This chapter describes the following network testing tools included with TCPware:
ARPSNMP |
Keeps track of ARP information and notifies of changes |
CHARGEND |
Sends strings of characters, ignoring data received |
DAYTIMED |
Sends the current date and time |
DISCARD |
Discards any data it receives |
ECHOD |
Returns any data it receives |
FINGER |
Extracts user information from a remote user information program |
IDENT |
Other servers use this to determine the user associated with a connection |
NETCU DEBUG |
TCPware's NETCU provides debugging commands |
NSLOOKUP |
Verifies DNS name server and host domain information |
PEERNAME |
Shows IP address and port information for a connection. |
PING |
Verifies that a host on the network is up and reachable |
QUOTED |
Checks for TCP connectivity between hosts |
TCPDUMP |
Tracks TCP packets over the network |
TIME |
Time service |
TRACEROUTE |
Tracks TCP routes over the network |
ARPSNMP is a program that reads TCPware’s ARP information and keeps track of information that it has seen in ARP.DAT. TCPWARE:ETHERCODES.DAT is used to display information about the manufacturer of the Ethernet address.
To use, create an empty ARP.DAT in your local directory and define the following symbol:
$ arpsnmp :== $tcpware:arpsnmp
Command syntax is as follows:
arpsnmp [-d] [-f file_specification]
-d |
debug mode: information is displayed to the terminal and not mailed to SYSTEM |
-f file_specification |
specifies location for ARP.DAT if it isn’t in the current working directory |
The first time that ARPSNMP is run with an empty ARP.DAT, it reports all ARP entries as new as it adds them to the file, for example:
new station 192.168.0.69 aa:1:2:3:4:5
Each subsequent time that ARPSNMP is run, it compares the ARP table to the contents of ARP.DAT and reports any differences by sending email to the SYSTEM account (unless –d is specified on the command line).
CHARGEND is the Character Generator Protocol server, defined in RFC 864. It sends strings of characters, ignoring data received, and is a useful debugging tool. CHARGEND can be TCP- or UDP-based. STARTNET starts the service automatically using the TCPWARE:MISC_CONTROL.COM file. The TCPWARE_COMMON:[TCPWARE.EXAMPLES] directory provides the source code. You can test this service through a TELNET connection to it.
DAYTIMED is the Daytime Protocol server, defined in RFC 867. It sends the current date and time as a character string without regard to input. It is a useful debugging and measurement tool. DAYTIMED can be TCP- or UDP-based. STARTNET starts the service automatically using the TCPWARE:MISC_CONTROL.COM file. The TCPWARE_COMMON:[TCPWARE.EXAMPLES] directory provides the source code. You can test this service through a TELNET connection to it.
DISCARD is the Discard Protocol client and DISCARDD is the Discard Protocol server, defined in RFC 863. It simply throws away any data it receives, and is a useful debugging and measurement tool. It can be TCP- or UDP-based. STARTNET starts the service automatically using the TCPWARE:MISC_CONTROL.COM file. The TCPWARE_COMMON:[TCPWARE.EXAMPLES] directory provides the source code for DISCARD and DISCARDD. You can test the service using a TELNET connection to it.
ECHOD is the Echo Protocol server, defined in RFC 862. It returns any data it receives and is a useful debugging and measurement tool. It can be TCP- or UDP-based. STARTNET starts the service automatically using the TCPWARE:MISC_CONTROL.COM file. You can test this service using a TELNET connection to it.
FINGER is the Finger User Information Protocol, defined in RFC 1288. It is used to extract user information from a remote user information program (RUIP). FINGER is TCP-based. STARTNET starts the service automatically using the TCPWARE:MISC_CONTROL.COM file. The TCPWARE_COMMON:[TCPWARE.EXAMPLES] directory provides the source code for FINGERD.
Use FINGER at the DCL level as follows:
$ FINGER user@host
The user is the user to extract information about on the specified host. You must use both parameters.
FINGERD reports the day of the week, hours, and minutes of a login time only if the user has been logged in for LESS than seven days. If the user has been logged on for MORE than seven days, the date in the format dd-mm-yy is reported.
Other servers use the Identification server (formerly the Authentication Server) to determine the user associated with a connection. The MISC_CONTROL command procedure starts the IDENT server automatically.
TCPware's Network Control Utility (NETCU) includes DEBUG commands for the IP, TCP, and UDP layers. They display information about IP datagrams, TCP segments, and UDP datagrams sent and received over the network. You can use them to debug network problems.
See the NETCU Command Reference for the DEBUG IP, DEBUG TCP, and DEBUG UDP command descriptions.
The NSLOOKUP utility sends test queries to a DNS name server to test the DNS configuration. You would use NSLOOKUP to find information such as the following for a selected host or domain:
· Default name server
· DNS database records, such as all, A, CNAME, and MX
· All the hosts in a domain
· User processes
The NSLOOKUP utility has two modes, noninteractive and interactive:
Noninteractive mode |
Query a host and exit NSLOOKUP |
Interactive mode |
Query a host and enter further NSLOOKUP commands |
Setting the mode depends on the syntax you use in entering the NSLOOKUP command. You access noninteractive mode if you use the following syntax at the DCL prompt:
$ nslookup host-to-find [server-to-query]
$
You access interactive mode if you use the following syntax at the DCL prompt:
$ nslookup [- server-to-query]
>
The difference is that noninteractive mode requires at least the host-to-find parameter, while interactive mode is signaled by either the lack of a parameter altogether or a dash preceding the server-to-query parameter. Also, after a noninteractive query, you are back at the DCL prompt, while the interactive query puts you at the > prompt so that you can enter further NSLOOKUP commands.
Both modes allow you to enter options, as described in Setting Options.
The full noninteractive mode syntax is as follows:
nslookup[-option[-option...]]host-to-find [server-to-query]
-option |
Sets the state information for a group of lookups. (See Setting Options for details on state information.) You can have multiple options, each prefixed by a dash and separated by a space. |
host-to-find |
Hostname or IP address of the host about which to seek information. |
server-to-query |
Hostname or IP address of the DNS server to query. You can specify a server only if you also specify a host-to-find. If omitted, TCPware uses the current default server. |
Enter the nslookup command and options in lowercase but enter the hostname and server name values in their proper case. To interrupt noninteractive mode, use Ctrl+C.
The full interactive mode syntax is as follows:
$ nslookup [-option[-option...]] [- server-to-query]
>{ host-to-find | command }
-option |
Sets the state information for a group of lookups. (See Setting Options for details on state information.) You can have multiple options, each prefixed by a dash and separated by a space. |
- server-to-query |
Hostname or IP address of the DNS server to query. Precede the parameter with a dash and a space. |
host-to-find |
Hostname or IP address of the host about which to seek information, as entered at the NSLOOKUP prompt (>). |
command |
One of the query commands listed in the section. The command must be less than 256 characters; its case does not matter. |
Enter the nslookup command and options in lowercase but enter the hostname or server name in its proper case. The nslookup command alone always returns the default server information before presenting the > prompt, at which you can enter either the host-to-find or a command. To interrupt interactive mode, use Ctrl+C. To exit, enter exit or Ctrl+Z.
