This change adds an option to print only on stderr the packet count
when reading capture file(s) instead of parsing/printing the packets.
If a filter is specified on the command line, tcpdump counts only
packets that were matched by the filter expression.
The option name is '--count'.
Add two shortcuts (as long-options) for setting the time stamp
precision: --micro and --nano. While adding these options, reshuffle
the usage message to group up the options related to time stamp, and
remove the macro TIME_STAMP_PRECISION_USAGE.
If setting the time stamp precision is not supported by the available
libpcap, the usage won't mention these options (including
--time-stamp-precision), but they will still be presented in the
manpage.
When using all three switches (-C -G and -W), the behavior is
practically identical to only using -C and -G, as the -W flag will only
affect the filename suffix.
Fixes #695
Three CLI output examples in the tcpdump man page used to request a
smaller font size since the beginning of the version control history.
That had no effect on the plain text format, and made the examples
difficult to read in the HTML format, so get rid of it.
[skip ci]
At one point, I remember a discussion resulting in the official name of
the next-generation replacement for pcap format being changed to
"pcapng", with no hyphen.
Make tcpdump reflect that.
While we're at it, update to use "macOS" as the name of Apple's
UNIX-for-Macs, as appropriate (don't use it for versions that were still
called Mac OS X or OS X).
The -s default is now large, so it's not as if you'll have to increase
it to get more packet data; you might have to *decrease* it to avoid
dropping packets.
Put the information about the time stamp first, and put in a more
detailed description of IPv4 header information before TCP header
information is described.
Update the description of TCP header information to reflect current
reality.
More updating is probably needed.
The "tcp" in "tcpdump" is historical; these days, it's a general-purpose
network analyzer. Don't claim tcpdump will not be of much use to you if
you don't know TCP.
Provide better detailed guidelines in CONTRIBUTING and update a number
of other files to refer to that file so that the directions are now
more uniform.
If N is a number, and is the name of an interface on the system, "-i N"
will now attempt to open that interface, not the Nth interface in the
list of interfaces. See GitHub issue #522.
This commit adds support for RESP as defined in: http://redis.io/topics/protocol.
It also supports inline commands and pipelining. Due to the popularity of RESP,
numerous services are emerging that use this protocol. You may decode RESP packets
on arbitrary ports using the "-T resp" option.
Example captures can be found in tests/resp_*.
A simple way to test this parser is to start redis-server and then run
redis-cli commands such as "redis-cli set key value".
Traditionally, redis-cli monitor is used to debug redis. Unfortunately,
the "monitor" command can cause significant load on a redis-server in
production. This parser may be used as a non-invasive alternative to
redis-cli monitor.
Don't speak of "Ethernet" and "wire", as you might not be sniffing an
Ethernet or, indeed, any form of wired network.
Note that not only could there be a delay between the point at which the
interface is finished receiving the packet and when an interrupt is
delivered (whether due to bus delays, polling rather than immediate
interrupts being used, or delays in the CPU responding to the interrupt,
or more than one of those) but also a delay between the point at which
the kernel responds to the interrupt and the point at which it actually
applies a time stamp to the packet.
If libpcap has pcap_set_immediate_mode(), then default to immediate mode
if we're printing packets to a terminal, and use immediate mode if
--immediate-mode is specified.
A while ago we introduced a new API in libpcap which made it possible to
request time stamps with higher precision (nanoseconds). This commit
aims to move things forward and implement the missing bits. It introduces
a new long option, --time-stamp-precision. Note that there is no equivalent
short option.
When used for a live capture, tcpdump will ask the kernel for time stamps
with the desired precision and tcpdump will print the fractional part of the
time stamp using the respective format. We currently support only microsecond and
nanosecond precision. In the future we might support even more granular
time stamp precision, but we should be fine to support only
microseconds and nanoseconds for now. libpcap doesn't provide anything
else at the moment anyway.
When used in combination with -r/-w options then we obtain time stamps
appropriately scaled up or down from libpcap. Also note that a distinct
magic number is used for savefiles containing nanosecond time stamps.
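
The distinct savefile magic numbers mentioned above, together with the record walk that a packet count over a capture file amounts to, are shown here as an added example; this is not tcpdump or libpcap source code. The function names `savefile_precision` and `savefile_count` and the sample bytes are assumptions made for illustration, and no filter expression is applied, so every record is counted.

```c
#include <stddef.h>
#include <stdint.h>

#define PCAP_MAGIC_USEC 0xa1b2c3d4u /* classic pcap, microsecond time stamps */
#define PCAP_MAGIC_NSEC 0xa1b23c4du /* classic pcap, nanosecond time stamps */

/* Constructed sample: little-endian nanosecond savefile with two packets. */
static const unsigned char sample[] = {
    0x4d,0x3c,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0,0,4,0, 1,0,0,0,
    1,0,0,0, 0xff,0xc9,0x9a,0x3b, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef,
    2,0,0,0, 5,0,0,0, 2,0,0,0, 2,0,0,0, 0xca,0xfe
};

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const unsigned char *b, int be)
{
    return be ? ((uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3])
              : ((uint32_t)b[3] << 24 | (uint32_t)b[2] << 16 | (uint32_t)b[1] << 8 | b[0]);
}

/* Returns fractional digits: 6 (usec), 9 (nsec), or -1 if not a pcap savefile. */
int savefile_precision(const unsigned char *buf, size_t len, int *big_endian)
{
    if (len < 24) return -1;              /* shorter than the file header */
    for (int be = 0; be <= 1; be++) {     /* try both byte orders */
        uint32_t magic = rd32(buf, be);
        if (magic != PCAP_MAGIC_USEC && magic != PCAP_MAGIC_NSEC) continue;
        *big_endian = be;
        return magic == PCAP_MAGIC_NSEC ? 9 : 6;
    }
    return -1;
}

/* Counts packet records without decoding them; -1 on bad header or truncation. */
long savefile_count(const unsigned char *buf, size_t len)
{
    int be;
    size_t off = 24;                      /* records start after the file header */
    long n = 0;
    if (savefile_precision(buf, len, &be) < 0) return -1;
    while (off < len) {
        if (len - off < 16) return -1;    /* truncated record header */
        uint32_t caplen = rd32(buf + off + 8, be);
        if (caplen > len - off - 16) return -1; /* caplen runs past the buffer */
        off += 16 + (size_t)caplen;
        n++;
    }
    return n;
}
```

The bounds checks on the record header and on `caplen` are what keep the walk safe on a truncated or hostile capture file.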