IT-Arts.net - User contributions [en]

DEBIAN - Post-Install Script

2026-03-27T13:11:46Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

<nowiki>
apt install -y tree strace vim screen unzip unrar-free p7zip-full nmap traceroute sysstat locate openssh-server htop iftop iotop tcpdump curl wget rsync dnsutils dnstop iputils-ping iputils-tracepath locales-all iproute2 net-tools mtr-tiny snmp whois apt-transport-https ca-certificates software-properties-common dirmngr util-linux</nowiki>

F5 BIG-IP - LTM Survival Guide

2026-03-20T11:34:50Z

Admin: /* Show VS Logs */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Choose Partition ==

=== TMSH Mode ===

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

=== Linux Mode ===

List the partitions with the command :

<nowiki>
tmsh -q -c 'cd /; list net route-domain recursive all'</nowiki>

Note the partition ID you need, then :

<nowiki>
rdsh <PARTITION_ID></nowiki>

== Show VS Config ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== Show Pool Config ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== Show Pool Statistics ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== Show SSL Profiles ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== Show VS Connections ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

* '''cs-client-addr''': The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-client-port''': The (client) source port on the clientside of the connection.
* '''cs-server-addr''': The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-server-port''': The (server) destination port on the clientside of the connection (i.e. the Virtual Server port).
* '''ss-client-addr''': The (client) source IP address on the serverside of the connection (i.e. the SNAT address).
* '''ss-client-port''': The (client) source port on the serverside of the connection (i.e. the SNAT port).
* '''ss-server-addr''': The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address).
* '''ss-server-port''': The (server) destination port on the serverside of the connection (i.e., the Pool Member port).

== Show VS Logs ==

In Linux mode use tail or cat/zcat command :

<nowiki>
tail /var/log/ltm | grep <VS_NAME>

cat /var/log/ltm /var/log/ltm.1 | grep <VS_NAME>

zcat /var/log/ltm*.gz | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== Show VS Statistics ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== Dump VS Traffic ==

Be sure to be in the good partition, and use the tcpdump command.
Eg :

<nowiki>
tcpdump -nni any src or dst 1.2.3.4 and src or dst 5.6.7.8</nowiki>

The backend servers ip/port can be tested with the telnet command.

== Usefull Links ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-03-20T11:34:39Z

Admin: /* Show VS Logs */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Choose Partition ==

=== TMSH Mode ===

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

=== Linux Mode ===

List the partitions with the command :

<nowiki>
tmsh -q -c 'cd /; list net route-domain recursive all'</nowiki>

Note the partition ID you need, then :

<nowiki>
rdsh <PARTITION_ID></nowiki>

== Show VS Config ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== Show Pool Config ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== Show Pool Statistics ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== Show SSL Profiles ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== Show VS Connections ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

* '''cs-client-addr''': The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-client-port''': The (client) source port on the clientside of the connection.
* '''cs-server-addr''': The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-server-port''': The (server) destination port on the clientside of the connection (i.e. the Virtual Server port).
* '''ss-client-addr''': The (client) source IP address on the serverside of the connection (i.e. the SNAT address).
* '''ss-client-port''': The (client) source port on the serverside of the connection (i.e. the SNAT port).
* '''ss-server-addr''': The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address).
* '''ss-server-port''': The (server) destination port on the serverside of the connection (i.e., the Pool Member port).

== Show VS Logs ==

In Linux mode use tail or cat/zcat command :

<nowiki>
tail /var/log/ltm | grep <VS_NAME>

cat /var/log/ltm /var/log/ltm.1 | grep <VS_NAME>

zcat /var/log/ltm*.gz | grep <VS_NAME>

</nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== Show VS Statistics ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== Dump VS Traffic ==

Be sure to be in the good partition, and use the tcpdump command.
Eg :

<nowiki>
tcpdump -nni any src or dst 1.2.3.4 and src or dst 5.6.7.8</nowiki>

The backend servers ip/port can be tested with the telnet command.

== Usefull Links ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-03-20T11:31:44Z

Admin: /* Dump VS Traffic */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Choose Partition ==

=== TMSH Mode ===

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

=== Linux Mode ===

List the partitions with the command :

<nowiki>
tmsh -q -c 'cd /; list net route-domain recursive all'</nowiki>

Note the partition ID you need, then :

<nowiki>
rdsh <PARTITION_ID></nowiki>

== Show VS Config ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== Show Pool Config ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== Show Pool Statistics ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== Show SSL Profiles ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== Show VS Connections ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

* '''cs-client-addr''': The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-client-port''': The (client) source port on the clientside of the connection.
* '''cs-server-addr''': The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-server-port''': The (server) destination port on the clientside of the connection (i.e. the Virtual Server port).
* '''ss-client-addr''': The (client) source IP address on the serverside of the connection (i.e. the SNAT address).
* '''ss-client-port''': The (client) source port on the serverside of the connection (i.e. the SNAT port).
* '''ss-server-addr''': The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address).
* '''ss-server-port''': The (server) destination port on the serverside of the connection (i.e., the Pool Member port).

== Show VS Logs ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== Show VS Statistics ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== Dump VS Traffic ==

Be sure to be in the good partition, and use the tcpdump command.
Eg :

<nowiki>
tcpdump -nni any src or dst 1.2.3.4 and src or dst 5.6.7.8</nowiki>

The backend servers ip/port can be tested with the telnet command.

== Usefull Links ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-03-20T11:30:28Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Choose Partition ==

=== TMSH Mode ===

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

=== Linux Mode ===

List the partitions with the command :

<nowiki>
tmsh -q -c 'cd /; list net route-domain recursive all'</nowiki>

Note the partition ID you need, then :

<nowiki>
rdsh <PARTITION_ID></nowiki>

== Show VS Config ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== Show Pool Config ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== Show Pool Statistics ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== Show SSL Profiles ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== Show VS Connections ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

* '''cs-client-addr''': The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-client-port''': The (client) source port on the clientside of the connection.
* '''cs-server-addr''': The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-server-port''': The (server) destination port on the clientside of the connection (i.e. the Virtual Server port).
* '''ss-client-addr''': The (client) source IP address on the serverside of the connection (i.e. the SNAT address).
* '''ss-client-port''': The (client) source port on the serverside of the connection (i.e. the SNAT port).
* '''ss-server-addr''': The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address).
* '''ss-server-port''': The (server) destination port on the serverside of the connection (i.e., the Pool Member port).

== Show VS Logs ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== Show VS Statistics ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== Dump VS Traffic ==

Be sure to be in the good partition, and use the tcpdump command.
Eg :

<nowiki>
tcpdump -nni any src or dst 1.2.3.4 and src or dst 5.6.7.8
</nowiki>

The backend servers ip/port can be tested with the telnet command.

== Usefull Links ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CURL - Manpage

2026-02-25T12:43:16Z

Admin: /* Force to Connect to a given Host */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Examples ==

=== Force to Connect to a given Host ===

Connect to host2 instead of host1 :
<nowiki>
curl https://domain.example --connect-to domain.example:443:203.0.113.81:443</nowiki>

=== Get the HTTP Headers of a URL ===

<nowiki>
curl -I --http2 https://<URL></nowiki>

=== Follow Redirects ===

<nowiki>
curl -L <URL></nowiki>

=== Testing The Download Time ===

<nowiki>
curl -D - https://www.ubuntu.com -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Mon, 21 Jul 2025 10:04:33 GMT
content-type: text/html
content-length: 162
location: https://ubuntu.com/
strict-transport-security: max-age=15724800
link: <https://assets.ubuntu.com>; rel=preconnect; crossorigin, <https://assets.ubuntu.com>; rel=preconnect, <https://res.cloudinary.com>; rel=preconnect
x-cache-status: HIT from content-cache-il3/1

100 162 100 162 0 0 367 0 --:--:-- --:--:-- --:--:-- 368</nowiki>

=== Recording Cookies ===

<nowiki>
curl --cookie-jar received_cookies.txt https://URL -O</nowiki>

== curl --help all ==

<nowiki>
curl --help all
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--alt-svc <filename> Enable alt-svc with this cache file
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--aws-sigv4 <provider1[:prvdr2[:reg[:srv]]]> AWS V4 signature auth
--basic HTTP Basic Authentication
--ca-native Load CA certs from the OS
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify server cert status OCSP-staple
--cert-type <type> Certificate type (DER/PEM/ENG/PROV/P12)
--ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed to connect
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host2 instead of host1
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data|filename> Send cookies from string/load from file
-c, --cookie-jar <filename> Save cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--create-file-mode <mode> File mode for created files
--crlf Convert LF to CRLF in upload
--crlfile <file> Certificate Revocation list
--curves <list> (EC) TLS key exchange algorithms to request
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data URL encoded
--delegation <LEVEL> GSS-API delegation permission
--digest HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--disallow-username-in-url Disallow username in URL
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
--doh-cert-status Verify DoH server cert status OCSP-staple
--doh-insecure Allow insecure DoH server connections
--doh-url <URL> Resolve hostnames over DoH
--dump-ca-embed Write the embedded CA bundle to standard output
-D, --dump-header <filename> Write the received headers to <filename>
--ech <config> Configure ECH
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--etag-compare <file> Load ETag from file
--etag-save <file> Parse incoming ETag and save to a file
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail fast with no output on HTTP errors
--fail-early Fail on first transfer error
--fail-with-body Fail on HTTP errors but save the body
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-escape Escape form fields using backslash
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Send PASV/EPSV instead of PORT
-P, --ftp-port <address> Send PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require TLS for login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL globbing with {} and []
--happy-eyeballs-timeout-ms <ms> Time for IPv6 before IPv4
--haproxy-clientip <ip> Set address in HAProxy PROXY
--haproxy-protocol Send HAProxy PROXY protocol v1 header
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help <subject> Get help for commands
--hostpubmd5 <md5> Acceptable MD5 hash of host public key
--hostpubsha256 <sha256> Acceptable SHA256 hash of host public key
--hsts <filename> Enable HSTS with this cache file
--http0.9 Allow HTTP/0.9 responses
-0, --http1.0 Use HTTP/1.0
--http1.1 Use HTTP/1.1
--http2 Use HTTP/2
--http2-prior-knowledge Use HTTP/2 without HTTP/1.1 Upgrade
--http3 Use HTTP/3
--http3-only Use HTTP/3 only
--ignore-content-length Ignore the size of the remote resource
-k, --insecure Allow insecure server connections
--interface <name> Use network interface
--ip-tos <string> Set IP Type of Service or Traffic Class
--ipfs-gateway <URL> Gateway for IPFS
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
--json <data> HTTP POST JSON
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-cnt <integer> Maximum number of keepalive probes
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key filename
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Generate libcurl code for this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <range> Use a local port number within RANGE
-L, --location Follow redirects
--location-trusted As --location, but send secrets to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail to this address
--mail-rcpt-allowfails Allow RCPT TO command to fail
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <seconds> Maximum time allowed for transfer
--metalink Process given URLs as metalink XML file
--mptcp Enable Multipath TCP
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for username and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use separate options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-clobber Do not overwrite files that already exist
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-progress-meter Do not show the progress meter
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm HTTP NTLM authentication
--ntlm-wb HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--output-dir <dir> Directory to save files in
-Z, --parallel Perform transfers in parallel
--parallel-immediate Do not wait for multiplexing
--parallel-max <num> Maximum concurrency for parallel transfers
--pass <phrase> Passphrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> Public key to verify peer against
--post301 Do not switch to GET after a 301 redirect
--post302 Do not switch to GET after a 302 redirect
--post303 Do not switch to GET after a 303 redirect
--preproxy <[protocol://]host[:port]> Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy <[protocol://]host[:port]> Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-ca-native Load CA certs from the OS to verify proxy
--proxy-cacert <file> CA certificates to verify proxy against
--proxy-capath <dir> CA directory to verify proxy against
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTPS proxy
--proxy-ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Digest auth with the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-http2 Use HTTP/2 with HTTPS proxy
--proxy-insecure Skip HTTPS proxy cert verification
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate HTTP Negotiate (SPNEGO) auth with the proxy
--proxy-ntlm NTLM authentication with the proxy
--proxy-pass <phrase> Passphrase for private key for HTTPS proxy
--proxy-pinnedpubkey <hashes> FILE/HASHES public key to verify proxy with
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow this security flaw for HTTPS proxy
--proxy-ssl-auto-client-cert Auto client certificate for proxy
--proxy-tls13-ciphers <list> TLS 1.3 proxy cipher suites
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key filename
-Q, --quote <command> Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--rate <max request rate> Request rate for serial transfers
--raw Do HTTP raw; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to file named as remote file
--remote-name-all Use the remote filename for all URLs
-R, --remote-time Set remote file's time on local output
--remove-on-error Remove output file on errors
-X, --request <method> Specify request method to use
--request-target <path> Specify the target for this request
--resolve <[+]host:port:addr[,addr]...> Resolve host+port to address
--retry <num> Retry request if transient problems occur
--retry-all-errors Retry all errors (with --retry)
--retry-connrefused Retry on connection refused (with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-authzid <identity> Identity for SASL PLAIN authentication
--sasl-ir Initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-i, --show-headers Show response headers in output
--sigalgs <list> TLS signature algorithms to use
-s, --silent Silent mode
--skip-existing Skip download if local file already exists
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass hostname to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try enabling TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-auto-client-cert Use auto client certificate (Schannel)
--ssl-no-revoke Disable cert revocation checks (Schannel)
--ssl-reqd Require SSL/TLS
--ssl-revoke-best-effort Ignore missing cert CRL dist points
--ssl-sessions <filename> Load/save SSL session tickets from/to this file
-2, --sslv2 SSLv2
-3, --sslv3 SSLv3
--stderr <file> Where to redirect stderr
--styled-output Enable styled output for HTTP headers
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Set TCP_NODELAY
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-earlydata Allow use of TLSv1.3 early data (0RTT)
--tls-max <VERSION> Maximum allowed TLS version
--tls13-ciphers <list> TLS 1.3 cipher suites to use
--tlsauthtype <type> TLS authentication type
--tlspassword <string> TLS password
--tlsuser <name> TLS username
-1, --tlsv1 TLSv1.0 or greater
--tlsv1.0 TLSv1.0 or greater
--tlsv1.1 TLSv1.1 or greater
--tlsv1.2 TLSv1.2 or greater
--tlsv1.3 TLSv1.3 or greater
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-config <string> Details to log in trace/verbose output
--trace-ids Transfer + connection ids in verbose output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--upload-flags <flags> IMAP upload behavior
--url <url/file> URL(s) to work with
--url-query <data> Add a URL query part
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
--variable <[%]name=text/@file> Set variable
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
--vlan-priority <priority> Set VLAN priority
-w, --write-out <format> Output FORMAT after completion
--xattr Store metadata in extended file attributes</nowiki>

== Manpage ==

<nowiki>
curl(1) curl Manual curl(1)

NAME
curl - transfer a URL

SYNOPSIS
curl [options / URLs]

DESCRIPTION
curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS,
RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. The command is designed to work without user interaction.

curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume and more. As you will see below, the number of
features will make your head spin.

curl is powered by libcurl for all transfer-related features. See libcurl(3) for details.

URL
The URL syntax is protocol-dependent. You find a detailed description in RFC 3986.

You can specify multiple URLs or parts of URLs by writing part sets within braces and quoting the URL as in:

"http://site.{one,two,three}.com"

or you can get sequences of alphanumeric series by using [] as in:

"ftp://ftp.example.com/file[1-100].txt"

"ftp://ftp.example.com/file[001-100].txt" (with leading zeros)

"ftp://ftp.example.com/file[a-z].txt"

Nested sequences are not supported, but you can use several ones next to each other:

"http://example.com/archive[1996-1999]/vol[1-4]/part{a,b,c}.html"

You can specify any amount of URLs on the command line. They will be fetched in a sequential manner in the specified order. You can specify command line options and URLs mixed and in any order on
the command line.

You can specify a step counter for the ranges to get every Nth number or letter:

"http://example.com/file[1-100:10].txt"

"http://example.com/file[a-z:2].txt"

When using [] or {} sequences when invoked from a command line prompt, you probably have to put the full URL within double quotes to avoid the shell from interfering with it. This also goes for
other characters treated special, like for example '&', '?' and '*'.

Provide the IPv6 zone index in the URL with an escaped percentage sign and the interface name. Like in

"http://[fe80::3%25eth0]/"

If you specify URL without protocol:// prefix, curl will attempt to guess what protocol you might want. It will then default to HTTP but try other protocols based on often-used host name prefixes.
For example, for host names starting with "ftp." curl will assume you want to speak FTP.

curl will do its best to use what you pass to it as a URL. It is not trying to validate it as a syntactically correct URL by any means but is fairly liberal with what it accepts.

curl will attempt to re-use connections for multiple file transfers, so that getting many files from the same server will not do multiple connects / handshakes. This improves speed. Of course this
is only done on files specified on a single command line and cannot be used between separate curl invocations.

OUTPUT
If not told otherwise, curl writes the received data to stdout. It can be instructed to instead save that data into a local file, using the -o, --output or -O, --remote-name options. If curl is
given multiple URLs to transfer on the command line, it similarly needs multiple options for where to save them.

curl does not parse or otherwise "understand" the content it gets or writes as output. It does no encoding or decoding, unless explicitly asked to with dedicated command line options.

PROTOCOLS
curl supports numerous protocols, or put in URL terms: schemes. Your particular build may not support them all.

DICT Lets you lookup words using online dictionaries.

FILE Read or write local files. curl does not support accessing file:// URL remotely, but when running on Microsoft Windows using the native UNC approach will work.

FTP(S) curl supports the File Transfer Protocol with a lot of tweaks and levers. With or without using TLS.

GOPHER(S)
Retrieve files.

HTTP(S)
curl supports HTTP with numerous options and variations. It can speak HTTP version 0.9, 1.0, 1.1, 2 and 3 depending on build options and the correct command line options.

IMAP(S)
Using the mail reading protocol, curl can "download" emails for you. With or without using TLS.

LDAP(S)
curl can do directory lookups for you, with or without TLS.

MQTT curl supports MQTT version 3. Downloading over MQTT equals "subscribe" to a topic while uploading/posting equals "publish" on a topic. MQTT over TLS is not supported (yet).

POP3(S)
Downloading from a pop3 server means getting a mail. With or without using TLS.

RTMP(S)
The Realtime Messaging Protocol is primarily used to server streaming media and curl can download it.

RTSP curl supports RTSP 1.0 downloads.

SCP curl supports SSH version 2 scp transfers.

SFTP curl supports SFTP (draft 5) done over SSH version 2.

SMB(S) curl supports SMB version 1 for upload and download.

SMTP(S)
Uploading contents to an SMTP server means sending an email. With or without TLS.

TELNET Telling curl to fetch a telnet URL starts an interactive session where it sends what it reads on stdin and outputs what the server sends it.

TFTP curl can do TFTP downloads and uploads.

PROGRESS METER
curl normally displays a progress meter during operations, indicating the amount of transferred data, transfer speeds and estimated time left, etc. The progress meter displays the transfer rate in
bytes per second. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024 bytes. 1M is 1048576 bytes.

curl displays this data to the terminal by default, so if you invoke curl to do an operation and it is about to write data to the terminal, it disables the progress meter as otherwise it would mess
up the output mixing progress meter and response data.

If you want a progress meter for HTTP POST or PUT requests, you need to redirect the response output to a file, using shell redirect (>), -o, --output or similar.

This does not apply to FTP upload as that operation does not spit out any response data to the terminal.

If you prefer a progress "bar" instead of the regular meter, -#, --progress-bar is your friend. You can also disable the progress meter completely with the -s, --silent option.

OPTIONS
Options start with one or two dashes. Many of the options require an additional value next to them.

The short "single-dash" form of the options, -d for example, may be used with or without a space between it and its value, although a space is a recommended separator. The long "double-dash" form,
-d, --data for example, requires a space between it and its value.

Short version options that do not need any additional values can be used immediately next to each other, like for example you can specify all the options -O, -L and -v at once as -OLv.

In general, all boolean options are enabled with --option and yet again disabled with --no-option. That is, you use the same option name but prefix it with "no-". However, in this list we mostly
only list and show the --option version of them.

--abstract-unix-socket <path>
(HTTP) Connect through an abstract Unix domain socket, instead of using the network. Note: netstat shows the path of an abstract socket prefixed with '@', however the <path> argument should
not have this leading character.

If --abstract-unix-socket is provided several times, the last set value will be used.

Example:
curl --abstract-unix-socket socketpath https://example.com

See also --unix-socket. Added in 7.53.0.

--alt-svc <file name>
(HTTPS) This option enables the alt-svc parser in curl. If the file name points to an existing alt-svc cache file, that will be used. After a completed transfer, the cache will be saved to
the file name again if it has been modified.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle the cache in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--alt-svc can be used several times in a command line

Example:
curl --alt-svc svc.txt https://example.com

See also --resolve and --connect-to. Added in 7.64.1.

--anyauth
(HTTP) Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support. This is done by first doing a request and checking the re‐
sponse-headers, thus possibly inducing an extra network round-trip. This is used instead of setting a specific authentication method, which you can do with --basic, --digest, --ntlm, and
--negotiate.

Using --anyauth is not recommended if you do uploads from stdin, since it may require data to be sent twice and then the client must be able to rewind. If the need should arise when uploading
from stdin, the upload operation will fail.

Used together with -u, --user.

Providing --anyauth multiple times has no extra effect.

Example:
curl --anyauth --user me:pwd https://example.com

See also --proxy-anyauth, --basic and --digest.

-a, --append
(FTP SFTP) When used in an upload, this makes curl append to the target file instead of overwriting it. If the remote file does not exist, it will be created. Note that this flag is ignored
by some SFTP servers (including OpenSSH).

Providing -a, --append multiple times has no extra effect. Disable it again with --no-append.

Example:
curl --upload-file local --append ftp://example.com/

See also -r, --range and -C, --continue-at.

--aws-sigv4 <provider1[:provider2[:region[:service]]]>
Use AWS V4 signature authentication in the transfer.

The provider argument is a string that is used by the algorithm when creating outgoing authentication headers.

The region argument is a string that points to a geographic area of a resources collection (region-code) when the region name is omitted from the endpoint.

The service argument is a string that points to a function provided by a cloud (service-code) when the service name is omitted from the endpoint.

If --aws-sigv4 is provided several times, the last set value will be used.

Example:
curl --aws-sigv4 "aws:amz:east-2:es" --user "key:secret" https://example.com

See also --basic and -u, --user. Added in 7.75.0.

--basic
(HTTP) Tells curl to use HTTP Basic authentication with the remote host. This is the default and this option is usually pointless, unless you use it to override a previously set option that
sets a different authentication method (such as --ntlm, --digest, or --negotiate).

Used together with -u, --user.

Providing --basic multiple times has no extra effect.

Example:
curl -u name:password --basic https://example.com

See also --proxy-basic.

--cacert <file>
(TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to
use a default file for this, so this option is typically used to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.

The windows version of curl will automatically look for a CA certs file named 'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the Current Working Directory, or in any
folder along your PATH.

If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.

(iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not
set, then curl will use the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

(Schannel only) This option is supported for Schannel in Windows 7 or later with libcurl 7.60 or later. This option is supported for backward compatibility with other SSL engines; instead it
is recommended to use Windows' store of root certificates (the default for Schannel).

If --cacert is provided several times, the last set value will be used.

Example:
curl --cacert CA-file.txt https://example.com

See also --capath and -k, --insecure.

--capath <dir>
(TLS) Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with ":" (e.g. "path1:path2:path3"). The certificates must
be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl
to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.

If this option is set, the default capath value will be ignored.

If --capath is provided several times, the last set value will be used.

Example:
curl --capath /local/directory https://example.com

See also --cacert and -k, --insecure.

--cert-status
(TLS) Tells curl to verify the status of the server certificate by using the Certificate Status Request (aka. OCSP stapling) TLS extension.

If this option is enabled and the server sends an invalid (e.g. expired) response, if the response suggests that the server certificate has been revoked, or no response at all is received,
the verification fails.

This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.

Providing --cert-status multiple times has no extra effect. Disable it again with --no-cert-status.

Example:
curl --cert-status https://example.com

See also --pinnedpubkey. Added in 7.41.0.

--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types.

The default type depends on the TLS backend and is usually PEM, however for Secure Transport and Schannel it is P12. If -E, --cert is a pkcs11: URI then ENG is the default type.

If --cert-type is provided several times, the last set value will be used.

Example:
curl --cert-type PEM --cert file https://example.com

See also -E, --cert, --key and --key-type.

-E, --cert <certificate[:password]>
(TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure
Transport, or PEM format if using any other engine. If the optional password is not specified, it will be queried for on the terminal. Note that this option assumes a certificate file that is
the private key and the client certificate concatenated. See -E, --cert and --key to specify them independently.

In the <certificate> portion of the argument, you must escape the character ":" as "\:" so that it is not recognized as the password delimiter. Similarly, you must escape the character "\" as
"\\" so that it is not recognized as an escape character.

If curl is built against the NSS SSL library then this option can tell curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by
default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.

If you provide a path relative to the current directory, you must prefix the path with "./" in order to avoid confusion with an NSS database nickname.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --cert-type option will
be set as "ENG" if none was provided.

(iOS and macOS only) If curl is built against Secure Transport, then the certificate string can either be the name of a certificate/private key in the system or user keychain, or the path to
a PKCS#12-encoded certificate and private key. If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname.

(Schannel only) Client certificates must be specified by a path expression to a certificate store. (Loading PFX is not supported; you can import it to a store first). You can use "<store lo‐
cation>\<store name>\<thumbprint>" to refer to a certificate in the system certificates store, for example, "CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is usually a
SHA-1 hex string which you can see in certificate details. Following store locations are supported: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachine‐
GroupPolicy, LocalMachineEnterprise.

If -E, --cert is provided several times, the last set value will be used.

Example:
curl --cert certfile --key keyfile https://example.com

See also --cert-type, --key and --key-type.

--ciphers <list of ciphers>
(TLS) Specifies which ciphers to use in the connection. The list of ciphers must specify valid ciphers. Read up on SSL cipher list details on this URL:

https://curl.se/docs/ssl-ciphers.html

If --ciphers is provided several times, the last set value will be used.

Example:
curl --ciphers ECDHE-ECDSA-AES256-CCM8 https://example.com

See also --tlsv1.3.

--compressed-ssh
(SCP SFTP) Enables built-in SSH compression. This is a request, not an order; the server may or may not do it.

Providing --compressed-ssh multiple times has no extra effect. Disable it again with --no-compressed-ssh.

Example:
curl --compressed-ssh sftp://example.com/

See also --compressed. Added in 7.56.0.

--compressed
(HTTP) Request a compressed response using one of the algorithms curl supports, and automatically decompress the content. Headers are not modified.

If this option is used and the server sends an unsupported encoding, curl will report an error. This is a request, not an order; the server may or may not deliver data compressed.

Providing --compressed multiple times has no extra effect. Disable it again with --no-compressed.

Example:
curl --compressed https://example.com

See also --compressed-ssh.

-K, --config <file>
Specify a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line.

Options and their parameters must be specified on the same line in the file, separated by whitespace, colon, or the equals sign. Long option names can optionally be given in the config file
without the initial double dashes and if so, the colon or equals characters can be used as separators. If the option is specified with one or two dashes, there can be no colon or equals char‐
acter between the option and its parameter.

If the parameter contains whitespace (or starts with : or =), the parameter must be enclosed within quotes. Within double quotes, the following escape sequences are available: \\, \", \t, \n,
\r and \v. A backslash preceding any other letter is ignored.

If the first column of a config line is a '#' character, the rest of the line will be treated as a comment.

Only write one option per physical line in the config file.

Specify the filename to -K, --config as '-' to make curl read the file from stdin.

Note that to be able to specify a URL in the config file, you need to specify it using the --url option, and not by simply writing the URL on its own line. So, it could look similar to this:

url = "https://curl.se/docs/"

# --- Example file ---
# this is a comment
url = "example.com"
output = "curlhere.html"
user-agent = "superagent/1.0"

# and fetch another URL too
url = "example.com/docs/manpage.html"
-O
referer = "http://nowhereatall.example.com/"
# --- End of example file ---

When curl is invoked, it (unless -q, --disable is used) checks for a default config file and uses it if found, even when -K, --config is used. The default config file is checked for in the
following places in this order:

1) "$CURL_HOME/.curlrc"

2) "$XDG_CONFIG_HOME/.curlrc" (Added in 7.73.0)

3) "$HOME/.curlrc"

4) Windows: "%USERPROFILE%\.curlrc"

5) Windows: "%APPDATA%\.curlrc"

6) Windows: "%USERPROFILE%\Application Data\.curlrc"

7) Non-Windows: use getpwuid to find the home directory

8) On Windows, if it finds no .curlrc file in the sequence described above, it checks for one in the same dir the curl executable is placed.

On Windows two filenames are checked per location: .curlrc and _curlrc, preferring the former. Older versions on Windows checked for _curlrc only.

-K, --config can be used several times in a command line

Example:
curl --config file.txt https://example.com

See also -q, --disable.

--connect-timeout <fractional seconds>
Maximum time in seconds that you allow curl's connection to take. This only limits the connection phase, so if curl connects within the given period it will continue - if not it will exit.
Since version 7.32.0, this option accepts decimal values.

The "connection phase" is considered complete when the requested TCP, TLS or QUIC handshakes are done.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --connect-timeout is provided several times, the last set value will be used.

Examples:
curl --connect-timeout 20 https://example.com
curl --connect-timeout 3.14 https://example.com

See also -m, --max-time.

--connect-to <HOST1:PORT1:HOST2:PORT2>

For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead. This option is suitable to direct requests at a specific server, e.g. at a specific cluster node in a cluster of
servers. This option is only used to establish the network connection. It does NOT affect the hostname/port that is used for TLS/SSL (e.g. SNI, certificate verification) or for the applica‐
tion protocols. "HOST1" and "PORT1" may be the empty string, meaning "any host/port". "HOST2" and "PORT2" may also be the empty string, meaning "use the request's original host/port".

A "host" specified to this option is compared as a string, so it needs to match the name used in request URL. It can be either numerical such as "127.0.0.1" or the full host name such as "ex‐
ample.org".

--connect-to can be used several times in a command line

Example:
curl --connect-to example.com:443:example.net:8443 https://example.com

See also --resolve and -H, --header. Added in 7.49.0.

-C, --continue-at <offset>
Continue/Resume a previous file transfer at the given offset. The given offset is the exact number of bytes that will be skipped, counting from the beginning of the source file before it is
transferred to the destination. If used with uploads, the FTP server command SIZE will not be used by curl.

Use "-C -" to tell curl to automatically find out where/how to resume the transfer. It then uses the given output/input files to figure that out.

If -C, --continue-at is provided several times, the last set value will be used.

Examples:
curl -C - https://example.com
curl -C 400 https://example.com

See also -r, --range.

-c, --cookie-jar <filename>
(HTTP) Specify to which file you want curl to write all cookies after a completed operation. Curl writes all cookies from its in-memory cookie storage to the given file at the end of opera‐
tions. If no cookies are known, no data will be written. The file will be written using the Netscape cookie file format. If you set the file name to a single dash, "-", the cookies will be
written to stdout.

This command line option will activate the cookie engine that makes curl record and use cookies. Another way to activate it is to use the -b, --cookie option.

