1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-11-13 23:36:08 +00:00
freebsd-ports/net/smbtcpdump/files/patch-01
1998-09-15 03:06:26 +00:00

289 lines
8.7 KiB
Plaintext

--- tcpdump.1.orig Sun Jul 14 19:45:04 1996
+++ tcpdump.1 Mon Sep 14 20:03:37 1998
@@ -20,12 +20,12 @@
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
-.TH TCPDUMP 1 "14 July 1996"
+.TH SMBTCPDUMP 1 "14 July 1996"
.SH NAME
-tcpdump \- dump traffic on a network
+smbtcpdump \- dump traffic on a network (supports SMB related protocols)
.SH SYNOPSIS
.na
-.B tcpdump
+.B smbtcpdump
[
.B \-deflnNOpqStvx
] [
@@ -65,11 +65,20 @@
.ad
.SH DESCRIPTION
.LP
-\fITcpdump\fP prints out the headers of packets on a network interface
-that match the boolean \fIexpression\fP.
+\fIsmbTcpdump\fP prints out the headers of packets on a network interface
+that match the boolean \fIexpression\fP. The easiest way to capture
+SMB related traffic is to envoke
+.I smbtcpdump
+as:
+.in +.5i
+.nf
+\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR
+.fi
+.in -.5i
+.LP
.B Under SunOS with nit or bpf:
To run
-.I tcpdump
+.I smbtcpdump
you must have read access to
.I /dev/net
or
@@ -86,7 +95,7 @@
promiscuous-mode operation using
.IR pfconfig (8),
any user may run
-.BR tcpdump .
+.BR smbtcpdump .
.B Under BSD:
You must have read access to
.IR /dev/bpf* .
@@ -122,7 +131,7 @@
.TP
.B \-i
Listen on \fIinterface\fP.
-If unspecified, \fItcpdump\fP searches the system interface list for the
+If unspecified, \fIsmbtcpdump\fP searches the system interface list for the
lowest numbered, configured up interface (excluding loopback).
Ties are broken by choosing the earliest match.
.TP
@@ -130,15 +139,15 @@
Make stdout line buffered. Useful if you want to see the data
while capturing it. E.g.,
.br
-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
+``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or
+``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
.TP
.B \-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
.TP
.B \-N
Don't print domain name qualification of host names. E.g.,
-if you give this flag then \fItcpdump\fP will print ``nic''
+if you give this flag then \fIsmbtcpdump\fP will print ``nic''
instead of ``nic.ddn.mil''.
.TP
.B \-O
@@ -430,7 +439,7 @@
[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
protocol identification comes from the 802.2 Logical Link Control
(LLC) header, which is usually layered on top of the FDDI header.
-\fITcpdump\fP assumes, when filtering on the protocol identifier,
+\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier,
that all FDDI packets include an LLC header, and that the LLC header
is in so-called SNAP format.]
.IP "\fBdecnet src \fIhost\fR"
@@ -462,7 +471,7 @@
.in -.5i
where \fIp\fR is one of the above protocols.
Note that
-\fItcpdump\fP does not currently know how to parse these protocols.
+\fIsmbtcpdump\fP does not currently know how to parse these protocols.
.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
Abbreviations for:
.in +.5i
@@ -541,7 +550,7 @@
.fi
.in -.5i
.LP
-Expression arguments can be passed to tcpdump as either a single argument
+Expression arguments can be passed to smbtcpdump as either a single argument
or as multiple arguments, whichever is more convenient.
Generally, if the expression contains Shell metacharacters, it is
easier to pass it as a single, quoted argument.
