--- tcpdump.1.orig Sun Jul 14 19:45:04 1996
|
|
+++ tcpdump.1 Mon Sep 14 20:03:37 1998
|
|
@@ -20,12 +20,12 @@
|
|
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
.\"
|
|
-.TH TCPDUMP 1 "14 July 1996"
|
|
+.TH SMBTCPDUMP 1 "14 July 1996"
|
|
.SH NAME
|
|
-tcpdump \- dump traffic on a network
|
|
+smbtcpdump \- dump traffic on a network (supports SMB related protocols)
|
|
.SH SYNOPSIS
|
|
.na
|
|
-.B tcpdump
|
|
+.B smbtcpdump
|
|
[
|
|
.B \-deflnNOpqStvx
|
|
] [
|
|
@@ -65,11 +65,20 @@
|
|
.ad
|
|
.SH DESCRIPTION
|
|
.LP
|
|
-\fITcpdump\fP prints out the headers of packets on a network interface
|
|
-that match the boolean \fIexpression\fP.
|
|
+\fIsmbTcpdump\fP prints out the headers of packets on a network interface
|
|
+that match the boolean \fIexpression\fP. The easiest way to capture
|
|
+SMB related traffic is to envoke
|
|
+.I smbtcpdump
|
|
+as:
|
|
+.in +.5i
|
|
+.nf
|
|
+\fBsmbtcpdump -s 1500 'port 139 and host foo'\fR
|
|
+.fi
|
|
+.in -.5i
|
|
+.LP
|
|
.B Under SunOS with nit or bpf:
|
|
To run
|
|
-.I tcpdump
|
|
+.I smbtcpdump
|
|
you must have read access to
|
|
.I /dev/net
|
|
or
|
|
@@ -86,7 +95,7 @@
|
|
promiscuous-mode operation using
|
|
.IR pfconfig (8),
|
|
any user may run
|
|
-.BR tcpdump .
|
|
+.BR smbtcpdump .
|
|
.B Under BSD:
|
|
You must have read access to
|
|
.IR /dev/bpf* .
|
|
@@ -122,7 +131,7 @@
|
|
.TP
|
|
.B \-i
|
|
Listen on \fIinterface\fP.
|
|
-If unspecified, \fItcpdump\fP searches the system interface list for the
|
|
+If unspecified, \fIsmbtcpdump\fP searches the system interface list for the
|
|
lowest numbered, configured up interface (excluding loopback).
|
|
Ties are broken by choosing the earliest match.
|
|
.TP
|
|
@@ -130,15 +139,15 @@
|
|
Make stdout line buffered. Useful if you want to see the data
|
|
while capturing it. E.g.,
|
|
.br
|
|
-``tcpdump\ \ \-l\ \ |\ \ tee dat'' or
|
|
-``tcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
|
|
+``smbtcpdump\ \ \-l\ \ |\ \ tee dat'' or
|
|
+``smbtcpdump\ \ \-l \ \ > dat\ \ &\ \ tail\ \ \-f\ \ dat''.
|
|
.TP
|
|
.B \-n
|
|
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
|
|
.TP
|
|
.B \-N
|
|
Don't print domain name qualification of host names. E.g.,
|
|
-if you give this flag then \fItcpdump\fP will print ``nic''
|
|
+if you give this flag then \fIsmbtcpdump\fP will print ``nic''
|
|
instead of ``nic.ddn.mil''.
|
|
.TP
|
|
.B \-O
|
|
@@ -430,7 +439,7 @@
|
|
[In the case of FDDI (e.g., `\fBfddi protocol arp\fR'), the
|
|
protocol identification comes from the 802.2 Logical Link Control
|
|
(LLC) header, which is usually layered on top of the FDDI header.
|
|
-\fITcpdump\fP assumes, when filtering on the protocol identifier,
|
|
+\fIsmbTcpdump\fP assumes, when filtering on the protocol identifier,
|
|
that all FDDI packets include an LLC header, and that the LLC header
|
|
is in so-called SNAP format.]
