path: root/usr.sbin/tcpdump/tcpdump/tcpdump.1
Diffstat (limited to 'usr.sbin/tcpdump/tcpdump/tcpdump.1')
-rw-r--r-- usr.sbin/tcpdump/tcpdump/tcpdump.1 67
1 files changed, 45 insertions, 22 deletions
diff --git a/usr.sbin/tcpdump/tcpdump/tcpdump.1 b/usr.sbin/tcpdump/tcpdump/tcpdump.1
index 61f5727ef71c..5034bb1be529 100644
--- a/usr.sbin/tcpdump/tcpdump/tcpdump.1
+++ b/usr.sbin/tcpdump/tcpdump/tcpdump.1
@@ -30,7 +30,7 @@ tcpdump \- dump traffic on a network
.na
.B tcpdump
[
-.B \-AbdDefIKlLnNOpqRStuUvxX
+.B \-AbdDefhHIJKlLnNOpqRStuUvxX
] [
.B \-B
.I buffer_size
@@ -57,6 +57,10 @@ tcpdump \- dump traffic on a network
.I interface
]
[
+.B \-j
+.I tstamp_type
+]
+[
.B \-m
.I module
]
@@ -272,7 +276,7 @@ The default is \fBdes-cbc\fP.
The ability to decrypt packets is only present if \fItcpdump\fP was compiled
with cryptography enabled.
.IP
-\fIsecret\fP is the ASCII text for ESP secret key.
+\fIsecret\fP is the ASCII text for ESP secret key.
If preceded by 0x, then a hex value will be read.
.IP
The option assumes RFC2406 ESP, not RFC1827 ESP.
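Review bot: The removed and added `\fIsecret\fP is the ASCII text for ESP secret key.` lines read identically here, so this is a whitespace-only edit mixed into a commit that also changes documented behaviour (-Z, the TCP flag characters). Consider moving the whitespace cleanup into its own commit so the substantive wording changes are easier to review and to blame later.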
@@ -284,7 +288,7 @@ you make it visible to others, via
and other occasions.
.IP
In addition to the above syntax, the syntax \fIfile name\fP may be used
-to have tcpdump read the provided file in. The file is opened upon
+to have tcpdump read the provided file in. The file is opened upon
receiving the first ESP packet, so any special permissions that tcpdump
may have been given should already have been given up.
.TP
@@ -320,6 +324,13 @@ If used in conjunction with the
.B \-C
option, filenames will take the form of `\fIfile\fP<count>'.
.TP
+.B \-h
+Print the tcpdump and libpcap version strings, print a usage message,
+and exit.
+.TP
+.B \-H
+Attempt to detect 802.11s draft mesh headers.
+.TP
.B \-i
Listen on \fIinterface\fP.
If unspecified, \fItcpdump\fP searches the system interface list for the
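Review bot: The new -H entry, "Attempt to detect 802.11s draft mesh headers.", does not say which link-layer types it applies to or how the printed output changes when a mesh header is or is not detected. Since "attempt" implies the detection can be wrong, a second sentence describing the effect on decoding would tell the reader when the option is safe to leave on.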
@@ -360,6 +371,18 @@ monitor mode will be shown; if
is specified, only those link-layer types available when in monitor mode
will be shown.
.TP
+.B \-j
+Set the time stamp type for the capture to \fItstamp_type\fP. The names
+to use for the time stamp types are given in
+.BR pcap-tstamp-type (7);
+not all the types listed there will necessarily be valid for any given
+interface.
+.TP
+.B \-J
+List the supported time stamp types for the interface and exit. If the
+time stamp type cannot be set for the interface, no time stamp types are
+listed.
+.TP
.B \-K
Don't attempt to verify IP, TCP, or UDP checksums. This is useful for
interfaces that perform some or all of those checksum calculation in
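Review bot: The -j text says "not all the types listed there will necessarily be valid for any given interface" but never states what tcpdump does when given a \fItstamp_type\fP the interface does not support (exit with an error, or capture with the default type). That matters to anyone correlating capture timestamps with other logs, so please document the failure behaviour and point to -J as the way to check first. In the -J entry, "the interface" should also say that it means the one selected with -i, or the default interface if -i is not given.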
@@ -540,16 +563,16 @@ See
for a description of the file format.
.TP
.B \-W
-Used in conjunction with the
-.B \-C
+Used in conjunction with the
+.B \-C
option, this will limit the number
of files created to the specified number, and begin overwriting files
-from the beginning, thus creating a 'rotating' buffer.
+from the beginning, thus creating a 'rotating' buffer.
In addition, it will name
the files with enough leading 0s to support the maximum number of
files, allowing them to sort correctly.
.IP
-Used in conjunction with the
+Used in conjunction with the
.B \-G
option, this will limit the number of rotated dump files that get
created, exiting with status 0 when reaching the limit. If used with
@@ -559,7 +582,7 @@ as well, the behavior will result in cyclical files per timeslice.
.B \-x
When parsing and printing,
in addition to printing the headers of each packet, print the data of
-each packet (minus its link level header) in hex.
+each packet (minus its link level header) in hex.
The smaller of the entire packet or
.I snaplen
bytes will be printed. Note that this is the entire link-layer
@@ -616,7 +639,10 @@ savefile name as the only argument, make the flags & arguments arrangements
and execute the command that you want.
.TP
.B \-Z
-Drops privileges (if root) and changes user ID to
+If
+.I tcpdump
+is running as root, after opening the capture device or input savefile,
+but before opening any savefiles for output, change the user ID to
.I user
and the group ID to the primary group of
.IR user .
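Review bot: The rewritten -Z text now gives the ordering (after opening the capture device or input savefile, before opening any savefiles for output) but leaves the practical consequence unstated: output savefiles are created as \fIuser\fP, so the target directory has to be writable by that user. A sentence saying so would help, and a cross-reference to the -E file syntax would too, since that entry says its file "is opened upon receiving the first ESP packet" and so is also read after privileges have been given up.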
@@ -872,8 +898,8 @@ The general format of a tcp protocol line is:
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.
\fIFlags\fP are some combination of S (SYN),
-F (FIN), P (PUSH), R (RST), W (ECN CWR) or E (ECN-Echo), or a single
-`.' (no flags).
+F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or
+`.' (ACK), or `none' if no flags are set.
\fIData-seqno\fP describes the portion of sequence space covered
by the data in this packet (see example below).
\fIAck\fP is sequence number of the next data expected the other
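Review bot: The `.' character changes meaning here, from "(no flags)" in the removed lines to "(ACK)" in the added ones, with `none' newly introduced for the no-flags case. Anyone reading saved text output, or running scripts that match on the flags field, needs to know which meaning applies, so the page should state that this describes the current output format and, ideally, that older versions printed `.' for no flags.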
@@ -920,8 +946,7 @@ bytes and there was a max-segment-size option requesting an mss of
Csam replies with a similar packet except it includes a piggy-backed
ack for rtsg's SYN.
Rtsg then acks csam's SYN.
-The `.' means no
-flags were set.
+The `.' means the ACK flag was set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
number is a small integer (1).
@@ -1156,7 +1181,7 @@ tcp-push, tcp-act, tcp-urg.
.PP
This can be demonstrated as:
.RS
-.B
+.B
tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'
.RE
.PP
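Review bot: The only change in this hunk is whitespace on the `.B` line, but the section text quoted in the hunk header reads "tcp-push, tcp-act, tcp-urg", where "tcp-act" looks like a typo for "tcp-ack". Since this commit already fixes wording elsewhere in the page ("te fields" to "the fields"), it would be worth correcting that line as well so that readers copying the flag names into a filter expression get one that parses.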
@@ -1267,7 +1292,6 @@ RA, \fInot\fP set) and `|' (truncated message, TC, set).
If the
`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
is printed.
-
.HD
SMB/CIFS decoding
.LP
@@ -1275,19 +1299,18 @@ SMB/CIFS decoding
on UDP/137, UDP/138 and TCP/139.
Some primitive decoding of IPX and
NetBEUI SMB data is also done.
-
+.LP
By default a fairly minimal decode is done, with a much more detailed
decode done if -v is used.
Be warned that with -v a single SMB packet
may take up a page or more, so only use -v if you really want all the
gory details.
-
-For information on SMB packet formats and what all te fields mean see
+.LP
+For information on SMB packet formats and what all the fields mean see
www.cifs.org or the pub/samba/specs/ directory on your favorite
samba.org mirror site.
The SMB patches were written by Andrew Tridgell
(tridge@samba.org).
-
.HD
NFS Requests and Replies
.LP
@@ -1413,11 +1436,11 @@ not be useful to people who are not familiar with the workings of
AFS and RX.
.LP
If the -v (verbose) flag is given twice, acknowledgement packets and
-additional header information is printed, such as the RX call ID,
+additional header information is printed, such as the the RX call ID,
call number, sequence number, serial number, and the RX packet flags.
.LP
If the -v flag is given twice, additional information is printed,
-such as the RX call ID, serial number, and the RX packet flags.
+such as the the RX call ID, serial number, and the RX packet flags.
The MTU negotiation information is also printed from RX ack packets.
.LP
If the -v flag is given three times, the security index and service id
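Review bot: Both added lines introduce a doubled article, "such as the the RX call ID", where the removed lines had the correct "such as the RX call ID". This is a regression in two places in this hunk; please revert those two lines to the single "the". Separately, the two adjacent paragraphs both begin "If the -v flag is given twice" and describe overlapping output, which suggests one of them is a leftover and should be merged or dropped.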
@@ -1640,7 +1663,7 @@ Ethernet interface removed the packet from the wire and when the kernel
serviced the `new packet' interrupt.
.SH "SEE ALSO"
stty(1), pcap(3PCAP), bpf(4), nit(4P), pcap-savefile(5),
-pcap-filter(7)
+pcap-filter(7), pcap-tstamp-type(7)
.SH AUTHORS
The original authors are:
.LP