NAME
tcpdump - dump traffic on a network
RESTRICTIONS IN NIOS EXPERT MODE
tcpdump can access the LAN1, LAN2, MGMT and HA ports.
tcpdump -D shows the names of the interfaces.
The “any”, “tun*” and loopback “lo” interfaces cannot be accessed.
The following options are not allowed:
-C <file_size>: specifies file size.
-F <file>: uses file as input for the filter expression.
-G <rotate>: rotates dump file.
-m <file>: loads SMI MIB module.
-r <file>: reads packets from file.
-U: makes output saved via the -w option “packet-buffered”.
-w <file>: writes raw packets to file.
-W <filecount>: limits the number of files.
-z <file>: runs command file.
-Z <userid>: drops privileges to specified user id.
On an Infoblox-4030 appliance, you can only run one instance of tcpdump. You will
get an error message if you run multiple instances of tcpdump.
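The restrictions above can be checked before a command is typed into the appliance CLI. The following is an added example, not part of the Infoblox or tcpdump documentation: check_tcpdump is a hypothetical helper, the set of argument-taking options is taken from the SYNOPSIS on this page, and the sample commands (including the interface name eth1) are constructed.

```python
import shlex

# Options the RESTRICTIONS section lists as not allowed in NIOS expert mode.
DISALLOWED = set("CFGmrUwWzZ")
# Options that consume an argument: those in the SYNOPSIS on this page,
# plus the disallowed ones that the page shows with a <value>.
TAKES_ARG = set("BcimMsTEy") | set("CFGrwWzZ")


def check_tcpdump(cmdline):
    """Return a list of restriction findings for one tcpdump command line."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0] == "tcpdump":
        tokens = tokens[1:]
    findings = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "--":
            break  # everything after this is the filter expression
        if tok[:1] in ("\u2013", "\u2014"):
            # Option copied from formatted text with an en/em dash.
            findings.append(f"{tok}: typographic dash, retype the option with '-'")
            continue
        if not tok.startswith("-") or len(tok) < 2:
            continue  # expression word; keep scanning in case options follow
        # Walk a cluster such as -nvi or -nw: each letter is one option.
        for pos in range(1, len(tok)):
            opt, arg = tok[pos], None
            if opt in TAKES_ARG:
                # Argument is the rest of the cluster, else the next token.
                arg = tok[pos + 1:] or (tokens[i] if i < len(tokens) else None)
                if not tok[pos + 1:]:
                    i += 1
            if opt in DISALLOWED:
                findings.append(f"-{opt}: option not allowed in expert mode")
            if opt == "i" and arg is not None:
                if arg in ("any", "lo") or arg.startswith("tun"):
                    findings.append(f"-i {arg}: interface cannot be accessed")
            if opt in TAKES_ARG:
                break  # the remainder of the cluster was the argument


    return findings


if __name__ == "__main__":
    # Constructed sample commands, not taken from the page.
    for cmd in ("tcpdump -n -i eth1 -c 100 port 53", "tcpdump -nw /tmp/x.pcap -i any"):
        print(cmd, "->", check_tcpdump(cmd) or "ok")
```

An empty list means the command uses none of the listed options or interfaces; the interface names the appliance accepts still come from tcpdump -D.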
SYNOPSIS
tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -s snaplen ] [ -T type ]
[ -E spi@ipaddr algo:secret,...]
[ -y datalinktype ]
[ expression ]
DESCRIPTION
Tcpdump prints out a description of the contents of packets on a network
interface that match the boolean expression.
Only packets that match expression will be processed by
tcpdump.
...
Reading packets from a network interface may require that you have special
privileges; see the pcap (3PCAP) man page for details. Reading a
saved packet file doesn’t require special privileges.
OPTIONS
-A Print each packet (minus its link level header) in ASCII. Handy
for capturing web pages.
-B Set the operating system capture buffer size to buffer_size.
-c Exit after receiving count packets.
-d Dump the compiled packet-matching code in a human readable form
to standard output and stop.
-dd Dump packet-matching code as a C program fragment.
-ddd Dump packet-matching code as decimal numbers (preceded with a
count).
-D Print the list of the network interfaces available on the system
and on which tcpdump can capture packets. For each network
interface, a number and an interface name, possibly followed by
a text description of the interface, is printed. The interface
name or the number can be supplied to the -i flag to specify an
interface on which to capture.
This can be useful on systems that don’t have a command to list
them (e.g., Windows systems, or UNIX systems lacking ifconfig
-a); the number can be useful on Windows 2000 and later systems,
where the interface name is a somewhat complex string.
...
This flag will affect the output of the -L flag. If -I isn’t
specified, only those link-layer types available when not in
monitor mode will be shown; if -I is specified, only those link-layer
types available when in monitor mode will be shown.
-K Don’t attempt to verify IP, TCP, or UDP checksums. This is useful
for interfaces that perform some or all of those checksum
calculations in hardware; otherwise, all outgoing TCP checksums
will be flagged as bad.
-l Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
“tcpdump -l | tee dat” or “tcpdump -l >
dat & tail -f dat”.
...
To print all ICMP packets that are not echo requests/replies (i.e., not
ping packets):
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
OUTPUT FORMAT
The output of tcpdump is protocol dependent. The following gives a
brief description and examples of most of the formats.
...
By default, all output lines are preceded by a timestamp. The timestamp
is the current clock time in the form
hh:mm:ss.frac
and is as accurate as the kernel’s clock. The timestamp reflects the
time the kernel first saw the packet. No attempt is made to account
for the time lag between when the Ethernet interface removed the packet
from the wire and when the kernel serviced the ’new packet’ interrupt.
SEE ALSO
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(5), pcap-filter(7)
AUTHORS
The original authors are:
...
IPv6/IPsec support is added by WIDE/KAME project. This program uses
Eric Young’s SSLeay library, under specific configurations.
BUGS
Please send problems, bugs, questions, desirable enhancements, patches
etc. to:
tcpdump-workers@lists.tcpdump.org
...