tcpdump tips

Overview

tcpdump is a powerful tool for system problem solving. It is not as easy to use as fancy PC-based packet sniffers or professional-grade network diagnostic equipment. It is, however, available in the standard installation of pretty much every Unix platform (see "snoop" for Solaris).

Displaying CDP info via tcpdump or snoop

Cisco Discovery Protocol is a management protocol that Cisco uses to communicate a great deal of information about a network connection. The protocol tells you which switch and port you are connected to, which helps when you are trying to debug connectivity issues such as a system being connected to the wrong VLAN or with the wrong duplex. If you are connected at the wrong speed, your system typically will not get a valid link status, so a bad speed setting will probably prevent you from getting any data from the interface at all. There are CDP analysis programs for Windows that network people can use to display the CDP packets for a port; however, this generally requires someone to hook a PC up to the port in question.

In AIX 5.3, the tcpdump program can format CDP packets for you. It is as simple as specifying verbose output and telling the system which packets to display. If you are using Solaris, you can use snoop to find the CDP packets, but it does not format the data nicely. I have a script, cdpinfo, that will grab the data using either tcpdump or snoop and format selected information from the packet.

Command:

# tcpdump -nn -vvv -i en0 -s 1500 -c 1 'ether[20:2] == 0x2000'

Options explained:

-nn don't do DNS or port number lookups

-vvv very verbose output

-i en0 specifies the interface to use

-s 1500 capture 1500 bytes of the packet (typical MTU size)

-c 1 capture one packet and exit

'ether[20:2] == 0x2000' capture only packets that have a 2-byte value of hex 2000 starting at byte 20 (the SNAP protocol ID field, which is 0x2000 for CDP)

Output:
tcpdump: listening on en0, link-type 1, capture size 1500 bytes
10:41:55.398940 snap 0:0:c:20:0 CDP v2, ttl: 180s, checksum: 692 (unverified)
        Device-ID (0x01), length: 25 bytes: 'MYSWITCH01.net.somecompany.com'
        Version String (0x05), length: 293 bytes:
          Cisco Internetwork Operating System Software
          IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2006 by cisco Systems, Inc.
          Compiled Thu 23-Mar-06 19:38 by tinhuang
        Platform (0x06), length: 14 bytes: 'cisco WS-C6513'
        Address (0x02), length: 13 bytes: IPv4 (1) 192.168.0.50
        Port-ID (0x03), length: 20 bytes: 'GigabitEthernet13/26'
        Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
        VTP Management Domain (0x09), length: 7 bytes: 'mwv-vtp'
        Native VLAN ID (0x0a), length: 2 bytes: 2033
        Duplex (0x0b), length: 1 byte: full
        AVVID trust bitmap (0x12), length: 1 byte: 0x00
        AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
18 packets received by filter
0 packets dropped by kernel


Key Data:
tcpdump: listening on en0, link-type 1, capture size 1500 bytes
10:41:55.398940 snap 0:0:c:20:0 CDP v2, ttl: 180s, checksum: 692 (unverified)
        Device-ID (0x01), length: 25 bytes: 'MYSWITCH01.net.somecompany.com'
                                              ^
	                                   switch device name

        Version String (0x05), length: 293 bytes:
          Cisco Internetwork Operating System Software
          IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF4, RELEASE SOFTWARE (fc1)
                                                   ^
                                         IOS Version running on the switch

          Technical Support: http://www.cisco.com/techsupport
          Copyright (c) 1986-2006 by cisco Systems, Inc.
          Compiled Thu 23-Mar-06 19:38 by tinhuang
        Platform (0x06), length: 14 bytes: 'cisco WS-C6513'
                                                ^ 
                                           Switch Device Type

        Address (0x02), length: 13 bytes: IPv4 (1) 192.168.0.50
                                                     ^
                                             IP address of the switch

        Port-ID (0x03), length: 20 bytes: 'GigabitEthernet13/26'
                                                ^
                                         port id on the switch

        Capability (0x04), length: 4 bytes: (0x00000029): Router, L2 Switch, IGMP snooping
        VTP Management Domain (0x09), length: 7 bytes: 'mwv-vtp'
        Native VLAN ID (0x0a), length: 2 bytes: 2033
                                                 ^
                                         VLAN ID on the switch

        Duplex (0x0b), length: 1 byte: full
                                        ^
                                  Ethernet duplex setting

        AVVID trust bitmap (0x12), length: 1 byte: 0x00
        AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
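A decoder for the kind of frame that filter selects, written here as an added example (it is not the cdpinfo script mentioned above nor tcpdump's own code): it applies the same offset-20 test the filter does, then walks the CDP TLVs and decodes the fields picked out in the Key Data section. The sample frame is constructed from the field values in the capture above; the source MAC and the shortened version string are made up.

```python
import struct
from ipaddress import IPv4Address

CDP_MULTICAST = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc
# 802.2 LLC (DSAP/SSAP 0xAA, UI) + SNAP header: Cisco OUI 00:00:0c, PID 0x2000 = CDP
SNAP_CDP = bytes.fromhex("aaaa03" "00000c" "2000")
TLV_NAMES = {0x01: "Device-ID", 0x02: "Address", 0x03: "Port-ID", 0x04: "Capability",
             0x05: "Version String", 0x06: "Platform", 0x09: "VTP Management Domain",
             0x0A: "Native VLAN ID", 0x0B: "Duplex"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Transparent Bridge"), (0x04, "Source Route Bridge"),
                   (0x08, "L2 Switch"), (0x10, "Host"), (0x20, "IGMP snooping"), (0x40, "Repeater")]

def tlv(tlv_type, value):
    # CDP TLV: 2-byte type, 2-byte length that counts the 4-byte header too
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

def cdp_checksum(data):
    # Internet ones-complement checksum over the CDP payload. For odd lengths the
    # trailing byte goes into the low-order byte of a zero-padded final word (the
    # handling common CDP decoders use); the sample below is even-length anyway.
    if len(data) % 2:
        data = data[:-1] + b"\x00" + data[-1:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_cdp_frame(src_mac, tlvs, ttl=180):
    # 802.3 header (dst, src, length) + LLC/SNAP + CDP v2 header + TLVs
    body = b"".join(tlvs)
    cksum = cdp_checksum(struct.pack("!BBH", 2, ttl, 0) + body)
    payload = SNAP_CDP + struct.pack("!BBH", 2, ttl, cksum) + body
    return CDP_MULTICAST + src_mac + struct.pack("!H", len(payload)) + payload

def is_cdp(frame):
    # Same test as the tcpdump filter: 14 bytes of 802.3 header + 3 LLC + 3 OUI put the
    # SNAP PID at offset 20. It checks neither the OUI nor the destination MAC, so any
    # SNAP frame carrying PID 0x2000 matches; parse_cdp validates the rest.
    return len(frame) >= 22 and frame[20:22] == b"\x20\x00"

def parse_addresses(value):
    # Address TLV: 4-byte count, then per address: proto type, proto len, proto, addr len, addr
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        # NLPID type 1 with protocol 0xCC is IPv4; anything else is left as hex
        addrs.append(str(IPv4Address(addr)) if ptype == 1 and proto == b"\xcc" and alen == 4
                     else addr.hex())
    return addrs

def parse_cdp(frame):
    # Returns the CDP fields keyed by the names tcpdump -vvv prints
    if not (is_cdp(frame) and frame[:6] == CDP_MULTICAST and frame[14:22] == SNAP_CDP):
        raise ValueError("not a Cisco CDP frame")
    cdp = frame[22:]
    version, ttl, _ = struct.unpack("!BBH", cdp[:4])
    info = {"version": version, "ttl": ttl, "checksum_ok": cdp_checksum(cdp) == 0}
    off = 4
    while off + 4 <= len(cdp):
        t, length = struct.unpack("!HH", cdp[off:off + 4])
        if length < 4 or off + length > len(cdp):
            raise ValueError("bad TLV length at offset %d" % off)
        value = cdp[off + 4:off + length]
        name = TLV_NAMES.get(t, "TLV 0x%02x" % t)
        if t in (0x01, 0x03, 0x05, 0x06, 0x09):
            info[name] = value.decode("ascii", "replace")
        elif t == 0x02:
            info[name] = parse_addresses(value)
        elif t == 0x04:
            mask = struct.unpack("!I", value)[0]
            info[name] = [n for bit, n in CAPABILITY_BITS if mask & bit]
        elif t == 0x0A:
            info[name] = struct.unpack("!H", value)[0]
        elif t == 0x0B:
            info[name] = "full" if value[0] else "half"
        else:
            info[name] = value.hex()
        off += length
    return info

# Constructed sample built from the values in the capture above; the source MAC and
# the shortened version string are made up.
SAMPLE_FRAME = build_cdp_frame(bytes.fromhex("0000000a0b0c"), [
    tlv(0x01, b"MYSWITCH01.net.somecompany.com"),
    tlv(0x05, b"IOS (tm) Version 12.2(18)SXF4"),
    tlv(0x06, b"cisco WS-C6513"),
    tlv(0x02, struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4)
        + IPv4Address("192.168.0.50").packed),
    tlv(0x03, b"GigabitEthernet13/26"),
    tlv(0x04, struct.pack("!I", 0x29)),
    tlv(0x09, b"mwv-vtp"),
    tlv(0x0A, struct.pack("!H", 2033)),
    tlv(0x0B, b"\x01"),
])
```

Calling parse_cdp(SAMPLE_FRAME) yields the Device-ID, Platform, Address, Port-ID, Native VLAN ID and Duplex values shown in the Key Data section, plus a checksum_ok flag that tcpdump leaves "(unverified)".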


tcpdump man page


       Dumps traffic on a network

Syntax


       tcpdump [ -a ] [ -A ] [ -d ] [ -D ] [ -e ] [ -f ] [ -l ] [ -L ]
               [ -n ] [ -N ] [ -O ] [ -p ] [ -q ] [ -R ] [ -S ] [ -t ]
               [ -u ] [ -U ] [ -v ] [ -x ] [ -X ] [ -c count ]
               [ -C file_size ] [ -F file ] [ -i interface ]
               [ -m module ] [ -r file ] [ -s snaplen ] [ -w file ]
               [ -E addr ] [ -y datalinktype ] [ expression ]


Description


       The tcpdump command prints out the headers of
       packets on a network interface that match the
       boolean expression. It can also be run with the -w
       flag, which causes it to save the packet data to a
       file for later analysis. It can also be run with
       the -r flag, which causes it to read from a saved
       packet file rather than to read packets from a
       network interface. In all cases, only packets that
       match expression will be processed by tcpdump.

       If it is not run with the -c flag, tcpdump will
       continue capturing packets until it is interrupted
       by a SIGINT signal (typically control-C) or a
       SIGTERM signal (typically the kill(1) command). If
       tcpdump is run with the -c flag, it will capture
       packets until it is interrupted by a SIGINT or
       SIGTERM signal or the specified number of packets
       have been processed.

       When tcpdump completes capturing packets, it will
       report counts of:
       packets "received by filter"
            Counts all packets regardless of whether they
            were matched by the filter expression.
       packets "dropped by kernel"
            The number of packets that were dropped, due
            to a lack of buffer space.


Allowable Primitives

       dst host host
            True if the IPv4/v6 destination field of the
            packet is host. If host is a name with multiple
            IP addresses, each address will be checked for
            a match.
       ether dst ehost
            True if the ethernet destination address is
            ehost. Ehost may be either a name from
            /etc/ethers or a number (see ethers(3N) for
            numeric format).
       ether src ehost
            True if the ethernet source address is ehost.
       ether host ehost
            True if either the ethernet source or
            destination address is ehost.
       gateway host
            True if the packet used host as a gateway. For
            example, the ethernet source or destination
            address was host but neither the IP source nor
            the IP destination was host. Host must be a
            name and must be found both by the machine's
            host-name-to-IP-address resolution mechanisms
            (host name file, DNS, NIS, etc.) and by the
            machine's host-name-to-Ethernet-address
            resolution mechanism (/etc/ethers, and so on).
            An equivalent expression is ether host ehost
            and not host host which can be used with
            either names or numbers for host /ehost. This
            syntax does not work in IPv6-enabled
            configuration at this moment.
       dst net net
            True if the IPv4/v6 destination address of the
            packet has a network number of net.
       src net net
            True if the IPv4/v6 source address of the
            packet has a network number of net.
       net net
            True if either the IPv4/v6 source or
            destination address of the packet has a
            network number of net.
       net net mask netmask
            True if the IP address matches net with the
            specific netmask. May be qualified with src or
            dst. Note that this syntax is not valid for
            IPv6 net.
       net net/len
            True if the IPv4/v6 address matches net with a
            netmask len bits wide. May be qualified with
            src or dst.

       dst port port
            True if the packet is ip/tcp, ip/udp, ip6/tcp
            or ip6/udp and has a destination port value of
            port. The port can be a number or a name used
            in /etc/services (see tcp(4P) and udp(4P)). The
            port expressions can be prepended with the
            keywords tcp or udp, as in: tcp src port port,
            which matches only tcp packets whose source
            port is port.
       less length
            True if the packet has a length less than or
            equal to length. This is equivalent to: len <=
            length.
       greater length
            True if the packet has a length greater than
            or equal to length. This is equivalent to: len
            >= length.
       ip proto protocol
            True if the packet is an IP packet of protocol
            type protocol. Protocol can be a number or one
            of the names icmp, icmp6, igmp, igrp, pim, ah,
            esp, vrrp, udp, or tcp. Note that the
            identifiers tcp, udp, and icmp are also
            keywords and must be escaped via backslash
            (\), which is \\ in the C-shell. Note that
            this primitive does not chase the protocol
            header chain.
       ip6 proto protocol
            True if the packet is an IPv6 packet of
            protocol type protocol. Note that this
            primitive does not chase the protocol header
            chain.
       ip6 protochain protocol
            True if the packet is IPv6 packet, and
            contains protocol header with type protocol in
            its protocol header chain. For example, ip6
            protochain 6 matches any IPv6 packet with TCP
            protocol header in the protocol header chain.
            The packet may contain, for example,
            authentication header, routing header, or
            hop-by-hop option header, between IPv6 header
            and TCP header. The BPF code emitted by this
            primitive is complex and cannot be optimized
            by BPF optimizer code in tcpdump, so this can
            be somewhat slow.

       ip protochain protocol
            Equivalent to ip6 protochain protocol, but
            this is for IPv4.
       ether broadcast
            True if the packet is an ethernet broadcast
            packet. The ether keyword is optional.
       ip broadcast
            True if the packet is an IPv4 broadcast
            packet. It checks for both the all-zeroes and
            all-ones broadcast conventions, and looks up
            the subnet mask on the interface on which the
            capture is being done.
       ether proto protocol
            True if the packet is of ether type
            protocol. Protocol can be a number or one of
            the names ip, ip6, arp, rarp, atalk, aarp,
            decnet, sca, lat, mopdl, moprc, iso, stp, ipx,
            or netbeui. Note that these identifiers are
            also keywords and must be escaped via
            backslash (\).

            [In the case of FDDI (e.g., `fddi protocol
            arp'), Token Ring (e.g., `tr protocol arp'),
            and IEEE 802.11 wireless LANS (e.g., `wlan
            protocol arp'), for most of those protocols,
            the protocol identification comes from the
            802.2 Logical Link Control (LLC) header, which
            is usually layered on top of the FDDI, Token
            Ring, or 802.11 header. When filtering for
            most protocol identifiers on FDDI, Token Ring,
            or 802.11, tcpdump checks only the protocol ID
             field of an LLC header in so-called SNAP
             format with an Organizational Unit Identifier
             (OUI) of 0x000000, for encapsulated Ethernet;
            it doesn't check whether the packet is in SNAP
            format with an OUI of 0x000000. The exceptions
            are:
              iso
                   tcpdump checks the DSAP (Destination
                   Service Access Point) and SSAP (Source
                   Service Access Point) fields of the LLC
                   header.
               stp and netbeui
                    tcpdump checks the DSAP of the LLC
                    header.
              atalk
                   tcpdump checks for a SNAP-format packet
                   with an OUI of 0x080007 and the
                   AppleTalk etype.
            In the case of Ethernet, tcpdump checks the
            Ethernet type field for most of those
            protocols. The exceptions are:
              iso, sap, and netbeui
                   tcpdump checks for an 802.3 frame and
                   then checks the LLC header as it does
                   for FDDI, Token Ring, and 802.11.
              atalk
                   tcpdump checks both for the AppleTalk
                   etype in an Ethernet frame and for a
                   SNAP-format packet as it does for FDDI,
                   Token Ring, and 802.11.
              aarp

            is only available on Ultrix systems that are
            configured to run DECNET.]
       decnet dst host
            True if the DECNET destination address is
            host.
       decnet host host
            True if either the DECNET source or
            destination address is host.
       ifname interface
            True if the packet was logged as coming from
            the specified interface.
       on interface
            Synonymous with the ifname modifier.
       rnr num
            True if the packet was logged as matching the
            specified PF rule number (applies only to
            packets logged by OpenBSD's pf(4)).
       rulenum num
            Synonymous with the rnr modifier.
       reason code
            True if the packet was logged with the
            specified PF reason code. The known codes are:
            match, bad-offset, fragment, short, normalize,
            and memory (applies only to packets logged by
            OpenBSD's pf(4)).

       action act
            True if PF took the specified action when the
            packet was logged. Known actions are: pass and
            block (applies only to packets logged by
            OpenBSD's pf(4))
       ip, ip6, arp, rarp, atalk, aarp, decnet, iso,
       stp, ipx, netbeui
            Abbreviations for:

            ether proto p

            where p is one of the above protocols.

            lat, moprc, mopdl

            Abbreviations for:

            ether proto p

            where p is one of the above protocols. Note
            that tcpdump does not currently know how to
            parse these protocols.
       vlan [vlan_id]
            True if the packet is an IEEE 802.1Q VLAN
            packet. If [vlan_id] is specified, only true
            if the packet has the specified vlan_id.
       clnp, esis, isis
            Abbreviations for:
              *    iso proto p
            where p is one of the above protocols.
       l1, l2, iih, lsp, snp, csnp, psnp
            Abbreviations for IS-IS PDU types.
       vpi n
            True if the packet is an ATM packet, for
            SunATM on Solaris, with a virtual path
            identifier of n.
       vci n
            True if the packet is an ATM packet, for
            SunATM on Solaris, with a virtual channel
            identifier of n.
       lane
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is an ATM LANE packet.
            Note that the first lane keyword encountered
            in expression changes the tests done in the
            remainder of expression on the assumption that
            the packet is either a LANE emulated Ethernet
            packet or a LANE LE Control packet. If lane
            isn't specified, the tests are done under the
            assumption that the packet is an LLC-
            encapsulated packet.
       llc
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is an LLC-encapsulated
            packet.
       oamf4s
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is a segment OAM F4
            flow cell (VPI=0 & VCI=3).
       oamf4e
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is an end-to-end OAM F4
            flow cell (VPI=0 & VCI=4).
       oamf4
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is a segment or end-
            to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
            VCI=4)).
       oam
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is a segment or end-
            to-end OAM F4 flow cell (VPI=0 & (VCI=3 |
            VCI=4)).
       metac
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is on a meta signaling
            circuit.

            True if the packet is an ATM packet, for
            SunATM on Solaris, and is on a signaling
            circuit and is a Q.2931 Setup, Call
            Proceeding, Connect, Connect Ack, Release, or
            Release Done message.
       metaconnect
            True if the packet is an ATM packet, for
            SunATM on Solaris, and is on a meta signaling
            circuit and is a Q.2931 Setup, Call
            Proceeding, Connect, Release, or Release Done
            message.
       expr relop expr
            True if the relation holds, where relop is one
            of >, <, >=, <=, =, !=, and expr is an
            arithmetic expression composed of integer
            constants (expressed in standard C syntax),
            the normal binary operators [+, -, *, /, &,
            |], a length operator, and special packet data
            accessors. To access data inside the packet,
            use the following syntax:

            proto [ expr : size ]
            Proto is one of ether, fddi, tr, wlan, ppp,
            slip, link, ip, arp, rarp, tcp, udp, icmp or
            ip6, and indicates the protocol layer for the
            index operation. (ether, fddi, wlan, tr, ppp,
            slip and link all refer to the link layer.)
            Note that tcp, udp and other upper-layer
            protocol types only apply to IPv4, not IPv6
            (this will be fixed in the future). The byte
            offset, relative to the indicated protocol
            layer, is given by expr. Size is optional and
            indicates the number of bytes in the field of
            interest; it can be either one, two, or four,
            and defaults to one. The length operator,
            indicated by the keyword len, gives the length
            of the packet.

            For example, ether[0] & 1 != 0 catches all
            multicast traffic. The expression ip[0] & 0xf
            !=5 catches all IP packets with options. The
            expression ip[6:2] & 0x1fff = 0 catches only
            unfragmented datagrams and frag zero of
            fragmented datagrams. This check is implicitly
            applied to the tcp and udp index operations.
            For instance, tcp[0] always means the first
            byte of the TCP header, and never means the
            first byte of an intervening fragment.

            Some offsets and field values may be expressed
            as names rather than as numeric values. The
            following TCP flags field values are available:
            tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack,
            tcp-urg.


Combining Primitives


       Primitives may be combined using:

            A parenthesized group of primitives and operators
            (parentheses are special to the Shell and must be
            escaped).
            Negation (`!' or `not').
            Concatenation (`&&' or `and').
            Alternation (`||' or `or').

       Negation has highest precedence. Alternation and
       concatenation have equal precedence and associate
       left to right. Note that explicit and tokens, not
       juxtaposition, are now required for concatenation.

       If an identifier is given without a keyword, the
       most recent keyword is assumed. For example, not
       host vs and ace is short for not host vs and host
       ace, which should not be confused with not ( host vs
       or ace ).

       Expression arguments can be passed to tcpdump as
       either a single argument or as multiple arguments,
       whichever is more convenient. Generally, if the
       expression contains Shell metacharacters, it is
       easier to pass it as a single, quoted argument.
       Multiple arguments are concatenated with spaces
       before being parsed.


Flags


       -a
            Attempt to convert network and broadcast
            addresses to names.
       -A
            Print each packet (minus its link level
            header) in ASCII. Handy for capturing web
            pages.
       -c count
            Exits after receiving count packets.
       -C file_size
            Before writing a raw packet to a savefile,
            check whether the file is currently larger
            than file_size and, if so, close the current
            savefile and open a new one. Savefiles after
            the first savefile will have the name
            specified with the -w flag, with a number
            after it, starting at 2 and continuing upward.

       -dd
            Dump packet-matching code as a C program
            fragment.
       -ddd
            Dump packet-matching code as decimal numbers
            (preceded with a count).
       -e
            Prints the link-level header on each dump
            line.
       -E addr
            Use spi@ipaddr algo:secret for decrypting
            IPsec ESP packets that are addressed to addr
            and contain Security Parameter Index value
            spi. This combination may be repeated with
            comma or newline separation. Note: Setting the
            secret for IPv4 ESP packets is now supported.

            Algorithms may be des-cbc, 3des-cbc,
            blowfish-cbc, rc3-cbc, cast128-cbc, or none.
            The default is des-cbc. The ability to decrypt
            packets is only present if libcrypto is
            installed and is in LIBPATH.

            secret is the ASCII text for ESP secret key.
            If preceded by 0x, then a hex value will be
            read.

            The option assumes RFC2406 ESP, not RFC1827
            ESP. The option is for debugging purposes only
            and the use of this option with a true secret
            key is discouraged. By presenting the IPsec
            secret key onto command line you make it
            visible to others, via ps(1) and other
            occasions.

            In addition to the above syntax, the syntax
            file name may be used to have tcpdump read the
            provided file. The file is opened upon
            receiving the first ESP packet, so any special
            permissions that tcpdump may have been given,
            should already have been given up.
       -f
            Prints foreign IPv4 addresses numerically
            rather than symbolically.

            The test for foreign IPv4 addresses is done by
            using the IPv4 address and netmask of the
            interface on which capture is being performed.
            This option will not work correctly if that
            address or netmask is not available.
       -F file
            Uses file as input for the filter expression.
       -l
            Makes stdout line buffered. Useful if you want
            to see the data while capturing it. For
            example:

            tcpdump -l | tee dat
              or
            tcpdump -l   >   dat & tail -f dat
       -L
            Lists the known data link types for the
            interface and exits.
       -m module
            Loads SMI MIB module definitions from the
            module file. This option can be used several
            times to load several MIB modules into
            tcpdump.
       -n
            Blocks converting addresses (i.e., host
            addresses, port numbers, etc.) to names.
       -N
            Omits printing domain name qualification of
            host names. For example, tcpdump will print nic
            instead of nic.ddn.mil.
       -O
            Keeps tcpdump from running the packet-matching
            code optimizer. This is useful only if you
            suspect a bug in the optimizer.
       -p
            Won't put the interface into promiscuous mode.
            Note that the interface might be in
            promiscuous mode for some other reason; hence,
            -p cannot be used as an abbreviation for ether
            host {local-hw-addr} or ether broadcast.
       -q
            Quick output. Prints less protocol information
            so output lines are shorter.
       -r file
            Read packets from file (which was created with
            the -w option). Standard input is used if file
            is "-".
       -R
            Assumes ESP/AH packets are based on the old
            specification (RFC1825 to RFC1829). If specified, tcpdump
            will not print replay prevention field. Since
            there is no protocol version field in ESP/AH
            specification, tcpdump cannot deduce the
            version of ESP/AH protocol.
       -S
            Prints absolute rather than relative TCP
            sequence numbers.
       -s snaplen
            Captures snaplen bytes of data from each packet
            rather than the default. Limit snaplen to the
            smallest number that will capture the protocol
            information you are interested in. Setting
            snaplen to 0 means use the required length to
            catch whole packets.
       -T
            Forces packets selected by expression to be
            interpreted as the specified type. Currently
            known types are cnfp (Cisco NetFlow protocol),
            rpc (Remote Procedure Call), rtp (Real-Time
            Applications protocol), rtcp (Real-Time
            Applications control protocol), snmp (Simple
            Network Management Protocol), tftp (Trivial
            File Transfer Protocol), vat (Visual Audio
            Tool), and wb (distributed White Board).
       -t
            Omits the printing of a timestamp on each dump
            line.
       -tt
            Prints an unformatted timestamp on each dump
            line.
       -ttt
            Prints a delta (in micro-seconds) between
            current and previous line on each dump line.
       -tttt
            Prints a timestamp in default format preceded
            by the date on each dump line.
       -u
            Prints undecoded NFS handles.
       -U
            Makes output saved via the -w option
            "packet-buffered": as each packet is saved, it
            will be written to the output file, rather than
            being written only when the output buffer
            fills.
       -v
            Specifies slightly more verbose output. For
            example, the time to live, identification,
            total length and options in an IP packet are
            printed. Also enables additional packet
            integrity checks such as verifying the IP and
            ICMP header checksum.
       -vv
            Even more verbose output than -v. For example,
            additional fields are printed from NFS and
            reply packets are fully decoded.
       -vvv
            Even more verbose output than -vv. For
            example, telnet SB ... SE options are printed
            in full. With -X Telnet options are printed in
            hex as well.
       -w file
            Writes the raw packets to file rather than
            parsing and printing them out. The file can be
            read back later with the -r flag.
       -x
            Prints each packet (minus its link level
            header) in hexadecimal.
       -X
            Prints each packet (minus its link level
            header) in hexadecimal and ASCII. This is very
            handy for analyzing new protocols.
       -y datalinktype
            Set the data link type to use while capturing
            packets to datalinktype.


Parameters

       expressions
            Selects which packets will be dumped. If no
            expression is given, all packets on the net
            will be dumped. Otherwise, only packets for
            which expression is true will be dumped.

            The expression consists of one or more
            primitives. Primitives usually consist of an
            id (name or number) preceded by one or more
            qualifiers. There are three different kinds of
            qualifier:
              *    type qualifiers say what type of
                   primitive the id name or number refers
                   to. Possible types are host, net and
                   port. For example, `host foo', `net
                   128.3', `port 20'. If there is no type
                   qualifier, host is assumed.
              *    dir qualifiers specify a particular
                   transfer direction to and/or from id.
                   Possible directions are src, dst, src
                   or dst and src and dst. If there is no
                   dir qualifier, src or dst is assumed.
                   For some link layers, such as SLIP and
                   for some other device types, the
                   inbound and outbound qualifiers can be
                   used to specify a desired direction.
              *    proto qualifiers restrict the match to
                   a particular protocol. Possible protos
                   are fddi, tr, wlan, ip, ip6, arp, rarp,
                   decnet, tcp and udp. If there is no
                   proto qualifier, all protocols
                   consistent with the type are assumed.
            fddi is an alias for ether. The parser treats
            it as meaning "the data link level used on the
            specified network interface." FDDI headers
            contain Ethernet-like source and destination
            addresses, and often contain Ethernet-like
            packet types, so you can filter on these FDDI
            fields just as with the analogous Ethernet
            fields. FDDI headers also contain other
            and arithmetic expressions. All of these are
            described below.

            More complex filter expressions are built by
            using the words and, or, and not to combine
            primitives.


Environment Variables


       The LIBPATH environment variable must be set, or
       the libcrypto library must be in /usr/lib, for the
       -E flag to work. For example:

       ksh$ LIBPATH=/opt/freeware/lib tcpdump -E"algo:secret"


Exit Status

       0
            Success.
       non-zero
            Error.


Security


       Reading packets from a network interface requires
       read access to /dev/bpf*, which is typically root-
       only. Reading packets from a file does not require
       any special privileges except file read permission.


Examples

       1    To print all packets arriving at or departing
            from sundown, type the following:

            tcpdump host sundown
       2    To print traffic between helios and either hot
            or ace, type the following:

            tcpdump host helios and \( hot or ace \)
       3    To print all IP packets between ace and any
            host except helios, type the following:

            tcpdump ip host ace and not helios
       4    To print all traffic between local hosts and
            hosts at Berkeley, type:

            tcpdump net ucb-ether
       5    To print all ftp traffic through internet
            gateway snup, type the following:

            tcpdump 'gateway snup and (port ftp or ftp-data)'
            Note: The expression is quoted to prevent the
            shell from (mis-)interpreting the parentheses.
       6    To print traffic neither sourced from nor
       9    To print IP broadcast or multicast packets
            that were not sent via ethernet broadcast or
            multicast, type:

            tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
       10   To print all ICMP packets that are not echo
            requests/replies (for instance, not ping
            packets), type:

            tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'


Standard Error


       All errors and warnings are sent to stderr.


Limitations


       A packet trace that crosses a daylight savings time
       change will give skewed time stamps (the time
       change is ignored).

       Filter expressions on fields other than those in
       Token Ring headers will not correctly handle
       source-routed Token Ring packets.

       Filter expressions on fields other than those in
       802.11 headers will not correctly handle 802.11
       data packets with both To DS and From DS set.

       ip6 proto should chase header chain, but at this
       moment it does not. ip6 protochain is supplied for
       this behavior.

       Arithmetic expression against transport layer
       headers, like tcp[0], does not work against IPv6
       packets. It only looks at IPv4 packets.


Files

       /usr/sbin/tcpdump
            Location of the tcpdump command.
       /usr/lib/libpcap.a
       /dev/bpf*
       /opt/freeware/lib/libcrypto.a(libcrypto.so)
            Optional


Related Information


       pcap library, iptrace, Berkeley Packet Filter.


Last Updated: Dec. 2006