the packet is compressed, its encoded header is printed out.
861 The special cases are printed out as
862 \fB*S+\fIn\fR and \fB*SA+\fIn\fR, where \fIn\fR is the amount by which
863 the sequence number (or sequence number and ack) has changed.
864 If it is not a special case,
865 zero or more changes are printed.
866 A change is indicated by U (urgent pointer), W (window), A (ack),
867 S (sequence number), and I (packet ID), followed by a delta (+n or -n),
869 Finally, the amount of data in the packet and compressed header length
872 For example, the following line shows an outbound compressed TCP packet,
873 with an implicit connection identifier; the ack has changed by 6,
874 the sequence number by 49, and the packet ID by 6; there are 3 bytes of
875 data and 6 bytes of compressed header:
878 \fBO ctcp * A+6 S+49 I+6 3 (6)\fP
884 Arp/rarp output shows the type of request and its arguments.
886 format is intended to be self explanatory.
887 Here is a short sample taken from the start of an `rlogin' from
888 host \fIrtsg\fP to host \fIcsam\fP:
892 \f(CWarp who-has csam tell rtsg
893 arp reply csam is-at CSAM\fR
897 The first line says that rtsg sent an arp packet asking
898 for the Ethernet address of internet host csam.
900 replies with its Ethernet address (in this example, Ethernet addresses
901 are in caps and internet addresses in lower case).
903 This would look less redundant if we had done \fItcpdump \-n\fP:
907 \f(CWarp who-has 128.3.254.6 tell 128.3.254.68
908 arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
912 If we had done \fItcpdump \-e\fP, the fact that the first packet is
913 broadcast and the second is point-to-point would be visible:
917 \f(CWRTSG Broadcast 0806 64: arp who-has csam tell rtsg
918 CSAM RTSG 0806 64: arp reply csam is-at CSAM\fR
922 For the first packet this says the Ethernet source address is RTSG, the
923 destination is the Ethernet broadcast address, the type field
924 contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
928 \fI(N.B.:The following description assumes familiarity with
929 the TCP protocol described in RFC-793.
930 If you are not familiar
931 with the protocol, neither this description nor \fItcpdump\fP will
932 be of much use to you.)\fP
934 The general format of a tcp protocol line is:
938 \fIsrc > dst: flags data-seqno ack window urgent options\fP
942 \fISrc\fP and \fIdst\fP are the source and destination IP
944 \fIFlags\fP are some combination of S (SYN),
945 F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or
946 `.' (ACK), or `none' if no flags are set.
947 \fIData-seqno\fP describes the portion of sequence space covered
948 by the data in this packet (see example below).
949 \fIAck\fP is sequence number of the next data expected the other
950 direction on this connection.
951 \fIWindow\fP is the number of bytes of receive buffer space available
952 the other direction on this connection.
953 \fIUrg\fP indicates there is `urgent' data in the packet.
954 \fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
956 \fISrc, dst\fP and \fIflags\fP are always present.
958 depend on the contents of the packet's tcp protocol header and
959 are output only if appropriate.
961 Here is the opening portion of an rlogin from host \fIrtsg\fP to
966 \s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
967 csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
968 rtsg.1023 > csam.login: . ack 1 win 4096
969 rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
970 csam.login > rtsg.1023: . ack 2 win 4096
971 rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
972 csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
973 csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
974 csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
978 The first line says that tcp port 1023 on rtsg sent a packet
981 The \fBS\fP indicates that the \fISYN\fP flag was set.
982 The packet sequence number was 768512 and it contained no data.
983 (The notation is `first:last(nbytes)' which means `sequence
985 up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
986 There was no piggy-backed ack, the available receive window was 4096
987 bytes and there was a max-segment-size option requesting an mss of
990 Csam replies with a similar packet except it includes a piggy-backed
992 Rtsg then acks csam's SYN.
993 The `.' means the ACK flag was set.
994 The packet contained no data so there is no data sequence number.
995 Note that the ack sequence
996 number is a small integer (1).
997 The first time \fItcpdump\fP sees a
998 tcp `conversation', it prints the sequence number from the packet.
999 On subsequent packets of the conversation, the difference between
1000 the current packet's sequence number and this initial sequence number
1002 This means that sequence numbers after the
1003 first can be interpreted
1004 as relative byte positions in the conversation's data stream (with the
1005 first data byte each direction being `1').
1006 `-S' will override this
1007 feature, causing the original sequence numbers to be output.
1009 On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
1010 in the rtsg \(-> csam side of the conversation).