|
|
.IP "\fBdecnet src \fIhost\fR"
|
|
@@ -462,7 +471,7 @@
|
|
.in -.5i
|
|
where \fIp\fR is one of the above protocols.
|
|
Note that
|
|
-\fItcpdump\fP does not currently know how to parse these protocols.
|
|
+\fIsmbtcpdump\fP does not currently know how to parse these protocols.
|
|
.IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
|
|
Abbreviations for:
|
|
.in +.5i
|
|
@@ -541,7 +550,7 @@
|
|
.fi
|
|
.in -.5i
|
|
.LP
|
|
-Expression arguments can be passed to tcpdump as either a single argument
|
|
+Expression arguments can be passed to smbtcpdump as either a single argument
|
|
or as multiple arguments, whichever is more convenient.
|
|
Generally, if the expression contains Shell metacharacters, it is
|
|
easier to pass it as a single, quoted argument.
|
|
@@ -551,21 +560,21 @@
|
|
To print all packets arriving at or departing from \fIsundown\fP:
|
|
.RS
|
|
.nf
|
|
-\fBtcpdump host sundown\fP
|
|
+\fBsmbtcpdump host sundown\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To print traffic between \fIhelios\fR and either \fIhot\fR or \fIace\fR:
|
|
.RS
|
|
.nf
|
|
-\fBtcpdump host helios and \\( hot or ace \\)\fP
|
|
+\fBsmbtcpdump host helios and \\( hot or ace \\)\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
To print all IP packets between \fIace\fR and any host except \fIhelios\fR:
|
|
.RS
|
|
.nf
|
|
-\fBtcpdump ip host ace and not helios\fP
|
|
+\fBsmbtcpdump ip host ace and not helios\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -573,7 +582,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump net ucb-ether
|
|
+smbtcpdump net ucb-ether
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -583,7 +592,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump 'gateway snup and (port ftp or ftp-data)'
|
|
+smbtcpdump 'gateway snup and (port ftp or ftp-data)'
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -593,7 +602,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump ip and not net \fIlocalnet\fP
|
|
+smbtcpdump ip and not net \fIlocalnet\fP
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -602,7 +611,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
|
|
+smbtcpdump 'tcp[13] & 3 != 0 and not src and dst net \fIlocalnet\fP'
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -610,7 +619,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump 'gateway snup and ip[2:2] > 576'
|
|
+smbtcpdump 'gateway snup and ip[2:2] > 576'
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -620,7 +629,7 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
|
|
+smbtcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
|
|
.fi
|
|
.RE
|
|
.LP
|
|
@@ -629,12 +638,12 @@
|
|
.RS
|
|
.nf
|
|
.B
|
|
-tcpdump 'icmp[0] != 8 and icmp[0] != 0"
|
|
+smbtcpdump 'icmp[0] != 8 and icmp[0] != 0"
|
|
.fi
|
|
.RE
|
|
.SH OUTPUT FORMAT
|
|
.LP
|
|
-The output of \fItcpdump\fP is protocol dependent. The following
|
|
+The output of \fIsmbtcpdump\fP is protocol dependent. The following
|
|
gives a brief description and examples of most of the formats.
|
|
.de HD
|
|
.sp 1.5
|
|
@@ -647,7 +656,7 @@
|
|
On ethernets, the source and destination addresses, protocol,
|
|
and packet length are printed.
|
|
.LP
|
|
-On FDDI networks, the '-e' option causes \fItcpdump\fP to print
|
|
+On FDDI networks, the '-e' option causes \fIsmbtcpdump\fP to print
|
|
the `frame control' field, the source and destination addresses,
|
|
and the packet length. (The `frame control' field governs the
|
|
interpretation of the rest of the packet. Normal packets (such
|
|
@@ -707,7 +716,7 @@
|
|
replies with its ethernet address (in this example, ethernet addresses
|
|
are in caps and internet addresses in lower case).
