--- tcpdump.1.orig Sun Jul 14 19:45:04 1996 +++ tcpdump.1 Mon Sep 14 20:03:37 1998 @@ -20,12 +20,12 @@ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" -.TH TCPDUMP 1 "14 July 1996" +.TH SMBTCPDUMP 1 "14 July 1996" .SH NAME -tcpdump \- dump traffic on a network +smbtcpdump \- dump traffic on a network (supports SMB related protocols) .SH SYNOPSIS .na -.B tcpdump +.B smbtcpdump [ .B \-deflnNOpqStvx ] [ @@ -65,11 +65,20 @@ .ad .SH DESCRIPTION .LP -\fITcpdump\fP prints out the headers of packets on a network interface -that match the boolean \fIexpression\fP. +\fIsmbTcpdump\fP prints out the headers of packets on a network interface +that match the boolean \fIexpression\fP. The easiest way to capture +SMB related traffic is to envoke +.I smbtcpdump +as: +.in +.5i +.nf +\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR +.fi +.in -.5i +.LP .B Under SunOS with nit or bpf: To run -.I tcpdump +.I smbtcpdump you must have read access to .I /dev/net or @@ -86,7 +95,7 @@ promiscuous-mode operation using .IR pfconfig (8), any user may run -.BR tcpdump . +.BR smbtcpdump . .B Under BSD: You must have read access to .IR /dev/bpf* . @@ -122,7 +131,7 @@ .TP .B \-i Listen on \fIinterface\fP. -If unspecified, \fItcpdump\fP searches the system interface list for the +If unspecified, \fIsmbtcpdump\fP searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match. .TP 
@@ -130,15 +139,15 @@ Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., .br -``tcpdump\ \ \-l\ \ |\ \ tee dat'' or -``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. +``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or +``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''. .TP .B \-n Don't convert addresses (i.e., host addresses, port numbers, etc.) to names. .TP .B \-N Don't print domain name qualification of host names. E.g., -if you give this flag then \fItcpdump\fP will print ``nic'' +if you give this flag then \fIsmbtcpdump\fP will print ``nic'' instead of ``nic.ddn.mil''. .TP .B \-O @@ -430,7 +439,7 @@ [In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. -\fITcpdump\fP assumes, when filtering on the protocol identifier, +\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.] .IP "\fBdecnet src \fIhost\fR" @@ -462,7 +471,7 @@ .in -.5i where \fIp\fR is one of the above protocols. Note that -\fItcpdump\fP does not currently know how to parse these protocols. +\fIsmbtcpdump\fP does not currently know how to parse these protocols. .IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" Abbreviations for: .in +.5i @@ -541,7 +550,7 @@ .fi .in -.5i .LP -Expression arguments can be passed to tcpdump as either a single argument +Expression arguments can be passed to smbtcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. 
@@ -551,21 +560,21 @@ To print all packets arriving at or departing from \fIsundown\fP: .RS .nf -\fBtcpdump host sundown\fP +\fBsmbtcpdump host sundown\fP .fi .RE .LP To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR: .RS .nf -\fBtcpdump host helios and \\( hot or ace \\)\fP +\fBsmbtcpdump host helios and \\( hot or ace \\)\fP .fi .RE .LP To print all IP packets between \fIace\fR and any host except \fIhelios\fR: .RS .nf -\fBtcpdump ip host ace and not helios\fP +\fBsmbtcpdump ip host ace and not helios\fP .fi .RE .LP @@ -573,7 +582,7 @@ .RS .nf .B -tcpdump net ucb-ether +smbtcpdump net ucb-ether .fi .RE .LP @@ -583,7 +592,7 @@ .RS .nf .B -tcpdump 'gateway snup and (port ftp or ftp-data)' +smbtcpdump 'gateway snup and (port ftp or ftp-data)' .fi .RE .LP @@ -593,7 +602,7 @@ .RS .nf .B -tcpdump ip and not net \fIlocalnet\fP +smbtcpdump ip and not net \fIlocalnet\fP .fi .RE .LP @@ -602,7 +611,7 @@ .RS .nf .B -tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP' +smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP' .fi .RE .LP @@ -610,7 +619,7 @@ .RS .nf .B -tcpdump 'gateway snup and ip[2:2] > 576' +smbtcpdump 'gateway snup and ip[2:2] > 576' .fi .RE .LP @@ -620,7 +629,7 @@ .RS .nf .B -tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' +smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224' .fi .RE .LP @@ -629,12 +638,12 @@ .RS .nf .B -tcpdump 'icmp[0] != 8 and icmp[0] != 0" +smbtcpdump 'icmp[0] != 8 and icmp[0] != 0" .fi .RE .SH OUTPUT FORMAT .LP -The output of \fItcpdump\fP is protocol dependent. The following +The output of \fIsmbtcpdump\fP is protocol dependent. The following gives a brief description and examples of most of the formats. .de HD .sp 1.5 
@@ -647,7 +656,7 @@ On ethernets, the source and destination addresses, protocol, and packet length are printed. .LP -On FDDI networks, the '-e' option causes \fItcpdump\fP to print +On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such @@ -707,7 +716,7 @@ replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case). .LP -This would look less redundant if we had done \fBtcpdump \-n\fP: +This would look less redundant if we had done \fBsmbtcpdump \-n\fP: .RS .nf .sp .5 @@ -716,7 +725,7 @@ .fi .RE .LP -If we had done \fBtcpdump \-e\fP, the fact that the first packet is +If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is broadcast and the second is point-to-point would be visible: .RS .nf @@ -734,7 +743,7 @@ .LP \fI(N.B.:The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar -with the protocol, neither this description nor tcpdump will +with the protocol, neither this description nor smbtcpdump will be of much use to you.)\fP .LP The general format of a tcp protocol line is: @@ -794,7 +803,7 @@ flags were set. The packet contained no data so there is no data sequence number. Note that the ack sequence -number is a small integer (1). The first time \fBtcpdump\fP sees a +number is a small integer (1). The first time \fBsmbtcpdump\fP sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number 
@@ -982,7 +991,7 @@ NFS traffic. .LP NFS reply packets do not explicitly identify the RPC operation. Instead, -\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the +\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable. .HD @@ -1170,12 +1179,13 @@ Steven McCanne (mccanne@ee.lbl.gov), all of the Lawrence Berkeley Laboratory, University of California, Berkeley, CA. .SH BUGS -Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov. +This is a modified version of tcpdump. Please do not bother the tcpdump +authors with bug reports. .LP NIT doesn't let you watch your own outbound traffic, BPF will. We recommend that you use the latter. .LP -\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel +\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel has to have been built with the \fIpacketfilter\fP pseudo-device driver (see .IR packetfilter (4)). @@ -1190,7 +1200,7 @@ you're monitoring a busy network. .LP On Sun systems prior to release 3.2, NIT is very buggy. -If run on an old system, tcpdump may crash the machine. +If run on an old system, smbtcpdump may crash the machine. .LP Some attempt should be made to reassemble IP fragments or, at least to compute the right length for the higher level protocol. @@ -1198,7 +1208,7 @@ Name server inverse queries are not dumped correctly: The (empty) question section is printed rather than real query in the answer section. Some believe that inverse queries are themselves a bug and -prefer to fix the program generating them rather than tcpdump. +prefer to fix the program generating them rather than smbtcpdump. .LP Apple Ethertalk DDP packets could be dumped as easily as KIP DDP packets but aren't.
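Review bot: the `.TH` date in the @@ -20,12 +20,12 @@ hunk is left at "14 July 1996" even though the page content changes and the patched file is dated Sep 1998; update the date argument of `.TH SMBTCPDUMP 1 "14 July 1996"` to the revision date so the page footer reflects the modified manual. The NAME line would also read better hyphenated: `smbtcpdump \- dump traffic on a network (supports SMB-related protocols)`.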
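Review bot: typo in the @@ -65,11 +65,20 @@ hunk: "envoke" should be "invoke", and `\fIsmbTcpdump\fP` mixes case while every other new occurrence in the patch is the all-lowercase `smbtcpdump`. The added example `smbtcpdump -s 1500 'port 139 and host foo'` passes `-s 1500` without saying why; one sentence stating that a larger snapshot length is needed so the SMB payload is captured in full and can be decoded would tell the reader which part of the command matters, and naming `foo` as a placeholder for the server being watched would make the example self-explanatory.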
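Review bot: `\fIsmbTcpdump\fP` in the @@ -430,7 +439,7 @@ hunk (FDDI paragraph) keeps the capital T of the original `\fITcpdump\fP`, giving a mixed-case program name; use `\fIsmbtcpdump\fP` as in the rest of the patch, or `\fISmbtcpdump\fP` if sentence-initial capitalisation is wanted.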
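Review bot: the @@ -629,12 +638,12 @@ hunk carries over the pre-existing mismatched quoting in `smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"` (opened with `'`, closed with `"`); since the line is being rewritten anyway, close it with `'` so the example is copy-pasteable like the other examples in that section.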
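Review bot: the @@ -1170,12 +1179,13 @@ hunk removes the upstream bug-report addresses but names no replacement, so a user of the modified program has nowhere to send a report; add the maintainer contact for this version (placeholder: `<maintainer address>`) and prefer a neutral wording, e.g. `This is a modified version of tcpdump; please report bugs to <maintainer address> rather than to the tcpdump authors.`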