If the cookie jar cannot be created or written to, the whole curl operation will not fail or even report an error clearly. Using -v, --verbose will get a warning displayed, but that is the
only visible feedback you get about this possibly lethal situation.

If -c, --cookie-jar is provided several times, the last set value will be used.

Examples:
curl -c store-here.txt https://example.com
curl -c store-here.txt -b read-these https://example.com

See also -b, --cookie.

-b, --cookie <data|filename>
(HTTP) Pass the data to the HTTP server in the Cookie header. It is supposedly the data previously received from the server in a "Set-Cookie:" line. The data should be in the format
"NAME1=VALUE1; NAME2=VALUE2". This makes curl use the cookie header with this content explicitly in all outgoing request(s). If multiple requests are done due to authentication, followed
redirects or similar, they will all get this cookie passed on.

If no '=' symbol is used in the argument, it is instead treated as a filename to read previously stored cookie from. This option also activates the cookie engine which will make curl record
incoming cookies, which may be handy if you are using this in combination with the -L, --location option or do multiple URL transfers on the same invoke. If the file name is exactly a minus
("-"), curl will instead read the contents from stdin.

The file format of the file to read cookies from should be plain HTTP headers (Set-Cookie style) or the Netscape/Mozilla cookie file format.

The file specified with -b, --cookie is only used as input. No cookies will be written to the file. To store cookies, use the -c, --cookie-jar option.

If you use the Set-Cookie file format and do not specify a domain then the cookie is not sent since the domain will never match. To address this, set a domain in Set-Cookie line (doing that
will include sub-domains) or preferably: use the Netscape format.

Users often want to both read cookies from a file and write updated cookies back to a file, so using both -b, --cookie and -c, --cookie-jar in the same command line is common.

-b, --cookie can be used several times in a command line

Examples:
curl -b cookiefile https://example.com
curl -b cookiefile -c cookiefile https://example.com

See also -c, --cookie-jar and -j, --junk-session-cookies.

--create-dirs
When used in conjunction with the -o, --output option, curl will create the necessary local directory hierarchy as needed. This option creates the directories mentioned with the -o, --output
option, nothing else. If the -o, --output file name uses no directory, or if the directories it mentions already exist, no directories will be created.

Created dirs are made with mode 0750 on unix style file systems.

To create remote directories when using FTP or SFTP, try --ftp-create-dirs.

Providing --create-dirs multiple times has no extra effect. Disable it again with --no-create-dirs.

Example:
curl --create-dirs --output local/dir/file https://example.com

See also --ftp-create-dirs and --output-dir.

--create-file-mode <mode>
(SFTP SCP FILE) When curl is used to create files remotely using one of the supported protocols, this option allows the user to set which 'mode' to set on the file at creation time, instead
of the default 0644.

This option takes an octal number as argument.

If --create-file-mode is provided several times, the last set value will be used.

Example:
curl --create-file-mode 0777 -T localfile sftp://example.com/new

See also --ftp-create-dirs. Added in 7.75.0.

--crlf (FTP SMTP) Convert LF to CRLF in upload. Useful for MVS (OS/390).

(SMTP added in 7.40.0)

Providing --crlf multiple times has no extra effect. Disable it again with --no-crlf.

Example:
curl --crlf -T file ftp://example.com/

See also -B, --use-ascii.

--crlfile <file>
(TLS) Provide a file using PEM format with a Certificate Revocation List that may specify peer certificates that are to be considered revoked.

If --crlfile is provided several times, the last set value will be used.

Example:
curl --crlfile rejects.txt https://example.com

See also --cacert and --capath.

--curves <algorithm list>
(TLS) Tells curl to request specific curves to use during SSL session establishment according to RFC 8422, 5.1. Multiple algorithms can be provided by separating them with ":" (e.g.
"X25519:P-521"). The parameter is available identically in the "openssl s_client/s_server" utilities.

--curves allows a OpenSSL powered curl to make SSL-connections with exactly the (EC) curve requested by the client, avoiding nontransparent client/server negotiations.

If this option is set, the default curves list built into openssl will be ignored.

If --curves is provided several times, the last set value will be used.

Example:
curl --curves X25519 https://example.com

See also --ciphers. Added in 7.73.0.

--data-ascii <data>
(HTTP) This is just an alias for -d, --data.

--data-ascii can be used several times in a command line

Example:
curl --data-ascii @file https://example.com

See also --data-binary, --data-raw and --data-urlencode.

--data-binary <data>
(HTTP) This posts data exactly as specified with no extra processing whatsoever.

If you start the data with the letter @, the rest should be a filename. Data is posted in a similar manner as -d, --data does, except that newlines and carriage returns are preserved and con‐
versions are never done.

Like -d, --data the default content-type sent to the server is application/x-www-form-urlencoded. If you want the data to be treated as arbitrary binary data by the server then set the con‐
tent-type to octet-stream: -H "Content-Type: application/octet-stream".

If this option is used several times, the ones following the first will append data as described in -d, --data.

--data-binary can be used several times in a command line

Example:
curl --data-binary @filename https://example.com

See also --data-ascii.

--data-raw <data>
(HTTP) This posts data similarly to -d, --data but without the special interpretation of the @ character.

--data-raw can be used several times in a command line

Examples:
curl --data-raw "hello" https://example.com
curl --data-raw "@at@at@" https://example.com

See also -d, --data. Added in 7.43.0.

--data-urlencode <data>
(HTTP) This posts data, similar to the other -d, --data options with the exception that this performs URL-encoding.

To be CGI-compliant, the <data> part should begin with a name followed by a separator and a content specification. The <data> part can be passed to curl using one of the following syntaxes:

content
This will make curl URL-encode the content and pass that on. Just be careful so that the content does not contain any = or @ symbols, as that will then make the syntax match one of the
other cases below!

=content
This will make curl URL-encode the content and pass that on. The preceding = symbol is not included in the data.

name=content
This will make curl URL-encode the content part and pass that on. Note that the name part is expected to be URL-encoded already.

@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST.

name@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST. The name part gets an equal sign appended, resulting in
name=urlencoded-file-content. Note that the name is expected to be URL-encoded already.

--data-urlencode can be used several times in a command line

Examples:
curl --data-urlencode name=val https://example.com
curl --data-urlencode =encodethis https://example.com
curl --data-urlencode name@file https://example.com
curl --data-urlencode @fileonly https://example.com

See also -d, --data and --data-raw.

-d, --data <data>
(HTTP MQTT) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will
cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded. Compare to -F, --form.

--data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To URL-encode the
value of a form field you may use --data-urlencode.

If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d skill=lousy' would
generate a post chunk that looks like 'name=daniel&skill=lousy'.

If you start the data with the letter @, the rest should be a file name to read the data from, or - if you want curl to read the data from stdin. Posting data from a file named 'foobar' would
thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you do not want the @ character to have a
special interpretation use --data-raw instead.

-d, --data can be used several times in a command line

Examples:
curl -d "name=curl" https://example.com
curl -d "name=curl" -d "tool=cmdline" https://example.com
curl -d @filename https://example.com

See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.

--delegation <LEVEL>
(GSS/kerberos) Set LEVEL to tell the server what it is allowed to delegate when it comes to user credentials.

none Do not allow any delegation.

policy Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos service ticket, which is a matter of realm policy.

always Unconditionally allow the server to delegate.

If --delegation is provided several times, the last set value will be used.

Example:
curl --delegation "none" https://example.com

See also -k, --insecure and --ssl.

--digest
(HTTP) Enables HTTP Digest authentication. This is an authentication scheme that prevents the password from being sent over the wire in clear text. Use this in combination with the normal -u,
--user option to set user name and password.

Providing --digest multiple times has no extra effect. Disable it again with --no-digest.

Example:
curl -u name:password --digest https://example.com

See also -u, --user, --proxy-digest and --anyauth. This option is mutually exclusive to --basic and --ntlm and --negotiate.

--disable-eprt
(FTP) Tell curl to disable the use of the EPRT and LPRT commands when doing active FTP transfers. Curl will normally always first attempt to use EPRT, then LPRT before using PORT, but with
this option, it will use PORT right away. EPRT and LPRT are extensions to the original FTP protocol, and may not work on all servers, but they enable more functionality in a better way than
the traditional PORT command.

--eprt can be used to explicitly enable EPRT again and --no-eprt is an alias for --disable-eprt.

If the server is accessed using IPv6, this option will have no effect as EPRT is necessary then.

Disabling EPRT only changes the active behavior. If you want to switch to passive mode you need to not use -P, --ftp-port or force it with --ftp-pasv.

Providing --disable-eprt multiple times has no extra effect. Disable it again with --no-disable-eprt.

Example:
curl --disable-eprt ftp://example.com/

See also --disable-epsv and -P, --ftp-port.

--disable-epsv
(FTP) Tell curl to disable the use of the EPSV command when doing passive FTP transfers. Curl will normally always first attempt to use EPSV before PASV, but with this option, it will not try
using EPSV.

--epsv can be used to explicitly enable EPSV again and --no-epsv is an alias for --disable-epsv.

If the server is an IPv6 host, this option will have no effect as EPSV is necessary then.

Disabling EPSV only changes the passive behavior. If you want to switch to active mode you need to use -P, --ftp-port.

Providing --disable-epsv multiple times has no extra effect. Disable it again with --no-disable-epsv.

Example:
curl --disable-epsv ftp://example.com/

See also --disable-eprt and -P, --ftp-port.

-q, --disable
If used as the first parameter on the command line, the curlrc config file will not be read and used. See the -K, --config for details on the default config file search path.

Providing -q, --disable multiple times has no extra effect. Disable it again with --no-disable.

Example:
curl -q https://example.com

See also -K, --config.

--disallow-username-in-url
(HTTP) This tells curl to exit if passed a URL containing a username. This is probably most useful when the URL is being provided at runtime or similar.

Providing --disallow-username-in-url multiple times has no extra effect. Disable it again with --no-disallow-username-in-url.

Example:
curl --disallow-username-in-url https://example.com

See also --proto. Added in 7.61.0.

--dns-interface <interface>
(DNS) Tell curl to send outgoing DNS requests through <interface>. This option is a counterpart to --interface (which does not affect DNS). The supplied string must be an interface name (not
an address).

If --dns-interface is provided several times, the last set value will be used.

Example:
curl --dns-interface eth0 https://example.com

See also --dns-ipv4-addr and --dns-ipv6-addr. --dns-interface requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv4-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv4 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv4 address.

If --dns-ipv4-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv4-addr 10.1.2.3 https://example.com

See also --dns-interface and --dns-ipv6-addr. --dns-ipv4-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv6-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv6 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv6 address.

If --dns-ipv6-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv6-addr 2a04:4e42::561 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-ipv6-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-servers <addresses>
Set the list of DNS servers to be used instead of the system default. The list of IP addresses should be separated with commas. Port numbers may also optionally be given as :<port-number>
after each IP address.

If --dns-servers is provided several times, the last set value will be used.

Example:
curl --dns-servers 192.168.0.1,192.168.0.2 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-servers requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--doh-cert-status
Same as --cert-status but used for DoH (DNS-over-HTTPS).

Providing --doh-cert-status multiple times has no extra effect. Disable it again with --no-doh-cert-status.

Example:
curl --doh-cert-status --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.76.0.

--doh-insecure
Same as -k, --insecure but used for DoH (DNS-over-HTTPS).

Providing --doh-insecure multiple times has no extra effect. Disable it again with --no-doh-insecure.

Example:
curl --doh-insecure --doh-url https://doh.example https://example.com

See also --doh-url. Added in 7.76.0.

--doh-url <URL>
Specifies which DNS-over-HTTPS (DoH) server to use to resolve hostnames, instead of using the default name resolver mechanism. The URL must be HTTPS.

Some SSL options that you set for your transfer will apply to DoH since the name lookups take place over SSL. However, the certificate verification settings are not inherited and can be con‐
trolled separately via --doh-insecure and --doh-cert-status.

This option is unset if an empty string "" is used as the URL. (Added in 7.85.0)

If --doh-url is provided several times, the last set value will be used.

Example:
curl --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.62.0.

-D, --dump-header <filename>
(HTTP FTP) Write the received protocol headers to the specified file. If no headers are received, the use of this option will create an empty file.

When used in FTP, the FTP server response lines are considered being "headers" and thus are saved there.

Having multiple transfers in one set of operations (i.e. the URLs in one -:, --next clause), will append them to the same file, separated by a blank line.

If -D, --dump-header is provided several times, the last set value will be used.

Example:
curl --dump-header store.txt https://example.com

See also -o, --output.

--egd-file <file>
(TLS) Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to the Entropy Gathering Daemon socket. The socket is used to seed the random engine for SSL connections.

If --egd-file is provided several times, the last set value will be used.

Example:
curl --egd-file /random/here https://example.com

See also --random-file.

--engine <name>
(TLS) Select the OpenSSL crypto engine to use for cipher operations. Use --engine list to print a list of build-time supported engines. Note that not all (and possibly none) of the engines
may be available at runtime.

If --engine is provided several times, the last set value will be used.

Example:
curl --engine flavor https://example.com

See also --ciphers and --curves.

--etag-compare <file>
(HTTP) This option makes a conditional HTTP request for the specific ETag read from the given file by sending a custom If-None-Match header using the stored ETag.

For correct results, make sure that the specified file contains only a single line with the desired ETag. An empty file is parsed as an empty ETag.

Use the option --etag-save to first save the ETag from a response, and then use this option to compare against the saved ETag in a subsequent request.

If --etag-compare is provided several times, the last set value will be used.

Example:
curl --etag-compare etag.txt https://example.com

See also --etag-save and -z, --time-cond. Added in 7.68.0.

--etag-save <file>
(HTTP) This option saves an HTTP ETag to the specified file. An ETag is a caching related header, usually returned in a response.

If no ETag is sent by the server, an empty file is created.

If --etag-save is provided several times, the last set value will be used.

Example:
curl --etag-save storetag.txt https://example.com

See also --etag-compare. Added in 7.68.0.

--expect100-timeout <seconds>
(HTTP) Maximum time in seconds that you allow curl to wait for a 100-continue response when curl emits an Expects: 100-continue header in its request. By default curl will wait one second.
This option accepts decimal values! When curl stops waiting, it will continue as if the response has been received.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --expect100-timeout is provided several times, the last set value will be used.

Example:
curl --expect100-timeout 2.5 -T file https://example.com

See also --connect-timeout. Added in 7.47.0.

--fail-early
Fail and exit on the first detected transfer error.

When curl is used to do multiple transfers on the command line, it will attempt to operate on each given URL, one by one. By default, it will ignore errors if there are more URLs given and
the last URL's success will determine the error code curl returns. So early failures will be "hidden" by subsequent successful transfers.

Using this option, curl will instead return an error on the first transfer that fails, independent of the amount of URLs that are given on the command line. This way, no transfer failures go
undetected by scripts and similar.

This option is global and does not need to be specified for each use of -:, --next.

This option does not imply -f, --fail, which causes transfers to fail due to the server's HTTP status code. You can combine the two options, however note -f, --fail is not global and is
therefore contained by -:, --next.

Providing --fail-early multiple times has no extra effect. Disable it again with --no-fail-early.

Example:
curl --fail-early https://example.com https://two.example

See also -f, --fail and --fail-with-body. Added in 7.52.0.

--fail-with-body
(HTTP) Return an error on server errors where the HTTP response code is 400 or greater). In normal cases when an HTTP server fails to deliver a document, it returns an HTML document stating
so (which often also describes why and more). This flag will still allow curl to output and save that content but also to return error 22.

This is an alternative option to -f, --fail which makes curl fail for the same circumstances but without saving the content.

Providing --fail-with-body multiple times has no extra effect. Disable it again with --no-fail-with-body.

Example:
curl --fail-with-body https://example.com

See also -f, --fail. This option is mutually exclusive to -f, --fail. Added in 7.76.0.

-f, --fail
(HTTP) Fail fast with no output at all on server errors. This is useful to enable scripts and users to better deal with failed attempts. In normal cases when an HTTP server fails to deliver a
document, it returns an HTML document stating so (which often also describes why and more). This flag will prevent curl from outputting that and return error 22.

This method is not fail-safe and there are occasions where non-successful response codes will slip through, especially when authentication is involved (response codes 401 and 407).

Providing -f, --fail multiple times has no extra effect. Disable it again with --no-fail.

Example:
curl --fail https://example.com

See also --fail-with-body. This option is mutually exclusive to --fail-with-body.

--false-start
(TLS) Tells curl to use false start during the TLS handshake. False start is a mode where a TLS client will start sending application data before verifying the server's Finished message, thus
saving a round trip when performing a full handshake.

This is currently only implemented in the NSS and Secure Transport (on iOS 7.0 or later, or OS X 10.9 or later) backends.

Providing --false-start multiple times has no extra effect. Disable it again with --no-false-start.

Example:
curl --false-start https://example.com

See also --tcp-fastopen. Added in 7.42.0.

--form-escape
(HTTP) Tells curl to pass on names of multipart form fields and files using backslash-escaping instead of percent-encoding.

If --form-escape is provided several times, the last set value will be used.

Example:
curl --form-escape -F 'field\name=curl' -F 'file=@load"this' https://example.com

See also -F, --form. Added in 7.81.0.

--form-string <name=string>
(HTTP SMTP IMAP) Similar to -F, --form except that the value string for the named parameter is used literally. Leading '@' and '<' characters, and the ';type=' string in the value have no
special meaning. Use this in preference to -F, --form if there's any possibility that the string value may accidentally trigger the '@' or '<' features of -F, --form.

--form-string can be used several times in a command line

Example:
curl --form-string "data" https://example.com

See also -F, --form.

-F, --form <name=content>
(HTTP SMTP IMAP) For HTTP protocol family, this lets curl emulate a filled-in form in which a user has pressed the submit button. This causes curl to POST data using the Content-Type multi‐
part/form-data according to RFC 2388.

For SMTP and IMAP protocols, this is the means to compose a multipart mail message to transmit.

This enables uploading of binary files etc. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with
the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text
field from a file.

Tell curl to read content from stdin instead of a file by using - as filename. This goes for both @ and < constructs. When stdin is used, the contents is buffered in memory first by curl to
determine its size and allow a possible resend. Defining a part's data from a named non-regular file (such as a named pipe or similar) is unfortunately not subject to buffering and will be
effectively read at transmission time; since the full size is unknown before the transfer starts, such data is sent as chunks by HTTP and rejected by IMAP.

Example: send an image to an HTTP server, where 'profile' is the name of the form-field to which the file portrait.jpg will be the input:

curl -F profile=@portrait.jpg https://example.com/upload.cgi

Example: send your name and shoe size in two text fields to the server:

curl -F name=John -F shoesize=11 https://example.com/

Example: send your essay in a text field to the server. Send it as a plain text field, but get the contents for it from a local file:

curl -F "story=<hugefile.txt" https://example.com/

You can also tell curl what Content-Type to use by using 'type=', in a manner similar to:

curl -F "web=@index.html;type=text/html" example.com

or

curl -F "name=daniel;type=text/foo" example.com

You can also explicitly change the name field of a file upload part by setting filename=, like this:

curl -F "file=@localfile;filename=nameinpost" example.com

If filename/path contains ',' or ';', it must be quoted by double-quotes like:

curl -F "file=@\"local,file\";filename=\"name;in;post\"" example.com

or

curl -F 'file=@"local,file";filename="name;in;post"' example.com

Note that if a filename/path is quoted by double-quotes, any double-quote or backslash within the filename must be escaped by backslash.

Quoting must also be applied to non-file data if it contains semicolons, leading/trailing spaces or leading double quotes:

curl -F 'colors="red; green; blue";type=text/x-myapp' example.com

You can add custom headers to the field by setting headers=, like

curl -F "submit=OK;headers=\"X-submit-type: OK\"" example.com

or

curl -F "submit=OK;headers=@headerfile" example.com

The headers= keyword may appear more that once and above notes about quoting apply. When headers are read from a file, Empty lines and lines starting with '#' are comments and ignored; each
header can be folded by splitting between two words and starting the continuation line with a space; embedded carriage-returns and trailing spaces are stripped. Here is an example of a
header file contents:

# This file contain two headers.
X-header-1: this is a header

# The following header is folded.
X-header-2: this is
another header

To support sending multipart mail messages, the syntax is extended as follows:
- name can be omitted: the equal sign is the first character of the argument,
- if data starts with '(', this signals to start a new multipart: it can be followed by a content type specification.
- a multipart can be terminated with a '=)' argument.

Example: the following command sends an SMTP mime email consisting in an inline part in two alternative formats: plain text and HTML. It attaches a text file:

curl -F '=(;type=multipart/alternative' \
-F '=plain text message' \
-F '= <body>HTML message</body>;type=text/html' \
-F '=)' -F '=@textfile.txt' ... smtp://example.com

Data can be encoded for transfer using encoder=. Available encodings are binary and 8bit that do nothing else than adding the corresponding Content-Transfer-Encoding header, 7bit that only
rejects 8-bit characters with a transfer error, quoted-printable and base64 that encodes data according to the corresponding schemes, limiting lines length to 76 characters.

Example: send multipart mail with a quoted-printable text message and a base64 attached file:

curl -F '=text message;encoder=quoted-printable' \
-F '=@localfile;encoder=base64' ... smtp://example.com

See further examples and details in the MANUAL.

-F, --form can be used several times in a command line

Example:
curl --form "name=curl" --form "file=@loadthis" https://example.com

See also -d, --data, --form-string and --form-escape. This option is mutually exclusive to -d, --data and -I, --head and -T, --upload-file.

--ftp-account <data>
(FTP) When an FTP server asks for "account data" after user name and password has been provided, this data is sent off using the ACCT command.

If --ftp-account is provided several times, the last set value will be used.

Example:
curl --ftp-account "mr.robot" ftp://example.com/

See also -u, --user.

--ftp-alternative-to-user <command>
(FTP) If authenticating with the USER and PASS commands fails, send this command. When connecting to Tumbleweed's Secure Transport server over FTPS using a client certificate, using "SITE
AUTH" will tell the server to retrieve the username from the certificate.

If --ftp-alternative-to-user is provided several times, the last set value will be used.

Example:
curl --ftp-alternative-to-user "U53r" ftp://example.com

See also --ftp-account and -u, --user.

--ftp-create-dirs
(FTP SFTP) When an FTP or SFTP URL/operation uses a path that does not currently exist on the server, the standard behavior of curl is to fail. Using this option, curl will instead attempt to
create missing directories.

Providing --ftp-create-dirs multiple times has no extra effect. Disable it again with --no-ftp-create-dirs.

Example:
curl --ftp-create-dirs -T file ftp://example.com/remote/path/file

See also --create-dirs.

--ftp-method <method>
(FTP) Control what method curl should use to reach a file on an FTP(S) server. The method argument should be one of the following alternatives:

multicwd
curl does a single CWD operation for each path part in the given URL. For deep hierarchies this means many commands. This is how RFC 1738 says it should be done. This is the default
but the slowest behavior.

nocwd curl does no CWD at all. curl will do SIZE, RETR, STOR etc and give a full path to the server for all these commands. This is the fastest behavior.

singlecwd
curl does one CWD with the full target directory and then operates on the file "normally" (like in the multicwd case). This is somewhat more standards compliant than 'nocwd' but with‐
out the full penalty of 'multicwd'.

If --ftp-method is provided several times, the last set value will be used.

Examples:
curl --ftp-method multicwd ftp://example.com/dir1/dir2/file
curl --ftp-method nocwd ftp://example.com/dir1/dir2/file
curl --ftp-method singlecwd ftp://example.com/dir1/dir2/file

See also -l, --list-only.

--ftp-pasv
(FTP) Use passive mode for the data connection. Passive is the internal default behavior, but using this option can be used to override a previous -P, --ftp-port option.

Reversing an enforced passive really is not doable but you must then instead enforce the correct -P, --ftp-port again.

Passive mode means that curl will try the EPSV command first and then PASV, unless --disable-epsv is used.

Providing --ftp-pasv multiple times has no extra effect. Disable it again with --no-ftp-pasv.

Example:
curl --ftp-pasv ftp://example.com/

See also --disable-epsv.

-P, --ftp-port <address>
(FTP) Reverses the default initiator/listener roles when connecting with FTP. This option makes curl use active mode. curl then tells the server to connect back to the client's specified ad‐
dress and port, while passive mode asks the server to setup an IP address and port for it to connect to. <address> should be one of:

interface
e.g. "eth0" to specify which interface's IP address you want to use (Unix only)

IP address
e.g. "192.168.10.1" to specify the exact IP address

host name
e.g. "my.host.domain" to specify the machine

- make curl pick the same IP address that is already used for the control connection

Disable the use of PORT with --ftp-pasv. Disable the attempt to use the EPRT command instead of PORT by using --disable-eprt. EPRT is really PORT++.

You can also append ":[start]-[end]" to the right of the address, to tell curl what TCP port range to use. That means you specify a port range, from a lower to a higher number. A single number works
as well, but do note that it increases the risk of failure since the port may not be available.

If -P, --ftp-port is provided several times, the last set value will be used.

Examples:
curl -P - ftp:/example.com
curl -P eth0 ftp:/example.com
curl -P 192.168.0.2 ftp:/example.com

See also --ftp-pasv and --disable-eprt.

--ftp-pret
(FTP) Tell curl to send a PRET command before PASV (and EPSV). Certain FTP servers, mainly drftpd, require this non-standard command for directory listings as well as up and downloads in PASV
mode.

Providing --ftp-pret multiple times has no extra effect. Disable it again with --no-ftp-pret.

Example:
curl --ftp-pret ftp://example.com/

See also -P, --ftp-port and --ftp-pasv.

--ftp-skip-pasv-ip
(FTP) Tell curl to not use the IP address the server suggests in its response to curl's PASV command when curl connects the data connection. Instead curl will re-use the same IP address it
already uses for the control connection.

Since curl 7.74.0 this option is enabled by default.

This option has no effect if PORT, EPRT or EPSV is used instead of PASV.

Providing --ftp-skip-pasv-ip multiple times has no extra effect. Disable it again with --no-ftp-skip-pasv-ip.

Example:
curl --ftp-skip-pasv-ip ftp://example.com/

See also --ftp-pasv.

--ftp-ssl-ccc-mode <active/passive>
(FTP) Sets the CCC mode. The passive mode will not initiate the shutdown, but instead wait for the server to do it, and will not reply to the shutdown from the server. The active mode initi‐
ates the shutdown and waits for a reply from the server.

Providing --ftp-ssl-ccc-mode multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc-mode.

Example:
curl --ftp-ssl-ccc-mode active --ftp-ssl-ccc ftps://example.com/

See also --ftp-ssl-ccc.

--ftp-ssl-ccc
(FTP) Use CCC (Clear Command Channel) Shuts down the SSL/TLS layer after authenticating. The rest of the control channel communication will be unencrypted. This allows NAT routers to follow
the FTP transaction. The default mode is passive.

Providing --ftp-ssl-ccc multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc.

Example:
curl --ftp-ssl-ccc ftps://example.com/

See also --ssl and --ftp-ssl-ccc-mode.

--ftp-ssl-control
(FTP) Require SSL/TLS for the FTP login, clear for transfer. Allows secure authentication, but non-encrypted data transfers for efficiency. Fails the transfer if the server does not support
SSL/TLS.

Providing --ftp-ssl-control multiple times has no extra effect. Disable it again with --no-ftp-ssl-control.

Example:
curl --ftp-ssl-control ftp://example.com

See also --ssl.

-G, --get
When used, this option will make all data specified with -d, --data, --data-binary or --data-urlencode to be used in an HTTP GET request instead of the POST request that otherwise would be
used. The data will be appended to the URL with a '?' separator.

If used in combination with -I, --head, the POST data will instead be appended to the URL with a HEAD request.

Providing -G, --get multiple times has no extra effect. Disable it again with --no-get.

Examples:
curl --get https://example.com
curl --get -d "tool=curl" -d "age=old" https://example.com
curl --get -I -d "tool=curl" https://example.com

See also -d, --data and -X, --request.

-g, --globoff
This option switches off the "URL globbing parser". When you set this option, you can specify URLs that contain the letters {}[] without having curl itself interpret them. Note that these
letters are not normal legal URL contents but they should be encoded according to the URI standard.

Providing -g, --globoff multiple times has no extra effect. Disable it again with --no-globoff.

Example:
curl -g "https://example.com/{[]}}}}"

See also -K, --config and -q, --disable.

--happy-eyeballs-timeout-ms <milliseconds>
Happy Eyeballs is an algorithm that attempts to connect to both IPv4 and IPv6 addresses for dual-stack hosts, giving IPv6 a head-start of the specified number of milliseconds. If the IPv6 ad‐
dress cannot be connected to within that time, then a connection attempt is made to the IPv4 address in parallel. The first connection to be established is the one that is used.

The range of suggested useful values is limited. Happy Eyeballs RFC 6555 says "It is RECOMMENDED that connection attempts be paced 150-250 ms apart to balance human factors against network
load." libcurl currently defaults to 200 ms. Firefox and Chrome currently default to 300 ms.

If --happy-eyeballs-timeout-ms is provided several times, the last set value will be used.

Example:
curl --happy-eyeballs-timeout-ms 500 https://example.com

See also -m, --max-time and --connect-timeout. Added in 7.59.0.

--haproxy-protocol
(HTTP) Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This is used by some load balancers and reverse proxies to indicate the client's true IP address and port.

This option is primarily useful when sending test requests to a service that expects this header.

Providing --haproxy-protocol multiple times has no extra effect. Disable it again with --no-haproxy-protocol.

Example:
curl --haproxy-protocol https://example.com

See also -x, --proxy. Added in 7.60.0.

-I, --head
(HTTP FTP FILE) Fetch the headers only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the
file size and last modification time only.

Providing -I, --head multiple times has no extra effect. Disable it again with --no-head.

Example:
curl -I https://example.com

See also -G, --get, -v, --verbose and --trace-ascii.

-H, --header <header/@file>
(HTTP IMAP SMTP) Extra header to include in information sent. When used within an HTTP request, it is added to the regular request headers.

For an IMAP or SMTP MIME uploaded mail built with -F, --form options, it is prepended to the resulting MIME document, effectively including it at the mail global level. It does not affect raw
uploaded mails (Added in 7.56.0).

You may specify any number of extra headers. Note that if you should add a custom header that has the same name as one of the internal ones curl would use, your externally set header will be
used instead of the internal one. This allows you to make even trickier stuff than curl would normally do. You should not replace internally set headers without knowing perfectly well what
you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If you send the custom header with no-value then its header
must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

This option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin. Added in 7.55.0.

Please note that most anti-spam utilities check the presence and value of several MIME mail headers: these are "From:", "To:", "Date:" and "Subject:" among others and should be added with
this option.

You need --proxy-header to send custom headers intended for an HTTP proxy. Added in 7.37.0.

Passing on a "Transfer-Encoding: chunked" header when doing an HTTP request with a request body, will make curl send the data using chunked encoding.

WARNING: headers set with this option will be set in all HTTP requests - even after redirects are followed, like when told with -L, --location. This can lead to the header being sent to other
hosts than the original host, so sensitive headers should be used with caution combined with following redirects.

-H, --header can be used several times in a command line

Examples:
curl -H "X-First-Name: Joe" https://example.com
curl -H "User-Agent: yes-please/2000" https://example.com
curl -H "Host:" https://example.com
curl -H @headers.txt https://example.com

See also -A, --user-agent and -e, --referer.