You can enter the host-to-find as a hostname or an IP address. If you enter an IP address, the hostname is returned by default.
To look up a host not in the current domain, add a trailing period, such as:
$ nslookup iris.example.com.
If the trailing period is missing, the default domain name (as determined by the set domain, set srchlist, set defname, or set search commands) is appended.
See the set command description in the Query Command Reference.
NSLOOKUP options set the state information for the query. You can set options using the -option parameter, or in interactive mode using the set command. Each option corresponds to a set command keyword.
See the set command description for the keywords that correspond to the options.
For example, the following command uses -option parameters to set the querytype and timeout parameters for the next series of interactive lookups to server AMOS.
$ nslookup -querytype=hinfo -timeout=10 - amos
The alternative would be:
$ nslookup
> set querytype=hinfo
> set timeout=10
> amos
The following command tries to get information about node SIRIUS in domain EXAMPLE.COM by querying server ANDY. If unsuccessful, NSLOOKUP tries ten more times and returns to the DCL prompt.
$ nslookup -domain=example.com -retry=10 sirius andy
This section describes the NSLOOKUP query commands accessible at the > prompt. Enter the commands in lowercase or they are considered to be uppercase host-to-find entries.
Exits NSLOOKUP.
> exit
Enter the command in lowercase or it is considered to be hostname "EXIT".
Ctrl+Z
This example displays information about the server and exits NSLOOKUP.
$ nslookup
Default Server: sirius.example.com
Address: 192.168.95.1
>exit
$
Connects with the FINGER server on the (previously defined) host to display FINGER information. With the optional username parameter, you can focus the lookup on one user.
You can redirect the output from the finger command to a file using the greater-than symbol, as follows:
> finger> filename.ext
> finger>> filename.ext
The > places the output into filename.ext. The >> appends the output onto file filename.ext. When you direct output to a file, NSLOOKUP prints hash marks after every 50 records received from the server.
> finger [username]
Enter the command in lowercase or it is considered to be hostname "FINGER".
username
Focuses the lookup to one username. The username can be case-sensitive.
This example defines the current host as SIRIUS and connects with the FINGER server on SIRIUS to display FINGER information on user GANDALF.
$ nslookup
>sirius
Default Server: sirius.example.com
Address: 192.168.95.1
Name: sirius.example.com
Address: 192.168.95.1
>finger gandalf
[sirius.example.com]
Status of VMScluster on node NENE at 23-JUN-2020 16:52:04.62
Username Node Name New Mail When Terminal
GANDALF SIRIUS Gandalf 3 Mon 08:34 FTA1211:
GANDALF SIRIUS Gandalf 3 Mon 08:34 FTA1212:
Displays a brief summary of NSLOOKUP commands.
> help
Enter the command in lowercase or it is considered to be hostname "HELP".
>? (question mark)
> help
NSLOOKUP
COMMAND SUMMARY
(identifiers are shown in uppercase, [] means optional)
Command Meaning
---------------------------------------------------------------------
NAME - print info about the host/domain NAME using default server
NAME1 NAME2 - as above, but use NAME2 as server
ls [opt] DOMAIN [> FILE] - list entities in DOMAIN (optional: output to
FILE)
-a - list canonical names and aliases
-h - list HINFO (CPU type and operating system)
-s - list well-known services
-d - list all records
-t TYPE - list records of the given type (e.g., A,CNAME,MX, etc.)
view FILE - sort an 'ls' output file and view it
help or ? - display this screen
spawn or ! [command] - create child process and execute command
finger [USER] - finger the optional NAME at the current default host
root - set current default server to the root
server NAME - set default server to NAME, using current default server
lserver NAME - set default server to NAME, using initial server
set OPTION - set an option
all - print options, current server and host
[no]defname - append domain name to each query
[no]recurse - ask for recursive answer to query
[no]vc - always use a virtual circuit
domain=NAME - set default domain name to NAME
srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
root=NAME - set root server to NAME
retry=X - set number of retries to X
timeout=X - set initial time-out interval to X seconds
querytype=X - set query type, e.g., A,ANY,CNAME,HINFO,MX,NS,PTR,SOA,WKS
type=X - synonym for querytype
class=X - set query class to one of IN (Internet), CHAOS, HESIOD or ANY
[no]debug - print debugging information
[no]d2 - print exhaustive debugging information
exit - exit the program, ^Z also exits
Lists the information for a domain. The default output contains host names and their Internet addresses.
You can redirect the output from the ls command to a file as follows:
> ls...> filename.ext
> ls ...>> filename.ext
The > places the output into filename.ext. The >> appends the output onto file filename.ext. When you direct output to a file, NSLOOKUP prints hash marks after every 50 records received from the server.
> ls [-option [-option...]] domain
Enter the command in lowercase or it is considered to be hostname "LS".
-option
See the Options that follow for a list of available options. Always precede an option with a hyphen. Separate multiple options with spaces.
domain
Domain for which to list information.
-a
Lists aliases of hosts in the domain. Synonym for ls -t CNAME.
-d
Lists all records for the domain. Synonym for ls -t ANY.
-h
Lists CPU and operating system information for the domain. Synonym for ls -t HINFO.
-s
Lists well-known services of hosts in the domain. Synonym for ls -t WKS.
-t [type]
Lists all records of the type specified by the set type command, as in the below table.
Value... |
Means... |
any |
All records for the domain |
a |
Host internet address |
afsdb |
AFS database |
axfr |
Zone transfer |
cname |
Canonical name for an alias |
hinfo |
Host CPU and operating system type |
isdn |
ISDN information |
mb |
Mailbox |
mg |
Mail group |
minfo |
Mail information |
mr |
Mailbox rename |
mx |
Mail exchanger |
ns |
Name server for the named zone |
ptr |
Host name if query is Internet address, otherwise pointer to other information |
rp |
Responsible person |
rt |
Route through binding |
soa |
Domain "start-of-authority" information |
txt |
Text information |
uinfo |
User information |
wks |
Supported well-known services |
x25 |
X.25 information |
1. This example lists information for domain SIRIUS:
>ls example.com
[sirius.example.com]
example.com. server = sirius.example.com
sirius 192.168.95.1
example.com. server = nic.example.net
nic.near.net. 192.52.71.4
2. This example lists all records for domain SIRIUS:
>ls -d example.com
[sirius.example.com]
example.com. SOA sirius.example.com leary.sirius.example.com
.(76 86400 1800 3600000 86400)
example.com. NS sirius.example.com
3. This example appends the output in Example 2 onto an existing FOOBAR.TXT file:
>ls -d example.com >> foobar.txt
[sirius.example.com]
###
Received 165 records.
>
Changes the default server to the domain namespace root server.
The default host is a.root-servers.net.
You can change the name of the root server with the set root command.
>root
Enter the command in lowercase or it is considered to be hostname "ROOT".
>lserver a.root-servers.net
This example lists the root server name and address.
>root
Default Server: a.root-servers.net
Address: 198.41.0.4
Changes the default server to the specified host:
· The server command uses the current default server to look up information about the host.