1011 The PUSH flag is set in the packet.
1012 On the 7th line, csam says it's received data sent by rtsg up to
1013 but not including byte 21.
1014 Most of this data is apparently sitting in the
1015 socket buffer since csam's receive window has gotten 19 bytes smaller.
1016 Csam also sends one byte of data to rtsg in this packet.
1017 On the 8th and 9th lines,
1018 csam sends two bytes of urgent, pushed data to rtsg.
1020 If the snapshot was small enough that \fItcpdump\fP didn't capture
1021 the full TCP header, it interprets as much of the header as it can
1022 and then reports ``[|\fItcp\fP]'' to indicate the remainder could not
1024 If the header contains a bogus option (one with a length
1025 that's either too small or beyond the end of the header), \fItcpdump\fP
1026 reports it as ``[\fIbad opt\fP]'' and does not interpret any further
1027 options (since it's impossible to tell where they start).
1029 length indicates options are present but the IP datagram length is not
1030 long enough for the options to actually be there, \fItcpdump\fP reports
1031 it as ``[\fIbad hdr length\fP]''.
1033 .B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
1035 There are 8 bits in the control bits section of the TCP header:
1037 .I CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
1039 Let's assume that we want to watch packets used in establishing
1041 Recall that TCP uses a 3-way handshake protocol
1042 when it initializes a new connection; the connection sequence with
1043 regard to the TCP control bits is
1049 2) Recipient responds with SYN, ACK
1055 Now we're interested in capturing packets that have only the
1056 SYN bit set (Step 1).
1057 Note that we don't want packets from step 2
1058 (SYN-ACK), just a plain initial SYN.
1059 What we need is a correct filter
1060 expression for \fItcpdump\fP.
1062 Recall the structure of a TCP header without options:
1066 -----------------------------------------------------------------
1067 | source port | destination port |
1068 -----------------------------------------------------------------
1070 -----------------------------------------------------------------
1071 | acknowledgment number |
1072 -----------------------------------------------------------------
1073 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1074 -----------------------------------------------------------------
1075 | TCP checksum | urgent pointer |
1076 -----------------------------------------------------------------
1079 A TCP header usually holds 20 octets of data, unless options are
1081 The first line of the graph contains octets 0 - 3, the
1082 second line shows octets 4 - 7 etc.
1084 Starting to count with 0, the relevant TCP control bits are contained
1089 ----------------|---------------|---------------|----------------
1090 | HL | rsvd |C|E|U|A|P|R|S|F| window size |
1091 ----------------|---------------|---------------|----------------
1092 | | 13th octet | | |
1095 Let's have a closer look at octet no. 13:
1105 These are the TCP control bits we are interested
1107 We have numbered the bits in this octet from 0 to 7, right to
1108 left, so the PSH bit is bit number 3, while the URG bit is number 5.
1110 Recall that we want to capture packets with only SYN set.
1111 Let's see what happens to octet 13 if a TCP datagram arrives
1112 with the SYN bit set in its header:
1123 control bits section we see that only bit number 1 (SYN) is set.
1125 Assuming that octet number 13 is an 8-bit unsigned integer in
1126 network byte order, the binary value of this octet is
1130 and its decimal representation is
1134 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 = 2
1137 We're almost done, because now we know that if only SYN is set,
1138 the value of the 13th octet in the TCP header, when interpreted
1139 as a 8-bit unsigned integer in network byte order, must be exactly 2.
1141 This relationship can be expressed as
1147 We can use this expression as the filter for \fItcpdump\fP in order
1148 to watch packets which have only SYN set:
1151 tcpdump -i xl0 tcp[13] == 2
1154 The expression says "let the 13th octet of a TCP datagram have
1155 the decimal value 2", which is exactly what we want.
1157 Now, let's assume that we need to capture SYN packets, but we
1158 don't care if ACK or any other TCP control bit is set at the
1160 Let's see what happens to octet 13 when a TCP datagram
1161 with SYN-ACK set arrives:
1171 Now bits 1 and 4 are set in the 13th octet.
1177 which translates to decimal
1181 0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2 = 18
1184 Now we can't just use 'tcp[13] == 18' in the \fItcpdump\fP filter
1185 expression, because that would select only those packets that have
1186 SYN-ACK set, but not those with only SYN set.
1187 Remember that we don't care
1188 if ACK or any other control bit is set as long as SYN is set.
