HELPLIB.HLB  —  tcpdump
    Provides dump analysis and packet capturing.

    Format

      tcpdump  ["-B" | d | e | f | l | m | n | "-N" | "-O" | q | s |

               "-S" | t | v | x | "-X"]

               [-b buffers]

               [-c count]

               [-F file]

               [-r file]

               [-s snaplen]

               [-w file] expression

1  –  Description

    The tcpdump utility displays the headers and contents of packets
    on the network that match a boolean expression (filter). If
    no filter is supplied all packets processed by tcpdump will be
    displayed. The the packets that are processed can also be written
    to a binary file for later examination and filtering.

    For complete information about using tcpdump, refer to the HP
    TCP/IP Services for OpenVMS Tuning and Troubleshooting guide.

2  –  Parameters

 expression

    A boolean expression that provides a filter to select the packets
    to dump. If you do not specify the expression, all packets on
    the network are dumped. Otherwise, only packets that match the
    expression are dumped.

    For information about specifying expressions, see the HP TCP/IP
    Services for OpenVMS Tuning and Troubleshooting guide.

3  –  Options

 -b

    Specifies the number of buffers used to communicate with the
    TCP/IP kernel. The default is 400 on Alpha systems and 50 on VAX
    systems.

 "-B"

    Displays buffer diagnostics showing when dropped packets occur.
    Use quotation marks to preserve the case of uppercase options.

 -c

    Exits after receiving count packets.

 -d

    Dumps the compiled packet-matching code to standard output and
    stops.

 -e

    Displays the link-level header on each dump line.

 -f

    Displays foreign internet addresses numerically rather than
    symbolically.

 "-F" file

    Uses file as input for the filter expression. Any additional
    expressions on the command line are ignored. Use quotation marks
    to preserve the case of uppercase options.

 -l

    Buffers the stdout line. This is useful if you want to see the
    data while capturing it.

 -m

    Enables multiline output from some protocols. This affects most
    ONC RPC decoding, as those protocols are often difficult to
    display on a single line.

 -n

    Does not convert addresses (for example, host addresses and port
    numbers) to names.

 "-N"

    Does not display domain name qualification of host names.
    For example, with this option, tcpdump displays nic instead
    of nic.ddn.mil. Use quotation marks to preserve the case of
    uppercase options.

 "-O"

    Does not run the packet-matching code optimizer. This is useful
    only if you suspect a bug in the optimizer. Use quotation marks
    to preserve the case of uppercase options.

 -q

    Quick (quiet) output. Displays less protocol information so
    output line are shorter.

 -r file

    Reads packets from file (which was created with the -w option).
    Standard input is used if a hyphen (-) is used to specify the
    file.

 -s snaplen

    Displays the number of bytes of data from each packet as
    specified by the value of snaplen, rather than the default of
    68. The default of 68 bytes is adequate for IP, ICMP, TCP, and
    UDP, but may truncate protocol information from name server and
    NFS packets. Packets truncated because of a limited snapshot are
    indicated in the output with [|proto], where proto is the name of
    the protocol level at which the truncation has occurred.

                                   NOTE

       Taking larger snapshots both increases the amount of time it
       takes to process packets and decreases the amount of packet
       buffering. This may cause packets to be lost. You should
       limit the value of snaplen to the smallest number that will
       capture the protocol information you need.

 "-S"

    Displays absolute, rather than relative, TCP sequence numbers.
    Use quotation marks to preserve the case of uppercase options.

 -t

    Does not display a timestamp on each dump line.

 -tt

    Displays an unformatted timestamp on each dump line.

 -v

    Displays verbose output. For example, the time to live and type
    of service information in an IP packet is displayed. If -m is
    also specified, ONC RPC packets sent using TCP are decoded
    twice: first as RPC, then as TCP. By default, the TCP decoding
    is suppressed.

 -vv

    Displays detailed verbose output. For example, additional fields
    are displayed from NFS reply packets.

 -w file

    Writes the raw packets to file rather than parsing and displaying
    them. They can later be displayed with the -r option. Standard
    output is used if a hyphen (-) is used to specify the file.

 -x

    Displays each packet (minus its link level header) in hexadecimal
    format.

    The smaller of the entire packet or snaplen bytes is displayed.

 "-X"

    Displays packets in both hexadecimal and ASCII formats. Use
    quotation marks to preserve the case of uppercase options.

4  –  Examples

    1.$ tcpdump host sundown

      This example shows how to use the tcpdump utility to display
      all packets arriving at or departing from host sundown.

    2.$ tcpdump host sundown and ( hot or ace )

      This example shows how to use the tcpdump utility to display
      traffic between sundown and either host hot or host ace.

    3.$ tcpdump ip host ace and not helios

      This example shows how to use the tcpdump utility to display
      all IP packets between ace and any host except helios.

    4.$ tcpdump net office

      This example shows how to use the tcpdump utility to display
      all traffic between local hosts and hosts on the network
      office.

    5.$ tcpdump gateway snup and (port 21 or 20)

      This example shows how to use the tcpdump utility to display
      all FTP traffic through Internet gateway snup.

    6.$ tcpdump ip and not net localnet

      This example shows how to use the tcpdump utility to display
      traffic neither sourced from nor destined for local hosts. If
      your network is connected to one other network by a gateway,
      this command does not produce any results on your local
      network.

    7.$ tcpdump tcp[13] & 3 != 0 and not src and dst net localnet

      This example shows how to use the tcpdump utility to display
      the start and end packets (the SYN and FIN packets) of each TCP
      conversation that involves a nonlocal host.

    8.$ tcpdump gateway snup and ip[2:2] > 576

      This example shows how to use the tcpdump utility to display IP
      packets longer than 576 bytes sent through gateway snup.

    9.$ tcpdump ether[0] & 1 = 0 and ip[16] >= 224

      This example shows how to use the tcpdump utility to display
      IP broadcast or multicast packets that were not sent using
      Ethernet broadcast or multicast.

    10$ tcpdump icmp[0] != 8 and icmp[0] != 0

      This example shows how to use the tcpdump utility to display
      all ICMP packets that are not echo requests or replies (that
      is, not PING packets).

    11$ tcpdump -s 1500 -envv ip6 and udp port 521

      This example shows how to use the tcpdump utility to display
      all RIPv6 packets.

    12$ tcpdump -s 1500 -envv ip6 and ether host a:b:c:d:e:f

      This example shows how to use the tcpdump utility to display
      all IPv6 packets arriving at or departing from a host with the
      Ethernet address a:b:c:d:e:f.
Close Help