· The lserver command uses the initial server to look up information about the host.
If NSLOOKUP cannot find an authoritative answer, it returns the names of servers that might have the answer.
> server host
> lserver host
Enter the command in lowercase or it is considered to be hostname "SERVER" or "LSERVER".
host
Domain name of the host.
1. This example changes the default server to GEMMA.
> server gemma
Default Server: gemma.example.com
Served by:
- NIC.NEAR.NET
192.168.71.4
EXAMPLE.COM
- BU.EDU
128.197.27.7
EXAMPLE.COM
2. This example changes the default server back to SIRIUS.
> lserver sirius
Default Server: sirius.example.com
Address: 192.168.95.1
Changes state information that affects the lookups.
> set option
Enter the command in lowercase or it is considered to be hostname "SET".
The options are listed as under the Options heading. The abbreviated form of the option is underlined.
$ nslookup -option [-option...]
all
Prints the current value of all keyword options and information about the current default server and host.
class=value
Changes the query class to one of the values in the below table. The class specifies the protocol group of the information.
Value |
Description |
in |
Internet class (default value) |
chaos |
Chaos class |
hesiod |
MIT Athena Hesiod class |
any |
Wildcard for any of the above |
debug
Turns debug mode on. Debug provides information about the packet sent to
the server and the resulting answer.
d2
Turns exhaustive debug mode on, which essentially displays all fields of every packet.
defname
nodefname
Appends (defname) the default domain name to every single-component lookup, or disables this function (nodefname). You should probably leave the append function on in most cases.
domain=name
Changes the default domain name to name and appends the default domain name to a lookup request, if defname and searchare set. The domain search list contains the parents of the default domain if it has at least two components in its name. The default is the local domain.
ignoretc
noignoretc
Ignores packet truncation errors (ignoretc) on output or disables this function (noignoretc). In most cases, you would want to display these errors. The default is noignoretc.
port=number
Changes the default TCP/UDP name server port to number.
querytype=value
Changes the type of information returned by a query to one of the values in the below table. The default value is a. The synonym is type.
Value |
Description |
any |
All records for the domain |
a |
Host internet address |
afsdb |
AFS database |
axfr |
Zone transfer |
cname |
Canonical name for an alias |
hinfo |
Host CPU and operating system type |
isdn |
ISDN information |
mb |
Mailbox |
mg |
Mail group |
minfo |
Mail information |
mr |
Mailbox rename |
mx |
Mail exchanger |
ns |
Name server for the named zone |
ptr |
Host name if query is Internet address, otherwise pointer to other information |
rp |
Responsible person |
rt |
Route through binding |
soa |
Domain "start-of-authority" information |
txt |
Text information |
uinfo |
User information |
wks |
Supported well-known services |
x25 |
X.25 information |
retry=number
Sets the number of retries to number. If NSLOOKUP does not receive a reply to a request within the amount of time specified by set timeout, it resends the request. The retry value controls how many times NSLOOKUP resends a request before giving up. The default is 2 retries.
root=host
Changes the name of the root server to host. This changes the default root server when using the root command. The default is a.root.servers.net.
recurse
norecurse
The name server recursively queries other servers if it does not have the information (recurse), or does not do this (norecurse). You would normally want recursive queries, and this is the default.
search
nosearch
Searches for each name in parent domains of the current domain (search), or disables this function (nosearch). If the lookup request contains at least one period but does not end with a trailing period, search appends the domain names in the domain search list to the request until the server returns an answer. The default is search.
srchlist=name1 [ /name2 /... /name6]
Sets up a search list by changing the default domain name to name1 and the domain search list to name1, name2, and so on, up to six names, each separated by a slash (/). This command overrides the default domain name and search list of the set domain command.
timeout=interval
Changes the timeout interval NSLOOKUP uses while waiting for a reply to the interval number of seconds. The default is 10. (See also retry.)
type=value
See querytype.
vc
novc
Uses a TCP virtual circuit when sending requests to the server (vc), or uses UDP or allows NSLOOKUP to determine whether to use a virtual circuit based on the size of the request (novc). You would normally use the default of novc.
1. This example sets the search list to EXAMPLE.COM and COM.
>set srchl=example.com/com
2. This example sets the query type to ANY. When listing the host, all records appear.
>set q=any
>sirius
Server: sirius.example.com
Address: 192.168.1.1
sirius.example.com internet
address = 192.168.1.1
sirius.example.com CPU = VAXstation 4000-90 OS = VMS V5.5-2
SET SRCHL=EXAMPLE.COM/COMP.PROTOCOLS.SMTP
Spawns a subprocess to execute a DCL command.
Note: You cannot SPAWN with CAPTIVE accounts.
|
> spawn [command]
Enter the command in lowercase or it is considered to be hostname "SPAWN".
> ! [command]
command
Command to execute. If omitted, TCPware starts a DCL subprocess.
Sorts and lists previous ls command output redirected to a filename.
> view filename
Enter the command in lowercase or it is considered to be hostname "VIEW".
filename
Filename to which you redirected output during an ls command.
This example redirects a listing output to the FOOBAR.TXT file, and views the contents of the file.
>ls sirius > foobar.txt
[sirius.example.com]
###
Received 165 records.
>view foobar.txt
[sirius.example.com]
example.com. server = sirius.example.com
sirius 192.168.95.1
example.com. server = nic.near.net
nic.near.net. 192.52.71.4
If the lookup request was not successful, NSLOOKUP prints an error message. Valid error messages are:
Timed-out |
The server did not respond to a request after the amount of time specified in timeout and the number of retries specified in retry. |
Non-existent domain |
The host or domain name does not exist. |
No response from server |
The server machine does not run a name server. |
No records |
The server does not have resource records of the currently specified query type for the host, although the host name is valid. |
Connection Refused or Network Is Unreachable |
NSLOOKUP could not make a connection to the name or finger server. Common error with finger and ls requests. |
Server failure |
The name server found an internal inconsistency in its database and could not return a valid answer. |
Refused |
The name server refused to service the request. |
Format error |
The name server found that the request packet was not in the proper format. |
PEERNAME is a utility that displays the local and remote IP addresses and ports for a given connection. PEERNAME can handle all kinds of network devices: INET, TCP, or BG.
To use, define the following symbol:
$ peername :== $tcpware:peername
Command syntax is as follows:
$ peername network-device
For example, if you have used TELNET to log into a system, you can use PEERNAME to obtain information about that connection:
$ peername TT:
Local address: 192.168.0.69, port: 23
Remote address: 192.168.0.119, port: 21895
The PING utility tells you whether a host is up and whether you can reach it. The PING utility uses the ICMP echo and echo reply messages. To use the PING utility, you need BYPASS or SYSPRV privilege. Also, always run the PING utility from an account that has NETMBX privileges.