1190 In order to achieve our goal, we need to logically AND the
1191 binary value of octet 13 with some other value to preserve
1193 We know that we want SYN to be set in any case,
1194 so we'll logically AND the value in the 13th octet with
1195 the binary value of a SYN:
1199 00010010 SYN-ACK 00000010 SYN
1200 AND 00000010 (we want SYN) AND 00000010 (we want SYN)
1202 = 00000010 = 00000010
1205 We see that this AND operation delivers the same result
1206 regardless whether ACK or another TCP control bit is set.
1207 The decimal representation of the AND value as well as
1208 the result of this operation is 2 (binary 00000010),
1209 so we know that for packets with SYN set the following
1210 relation must hold true:
1212 ( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )
1214 This points us to the \fItcpdump\fP filter expression
1217 tcpdump -i xl0 'tcp[13] & 2 == 2'
1220 Some offsets and field values may be expressed as names
1221 rather than as numeric values. For example tcp[13] may
1222 be replaced with tcp[tcpflags]. The following TCP flag
1223 field values are also available: tcp-fin, tcp-syn, tcp-rst,
1224 tcp-push, tcp-act, tcp-urg.
1226 This can be demonstrated as:
1229 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
1232 Note that you should use single quotes or a backslash
1233 in the expression to hide the AND ('&') special character
1239 UDP format is illustrated by this rwho packet:
1243 \f(CWactinide.who > broadcast.who: udp 84\fP
1247 This says that port \fIwho\fP on host \fIactinide\fP sent a udp
1248 datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
1250 The packet contained 84 bytes of user data.
1252 Some UDP services are recognized (from the source or destination
1253 port number) and the higher level protocol information printed.
1254 In particular, Domain Name service requests (RFC-1034/1035) and Sun
1255 RPC calls (RFC-1050) to NFS.
1257 UDP Name Server Requests
1259 \fI(N.B.:The following description assumes familiarity with
1260 the Domain Service protocol described in RFC-1035.
1261 If you are not familiar
1262 with the protocol, the following description will appear to be written
1265 Name server requests are formatted as
1269 \fIsrc > dst: id op? flags qtype qclass name (len)\fP
1271 \f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
1275 Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
1276 address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
1277 The query id was `3'.
1278 The `+' indicates the \fIrecursion desired\fP flag
1280 The query length was 37 bytes, not including the UDP and
1281 IP protocol headers.
1282 The query operation was the normal one, \fIQuery\fP,
1283 so the op field was omitted.
1284 If the op had been anything else, it would
1285 have been printed between the `3' and the `+'.
1286 Similarly, the qclass was the normal one,
1287 \fIC_IN\fP, and omitted.
1288 Any other qclass would have been printed
1289 immediately after the `A'.
1291 A few anomalies are checked and may result in extra fields enclosed in
1292 square brackets: If a query contains an answer, authority records or
1293 additional records section,
1298 are printed as `[\fIn\fPa]', `[\fIn\fPn]' or `[\fIn\fPau]' where \fIn\fP
1299 is the appropriate count.
1300 If any of the response bits are set (AA, RA or rcode) or any of the
1301 `must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
1302 is printed, where \fIx\fP is the hex value of header bytes two and three.
1304 UDP Name Server Responses
1306 Name server responses are formatted as
1310 \fIsrc > dst: id op rcode flags a/n/au type class data (len)\fP
1312 \f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
1313 helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
1317 In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
1318 with 3 answer records, 3 name server records and 7 additional records.
1319 The first answer record is type A (address) and its data is internet
1320 address 128.32.137.3.
1321 The total size of the response was 273 bytes,
1322 excluding UDP and IP headers.
1323 The op (Query) and response code
1324 (NoError) were omitted, as was the class (C_IN) of the A record.
1326 In the second example, \fIhelios\fP responds to query 2 with a
1327 response code of non-existent domain (NXDomain) with no answers,
1328 one name server and no authority records.
1329 The `*' indicates that
1330 the \fIauthoritative answer\fP bit was set.
1332 answers, no type, class or data were printed.
1334 Other flag characters that might appear are `\-' (recursion available,
1335 RA, \fInot\fP set) and `|' (truncated message, TC, set).
1337 `question' section doesn't contain exactly one entry, `[\fIn\fPq]'
1342 \fItcpdump\fP now includes fairly extensive SMB/CIFS/NBT decoding for data
1343 on UDP/137, UDP/138 and TCP/139.
1344 Some primitive decoding of IPX and
1345 NetBEUI SMB data is also done.
1347 By default a fairly minimal decode is done, with a much more detailed
1348 decode done if -v is used.
