new version of tcpdump available

Van Jacobson van at helios.ee.lbl.gov
Sun Mar 4 02:31:07 AEST 1990


A new version of tcpdump is available for anonymous ftp from host
ftp.ee.lbl.gov (128.3.254.68), file tcpdump.tar.Z.  (This is a compressed
Unix tar file and must be ftped in *binary* mode.)  This version runs on
both Sun-3s and Sun-4s (including the Sparcstation-1) and under either Sun
OS3.x or 4.x.

Attached is a portion of the README file describing what has changed since
the last release.  Enjoy.

 - Van Jacobson, Steve McCanne, Craig Leres
   Lawrence Berkeley Laboratory

Sat Mar  3 04:45:39 PST 1990

This directory contains yet another beta release of the source for
tcpdump.  We are still in the middle of replacing the Sun NIT interface
with an enhanced version of the CMU/Stanford packet filter that was
distributed with 4.3bsd.  We hope that the next version of tcpdump will
run on any 4bsd system, not just Suns.  Our intent is to include the new
version with the 4.4bsd distribution.

Major changes from the June '89 release to this release are:

- Sparc architectures, including the Sparcstation-1, are now supported
  thanks to Steve McCanne and Craig Leres.

- SunOS 4.0 is now supported thanks to Micky Liu of Columbia University
  (micky at cunixc.cc.columbia.edu). To compile, you need to define SUNOS4.
  You will also need to replace the Sun supplied /sys/OBJ/nit_if.o with the
  appropriate version from this distribution's SUNOS4 subdirectory:
    nit_if.o.sun3   (any flavor of sun3)
    nit_if.o.sparc  (all Sun4's except for the Sparcstation-1)
    nit_if.o.sun4c  (Sparcstation-1)
  These nit
  replacements fix a bug that makes nit essentially unusable in Sun OS 4.
  In addition, our sun4c nit gives you timestamps to the resolution of the
  SS-1 clock (1 us) rather than the lousy 20ms timestamps Sun gives you
  (tcpdump will print out the full timestamp resolution if it finds it's
  running on a SS-1).

- IP options are now printed.

- RIP packets are now printed (RIP printing is partly thanks to code
  contributed by Ken Adelman of TGV).

- There's a -v flag that prints out more information than the default
  (e.g., it will enable printing of IP ttl, tos and id) and -q flag that
  prints out less (e.g., it will disable interpretation of
  Appletalk-in-UDP).

- The grammar has undergone substantial changes (if you have an earlier
  version of tcpdump, you should re-read the manual entry).  The syntax is
  more regular than the previous version and should be easier to learn and
  remember.

The most useful change is probably the replacement of the "byte" operator
by an arithmetic expression syntax that lets you filter on arbitrary
fields or values in the packet.  E.g., "ip[0] > 0x45" would print only
packets with IP options or ST packets, "tcp[13] & 3 != 0" would print only
TCP SYN and FIN packets.
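The two filters above test single header bytes, so their meaning is easy to check by hand. The following Python script is an added illustration (it is not part of the announcement, the README, or the tcpdump sources): it builds a few constructed IPv4/TCP packets, implements the `ip[n]` and `tcp[n]` byte accessors the way the README describes them (`tcp[n]` counts from the start of the TCP header, so the IP header length must be honoured), and evaluates `ip[0] > 0x45` and `tcp[13] & 3 != 0` over them. The tiny `evaluate()` helper accepts only the `proto[offset] [& mask] op value` shape used in the README; it is a simplified stand-in, not tcpdump's real expression parser.

```python
"""Added example: evaluate tcpdump-style byte filters over constructed packets.

Not from the original announcement or the tcpdump sources.  The packets are
constructed in this file, not captured traffic, and evaluate() handles only
the simple 'proto[offset] [& mask] op value' form shown in the README.
"""
import re
import struct


def build_ipv4_tcp(tcp_flags, ip_options=b"", version=4):
    """Return raw IPv4 + TCP header bytes (no link layer) for testing.

    ip_options must be a multiple of 4 bytes so the IHL field stays exact.
    version=5 mimics an ST packet, whose version nibble is 5.
    """
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    total_len = ihl * 4 + 20                  # IP header + 20-byte TCP header
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (version << 4) | ihl,   # ip[0]: version nibble, IHL nibble
                         0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, 1, 0,
                          5 << 4,               # data offset = 5 words, no TCP options
                          tcp_flags,            # tcp[13]: the TCP flag byte
                          8192, 0, 0)
    return ip_hdr + tcp_hdr


def ip_byte(pkt, offset):
    """tcpdump's ip[offset]: the byte at that offset into the IP header."""
    return pkt[offset]


def tcp_byte(pkt, offset):
    """tcpdump's tcp[offset]: relative to the TCP header, which starts after
    IHL*4 bytes of IP header (so packets with IP options still index right)."""
    ihl_bytes = (pkt[0] & 0x0F) * 4
    return pkt[ihl_bytes + offset]


def has_ip_options_or_st(pkt):
    """'ip[0] > 0x45': anything above 0x45 means IHL > 5 (IP options present)
    or version > 4 (e.g. an ST packet)."""
    return ip_byte(pkt, 0) > 0x45


def is_syn_or_fin(pkt):
    """'tcp[13] & 3 != 0': FIN is bit 0 and SYN is bit 1 of the flag byte."""
    return tcp_byte(pkt, 13) & 3 != 0


_EXPR = re.compile(r"^\s*(ip|tcp)\[(\d+)\]\s*(?:&\s*(\w+))?\s*(>=|<=|!=|==|=|>|<)\s*(\w+)\s*$")
_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, ">=": lambda a, b: a >= b,
        "<=": lambda a, b: a <= b, "!=": lambda a, b: a != b,
        "=": lambda a, b: a == b, "==": lambda a, b: a == b}


def evaluate(expr, pkt):
    """Evaluate one 'proto[offset] [& mask] op value' expression against pkt.
    Simplified subset of the README's syntax; numbers may be decimal or 0x hex."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError("unsupported filter expression: %r" % expr)
    proto, offset, mask, op, value = m.groups()
    byte = (ip_byte if proto == "ip" else tcp_byte)(pkt, int(offset))
    if mask is not None:
        byte &= int(mask, 0)
    return _OPS[op](byte, int(value, 0))


if __name__ == "__main__":
    # Constructed sample packets: plain ACK, SYN, FIN+ACK, ACK with IP options, ST-like.
    samples = {
        "ack": build_ipv4_tcp(0x10),
        "syn": build_ipv4_tcp(0x02),
        "fin-ack": build_ipv4_tcp(0x11),
        "ack+ipopts": build_ipv4_tcp(0x10, ip_options=b"\x01\x01\x01\x01"),  # four NOPs
        "st-like": build_ipv4_tcp(0x10, version=5),
    }
    for expr in ("ip[0] > 0x45", "tcp[13] & 3 != 0"):
        matched = [name for name, pkt in samples.items() if evaluate(expr, pkt)]
        print("%-18s matches: %s" % (expr, ", ".join(matched)))
```

Running the script prints, for each of the two README filters, which of the constructed packets it would select; the `ack+ipopts` packet is the interesting one, since `tcp[13]` only lands on the flag byte because `tcp_byte()` skips the full IHL-length IP header.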

The most painful change is that concatenation no longer means "and" --
e.g., you have to say "host foo and port bar" instead of "host foo port
bar".  The up side to this down is that repeated qualifiers can be
omitted, making most filter expressions shorter.  E.g., you can now say
"ip host foo and (bar or baz)" to look at ip traffic between hosts foo and
bar or between hosts foo and baz.  [The old way of saying this was "ip
host foo and (ip host bar or ip host baz)".]