Before using the PING utility, enter the following:
$ PING :== $TCPWARE:PING
To "ping" a host, enter:
$ PING [-rv] host [data-size [npackets]]
· -r - Do not route: do not use another gateway to reach the destination; the destination must be on a local network
· -v - Verbose mode, which displays information on an invalid response
· host - Hostname or internet address of the host to "ping"
· data-size - Size, in bytes, of the ICMP echo data
· npackets - Number of packets to send; if omitted, PING sends an infinite number of packets
To terminate or interrupt PING, enter Ctrl+C.
The below example shows a PING command and the resulting output. The Ctrl+C appears because the user interrupted the output with Ctrl+C.
NETCU> PING process-gw
PING process-gw.example.com
(192.168.95.126): 56 data bytes
64 bytes from 192.168.95.126: icmp_seq=0. time=10.ms
64 bytes from 192.168.95.126: icmp_seq=1. time=0.ms
64 bytes from 192.168.95.126: icmp_seq=2. time=0.ms
64 bytes from 192.168.95.126: icmp_seq=3. time=0.ms
Ctrl+C
----process-gw.example.com
PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/2/10
$
The Quote-of-the-Day service (QUOTED) is a useful tool to check for connectivity. QUOTED is a TCP-based character generator service. As implemented, the QUOTED server listens for TCP connections on TCP port 17. Once you establish a connection, the service sends a short message. The service then throws away any data it receives and closes the connection.
It is your responsibility to provide the quote and define the TCPWARE_QUOTE logical.
There is no specific syntax for the quote. The quote can have a total of 512 characters and is limited to the following characters:
· ASCII printable
· Space
· Carriage return
· Line feed
You need to define a system logical, TCPWARE_QUOTE to specify the quote for the server. The TCPWARE_QUOTE logical name can be either a string or a filename that includes the quote text. Prefix a filename with the @ sign and enclose the definition or filename in quotation marks.
You need SYSNAM or SYSPRV privileges to define the system-wide logical. The following examples show three different ways to define the TCPWARE_QUOTE logical:
$ DEFINE/SYSTEM/EXEC TCPWARE_QUOTE
"Quote-of-the-day"
$ DEFINE/SYSTEM/EXEC
TCPWARE_QUOTE "@SYS$MANAGER:QUOTE.TXT"
$ DEFINE/SYSTEM/EXEC
TCPWARE_QUOTE "Today's quote is",-
_$ "@SYS$MANAGER:QUOTE.TXT"
To test QUOTED, TELNET to the host that has a defined quote-of-the-day, as follows:
$ TELNET host QUOTE
$ TELNET host 17
(Specifying QUOTE or 17 is identical since the QUOTE server port number is 17.)
For example, the following command does a TELNET operation to BARTLETT's quote-of-the-day server:
$ TELNET BARTLETT QUOTE
The system displays:
%TCPWARE_TELNET-I-TRYING, trying
BARTLETT,quote (192.168.5.75,17) ...
%TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^
"Quote-of-the-day"
If the system logical is not defined, the system displays:
%TCPWARE_TELNET-I-TRYING, trying
BARTLETT,quote (192.168.5.75,17) ...
%TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^
No quote-of-the-day is currently defined.
TCPDUMP is a useful mechanism for tracking TCP packets by displaying information in the packet headers. You can specify the type of packet information to extract by including the relevant options and expressions.
Use of TCPDUMP assumes a thorough understanding of the TCP protocol.
Before using TCPDUMP, enter the following foreign command definition:
$ TCPDUMP :== $TCPWARE:TCPDUMP
The TCPDUMP command syntax is as follows:
$ TCPDUMP [options] [expressions]
You can also use the TCPDUMP command on the Network Control Utility (NETCU) level. This allows you to use OpenVMS qualifiers in place of (or in addition to) UNIX-style options. To use TCPDUMP on the NETCU level, enter the following:
$ NETCU TCPDUMP [qualifiers | options] [expressions]
For complete details on the available options and expressions, see TCPDUMP Command Reference later in this chapter.
The output of TCPDUMP is protocol-dependent. The following gives a brief description and examples of most of the various output formats. The description assumes familiarity with RFC 793, Transmission Control Protocol.
Consider the command and its output in the below example:
$ tcpdump
host bart
Getting stats.
tcpdump: listening on ESA0:
18:21:59.000400 bart.example.com.1023 > marge.login: S
560913442:560913442(0) win 24576 <mss 1460,wscale 0,eol> (DF)
18:21:59.004000 bart.example.com.1023 > marge.login: . ack 513152385
win 24576 (DF)
18:21:59.004100 bart.example.com.1023 > marge.login: P 0:1(1) ack 1 win
24576 (DF)
The general format of a TCP protocol line is as follows, with references to the above example in the explanations given in parentheses:
timestamp src>dst: flags [ first-byte:last-byte
(total-bytes) ack seqno
win bytes urg <options>]
timestamp (18:21:59.000400) |
By default, all output lines are preceded by a time stamp, the current clock time in the form hours:minutes:seconds.decimal. The time stamp reflects the time the driver delivers the packet. No attempt is made to account for the time lag between when the Ethernet interface removed the packet from the wire and when the driver services the I/O request.
The additional -tt option you can use with the TCPDUMP command displays an unformatted time stamp, while the -t option removes the time stamp altogether. |
src>dst: (bart.example.com.1023 > marge.login:) |
Source and destination IP address and port. |
flags - S (SYN),
F (FIN), P (PUSH),
|
Transition flags that can appear in combination. |
first-byte:last-byte (total-bytes) (560913442:560913442(0)) |
Packet data sequence number, the first byte followed by the last byte of data, and the total bytes. |
ack seqno (ack 513152385) |
Sequence number of the next data expected in the other direction on this connection. |
win bytes (win 24576) |
Number of bytes of receive buffer space available in the other direction on this connection. |
urg (not shown) |
The packet contains "Urgent" data. |
<options> (not shown) |
TCP options, enclosed in angle brackets (<>). |
(DF) (various lines) |
The IP do-not-fragment flag is included with the packet. |
The src and dst values and the flags (S, F, P, R, or .) are always present. The other fields depend on the contents of the packet's TCP protocol header and appear only if appropriate.
The below example shows the opening portion of an RLOGIN operation from BART to MARGE.
bart.1023 > marge.login: S
768512:768512(0) win 4096 <mss 1024>
marge.login > bart.1023: S 947648:947648(0) ack 768513 win 4096 <mss
1024>
bart.1023 > marge.login: .ack 1 win 4096
bart.1023 > marge.login: P 1:2(1) ack 1 win 4096
marge.login > bart.1023: . ack 2 win 4096
bart.1023 > marge.login: P 2:21(19) ack 1 win 4096
marge.login > bart.1023: P 1:2(1) ack 21 win 4077
marge.login > bart.1023: P 2:3(1) ack 21 win 4077 urg 1
marge.login > bart.1023: P 3:4(1) ack 21 win 4077 urg 1
Here is the explanation for each line in the example output:
· bart.1023 > marge.login: S 768512:768512(0) win 4096 <mss 1024>
TCP port 1023 on BART sends a packet to port LOGIN on MARGE. The S indicates that the SYN flag was set. The packet sequence number is 768512 and it contains no data. There is no piggybacked ACK, the available receive window is 4096 bytes, and there is a maximum segment size (MSS) option requesting an MSS of 1024 bytes.