@@ -551,21 +560,21 @@
To print all packets arriving at or departing from \fIsundown\fP:
.RS
.nf
-\fBtcpdump host sundown\fP
+\fBsmbtcpdump host sundown\fP
.fi
.RE
.LP
To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
.RS
.nf
-\fBtcpdump host helios and \\( hot or ace \\)\fP
+\fBsmbtcpdump host helios and \\( hot or ace \\)\fP
.fi
.RE
.LP
To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
.RS
.nf
-\fBtcpdump ip host ace and not helios\fP
+\fBsmbtcpdump ip host ace and not helios\fP
.fi
.RE
.LP
@@ -573,7 +582,7 @@
.RS
.nf
.B
-tcpdump net ucb-ether
+smbtcpdump net ucb-ether
.fi
.RE
.LP
@@ -583,7 +592,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and (port ftp or ftp-data)'
+smbtcpdump 'gateway snup and (port ftp or ftp-data)'
.fi
.RE
.LP
@@ -593,7 +602,7 @@
.RS
.nf
.B
-tcpdump ip and not net \fIlocalnet\fP
+smbtcpdump ip and not net \fIlocalnet\fP
.fi
.RE
.LP
@@ -602,7 +611,7 @@
.RS
.nf
.B
-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
+smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
.fi
.RE
.LP
@@ -610,7 +619,7 @@
.RS
.nf
.B
-tcpdump 'gateway snup and ip[2:2] > 576'
+smbtcpdump 'gateway snup and ip[2:2] > 576'
.fi
.RE
.LP
@@ -620,7 +629,7 @@
.RS
.nf
.B
-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
+smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
.fi
.RE
.LP
@@ -629,12 +638,12 @@
.RS
.nf
.B
-tcpdump 'icmp[0] != 8 and icmp[0] != 0"
+smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"
.fi
.RE
.SH OUTPUT FORMAT
.LP
-The output of \fItcpdump\fP is protocol dependent. The following
+The output of \fIsmbtcpdump\fP is protocol dependent. The following
gives a brief description and examples of most of the formats.
.de HD
.sp 1.5
@@ -647,7 +656,7 @@
On ethernets, the source and destination addresses, protocol,
and packet length are printed.
.LP
-On FDDI networks, the '-e' option causes \fItcpdump\fP to print
+On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print
the `frame control' field, the source and destination addresses,
and the packet length. (The `frame control' field governs the
interpretation of the rest of the packet. Normal packets (such
@@ -707,7 +716,7 @@
replies with its ethernet address (in this example, ethernet addresses
are in caps and internet addresses in lower case).
.LP
-This would look less redundant if we had done \fBtcpdump \-n\fP:
+This would look less redundant if we had done \fBsmbtcpdump \-n\fP:
.RS
.nf
.sp .5
@@ -716,7 +725,7 @@
.fi
.RE
.LP
-If we had done \fBtcpdump \-e\fP, the fact that the first packet is
+If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is
broadcast and the second is point-to-point would be visible:
.RS
.nf
@@ -734,7 +743,7 @@
.LP
\fI(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793. If you are not familiar
-with the protocol, neither this description nor tcpdump will
+with the protocol, neither this description nor smbtcpdump will
be of much use to you.)\fP
.LP
The general format of a tcp protocol line is:
@@ -794,7 +803,7 @@
flags were set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
-number is a small integer (1). The first time \fBtcpdump\fP sees a
+number is a small integer (1). The first time \fBsmbtcpdump\fP sees a
tcp `conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number
@@ -982,7 +991,7 @@
NFS traffic.
.LP
NFS reply packets do not explicitly identify the RPC operation. Instead,
-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
+\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the
replies using the transaction ID. If a reply does not closely follow the
corresponding request, it might not be parsable.
.HD
@@ -1170,12 +1179,13 @@
Steven McCanne (mccanne@ee.lbl.gov), all of the
Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
.SH BUGS
-Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov.
+This is a modified version of tcpdump. Please do not bother the tcpdump
+authors with bug reports.
.LP
NIT doesn't let you watch your own outbound traffic, BPF will.
We recommend that you use the latter.
.LP
-\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
+\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
has to have been built with the \fIpacketfilter\fP pseudo-device driver
(see
.IR packetfilter (4)).
@@ -1190,7 +1200,7 @@
you're monitoring a busy network.
.LP
On Sun systems prior to release 3.2, NIT is very buggy.
-If run on an old system, tcpdump may crash the machine.
+If run on an old system, smbtcpdump may crash the machine.
.LP
Some attempt should be made to reassemble IP fragments or, at least
to compute the right length for the higher level protocol.
@@ -1198,7 +1208,7 @@
Name server inverse queries are not dumped correctly: The (empty)
question section is printed rather than real query in the answer
section. Some believe that inverse queries are themselves a bug and
-prefer to fix the program generating them rather than tcpdump.
+prefer to fix the program generating them rather than smbtcpdump.
.LP
Apple Ethertalk DDP packets could be dumped as easily as KIP DDP
packets but aren't.