-h, --help <category>
Usage help. This lists all commands of the <category>. If no arg was provided, curl will display the most important command line arguments. If the argument "all" was provided, curl will
display all options available. If the argument "category" was provided, curl will display all categories and their meanings.

Example:
curl --help all

See also -v, --verbose.

--hostpubmd5 <md5>
(SFTP SCP) Pass a string containing 32 hexadecimal digits. The string should be the 128 bit MD5 checksum of the remote host's public key, curl will refuse the connection with the host unless
the md5sums match.

If --hostpubmd5 is provided several times, the last set value will be used.

Example:
curl --hostpubmd5 e5c1c49020640a5ab0f2034854c321a8 sftp://example.com/

See also --hostpubsha256.

--hostpubsha256 <sha256>
(SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the remote host's public key. Curl will refuse the connection with the host unless the hashes match.

This feature requires libcurl to be built with libssh2 and does not work with other SSH backends.

If --hostpubsha256 is provided several times, the last set value will be used.

Example:
curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

See also --hostpubmd5. Added in 7.80.0.

--hsts <file name>
(HTTPS) This option enables HSTS for the transfer. If the file name points to an existing HSTS cache file, that will be used. After a completed transfer, the cache will be saved to the file
name again if it has been modified.

If curl is told to use HTTP:// for a transfer involving a host name that exists in the HSTS cache, it upgrades the transfer to use HTTPS. Each HSTS cache entry has an individual life time af‐
ter which the upgrade is no longer performed.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle HSTS in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--hsts can be used several times in a command line

Example:
curl --hsts cache.txt https://example.com

See also --proto. Added in 7.74.0.

--http0.9
(HTTP) Tells curl to be fine with HTTP version 0.9 response.

HTTP/0.9 is a completely headerless response and therefore you can also connect with this to non-HTTP servers and still get a response since curl will simply transparently downgrade - if al‐
lowed.

Since curl 7.66.0, HTTP/0.9 is disabled by default.

Providing --http0.9 multiple times has no extra effect. Disable it again with --no-http0.9.

Example:
curl --http0.9 https://example.com

See also --http1.1, --http2 and --http3. Added in 7.64.0.

-0, --http1.0
(HTTP) Tells curl to use HTTP version 1.0 instead of using its internally preferred HTTP version.

Providing -0, --http1.0 multiple times has no extra effect.

Example:
curl --http1.0 https://example.com

See also --http0.9 and --http1.1. This option is mutually exclusive to --http1.1 and --http2 and --http2-prior-knowledge and --http3.

--http1.1
(HTTP) Tells curl to use HTTP version 1.1.

Providing --http1.1 multiple times has no extra effect.

Example:
curl --http1.1 https://example.com

See also -0, --http1.0 and --http0.9. This option is mutually exclusive to -0, --http1.0 and --http2 and --http2-prior-knowledge and --http3. Added in 7.33.0.

--http2-prior-knowledge
(HTTP) Tells curl to issue its non-TLS HTTP requests using HTTP/2 without HTTP/1.1 Upgrade. It requires prior knowledge that the server supports HTTP/2 straight away. HTTPS requests will
still do HTTP/2 the standard way with negotiated protocol version in the TLS handshake.

Providing --http2-prior-knowledge multiple times has no extra effect. Disable it again with --no-http2-prior-knowledge.

Example:
curl --http2-prior-knowledge https://example.com

See also --http2 and --http3. --http2-prior-knowledge requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http3. Added in 7.49.0.

--http2
(HTTP) Tells curl to use HTTP version 2.

For HTTPS, this means curl will attempt to negotiate HTTP/2 in the TLS handshake. curl does this by default.

For HTTP, this means curl will attempt to upgrade the request to HTTP/2 using the Upgrade: request header.

When curl uses HTTP/2 over HTTPS, it does not itself insist on TLS 1.2 or higher even though that is required by the specification. A user can add this version requirement with --tlsv1.2.

Providing --http2 multiple times has no extra effect.

Example:
curl --http2 https://example.com

See also --http1.1 and --http3. --http2 requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2-prior-
knowledge and --http3. Added in 7.33.0.

--http3-only
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Instructs curl to use HTTP/3 to the host in the URL, with no fallback to earlier HTTP versions. HTTP/3 can only be used for HTTPS and not for HTTP URLs. For HTTP, this option will trigger an
error.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

This option will make curl fail if a QUIC connection cannot be established, it will not attempt any other HTTP version on its own. Use --http3 for similar functionality with a fallback.

Providing --http3-only multiple times has no extra effect.

Example:
curl --http3-only https://example.com

See also --http1.1, --http2 and --http3. --http3-only requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http2-prior-knowledge and --http3. Added in 7.88.0.

--http3
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Tells curl to try HTTP/3 to the host in the URL, but fallback to earlier HTTP versions if the HTTP/3 connection establishment fails. HTTP/3 is only available for HTTPS and not for HTTP URLs.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

When asked to use HTTP/3, curl will issue a separate attempt to use older HTTP versions with a slight delay, so if the HTTP/3 transfer fails or is very slow, curl will still try to proceed
with an older HTTP version.

Use --http3-only for similar functionality without a fallback.

Providing --http3 multiple times has no extra effect.

Example:
curl --http3 https://example.com

See also --http1.1 and --http2. --http3 requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2 and
--http2-prior-knowledge and --http3-only. Added in 7.66.0.

--ignore-content-length
(FTP HTTP) For HTTP, Ignore the Content-Length header. This is particularly useful for servers running Apache 1.x, which will report incorrect Content-Length for files larger than 2 giga‐
bytes.

For FTP (since 7.46.0), skip the RETR command to figure out the size before downloading a file.

This option does not work for HTTP if libcurl was built to use hyper.

Providing --ignore-content-length multiple times has no extra effect. Disable it again with --no-ignore-content-length.

Example:
curl --ignore-content-length https://example.com

See also --ftp-skip-pasv-ip.

-i, --include
Include the HTTP response headers in the output. The HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more...

To view the request headers, consider the -v, --verbose option.

Providing -i, --include multiple times has no extra effect. Disable it again with --no-include.

Example:
curl -i https://example.com

See also -v, --verbose.

-k, --insecure
(TLS SFTP SCP) By default, every secure connection curl makes is verified to be secure before the transfer takes place. This option makes curl skip the verification step and proceed without
checking.

When this option is not used for protocols using TLS, curl verifies the server's TLS certificate before it continues: that the certificate contains the right name which matches the host name
used in the URL and that the certificate has been signed by a CA certificate present in the cert store. See this online resource for further details:
https://curl.se/docs/sslcerts.html

For SFTP and SCP, this option makes curl skip the known_hosts verification. known_hosts is a file normally stored in the user's home directory in the ".ssh" subdirectory, which contains host
names and their public keys.

WARNING: using this option makes the transfer insecure.

When curl uses secure protocols it trusts responses and allows for example HSTS and Alt-Svc information to be stored and used subsequently. Using -k, --insecure can make curl trust and use
such information from malicious servers.

Providing -k, --insecure multiple times has no extra effect. Disable it again with --no-insecure.

Example:
curl --insecure https://example.com

See also --proxy-insecure, --cacert and --capath.

--interface <name>
Perform an operation using a specified interface. You can enter interface name, IP address or host name. An example could look like:

curl --interface eth0:1 https://www.example.com/

On Linux it can be used to specify a VRF, but the binary needs to either have CAP_NET_RAW or to be run as root. More information about Linux VRF: https://www.kernel.org/doc/Documentation/net‐
working/vrf.txt

If --interface is provided several times, the last set value will be used.

Example:
curl --interface eth0 https://example.com

See also --dns-interface.

-4, --ipv4
This option tells curl to use IPv4 addresses only, and not for example try IPv6.

Providing -4, --ipv4 multiple times has no extra effect. Disable it again with --no-ipv4.

Example:
curl --ipv4 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -6, --ipv6.

-6, --ipv6
This option tells curl to use IPv6 addresses only, and not for example try IPv4.

Providing -6, --ipv6 multiple times has no extra effect. Disable it again with --no-ipv6.

Example:
curl --ipv6 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -4, --ipv4.

--json <data>
(HTTP) Sends the specified JSON data in a POST request to the HTTP server. --json works as a shortcut for passing on these three options:

--data [arg]
--header "Content-Type: application/json"
--header "Accept: application/json"

There is no verification that the passed in data is actual JSON or that the syntax is correct.

If you start the data with the letter @, the rest should be a file name to read the data from, or a single dash (-) if you want curl to read the data from stdin. Posting data from a file
named 'foobar' would thus be done with --json @foobar and to instead read the data from stdin, use --json @-.

If this option is used more than once on the same command line, the additional data pieces will be concatenated to the previous before sending.

The headers this option sets can be overridden with -H, --header as usual.

--json can be used several times in a command line

Examples:
curl --json '{ "drink": "coffe" }' https://example.com
curl --json '{ "drink":' --json ' "coffe" }' https://example.com
curl --json @prepared https://example.com
curl --json @- https://example.com < json.txt

See also --data-binary and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file. Added in 7.82.0.

-j, --junk-session-cookies
(HTTP) When curl is told to read cookies from a given file, this option will make it discard all "session cookies". This will basically have the same effect as if a new session is started.
Typical browsers always discard session cookies when they are closed down.

Providing -j, --junk-session-cookies multiple times has no extra effect. Disable it again with --no-junk-session-cookies.

Example:
curl --junk-session-cookies -b cookies.txt https://example.com

See also -b, --cookie and -c, --cookie-jar.

--keepalive-time <seconds>
This option sets the time a connection needs to remain idle before sending keepalive probes and the time between individual keepalive probes. It is currently effective on operating systems
offering the TCP_KEEPIDLE and TCP_KEEPINTVL socket options (meaning Linux, recent AIX, HP-UX and more). Keepalives are used by the TCP stack to detect broken networks on idle connections.
The number of missed keepalive probes before declaring the connection down is OS dependent and is commonly 9 or 10. This option has no effect if --no-keepalive is used.

If unspecified, the option defaults to 60 seconds.

If --keepalive-time is provided several times, the last set value will be used.

Example:
curl --keepalive-time 20 https://example.com

See also --no-keepalive and -m, --max-time.

--key-type <type>
(TLS) Private key file type. Specify which type your --key provided private key is. DER, PEM, and ENG are supported. If not specified, PEM is assumed.

If --key-type is provided several times, the last set value will be used.

Example:
curl --key-type DER --key here https://example.com

See also --key.

--key <key>
(TLS SSH) Private key file name. Allows you to provide your private key in this separate file. For SSH, if not specified, curl tries the following candidates in order: '~/.ssh/id_rsa',
'~/.ssh/id_dsa', './id_rsa', './id_dsa'.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --key-type option will be
set as "ENG" if none was provided.

If curl is built against Secure Transport or Schannel then this option is ignored for TLS protocols (HTTPS, etc). Those backends expect the private key to be already present in the keychain
or PKCS#12 file containing the certificate.

If --key is provided several times, the last set value will be used.

Example:
curl --cert certificate --key here https://example.com

See also --key-type and -E, --cert.

--krb <level>
(FTP) Enable Kerberos authentication and use. The level must be entered and should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use a level that is not one of these,
'private' will instead be used.

If --krb is provided several times, the last set value will be used.

Example:
curl --krb clear ftp://example.com/

See also --delegation and --ssl. --krb requires that the underlying libcurl was built to support Kerberos.

--libcurl <file>
Append this option to any ordinary curl command line, and you will get libcurl-using C source code written to the file that does the equivalent of what your command-line operation does!

This option is global and does not need to be specified for each use of -:, --next.

If --libcurl is provided several times, the last set value will be used.

Example:
curl --libcurl client.c https://example.com

See also -v, --verbose.

--limit-rate <speed>
Specify the maximum transfer rate you want curl to use - for both downloads and uploads. This feature is useful if you have a limited pipe and you would like your transfer not to use your en‐
tire bandwidth. To make it slower than it otherwise would be.

The given speed is measured in bytes/second, unless a suffix is appended. Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it
gigabytes. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024. Examples: 200K, 3m and 1G.

The rate limiting logic works on averaging the transfer speed to no more than the set threshold over a period of multiple seconds.

If you also use the -Y, --speed-limit option, that option will take precedence and might cripple the rate-limiting slightly, to help keeping the speed-limit logic working.

If --limit-rate is provided several times, the last set value will be used.

Examples:
curl --limit-rate 100K https://example.com
curl --limit-rate 1000 https://example.com
curl --limit-rate 10M https://example.com

See also --rate, -Y, --speed-limit and -y, --speed-time.

-l, --list-only
(FTP POP3) (FTP) When listing an FTP directory, this switch forces a name-only view. This is especially useful if the user wants to machine-parse the contents of an FTP directory since the
normal directory view does not use a standard look or format. When used like this, the option causes an NLST command to be sent to the server instead of LIST.

Note: Some FTP servers list only files in their response to NLST; they do not include sub-directories and symbolic links.

(POP3) When retrieving a specific email from POP3, this switch forces a LIST command to be performed instead of RETR. This is particularly useful if the user wants to see if a specific mes‐
sage-id exists on the server and what size it is.

Note: When combined with -X, --request, this option can be used to send a UIDL command instead, so the user may use the email's unique identifier rather than its message-id to make the re‐
quest.

Providing -l, --list-only multiple times has no extra effect. Disable it again with --no-list-only.

Example:
curl --list-only ftp://example.com/dir/

See also -Q, --quote and -X, --request.

--local-port <num/range>
Set a preferred single number or range (FROM-TO) of local port numbers to use for the connection(s). Note that port numbers by nature are a scarce resource that will be busy at times so set‐
ting this range to something too narrow might cause unnecessary connection setup failures.

If --local-port is provided several times, the last set value will be used.

Example:
curl --local-port 1000-3000 https://example.com

See also -g, --globoff.

--location-trusted
(HTTP) Like -L, --location, but will allow sending the name + password to all hosts that the site may redirect to. This may or may not introduce a security breach if the site redirects you to
a site to which you will send your authentication info (which is plaintext in the case of HTTP Basic authentication).

Providing --location-trusted multiple times has no extra effect. Disable it again with --no-location-trusted.

Example:
curl --location-trusted -u user:password https://example.com

See also -u, --user.

-L, --location
(HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request
on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐
tial host. If a redirect takes curl to a different host, it will not be able to intercept the user+password. See also --location-trusted on how to change this. You can limit the amount of
redirects to follow by using the --max-redirs option.

When curl follows a redirect and if the request is a POST, it will send the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx
code, curl will re-send the following request using the same unmodified method.

You can tell curl to not change POST requests to GET after a 30x response by using the dedicated options for that: --post301, --post302 and --post303.

The method set with -X, --request overrides the method curl would otherwise select to use.

Providing -L, --location multiple times has no extra effect. Disable it again with --no-location.

Example:
curl -L https://example.com

See also --resolve and --alt-svc.

--login-options <options>
(IMAP LDAP POP3 SMTP) Specify the login options to use during server authentication.

You can use login options to specify protocol specific options that may be used during authentication. At present only IMAP, POP3 and SMTP support login options. For more information about
login options please see RFC 2384, RFC 5092 and IETF draft draft-earhart-url-smtp-00.txt

If --login-options is provided several times, the last set value will be used.

Example:
curl --login-options 'AUTH=*' imap://example.com

See also -u, --user. Added in 7.34.0.

--mail-auth <address>
(SMTP) Specify a single address. This will be used to specify the authentication address (identity) of a submitted message that is being relayed to another server.

If --mail-auth is provided several times, the last set value will be used.

Example:
curl --mail-auth user@example.come -T mail smtp://example.com/

See also --mail-rcpt and --mail-from.

--mail-from <address>
(SMTP) Specify a single address that the given mail should get sent from.

If --mail-from is provided several times, the last set value will be used.

Example:
curl --mail-from user@example.com -T mail smtp://example.com/

See also --mail-rcpt and --mail-auth.

--mail-rcpt-allowfails
(SMTP) When sending data to multiple recipients, by default curl will abort SMTP conversation if at least one of the recipients causes RCPT TO command to return an error.

The default behavior can be changed by passing --mail-rcpt-allowfails command-line option which will make curl ignore errors and proceed with the remaining valid recipients.

If all recipients trigger RCPT TO failures and this flag is specified, curl will still abort the SMTP conversation and return the error received from to the last RCPT TO command.

Providing --mail-rcpt-allowfails multiple times has no extra effect. Disable it again with --no-mail-rcpt-allowfails.

Example:
curl --mail-rcpt-allowfails --mail-rcpt dest@example.com smtp://example.com

See also --mail-rcpt. Added in 7.69.0.

--mail-rcpt <address>
(SMTP) Specify a single email address, user name or mailing list name. Repeat this option several times to send to multiple recipients.

When performing an address verification (VRFY command), the recipient should be specified as the user name or user name and domain (as per Section 3.5 of RFC5321). (Added in 7.34.0)

When performing a mailing list expand (EXPN command), the recipient should be specified using the mailing list name, such as "Friends" or "London-Office". (Added in 7.34.0)

--mail-rcpt can be used several times in a command line

Example:
curl --mail-rcpt user@example.net smtp://example.com

See also --mail-rcpt-allowfails.

-M, --manual
Manual. Display the huge help text.

Example:
curl --manual

See also -v, --verbose, --libcurl and --trace.

--max-filesize <bytes>
(FTP HTTP MQTT) Specify the maximum size (in bytes) of a file to download. If the file requested is larger than this value, the transfer will not start and curl will return with exit code 63.

A size modifier may be used. For example, Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it gigabytes. Examples: 200K, 3m and
1G. (Added in 7.58.0)

NOTE: The file size is not always known prior to download, and for such files this option has no effect even if the file transfer ends up being larger than this given limit. If --max-file‐
size is provided several times, the last set value will be used.

Example:
curl --max-filesize 100K https://example.com

See also --limit-rate.

--max-redirs <num>
(HTTP) Set maximum number of redirections to follow. When -L, --location is used, to prevent curl from following too many redirects, by default, the limit is set to 50 redirects. Set this op‐
tion to -1 to make it unlimited.

If --max-redirs is provided several times, the last set value will be used.

Example:
curl --max-redirs 3 --location https://example.com

See also -L, --location.

-m, --max-time <fractional seconds>
Maximum time in seconds that you allow each transfer to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0,
this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision.

If you enable retrying the transfer (--retry) then the maximum time counter is reset each time the transfer is retried. You can use --retry-max-time to limit the retry time.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If -m, --max-time is provided several times, the last set value will be used.

Examples:
curl --max-time 10 https://example.com
curl --max-time 2.92 https://example.com

See also --connect-timeout and --retry-max-time.

--metalink
This option was previously used to specify a metalink resource. Metalink support has been disabled in curl since 7.78.0 for security reasons.

If --metalink is provided several times, the last set value will be used.

Example:
curl --metalink file https://example.com

See also -Z, --parallel.

--negotiate
(HTTP) Enables Negotiate (SPNEGO) authentication.

This option requires a library built with GSS-API or SSPI support. Use -V, --version to see if your curl supports GSS-API/SSPI or SPNEGO.

When using this option, you must also provide a fake -u, --user option to activate the authentication code properly. Sending a '-u :' is enough as the user name and password from the -u,
--user option are not actually used.

If this option is used several times, only the first one is used.

Providing --negotiate multiple times has no extra effect.

Example:
curl --negotiate -u : https://example.com

See also --basic, --ntlm, --anyauth and --proxy-negotiate.

--netrc-file <filename>
This option is similar to -n, --netrc, except that you provide the path (absolute or relative) to the netrc file that curl should use. You can only specify one netrc file per invocation.

It will abide by --netrc-optional if specified.

If --netrc-file is provided several times, the last set value will be used.

Example:
curl --netrc-file netrc https://example.com

See also -n, --netrc, -u, --user and -K, --config. This option is mutually exclusive to -n, --netrc.

--netrc-optional
Similar to -n, --netrc, but this option makes the .netrc usage optional and not mandatory as the -n, --netrc option does.

Providing --netrc-optional multiple times has no extra effect. Disable it again with --no-netrc-optional.

Example:
curl --netrc-optional https://example.com

See also --netrc-file. This option is mutually exclusive to -n, --netrc.

-n, --netrc
Makes curl scan the .netrc (_netrc on Windows) file in the user's home directory for login name and password. This is typically used for FTP on Unix. If used with HTTP, curl will enable user
authentication. See netrc(5) and ftp(1) for details on the file format. Curl will not complain if that file does not have the right permissions (it should be neither world- nor group-read‐
able). The environment variable "HOME" is used to find the home directory.

A quick and simple example of how to setup a .netrc to allow curl to FTP to the machine host.domain.com with user name 'myself' and password 'secret' could look similar to:

machine host.domain.com
login myself
password secret

Providing -n, --netrc multiple times has no extra effect. Disable it again with --no-netrc.

Example:
curl --netrc https://example.com

See also --netrc-file, -K, --config and -u, --user. This option is mutually exclusive to --netrc-file and --netrc-optional.

-:, --next
Tells curl to use a separate operation for the following URL and associated options. This allows you to send several URL requests, each with their own specific options, for example, such as
different user names or custom requests for each.

-:, --next will reset all local options and only global ones will have their values survive over to the operation following the -:, --next instruction. Global options include -v, --verbose,
--trace, --trace-ascii and --fail-early.

For example, you can do both a GET and a POST in a single command line:

curl www1.example.com --next -d postthis www2.example.com

-:, --next can be used several times in a command line

Examples:
curl https://example.com --next -d postthis www2.example.com
curl -I https://example.com --next https://example.net/

See also -Z, --parallel and -K, --config. Added in 7.36.0.

--no-alpn
(HTTPS) Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built with an SSL library that supports ALPN. ALPN is used by a libcurl that supports HTTP/2 to negotiate
HTTP/2 support with the server during https sessions.

Providing --no-alpn multiple times has no extra effect. Disable it again with --alpn.

Example:
curl --no-alpn https://example.com

See also --no-npn and --http2. --no-alpn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

-N, --no-buffer
Disables the buffering of the output stream. In normal work situations, curl will use a standard buffered output stream that will have the effect that it will output the data in chunks, not
necessarily exactly when the data arrives. Using this option will disable that buffering.

Providing -N, --no-buffer multiple times has no extra effect. Disable it again with --buffer.

Example:
curl --no-buffer https://example.com

See also -#, --progress-bar.

--no-clobber
When used in conjunction with the -o, --output, -J, --remote-header-name, -O, --remote-name, or --remote-name-all options, curl avoids overwriting files that already exist. Instead, a dot and
a number gets appended to the name of the file that would be created, up to filename.100 after which it will not create any file.

Note that this is the negated option name documented. You can thus use --clobber to enforce the clobbering, even if -J, --remote-header-name is specified.

Providing --no-clobber multiple times has no extra effect. Disable it again with --clobber.

Example:
curl --no-clobber --output local/dir/file https://example.com

See also -o, --output and -O, --remote-name. Added in 7.83.0.

--no-keepalive
Disables the use of keepalive messages on the TCP connection. curl otherwise enables them by default.

Note that this is the negated option name documented. You can thus use --keepalive to enforce keepalive.

Providing --no-keepalive multiple times has no extra effect. Disable it again with --keepalive.

Example:
curl --no-keepalive https://example.com

See also --keepalive-time.

--no-npn
(HTTPS) In curl 7.86.0 and later, curl never uses NPN.

Disable the NPN TLS extension. NPN is enabled by default if libcurl was built with an SSL library that supports NPN. NPN is used by a libcurl that supports HTTP/2 to negotiate HTTP/2 support
with the server during https sessions.

Providing --no-npn multiple times has no extra effect. Disable it again with --npn.

Example:
curl --no-npn https://example.com

See also --no-alpn and --http2. --no-npn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

--no-progress-meter
Option to switch off the progress meter output without muting or otherwise affecting warning and informational messages like -s, --silent does.

Note that this is the negated option name documented. You can thus use --progress-meter to enable the progress meter again.

Providing --no-progress-meter multiple times has no extra effect. Disable it again with --progress-meter.

Example:
curl --no-progress-meter -o store https://example.com

See also -v, --verbose and -s, --silent. Added in 7.67.0.

--no-sessionid
(TLS) Disable curl's use of SSL session-ID caching. By default all transfers are done using the cache. Note that while nothing should ever get hurt by attempting to reuse SSL session-IDs,
there seem to be broken SSL implementations in the wild that may require you to disable this in order for you to succeed.

Note that this is the negated option name documented. You can thus use --sessionid to enforce session-ID caching.

Providing --no-sessionid multiple times has no extra effect. Disable it again with --sessionid.

Example:
curl --no-sessionid https://example.com

See also -k, --insecure.

--noproxy <no-proxy-list>
Comma-separated list of hosts for which not to use a proxy, if one is specified. The only wildcard is a single * character, which matches all hosts, and effectively disables the proxy. Each
name in this list is matched as either a domain which contains the hostname, or the hostname itself. For example, local.com would match local.com, local.com:80, and www.local.com, but not
www.notlocal.com.

Since 7.53.0, This option overrides the environment variables that disable the proxy ('no_proxy' and 'NO_PROXY'). If there's an environment variable disabling a proxy, you can set the noproxy
list to "" to override it.

Since 7.86.0, IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the
comparison. For example "192.168.0.0/16" would match all addresses starting with "192.168".

If --noproxy is provided several times, the last set value will be used.

Example:
curl --noproxy "www.example" https://example.com

See also -x, --proxy.

--ntlm-wb
(HTTP) Enables NTLM much in the style --ntlm does, but hand over the authentication to the separate binary ntlmauth application that is executed when needed.

Providing --ntlm-wb multiple times has no extra effect.

Example:
curl --ntlm-wb -u user:password https://example.com

See also --ntlm and --proxy-ntlm.

--ntlm (HTTP) Enables NTLM authentication. The NTLM authentication method was designed by Microsoft and is used by IIS web servers. It is a proprietary protocol, reverse-engineered by clever people
and implemented in curl based on their efforts. This kind of behavior should not be endorsed, you should encourage everyone who uses NTLM to switch to a public and documented authentication
method instead, such as Digest.

If you want to enable NTLM for your proxy authentication, then use --proxy-ntlm.

If this option is used several times, only the first one is used.

Providing --ntlm multiple times has no extra effect.

Example:
curl --ntlm -u user:password https://example.com

See also --proxy-ntlm. --ntlm requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --basic and --negotiate and --digest and --anyauth.

--oauth2-bearer <token>
(IMAP LDAP POP3 SMTP HTTP) Specify the Bearer Token for OAUTH 2.0 server authentication. The Bearer Token is used in conjunction with the user name which can be specified as part of the --url
or -u, --user options.

The Bearer Token and user name are formatted according to RFC 6750.

If --oauth2-bearer is provided several times, the last set value will be used.

Example:
curl --oauth2-bearer "mF_9.B5f-4.1JqM" https://example.com

See also --basic, --ntlm and --digest. Added in 7.33.0.

--output-dir <dir>
This option specifies the directory in which files should be stored, when -O, --remote-name or -o, --output are used.

The given output directory is used for all URLs and output options on the command line, up until the first -:, --next.

If the specified target directory does not exist, the operation will fail unless --create-dirs is also used.

If --output-dir is provided several times, the last set value will be used.

Example:
curl --output-dir "tmp" -O https://example.com

See also -O, --remote-name and -J, --remote-header-name. Added in 7.73.0.

-o, --output <file>
Write output to <file> instead of stdout. If you are using {} or [] to fetch multiple documents, you should quote the URL and you can use '#' followed by a number in the <file> specifier.
That variable will be replaced with the current string for the URL being fetched. Like in:

curl "http://{one,two}.example.com" -o "file_#1.txt"

or use several variables like:

curl "http://{site,host}.host[1-5].com" -o "#1_#2"

You may use this option as many times as the number of URLs you have. For example, if you specify two URLs on the same command line, you can use it like this:

curl -o aa example.com -o bb example.net

and the order of the -o options and the URLs does not matter, just that the first -o is for the first URL and so on, so the above command line can also be written as

curl example.com example.net -o aa -o bb

See also the --create-dirs option to create the local directories dynamically. Specifying the output as '-' (a single dash) will force the output to be done to stdout.

To suppress response bodies, you can redirect output to /dev/null:

curl example.com -o /dev/null

Or for Windows use nul:

curl example.com -o nul

-o, --output can be used several times in a command line

Examples:
curl -o file https://example.com
curl "http://{one,two}.example.com" -o "file_#1.txt"
curl "http://{site,host}.host[1-5].com" -o "#1_#2"
curl -o file https://example.com -o file2 https://example.net

See also -O, --remote-name, --remote-name-all and -J, --remote-header-name.

--parallel-immediate
When doing parallel transfers, this option will instruct curl that it should rather prefer opening up more connections in parallel at once rather than waiting to see if new transfers can be
added as multiplexed streams on another connection.

This option is global and does not need to be specified for each use of -:, --next.

Providing --parallel-immediate multiple times has no extra effect. Disable it again with --no-parallel-immediate.

Example:
curl --parallel-immediate -Z https://example.com -o file1 https://example.com -o file2

See also -Z, --parallel and --parallel-max. Added in 7.68.0.

--parallel-max <num>
When asked to do parallel transfers, using -Z, --parallel, this option controls the maximum amount of transfers to do simultaneously.

This option is global and does not need to be specified for each use of -:, --next.

The default is 50.

If --parallel-max is provided several times, the last set value will be used.

Example:
curl --parallel-max 100 -Z https://example.com ftp://example.com/

See also -Z, --parallel. Added in 7.66.0.

-Z, --parallel
Makes curl perform its transfers in parallel as compared to the regular serial manner.

This option is global and does not need to be specified for each use of -:, --next.

Providing -Z, --parallel multiple times has no extra effect. Disable it again with --no-parallel.

Example:
curl --parallel https://example.com -o file1 https://example.com -o file2

See also -:, --next and -v, --verbose. Added in 7.66.0.

--pass <phrase>
(SSH TLS) Passphrase for the private key.

If --pass is provided several times, the last set value will be used.

Example:
curl --pass secret --key file https://example.com

See also --key and -u, --user.

--path-as-is
Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.

Providing --path-as-is multiple times has no extra effect. Disable it again with --no-path-as-is.

Example:
curl --path-as-is https://example.com/../../etc/passwd

See also --request-target. Added in 7.42.0.

--pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the peer. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

PEM/DER support:

7.39.0: OpenSSL, GnuTLS and GSKit

7.43.0: NSS and wolfSSL

7.47.0: mbedtls

sha256 support:

7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL

7.47.0: mbedtls

Other SSL backends not supported.

If --pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --pinnedpubkey keyfile https://example.com
curl --pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --hostpubsha256. Added in 7.39.0.

--post301
(HTTP) Tells curl to respect RFC 7231/6.4.2 and not convert POST requests into GET requests when following a 301 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post301 multiple times has no extra effect. Disable it again with --no-post301.

Example:
curl --post301 --location -d "data" https://example.com

See also --post302, --post303 and -L, --location.

--post302
(HTTP) Tells curl to respect RFC 7231/6.4.3 and not convert POST requests into GET requests when following a 302 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post302 multiple times has no extra effect. Disable it again with --no-post302.

Example:
curl --post302 --location -d "data" https://example.com

See also --post301, --post303 and -L, --location.