· marge.login > bart.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
MARGE replies with a similar packet except that it includes a piggy-backed ACK in response to BART's SYN.
· bart.1023 > marge.login: . ack 1 win 4096
BART then sends an ACK in response to MARGE's SYN. The . means that no flags were set. The packet contains no data, so there is no data sequence number. Note that the ACK sequence number is a small integer (1). The first time TCPDUMP sees a TCP "conversation," it displays the sequence number from the packet.
· bart.1023 > marge.login: P 1:2(1) ack 1 win 4096
marge.login > bart.1023: .ack 2 win 4096
On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is displayed. This means that sequence numbers after the initial one can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being 1). (The -s option would override this feature, causing the original sequence numbers to be output.)
· bart.1023 > marge.login: P 2:21(19) ack 1 win 4096
BART sends MARGE 19 bytes of data (bytes 2 through 20 in the BART-to-MARGE side of the conversation). The P (PUSH) flag is set in the packet.
· marge.login > bart.1023: P 1:2(1) ack 21 win 4077
MARGE indicates that it received data up to, but not including, byte 21. Most of this data is apparently sitting in the socket buffer, since MARGE's receive window decreased by 19 bytes. MARGE also sends one byte of data to BART in this packet.
· marge.login > bart.1023: P 2:3(1) ack 21 win 4077 urg 1
marge.login > bart.1023: P 3:4(1) ack 21 win 4077 urg 1
MARGE sends two bytes of urgent, pushed data to BART.
The UDP format is illustrated by this rwho packet:
molly.who > broadcast.who: udp 84
This says that port WHO on host MOLLY sent a UDP datagram to port WHO on host BROADCAST, the Internet broadcast address. The packet contained 84 bytes of user data.
Some UDP services are recognized (from the source or destination port number) and the higher-level protocol information is displayed; in particular, Domain Name System (DNS) service requests and Remote Procedure Calls to the Network File System (NFS).
The -e option of the TCPDUMP command displays the link level header of each dump line. On Ethernet systems, this displays the source and destination addresses, protocol, and packet length. For example, the following command displays the additional information shown in bold type:
$ tcpdump -e host bart -t
Getting stats.
tcpdump: listening on ESA0:
aa:0:4:0:3a:8 aa:0:4:0:15:a ip 62: bart.1023 > marge.login: S
176494692:176494692(0) win 24576 <mss 1460,wscale 0,eol> (DF)
aa:0:4:0:3a:8 aa:0:4:0:15:a ip 60: bart.1023 > marge.login: . ack
128739885 win 24576 (DF)
aa:0:4:0:3a:8 aa:0:4:0:15:a ip 60: bart.1023 > marge.login: P
0:1(1) ack 1 win 24576 (DF)
The link level headers begin with aa. (Note that time stamps were omitted since the -t option was used.)
On FDDI networks, the -e option displays the frame control field – the source and destination addresses, and the packet length – that governs the interpretation of the rest of the packet.
Normal packets (such as those containing IP datagrams) are asynchronous, with a priority value between 0 and 7; for example, async4. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is displayed if it is not an ISO datagram or so-called Subnetwork Access Protocol (SNAP) packet.
The following description assumes familiarity with the ARP and RARP protocols. See Chapter 6, Common Interfaces, the Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) subsections for further information.
Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) output shows the type of request and its arguments.
The format is intended to be self-explanatory. The following abbreviated sample output is taken from the start of an RLOGIN operation from host MARGE to BART:
$ tcpdump host bart -t
arp who-has bart.example.com tell marge.example.com
arp reply bart.example.com is-at aa:0:4:0:1f:8
The first line indicates that MARGE sent an ARP packet asking for BART's Ethernet address. BART replied with its Ethernet address, aa:0:4:0:1f:8.
You can also specify not to convert IP addresses to hostnames by using the -n option:
$ tcpdump host bart -t -n
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at aa:0:4:0:1f:8
With the additional link level header information, the output would be as follows:
$ tcpdump host bart -t -e
aa:0:4:0:1:8 aa:0:4:0:15:a ip 82: arp who-has 128.3.254.6 tell
128.3.254.68
aa:0:4:0:1:8 aa:0:4:0:15:a ip 82: arp reply 128.3.254.6 is-at aa:0:4:0:1f:8
The following description assumes familiarity with the DNS protocol. See Chapter 3, Domain Name Services, for further information.
Domain Name System (DNS) name server requests are formatted as:
src>dst: qidop? Flags qtype qclassname (len)
The below diagram shows an example in which APOLLO queries the domain server on BART for an address (type A) record associated with the name MARGE.NENE.COM.
· The source and destination hosts (src >dst) are given.
· The query id (qid) is 3 (the + indicates that the "recursion desired" flag was set).
· The query operation (op?) is omitted since it is the normal one, Query. If op had been anything else, it would appear between the 3 and the +.
· The query type (qtype) is A for Address record.
· The qclass is omitted since it is the normal one, C_IN. Any other qclass would have been displayed immediately after the A.
· The name is the domain name of target host MARGE.
· The query length (len) is 37 bytes, not including the UDP and IP protocol headers.
A few anomalies are checked and can result in extra fields enclosed in square brackets. If a query contains an answer, name server, or authority section, ancount, nscount, or arcount are displayed as [na], [nn], or [nau], where n is the appropriate count. If any of the response bits are set (AA, RA, or rcode) or any of the "must be zero" bits are set in bytes two and three, [b2&3=x] is displayed, where x is the hex value of header bytes two and three.
DNS name server responses are formatted as:
src> dst: qid op rcode flags a/n/au qtype qclass data (len)
The below diagram shows two examples.
In the first example, BART responds to query 3 from APOLLO with three answer records (a), three name server records (n), and seven authority records (au). The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response is 273 bytes, excluding UDP and IP headers. The op (Query) and rcode (NoError) were omitted, as was the class (C_IN) of the A record.
In the second example, BART responds to query 2 with a response code of nonexistent domain (NXDomain) with no answers, one name server, and no authority records. The * indicates that the authoritative answer bit was set. Since there were no answers, there is no qtype, qclass, or data displayed.
Other flag characters that might appear are - (recursion available, RA, not set) and | (truncated message, TC, set). If the "question" section does not contain exactly one entry, [nq] is displayed.
Note that name server requests and responses tend to be large, and the default snapshot length of 68 bytes may not capture enough of the packet to display. Use the -s flag to increase the snapshot length if you need to seriously investigate name server traffic (-s 128 is known to be effective).
The following description assumes familiarity with the Network File System (NFS). See Chapter 13, NFS Client Management, or Chapter 14, NFS Server Management, for further information.
NFS requests and replies are displayed as:
src.xid>dst.nfs: len op args
src.nfs >dst.xid: reply stat len op results
The below diagram shows an example. SUSHI sends a transaction with id 6709 to WRL (note that the number following the src host is the transaction ID, not the source port). The request was 112 bytes long, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (VMS fid) 2661,43,0. Host WRL replies ok with the contents of the link.