1349 Be warned that with -v a single SMB packet
1350 may take up a page or more, so only use -v if you really want all the
1353 For information on SMB packet formats and what all the fields mean see
1354 www.cifs.org or the pub/samba/specs/ directory on your favorite
1355 samba.org mirror site.
1356 The SMB patches were written by Andrew Tridgell
1359 NFS Requests and Replies
1361 Sun NFS (Network File System) requests and replies are printed as:
1365 \fIsrc.xid > dst.nfs: len op args\fP
1366 \fIsrc.nfs > dst.xid: reply stat len op results\fP
1369 sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
1370 wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
1371 sushi.201b > wrl.nfs:
1372 144 lookup fh 9,74/4096.6878 "xcolors"
1373 wrl.nfs > sushi.201b:
1374 reply ok 128 lookup fh 9,74/4134.3150
1379 In the first line, host \fIsushi\fP sends a transaction with id \fI6709\fP
1380 to \fIwrl\fP (note that the number following the src host is a
1381 transaction id, \fInot\fP the source port).
1382 The request was 112 bytes,
1383 excluding the UDP and IP headers.
1384 The operation was a \fIreadlink\fP
1385 (read symbolic link) on file handle (\fIfh\fP) 21,24/10.731657119.
1386 (If one is lucky, as in this case, the file handle can be interpreted
1387 as a major,minor device number pair, followed by the inode number and
1389 \fIWrl\fP replies `ok' with the contents of the link.
1391 In the third line, \fIsushi\fP asks \fIwrl\fP to lookup the name
1392 `\fIxcolors\fP' in directory file 9,74/4096.6878.
1393 Note that the data printed
1394 depends on the operation type.
1395 The format is intended to be self
1396 explanatory if read in conjunction with
1397 an NFS protocol spec.
1399 If the \-v (verbose) flag is given, additional information is printed.
1405 sushi.1372a > wrl.nfs:
1406 148 read fh 21,11/12.195 8192 bytes @ 24576
1407 wrl.nfs > sushi.1372a:
1408 reply ok 1472 read REG 100664 ids 417/0 sz 29388
1413 (\-v also prints the IP header TTL, ID, length, and fragmentation fields,
1414 which have been omitted from this example.) In the first line,
1415 \fIsushi\fP asks \fIwrl\fP to read 8192 bytes from file 21,11/12.195,
1416 at byte offset 24576.
1417 \fIWrl\fP replies `ok'; the packet shown on the
1418 second line is the first fragment of the reply, and hence is only 1472
1419 bytes long (the other bytes will follow in subsequent fragments, but
1420 these fragments do not have NFS or even UDP headers and so might not be
1421 printed, depending on the filter expression used).
1422 Because the \-v flag
1423 is given, some of the file attributes (which are returned in addition
1424 to the file data) are printed: the file type (``REG'', for regular file),
1425 the file mode (in octal), the uid and gid, and the file size.
1427 If the \-v flag is given more than once, even more details are printed.
1429 Note that NFS requests are very large and much of the detail won't be printed
1430 unless \fIsnaplen\fP is increased.
1431 Try using `\fB\-s 192\fP' to watch
1434 NFS reply packets do not explicitly identify the RPC operation.
1436 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
1437 replies using the transaction ID.
1438 If a reply does not closely follow the
1439 corresponding request, it might not be parsable.
1441 AFS Requests and Replies
1443 Transarc AFS (Andrew File System) requests and replies are printed
1449 \fIsrc.sport > dst.dport: rx packet-type\fP
1450 \fIsrc.sport > dst.dport: rx packet-type service call call-name args\fP
1451 \fIsrc.sport > dst.dport: rx packet-type service reply call-name args\fP
1454 elvis.7001 > pike.afsfs:
1455 rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
1456 new fid 536876964/1/1 ".newsrc"
1457 pike.afsfs > elvis.7001: rx data fs reply rename
1462 In the first line, host elvis sends a RX packet to pike.
1464 a RX data packet to the fs (fileserver) service, and is the start of
1466 The RPC call was a rename, with the old directory file id
1467 of 536876964/1/1 and an old filename of `.newsrc.new', and a new directory
1468 file id of 536876964/1/1 and a new filename of `.newsrc'.
1470 responds with a RPC reply to the rename call (which was successful, because
1471 it was a data packet and not an abort packet).
1473 In general, all AFS RPCs are decoded at least by RPC call name.
1475 AFS RPCs have at least some of the arguments decoded (generally only
1476 the `interesting' arguments, for some definition of interesting).