--post303
(HTTP) Tells curl to violate RFC 7231/6.4.4 and not convert POST requests into GET requests when following 303 redirections. A server may require a POST to remain a POST after a 303 redirect‐
ion. This option is meaningful only when using -L, --location.

Providing --post303 multiple times has no extra effect. Disable it again with --no-post303.

Example:
curl --post303 --location -d "data" https://example.com

See also --post302, --post301 and -L, --location.

--preproxy [protocol://]host[:port]
Use the specified SOCKS proxy before connecting to an HTTP or HTTPS -x, --proxy. In such a case curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy. Hence pre proxy.

The pre proxy string should be specified with a protocol:// prefix to specify alternative proxy protocols. Use socks4://, socks4a://, socks5:// or socks5h:// to request the specific SOCKS
version to be used. No protocol specified will make curl default to SOCKS4.

If the port number is not specified in the proxy string, it is assumed to be 1080.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

If --preproxy is provided several times, the last set value will be used.

Example:
curl --preproxy socks5://proxy.example -x http://http.example https://example.com

See also -x, --proxy and --socks5. Added in 7.52.0.

-#, --progress-bar
Make curl display transfer progress as a simple progress bar instead of the standard, more informational, meter.

This progress bar draws a single line of '#' characters across the screen and shows a percentage if the transfer size is known. For transfers without a known size, there will be space ship
(-=o=-) that moves back and forth but only while data is being transferred, with a set of flying hash sign symbols on top.

This option is global and does not need to be specified for each use of -:, --next.

Providing -#, --progress-bar multiple times has no extra effect. Disable it again with --no-progress-bar.

Example:
curl -# -O https://example.com

See also --styled-output.

--proto-default <protocol>
Tells curl to use protocol for any URL missing a scheme name.

An unknown or unsupported protocol causes error CURLE_UNSUPPORTED_PROTOCOL (1).

This option does not change the default proxy protocol (http).

Without this option set, curl guesses protocol based on the host name, see --url for details.

If --proto-default is provided several times, the last set value will be used.

Example:
curl --proto-default https ftp.example.com

See also --proto and --proto-redir. Added in 7.45.0.

--proto-redir <protocols>
Tells curl to limit what protocols it may use on redirect. Protocols denied by --proto are not overridden by this option. See --proto for how protocols are represented.

Example, allow only HTTP and HTTPS on redirect:

curl --proto-redir -all,http,https http://example.com

By default curl will only allow HTTP, HTTPS, FTP and FTPS on redirect (since 7.65.2). Specifying all or +all enables all protocols on redirects, which is not good for security.

If --proto-redir is provided several times, the last set value will be used.

Example:
curl --proto-redir =http,https https://example.com

See also --proto.

--proto <protocols>
Tells curl to limit what protocols it may use for transfers. Protocols are evaluated left to right, are comma separated, and are each a protocol name or 'all', optionally prefixed by zero or
more modifiers. Available modifiers are:

+ Permit this protocol in addition to protocols already permitted (this is the default if no modifier is used).

- Deny this protocol, removing it from the list of protocols already permitted.

= Permit only this protocol (ignoring the list already permitted), though subject to later modification by subsequent entries in the comma separated list.

For example:

--proto -ftps uses the default protocols, but disables ftps

--proto -all,https,+http
only enables http and https

--proto =http,https
also only enables http and https

Unknown and disabled protocols produce a warning. This allows scripts to safely rely on being able to disable potentially dangerous protocols, without relying upon support for that protocol
being built into curl to avoid an error.

This option can be used multiple times, in which case the effect is the same as concatenating the protocols into one instance of the option.

If --proto is provided several times, the last set value will be used.

Example:
curl --proto =http,https,sftp https://example.com

See also --proto-redir and --proto-default.

--proxy-anyauth
Tells curl to pick a suitable authentication method when communicating with the given HTTP proxy. This might cause an extra request/response round-trip.

Providing --proxy-anyauth multiple times has no extra effect.

Example:
curl --proxy-anyauth --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-basic and --proxy-digest.

--proxy-basic
Tells curl to use HTTP Basic authentication when communicating with the given proxy. Use --basic for enabling HTTP Basic with a remote host. Basic is the default authentication method curl
uses with proxies.

Providing --proxy-basic multiple times has no extra effect.

Example:
curl --proxy-basic --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-digest.

--proxy-cacert <file>
Same as --cacert but used in HTTPS proxy context.

If --proxy-cacert is provided several times, the last set value will be used.

Example:
curl --proxy-cacert CA-file.txt -x https://proxy https://example.com

See also --proxy-capath, --cacert, --capath and -x, --proxy. Added in 7.52.0.

--proxy-capath <dir>
Same as --capath but used in HTTPS proxy context.

If --proxy-capath is provided several times, the last set value will be used.

Example:
curl --proxy-capath /local/directory -x https://proxy https://example.com

See also --proxy-cacert, -x, --proxy and --capath. Added in 7.52.0.

--proxy-cert-type <type>
Same as --cert-type but used in HTTPS proxy context.

If --proxy-cert-type is provided several times, the last set value will be used.

Example:
curl --proxy-cert-type PEM --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert. Added in 7.52.0.

--proxy-cert <cert[:passwd]>
Same as -E, --cert but used in HTTPS proxy context.

If --proxy-cert is provided several times, the last set value will be used.

Example:
curl --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert-type. Added in 7.52.0.

--proxy-ciphers <list>
Same as --ciphers but used in HTTPS proxy context.

If --proxy-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-ciphers ECDHE-ECDSA-AES256-CCM8 -x https://proxy https://example.com

See also --ciphers, --curves and -x, --proxy. Added in 7.52.0.

--proxy-crlfile <file>
Same as --crlfile but used in HTTPS proxy context.

If --proxy-crlfile is provided several times, the last set value will be used.

Example:
curl --proxy-crlfile rejects.txt -x https://proxy https://example.com

See also --crlfile and -x, --proxy. Added in 7.52.0.

--proxy-digest
Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use --digest for enabling HTTP Digest with a remote host.

Providing --proxy-digest multiple times has no extra effect.

Example:
curl --proxy-digest --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-basic.

--proxy-header <header/@file>
(HTTP) Extra header to include in the request when sending HTTP to a proxy. You may specify any number of extra headers. This is the equivalent option to -H, --header but is for proxy commu‐
nication only like in CONNECT requests when you want a separate header sent to the proxy to what is sent to the actual remote host.

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

Headers specified with this option will not be included in requests that curl knows will not be sent to a proxy.

Starting in 7.55.0, this option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin.

This option can be used multiple times to add/replace/remove multiple headers.

--proxy-header can be used several times in a command line

Examples:
curl --proxy-header "X-First-Name: Joe" -x http://proxy https://example.com
curl --proxy-header "User-Agent: surprise" -x http://proxy https://example.com
curl --proxy-header "Host:" -x http://proxy https://example.com

See also -x, --proxy. Added in 7.37.0.

--proxy-insecure
Same as -k, --insecure but used in HTTPS proxy context.

Providing --proxy-insecure multiple times has no extra effect. Disable it again with --no-proxy-insecure.

Example:
curl --proxy-insecure -x https://proxy https://example.com

See also -x, --proxy and -k, --insecure. Added in 7.52.0.

--proxy-key-type <type>
Same as --key-type but used in HTTPS proxy context.

If --proxy-key-type is provided several times, the last set value will be used.

Example:
curl --proxy-key-type DER --proxy-key here -x https://proxy https://example.com

See also --proxy-key and -x, --proxy. Added in 7.52.0.

--proxy-key <key>
Same as --key but used in HTTPS proxy context.

If --proxy-key is provided several times, the last set value will be used.

Example:
curl --proxy-key here -x https://proxy https://example.com

See also --proxy-key-type and -x, --proxy. Added in 7.52.0.

--proxy-negotiate
Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating with the given proxy. Use --negotiate for enabling HTTP Negotiate (SPNEGO) with a remote host.

Providing --proxy-negotiate multiple times has no extra effect.

Example:
curl --proxy-negotiate --proxy-user user:passwd -x proxy https://example.com

See also --proxy-anyauth and --proxy-basic.

--proxy-ntlm
Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use --ntlm for enabling NTLM with a remote host.

Providing --proxy-ntlm multiple times has no extra effect.

Example:
curl --proxy-ntlm --proxy-user user:passwd -x http://proxy https://example.com

See also --proxy-negotiate and --proxy-anyauth.

--proxy-pass <phrase>
Same as --pass but used in HTTPS proxy context.

If --proxy-pass is provided several times, the last set value will be used.

Example:
curl --proxy-pass secret --proxy-key here -x https://proxy https://example.com

See also -x, --proxy and --proxy-key. Added in 7.52.0.

--proxy-pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the proxy. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

If --proxy-pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --proxy-pinnedpubkey keyfile https://example.com
curl --proxy-pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --pinnedpubkey and -x, --proxy. Added in 7.59.0.

--proxy-service-name <name>
This option allows you to change the service name for proxy negotiation.

If --proxy-service-name is provided several times, the last set value will be used.

Example:
curl --proxy-service-name "shrubbery" -x proxy https://example.com

See also --service-name and -x, --proxy. Added in 7.43.0.

--proxy-ssl-allow-beast
Same as --ssl-allow-beast but used in HTTPS proxy context.

Providing --proxy-ssl-allow-beast multiple times has no extra effect. Disable it again with --no-proxy-ssl-allow-beast.

Example:
curl --proxy-ssl-allow-beast -x https://proxy https://example.com

See also --ssl-allow-beast and -x, --proxy. Added in 7.52.0.

--proxy-ssl-auto-client-cert
Same as --ssl-auto-client-cert but used in HTTPS proxy context.

Providing --proxy-ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-proxy-ssl-auto-client-cert.

Example:
curl --proxy-ssl-auto-client-cert -x https://proxy https://example.com

See also --ssl-auto-client-cert and -x, --proxy. Added in 7.77.0.

--proxy-tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection to your HTTPS proxy when it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher
suite details on this URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --proxy-
ciphers option.

If --proxy-tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-tls13-ciphers TLS_AES_128_GCM_SHA256 -x proxy https://example.com

See also --tls13-ciphers and --curves. Added in 7.61.0.

--proxy-tlsauthtype <type>
Same as --tlsauthtype but used in HTTPS proxy context.

If --proxy-tlsauthtype is provided several times, the last set value will be used.

Example:
curl --proxy-tlsauthtype SRP -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlspassword <string>
Same as --tlspassword but used in HTTPS proxy context.

If --proxy-tlspassword is provided several times, the last set value will be used.

Example:
curl --proxy-tlspassword passwd -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlsuser <name>
Same as --tlsuser but used in HTTPS proxy context.

If --proxy-tlsuser is provided several times, the last set value will be used.

Example:
curl --proxy-tlsuser smith -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlspassword. Added in 7.52.0.

--proxy-tlsv1
Same as -1, --tlsv1 but used in HTTPS proxy context.

Providing --proxy-tlsv1 multiple times has no extra effect.

Example:
curl --proxy-tlsv1 -x https://proxy https://example.com

See also -x, --proxy. Added in 7.52.0.

-U, --proxy-user <user:password>
Specify the user name and password to use for proxy authentication.

If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM authentication then you can tell curl to select the user name and password from your environment by specifying a
single colon with this option: "-U :".

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

If -U, --proxy-user is provided several times, the last set value will be used.

Example:
curl --proxy-user name:pwd -x proxy https://example.com

See also --proxy-pass.

-x, --proxy [protocol://]host[:port]
Use the specified proxy.

The proxy string can be specified with a protocol:// prefix. No protocol specified or http:// will be treated as HTTP proxy. Use socks4://, socks4a://, socks5:// or socks5h:// to request a
specific SOCKS version to be used.

Unix domain sockets are supported for socks proxy. Set localhost for the host part. e.g. socks5h://localhost/path/to/socket.sock

HTTPS proxy support via https:// protocol prefix was added in 7.52.0 for OpenSSL, GnuTLS and NSS.

Unrecognized and unsupported proxy protocols cause an error since 7.52.0. Prior versions may ignore the protocol and use http:// instead.

If the port number is not specified in the proxy string, it is assumed to be 1080.

This option overrides existing environment variables that set the proxy to use. If there's an environment variable setting a proxy, you can set proxy to "" to override it.

All operations that are performed over an HTTP proxy will transparently be converted to HTTP. It means that certain protocol specific operations might not be available. This is not the case
if you can tunnel through the proxy, as one with the -p, --proxytunnel option.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

The proxy host can be specified the same way as the proxy environment variables, including the protocol prefix (http://) and the embedded user + password.

When a proxy is used, the active FTP mode as set with -P, --ftp-port, cannot be used.

If -x, --proxy is provided several times, the last set value will be used.

Example:
curl --proxy http://proxy.example https://example.com

See also --socks5 and --proxy-basic.

--proxy1.0 <host[:port]>
Use the specified HTTP 1.0 proxy. If the port number is not specified, it is assumed at port 1080.

The only difference between this and the HTTP proxy option -x, --proxy, is that attempts to use CONNECT through the proxy will specify an HTTP 1.0 protocol instead of the default HTTP 1.1.

Providing --proxy1.0 multiple times has no extra effect.

Example:
curl --proxy1.0 -x http://proxy https://example.com

See also -x, --proxy, --socks5 and --preproxy.

-p, --proxytunnel
When an HTTP proxy is used -x, --proxy, this option will make curl tunnel through the proxy. The tunnel approach is made with the HTTP proxy CONNECT request and requires that the proxy allows
direct connect to the remote port number curl wants to tunnel through to.

To suppress proxy CONNECT response headers when curl is set to output headers use --suppress-connect-headers.

Providing -p, --proxytunnel multiple times has no extra effect. Disable it again with --no-proxytunnel.

Example:
curl --proxytunnel -x http://proxy https://example.com

See also -x, --proxy.

--pubkey <key>
(SFTP SCP) Public key file name. Allows you to provide your public key in this separate file.

(As of 7.39.0, curl attempts to automatically extract the public key from the private key file, so passing this option is generally not required. Note that this public key extraction requires
libcurl to be linked against a copy of libssh2 1.2.8 or higher that is itself linked against OpenSSL.)

If --pubkey is provided several times, the last set value will be used.

Example:
curl --pubkey file.pub sftp://example.com/

See also --pass.

-Q, --quote <command>
(FTP SFTP) Send an arbitrary command to the remote FTP or SFTP server. Quote commands are sent BEFORE the transfer takes place (just after the initial PWD command in an FTP transfer, to be
exact). To make commands take place after a successful transfer, prefix them with a dash '-'.

(FTP only) To make commands be sent after curl has changed the working directory, just before the file transfer command(s), prefix the command with a '+'. This is not performed when a direc‐
tory listing is performed.

You may specify any number of commands.

By default curl will stop at first failure. To make curl continue even if the command fails, prefix the command with an asterisk (*). Otherwise, if the server returns failure for one of the
commands, the entire operation will be aborted.

You must send syntactically correct FTP commands as RFC 959 defines to FTP servers, or one of the commands listed below to SFTP servers.

This option can be used multiple times.

SFTP is a binary protocol. Unlike for FTP, curl interprets SFTP quote commands itself before sending them to the server. File names may be quoted shell-style to embed spaces or special char‐
acters. Following is the list of all supported SFTP quote commands:

atime date file
The atime command sets the last access time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for date ex‐
pression details. (Added in 7.73.0)

chgrp group file
The chgrp command sets the group ID of the file named by the file operand to the group ID specified by the group operand. The group operand is a decimal integer group ID.

chmod mode file
The chmod command modifies the file mode bits of the specified file. The mode operand is an octal integer mode number.

chown user file
The chown command sets the owner of the file named by the file operand to the user ID specified by the user operand. The user operand is a decimal integer user ID.

ln source_file target_file
The ln and symlink commands create a symbolic link at the target_file location pointing to the source_file location.

mkdir directory_name
The mkdir command creates the directory named by the directory_name operand.

mtime date file
The mtime command sets the last modification time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for
date expression details. (Added in 7.73.0)

pwd The pwd command returns the absolute pathname of the current working directory.

rename source target
The rename command renames the file or directory named by the source operand to the destination path named by the target operand.

rm file
The rm command removes the file specified by the file operand.

rmdir directory
The rmdir command removes the directory entry specified by the directory operand, provided it is empty.

symlink source_file target_file
See ln.

-Q, --quote can be used several times in a command line

Example:
curl --quote "DELE file" ftp://example.com/foo

See also -X, --request.

--random-file <file>
Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to file containing what will be considered as random data. The data may be used to seed the random engine for SSL connections.

If --random-file is provided several times, the last set value will be used.

Example:
curl --random-file rubbish https://example.com

See also --egd-file.

-r, --range <range>
(HTTP FTP SFTP FILE) Retrieve a byte range (i.e. a partial document) from an HTTP/1.1, FTP or SFTP server or a local FILE. Ranges can be specified in a number of ways.

0-499 specifies the first 500 bytes

500-999 specifies the second 500 bytes

-500 specifies the last 500 bytes

9500- specifies the bytes from offset 9500 and forward

0-0,-1 specifies the first and last byte only(*)(HTTP)

100-199,500-599
specifies two separate 100-byte ranges(*) (HTTP)

(*) = NOTE that this will cause the server to reply with a multipart response, which will be returned as-is by curl! Parsing or otherwise transforming this response is the responsibility of
the caller.

Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit character is given in the range, the server's response will be unspeci‐
fied, depending on the server's configuration.

You should also be aware that many HTTP/1.1 servers do not have this feature enabled, so that when you attempt to get a range, you will instead get the whole document.

FTP and SFTP range downloads only support the simple 'start-stop' syntax (optionally with one of the numbers omitted). FTP use depends on the extended FTP command SIZE.

If -r, --range is provided several times, the last set value will be used.

Example:
curl --range 22-44 https://example.com

See also -C, --continue-at and -a, --append.

--rate <max request rate>
Specify the maximum transfer frequency you allow curl to use - in number of transfer starts per time unit (sometimes called request rate). Without this option, curl will start the next trans‐
fer as fast as possible.

If given several URLs and a transfer completes faster than the allowed rate, curl will wait until the next transfer is started to maintain the requested rate. This option has no effect when
-Z, --parallel is used.

The request rate is provided as "N/U" where N is an integer number and U is a time unit. Supported units are 's' (second), 'm' (minute), 'h' (hour) and 'd' /(day, as in a 24 hour unit). The
default time unit, if no "/U" is provided, is number of transfers per hour.

If curl is told to allow 10 requests per minute, it will not start the next request until 6 seconds have elapsed since the previous transfer was started.

This function uses millisecond resolution. If the allowed frequency is set more than 1000 per second, it will instead run unrestricted.

When retrying transfers, enabled with --retry, the separate retry delay logic is used and not this setting.

If --rate is provided several times, the last set value will be used.

Examples:
curl --rate 2/s https://example.com
curl --rate 3/h https://example.com
curl --rate 14/m https://example.com

See also --limit-rate and --retry-delay. Added in 7.84.0.

--raw (HTTP) When used, it disables all internal HTTP decoding of content or transfer encodings and instead makes them passed on unaltered, raw.

Providing --raw multiple times has no extra effect. Disable it again with --no-raw.

Example:
curl --raw https://example.com

See also --tr-encoding.

-e, --referer <URL>
(HTTP) Sends the "Referrer Page" information to the HTTP server. This can also be set with the -H, --header flag of course. When used with -L, --location you can append ";auto" to the -e,
--referer URL to make curl automatically set the previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you do not set an initial -e, --referer.

If -e, --referer is provided several times, the last set value will be used.

Examples:
curl --referer "https://fake.example" https://example.com
curl --referer "https://fake.example;auto" -L https://example.com
curl --referer ";auto" -L https://example.com

See also -A, --user-agent and -H, --header.

-J, --remote-header-name
(HTTP) This option tells the -O, --remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL. If the server-provided file name
contains a path, that will be stripped off before the file name is used.

The file is saved in the current directory, or in the directory specified with --output-dir.

If the server specifies a file name and a file with that name already exists in the destination directory, it will not be overwritten and an error will occur - unless you allow it by using
the --clobber option. If the server does not specify a file name then this option has no effect.

There's no attempt to decode %-sequences (yet) in the provided file name, so this option may provide you with rather unexpected file names.

This feature uses the name from the "filename" field, it does not yet support the "filename*" field (filenames with explicit character sets).

WARNING: Exercise judicious use of this option, especially on Windows. A rogue server could send you the name of a DLL or other file that could be loaded automatically by Windows or some
third party software.

Providing -J, --remote-header-name multiple times has no extra effect. Disable it again with --no-remote-header-name.

Example:
curl -OJ https://example.com/file

See also -O, --remote-name.

--remote-name-all
This option changes the default action for all given URLs to be dealt with as if -O, --remote-name were used for each one. So if you want to disable that for a specific URL after --remote-
name-all has been used, you must use "-o -" or --no-remote-name.

Providing --remote-name-all multiple times has no extra effect. Disable it again with --no-remote-name-all.

Example:
curl --remote-name-all ftp://example.com/file1 ftp://example.com/file2

See also -O, --remote-name.

-O, --remote-name
Write output to a local file named like the remote file we get. (Only the file part of the remote file is used, the path is cut off.)

The file will be saved in the current working directory. If you want the file saved in a different directory, make sure you change the current working directory before invoking curl with this
option or use --output-dir.

The remote file name to use for saving is extracted from the given URL, nothing else, and if it already exists it will be overwritten. If you want the server to be able to choose the file
name refer to -J, --remote-header-name which can be used in addition to this option. If the server chooses a file name and that name already exists it will not be overwritten.

There is no URL decoding done on the file name. If it has %20 or other URL encoded parts of the name, they will end up as-is as file name.

You may use this option as many times as the number of URLs you have.

-O, --remote-name can be used several times in a command line

Example:
curl -O https://example.com/filename

See also --remote-name-all, --output-dir and -J, --remote-header-name.

-R, --remote-time
When used, this will make curl attempt to figure out the timestamp of the remote file, and if that is available make the local file get that same timestamp.

Providing -R, --remote-time multiple times has no extra effect. Disable it again with --no-remote-time.

Example:
curl --remote-time -o foo https://example.com

See also -O, --remote-name and -z, --time-cond.

--remove-on-error
When curl returns an error when told to save output in a local file, this option removes that saved file before exiting. This prevents curl from leaving a partial file in the case of an error
during transfer.

If the output is not a file, this option has no effect.

Providing --remove-on-error multiple times has no extra effect. Disable it again with --no-remove-on-error.

Example:
curl --remove-on-error -o output https://example.com

See also -f, --fail. Added in 7.83.0.

--request-target <path>
(HTTP) Tells curl to use an alternative "target" (path) instead of using the path as provided in the URL. Particularly useful when wanting to issue HTTP requests without leading slash or
other data that does not follow the regular URL pattern, like "OPTIONS *".

If --request-target is provided several times, the last set value will be used.

Example:
curl --request-target "*" -X OPTIONS https://example.com

See also -X, --request. Added in 7.55.0.

-X, --request <method>
(HTTP) Specifies a custom request method to use when communicating with the HTTP server. The specified request method will be used instead of the method otherwise used (which defaults to
GET). Read the HTTP 1.1 specification for details and explanations. Common additional HTTP requests include PUT and DELETE, but related technologies like WebDAV offers PROPFIND, COPY, MOVE
and more.

Normally you do not need this option. All sorts of GET, HEAD, POST and PUT requests are rather invoked by using dedicated command line options.

This option only changes the actual word used in the HTTP request, it does not alter the way curl behaves. So for example if you want to make a proper HEAD request, using -X HEAD will not
suffice. You need to use the -I, --head option.

The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not change request
method according to the HTTP 30x response codes - and similar.

(FTP) Specifies a custom FTP command to use instead of LIST when doing file lists with FTP.

(POP3) Specifies a custom POP3 command to use instead of LIST or RETR.

(IMAP) Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)

(SMTP) Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)

If -X, --request is provided several times, the last set value will be used.

Examples:
curl -X "DELETE" https://example.com
curl -X NLST ftp://example.com/

See also --request-target.

--resolve <[+]host:port:addr[,addr]...>
Provide a custom address for a specific host and port pair. Using this, you can make the curl requests(s) use a specified address and prevent the otherwise normally resolved address to be
used. Consider it a sort of /etc/hosts alternative provided on the command line. The port number should be the number used for the specific protocol the host will be used for. It means you
need several entries if you want to provide address for the same host but different ports.

By specifying '*' as host you can tell curl to resolve any host and specific port pair to the specified address. Wildcard is resolved last so any --resolve with a specific host and port will
be used first.

The provided address set by this option will be used even if -4, --ipv4 or -6, --ipv6 is set to make curl use another IP version.

By prefixing the host with a '+' you can make the entry time out after curl's default timeout (1 minute). Note that this will only make sense for long running parallel transfers with a lot of
files. In such cases, if this option is used curl will try to resolve the host as it normally would once the timeout has expired.

Support for providing the IP address within [brackets] was added in 7.57.0.

Support for providing multiple IP addresses per entry was added in 7.59.0.

Support for resolving with wildcard was added in 7.64.0.

Support for the '+' prefix was was added in 7.75.0.

This option can be used many times to add many host names to resolve.

--resolve can be used several times in a command line

Example:
curl --resolve example.com:443:127.0.0.1 https://example.com

See also --connect-to and --alt-svc.

--retry-all-errors
Retry on any error. This option is used together with --retry.

This option is the "sledgehammer" of retrying. Do not use this option by default (eg in curlrc), there may be unintended consequences such as sending or receiving duplicate data. Do not use
with redirected input or output. You'd be much better off handling your unique problems in shell script. Please read the example below.

WARNING: For server compatibility curl attempts to retry failed flaky transfers as close as possible to how they were started, but this is not possible with redirected input or output. For
example, before retrying it removes output data from a failed partial transfer that was written to an output file. However this is not true of data redirected to a | pipe or > file, which are
not reset. We strongly suggest you do not parse or record output via redirect in combination with this option, since you may receive duplicate data.

By default curl will not error on an HTTP response code that indicates an HTTP error, if the transfer was successful. For example, if a server replies 404 Not Found and the reply is fully re‐
ceived then that is not an error. When --retry is used then curl will retry on some HTTP response codes that indicate transient HTTP errors, but that does not include most 4xx response codes
such as 404. If you want to retry on all response codes that indicate HTTP errors (4xx and 5xx) then combine with -f, --fail.

Providing --retry-all-errors multiple times has no extra effect. Disable it again with --no-retry-all-errors.

Example:
curl --retry 5 --retry-all-errors https://example.com

See also --retry. Added in 7.71.0.

--retry-connrefused
In addition to the other conditions, consider ECONNREFUSED as a transient error too for --retry. This option is used together with --retry.

Providing --retry-connrefused multiple times has no extra effect. Disable it again with --no-retry-connrefused.

Example:
curl --retry-connrefused --retry 7 https://example.com

See also --retry and --retry-all-errors. Added in 7.52.0.

--retry-delay <seconds>
Make curl sleep this amount of time before each retry when a transfer has failed with a transient error (it changes the default backoff time algorithm between retries). This option is only
interesting if --retry is also used. Setting this delay to zero will make curl use the default backoff time.

If --retry-delay is provided several times, the last set value will be used.

Example:
curl --retry-delay 5 --retry 7 https://example.com

See also --retry.

--retry-max-time <seconds>
The retry timer is reset before the first transfer attempt. Retries will be done as usual (see --retry) as long as the timer has not reached this given limit. Notice that if the timer has not
reached the limit, the request will be made and while performing, it may take longer than this given time period. To limit a single request's maximum time, use -m, --max-time. Set this option
to zero to not timeout retries.

If --retry-max-time is provided several times, the last set value will be used.

Example:
curl --retry-max-time 30 --retry 10 https://example.com

See also --retry.

--retry <num>
If a transient error is returned when curl tries to perform a transfer, it will retry this number of times before giving up. Setting the number to 0 makes curl do no retries (which is the de‐
fault). Transient error means either: a timeout, an FTP 4xx response code or an HTTP 408, 429, 500, 502, 503 or 504 response code.

When curl is about to retry a transfer, it will first wait one second and then for all forthcoming retries it will double the waiting time until it reaches 10 minutes which then will be the
delay between the rest of the retries. By using --retry-delay you disable this exponential backoff algorithm. See also --retry-max-time to limit the total time allowed for retries.

Since curl 7.66.0, curl will comply with the Retry-After: response header if one was present to know when to issue the next retry.

If --retry is provided several times, the last set value will be used.

Example:
curl --retry 7 https://example.com

See also --retry-max-time.

--sasl-authzid <identity>
Use this authorization identity (authzid), during SASL PLAIN authentication, in addition to the authentication identity (authcid) as specified by -u, --user.

If the option is not specified, the server will derive the authzid from the authcid, but if specified, and depending on the server implementation, it may be used to access another user's in‐
box, that the user has been granted access to, or a shared mailbox for example.

If --sasl-authzid is provided several times, the last set value will be used.

Example:
curl --sasl-authzid zid imap://example.com/

See also --login-options. Added in 7.66.0.

--sasl-ir
Enable initial response in SASL authentication.

Providing --sasl-ir multiple times has no extra effect. Disable it again with --no-sasl-ir.

Example:
curl --sasl-ir imap://example.com/

See also --sasl-authzid. Added in 7.31.0.

--service-name <name>
This option allows you to change the service name for SPNEGO.

Examples: --negotiate --service-name sockd would use sockd/server-name.

If --service-name is provided several times, the last set value will be used.

Example:
curl --service-name sockd/server https://example.com

See also --negotiate and --proxy-service-name. Added in 7.43.0.

-S, --show-error
When used with -s, --silent, it makes curl show an error message if it fails.

This option is global and does not need to be specified for each use of -:, --next.

Providing -S, --show-error multiple times has no extra effect. Disable it again with --no-show-error.

Example:
curl --show-error --silent https://example.com

See also --no-progress-meter.

-s, --silent
Silent or quiet mode. Do not show progress meter or error messages. Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect it.

Use -S, --show-error in addition to this option to disable progress meter but still show error messages.

Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.

Example:
curl -s https://example.com

See also -v, --verbose, --stderr and --no-progress-meter.

--socks4 <host[:port]>
Use the specified SOCKS4 proxy. If the port number is not specified, it is assumed at port 1080. Using this socket type make curl resolve the host name and passing the address on to the
proxy.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4 proxy with -x, --proxy using a socks4:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4 is provided several times, the last set value will be used.

Example:
curl --socks4 hostname:4096 https://example.com

See also --socks4a, --socks5 and --socks5-hostname.

--socks4a <host[:port]>
Use the specified SOCKS4a proxy. If the port number is not specified, it is assumed at port 1080. This asks the proxy to resolve the host name.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4a://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4a proxy with -x, --proxy using a socks4a:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4a is provided several times, the last set value will be used.

Example:
curl --socks4a hostname:4096 https://example.com

See also --socks4, --socks5 and --socks5-hostname.

--socks5-basic
Tells curl to use username/password authentication when connecting to a SOCKS5 proxy. The username/password authentication is enabled by default. Use --socks5-gssapi to force GSS-API au‐
thentication to SOCKS5 proxies.

Providing --socks5-basic multiple times has no extra effect.