If you use the -v (verbose) option, additional information is displayed. For example:
sushi.1372a > wrl.nfs: 148 read VMS
fid (2661,43,0) 8192 bytes @ 24576
wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388
In the first line, SUSHI queries WRL to read 8192 bytes from file handle 2661,43,0 at byte offset @24576. WRL responds with ok. The packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long. (The other bytes follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be displayed, depending on the filter expression used.)
Because of the -v option, some of the file attributes returned in addition to the file data are displayed: the file type (REG, for regular file), the file mode (in octal, 100664), the UID and GID (417/0), and the file size (sz, 29388). (The -v option also displays the IP header TTL, ID, and fragmentation fields, which were omitted from this example.) If you use -v more than once, even more details are displayed.
Note that NFS requests are very large and much of the detail is not displayed unless the snapshot length is increased. Try using -s 192 to watch NFS traffic.
NFS reply packets do not explicitly identify the RPC operation. Instead, TCPDUMP keeps track of "recent'' requests, and matches them to the responses using the transaction ID. If a response does not closely follow the corresponding request, it might be ignored.
TCPDUMP supports the following options/qualifiers enabling more decoding of RPC-based services.
R_RPC
-”R” all|udp|tcp
/RPC [=ALL|UDP|TCP]
For a UNIX-style option, the “R” must be uppercase and quoted.
The option/qualifier values are:
· ALL (default) decodes both UDP and TCP
· UDP decodes UDP only
· TCP decodes TCP only.
The following RPC protocols are decoded:
· For NFS:
o Network Lock Manager (v.1)
o Net Status
· For Portmapper:
o Network Lock Manager (v.3)
o Mount
The display with /RPC=qualifier used will look like this:
To display more detail, increase the size of snapshot_size
using the /SNAP option.
$ netcu tcpdump /rpc=all /snap=8192 host flintstone
Tcpdump: listening on IPA0:
16:59:54.165987 test.example.com60e19a3d > construction.example.com.NFS:
udp(AUTH_UNIX: Machine=drilling.example.com,Uid=1111,Gid=22) GETATTR(Fh=6070000.1000000.a00.2a8a
0200)
16:59:54.169893
test.example.com.NFS > test.example.com.60e19a3d:
udp GETATTR = OK,Type=DIR,Mode=040755,Nlink=3,Uid=1111,Gid=2,Size=3584,
Rdev=ffffa5a8,Blocks=8,Fsid=706,fileID=166442
Fragmented Internet datagrams are displayed as:
(fragid:size@offset+)
(fragid:size@offset)
The first form, which includes the ending +, indicates that there are more fragments. The second form indicates the last fragment. The id parameter is the fragment ID, size is the fragment size (in bytes) excluding the IP header, and offset is this fragment's offset (in bytes) in the original datagram.
Information is displayed for each fragment. The first fragment contains the higher-level protocol header and the fragment information is displayed after the protocol information. Fragments after the first contain no higher-level protocol header, and the fragment information is displayed after the source and destination addresses. For example, here is part of an FTP from EXAMPLE.EDU to LBL-BART.ARPA over a CSNET connection that does not appear to handle 576-byte datagrams:
example.ftp-data> bart.1170: .
1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
example > bart: (frag 595a:204@328)
bart.1170 > example.ftp-data: . ack 1536 win 2560
· Addresses in the third line do not include port numbers, because the TCP protocol information is all in the first fragment, and it is not known what the port or sequence numbers will be when the later fragments are displayed.
· The TCP sequence information in the first line is displayed as if there were 308 bytes of user data when, in fact, there are 512 bytes (308 in the first fragment and 204 in the second). If you are looking for holes in the sequence space or trying to match up ACKs with packets, this can be misleading.
A packet with the IP do-not-fragment flag is marked with a trailing (DF).
This section shows the format for and examples of the TCPDUMP command.
The first form of the TCPDUMP command is available on the DCL level as:
$ TCPDUMP:==$TCPWARE:TCPDUMP
$ TCPDUMP [options] [expressions]
The second form is on the Network Control Utility (NETCU) level. This form allows you to use OpenVMS qualifiers in place of (or in addition to) UNIX-style options. To use TCPDUMP on the NETCU level, enter the following:
$ NETCU TCPDUMP [qualifiers | options] [expressions]
The options and their qualifier equivalents are listed together.
TCPDUMP displays the headers of packets on a network interface that match the Boolean expression. The OpenVMS implementation currently works only with HP-compatible Ethernet cards. Some of the command line switches were changed from the UNIX version to support OpenVMS's case-insensitive command line.
PHY_IO privilege is required to use TCPDUMP, unless reading packets from a file. If using the TCPware drivers for packet capturing, LOG_IO and SYSPRV or BYPASS privileges are also needed.
TCPDUMP [ options | qualifiers] [expressions]
Only options are available if using TCPDUMP as a foreign command at the DCL prompt. You can mix and match options and qualifiers if using TCPDUMP as a NETCU command. In each case, the option is listed before its equivalent qualifier.
|
-a
/NO_RELATIVE_SEQUENCE_NUMBERS
Displays absolute, rather than relative, TCP sequence numbers. /RELATIVE is the default.
-b bufcount
/BUFFERS=bufcount
Sets the number of receive buffers for the Ethernet adapter to bufcount. The default is 255 on VAX, 175 on AXP and Itanium. You may need to lower the number if you receive the message %SYSTEM-F-EXQUOTA, process quota exceeded. This option does not apply to the TCPware drivers. Valid values are 1 to 255.
-c exitcount
/COUNT=exitcount
Exits after receiving exitcount packets.
-d
/HOSTNAMES=NOQUALIFIED
/NODOMAINS
Does not display host names as fully qualified domain names. For example, display nic instead of nic.ddn.mil. /HOSTNAMES=QUALIFIED is the default.
-e
/LINK_HEADERS
/ETHERNET_HEADER
Displays the link-level header on each dump line. (See Displaying Link Level Headers.)
-f
/HOSTNAMES=NOFOREIGN
/FOREIGN_NUMERICALLY
Displays "foreign" internet addresses numerically, not symbolically. FOREIGN is the default.
-g
/NETWORK
Translates network and broadcast addresses to domain names.
-i interface
/INTERFACE=interface
Listens on the interface interface. If unspecified, TCPDUMP searches for a configured interface (excluding loopback).
-j file
/FILTER_EXPRESSIONS=file
Uses the specified file as input for the filter expression. Any additional expressions given on the command line are ignored.
-k packetype
/PACKET_TYPE=packetype
Forces packets selected by the expression to be interpreted by the specified packetype. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications Protocol), rtcp (Real-Time Applications Control Protocol), vat (Visual Audio Tool), and wb (Distributed White Board).
-l
/LINE_BUFFERED
Makes stdout line buffered.
-n
/NOHOSTNAMES
/NUMERICALLY
Does not convert addresses (host addresses, port numbers, and so on) to names. (See Monitoring ARP and RARP Packets for an example.)
-o
/NOOPTIMIZER
Does not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer. The default is /OPTIMIZER.
