[tcpdump-workers] tcpdump output clarification

2012-10-22 Thread Michael Downey
I am having trouble fully understanding what exactly a '.' stands for when
following another flag in the tcpdump output, for example [S.]. The reason
why I am having trouble with this is due to separate versions of the man
page explaining this differently. While researching this, I've come across
many forums where others have the same question.

Here's an excerpt from the tcpdump man page on OSX 10.7:

"The general format of a tcp protocol line is:
  src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is sequence number of the next data expected the other direction on this connection. Window is the number of bytes of receive buffer space available the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., )."
^ ACK and URG flags are not mentioned. I assumed from this output that a
following '.' as with [S.] would represent a flag that is not S, F, P, R,
W, or E, meaning that this flag would either be ACK or URG.


Now, here's an excerpt from the tcpdump man page on Ubuntu 12.04 LTS:

"The general format of a tcp protocol line is:
  src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), *U (URG)*, W (ECN CWR), E (ECN-Echo) *or `.' (ACK),* or `none' if no flags are set. Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is sequence number of the next data expected the other direction on this connection. Window is the number of bytes of receive buffer space available the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., )."


Here, the man page shows URG as an option, and lists '.' as an ACK flag. It
also states that "none" would be shown if no flags are set (unlike the OSX
10.7 man page showing '.' representing no flags).

On FreeBSD 8 that whole explanation is missing in tcpdump's man page.

If there is any way I can get a clear explanation on this, that would be
wonderful. Thank you for your time.
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] tcpdump output clarification

2012-10-22 Thread Guy Harris

On Oct 22, 2012, at 2:36 PM, Michael Downey wrote:

> I am having trouble fully understanding what exactly a '.' stands for when 
> following another flag in the tcpdump output, for example [S.]. The reason why 
> I am having trouble with this is due to separate versions of the man page 
> explaining this differently. While researching this, I've come across many 
> forums where others have the same question.
> 
> Here's an excerpt from the tcpdump man page on OSX 10.7:

...which, perhaps because Apple modified it to document their "-g" ("g"reppable 
- "Do not insert line break after IP header in verbose mode for easier 
parsing.") flag, is out-of-date and doesn't reflect what the code actually 
does.  (Apple may have picked up some code updates, although they're still at 
4.1.1, but not picked up the man page updates.)

> Now, here's an excerpt from the tcpdump man page on Ubuntu 12.04 LTS:

...which is closer to, perhaps even identical to, the tcpdump.org man page.

> On FreeBSD 8 that whole explanation is missing in tcpdump's man page.

I'm not sure which version of tcpdump is the basis for FreeBSD 8's tcpdump, but:

3.4, in what I think is the version from LBL, and 3.5.0, 3.6.1, 3.7.1, 
3.8.1, and 3.9.1, as downloaded from tcpdump.org, have code that prints "." for 
"no flags" and nothing special for ACK, and a manual page that agrees with that;

4.0.0, 4.1.0, and 4.1.1, as downloaded from tcpdump.org, have code that 
prints "." for ACK, and a manual page that has a version of that explanation 
that doesn't mention "." for ACK and just says "." is for no flags;

4.2.0, as downloaded from tcpdump.org, has similar code, and the manual 
page says "." is for ACK.

So part of the problem is that the code was changed before the man page was - 
4.0.0 changed the code, but the man page wasn't updated until 4.2.0, so any OS 
version that ships something based on 4.0.0 through 4.1.1 (without fixing the 
man page) will have an incorrect man page.

I don't have a system running FreeBSD 8 handy, but the CVS repository, at 
least, seems to have, for FreeBSD 8, a version of tcpdump.1 that has the old 
explanation rather than no explanation (not surprising, given that the 
explanation dates all the way back to the last LBL release), and seems to 
indicate that the FreeBSD 8 tcpdump is based on 4.0.0.  Perhaps the explanation 
is there but you missed it?

> If there is any way I can get a clear explanation on this,

The explanation is "man pages can be out of date." :-)
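As an added illustration (not code from the thread or from tcpdump itself), the following Python renders a TCP flags byte as a tcpdump-style flag token and decodes a printed token back to flag names under both conventions Guy describes: the 3.x convention ('.' alone means no flags, ACK and URG are not printed as letters) and the 4.0+/4.2 convention ('.' means ACK, 'none' means no flags). The letter order is an assumption modeled on observed output such as [S.] and [FP.]; the surrounding "Flags [...]" wrapper is not reproduced.

```python
# Bit values of the TCP header flags (RFC 793 / RFC 3168 layout).
TH_FIN, TH_SYN, TH_RST, TH_PUSH = 0x01, 0x02, 0x04, 0x08
TH_ACK, TH_URG, TH_ECNECHO, TH_CWR = 0x10, 0x20, 0x40, 0x80

# Letter per bit, in the order modern tcpdump appears to print them
# (assumption based on output like [S.], [FP.], [R.]): '.' is ACK.
NEW_TABLE = [(TH_FIN, "F"), (TH_SYN, "S"), (TH_RST, "R"), (TH_PUSH, "P"),
             (TH_ACK, "."), (TH_URG, "U"), (TH_ECNECHO, "E"), (TH_CWR, "W")]
# 3.x man page lists only S, F, P, R, W, E; ACK and URG are not printed
# as flag letters (ACK shows up via the separate "ack N" field instead).
OLD_TABLE = [t for t in NEW_TABLE if t[0] not in (TH_ACK, TH_URG)]

LETTER_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PUSH",
                "U": "URG", "E": "ECE", "W": "CWR"}


def format_flags(flags: int, new_style: bool = True) -> str:
    """Render a flags byte as the token the two man-page generations describe."""
    table = NEW_TABLE if new_style else OLD_TABLE
    token = "".join(ch for bit, ch in table if flags & bit)
    if token:
        return token
    # Nothing printable: 4.x prints "none", 3.x prints a lone ".".
    return "none" if new_style else "."


def parse_flags(text: str, new_style: bool = True) -> set:
    """Map a printed token such as '[S.]' back to a set of flag names."""
    body = text.strip().strip("[]")
    if body == "none":
        return set()
    names = set()
    for ch in body:
        if ch == ".":
            if new_style:
                names.add("ACK")
            # Old style: '.' only means "no other flags"; it carries no ACK info.
        elif ch in LETTER_NAMES:
            names.add(LETTER_NAMES[ch])
        else:
            raise ValueError(f"unknown flag letter {ch!r} in {text!r}")
    return names


if __name__ == "__main__":
    for v in (TH_SYN | TH_ACK, TH_ACK, 0, TH_FIN | TH_PUSH | TH_ACK):
        print(f"{v:#04x}: new=[{format_flags(v)}] old=[{format_flags(v, False)}]")
```

The same 0x12 (SYN+ACK) byte renders as "S." under the 4.x convention and as a bare "S" under the 3.x one, which is exactly the ambiguity the two man pages in this thread disagree about.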