Example:
curl --socks5-basic --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-gssapi-nec
As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961 says in section 4.3/4.4 it should be protected, but the NEC reference implementation does not. The option
--socks5-gssapi-nec allows the unprotected exchange of the protection mode negotiation.

Providing --socks5-gssapi-nec multiple times has no extra effect. Disable it again with --no-socks5-gssapi-nec.

Example:
curl --socks5-gssapi-nec --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi-service <name>
The default service name for a socks server is rcmd/server-fqdn. This option allows you to change it.

Examples: --socks5 proxy-name --socks5-gssapi-service sockd would use sockd/proxy-name --socks5 proxy-name --socks5-gssapi-service sockd/real-name would use sockd/real-name for cases where
the proxy-name does not match the principal name.

If --socks5-gssapi-service is provided several times, the last set value will be used.

Example:
curl --socks5-gssapi-service sockd --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi
Tells curl to use GSS-API authentication when connecting to a SOCKS5 proxy. The GSS-API authentication is enabled by default (if curl is compiled with GSS-API support). Use --socks5-basic
to force username/password authentication to SOCKS5 proxies.

Providing --socks5-gssapi multiple times has no extra effect. Disable it again with --no-socks5-gssapi.

Example:
curl --socks5-gssapi --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-hostname <host[:port]>
Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5h://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 hostname proxy with -x, --proxy using a socks5h:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks5-hostname is provided several times, the last set value will be used.

Example:
curl --socks5-hostname proxy.example:7000 https://example.com

See also --socks5 and --socks4a.

--socks5 <host[:port]>
Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 proxy with -x, --proxy using a socks5:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

This option (as well as --socks4) does not work with IPV6, FTPS or LDAP.

If --socks5 is provided several times, the last set value will be used.

Example:
curl --socks5 proxy.example:7000 https://example.com

See also --socks5-hostname and --socks4a.

-Y, --speed-limit <speed>
If a transfer is slower than this given speed (in bytes per second) for speed-time seconds it gets aborted. speed-time is set with -y, --speed-time and is 30 if not set.

If -Y, --speed-limit is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -y, --speed-time, --limit-rate and -m, --max-time.

-y, --speed-time <seconds>
If a transfer runs slower than speed-limit bytes per second during a speed-time period, the transfer is aborted. If speed-time is used, the default speed-limit will be 1 unless set with -Y,
--speed-limit.

This option controls transfers (in both directions) but will not affect slow connects etc. If this is a concern for you, try the --connect-timeout option.

If -y, --speed-time is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -Y, --speed-limit and --limit-rate.

--ssl-allow-beast
This option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols known as BEAST. If this option is not used, the SSL layer may use workarounds known to cause inter‐
operability problems with some older SSL implementations.

WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-allow-beast multiple times has no extra effect. Disable it again with --no-ssl-allow-beast.

Example:
curl --ssl-allow-beast https://example.com

See also --proxy-ssl-allow-beast and -k, --insecure.

--ssl-auto-client-cert
Tell libcurl to automatically locate and use a client certificate for authentication, when requested by the server. This option is only supported for Schannel (the native Windows SSL li‐
brary). Prior to 7.77.0 this was the default behavior in libcurl with Schannel. Since the server can request any certificate that supports client authentication in the OS certificate store it
could be a privacy violation and unexpected.

Providing --ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-ssl-auto-client-cert.

Example:
curl --ssl-auto-client-cert https://example.com

See also --proxy-ssl-auto-client-cert. Added in 7.77.0.

--ssl-no-revoke
(Schannel) This option tells curl to disable certificate revocation checks. WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-no-revoke multiple times has no extra effect. Disable it again with --no-ssl-no-revoke.

Example:
curl --ssl-no-revoke https://example.com

See also --crlfile. Added in 7.44.0.

--ssl-reqd
(FTP IMAP POP3 SMTP LDAP) Require SSL/TLS for the connection. Terminates the connection if the transfer cannot be upgraded to use SSL/TLS.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and rejected by the generic ldap backend if explicit TLS is required.

This option is unnecessary if you use a URL scheme that in itself implies immediate and implicit use of TLS, like for FTPS, IMAPS, POP3S, SMTPS and LDAPS. Such transfers will always fail if
the TLS handshake does not work.

This option was formerly known as --ftp-ssl-reqd.

Providing --ssl-reqd multiple times has no extra effect. Disable it again with --no-ssl-reqd.

Example:
curl --ssl-reqd ftp://example.com

See also --ssl and -k, --insecure.

--ssl-revoke-best-effort
(Schannel) This option tells curl to ignore certificate revocation checks when they failed due to missing/offline distribution points for the revocation check lists.

Providing --ssl-revoke-best-effort multiple times has no extra effect. Disable it again with --no-ssl-revoke-best-effort.

Example:
curl --ssl-revoke-best-effort https://example.com

See also --crlfile and -k, --insecure. Added in 7.70.0.

--ssl (FTP IMAP POP3 SMTP LDAP) Warning: this is considered an insecure option. Consider using --ssl-reqd instead to be sure curl upgrades to a secure connection.

Try to use SSL/TLS for the connection. Reverts to a non-secure connection if the server does not support SSL/TLS. See also --ftp-ssl-control and --ssl-reqd for different levels of encryption
required.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and ignored by the generic ldap backend.

Please note that a server may close the connection if the negotiation does not succeed.

This option was formerly known as --ftp-ssl. That option name can still be used but will be removed in a future version.

Providing --ssl multiple times has no extra effect. Disable it again with --no-ssl.

Example:
curl --ssl pop3://example.com/

See also --ssl-reqd, -k, --insecure and --ciphers.

-2, --sslv2
(SSL) This option previously asked curl to use SSLv2, but starting in curl 7.77.0 this instruction is ignored. SSLv2 is widely considered insecure (see RFC 6176).

Providing -2, --sslv2 multiple times has no extra effect.

Example:
curl --sslv2 https://example.com

See also --http1.1 and --http2. -2, --sslv2 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -3, --sslv3 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

-3, --sslv3
(SSL) This option previously asked curl to use SSLv3, but starting in curl 7.77.0 this instruction is ignored. SSLv3 is widely considered insecure (see RFC 7568).

Providing -3, --sslv3 multiple times has no extra effect.

Example:
curl --sslv3 https://example.com

See also --http1.1 and --http2. -3, --sslv3 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -2, --sslv2 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

--stderr <file>
Redirect all writes to stderr to the specified file instead. If the file name is a plain '-', it is instead written to stdout.

This option is global and does not need to be specified for each use of -:, --next.

If --stderr is provided several times, the last set value will be used.

Example:
curl --stderr output.txt https://example.com

See also -v, --verbose and -s, --silent.

--styled-output
Enables the automatic use of bold font styles when writing HTTP headers to the terminal. Use --no-styled-output to switch them off.

Styled output requires a terminal that supports bold fonts. This feature is not present on curl for Windows due to lack of this capability.

This option is global and does not need to be specified for each use of -:, --next.

Providing --styled-output multiple times has no extra effect. Disable it again with --no-styled-output.

Example:
curl --styled-output -I https://example.com

See also -I, --head and -v, --verbose. Added in 7.61.0.

--suppress-connect-headers
When -p, --proxytunnel is used and a CONNECT request is made do not output proxy CONNECT response headers. This option is meant to be used with -D, --dump-header or -i, --include which are
used to show protocol headers in the output. It has no effect on debug options such as -v, --verbose or --trace, or any statistics.

Providing --suppress-connect-headers multiple times has no extra effect. Disable it again with --no-suppress-connect-headers.

Example:
curl --suppress-connect-headers --include -x proxy https://example.com

See also -D, --dump-header, -i, --include and -p, --proxytunnel. Added in 7.54.0.

--tcp-fastopen
Enable use of TCP Fast Open (RFC7413).

Providing --tcp-fastopen multiple times has no extra effect. Disable it again with --no-tcp-fastopen.

Example:
curl --tcp-fastopen https://example.com

See also --false-start. Added in 7.49.0.

--tcp-nodelay
Turn on the TCP_NODELAY option. See the curl_easy_setopt(3) man page for details about this option.

Since 7.50.2, curl sets this option by default and you need to explicitly switch it off if you do not want it on.

Providing --tcp-nodelay multiple times has no extra effect. Disable it again with --no-tcp-nodelay.

Example:
curl --tcp-nodelay https://example.com

See also -N, --no-buffer.

-t, --telnet-option <opt=val>
Pass options to the telnet protocol. Supported options are:

TTYPE=<term> Sets the terminal type.

XDISPLOC=<X display> Sets the X display location.

NEW_ENV=<var,val> Sets an environment variable.

-t, --telnet-option can be used several times in a command line

Example:
curl -t TTYPE=vt100 telnet://example.com/

See also -K, --config.

--tftp-blksize <value>
(TFTP) Set TFTP BLKSIZE option (must be >512). This is the block size that curl will try to use when transferring data to or from a TFTP server. By default 512 bytes will be used.

If --tftp-blksize is provided several times, the last set value will be used.

Example:
curl --tftp-blksize 1024 tftp://example.com/file

See also --tftp-no-options.

--tftp-no-options
(TFTP) Tells curl not to send TFTP options requests.

This option improves interop with some legacy servers that do not acknowledge or properly implement TFTP options. When this option is used --tftp-blksize is ignored.

Providing --tftp-no-options multiple times has no extra effect. Disable it again with --no-tftp-no-options.

Example:
curl --tftp-no-options tftp://192.168.0.1/

See also --tftp-blksize. Added in 7.48.0.

-z, --time-cond <time>
(HTTP FTP) Request a file that has been modified later than the given time and date, or one that has been modified before that time. The <date expression> can be all sorts of date strings or
if it does not match any internal ones, it is taken as a filename and tries to get the modification date (mtime) from <file> instead. See the curl_getdate(3) man pages for date expression de‐
tails.

Start the date expression with a dash (-) to make it request for a document that is older than the given date/time, default is a document that is newer than the specified date/time.

If -z, --time-cond is provided several times, the last set value will be used.

Examples:
curl -z "Wed 01 Sep 2021 12:18:00" https://example.com
curl -z "-Wed 01 Sep 2021 12:18:00" https://example.com
curl -z file https://example.com

See also --etag-compare and -R, --remote-time.

--tls-max <VERSION>
(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

default
Use up to recommended TLS version.

1.0 Use up to TLSv1.0.

1.1 Use up to TLSv1.1.

1.2 Use up to TLSv1.2.

1.3 Use up to TLSv1.3.

If --tls-max is provided several times, the last set value will be used.

Examples:
curl --tls-max 1.2 https://example.com
curl --tls-max 1.3 --tlsv1.2 https://example.com

See also --tlsv1.0, --tlsv1.1, --tlsv1.2 and --tlsv1.3. --tls-max requires that the underlying libcurl was built to support TLS. Added in 7.54.0.

--tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection if it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher suite details on this
URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --ciphers
option.

If --tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --tls13-ciphers TLS_AES_128_GCM_SHA256 https://example.com

See also --ciphers and --curves. Added in 7.61.0.

--tlsauthtype <type>
Set TLS authentication type. Currently, the only supported option is "SRP", for TLS-SRP (RFC 5054). If --tlsuser and --tlspassword are specified but --tlsauthtype is not, then this option de‐
faults to "SRP". This option works only if the underlying libcurl is built with TLS-SRP support, which requires OpenSSL or GnuTLS with TLS-SRP support.

If --tlsauthtype is provided several times, the last set value will be used.

Example:
curl --tlsauthtype SRP https://example.com

See also --tlsuser.

--tlspassword <string>
Set password for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlsuser also be set.

This option does not work with TLS 1.3.

If --tlspassword is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlsuser.

--tlsuser <name>
Set username for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlspassword also is set.

This option does not work with TLS 1.3.

If --tlsuser is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlspassword.

--tlsv1.0
(TLS) Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.0. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.0 multiple times has no extra effect.

Example:
curl --tlsv1.0 https://example.com

See also --tlsv1.3. Added in 7.34.0.

--tlsv1.1
(TLS) Forces curl to use TLS version 1.1 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.1. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.1 multiple times has no extra effect.

Example:
curl --tlsv1.1 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.2
(TLS) Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.2. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.2 multiple times has no extra effect.

Example:
curl --tlsv1.2 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.3
(TLS) Forces curl to use TLS version 1.3 or later when connecting to a remote TLS server.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

Note that TLS 1.3 is not supported by all TLS backends.

Providing --tlsv1.3 multiple times has no extra effect.

Example:
curl --tlsv1.3 https://example.com

See also --tlsv1.2 and --tls-max. Added in 7.52.0.

-1, --tlsv1
(SSL) Tells curl to use at least TLS version 1.x when negotiating with a remote TLS server. That means TLS version 1.0 or higher

Providing -1, --tlsv1 multiple times has no extra effect.

Example:
curl --tlsv1 https://example.com

See also --http1.1 and --http2. -1, --tlsv1 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --tlsv1.1 and --tlsv1.2 and --tlsv1.3.

--tr-encoding
(HTTP) Request a compressed Transfer-Encoding response using one of the algorithms curl supports, and uncompress the data while receiving it.

Providing --tr-encoding multiple times has no extra effect. Disable it again with --no-tr-encoding.

Example:
curl --tr-encoding https://example.com

See also --compressed.

--trace-ascii <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout.

This is similar to --trace, but leaves out the hex part and only shows the ASCII part of the dump. It makes smaller output that might be easier to read for untrained humans.

This option is global and does not need to be specified for each use of -:, --next.

If --trace-ascii is provided several times, the last set value will be used.

Example:
curl --trace-ascii log.txt https://example.com

See also -v, --verbose and --trace. This option is mutually exclusive to --trace and -v, --verbose.

--trace-time
Prepends a time stamp to each trace or verbose line that curl displays.

This option is global and does not need to be specified for each use of -:, --next.

Providing --trace-time multiple times has no extra effect. Disable it again with --no-trace-time.

Example:
curl --trace-time --trace-ascii output https://example.com

See also --trace and -v, --verbose.

--trace <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout. Use "%" as
filename to have the output sent to stderr.

This option is global and does not need to be specified for each use of -:, --next.

If --trace is provided several times, the last set value will be used.

Example:
curl --trace log.txt https://example.com

See also --trace-ascii and --trace-time. This option is mutually exclusive to -v, --verbose and --trace-ascii.

--unix-socket <path>
(HTTP) Connect through this Unix domain socket, instead of using the network.

If --unix-socket is provided several times, the last set value will be used.

Example:
curl --unix-socket socket-path https://example.com

See also --abstract-unix-socket. Added in 7.40.0.

-T, --upload-file <file>
This transfers the specified local file to the remote URL. If there is no file part in the specified URL, curl will append the local file name. NOTE that you must use a trailing / on the last
directory to really prove to Curl that there is no file name or curl will think that your last directory name is the remote file name to use. That will most likely cause the upload operation
to fail. If this is used on an HTTP(S) server, the PUT command will be used.

Use the file name "-" (a single dash) to use stdin instead of a given file. Alternately, the file name "." (a single period) may be specified instead of "-" to use stdin in non-blocking mode
to allow reading server output while stdin is being uploaded.

You can specify one -T, --upload-file for each URL on the command line. Each -T, --upload-file + URL pair specifies what to upload and to where. curl also supports "globbing" of the -T, --up‐
load-file argument, meaning that you can upload multiple files to a single URL by using the same URL globbing style supported in the URL.

When uploading to an SMTP server: the uploaded data is assumed to be RFC 5322 formatted. It has to feature the necessary set of headers and mail body formatted correctly by the user as curl
will not transcode nor encode it further in any way.

-T, --upload-file can be used several times in a command line

Examples:
curl -T file https://example.com
curl -T "img[1-1000].png" ftp://ftp.example.com/
curl --upload-file "{file1,file2}" https://example.com

See also -G, --get and -I, --head.

--url-query <data>
(all) This option adds a piece of data, usually a name + value pair, to the end of the URL query part. The syntax is identical to that used for --data-urlencode with one extension:

If the argument starts with a '+' (plus), the rest of the string is provided as-is unencoded.

The query part of a URL is the one following the question mark on the right end.

--url-query can be used several times in a command line

Examples:
curl --url-query name=val https://example.com
curl --url-query =encodethis http://example.net/foo
curl --url-query name@file https://example.com
curl --url-query @fileonly https://example.com
curl --url-query "+name=%20foo" https://example.com

See also --data-urlencode and -G, --get. Added in 7.87.0.

--url <url>
Specify a URL to fetch. This option is mostly handy when you want to specify URL(s) in a config file.

If the given URL is missing a scheme name (such as "http://" or "ftp://" etc) then curl will make a guess based on the host. If the outermost sub-domain name matches DICT, FTP, IMAP, LDAP,
POP3 or SMTP then that protocol will be used, otherwise HTTP will be used. Since 7.45.0 guessing can be disabled by setting a default protocol, see --proto-default for details.

To control where this URL is written, use the -o, --output or the -O, --remote-name options.

WARNING: On Windows, particular file:// accesses can be converted to network accesses by the operating system. Beware!

--url can be used several times in a command line

Example:
curl --url https://example.com

See also -:, --next and -K, --config.

-B, --use-ascii
(FTP LDAP) Enable ASCII transfer. For FTP, this can also be enforced by using a URL that ends with ";type=A". This option causes data sent to stdout to be in text mode for win32 systems.

Providing -B, --use-ascii multiple times has no extra effect. Disable it again with --no-use-ascii.

Example:
curl -B ftp://example.com/README

See also --crlf and --data-ascii.

-A, --user-agent <name>
(HTTP) Specify the User-Agent string to send to the HTTP server. To encode blanks in the string, surround the string with single quote marks. This header can also be set with the -H, --header
or the --proxy-header options.

If you give an empty argument to -A, --user-agent (""), it will remove the header completely from the request. If you prefer a blank header, you can set it to a single space (" ").

If -A, --user-agent is provided several times, the last set value will be used.

Example:
curl -A "Agent 007" https://example.com

See also -H, --header and --proxy-header.

-u, --user <user:password>
Specify the user name and password to use for server authentication. Overrides -n, --netrc and --netrc-optional.

If you simply specify the user name, curl will prompt for a password.

The user name and passwords are split up on the first colon, which makes it impossible to use a colon in the user name with this option. The password can, still.

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

When using Kerberos V5 with a Windows based server you should include the Windows domain name in the user name, in order for the server to successfully obtain a Kerberos Ticket. If you do
not, then the initial authentication handshake may fail.

When using NTLM, the user name can be specified simply as the user name, without the domain, if there is a single domain and forest in your setup for example.

To specify the domain name use either Down-Level Logon Name or UPN (User Principal Name) formats. For example, EXAMPLE\user and user@example.com respectively.

If you use a Windows SSPI-enabled curl binary and perform Kerberos V5, Negotiate, NTLM or Digest authentication then you can tell curl to select the user name and password from your environ‐
ment by specifying a single colon with this option: "-u :".

If -u, --user is provided several times, the last set value will be used.

Example:
curl -u user:secret https://example.com

See also -n, --netrc and -K, --config.

-v, --verbose
Makes curl verbose during the operation. Useful for debugging and seeing what's going on "under the hood". A line starting with '>' means "header data" sent by curl, '<' means "header data"
received by curl that is hidden in normal cases, and a line starting with '*' means additional info provided by curl.

If you only want HTTP headers in the output, -i, --include might be the option you are looking for.

If you think this option still does not give you enough details, consider using --trace or --trace-ascii instead.

This option is global and does not need to be specified for each use of -:, --next.

Use -s, --silent to make curl really quiet.

Providing -v, --verbose multiple times has no extra effect. Disable it again with --no-verbose.

Example:
curl --verbose https://example.com

See also -i, --include. This option is mutually exclusive to --trace and --trace-ascii.

-V, --version
Displays information about curl and the libcurl version it uses.

The first line includes the full version of curl, libcurl and other 3rd party libraries linked with the executable.

The second line (starts with "Protocols:") shows all protocols that libcurl reports to support.

The third line (starts with "Features:") shows specific features libcurl reports to offer. Available features include:

alt-svc
Support for the Alt-Svc: header is provided.

AsynchDNS
This curl uses asynchronous name resolves. Asynchronous name resolves can be done using either the c-ares or the threaded resolver backends.

brotli Support for automatic brotli compression over HTTP(S).

CharConv
curl was built with support for character set conversions (like EBCDIC)

Debug This curl uses a libcurl built with Debug. This enables more error-tracking and memory debugging etc. For curl-developers only!

gsasl The built-in SASL authentication includes extensions to support SCRAM because libcurl was built with libgsasl.

GSS-API
GSS-API is supported.

HSTS HSTS support is present.

HTTP2 HTTP/2 support has been built-in.

HTTP3 HTTP/3 support has been built-in.

HTTPS-proxy
This curl is built to support HTTPS proxy.

IDN This curl supports IDN - international domain names.

IPv6 You can use IPv6 with this.

Kerberos
Kerberos V5 authentication is supported.

Largefile
This curl supports transfers of large files, files larger than 2GB.

libz Automatic decompression (via gzip, deflate) of compressed files over HTTP is supported.

MultiSSL
This curl supports multiple TLS backends.

NTLM NTLM authentication is supported.

NTLM_WB
NTLM delegation to winbind helper is supported.

PSL PSL is short for Public Suffix List and means that this curl has been built with knowledge about "public suffixes".

SPNEGO SPNEGO authentication is supported.

SSL SSL versions of various protocols are supported, such as HTTPS, FTPS, POP3S and so on.

SSPI SSPI is supported.

TLS-SRP
SRP (Secure Remote Password) authentication is supported for TLS.

TrackMemory
Debug memory tracking is supported.

Unicode
Unicode support on Windows.

UnixSockets
Unix sockets support is provided.

zstd Automatic decompression (via zstd) of compressed files over HTTP is supported.

Example:
curl --version

See also -h, --help and -M, --manual.

-w, --write-out <format>
Make curl display information on stdout after a completed transfer. The format is a string that may contain plain text mixed with any number of variables. The format can be specified as a
literal "string", or you can have curl read the format from a file with "@filename" and to tell curl to read the format from stdin you write "@-".

The variables present in the output format will be substituted by the value or text that curl thinks fit, as described below. All variables are specified as %{variable_name} and to output a
normal % you just write them as %%. You can output a newline by using \n, a carriage return with \r and a tab space with \t.

The output will be written to standard output, but this can be switched to standard error by using %{stderr}.

Output HTTP headers from the most recent request by using %header{name} where name is the case insensitive name of the header (without the trailing colon). The header contents are exactly as
sent over the network, with leading and trailing whitespace trimmed. Added in curl 7.84.0.

NOTE: In Windows the %-symbol is a special symbol used to expand environment variables. In batch files all occurrences of % must be doubled when using this option to properly escape. If this
option is used at the command prompt then the % cannot be escaped and unintended expansion is possible.

The variables available are:

certs Output the certificate chain with details. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

content_type The Content-Type of the requested document, if there was any.

errormsg The error message. (Added in 7.75.0)

exitcode The numerical exitcode of the transfer. (Added in 7.75.0)

filename_effective
The ultimate filename that curl writes out to. This is only meaningful if curl is told to write to a file with the -O, --remote-name or -o, --output option. It's most useful in
combination with the -J, --remote-header-name option.

ftp_entry_path The initial path curl ended up in when logging on to the remote FTP server.

header_json A JSON object with all HTTP response headers from the recent transfer. Values are provided as arrays, since in the case of multiple headers there can be multiple values. (Added
in 7.83.0)

The header names provided in lowercase, listed in order of appearance over the wire. Except for duplicated headers. They are grouped on the first occurrence of that header,
each value is presented in the JSON array.

http_code The numerical response code that was found in the last retrieved HTTP(S) or FTP(s) transfer.

http_connect The numerical code that was found in the last response (from a proxy) to a curl CONNECT request.

http_version The http version that was effectively used. (Added in 7.50.0)

json A JSON object with all available keys.

local_ip The IP address of the local end of the most recently done connection - can be either IPv4 or IPv6.

local_port The local port number of the most recently done connection.

method The http method used in the most recent HTTP request. (Added in 7.72.0)

num_certs Number of server certificates received in the TLS handshake. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

num_connects Number of new connects made in the recent transfer.

num_headers The number of response headers in the most recent request (restarted at each redirect). Note that the status line IS NOT a header. (Added in 7.73.0)

num_redirects Number of redirects that were followed in the request.

onerror The rest of the output is only shown if the transfer returned a non-zero error (Added in 7.75.0)

proxy_ssl_verify_result
The result of the HTTPS proxy's SSL peer certificate verification that was requested. 0 means the verification was successful. (Added in 7.52.0)

redirect_url When an HTTP request was made without -L, --location to follow redirects (or when --max-redirs is met), this variable will show the actual URL a redirect would have gone to.

referer The Referer: header, if there was any. (Added in 7.76.0)

remote_ip The remote IP address of the most recently done connection - can be either IPv4 or IPv6.

remote_port The remote port number of the most recently done connection.

response_code The numerical response code that was found in the last transfer (formerly known as "http_code").

scheme The URL scheme (sometimes called protocol) that was effectively used. (Added in 7.52.0)

size_download The total amount of bytes that were downloaded. This is the size of the body/data that was transferred, excluding headers.

size_header The total amount of bytes of the downloaded headers.

size_request The total amount of bytes that were sent in the HTTP request.

size_upload The total amount of bytes that were uploaded. This is the size of the body/data that was transferred, excluding headers.

speed_download The average download speed that curl measured for the complete download. Bytes per second.

speed_upload The average upload speed that curl measured for the complete upload. Bytes per second.

ssl_verify_result
The result of the SSL peer certificate verification that was requested. 0 means the verification was successful.

stderr From this point on, the -w, --write-out output will be written to standard error. (Added in 7.63.0)

stdout From this point on, the -w, --write-out output will be written to standard output. This is the default, but can be used to switch back after switching to stderr. (Added in
7.63.0)

time_appconnect
The time, in seconds, it took from the start until the SSL/SSH/etc connect/handshake to the remote host was completed.

time_connect The time, in seconds, it took from the start until the TCP connect to the remote host (or proxy) was completed.

time_namelookup
The time, in seconds, it took from the start until the name resolving was completed.

time_pretransfer
The time, in seconds, it took from the start until the file transfer was just about to begin. This includes all pre-transfer commands and negotiations that are specific to the
particular protocol(s) involved.

time_redirect The time, in seconds, it took for all redirection steps including name lookup, connect, pretransfer and transfer before the final transaction was started. time_redirect shows
the complete execution time for multiple redirections.

time_starttransfer
The time, in seconds, it took from the start until the first byte was just about to be transferred. This includes time_pretransfer and also the time the server needed to calcu‐
late the result.

time_total The total time, in seconds, that the full operation lasted.

url The URL that was fetched. (Added in 7.75.0)

urlnum The URL index number of this transfer, 0-indexed. De-globbed URLs share the same index number as the origin globbed URL. (Added in 7.75.0)

url_effective The URL that was fetched last. This is most meaningful if you have told curl to follow location: headers.

If -w, --write-out is provided several times, the last set value will be used.

Example:
curl -w '%{http_code}\n' https://example.com

See also -v, --verbose and -I, --head.

--xattr
When saving output to a file, this option tells curl to store certain file metadata in extended file attributes. Currently, the URL is stored in the xdg.origin.url attribute and, for HTTP,
the content type is stored in the mime_type attribute. If the file system does not support extended attributes, a warning is issued.

Providing --xattr multiple times has no extra effect. Disable it again with --no-xattr.

Example:
curl --xattr -o storage https://example.com

See also -R, --remote-time, -w, --write-out and -v, --verbose.

FILES
~/.curlrc
Default config file, see -K, --config for details.

ENVIRONMENT
The environment variables can be specified in lower case or upper case. The lower case version has precedence. http_proxy is an exception as it is only available in lower case.

Using an environment variable to set the proxy has the same effect as using the -x, --proxy option.

http_proxy [protocol://]<host>[:port]
Sets the proxy server to use for HTTP.

HTTPS_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for HTTPS.

[url-protocol]_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for [url-protocol], where the protocol is a protocol that curl supports and as specified in a URL. FTP, FTPS, POP3, IMAP, SMTP, LDAP, etc.

ALL_PROXY [protocol://]<host>[:port]
Sets the proxy server to use if no protocol-specific proxy is set.

NO_PROXY <comma-separated list of hosts/domains>
list of host names that should not go through any proxy. If set to an asterisk '*' only, it matches all hosts. Each name in this list is matched as either a domain name which contains the
hostname, or the hostname itself.

This environment variable disables use of the proxy even when specified with the -x, --proxy option. That is NO_PROXY=direct.example.com curl -x http://proxy.example.com http://direct.exam‐
ple.com accesses the target URL directly, and NO_PROXY=direct.example.com curl -x http://proxy.example.com http://somewhere.example.com accesses the target URL through the proxy.

The list of host names can also be include numerical IP addresses, and IPv6 versions should then be given without enclosing brackets.

Since 7.86.0, IP addresses can be specified using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the comparison. For example
"192.168.0.0/16" would match all addresses starting with "192.168".

APPDATA <dir>
On Windows, this variable is used when trying to find the home directory. If the primary home variable are all unset.

COLUMNS <terminal width>
If set, the specified number of characters will be used as the terminal width when the alternative progress-bar is shown. If not set, curl will try to figure it out using other ways.

CURL_CA_BUNDLE <file>
If set, will be used as the --cacert value.

CURL_HOME <dir>
If set, is the first variable curl checks when trying to find its home directory. If not set, it continues to check XDG_CONFIG_HOME

CURL_SSL_BACKEND <TLS backend>
If curl was built with support for "MultiSSL", meaning that it has built-in support for more than one TLS backend, this environment variable can be set to the case insensitive name of the
particular backend to use when curl is invoked. Setting a name that is not a built-in alternative will make curl stay with the default.

SSL backend names (case-insensitive): bearssl, gnutls, gskit, mbedtls, nss, openssl, rustls, schannel, secure-transport, wolfssl

HOME <dir>
If set, this is used to find the home directory when that is needed. Like when looking for the default .curlrc. CURL_HOME and XDG_CONFIG_HOME have preference.

QLOGDIR <directory name>
If curl was built with HTTP/3 support, setting this environment variable to a local directory will make curl produce qlogs in that directory, using file names named after the destination con‐
nection id (in hex). Do note that these files can become rather large. Works with both QUIC backends.

SHELL Used on VMS when trying to detect if using a DCL or a "unix" shell.

SSL_CERT_DIR <dir>
If set, will be used as the --capath value.

SSL_CERT_FILE <path>
If set, will be used as the --cacert value.

SSLKEYLOGFILE <file name>
If you set this environment variable to a file name, curl will store TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using
network analyzing tools such as Wireshark. This works with the following TLS backends: OpenSSL, libressl, BoringSSL, GnuTLS, NSS and wolfSSL.

USERPROFILE <dir>
On Windows, this variable is used when trying to find the home directory. If the other, primary, variable are all unset. If set, curl will use the path "$USERPROFILE\Application Data".

XDG_CONFIG_HOME <dir>
If CURL_HOME is not set, this variable is checked when looking for a default .curlrc file.

PROXY PROTOCOL PREFIXES
The proxy string may be specified with a protocol:// prefix to specify alternative proxy protocols.

If no protocol is specified in the proxy string or if the string does not match a supported one, the proxy will be treated as an HTTP proxy.