-q
/SHOW=LESS
/QUIET
Quick output. Displays less protocol information so that
output lines are shorter. The default is
/SHOW=NORMAL.
-r file
/INPUT=file
/READ_BINARY=file
Reads packets from the file created with the -w option.
-”R” all|dup|tcp
/RPC [=ALL | UDP | TCP]
Displays RPC information. For UNIX-style options the “R” must be uppercase and in quotation marks.
-s snapshotlength
/DATA=snapshotlength
/SNAPSHOT_SIZE=size
Captures snapshotlength bytes of data from each packet, rather than the default of 68 bytes. 68 bytes is adequate for IP, ICMP, TCP, and UDP, but may truncate protocol information from name server and NFS packets. Packets truncated because of a limited snapshot are indicated in the output with [|proto], where proto is the name of the protocol level at which the truncation occurred.
If a snapshot of IP data is smaller than the actual packet size, the message truncated-ip - n bytes missing! appears. This is an informational message, and the data captured may be sufficient. If you need to see more data, use -s (or /DATA) to increase the snapshot length.
Note that taking larger snapshots both increases the amount of time it takes to process packets, and effectively decreases the amount of packet buffering. This can cause packets to be lost. You should limit snapshotlength to the smallest number that captures the protocol information you need.
-t
/TIMESTAMPS=value
/NOTIMESTAMPS
/NOTIME
Causes TCPDUMP to display a timestamp on each output line.
Accepted values are UNIX, DELTA,
and RELATIVE. The /NOTIMESTAMPS
qualifier disables the timestamp. The default is
/TIME=FORMAT.
-tt
/TIME=NOFORMAT
Displays an unformatted time stamp on each dump line. The default is /TIME=FORMAT.
-u
/OUTPUT=file
Redirects TCPDUMP output to an ASCII file.
-v
/SHOW=MORE
/VERBOSE
Verbose output. For example, the time-to-live (TTL) and type-of-service (TOS) information in an IP packet is displayed. (See NFS Requests and Replies.)
-vv
/SHOW=FULL
/FULL
"Hyperverbose" output. For example, additional fields are displayed from NFS reply packets.
-w file
/WRITE_BINARY=file
Writes the raw packets to a file, rather than parsing and displaying them out. The file can later be displayed with the -r option.
This file is written in libpcap format. When the interface specified is an Ethernet device the data in the file can be analyzed with Ethereal and similar tools.
-x
/HEXADECIMAL
Displays each packet (minus its link level header) in hexadecimal format. The smaller of the entire packet and snapshotlength byte values are displayed.
-z
/ASCII
Displays each packet in hexadecimal format with the ASCII equivalent.
Recall that a TCPDUMP command consists of the following elements:
TCPDUMP [ options | qualifiers] [expressions]
Expressions select which packets to dump. Only packets for which the expression is true are dumped (or all packets if the expression is omitted). An expression breaks down into one or more primitives:
expression = primitive primitive ...
Primitives usually break down into a qualifier and an address:
primitive = qualifier address
There are three kinds of qualifiers – type, direction, and protocol:
· Type qualifiers define the ID name or number type. Possible types are:
o host
o net
o port
Examples of primitives using these qualifiers are host foo, net 128.3, and port 20. The default is host if the type qualifier is omitted, so that foo and host foo are equivalent. A host can be either an IP address or hostname. A net can either be a name from the TCPWARE:NETWORKS.file, or a network number, and can include the additional mask qualifier.
· Direction qualifiers specify a transfer direction, and are prepended to the type qualifier:
o src
o dst
o src or dst (default)
o src and dst
Examples of primitives using these qualifiers are src foo, dst net 128.3, and src or dst port ftp-data. The default is src or dst if the direction qualifier is omitted, so that port ftp-data is true for a source or destination port.
· Protocol qualifiers restrict the match to a particular protocol and are prepended to the direction qualifier. Possible protocols are:
o ether
o fddi
o icmp
o ip
o ipx
o arp
o rarp
o decnet
o lat
o sca
o moprc
o mopdl
o tcp
o udp
Examples of primitives using these qualifiers are ether src foo, arp net 128.3, and tcp port 21. If the protocol qualifier is omitted, the default is all protocols consistent with the type. For example:
o src foo implies ip, arp, or rarp
o net bar implies ip, arp, or rarp
o port 53 implies tcp or udp
You can be even more specific about the ip protocol by adding proto and the IP protocols cmp, igrp, dp, nd, or cp; for example, ip proto cmp. (Note that some protocols are preceded by backslashes to distinguish them from protocol qualifiers.) The same goes for the ether protocols p, rp, and arp, such as in ether proto p.
The fddi protocol qualifier is actually an alias for ether, and is treated identically as meaning the data link level used on the specified network interface. FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. (FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.)
There are additional special, "primitive" qualifiers that do not follow the pattern:
· gateway
· broadcast
· less
· greater
· arithmetic expressions
All of these are described in the Primitives subsection that follows.
More complex filter expressions are built up by using the words and, or, and not to combine primitives. For example, host foo and not port ftp and not port ftp-data. To save typing, identical qualifier lists can be omitted. For example, the following two expressions are identical, the first being the abbreviated form:
tcp dst port ftp or ftp-data or domain
tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain
dst [host] host
IP destination field of the packet must be host.
src [host] host
IP source field of the packet must be host.
[host] host
IP source or destination of the packet must be host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp, as in ip host host, which is equivalent to ether proto ip and host host. If host is a name with multiple IP addresses, each address is checked for a match.
ether dst ehost
Ethernet destination address must be ehost, which is either a name from the TCPWARE:ETHERS. file, or a number.
ether src ehost
Ethernet source address must be ehost.
ether[host] ehost
Ethernet source or destination address must be ehost.
gateway host
Packet must use host as a gateway; that is, the Ethernet source or destination address was host, but neither the IP source nor destination was host. (This makes the expression equivalent to ether host ehost and not host host.) The host must be a name and must be found in both the TCPWARE:HOSTS. And TCPWARE:ETHERS. files.
dst net net
IP destination address of the packet must have a network ID of net.
src net net
IP source address of the packet must have a network ID of net.
net net
Either the IP source or destination address of the packet must have a network ID of net.
net net mask mask
IP address must match its network ID with the specified mask; can be qualified with src or dst.
net net/length
IP address must match its network ID with the specified mask length, in bits; can be qualified with src or dst.
dst port port
Packet must be IP/TCP or IP/UDP and have a destination port value, a number or name used in the TCPWARE:SERVICES. file. If a name, both the port number and protocol are checked. If a number or ambiguous name, only the port number is checked. For example, dst port 513 displays both TCP/LOGIN and UDP/WHO traffic; dst port domain displays both TCP/DOMAIN and UDP/DOMAIN traffic.
src port port
Packet must have a source port value.
port port
Either the source or destination port of the packet must be port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in tcp src port port, which matches only TCP packets whose source port is port.
less length
Packet must have a length less than or equal to length (equivalent to len <= length).
greater length
Packet must have a length greater than or equal to length (equivalent to len >= length).
ip proto protocol
Packet must be an IP packet of protocol type protocol, which can be a number or one of the names cmp, igrp, dp, nd, or cp. Note that tcp, udp, and icmp must be escaped using a backslash (F0>) to distinguish them from qualifiers.