|
|
.LP
|
|
-This would look less redundant if we had done \fBtcpdump \-n\fP:
|
|
+This would look less redundant if we had done \fBsmbtcpdump \-n\fP:
|
|
.RS
|
|
.nf
|
|
.sp .5
|
|
@@ -716,7 +725,7 @@
|
|
.fi
|
|
.RE
|
|
.LP
|
|
-If we had done \fBtcpdump \-e\fP, the fact that the first packet is
|
|
+If we had done \fBsmbtcpdump \-e\fP, the fact that the first packet is
|
|
broadcast and the second is point-to-point would be visible:
|
|
.RS
|
|
.nf
|
|
@@ -734,7 +743,7 @@
|
|
.LP
|
|
\fI(N.B.:The following description assumes familiarity with
|
|
the TCP protocol described in RFC-793. If you are not familiar
|
|
-with the protocol, neither this description nor tcpdump will
|
|
+with the protocol, neither this description nor smbtcpdump will
|
|
be of much use to you.)\fP
|
|
.LP
|
|
The general format of a tcp protocol line is:
|
|
@@ -794,7 +803,7 @@
|
|
flags were set.
|
|
The packet contained no data so there is no data sequence number.
|
|
Note that the ack sequence
|
|
-number is a small integer (1). The first time \fBtcpdump\fP sees a
|
|
+number is a small integer (1). The first time \fBsmbtcpdump\fP sees a
|
|
tcp `conversation', it prints the sequence number from the packet.
|
|
On subsequent packets of the conversation, the difference between
|
|
the current packet's sequence number and this initial sequence number
|
|
@@ -982,7 +991,7 @@
|
|
NFS traffic.
|
|
.LP
|
|
NFS reply packets do not explicitly identify the RPC operation. Instead,
|
|
-\fItcpdump\fP keeps track of ``recent'' requests, and matches them to the
|
|
+\fIsmbtcpdump\fP keeps track of ``recent'' requests, and matches them to the
|
|
replies using the transaction ID. If a reply does not closely follow the
|
|
corresponding request, it might not be parsable.
|
|
.HD
|
|
@@ -1170,12 +1179,13 @@
|
|
Steven McCanne (mccanne@ee.lbl.gov), all of the
|
|
Lawrence Berkeley Laboratory, University of California, Berkeley, CA.
|
|
.SH BUGS
|
|
-Please send bug reports to tcpdump@ee.lbl.gov or libpcap@ee.lbl.gov.
|
|
+This is a modified version of tcpdump. Please do not bother the tcpdump
|
|
+authors with bug reports.
|
|
.LP
|
|
NIT doesn't let you watch your own outbound traffic, BPF will.
|
|
We recommend that you use the latter.
|
|
.LP
|
|
-\fItcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
|
|
+\fIsmbtcpdump\fP for Ultrix requires Ultrix version 4.0 or later; the kernel
|
|
has to have been built with the \fIpacketfilter\fP pseudo-device driver
|
|
(see
|
|
.IR packetfilter (4)).
|
|
@@ -1190,7 +1200,7 @@
|
|
you're monitoring a busy network.
|
|
.LP
|
|
On Sun systems prior to release 3.2, NIT is very buggy.
|
|
-If run on an old system, tcpdump may crash the machine.
|
|
+If run on an old system, smbtcpdump may crash the machine.
|
|
.LP
|
|
Some attempt should be made to reassemble IP fragments or, at least
|
|
to compute the right length for the higher level protocol.
|
|
@@ -1198,7 +1208,7 @@
|
|
Name server inverse queries are not dumped correctly: The (empty)
|
|
question section is printed rather than real query in the answer
|
|
section. Some believe that inverse queries are themselves a bug and
|
|
-prefer to fix the program generating them rather than tcpdump.
|
|
+prefer to fix the program generating them rather than smbtcpdump.
|
|
.LP
|
|
Apple Ethertalk DDP packets could be dumped as easily as KIP DDP
|
|
packets but aren't.
|