The supported proxy protocol prefixes are as follows:

http://
Makes it use it as an HTTP proxy. The default if no scheme prefix is used.

https://
Makes it treated as an HTTPS proxy.

socks4://
Makes it the equivalent of --socks4

socks4a://
Makes it the equivalent of --socks4a

socks5://
Makes it the equivalent of --socks5

socks5h://
Makes it the equivalent of --socks5-hostname

EXIT CODES
There are a bunch of different error codes and their corresponding error messages that may appear under error conditions. At the time of this writing, the exit codes are:

0 Success. The operation completed successfully according to the instructions.

1 Unsupported protocol. This build of curl has no support for this protocol.

2 Failed to initialize.

3 URL malformed. The syntax was not correct.

4 A feature or option that was needed to perform the desired request was not enabled or was explicitly disabled at build-time. To make curl able to do this, you probably need another build of
libcurl.

5 Could not resolve proxy. The given proxy host could not be resolved.

6 Could not resolve host. The given remote host could not be resolved.

7 Failed to connect to host.

8 Weird server reply. The server sent data curl could not parse.

9 FTP access denied. The server denied login or denied access to the particular resource or directory you wanted to reach. Most often you tried to change to a directory that does not exist on
the server.

10 FTP accept failed. While waiting for the server to connect back when an active FTP session is used, an error code was sent over the control connection or similar.

11 FTP weird PASS reply. Curl could not parse the reply sent to the PASS request.

12 During an active FTP session while waiting for the server to connect back to curl, the timeout expired.

13 FTP weird PASV reply, Curl could not parse the reply sent to the PASV request.

14 FTP weird 227 format. Curl could not parse the 227-line the server sent.

15 FTP cannot use host. Could not resolve the host IP we got in the 227-line.

16 HTTP/2 error. A problem was detected in the HTTP2 framing layer. This is somewhat generic and can be one out of several problems, see the error message for details.

17 FTP could not set binary. Could not change transfer method to binary.

18 Partial file. Only a part of the file was transferred.

19 FTP could not download/access the given file, the RETR (or similar) command failed.

21 FTP quote error. A quote command returned error from the server.

22 HTTP page not retrieved. The requested URL was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.

23 Write error. Curl could not write data to a local filesystem or similar.

25 FTP could not STOR file. The server denied the STOR operation, used for FTP uploading.

26 Read error. Various reading problems.

27 Out of memory. A memory allocation request failed.

28 Operation timeout. The specified time-out period was reached according to the conditions.

30 FTP PORT failed. The PORT command failed. Not all FTP servers support the PORT command, try doing a transfer using PASV instead!

31 FTP could not use REST. The REST command failed. This command is used for resumed FTP transfers.

33 HTTP range error. The range "command" did not work.

34 HTTP post error. Internal post-request generation error.

35 SSL connect error. The SSL handshaking failed.

36 Bad download resume. Could not continue an earlier aborted download.

37 FILE could not read file. Failed to open the file. Permissions?

38 LDAP cannot bind. LDAP bind operation failed.

39 LDAP search failed.

41 Function not found. A required LDAP function was not found.

42 Aborted by callback. An application told curl to abort the operation.

43 Internal error. A function was called with a bad parameter.

45 Interface error. A specified outgoing interface could not be used.

47 Too many redirects. When following redirects, curl hit the maximum amount.

48 Unknown option specified to libcurl. This indicates that you passed a weird option to curl that was passed on to libcurl and rejected. Read up in the manual!

49 Malformed telnet option.

52 The server did not reply anything, which here is considered an error.

53 SSL crypto engine not found.

54 Cannot set SSL crypto engine as default.

55 Failed sending network data.

56 Failure in receiving network data.

58 Problem with the local certificate.

59 Could not use specified SSL cipher.

60 Peer certificate cannot be authenticated with known CA certificates.

61 Unrecognized transfer encoding.

63 Maximum file size exceeded.

64 Requested FTP SSL level failed.

65 Sending the data requires a rewind that failed.

66 Failed to initialise SSL Engine.

67 The user name, password, or similar was not accepted and curl failed to log in.

68 File not found on TFTP server.

69 Permission problem on TFTP server.

70 Out of disk space on TFTP server.

71 Illegal TFTP operation.

72 Unknown TFTP transfer ID.

73 File already exists (TFTP).

74 No such user (TFTP).

77 Problem reading the SSL CA cert (path? access rights?).

78 The resource referenced in the URL does not exist.

79 An unspecified error occurred during the SSH session.

80 Failed to shut down the SSL connection.

82 Could not load CRL file, missing or wrong format.

83 Issuer check failed.

84 The FTP PRET command failed.

85 Mismatch of RTSP CSeq numbers.

86 Mismatch of RTSP Session Identifiers.

87 Unable to parse FTP file list.

88 FTP chunk callback reported error.

89 No connection available, the session will be queued.

90 SSL public key does not matched pinned public key.

91 Invalid SSL certificate status.

92 Stream error in HTTP/2 framing layer.

93 An API function was called from inside a callback.

94 An authentication function returned an error.

95 A problem was detected in the HTTP/3 layer. This is somewhat generic and can be one out of several problems, see the error message for details.

96 QUIC connection error. This error may be caused by an SSL library error. QUIC is the protocol used for HTTP/3 transfers.

XX More error codes will appear here in future releases. The existing ones are meant to never change.

BUGS
If you experience any problems with curl, submit an issue in the project's bug tracker on GitHub: https://github.com/curl/curl/issues

AUTHORS / CONTRIBUTORS
Daniel Stenberg is the main author, but the whole list of contributors is found in the separate THANKS file.

WWW
https://curl.se

SEE ALSO
ftp(1), wget(1)

curl 7.88.1 February 19 2023 curl(1)
</nowiki>

CURL - Manpage

2026-02-25T12:42:32Z

Admin: /* Force to Connect to a given Host */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Examples ==

=== Force to Connect to a given Host ===

Connect to host2 instead of host1 :
<nowiki>
curl https://FQDN --connect-to <HOST1:PORT1:HOST2:PORT2></nowiki>

=== Get the HTTP Headers of a URL ===

<nowiki>
curl -I --http2 https://<URL></nowiki>

=== Follow Redirects ===

<nowiki>
curl -L <URL></nowiki>

=== Testing The Download Time ===

<nowiki>
curl -D - https://www.ubuntu.com -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Mon, 21 Jul 2025 10:04:33 GMT
content-type: text/html
content-length: 162
location: https://ubuntu.com/
strict-transport-security: max-age=15724800
link: <https://assets.ubuntu.com>; rel=preconnect; crossorigin, <https://assets.ubuntu.com>; rel=preconnect, <https://res.cloudinary.com>; rel=preconnect
x-cache-status: HIT from content-cache-il3/1

100 162 100 162 0 0 367 0 --:--:-- --:--:-- --:--:-- 368</nowiki>

=== Recording Cookies ===

<nowiki>
curl --cookie-jar received_cookies.txt https://URL -O</nowiki>

== curl --help all ==

<nowiki>
curl --help all
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--alt-svc <filename> Enable alt-svc with this cache file
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--aws-sigv4 <provider1[:prvdr2[:reg[:srv]]]> AWS V4 signature auth
--basic HTTP Basic Authentication
--ca-native Load CA certs from the OS
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify server cert status OCSP-staple
--cert-type <type> Certificate type (DER/PEM/ENG/PROV/P12)
--ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed to connect
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host2 instead of host1
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data|filename> Send cookies from string/load from file
-c, --cookie-jar <filename> Save cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--create-file-mode <mode> File mode for created files
--crlf Convert LF to CRLF in upload
--crlfile <file> Certificate Revocation list
--curves <list> (EC) TLS key exchange algorithms to request
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data URL encoded
--delegation <LEVEL> GSS-API delegation permission
--digest HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--disallow-username-in-url Disallow username in URL
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
--doh-cert-status Verify DoH server cert status OCSP-staple
--doh-insecure Allow insecure DoH server connections
--doh-url <URL> Resolve hostnames over DoH
--dump-ca-embed Write the embedded CA bundle to standard output
-D, --dump-header <filename> Write the received headers to <filename>
--ech <config> Configure ECH
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--etag-compare <file> Load ETag from file
--etag-save <file> Parse incoming ETag and save to a file
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail fast with no output on HTTP errors
--fail-early Fail on first transfer error
--fail-with-body Fail on HTTP errors but save the body
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-escape Escape form fields using backslash
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Send PASV/EPSV instead of PORT
-P, --ftp-port <address> Send PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require TLS for login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL globbing with {} and []
--happy-eyeballs-timeout-ms <ms> Time for IPv6 before IPv4
--haproxy-clientip <ip> Set address in HAProxy PROXY
--haproxy-protocol Send HAProxy PROXY protocol v1 header
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help <subject> Get help for commands
--hostpubmd5 <md5> Acceptable MD5 hash of host public key
--hostpubsha256 <sha256> Acceptable SHA256 hash of host public key
--hsts <filename> Enable HSTS with this cache file
--http0.9 Allow HTTP/0.9 responses
-0, --http1.0 Use HTTP/1.0
--http1.1 Use HTTP/1.1
--http2 Use HTTP/2
--http2-prior-knowledge Use HTTP/2 without HTTP/1.1 Upgrade
--http3 Use HTTP/3
--http3-only Use HTTP/3 only
--ignore-content-length Ignore the size of the remote resource
-k, --insecure Allow insecure server connections
--interface <name> Use network interface
--ip-tos <string> Set IP Type of Service or Traffic Class
--ipfs-gateway <URL> Gateway for IPFS
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
--json <data> HTTP POST JSON
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-cnt <integer> Maximum number of keepalive probes
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key filename
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Generate libcurl code for this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <range> Use a local port number within RANGE
-L, --location Follow redirects
--location-trusted As --location, but send secrets to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail to this address
--mail-rcpt-allowfails Allow RCPT TO command to fail
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <seconds> Maximum time allowed for transfer
--metalink Process given URLs as metalink XML file
--mptcp Enable Multipath TCP
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for username and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use separate options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-clobber Do not overwrite files that already exist
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-progress-meter Do not show the progress meter
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm HTTP NTLM authentication
--ntlm-wb HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--output-dir <dir> Directory to save files in
-Z, --parallel Perform transfers in parallel
--parallel-immediate Do not wait for multiplexing
--parallel-max <num> Maximum concurrency for parallel transfers
--pass <phrase> Passphrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> Public key to verify peer against
--post301 Do not switch to GET after a 301 redirect
--post302 Do not switch to GET after a 302 redirect
--post303 Do not switch to GET after a 303 redirect
--preproxy <[protocol://]host[:port]> Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy <[protocol://]host[:port]> Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-ca-native Load CA certs from the OS to verify proxy
--proxy-cacert <file> CA certificates to verify proxy against
--proxy-capath <dir> CA directory to verify proxy against
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTPS proxy
--proxy-ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Digest auth with the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-http2 Use HTTP/2 with HTTPS proxy
--proxy-insecure Skip HTTPS proxy cert verification
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate HTTP Negotiate (SPNEGO) auth with the proxy
--proxy-ntlm NTLM authentication with the proxy
--proxy-pass <phrase> Passphrase for private key for HTTPS proxy
--proxy-pinnedpubkey <hashes> FILE/HASHES public key to verify proxy with
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow this security flaw for HTTPS proxy
--proxy-ssl-auto-client-cert Auto client certificate for proxy
--proxy-tls13-ciphers <list> TLS 1.3 proxy cipher suites
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key filename
-Q, --quote <command> Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--rate <max request rate> Request rate for serial transfers
--raw Do HTTP raw; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to file named as remote file
--remote-name-all Use the remote filename for all URLs
-R, --remote-time Set remote file's time on local output
--remove-on-error Remove output file on errors
-X, --request <method> Specify request method to use
--request-target <path> Specify the target for this request
--resolve <[+]host:port:addr[,addr]...> Resolve host+port to address
--retry <num> Retry request if transient problems occur
--retry-all-errors Retry all errors (with --retry)
--retry-connrefused Retry on connection refused (with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-authzid <identity> Identity for SASL PLAIN authentication
--sasl-ir Initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-i, --show-headers Show response headers in output
--sigalgs <list> TLS signature algorithms to use
-s, --silent Silent mode
--skip-existing Skip download if local file already exists
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass hostname to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try enabling TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-auto-client-cert Use auto client certificate (Schannel)
--ssl-no-revoke Disable cert revocation checks (Schannel)
--ssl-reqd Require SSL/TLS
--ssl-revoke-best-effort Ignore missing cert CRL dist points
--ssl-sessions <filename> Load/save SSL session tickets from/to this file
-2, --sslv2 SSLv2
-3, --sslv3 SSLv3
--stderr <file> Where to redirect stderr
--styled-output Enable styled output for HTTP headers
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Set TCP_NODELAY
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-earlydata Allow use of TLSv1.3 early data (0RTT)
--tls-max <VERSION> Maximum allowed TLS version
--tls13-ciphers <list> TLS 1.3 cipher suites to use
--tlsauthtype <type> TLS authentication type
--tlspassword <string> TLS password
--tlsuser <name> TLS username
-1, --tlsv1 TLSv1.0 or greater
--tlsv1.0 TLSv1.0 or greater
--tlsv1.1 TLSv1.1 or greater
--tlsv1.2 TLSv1.2 or greater
--tlsv1.3 TLSv1.3 or greater
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-config <string> Details to log in trace/verbose output
--trace-ids Transfer + connection ids in verbose output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--upload-flags <flags> IMAP upload behavior
--url <url/file> URL(s) to work with
--url-query <data> Add a URL query part
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
--variable <[%]name=text/@file> Set variable
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
--vlan-priority <priority> Set VLAN priority
-w, --write-out <format> Output FORMAT after completion
--xattr Store metadata in extended file attributes</nowiki>

== Manpage ==

<nowiki>
curl(1) curl Manual curl(1)

NAME
curl - transfer a URL

SYNOPSIS
curl [options / URLs]

DESCRIPTION
curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS,
RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. The command is designed to work without user interaction.

curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume and more. As you will see below, the number of
features will make your head spin.

curl is powered by libcurl for all transfer-related features. See libcurl(3) for details.

URL
The URL syntax is protocol-dependent. You find a detailed description in RFC 3986.

You can specify multiple URLs or parts of URLs by writing part sets within braces and quoting the URL as in:

"http://site.{one,two,three}.com"

or you can get sequences of alphanumeric series by using [] as in:

"ftp://ftp.example.com/file[1-100].txt"

"ftp://ftp.example.com/file[001-100].txt" (with leading zeros)

"ftp://ftp.example.com/file[a-z].txt"

Nested sequences are not supported, but you can use several ones next to each other:

"http://example.com/archive[1996-1999]/vol[1-4]/part{a,b,c}.html"

You can specify any amount of URLs on the command line. They will be fetched in a sequential manner in the specified order. You can specify command line options and URLs mixed and in any order on
the command line.

You can specify a step counter for the ranges to get every Nth number or letter:

"http://example.com/file[1-100:10].txt"

"http://example.com/file[a-z:2].txt"

When using [] or {} sequences when invoked from a command line prompt, you probably have to put the full URL within double quotes to avoid the shell from interfering with it. This also goes for
other characters treated special, like for example '&', '?' and '*'.

Provide the IPv6 zone index in the URL with an escaped percentage sign and the interface name. Like in

"http://[fe80::3%25eth0]/"

If you specify URL without protocol:// prefix, curl will attempt to guess what protocol you might want. It will then default to HTTP but try other protocols based on often-used host name prefixes.
For example, for host names starting with "ftp." curl will assume you want to speak FTP.

curl will do its best to use what you pass to it as a URL. It is not trying to validate it as a syntactically correct URL by any means but is fairly liberal with what it accepts.

curl will attempt to re-use connections for multiple file transfers, so that getting many files from the same server will not do multiple connects / handshakes. This improves speed. Of course this
is only done on files specified on a single command line and cannot be used between separate curl invocations.

OUTPUT
If not told otherwise, curl writes the received data to stdout. It can be instructed to instead save that data into a local file, using the -o, --output or -O, --remote-name options. If curl is
given multiple URLs to transfer on the command line, it similarly needs multiple options for where to save them.

curl does not parse or otherwise "understand" the content it gets or writes as output. It does no encoding or decoding, unless explicitly asked to with dedicated command line options.

PROTOCOLS
curl supports numerous protocols, or put in URL terms: schemes. Your particular build may not support them all.

DICT Lets you lookup words using online dictionaries.

FILE Read or write local files. curl does not support accessing file:// URL remotely, but when running on Microsoft Windows using the native UNC approach will work.

FTP(S) curl supports the File Transfer Protocol with a lot of tweaks and levers. With or without using TLS.

GOPHER(S)
Retrieve files.

HTTP(S)
curl supports HTTP with numerous options and variations. It can speak HTTP version 0.9, 1.0, 1.1, 2 and 3 depending on build options and the correct command line options.

IMAP(S)
Using the mail reading protocol, curl can "download" emails for you. With or without using TLS.

LDAP(S)
curl can do directory lookups for you, with or without TLS.

MQTT curl supports MQTT version 3. Downloading over MQTT equals "subscribe" to a topic while uploading/posting equals "publish" on a topic. MQTT over TLS is not supported (yet).

POP3(S)
Downloading from a pop3 server means getting a mail. With or without using TLS.

RTMP(S)
The Realtime Messaging Protocol is primarily used to server streaming media and curl can download it.

RTSP curl supports RTSP 1.0 downloads.

SCP curl supports SSH version 2 scp transfers.

SFTP curl supports SFTP (draft 5) done over SSH version 2.

SMB(S) curl supports SMB version 1 for upload and download.

SMTP(S)
Uploading contents to an SMTP server means sending an email. With or without TLS.

TELNET Telling curl to fetch a telnet URL starts an interactive session where it sends what it reads on stdin and outputs what the server sends it.

TFTP curl can do TFTP downloads and uploads.

PROGRESS METER
curl normally displays a progress meter during operations, indicating the amount of transferred data, transfer speeds and estimated time left, etc. The progress meter displays the transfer rate in
bytes per second. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024 bytes. 1M is 1048576 bytes.

curl displays this data to the terminal by default, so if you invoke curl to do an operation and it is about to write data to the terminal, it disables the progress meter as otherwise it would mess
up the output mixing progress meter and response data.

If you want a progress meter for HTTP POST or PUT requests, you need to redirect the response output to a file, using shell redirect (>), -o, --output or similar.

This does not apply to FTP upload as that operation does not spit out any response data to the terminal.

If you prefer a progress "bar" instead of the regular meter, -#, --progress-bar is your friend. You can also disable the progress meter completely with the -s, --silent option.

OPTIONS
Options start with one or two dashes. Many of the options require an additional value next to them.

The short "single-dash" form of the options, -d for example, may be used with or without a space between it and its value, although a space is a recommended separator. The long "double-dash" form,
-d, --data for example, requires a space between it and its value.

Short version options that do not need any additional values can be used immediately next to each other, like for example you can specify all the options -O, -L and -v at once as -OLv.

In general, all boolean options are enabled with --option and yet again disabled with --no-option. That is, you use the same option name but prefix it with "no-". However, in this list we mostly
only list and show the --option version of them.

--abstract-unix-socket <path>
(HTTP) Connect through an abstract Unix domain socket, instead of using the network. Note: netstat shows the path of an abstract socket prefixed with '@', however the <path> argument should
not have this leading character.

If --abstract-unix-socket is provided several times, the last set value will be used.

Example:
curl --abstract-unix-socket socketpath https://example.com

See also --unix-socket. Added in 7.53.0.

--alt-svc <file name>
(HTTPS) This option enables the alt-svc parser in curl. If the file name points to an existing alt-svc cache file, that will be used. After a completed transfer, the cache will be saved to
the file name again if it has been modified.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle the cache in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--alt-svc can be used several times in a command line

Example:
curl --alt-svc svc.txt https://example.com

See also --resolve and --connect-to. Added in 7.64.1.

--anyauth
(HTTP) Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support. This is done by first doing a request and checking the re‐
sponse-headers, thus possibly inducing an extra network round-trip. This is used instead of setting a specific authentication method, which you can do with --basic, --digest, --ntlm, and
--negotiate.

Using --anyauth is not recommended if you do uploads from stdin, since it may require data to be sent twice and then the client must be able to rewind. If the need should arise when uploading
from stdin, the upload operation will fail.

Used together with -u, --user.

Providing --anyauth multiple times has no extra effect.

Example:
curl --anyauth --user me:pwd https://example.com

See also --proxy-anyauth, --basic and --digest.

-a, --append
(FTP SFTP) When used in an upload, this makes curl append to the target file instead of overwriting it. If the remote file does not exist, it will be created. Note that this flag is ignored
by some SFTP servers (including OpenSSH).

Providing -a, --append multiple times has no extra effect. Disable it again with --no-append.

Example:
curl --upload-file local --append ftp://example.com/

See also -r, --range and -C, --continue-at.

--aws-sigv4 <provider1[:provider2[:region[:service]]]>
Use AWS V4 signature authentication in the transfer.

The provider argument is a string that is used by the algorithm when creating outgoing authentication headers.

The region argument is a string that points to a geographic area of a resources collection (region-code) when the region name is omitted from the endpoint.

The service argument is a string that points to a function provided by a cloud (service-code) when the service name is omitted from the endpoint.

If --aws-sigv4 is provided several times, the last set value will be used.

Example:
curl --aws-sigv4 "aws:amz:east-2:es" --user "key:secret" https://example.com

See also --basic and -u, --user. Added in 7.75.0.

--basic
(HTTP) Tells curl to use HTTP Basic authentication with the remote host. This is the default and this option is usually pointless, unless you use it to override a previously set option that
sets a different authentication method (such as --ntlm, --digest, or --negotiate).

Used together with -u, --user.

Providing --basic multiple times has no extra effect.

Example:
curl -u name:password --basic https://example.com

See also --proxy-basic.

--cacert <file>
(TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to
use a default file for this, so this option is typically used to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.

The windows version of curl will automatically look for a CA certs file named 'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the Current Working Directory, or in any
folder along your PATH.

If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.

(iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not
set, then curl will use the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

(Schannel only) This option is supported for Schannel in Windows 7 or later with libcurl 7.60 or later. This option is supported for backward compatibility with other SSL engines; instead it
is recommended to use Windows' store of root certificates (the default for Schannel).

If --cacert is provided several times, the last set value will be used.

Example:
curl --cacert CA-file.txt https://example.com

See also --capath and -k, --insecure.

--capath <dir>
(TLS) Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with ":" (e.g. "path1:path2:path3"). The certificates must
be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl
to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.

If this option is set, the default capath value will be ignored.

If --capath is provided several times, the last set value will be used.

Example:
curl --capath /local/directory https://example.com

See also --cacert and -k, --insecure.

--cert-status
(TLS) Tells curl to verify the status of the server certificate by using the Certificate Status Request (aka. OCSP stapling) TLS extension.

If this option is enabled and the server sends an invalid (e.g. expired) response, if the response suggests that the server certificate has been revoked, or no response at all is received,
the verification fails.

This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.

Providing --cert-status multiple times has no extra effect. Disable it again with --no-cert-status.

Example:
curl --cert-status https://example.com

See also --pinnedpubkey. Added in 7.41.0.

--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types.

The default type depends on the TLS backend and is usually PEM, however for Secure Transport and Schannel it is P12. If -E, --cert is a pkcs11: URI then ENG is the default type.

If --cert-type is provided several times, the last set value will be used.

Example:
curl --cert-type PEM --cert file https://example.com

See also -E, --cert, --key and --key-type.

-E, --cert <certificate[:password]>
(TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure
Transport, or PEM format if using any other engine. If the optional password is not specified, it will be queried for on the terminal. Note that this option assumes a certificate file that is
the private key and the client certificate concatenated. See -E, --cert and --key to specify them independently.

In the <certificate> portion of the argument, you must escape the character ":" as "\:" so that it is not recognized as the password delimiter. Similarly, you must escape the character "\" as
"\\" so that it is not recognized as an escape character.

If curl is built against the NSS SSL library then this option can tell curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by
default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.

If you provide a path relative to the current directory, you must prefix the path with "./" in order to avoid confusion with an NSS database nickname.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --cert-type option will
be set as "ENG" if none was provided.

(iOS and macOS only) If curl is built against Secure Transport, then the certificate string can either be the name of a certificate/private key in the system or user keychain, or the path to
a PKCS#12-encoded certificate and private key. If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname.

(Schannel only) Client certificates must be specified by a path expression to a certificate store. (Loading PFX is not supported; you can import it to a store first). You can use "<store lo‐
cation>\<store name>\<thumbprint>" to refer to a certificate in the system certificates store, for example, "CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is usually a
SHA-1 hex string which you can see in certificate details. Following store locations are supported: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachine‐
GroupPolicy, LocalMachineEnterprise.

If -E, --cert is provided several times, the last set value will be used.

Example:
curl --cert certfile --key keyfile https://example.com

See also --cert-type, --key and --key-type.

--ciphers <list of ciphers>
(TLS) Specifies which ciphers to use in the connection. The list of ciphers must specify valid ciphers. Read up on SSL cipher list details on this URL:

https://curl.se/docs/ssl-ciphers.html

If --ciphers is provided several times, the last set value will be used.

Example:
curl --ciphers ECDHE-ECDSA-AES256-CCM8 https://example.com

See also --tlsv1.3.

--compressed-ssh
(SCP SFTP) Enables built-in SSH compression. This is a request, not an order; the server may or may not do it.

Providing --compressed-ssh multiple times has no extra effect. Disable it again with --no-compressed-ssh.

Example:
curl --compressed-ssh sftp://example.com/

See also --compressed. Added in 7.56.0.

--compressed
(HTTP) Request a compressed response using one of the algorithms curl supports, and automatically decompress the content. Headers are not modified.

If this option is used and the server sends an unsupported encoding, curl will report an error. This is a request, not an order; the server may or may not deliver data compressed.

Providing --compressed multiple times has no extra effect. Disable it again with --no-compressed.

Example:
curl --compressed https://example.com

See also --compressed-ssh.

-K, --config <file>
Specify a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line.

Options and their parameters must be specified on the same line in the file, separated by whitespace, colon, or the equals sign. Long option names can optionally be given in the config file
without the initial double dashes and if so, the colon or equals characters can be used as separators. If the option is specified with one or two dashes, there can be no colon or equals char‐
acter between the option and its parameter.

If the parameter contains whitespace (or starts with : or =), the parameter must be enclosed within quotes. Within double quotes, the following escape sequences are available: \\, \", \t, \n,
\r and \v. A backslash preceding any other letter is ignored.

If the first column of a config line is a '#' character, the rest of the line will be treated as a comment.

Only write one option per physical line in the config file.

Specify the filename to -K, --config as '-' to make curl read the file from stdin.

Note that to be able to specify a URL in the config file, you need to specify it using the --url option, and not by simply writing the URL on its own line. So, it could look similar to this:

url = "https://curl.se/docs/"

# --- Example file ---
# this is a comment
url = "example.com"
output = "curlhere.html"
user-agent = "superagent/1.0"

# and fetch another URL too
url = "example.com/docs/manpage.html"
-O
referer = "http://nowhereatall.example.com/"
# --- End of example file ---

When curl is invoked, it (unless -q, --disable is used) checks for a default config file and uses it if found, even when -K, --config is used. The default config file is checked for in the
following places in this order:

1) "$CURL_HOME/.curlrc"

2) "$XDG_CONFIG_HOME/.curlrc" (Added in 7.73.0)

3) "$HOME/.curlrc"

4) Windows: "%USERPROFILE%\.curlrc"

5) Windows: "%APPDATA%\.curlrc"

6) Windows: "%USERPROFILE%\Application Data\.curlrc"

7) Non-Windows: use getpwuid to find the home directory

8) On Windows, if it finds no .curlrc file in the sequence described above, it checks for one in the same dir the curl executable is placed.

On Windows two filenames are checked per location: .curlrc and _curlrc, preferring the former. Older versions on Windows checked for _curlrc only.

-K, --config can be used several times in a command line

Example:
curl --config file.txt https://example.com

See also -q, --disable.

--connect-timeout <fractional seconds>
Maximum time in seconds that you allow curl's connection to take. This only limits the connection phase, so if curl connects within the given period it will continue - if not it will exit.
Since version 7.32.0, this option accepts decimal values.

The "connection phase" is considered complete when the requested TCP, TLS or QUIC handshakes are done.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --connect-timeout is provided several times, the last set value will be used.

Examples:
curl --connect-timeout 20 https://example.com
curl --connect-timeout 3.14 https://example.com

See also -m, --max-time.

--connect-to <HOST1:PORT1:HOST2:PORT2>

For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead. This option is suitable to direct requests at a specific server, e.g. at a specific cluster node in a cluster of
servers. This option is only used to establish the network connection. It does NOT affect the hostname/port that is used for TLS/SSL (e.g. SNI, certificate verification) or for the applica‐
tion protocols. "HOST1" and "PORT1" may be the empty string, meaning "any host/port". "HOST2" and "PORT2" may also be the empty string, meaning "use the request's original host/port".

A "host" specified to this option is compared as a string, so it needs to match the name used in request URL. It can be either numerical such as "127.0.0.1" or the full host name such as "ex‐
ample.org".

--connect-to can be used several times in a command line

Example:
curl --connect-to example.com:443:example.net:8443 https://example.com

See also --resolve and -H, --header. Added in 7.49.0.

-C, --continue-at <offset>
Continue/Resume a previous file transfer at the given offset. The given offset is the exact number of bytes that will be skipped, counting from the beginning of the source file before it is
transferred to the destination. If used with uploads, the FTP server command SIZE will not be used by curl.

Use "-C -" to tell curl to automatically find out where/how to resume the transfer. It then uses the given output/input files to figure that out.

If -C, --continue-at is provided several times, the last set value will be used.

Examples:
curl -C - https://example.com
curl -C 400 https://example.com

See also -r, --range.

-c, --cookie-jar <filename>
(HTTP) Specify to which file you want curl to write all cookies after a completed operation. Curl writes all cookies from its in-memory cookie storage to the given file at the end of opera‐
tions. If no cookies are known, no data will be written. The file will be written using the Netscape cookie file format. If you set the file name to a single dash, "-", the cookies will be
written to stdout.

This command line option will activate the cookie engine that makes curl record and use cookies. Another way to activate it is to use the -b, --cookie option.

If the cookie jar cannot be created or written to, the whole curl operation will not fail or even report an error clearly. Using -v, --verbose will get a warning displayed, but that is the
only visible feedback you get about this possibly lethal situation.

If -c, --cookie-jar is provided several times, the last set value will be used.

Examples:
curl -c store-here.txt https://example.com
curl -c store-here.txt -b read-these https://example.com

See also -b, --cookie.

-b, --cookie <data|filename>
(HTTP) Pass the data to the HTTP server in the Cookie header. It is supposedly the data previously received from the server in a "Set-Cookie:" line. The data should be in the format
"NAME1=VALUE1; NAME2=VALUE2". This makes curl use the cookie header with this content explicitly in all outgoing request(s). If multiple requests are done due to authentication, followed
redirects or similar, they will all get this cookie passed on.

If no '=' symbol is used in the argument, it is instead treated as a filename to read previously stored cookie from. This option also activates the cookie engine which will make curl record
incoming cookies, which may be handy if you are using this in combination with the -L, --location option or do multiple URL transfers on the same invoke. If the file name is exactly a minus
("-"), curl will instead read the contents from stdin.