[ether] broadcast
Packet must be an Ethernet broadcast packet. The ether keyword is optional.
ip broadcast
Packet must be an IP broadcast packet. It checks for both the all-zeros and all-ones broadcast conventions and looks up the local subnet mask.
[ether] multicast
Packet must be an Ethernet multicast packet (shorthand for ether[0] & 1 != 0).
ip multicast
Packet must be an IP multicast packet.
ether proto protocol
Packet must be of Ethernet type protocol, which can be a number or name like p, rp, or F30@Z7@Lam>rarp. Note that these identifiers must be escaped using a backslash (\).
In the case of FDDI (such as fddi proto arp), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. TCPDUMP assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called Subnetwork Access Protocol (SNAP) format.
decnet src host
DECNET source address must be host, which can be an address of the form 10.123, or a DECNET hostname.
decnet dst host
DECNET destination address must be host.
decnet host host
Either the DECNET source or destination address must be host.
ip, arp, rarp, decnet
Abbreviation for ether proto protocol for one of these protocols.
ipx { src | dst } host
With ipx alone, packet must be an IPX packet. With src or dst, the packet must come from or go to an ethernet host.
lat, moprc, mopdl
Abbreviation for ether proto protocol for one of these protocols. Note that TCPDUMP does not currently know how to parse these protocols.
tcp, udp, icmp
Abbreviation for ether proto protocol from one of these protocols.
expr relational-operator expression
The relation must hold, where relational-operator is one of >, <, >=, <=, =, !=, and expression is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators (+, -, *, /, &, |), a length operator, and special packet data accessors (see the following subsection).
To access data inside a packet, use the syntax:
proto[expr : size]
· proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation.
· expr is the byte offset, relative to the indicated protocol layer.
· size is optional and indicates the number of bytes in the field of interest. It can be either 1, 2, or 4, and defaults to 1. The length operator, indicated by the keyword len, gives the length of the packet.
For example:
· ether[0] & 1 != 0 catches all multicast traffic.
· ip[0] & 0xf != 5 catches all IP packets with options.
· ip[6:2] & 0x1fff = 0 catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the TCP and UDP index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.
You can combine primitives using:
· A parenthesized group of primitives and operators (parentheses must be escaped)
· Negation (! or not) (you must enclose expressions using ! in quotes)
· Concatenation (& or and)
· Alternation (| or or)
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are required for concatenation.
If the identifier omits a qualifier, the most recent qualifier applies. For example,
not host vs and ace is short for not host vs and host ace, which should not be confused with not (host vs or ace).
Expression arguments can be passed to TCPDUMP as either a single argument or as multiple arguments, whichever is more convenient.
1. These identical examples display all packets arriving at or departing from BART.
$ tcpdump bart
$ tcpdump host bart
2. These identical examples display traffic between HELIOS and either HOT or ACE.
$ tcpdump helios and (hot or ace)
$ tcpdump host helios and (hot or ace)
3. These identical examples display all IP packets between ACE and any host except HELOIS.
$ tcpdump ip ace and not helios
$ tcpdump ip host ace and not helios
4. This example displays all traffic between local hosts and hosts at Berkeley.
$ tcpdump net ucb-ether
5. This example displays all FTP traffic through gateway SNUP (note that the expression is quoted because of the parentheses).
$ tcpdump "gateway snup and (port ftp or ftp-data)"
6. This example displays traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this information should never make it onto your local net).
$ tcpdump ip and not net localnet
7. This example displays the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a nonlocal host.
$ tcpdump "tcp[13] & 3 != 0 and not src and dst net localnet"
8. This example displays IP packets longer than 576 bytes sent through gateway HOMER.
$ tcpdump "gateway homer and ip[2:2] > 576"
9. This example displays IP broadcast or multicast packets not sent over Ethernet broadcast or multicast.
$ tcpdump "ether[0] & 1 = 0 and ip[16] >= 224"
10. This example displays all ICMP packets that are not echo requests/replies (PING packets).
$ tcpdump "icmp[0] != 8 and icmp[0] != 0"
TIME is the Time Protocol, defined by RFC 868. For a TCP connection, TIME returns a four-byte integer (in network byte order) of the current time in number of seconds since 1-JAN-1900 00:00 GMT. For UDP, when you receive a packet time port (37), TIME returns a four-byte datagram with the time (and discards the received datagram).
This section describes the TRACEROUTE utility, which traces the path of an IP packet to an internet host. Only one user can run TRACEROUTE at a time. TRACEROUTE requires BYPASS or SYSPRV privileges.
Before using TRACEROUTE, enter the following to define the TRACEROUTE foreign command definition:
$ TRACEROUTE :== $TCPWARE:TRACEROUTE
To trace the path an IP packet follows to an internet host, enter the following format:
$ TRACEROUTE [-dnrv] [-w wait]
[-m max_ttl][-q nqueries]-
_$ [-t tos] [-s src_addr] host
-n |
Specifies to display internet addresses, not host names |
-r |
Specifies not to route (TRACEROUTE displays only directly "connected" hosts) |
-v |
Specifies verbose mode |
-w wait |
Is the number of seconds to wait between probes |
-m max_ttl |
Is the maximum time-to-live to set in or outgoing datagrams |
-q nqueries |
Is the number of probes sent |
-t tos |
Is the type of service (the default is 0) |
-s src_addr |
Is the source internet address to use (the default depends on the interface needed to reach the destination) |
host |
Is the name of the internet host whose path you want to trace |
The below example shows a TRACEROUTE command and the resulting output.
$ TRACEROUTE nic.ddn.mil
TRACEROUTE to nic.ddn.mil
(192.112.36.5), 30 hops max, 38 byte packets
1 delta.example.com (192.168.95.126) 0 ms 0 ms 0 ms
2 process-gw.example.com (192.168.138.1) 0 ms 10 ms 0 ms
3 waltham-cr1.bbnplanet.net (131.192.148.49) 20 ms 0 ms 0 ms
4 cambridge2-cr3.bbnplanet.net (131.192.27.2) 10 ms 10 ms 10 ms
5 cambridge2-br1.bbnplanet.net (199.92.129.6) 10 ms 10 ms 10 ms
6 cambridge1-br2.bbnplanet.net (4.0.2.25) 10 ms 20 ms 10 ms
7 nyc1-br2.bbnplanet.net (4.0.1.121) 20 ms 30 ms 20 ms
8 nyc2-br2.bbnplanet.net (4.0.1.154) 30 ms 90 ms 120 ms
9 nynap.bbnplanet.net (4.0.1.26) 20 ms 40 ms 20 ms
10 niprnet.sprintnap.net (192.157.69.45) 420 ms 90 ms 90 ms
11 137.209.12.1 (137.209.12.1) 90 ms 90 ms 90 ms
12 * 198.26.119.26 (198.26.119.26) 90 ms 100 ms
13 nic.mil (192.112.36.5) 90 ms