1478 The format is intended to be self-describing, but it will probably
1479 not be useful to people who are not familiar with the workings of
1482 If the -v (verbose) flag is given twice, acknowledgement packets and
1483 additional header information is printed, such as the the RX call ID,
1484 call number, sequence number, serial number, and the RX packet flags.
1486 If the -v flag is given twice, additional information is printed,
1487 such as the the RX call ID, serial number, and the RX packet flags.
1488 The MTU negotiation information is also printed from RX ack packets.
1490 If the -v flag is given three times, the security index and service id
1493 Error codes are printed for abort packets, with the exception of Ubik
1494 beacon packets (because abort packets are used to signify a yes vote
1495 for the Ubik protocol).
1497 Note that AFS requests are very large and many of the arguments won't
1498 be printed unless \fIsnaplen\fP is increased.
1499 Try using `\fB-s 256\fP'
1500 to watch AFS traffic.
1502 AFS reply packets do not explicitly identify the RPC operation.
1504 \fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
1505 replies using the call number and service ID.
1506 If a reply does not closely
1508 corresponding request, it might not be parsable.
1511 KIP AppleTalk (DDP in UDP)
1513 AppleTalk DDP packets encapsulated in UDP datagrams are de-encapsulated
1514 and dumped as DDP packets (i.e., all the UDP header information is
1518 is used to translate AppleTalk net and node numbers to names.
1519 Lines in this file have the form
1531 The first two lines give the names of AppleTalk networks.
1533 line gives the name of a particular host (a host is distinguished
1534 from a net by the 3rd octet in the number \-
1535 a net number \fImust\fP have two octets and a host number \fImust\fP
1536 have three octets.) The number and name should be separated by
1537 whitespace (blanks or tabs).
1540 file may contain blank lines or comment lines (lines starting with
1543 AppleTalk addresses are printed in the form
1549 \f(CW144.1.209.2 > icsd-net.112.220
1550 office.2 > icsd-net.112.220
1551 jssmag.149.235 > icsd-net.2\fR
1557 doesn't exist or doesn't contain an entry for some AppleTalk
1558 host/net number, addresses are printed in numeric form.)
1559 In the first example, NBP (DDP port 2) on net 144.1 node 209
1560 is sending to whatever is listening on port 220 of net icsd node 112.
1561 The second line is the same except the full name of the source node
1562 is known (`office').
1563 The third line is a send from port 235 on
1564 net jssmag node 149 to broadcast on the icsd-net NBP port (note that
1565 the broadcast address (255) is indicated by a net name with no host
1566 number \- for this reason it's a good idea to keep node names and
1567 net names distinct in /etc/atalk.names).
1569 NBP (name binding protocol) and ATP (AppleTalk transaction protocol)
1570 packets have their contents interpreted.
1571 Other protocols just dump
1572 the protocol name (or number if no name is registered for the
1573 protocol) and packet size.
1575 \fBNBP packets\fP are formatted like the following examples:
1579 \s-2\f(CWicsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
1580 jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
1581 techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186\fR\s+2
1585 The first line is a name lookup request for laserwriters sent by net icsd host
1586 112 and broadcast on net jssmag.
1587 The nbp id for the lookup is 190.
1588 The second line shows a reply for this request (note that it has the
1589 same id) from host jssmag.209 saying that it has a laserwriter
1590 resource named "RM1140" registered on port 250.
1592 another reply to the same request saying host techpit has laserwriter
1593 "techpit" registered on port 186.
1595 \fBATP packet\fP formatting is demonstrated by the following example:
1599 \s-2\f(CWjssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
1600 helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
1601 helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
1602 helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
1603 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1604 helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
1605 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1606 helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
1607 helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
1608 jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
1609 helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
1610 helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
1611 jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
1612 jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002\fR\s+2
1616 Jssmag.209 initiates transaction id 12266 with host helios by requesting
1617 up to 8 packets (the `<0-7>').
1618 The hex number at the end of the line
1619 is the value of the `userdata' field in the request.
1621 Helios responds with 8 512-byte packets.
1622 The `:digit' following the
1623 transaction id gives the packet sequence number in the transaction
1624 and the number in parens is the amount of data in the packet,
1625 excluding the atp header.
1626 The `*' on packet 7 indicates that the
1629 Jssmag.209 then requests that packets 3 & 5 be retransmitted.
1631 resends them then jssmag.209 releases the transaction.
1633 jssmag.209 initiates the next request.
1634 The `*' on the request
1635 indicates that XO (`exactly once') was \fInot\fP set.