The file format of the file to read cookies from should be plain HTTP headers (Set-Cookie style) or the Netscape/Mozilla cookie file format.

The file specified with -b, --cookie is only used as input. No cookies will be written to the file. To store cookies, use the -c, --cookie-jar option.

If you use the Set-Cookie file format and do not specify a domain then the cookie is not sent since the domain will never match. To address this, set a domain in Set-Cookie line (doing that
will include sub-domains) or preferably: use the Netscape format.

Users often want to both read cookies from a file and write updated cookies back to a file, so using both -b, --cookie and -c, --cookie-jar in the same command line is common.

-b, --cookie can be used several times in a command line

Examples:
curl -b cookiefile https://example.com
curl -b cookiefile -c cookiefile https://example.com

See also -c, --cookie-jar and -j, --junk-session-cookies.

--create-dirs
When used in conjunction with the -o, --output option, curl will create the necessary local directory hierarchy as needed. This option creates the directories mentioned with the -o, --output
option, nothing else. If the -o, --output file name uses no directory, or if the directories it mentions already exist, no directories will be created.

Created dirs are made with mode 0750 on unix style file systems.

To create remote directories when using FTP or SFTP, try --ftp-create-dirs.

Providing --create-dirs multiple times has no extra effect. Disable it again with --no-create-dirs.

Example:
curl --create-dirs --output local/dir/file https://example.com

See also --ftp-create-dirs and --output-dir.

--create-file-mode <mode>
(SFTP SCP FILE) When curl is used to create files remotely using one of the supported protocols, this option allows the user to set which 'mode' to set on the file at creation time, instead
of the default 0644.

This option takes an octal number as argument.

If --create-file-mode is provided several times, the last set value will be used.

Example:
curl --create-file-mode 0777 -T localfile sftp://example.com/new

See also --ftp-create-dirs. Added in 7.75.0.

--crlf (FTP SMTP) Convert LF to CRLF in upload. Useful for MVS (OS/390).

(SMTP added in 7.40.0)

Providing --crlf multiple times has no extra effect. Disable it again with --no-crlf.

Example:
curl --crlf -T file ftp://example.com/

See also -B, --use-ascii.

--crlfile <file>
(TLS) Provide a file using PEM format with a Certificate Revocation List that may specify peer certificates that are to be considered revoked.

If --crlfile is provided several times, the last set value will be used.

Example:
curl --crlfile rejects.txt https://example.com

See also --cacert and --capath.

--curves <algorithm list>
(TLS) Tells curl to request specific curves to use during SSL session establishment according to RFC 8422, 5.1. Multiple algorithms can be provided by separating them with ":" (e.g.
"X25519:P-521"). The parameter is available identically in the "openssl s_client/s_server" utilities.

--curves allows a OpenSSL powered curl to make SSL-connections with exactly the (EC) curve requested by the client, avoiding nontransparent client/server negotiations.

If this option is set, the default curves list built into openssl will be ignored.

If --curves is provided several times, the last set value will be used.

Example:
curl --curves X25519 https://example.com

See also --ciphers. Added in 7.73.0.

--data-ascii <data>
(HTTP) This is just an alias for -d, --data.

--data-ascii can be used several times in a command line

Example:
curl --data-ascii @file https://example.com

See also --data-binary, --data-raw and --data-urlencode.

--data-binary <data>
(HTTP) This posts data exactly as specified with no extra processing whatsoever.

If you start the data with the letter @, the rest should be a filename. Data is posted in a similar manner as -d, --data does, except that newlines and carriage returns are preserved and con‐
versions are never done.

Like -d, --data the default content-type sent to the server is application/x-www-form-urlencoded. If you want the data to be treated as arbitrary binary data by the server then set the con‐
tent-type to octet-stream: -H "Content-Type: application/octet-stream".

If this option is used several times, the ones following the first will append data as described in -d, --data.

--data-binary can be used several times in a command line

Example:
curl --data-binary @filename https://example.com

See also --data-ascii.

--data-raw <data>
(HTTP) This posts data similarly to -d, --data but without the special interpretation of the @ character.

--data-raw can be used several times in a command line

Examples:
curl --data-raw "hello" https://example.com
curl --data-raw "@at@at@" https://example.com

See also -d, --data. Added in 7.43.0.

--data-urlencode <data>
(HTTP) This posts data, similar to the other -d, --data options with the exception that this performs URL-encoding.

To be CGI-compliant, the <data> part should begin with a name followed by a separator and a content specification. The <data> part can be passed to curl using one of the following syntaxes:

content
This will make curl URL-encode the content and pass that on. Just be careful so that the content does not contain any = or @ symbols, as that will then make the syntax match one of the
other cases below!

=content
This will make curl URL-encode the content and pass that on. The preceding = symbol is not included in the data.

name=content
This will make curl URL-encode the content part and pass that on. Note that the name part is expected to be URL-encoded already.

@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST.

name@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST. The name part gets an equal sign appended, resulting in
name=urlencoded-file-content. Note that the name is expected to be URL-encoded already.

--data-urlencode can be used several times in a command line

Examples:
curl --data-urlencode name=val https://example.com
curl --data-urlencode =encodethis https://example.com
curl --data-urlencode name@file https://example.com
curl --data-urlencode @fileonly https://example.com

See also -d, --data and --data-raw.

-d, --data <data>
(HTTP MQTT) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will
cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded. Compare to -F, --form.

--data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To URL-encode the
value of a form field you may use --data-urlencode.

If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d skill=lousy' would
generate a post chunk that looks like 'name=daniel&skill=lousy'.

If you start the data with the letter @, the rest should be a file name to read the data from, or - if you want curl to read the data from stdin. Posting data from a file named 'foobar' would
thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you do not want the @ character to have a
special interpretation use --data-raw instead.

-d, --data can be used several times in a command line

Examples:
curl -d "name=curl" https://example.com
curl -d "name=curl" -d "tool=cmdline" https://example.com
curl -d @filename https://example.com

See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.

--delegation <LEVEL>
(GSS/kerberos) Set LEVEL to tell the server what it is allowed to delegate when it comes to user credentials.

none Do not allow any delegation.

policy Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos service ticket, which is a matter of realm policy.

always Unconditionally allow the server to delegate.

If --delegation is provided several times, the last set value will be used.

Example:
curl --delegation "none" https://example.com

See also -k, --insecure and --ssl.

--digest
(HTTP) Enables HTTP Digest authentication. This is an authentication scheme that prevents the password from being sent over the wire in clear text. Use this in combination with the normal -u,
--user option to set user name and password.

Providing --digest multiple times has no extra effect. Disable it again with --no-digest.

Example:
curl -u name:password --digest https://example.com

See also -u, --user, --proxy-digest and --anyauth. This option is mutually exclusive to --basic and --ntlm and --negotiate.

--disable-eprt
(FTP) Tell curl to disable the use of the EPRT and LPRT commands when doing active FTP transfers. Curl will normally always first attempt to use EPRT, then LPRT before using PORT, but with
this option, it will use PORT right away. EPRT and LPRT are extensions to the original FTP protocol, and may not work on all servers, but they enable more functionality in a better way than
the traditional PORT command.

--eprt can be used to explicitly enable EPRT again and --no-eprt is an alias for --disable-eprt.

If the server is accessed using IPv6, this option will have no effect as EPRT is necessary then.

Disabling EPRT only changes the active behavior. If you want to switch to passive mode you need to not use -P, --ftp-port or force it with --ftp-pasv.

Providing --disable-eprt multiple times has no extra effect. Disable it again with --no-disable-eprt.

Example:
curl --disable-eprt ftp://example.com/

See also --disable-epsv and -P, --ftp-port.

--disable-epsv
(FTP) Tell curl to disable the use of the EPSV command when doing passive FTP transfers. Curl will normally always first attempt to use EPSV before PASV, but with this option, it will not try
using EPSV.

--epsv can be used to explicitly enable EPSV again and --no-epsv is an alias for --disable-epsv.

If the server is an IPv6 host, this option will have no effect as EPSV is necessary then.

Disabling EPSV only changes the passive behavior. If you want to switch to active mode you need to use -P, --ftp-port.

Providing --disable-epsv multiple times has no extra effect. Disable it again with --no-disable-epsv.

Example:
curl --disable-epsv ftp://example.com/

See also --disable-eprt and -P, --ftp-port.

-q, --disable
If used as the first parameter on the command line, the curlrc config file will not be read and used. See the -K, --config for details on the default config file search path.

Providing -q, --disable multiple times has no extra effect. Disable it again with --no-disable.

Example:
curl -q https://example.com

See also -K, --config.

--disallow-username-in-url
(HTTP) This tells curl to exit if passed a URL containing a username. This is probably most useful when the URL is being provided at runtime or similar.

Providing --disallow-username-in-url multiple times has no extra effect. Disable it again with --no-disallow-username-in-url.

Example:
curl --disallow-username-in-url https://example.com

See also --proto. Added in 7.61.0.

--dns-interface <interface>
(DNS) Tell curl to send outgoing DNS requests through <interface>. This option is a counterpart to --interface (which does not affect DNS). The supplied string must be an interface name (not
an address).

If --dns-interface is provided several times, the last set value will be used.

Example:
curl --dns-interface eth0 https://example.com

See also --dns-ipv4-addr and --dns-ipv6-addr. --dns-interface requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv4-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv4 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv4 address.

If --dns-ipv4-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv4-addr 10.1.2.3 https://example.com

See also --dns-interface and --dns-ipv6-addr. --dns-ipv4-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv6-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv6 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv6 address.

If --dns-ipv6-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv6-addr 2a04:4e42::561 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-ipv6-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-servers <addresses>
Set the list of DNS servers to be used instead of the system default. The list of IP addresses should be separated with commas. Port numbers may also optionally be given as :<port-number>
after each IP address.

If --dns-servers is provided several times, the last set value will be used.

Example:
curl --dns-servers 192.168.0.1,192.168.0.2 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-servers requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--doh-cert-status
Same as --cert-status but used for DoH (DNS-over-HTTPS).

Providing --doh-cert-status multiple times has no extra effect. Disable it again with --no-doh-cert-status.

Example:
curl --doh-cert-status --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.76.0.

--doh-insecure
Same as -k, --insecure but used for DoH (DNS-over-HTTPS).

Providing --doh-insecure multiple times has no extra effect. Disable it again with --no-doh-insecure.

Example:
curl --doh-insecure --doh-url https://doh.example https://example.com

See also --doh-url. Added in 7.76.0.

--doh-url <URL>
Specifies which DNS-over-HTTPS (DoH) server to use to resolve hostnames, instead of using the default name resolver mechanism. The URL must be HTTPS.

Some SSL options that you set for your transfer will apply to DoH since the name lookups take place over SSL. However, the certificate verification settings are not inherited and can be con‐
trolled separately via --doh-insecure and --doh-cert-status.

This option is unset if an empty string "" is used as the URL. (Added in 7.85.0)

If --doh-url is provided several times, the last set value will be used.

Example:
curl --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.62.0.

-D, --dump-header <filename>
(HTTP FTP) Write the received protocol headers to the specified file. If no headers are received, the use of this option will create an empty file.

When used in FTP, the FTP server response lines are considered being "headers" and thus are saved there.

Having multiple transfers in one set of operations (i.e. the URLs in one -:, --next clause), will append them to the same file, separated by a blank line.

If -D, --dump-header is provided several times, the last set value will be used.

Example:
curl --dump-header store.txt https://example.com

See also -o, --output.

--egd-file <file>
(TLS) Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to the Entropy Gathering Daemon socket. The socket is used to seed the random engine for SSL connections.

If --egd-file is provided several times, the last set value will be used.

Example:
curl --egd-file /random/here https://example.com

See also --random-file.

--engine <name>
(TLS) Select the OpenSSL crypto engine to use for cipher operations. Use --engine list to print a list of build-time supported engines. Note that not all (and possibly none) of the engines
may be available at runtime.

If --engine is provided several times, the last set value will be used.

Example:
curl --engine flavor https://example.com

See also --ciphers and --curves.

--etag-compare <file>
(HTTP) This option makes a conditional HTTP request for the specific ETag read from the given file by sending a custom If-None-Match header using the stored ETag.

For correct results, make sure that the specified file contains only a single line with the desired ETag. An empty file is parsed as an empty ETag.

Use the option --etag-save to first save the ETag from a response, and then use this option to compare against the saved ETag in a subsequent request.

If --etag-compare is provided several times, the last set value will be used.

Example:
curl --etag-compare etag.txt https://example.com

See also --etag-save and -z, --time-cond. Added in 7.68.0.

--etag-save <file>
(HTTP) This option saves an HTTP ETag to the specified file. An ETag is a caching related header, usually returned in a response.

If no ETag is sent by the server, an empty file is created.

If --etag-save is provided several times, the last set value will be used.

Example:
curl --etag-save storetag.txt https://example.com

See also --etag-compare. Added in 7.68.0.

--expect100-timeout <seconds>
(HTTP) Maximum time in seconds that you allow curl to wait for a 100-continue response when curl emits an Expects: 100-continue header in its request. By default curl will wait one second.
This option accepts decimal values! When curl stops waiting, it will continue as if the response has been received.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --expect100-timeout is provided several times, the last set value will be used.

Example:
curl --expect100-timeout 2.5 -T file https://example.com

See also --connect-timeout. Added in 7.47.0.

--fail-early
Fail and exit on the first detected transfer error.

When curl is used to do multiple transfers on the command line, it will attempt to operate on each given URL, one by one. By default, it will ignore errors if there are more URLs given and
the last URL's success will determine the error code curl returns. So early failures will be "hidden" by subsequent successful transfers.

Using this option, curl will instead return an error on the first transfer that fails, independent of the amount of URLs that are given on the command line. This way, no transfer failures go
undetected by scripts and similar.

This option is global and does not need to be specified for each use of -:, --next.

This option does not imply -f, --fail, which causes transfers to fail due to the server's HTTP status code. You can combine the two options, however note -f, --fail is not global and is
therefore contained by -:, --next.

Providing --fail-early multiple times has no extra effect. Disable it again with --no-fail-early.

Example:
curl --fail-early https://example.com https://two.example

See also -f, --fail and --fail-with-body. Added in 7.52.0.

--fail-with-body
(HTTP) Return an error on server errors where the HTTP response code is 400 or greater). In normal cases when an HTTP server fails to deliver a document, it returns an HTML document stating
so (which often also describes why and more). This flag will still allow curl to output and save that content but also to return error 22.

This is an alternative option to -f, --fail which makes curl fail for the same circumstances but without saving the content.

Providing --fail-with-body multiple times has no extra effect. Disable it again with --no-fail-with-body.

Example:
curl --fail-with-body https://example.com

See also -f, --fail. This option is mutually exclusive to -f, --fail. Added in 7.76.0.

-f, --fail
(HTTP) Fail fast with no output at all on server errors. This is useful to enable scripts and users to better deal with failed attempts. In normal cases when an HTTP server fails to deliver a
document, it returns an HTML document stating so (which often also describes why and more). This flag will prevent curl from outputting that and return error 22.

This method is not fail-safe and there are occasions where non-successful response codes will slip through, especially when authentication is involved (response codes 401 and 407).

Providing -f, --fail multiple times has no extra effect. Disable it again with --no-fail.

Example:
curl --fail https://example.com

See also --fail-with-body. This option is mutually exclusive to --fail-with-body.

--false-start
(TLS) Tells curl to use false start during the TLS handshake. False start is a mode where a TLS client will start sending application data before verifying the server's Finished message, thus
saving a round trip when performing a full handshake.

This is currently only implemented in the NSS and Secure Transport (on iOS 7.0 or later, or OS X 10.9 or later) backends.

Providing --false-start multiple times has no extra effect. Disable it again with --no-false-start.

Example:
curl --false-start https://example.com

See also --tcp-fastopen. Added in 7.42.0.

--form-escape
(HTTP) Tells curl to pass on names of multipart form fields and files using backslash-escaping instead of percent-encoding.

If --form-escape is provided several times, the last set value will be used.

Example:
curl --form-escape -F 'field\name=curl' -F 'file=@load"this' https://example.com

See also -F, --form. Added in 7.81.0.

--form-string <name=string>
(HTTP SMTP IMAP) Similar to -F, --form except that the value string for the named parameter is used literally. Leading '@' and '<' characters, and the ';type=' string in the value have no
special meaning. Use this in preference to -F, --form if there's any possibility that the string value may accidentally trigger the '@' or '<' features of -F, --form.

--form-string can be used several times in a command line

Example:
curl --form-string "data" https://example.com

See also -F, --form.

-F, --form <name=content>
(HTTP SMTP IMAP) For HTTP protocol family, this lets curl emulate a filled-in form in which a user has pressed the submit button. This causes curl to POST data using the Content-Type multi‐
part/form-data according to RFC 2388.

For SMTP and IMAP protocols, this is the means to compose a multipart mail message to transmit.

This enables uploading of binary files etc. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with
the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text
field from a file.

Tell curl to read content from stdin instead of a file by using - as filename. This goes for both @ and < constructs. When stdin is used, the contents is buffered in memory first by curl to
determine its size and allow a possible resend. Defining a part's data from a named non-regular file (such as a named pipe or similar) is unfortunately not subject to buffering and will be
effectively read at transmission time; since the full size is unknown before the transfer starts, such data is sent as chunks by HTTP and rejected by IMAP.

Example: send an image to an HTTP server, where 'profile' is the name of the form-field to which the file portrait.jpg will be the input:

curl -F profile=@portrait.jpg https://example.com/upload.cgi

Example: send your name and shoe size in two text fields to the server:

curl -F name=John -F shoesize=11 https://example.com/

Example: send your essay in a text field to the server. Send it as a plain text field, but get the contents for it from a local file:

curl -F "story=<hugefile.txt" https://example.com/

You can also tell curl what Content-Type to use by using 'type=', in a manner similar to:

curl -F "web=@index.html;type=text/html" example.com

or

curl -F "name=daniel;type=text/foo" example.com

You can also explicitly change the name field of a file upload part by setting filename=, like this:

curl -F "file=@localfile;filename=nameinpost" example.com

If filename/path contains ',' or ';', it must be quoted by double-quotes like:

curl -F "file=@\"local,file\";filename=\"name;in;post\"" example.com

or

curl -F 'file=@"local,file";filename="name;in;post"' example.com

Note that if a filename/path is quoted by double-quotes, any double-quote or backslash within the filename must be escaped by backslash.

Quoting must also be applied to non-file data if it contains semicolons, leading/trailing spaces or leading double quotes:

curl -F 'colors="red; green; blue";type=text/x-myapp' example.com

You can add custom headers to the field by setting headers=, like

curl -F "submit=OK;headers=\"X-submit-type: OK\"" example.com

or

curl -F "submit=OK;headers=@headerfile" example.com

The headers= keyword may appear more that once and above notes about quoting apply. When headers are read from a file, Empty lines and lines starting with '#' are comments and ignored; each
header can be folded by splitting between two words and starting the continuation line with a space; embedded carriage-returns and trailing spaces are stripped. Here is an example of a
header file contents:

# This file contain two headers.
X-header-1: this is a header

# The following header is folded.
X-header-2: this is
another header

To support sending multipart mail messages, the syntax is extended as follows:
- name can be omitted: the equal sign is the first character of the argument,
- if data starts with '(', this signals to start a new multipart: it can be followed by a content type specification.
- a multipart can be terminated with a '=)' argument.

Example: the following command sends an SMTP mime email consisting in an inline part in two alternative formats: plain text and HTML. It attaches a text file:

curl -F '=(;type=multipart/alternative' \
-F '=plain text message' \
-F '= <body>HTML message</body>;type=text/html' \
-F '=)' -F '=@textfile.txt' ... smtp://example.com

Data can be encoded for transfer using encoder=. Available encodings are binary and 8bit that do nothing else than adding the corresponding Content-Transfer-Encoding header, 7bit that only
rejects 8-bit characters with a transfer error, quoted-printable and base64 that encodes data according to the corresponding schemes, limiting lines length to 76 characters.

Example: send multipart mail with a quoted-printable text message and a base64 attached file:

curl -F '=text message;encoder=quoted-printable' \
-F '=@localfile;encoder=base64' ... smtp://example.com

See further examples and details in the MANUAL.

-F, --form can be used several times in a command line

Example:
curl --form "name=curl" --form "file=@loadthis" https://example.com

See also -d, --data, --form-string and --form-escape. This option is mutually exclusive to -d, --data and -I, --head and -T, --upload-file.

--ftp-account <data>
(FTP) When an FTP server asks for "account data" after user name and password has been provided, this data is sent off using the ACCT command.

If --ftp-account is provided several times, the last set value will be used.

Example:
curl --ftp-account "mr.robot" ftp://example.com/

See also -u, --user.

--ftp-alternative-to-user <command>
(FTP) If authenticating with the USER and PASS commands fails, send this command. When connecting to Tumbleweed's Secure Transport server over FTPS using a client certificate, using "SITE
AUTH" will tell the server to retrieve the username from the certificate.

If --ftp-alternative-to-user is provided several times, the last set value will be used.

Example:
curl --ftp-alternative-to-user "U53r" ftp://example.com

See also --ftp-account and -u, --user.

--ftp-create-dirs
(FTP SFTP) When an FTP or SFTP URL/operation uses a path that does not currently exist on the server, the standard behavior of curl is to fail. Using this option, curl will instead attempt to
create missing directories.

Providing --ftp-create-dirs multiple times has no extra effect. Disable it again with --no-ftp-create-dirs.

Example:
curl --ftp-create-dirs -T file ftp://example.com/remote/path/file

See also --create-dirs.

--ftp-method <method>
(FTP) Control what method curl should use to reach a file on an FTP(S) server. The method argument should be one of the following alternatives:

multicwd
curl does a single CWD operation for each path part in the given URL. For deep hierarchies this means many commands. This is how RFC 1738 says it should be done. This is the default
but the slowest behavior.

nocwd curl does no CWD at all. curl will do SIZE, RETR, STOR etc and give a full path to the server for all these commands. This is the fastest behavior.

singlecwd
curl does one CWD with the full target directory and then operates on the file "normally" (like in the multicwd case). This is somewhat more standards compliant than 'nocwd' but with‐
out the full penalty of 'multicwd'.

If --ftp-method is provided several times, the last set value will be used.

Examples:
curl --ftp-method multicwd ftp://example.com/dir1/dir2/file
curl --ftp-method nocwd ftp://example.com/dir1/dir2/file
curl --ftp-method singlecwd ftp://example.com/dir1/dir2/file

See also -l, --list-only.

--ftp-pasv
(FTP) Use passive mode for the data connection. Passive is the internal default behavior, but using this option can be used to override a previous -P, --ftp-port option.

Reversing an enforced passive really is not doable but you must then instead enforce the correct -P, --ftp-port again.

Passive mode means that curl will try the EPSV command first and then PASV, unless --disable-epsv is used.

Providing --ftp-pasv multiple times has no extra effect. Disable it again with --no-ftp-pasv.

Example:
curl --ftp-pasv ftp://example.com/

See also --disable-epsv.

-P, --ftp-port <address>
(FTP) Reverses the default initiator/listener roles when connecting with FTP. This option makes curl use active mode. curl then tells the server to connect back to the client's specified ad‐
dress and port, while passive mode asks the server to setup an IP address and port for it to connect to. <address> should be one of:

interface
e.g. "eth0" to specify which interface's IP address you want to use (Unix only)

IP address
e.g. "192.168.10.1" to specify the exact IP address

host name
e.g. "my.host.domain" to specify the machine

- make curl pick the same IP address that is already used for the control connection

Disable the use of PORT with --ftp-pasv. Disable the attempt to use the EPRT command instead of PORT by using --disable-eprt. EPRT is really PORT++.

You can also append ":[start]-[end]" to the right of the address, to tell curl what TCP port range to use. That means you specify a port range, from a lower to a higher number. A single number works
as well, but do note that it increases the risk of failure since the port may not be available.

If -P, --ftp-port is provided several times, the last set value will be used.

Examples:
curl -P - ftp:/example.com
curl -P eth0 ftp:/example.com
curl -P 192.168.0.2 ftp:/example.com

See also --ftp-pasv and --disable-eprt.

--ftp-pret
(FTP) Tell curl to send a PRET command before PASV (and EPSV). Certain FTP servers, mainly drftpd, require this non-standard command for directory listings as well as up and downloads in PASV
mode.

Providing --ftp-pret multiple times has no extra effect. Disable it again with --no-ftp-pret.

Example:
curl --ftp-pret ftp://example.com/

See also -P, --ftp-port and --ftp-pasv.

--ftp-skip-pasv-ip
(FTP) Tell curl to not use the IP address the server suggests in its response to curl's PASV command when curl connects the data connection. Instead curl will re-use the same IP address it
already uses for the control connection.

Since curl 7.74.0 this option is enabled by default.

This option has no effect if PORT, EPRT or EPSV is used instead of PASV.

Providing --ftp-skip-pasv-ip multiple times has no extra effect. Disable it again with --no-ftp-skip-pasv-ip.

Example:
curl --ftp-skip-pasv-ip ftp://example.com/

See also --ftp-pasv.

--ftp-ssl-ccc-mode <active/passive>
(FTP) Sets the CCC mode. The passive mode will not initiate the shutdown, but instead wait for the server to do it, and will not reply to the shutdown from the server. The active mode initi‐
ates the shutdown and waits for a reply from the server.

Providing --ftp-ssl-ccc-mode multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc-mode.

Example:
curl --ftp-ssl-ccc-mode active --ftp-ssl-ccc ftps://example.com/

See also --ftp-ssl-ccc.

--ftp-ssl-ccc
(FTP) Use CCC (Clear Command Channel) Shuts down the SSL/TLS layer after authenticating. The rest of the control channel communication will be unencrypted. This allows NAT routers to follow
the FTP transaction. The default mode is passive.

Providing --ftp-ssl-ccc multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc.

Example:
curl --ftp-ssl-ccc ftps://example.com/

See also --ssl and --ftp-ssl-ccc-mode.

--ftp-ssl-control
(FTP) Require SSL/TLS for the FTP login, clear for transfer. Allows secure authentication, but non-encrypted data transfers for efficiency. Fails the transfer if the server does not support
SSL/TLS.

Providing --ftp-ssl-control multiple times has no extra effect. Disable it again with --no-ftp-ssl-control.

Example:
curl --ftp-ssl-control ftp://example.com

See also --ssl.

-G, --get
When used, this option will make all data specified with -d, --data, --data-binary or --data-urlencode to be used in an HTTP GET request instead of the POST request that otherwise would be
used. The data will be appended to the URL with a '?' separator.

If used in combination with -I, --head, the POST data will instead be appended to the URL with a HEAD request.

Providing -G, --get multiple times has no extra effect. Disable it again with --no-get.

Examples:
curl --get https://example.com
curl --get -d "tool=curl" -d "age=old" https://example.com
curl --get -I -d "tool=curl" https://example.com

See also -d, --data and -X, --request.

-g, --globoff
This option switches off the "URL globbing parser". When you set this option, you can specify URLs that contain the letters {}[] without having curl itself interpret them. Note that these
letters are not normal legal URL contents but they should be encoded according to the URI standard.

Providing -g, --globoff multiple times has no extra effect. Disable it again with --no-globoff.

Example:
curl -g "https://example.com/{[]}}}}"

See also -K, --config and -q, --disable.

--happy-eyeballs-timeout-ms <milliseconds>
Happy Eyeballs is an algorithm that attempts to connect to both IPv4 and IPv6 addresses for dual-stack hosts, giving IPv6 a head-start of the specified number of milliseconds. If the IPv6 ad‐
dress cannot be connected to within that time, then a connection attempt is made to the IPv4 address in parallel. The first connection to be established is the one that is used.

The range of suggested useful values is limited. Happy Eyeballs RFC 6555 says "It is RECOMMENDED that connection attempts be paced 150-250 ms apart to balance human factors against network
load." libcurl currently defaults to 200 ms. Firefox and Chrome currently default to 300 ms.

If --happy-eyeballs-timeout-ms is provided several times, the last set value will be used.

Example:
curl --happy-eyeballs-timeout-ms 500 https://example.com

See also -m, --max-time and --connect-timeout. Added in 7.59.0.

--haproxy-protocol
(HTTP) Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This is used by some load balancers and reverse proxies to indicate the client's true IP address and port.

This option is primarily useful when sending test requests to a service that expects this header.

Providing --haproxy-protocol multiple times has no extra effect. Disable it again with --no-haproxy-protocol.

Example:
curl --haproxy-protocol https://example.com

See also -x, --proxy. Added in 7.60.0.

-I, --head
(HTTP FTP FILE) Fetch the headers only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the
file size and last modification time only.

Providing -I, --head multiple times has no extra effect. Disable it again with --no-head.

Example:
curl -I https://example.com

See also -G, --get, -v, --verbose and --trace-ascii.

-H, --header <header/@file>
(HTTP IMAP SMTP) Extra header to include in information sent. When used within an HTTP request, it is added to the regular request headers.

For an IMAP or SMTP MIME uploaded mail built with -F, --form options, it is prepended to the resulting MIME document, effectively including it at the mail global level. It does not affect raw
uploaded mails (Added in 7.56.0).

You may specify any number of extra headers. Note that if you should add a custom header that has the same name as one of the internal ones curl would use, your externally set header will be
used instead of the internal one. This allows you to make even trickier stuff than curl would normally do. You should not replace internally set headers without knowing perfectly well what
you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If you send the custom header with no-value then its header
must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

This option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin. Added in 7.55.0.

Please note that most anti-spam utilities check the presence and value of several MIME mail headers: these are "From:", "To:", "Date:" and "Subject:" among others and should be added with
this option.

You need --proxy-header to send custom headers intended for an HTTP proxy. Added in 7.37.0.

Passing on a "Transfer-Encoding: chunked" header when doing an HTTP request with a request body, will make curl send the data using chunked encoding.

WARNING: headers set with this option will be set in all HTTP requests - even after redirects are followed, like when told with -L, --location. This can lead to the header being sent to other
hosts than the original host, so sensitive headers should be used with caution combined with following redirects.

-H, --header can be used several times in a command line

Examples:
curl -H "X-First-Name: Joe" https://example.com
curl -H "User-Agent: yes-please/2000" https://example.com
curl -H "Host:" https://example.com
curl -H @headers.txt https://example.com

See also -A, --user-agent and -e, --referer.

-h, --help <category>
Usage help. This lists all commands of the <category>. If no arg was provided, curl will display the most important command line arguments. If the argument "all" was provided, curl will
display all options available. If the argument "category" was provided, curl will display all categories and their meanings.

Example:
curl --help all

See also -v, --verbose.

--hostpubmd5 <md5>
(SFTP SCP) Pass a string containing 32 hexadecimal digits. The string should be the 128 bit MD5 checksum of the remote host's public key, curl will refuse the connection with the host unless
the md5sums match.

If --hostpubmd5 is provided several times, the last set value will be used.

Example:
curl --hostpubmd5 e5c1c49020640a5ab0f2034854c321a8 sftp://example.com/

See also --hostpubsha256.

--hostpubsha256 <sha256>
(SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the remote host's public key. Curl will refuse the connection with the host unless the hashes match.

This feature requires libcurl to be built with libssh2 and does not work with other SSH backends.

If --hostpubsha256 is provided several times, the last set value will be used.

