TCPDump Man Page – How to Read and Understand Options

manoptions

I am trying to use the tcpdump command in a project and I have some difficulties understanding the help page.

SYNOPSIS
   tcpdump [ -AbdDefhgHIJKlLnNoOpPqRStuUvxX ] [ -B buffer_size ] [ -c
   count ]
           [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
           [ -i interface ] [ -j tstamp_type ] [ -k (metadata_arg) ]
           [ -m module ] [ -M secret ]
           [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
           [ -W filecount ]
           [ -E spi@ipaddr algo:secret,...  ]
           [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
           [ -Q packet-metadata-filter ]
           [ expression ]

First, what is this "[ -AbdDefhgHIJKlLnNoOpPqRStuUvxX ]" at the top ? What is the meaning of that ?
I also see a lot of people on the internet doing crazy things with this command, for example tcpdmp -nnvvXSs 1514 … what is that -nnvvXSs, and how can we know this can be used ?

I see codes examples that according to me does not correspond to the man page, I just don't get how to read, how to understand this help file.

Anybody tell me how to read this and understand it ?

Best Answer

By convention, the brackets indicate something that is optional. So you can run tcpdump, or tcpdump -c 3 -i eth0, or tcpdump -c 3 -r /path/to/file, etc. Also, unless explicitly indicated, options can be used in any order, so you can run tcp -i eth0 -c 3, etc.

Most commands allow options to be clustered when they use a single letter. For example, tcpdump -AX is equivalent to tcpdump -A -X. The manual groups all options that don't take arguments to make the presentation shorter: [ -Abd ] would be a shortcut for [ -A ] [ -b ] [ -d ], etc.

The synopsis is just a summary. Read the “description” or “options” section to see what each option does and what the word after each option can be replaced with.

For example, tcpdmp -nnvvXSs 1514 is a shorter equivalent of tcpdump -n -n -v -v -X -s -s 1514, and means:

-n: don't do name resolution. Repeating this option has no additional effect.
-v: causes tcpdump to print out more stuff. Repeating this option causes it to print even more stuff.
-X adds a dump of the content of each packet to the output.
-S causes absolute TCP sequence numbers to be printed.
-s 1514 causes only the first 1514 bytes of each packet to be captured.

Related Solutions

Man Pages – How to Dump a Man Page

First of all, the man files are usually just gziped text files somewhere in your file system. Since your milage will vary finding them and you probably wanted the processed and formatted version that man gives you instead of the source, you can just dump them with the man tool. By looking at man man, I see that you can change the program used to view man pages with the -P flag like this:

man -P cat command_name

It's also worth nothing that man automatically detects when you pipe it's output instead of viewing it on the screen, so if you are going to process it with something else you can skip straight to that step like so:

man command_name | grep search_string

or to dump TO a file:

man command_name > formatted_man_page.txt

How does `man git init` get the right man page

Some implementations of man, including the one used by Ubuntu, replace spaces in its search terms with hyphens and attempt to find a manual page under that name. So man git init looks for the same thing as man git-init. Similarly, man run parts and man ntfs 3g work (if you have run-parts and ntfs-3g on your system).

It only does this with word pairs, though, so man git annex sync does not work (though man git-annex sync does, as that's again a word pair).

In fact, when you ask for two manual pages (e.g., man git bash to see both the git and bash manpages), man actually first tries to look for a git-bash manpage. You can see this in the debug output if you enable it with -d.

This man feature is called "subpages" you can read the source code implementing subpages in man-db (thanks, Stephen Kitt). Searching the man(1) manpage for "subpages" will also lead you to the description of this behavior under the --no-subpages option:

--no-subpages
      By default, man will try to interpret pairs of manual page
      names given on the command line as equivalent to a single
      manual page name containing a hyphen or an underscore.  This
      supports the common pattern of programs that implement a
      number of subcommands, allowing them to provide manual pages
      for each that can be accessed using similar syntax as would be
      used to invoke the subcommands themselves.  For example:

        $ man -aw git diff
        /usr/share/man/man1/git-diff.1.gz

      To disable this behaviour, use the --no-subpages option.

        $ man -aw --no-subpages git diff
        /usr/share/man/man1/git.1.gz
        /usr/share/man/man3/Git.3pm.gz
        /usr/share/man/man1/diff.1.gz

Best Answer

Related Solutions

Man Pages – How to Dump a Man Page

How does `man git init` get the right man page

Related Question