1640 Fragmented Internet datagrams are printed as
1644 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB+)\fR
1645 \fB(frag \fIid\fB:\fIsize\fB@\fIoffset\fB)\fR
1649 (The first form indicates there are more fragments.
1651 indicates this is the last fragment.)
1653 \fIId\fP is the fragment id.
1654 \fISize\fP is the fragment
1655 size (in bytes) excluding the IP header.
1656 \fIOffset\fP is this
1657 fragment's offset (in bytes) in the original datagram.
1659 The fragment information is output for each fragment.
1661 fragment contains the higher level protocol header and the frag
1662 info is printed after the protocol info.
1664 after the first contain no higher level protocol header and the
1665 frag info is printed after the source and destination addresses.
1666 For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa
1667 over a CSNET connection that doesn't appear to handle 576 byte datagrams:
1671 \s-2\f(CWarizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
1672 arizona > rtsg: (frag 595a:204@328)
1673 rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560\fP\s+2
1677 There are a couple of things to note here: First, addresses in the
1678 2nd line don't include port numbers.
1679 This is because the TCP
1680 protocol information is all in the first fragment and we have no idea
1681 what the port or sequence numbers are when we print the later fragments.
1682 Second, the tcp sequence information in the first line is printed as if there
1683 were 308 bytes of user data when, in fact, there are 512 bytes (308 in
1684 the first frag and 204 in the second).
1685 If you are looking for holes
1686 in the sequence space or trying to match up acks
1687 with packets, this can fool you.
1689 A packet with the IP \fIdon't fragment\fP flag is marked with a
1690 trailing \fB(DF)\fP.
1694 By default, all output lines are preceded by a timestamp.
1696 is the current clock time in the form
1702 and is as accurate as the kernel's clock.
1703 The timestamp reflects the time the kernel first saw the packet.
1705 is made to account for the time lag between when the
1706 Ethernet interface removed the packet from the wire and when the kernel
1707 serviced the `new packet' interrupt.
1709 stty(1), pcap(3), bpf(4), pcap-savefile(@MAN_FILE_FORMATS@),
1710 pcap-filter(@MAN_MISC_INFO@), pcap-tstamp-type(@MAN_MISC_INFO@)
1712 The original authors are:
1716 Steven McCanne, all of the
1717 Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
1719 It is currently being maintained by tcpdump.org.
1721 The current version is available via http:
1724 .I http://www.tcpdump.org/
1727 The original distribution is available via anonymous ftp:
1730 .I ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
1733 IPv6/IPsec support is added by WIDE/KAME project.
1734 This program uses Eric Young's SSLeay library, under specific configurations.
1736 Please send problems, bugs, questions, desirable enhancements, patches
1740 tcpdump-workers@lists.tcpdump.org
1743 NIT doesn't let you watch your own outbound traffic, BPF will.
1744 We recommend that you use the latter.
1746 On Linux systems with 2.0[.x] kernels:
1748 packets on the loopback device will be seen twice;
1750 packet filtering cannot be done in the kernel, so that all packets must
1751 be copied from the kernel in order to be filtered in user mode;
1753 all of a packet, not just the part that's within the snapshot length,
1754 will be copied from the kernel (the 2.0[.x] packet capture mechanism, if
1755 asked to copy only part of a packet to userland, will not report the
1756 true length of the packet; this would cause most IP packets to get an
1760 capturing on some PPP devices won't work correctly.
1762 We recommend that you upgrade to a 2.2 or later kernel.
1764 Some attempt should be made to reassemble IP fragments or, at least
1765 to compute the right length for the higher level protocol.
1767 Name server inverse queries are not dumped correctly: the (empty)
1768 question section is printed rather than real query in the answer
1770 Some believe that inverse queries are themselves a bug and
1771 prefer to fix the program generating them rather than \fItcpdump\fP.
1773 A packet trace that crosses a daylight savings time change will give
1774 skewed time stamps (the time change is ignored).
1776 Filter expressions on fields other than those in Token Ring headers will
1777 not correctly handle source-routed Token Ring packets.
1779 Filter expressions on fields other than those in 802.11 headers will not
1780 correctly handle 802.11 data packets with both To DS and From DS set.
1783 should chase header chain, but at this moment it does not.
1784 .BR "ip6 protochain"
1785 is supplied for this behavior.
1787 Arithmetic expression against transport layer headers, like \fBtcp[0]\fP,
1788 does not work against IPv6 packets.
1789 It only looks at IPv4 packets.