File: ipgrab.8

ipgrab 0.9.10-5
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,948 kB
  • sloc: ansic: 12,639; sh: 878; makefile: 19
.TH IPGRAB 8 "07 March 2007"

.SH NAME
ipgrab \- A Verbose Packet Sniffer

.SH SYNOPSIS
\fBipgrab\fP [ -ablmnPprTtwx ] [ -c \fIcnt\fP ] [ -i \fIif\fP ] [ \fIexpr\fP ]

.SH DESCRIPTION
\fIipgrab\fP reads and parses packets from the link layer through the
application layer, dumping explicit header information along the way.
It is a lot like \fItcpdump\fP except that it prints almost every
header field.

.SS Options
.TP
\fB-a\fP
Do not display application layer data.
.TP
\fB-b\fP
Buffer standard output. Useful when you're redirecting output to a file.
.TP
\fB-c \fIcnt\fR, \fB--count \fIcnt\fR
Terminate after receiving \fIcnt\fP packets.
.TP
\fB-C \fIproto\fR, \fB--CCP \fIproto\fR
Assume a particular CCP protocol, such as MPPC. MPPC is the only one supported as yet.
.TP
\fB-d\fP
Dump extra padding in packets. For example, according to an IP header, the
packet ends at a certain point, but the link layer may have padded it 
beyond that. This option displays the padding. Not valid in minimal mode.
.TP
\fB-h, --help\fP
Display usage screen with a brief description of the command line options.
.TP
\fB-i \fIif\fR, \fB--interface \fIif\fR
Makes ipgrab listen to packets on interface \fIif\fP, e.g., eth0. If this 
option is not used, the default interface will be assumed.
.TP
\fB-l\fP
Don't display link-layer headers. The following protocols are considered to
be link layer: ARP, CHAP, Ethernet, IPCP, LCP, LLC, Loopback, PPP, PPPoE, 
Raw, Slip.
.TP
\fB-m\fP
Minimal mode output. When operating in this mode, ipgrab displays only brief
header information.
.TP
\fB-n\fP
Don't display network-layer headers. The following protocols are considered
to be network layer: AH, ESP, GRE, ICMP, ICMPv6, IGMP, IP, IPv6, IPX, IPXRIP. 
.TP
\fB-P \fIstring\fR
Initiate a dynamic port mapping. This option must be followed by a string
of the form `<protocol>=<port>', such as `http=8080'.
.TP
\fB-p\fP
Dump packet payloads beyond what IPgrab parses. In other words, if IPgrab
does not parse a particular application, this option will dump application
data in hex and text format.
.TP
\fB-r\fP FILE
Read packets from a file, rather than an interface. The file should be
created in "raw" format, such as with the '-w' option.
.TP
\fB-T\fP
Do not display timestamps in minimal mode.
.TP
\fB-t\fP
Don't display transport layer headers. The following protocols are considered
to be transport layer: SPX, TCP, UDP.
.TP
\fB-v, --version\fP
Display version number and then quit.
.TP
\fB-w\fP FILE
Write the raw packets to a file, rather than the screen. The packets will not
be parsed. The file can be read with the '-r' option.
.TP
\fB-x\fP
Hex dump mode. After processing each layer, dump out the contents of that
layer in hex and text. Only valid in main mode.
.TP
\fBexpr\fP
Berkeley packet filter expression.
See the tcpdump(8) man page for details and examples.

.SH SEE ALSO
tcpdump(8)

.SH NOTES
Requires libpcap version 0.3 or greater to be installed.

.SH AUTHOR
Michael S. Borella
.br
http://www.borella.net/mike/
.br
mike@borella.net