tcpdump mailing list archives
Re: tcpdump output clarification
From: Guy Harris <guy () alum mit edu>
Date: Mon, 22 Oct 2012 19:51:53 -0700
On Oct 22, 2012, at 2:36 PM, Michael Downey <miked315 () gmail com> wrote:
I am having trouble fully understanding what exactly a '.' stands for when following another flag in the tcpdump output, for example [S.]. The reason why I am having trouble with this is that separate versions of the man page explain this differently. While researching this, I've come across many forums where others have the same question. Here's an excerpt from the tcpdump man page on OSX 10.7:
...which, perhaps because Apple modified it to document their "-g" ("g"reppable - "Do not insert line break after IP header in verbose mode for easier parsing.") flag, is out-of-date and doesn't reflect what the code actually does. (Apple may have picked up some code updates, although they're still at 4.1.1, but not picked up the man page updates.)
Now, here's an excerpt from the tcpdump man page on Ubuntu 12.04 LTS:
...which is closer to, perhaps even identical to, the tcpdump.org man page.
On FreeBSD 8 that whole explanation is missing in tcpdump's man page.
I'm not sure which version of tcpdump is the basis for FreeBSD 8's tcpdump, but: 3.4, in what I think is the version from LBL, and 3.5.0, 3.6.1, 3.7.1, 3.8.1, and 3.9.1, as downloaded from tcpdump.org, have code that prints "." for "no flags" and nothing special for ACK, and a manual page that agrees with that; 4.0.0, 4.1.0, and 4.1.1, as downloaded from tcpdump.org, have code that prints "." for ACK, and a manual page that has a version of that explanation that doesn't mention "." for ACK and just says "." is for no flags; 4.2.0, as downloaded from tcpdump.org, has similar code, and the manual page says "." is for ACK.

So part of the problem is that the code was changed before the man page was - 4.0.0 changed the code, but the man page wasn't updated until 4.2.0, so any OS version that ships something based on 4.0.0 through 4.1.1 (without fixing the man page) will have an incorrect man page.

I don't have a system running FreeBSD 8 handy, but the CVS repository, at least, seems to have, for FreeBSD 8, a version of tcpdump.1 that has the old explanation rather than no explanation (not surprising, given that the explanation dates all the way back to the last LBL release), and seems to indicate that the FreeBSD 8 tcpdump is based on 4.0.0. Perhaps the explanation is there but you missed it?
If there is any way I can get a clear explanation on this,
The explanation is "man pages can be out of date." :-)
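As an added illustration (not from this thread and not tcpdump's own code), a small Python decoder that applies the version-dependent meaning of "." described above to constructed tcpdump lines in both the 4.x "Flags [...]" format and the older 3.x format. The page only talks about "S" and "."; the remaining letters and the "[none]" marker are assumed from tcpdump's print-tcp.c as I know it, and the sample lines are constructed.

```python
import re

# Letter -> flag mapping of tcpdump 4.x (assumed from print-tcp.c; only "S"
# and "." are discussed in the thread). In 4.0.0 and later "." is the ACK bit;
# in 3.x "." means "none of F/S/R/P" and ACK shows up only as "ack <n>".
FLAG_LETTERS = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH",
                "U": "URG", "E": "ECE", "W": "CWR"}

NEW_STYLE = re.compile(r"Flags \[([^\]]*)\]")   # 4.0.0 and later
OLD_STYLE = re.compile(r": ([FSRP.]+) ")         # 3.x: "dst: S 1:1(0) ..."

# Constructed sample output (not captured from a real tcpdump run).
NEW_SYNACK = "12:00:00.000002 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.], seq 100, ack 2, win 65535, length 0"
NEW_ACK = "12:00:00.000003 IP 10.0.0.1.40000 > 10.0.0.2.80: Flags [.], ack 101, win 65535, length 0"
OLD_SYN = "12:00:00.000001 IP 10.0.0.1.40000 > 10.0.0.2.80: S 1:1(0) win 65535"
OLD_ACK = "12:00:00.000003 IP 10.0.0.1.40000 > 10.0.0.2.80: . ack 101 win 65535"


def decode_flags(field, dot_means_ack):
    """Translate a flag string such as 'S.' into a frozenset of flag names."""
    if field == "none":                 # 4.x prints [none] when no bits are set (assumed)
        return frozenset()
    flags = set()
    for ch in field:
        if ch == ".":
            if dot_means_ack:           # 4.0.0+: "." is ACK
                flags.add("ACK")
            # pre-4.0: "." is only a placeholder, so nothing is added
        elif ch in FLAG_LETTERS:
            flags.add(FLAG_LETTERS[ch])
        else:
            raise ValueError(f"unknown flag letter {ch!r} in {field!r}")
    return frozenset(flags)


def parse_line(line, version):
    """Return the TCP flag set for one tcpdump text line.

    version is the (major, minor, patch) of the tcpdump that wrote the line;
    it selects the output format and the meaning of ".".
    """
    if version >= (4, 0, 0):
        m = NEW_STYLE.search(line)
        return decode_flags(m.group(1), dot_means_ack=True) if m else None
    m = OLD_STYLE.search(line)
    if not m:
        return None
    flags = set(decode_flags(m.group(1), dot_means_ack=False))
    if re.search(r"\back \d+", line):   # 3.x: ACK is only visible as "ack <n>"
        flags.add("ACK")
    return frozenset(flags)
```

Feeding a 4.1.1 line to this with version (4, 1, 1) decodes "." as ACK, which is what the code of that release does even though its man page says otherwise.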