Example:
curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

See also --hostpubmd5. Added in 7.80.0.

--hsts <file name>
(HTTPS) This option enables HSTS for the transfer. If the file name points to an existing HSTS cache file, that will be used. After a completed transfer, the cache will be saved to the file
name again if it has been modified.

If curl is told to use HTTP:// for a transfer involving a host name that exists in the HSTS cache, it upgrades the transfer to use HTTPS. Each HSTS cache entry has an individual life time af‐
ter which the upgrade is no longer performed.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle HSTS in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--hsts can be used several times in a command line

Example:
curl --hsts cache.txt https://example.com

See also --proto. Added in 7.74.0.

--http0.9
(HTTP) Tells curl to be fine with HTTP version 0.9 response.

HTTP/0.9 is a completely headerless response and therefore you can also connect with this to non-HTTP servers and still get a response since curl will simply transparently downgrade - if al‐
lowed.

Since curl 7.66.0, HTTP/0.9 is disabled by default.

Providing --http0.9 multiple times has no extra effect. Disable it again with --no-http0.9.

Example:
curl --http0.9 https://example.com

See also --http1.1, --http2 and --http3. Added in 7.64.0.

-0, --http1.0
(HTTP) Tells curl to use HTTP version 1.0 instead of using its internally preferred HTTP version.

Providing -0, --http1.0 multiple times has no extra effect.

Example:
curl --http1.0 https://example.com

See also --http0.9 and --http1.1. This option is mutually exclusive to --http1.1 and --http2 and --http2-prior-knowledge and --http3.

--http1.1
(HTTP) Tells curl to use HTTP version 1.1.

Providing --http1.1 multiple times has no extra effect.

Example:
curl --http1.1 https://example.com

See also -0, --http1.0 and --http0.9. This option is mutually exclusive to -0, --http1.0 and --http2 and --http2-prior-knowledge and --http3. Added in 7.33.0.

--http2-prior-knowledge
(HTTP) Tells curl to issue its non-TLS HTTP requests using HTTP/2 without HTTP/1.1 Upgrade. It requires prior knowledge that the server supports HTTP/2 straight away. HTTPS requests will
still do HTTP/2 the standard way with negotiated protocol version in the TLS handshake.

Providing --http2-prior-knowledge multiple times has no extra effect. Disable it again with --no-http2-prior-knowledge.

Example:
curl --http2-prior-knowledge https://example.com

See also --http2 and --http3. --http2-prior-knowledge requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http3. Added in 7.49.0.

--http2
(HTTP) Tells curl to use HTTP version 2.

For HTTPS, this means curl will attempt to negotiate HTTP/2 in the TLS handshake. curl does this by default.

For HTTP, this means curl will attempt to upgrade the request to HTTP/2 using the Upgrade: request header.

When curl uses HTTP/2 over HTTPS, it does not itself insist on TLS 1.2 or higher even though that is required by the specification. A user can add this version requirement with --tlsv1.2.

Providing --http2 multiple times has no extra effect.

Example:
curl --http2 https://example.com

See also --http1.1 and --http3. --http2 requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2-prior-
knowledge and --http3. Added in 7.33.0.

--http3-only
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Instructs curl to use HTTP/3 to the host in the URL, with no fallback to earlier HTTP versions. HTTP/3 can only be used for HTTPS and not for HTTP URLs. For HTTP, this option will trigger an
error.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

This option will make curl fail if a QUIC connection cannot be established, it will not attempt any other HTTP version on its own. Use --http3 for similar functionality with a fallback.

Providing --http3-only multiple times has no extra effect.

Example:
curl --http3-only https://example.com

See also --http1.1, --http2 and --http3. --http3-only requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http2-prior-knowledge and --http3. Added in 7.88.0.

--http3
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Tells curl to try HTTP/3 to the host in the URL, but fallback to earlier HTTP versions if the HTTP/3 connection establishment fails. HTTP/3 is only available for HTTPS and not for HTTP URLs.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

When asked to use HTTP/3, curl will issue a separate attempt to use older HTTP versions with a slight delay, so if the HTTP/3 transfer fails or is very slow, curl will still try to proceed
with an older HTTP version.

Use --http3-only for similar functionality without a fallback.

Providing --http3 multiple times has no extra effect.

Example:
curl --http3 https://example.com

See also --http1.1 and --http2. --http3 requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2 and
--http2-prior-knowledge and --http3-only. Added in 7.66.0.

--ignore-content-length
(FTP HTTP) For HTTP, Ignore the Content-Length header. This is particularly useful for servers running Apache 1.x, which will report incorrect Content-Length for files larger than 2 giga‐
bytes.

For FTP (since 7.46.0), skip the RETR command to figure out the size before downloading a file.

This option does not work for HTTP if libcurl was built to use hyper.

Providing --ignore-content-length multiple times has no extra effect. Disable it again with --no-ignore-content-length.

Example:
curl --ignore-content-length https://example.com

See also --ftp-skip-pasv-ip.

-i, --include
Include the HTTP response headers in the output. The HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more...

To view the request headers, consider the -v, --verbose option.

Providing -i, --include multiple times has no extra effect. Disable it again with --no-include.

Example:
curl -i https://example.com

See also -v, --verbose.

-k, --insecure
(TLS SFTP SCP) By default, every secure connection curl makes is verified to be secure before the transfer takes place. This option makes curl skip the verification step and proceed without
checking.

When this option is not used for protocols using TLS, curl verifies the server's TLS certificate before it continues: that the certificate contains the right name which matches the host name
used in the URL and that the certificate has been signed by a CA certificate present in the cert store. See this online resource for further details:
https://curl.se/docs/sslcerts.html

For SFTP and SCP, this option makes curl skip the known_hosts verification. known_hosts is a file normally stored in the user's home directory in the ".ssh" subdirectory, which contains host
names and their public keys.

WARNING: using this option makes the transfer insecure.

When curl uses secure protocols it trusts responses and allows for example HSTS and Alt-Svc information to be stored and used subsequently. Using -k, --insecure can make curl trust and use
such information from malicious servers.

Providing -k, --insecure multiple times has no extra effect. Disable it again with --no-insecure.

Example:
curl --insecure https://example.com

See also --proxy-insecure, --cacert and --capath.

--interface <name>
Perform an operation using a specified interface. You can enter interface name, IP address or host name. An example could look like:

curl --interface eth0:1 https://www.example.com/

On Linux it can be used to specify a VRF, but the binary needs to either have CAP_NET_RAW or to be run as root. More information about Linux VRF: https://www.kernel.org/doc/Documentation/net‐
working/vrf.txt

If --interface is provided several times, the last set value will be used.

Example:
curl --interface eth0 https://example.com

See also --dns-interface.

-4, --ipv4
This option tells curl to use IPv4 addresses only, and not for example try IPv6.

Providing -4, --ipv4 multiple times has no extra effect. Disable it again with --no-ipv4.

Example:
curl --ipv4 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -6, --ipv6.

-6, --ipv6
This option tells curl to use IPv6 addresses only, and not for example try IPv4.

Providing -6, --ipv6 multiple times has no extra effect. Disable it again with --no-ipv6.

Example:
curl --ipv6 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -4, --ipv4.

--json <data>
(HTTP) Sends the specified JSON data in a POST request to the HTTP server. --json works as a shortcut for passing on these three options:

--data [arg]
--header "Content-Type: application/json"
--header "Accept: application/json"

There is no verification that the passed in data is actual JSON or that the syntax is correct.

If you start the data with the letter @, the rest should be a file name to read the data from, or a single dash (-) if you want curl to read the data from stdin. Posting data from a file
named 'foobar' would thus be done with --json @foobar and to instead read the data from stdin, use --json @-.

If this option is used more than once on the same command line, the additional data pieces will be concatenated to the previous before sending.

The headers this option sets can be overridden with -H, --header as usual.

--json can be used several times in a command line

Examples:
curl --json '{ "drink": "coffe" }' https://example.com
curl --json '{ "drink":' --json ' "coffe" }' https://example.com
curl --json @prepared https://example.com
curl --json @- https://example.com < json.txt

See also --data-binary and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file. Added in 7.82.0.

-j, --junk-session-cookies
(HTTP) When curl is told to read cookies from a given file, this option will make it discard all "session cookies". This will basically have the same effect as if a new session is started.
Typical browsers always discard session cookies when they are closed down.

Providing -j, --junk-session-cookies multiple times has no extra effect. Disable it again with --no-junk-session-cookies.

Example:
curl --junk-session-cookies -b cookies.txt https://example.com

See also -b, --cookie and -c, --cookie-jar.

--keepalive-time <seconds>
This option sets the time a connection needs to remain idle before sending keepalive probes and the time between individual keepalive probes. It is currently effective on operating systems
offering the TCP_KEEPIDLE and TCP_KEEPINTVL socket options (meaning Linux, recent AIX, HP-UX and more). Keepalives are used by the TCP stack to detect broken networks on idle connections.
The number of missed keepalive probes before declaring the connection down is OS dependent and is commonly 9 or 10. This option has no effect if --no-keepalive is used.

If unspecified, the option defaults to 60 seconds.

If --keepalive-time is provided several times, the last set value will be used.

Example:
curl --keepalive-time 20 https://example.com

See also --no-keepalive and -m, --max-time.

--key-type <type>
(TLS) Private key file type. Specify which type your --key provided private key is. DER, PEM, and ENG are supported. If not specified, PEM is assumed.

If --key-type is provided several times, the last set value will be used.

Example:
curl --key-type DER --key here https://example.com

See also --key.

--key <key>
(TLS SSH) Private key file name. Allows you to provide your private key in this separate file. For SSH, if not specified, curl tries the following candidates in order: '~/.ssh/id_rsa',
'~/.ssh/id_dsa', './id_rsa', './id_dsa'.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --key-type option will be
set as "ENG" if none was provided.

If curl is built against Secure Transport or Schannel then this option is ignored for TLS protocols (HTTPS, etc). Those backends expect the private key to be already present in the keychain
or PKCS#12 file containing the certificate.

If --key is provided several times, the last set value will be used.

Example:
curl --cert certificate --key here https://example.com

See also --key-type and -E, --cert.

--krb <level>
(FTP) Enable Kerberos authentication and use. The level must be entered and should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use a level that is not one of these,
'private' will instead be used.

If --krb is provided several times, the last set value will be used.

Example:
curl --krb clear ftp://example.com/

See also --delegation and --ssl. --krb requires that the underlying libcurl was built to support Kerberos.

--libcurl <file>
Append this option to any ordinary curl command line, and you will get libcurl-using C source code written to the file that does the equivalent of what your command-line operation does!

This option is global and does not need to be specified for each use of -:, --next.

If --libcurl is provided several times, the last set value will be used.

Example:
curl --libcurl client.c https://example.com

See also -v, --verbose.

--limit-rate <speed>
Specify the maximum transfer rate you want curl to use - for both downloads and uploads. This feature is useful if you have a limited pipe and you would like your transfer not to use your en‐
tire bandwidth. To make it slower than it otherwise would be.

The given speed is measured in bytes/second, unless a suffix is appended. Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it
gigabytes. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024. Examples: 200K, 3m and 1G.

The rate limiting logic works on averaging the transfer speed to no more than the set threshold over a period of multiple seconds.

If you also use the -Y, --speed-limit option, that option will take precedence and might cripple the rate-limiting slightly, to help keeping the speed-limit logic working.

If --limit-rate is provided several times, the last set value will be used.

Examples:
curl --limit-rate 100K https://example.com
curl --limit-rate 1000 https://example.com
curl --limit-rate 10M https://example.com

See also --rate, -Y, --speed-limit and -y, --speed-time.

-l, --list-only
(FTP POP3) (FTP) When listing an FTP directory, this switch forces a name-only view. This is especially useful if the user wants to machine-parse the contents of an FTP directory since the
normal directory view does not use a standard look or format. When used like this, the option causes an NLST command to be sent to the server instead of LIST.

Note: Some FTP servers list only files in their response to NLST; they do not include sub-directories and symbolic links.

(POP3) When retrieving a specific email from POP3, this switch forces a LIST command to be performed instead of RETR. This is particularly useful if the user wants to see if a specific mes‐
sage-id exists on the server and what size it is.

Note: When combined with -X, --request, this option can be used to send a UIDL command instead, so the user may use the email's unique identifier rather than its message-id to make the re‐
quest.

Providing -l, --list-only multiple times has no extra effect. Disable it again with --no-list-only.

Example:
curl --list-only ftp://example.com/dir/

See also -Q, --quote and -X, --request.

--local-port <num/range>
Set a preferred single number or range (FROM-TO) of local port numbers to use for the connection(s). Note that port numbers by nature are a scarce resource that will be busy at times so set‐
ting this range to something too narrow might cause unnecessary connection setup failures.

If --local-port is provided several times, the last set value will be used.

Example:
curl --local-port 1000-3000 https://example.com

See also -g, --globoff.

--location-trusted
(HTTP) Like -L, --location, but will allow sending the name + password to all hosts that the site may redirect to. This may or may not introduce a security breach if the site redirects you to
a site to which you will send your authentication info (which is plaintext in the case of HTTP Basic authentication).

Providing --location-trusted multiple times has no extra effect. Disable it again with --no-location-trusted.

Example:
curl --location-trusted -u user:password https://example.com

See also -u, --user.

-L, --location
(HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request
on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐
tial host. If a redirect takes curl to a different host, it will not be able to intercept the user+password. See also --location-trusted on how to change this. You can limit the amount of
redirects to follow by using the --max-redirs option.

When curl follows a redirect and if the request is a POST, it will send the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx
code, curl will re-send the following request using the same unmodified method.

You can tell curl to not change POST requests to GET after a 30x response by using the dedicated options for that: --post301, --post302 and --post303.

The method set with -X, --request overrides the method curl would otherwise select to use.

Providing -L, --location multiple times has no extra effect. Disable it again with --no-location.

Example:
curl -L https://example.com

See also --resolve and --alt-svc.

--login-options <options>
(IMAP LDAP POP3 SMTP) Specify the login options to use during server authentication.

You can use login options to specify protocol specific options that may be used during authentication. At present only IMAP, POP3 and SMTP support login options. For more information about
login options please see RFC 2384, RFC 5092 and IETF draft draft-earhart-url-smtp-00.txt

If --login-options is provided several times, the last set value will be used.

Example:
curl --login-options 'AUTH=*' imap://example.com

See also -u, --user. Added in 7.34.0.

--mail-auth <address>
(SMTP) Specify a single address. This will be used to specify the authentication address (identity) of a submitted message that is being relayed to another server.

If --mail-auth is provided several times, the last set value will be used.

Example:
curl --mail-auth user@example.come -T mail smtp://example.com/

See also --mail-rcpt and --mail-from.

--mail-from <address>
(SMTP) Specify a single address that the given mail should get sent from.

If --mail-from is provided several times, the last set value will be used.

Example:
curl --mail-from user@example.com -T mail smtp://example.com/

See also --mail-rcpt and --mail-auth.

--mail-rcpt-allowfails
(SMTP) When sending data to multiple recipients, by default curl will abort SMTP conversation if at least one of the recipients causes RCPT TO command to return an error.

The default behavior can be changed by passing --mail-rcpt-allowfails command-line option which will make curl ignore errors and proceed with the remaining valid recipients.

If all recipients trigger RCPT TO failures and this flag is specified, curl will still abort the SMTP conversation and return the error received from to the last RCPT TO command.

Providing --mail-rcpt-allowfails multiple times has no extra effect. Disable it again with --no-mail-rcpt-allowfails.

Example:
curl --mail-rcpt-allowfails --mail-rcpt dest@example.com smtp://example.com

See also --mail-rcpt. Added in 7.69.0.

--mail-rcpt <address>
(SMTP) Specify a single email address, user name or mailing list name. Repeat this option several times to send to multiple recipients.

When performing an address verification (VRFY command), the recipient should be specified as the user name or user name and domain (as per Section 3.5 of RFC5321). (Added in 7.34.0)

When performing a mailing list expand (EXPN command), the recipient should be specified using the mailing list name, such as "Friends" or "London-Office". (Added in 7.34.0)

--mail-rcpt can be used several times in a command line

Example:
curl --mail-rcpt user@example.net smtp://example.com

See also --mail-rcpt-allowfails.

-M, --manual
Manual. Display the huge help text.

Example:
curl --manual

See also -v, --verbose, --libcurl and --trace.

--max-filesize <bytes>
(FTP HTTP MQTT) Specify the maximum size (in bytes) of a file to download. If the file requested is larger than this value, the transfer will not start and curl will return with exit code 63.

A size modifier may be used. For example, Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it gigabytes. Examples: 200K, 3m and
1G. (Added in 7.58.0)

NOTE: The file size is not always known prior to download, and for such files this option has no effect even if the file transfer ends up being larger than this given limit. If --max-file‐
size is provided several times, the last set value will be used.

Example:
curl --max-filesize 100K https://example.com

See also --limit-rate.

--max-redirs <num>
(HTTP) Set maximum number of redirections to follow. When -L, --location is used, to prevent curl from following too many redirects, by default, the limit is set to 50 redirects. Set this op‐
tion to -1 to make it unlimited.

If --max-redirs is provided several times, the last set value will be used.

Example:
curl --max-redirs 3 --location https://example.com

See also -L, --location.

-m, --max-time <fractional seconds>
Maximum time in seconds that you allow each transfer to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0,
this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision.

If you enable retrying the transfer (--retry) then the maximum time counter is reset each time the transfer is retried. You can use --retry-max-time to limit the retry time.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If -m, --max-time is provided several times, the last set value will be used.

Examples:
curl --max-time 10 https://example.com
curl --max-time 2.92 https://example.com

See also --connect-timeout and --retry-max-time.

--metalink
This option was previously used to specify a metalink resource. Metalink support has been disabled in curl since 7.78.0 for security reasons.

If --metalink is provided several times, the last set value will be used.

Example:
curl --metalink file https://example.com

See also -Z, --parallel.

--negotiate
(HTTP) Enables Negotiate (SPNEGO) authentication.

This option requires a library built with GSS-API or SSPI support. Use -V, --version to see if your curl supports GSS-API/SSPI or SPNEGO.

When using this option, you must also provide a fake -u, --user option to activate the authentication code properly. Sending a '-u :' is enough as the user name and password from the -u,
--user option are not actually used.

If this option is used several times, only the first one is used.

Providing --negotiate multiple times has no extra effect.

Example:
curl --negotiate -u : https://example.com

See also --basic, --ntlm, --anyauth and --proxy-negotiate.

--netrc-file <filename>
This option is similar to -n, --netrc, except that you provide the path (absolute or relative) to the netrc file that curl should use. You can only specify one netrc file per invocation.

It will abide by --netrc-optional if specified.

If --netrc-file is provided several times, the last set value will be used.

Example:
curl --netrc-file netrc https://example.com

See also -n, --netrc, -u, --user and -K, --config. This option is mutually exclusive to -n, --netrc.

--netrc-optional
Similar to -n, --netrc, but this option makes the .netrc usage optional and not mandatory as the -n, --netrc option does.

Providing --netrc-optional multiple times has no extra effect. Disable it again with --no-netrc-optional.

Example:
curl --netrc-optional https://example.com

See also --netrc-file. This option is mutually exclusive to -n, --netrc.

-n, --netrc
Makes curl scan the .netrc (_netrc on Windows) file in the user's home directory for login name and password. This is typically used for FTP on Unix. If used with HTTP, curl will enable user
authentication. See netrc(5) and ftp(1) for details on the file format. Curl will not complain if that file does not have the right permissions (it should be neither world- nor group-read‐
able). The environment variable "HOME" is used to find the home directory.

A quick and simple example of how to setup a .netrc to allow curl to FTP to the machine host.domain.com with user name 'myself' and password 'secret' could look similar to:

machine host.domain.com
login myself
password secret

Providing -n, --netrc multiple times has no extra effect. Disable it again with --no-netrc.

Example:
curl --netrc https://example.com

See also --netrc-file, -K, --config and -u, --user. This option is mutually exclusive to --netrc-file and --netrc-optional.

-:, --next
Tells curl to use a separate operation for the following URL and associated options. This allows you to send several URL requests, each with their own specific options, for example, such as
different user names or custom requests for each.

-:, --next will reset all local options and only global ones will have their values survive over to the operation following the -:, --next instruction. Global options include -v, --verbose,
--trace, --trace-ascii and --fail-early.

For example, you can do both a GET and a POST in a single command line:

curl www1.example.com --next -d postthis www2.example.com

-:, --next can be used several times in a command line

Examples:
curl https://example.com --next -d postthis www2.example.com
curl -I https://example.com --next https://example.net/

See also -Z, --parallel and -K, --config. Added in 7.36.0.

--no-alpn
(HTTPS) Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built with an SSL library that supports ALPN. ALPN is used by a libcurl that supports HTTP/2 to negotiate
HTTP/2 support with the server during https sessions.

Providing --no-alpn multiple times has no extra effect. Disable it again with --alpn.

Example:
curl --no-alpn https://example.com

See also --no-npn and --http2. --no-alpn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

-N, --no-buffer
Disables the buffering of the output stream. In normal work situations, curl will use a standard buffered output stream that will have the effect that it will output the data in chunks, not
necessarily exactly when the data arrives. Using this option will disable that buffering.

Providing -N, --no-buffer multiple times has no extra effect. Disable it again with --buffer.

Example:
curl --no-buffer https://example.com

See also -#, --progress-bar.

--no-clobber
When used in conjunction with the -o, --output, -J, --remote-header-name, -O, --remote-name, or --remote-name-all options, curl avoids overwriting files that already exist. Instead, a dot and
a number gets appended to the name of the file that would be created, up to filename.100 after which it will not create any file.

Note that this is the negated option name documented. You can thus use --clobber to enforce the clobbering, even if -J, --remote-header-name is specified.

Providing --no-clobber multiple times has no extra effect. Disable it again with --clobber.

Example:
curl --no-clobber --output local/dir/file https://example.com

See also -o, --output and -O, --remote-name. Added in 7.83.0.

--no-keepalive
Disables the use of keepalive messages on the TCP connection. curl otherwise enables them by default.

Note that this is the negated option name documented. You can thus use --keepalive to enforce keepalive.

Providing --no-keepalive multiple times has no extra effect. Disable it again with --keepalive.

Example:
curl --no-keepalive https://example.com

See also --keepalive-time.

--no-npn
(HTTPS) In curl 7.86.0 and later, curl never uses NPN.

Disable the NPN TLS extension. NPN is enabled by default if libcurl was built with an SSL library that supports NPN. NPN is used by a libcurl that supports HTTP/2 to negotiate HTTP/2 support
with the server during https sessions.

Providing --no-npn multiple times has no extra effect. Disable it again with --npn.

Example:
curl --no-npn https://example.com

See also --no-alpn and --http2. --no-npn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

--no-progress-meter
Option to switch off the progress meter output without muting or otherwise affecting warning and informational messages like -s, --silent does.

Note that this is the negated option name documented. You can thus use --progress-meter to enable the progress meter again.

Providing --no-progress-meter multiple times has no extra effect. Disable it again with --progress-meter.

Example:
curl --no-progress-meter -o store https://example.com

See also -v, --verbose and -s, --silent. Added in 7.67.0.

--no-sessionid
(TLS) Disable curl's use of SSL session-ID caching. By default all transfers are done using the cache. Note that while nothing should ever get hurt by attempting to reuse SSL session-IDs,
there seem to be broken SSL implementations in the wild that may require you to disable this in order for you to succeed.

Note that this is the negated option name documented. You can thus use --sessionid to enforce session-ID caching.

Providing --no-sessionid multiple times has no extra effect. Disable it again with --sessionid.

Example:
curl --no-sessionid https://example.com

See also -k, --insecure.

--noproxy <no-proxy-list>
Comma-separated list of hosts for which not to use a proxy, if one is specified. The only wildcard is a single * character, which matches all hosts, and effectively disables the proxy. Each
name in this list is matched as either a domain which contains the hostname, or the hostname itself. For example, local.com would match local.com, local.com:80, and www.local.com, but not
www.notlocal.com.

Since 7.53.0, This option overrides the environment variables that disable the proxy ('no_proxy' and 'NO_PROXY'). If there's an environment variable disabling a proxy, you can set the noproxy
list to "" to override it.

Since 7.86.0, IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the
comparison. For example "192.168.0.0/16" would match all addresses starting with "192.168".

If --noproxy is provided several times, the last set value will be used.

Example:
curl --noproxy "www.example" https://example.com

See also -x, --proxy.

--ntlm-wb
(HTTP) Enables NTLM much in the style --ntlm does, but hand over the authentication to the separate binary ntlmauth application that is executed when needed.

Providing --ntlm-wb multiple times has no extra effect.

Example:
curl --ntlm-wb -u user:password https://example.com

See also --ntlm and --proxy-ntlm.

--ntlm (HTTP) Enables NTLM authentication. The NTLM authentication method was designed by Microsoft and is used by IIS web servers. It is a proprietary protocol, reverse-engineered by clever people
and implemented in curl based on their efforts. This kind of behavior should not be endorsed, you should encourage everyone who uses NTLM to switch to a public and documented authentication
method instead, such as Digest.

If you want to enable NTLM for your proxy authentication, then use --proxy-ntlm.

If this option is used several times, only the first one is used.

Providing --ntlm multiple times has no extra effect.

Example:
curl --ntlm -u user:password https://example.com

See also --proxy-ntlm. --ntlm requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --basic and --negotiate and --digest and --anyauth.

--oauth2-bearer <token>
(IMAP LDAP POP3 SMTP HTTP) Specify the Bearer Token for OAUTH 2.0 server authentication. The Bearer Token is used in conjunction with the user name which can be specified as part of the --url
or -u, --user options.

The Bearer Token and user name are formatted according to RFC 6750.

If --oauth2-bearer is provided several times, the last set value will be used.

Example:
curl --oauth2-bearer "mF_9.B5f-4.1JqM" https://example.com

See also --basic, --ntlm and --digest. Added in 7.33.0.

--output-dir <dir>
This option specifies the directory in which files should be stored, when -O, --remote-name or -o, --output are used.

The given output directory is used for all URLs and output options on the command line, up until the first -:, --next.

If the specified target directory does not exist, the operation will fail unless --create-dirs is also used.

If --output-dir is provided several times, the last set value will be used.

Example:
curl --output-dir "tmp" -O https://example.com

See also -O, --remote-name and -J, --remote-header-name. Added in 7.73.0.

-o, --output <file>
Write output to <file> instead of stdout. If you are using {} or [] to fetch multiple documents, you should quote the URL and you can use '#' followed by a number in the <file> specifier.
That variable will be replaced with the current string for the URL being fetched. Like in:

curl "http://{one,two}.example.com" -o "file_#1.txt"

or use several variables like:

curl "http://{site,host}.host[1-5].com" -o "#1_#2"

You may use this option as many times as the number of URLs you have. For example, if you specify two URLs on the same command line, you can use it like this:

curl -o aa example.com -o bb example.net

and the order of the -o options and the URLs does not matter, just that the first -o is for the first URL and so on, so the above command line can also be written as

curl example.com example.net -o aa -o bb

See also the --create-dirs option to create the local directories dynamically. Specifying the output as '-' (a single dash) will force the output to be done to stdout.

To suppress response bodies, you can redirect output to /dev/null:

curl example.com -o /dev/null

Or for Windows use nul:

curl example.com -o nul

-o, --output can be used several times in a command line

Examples:
curl -o file https://example.com
curl "http://{one,two}.example.com" -o "file_#1.txt"
curl "http://{site,host}.host[1-5].com" -o "#1_#2"
curl -o file https://example.com -o file2 https://example.net

See also -O, --remote-name, --remote-name-all and -J, --remote-header-name.

--parallel-immediate
When doing parallel transfers, this option will instruct curl that it should rather prefer opening up more connections in parallel at once rather than waiting to see if new transfers can be
added as multiplexed streams on another connection.

This option is global and does not need to be specified for each use of -:, --next.

Providing --parallel-immediate multiple times has no extra effect. Disable it again with --no-parallel-immediate.

Example:
curl --parallel-immediate -Z https://example.com -o file1 https://example.com -o file2

See also -Z, --parallel and --parallel-max. Added in 7.68.0.

--parallel-max <num>
When asked to do parallel transfers, using -Z, --parallel, this option controls the maximum amount of transfers to do simultaneously.

This option is global and does not need to be specified for each use of -:, --next.

The default is 50.

If --parallel-max is provided several times, the last set value will be used.

Example:
curl --parallel-max 100 -Z https://example.com ftp://example.com/

See also -Z, --parallel. Added in 7.66.0.

-Z, --parallel
Makes curl perform its transfers in parallel as compared to the regular serial manner.

This option is global and does not need to be specified for each use of -:, --next.

Providing -Z, --parallel multiple times has no extra effect. Disable it again with --no-parallel.

Example:
curl --parallel https://example.com -o file1 https://example.com -o file2

See also -:, --next and -v, --verbose. Added in 7.66.0.

--pass <phrase>
(SSH TLS) Passphrase for the private key.

If --pass is provided several times, the last set value will be used.

Example:
curl --pass secret --key file https://example.com

See also --key and -u, --user.

--path-as-is
Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.

Providing --path-as-is multiple times has no extra effect. Disable it again with --no-path-as-is.

Example:
curl --path-as-is https://example.com/../../etc/passwd

See also --request-target. Added in 7.42.0.

--pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the peer. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

PEM/DER support:

7.39.0: OpenSSL, GnuTLS and GSKit

7.43.0: NSS and wolfSSL

7.47.0: mbedtls

sha256 support:

7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL

7.47.0: mbedtls

Other SSL backends not supported.

If --pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --pinnedpubkey keyfile https://example.com
curl --pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --hostpubsha256. Added in 7.39.0.

--post301
(HTTP) Tells curl to respect RFC 7231/6.4.2 and not convert POST requests into GET requests when following a 301 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post301 multiple times has no extra effect. Disable it again with --no-post301.

Example:
curl --post301 --location -d "data" https://example.com

See also --post302, --post303 and -L, --location.

--post302
(HTTP) Tells curl to respect RFC 7231/6.4.3 and not convert POST requests into GET requests when following a 302 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post302 multiple times has no extra effect. Disable it again with --no-post302.

Example:
curl --post302 --location -d "data" https://example.com

See also --post301, --post303 and -L, --location.

--post303
(HTTP) Tells curl to violate RFC 7231/6.4.4 and not convert POST requests into GET requests when following 303 redirections. A server may require a POST to remain a POST after a 303 redirect‐
ion. This option is meaningful only when using -L, --location.

Providing --post303 multiple times has no extra effect. Disable it again with --no-post303.

Example:
curl --post303 --location -d "data" https://example.com

See also --post302, --post301 and -L, --location.

--preproxy [protocol://]host[:port]
Use the specified SOCKS proxy before connecting to an HTTP or HTTPS -x, --proxy. In such a case curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy. Hence pre proxy.

The pre proxy string should be specified with a protocol:// prefix to specify alternative proxy protocols. Use socks4://, socks4a://, socks5:// or socks5h:// to request the specific SOCKS
version to be used. No protocol specified will make curl default to SOCKS4.

If the port number is not specified in the proxy string, it is assumed to be 1080.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

If --preproxy is provided several times, the last set value will be used.

Example:
curl --preproxy socks5://proxy.example -x http://http.example https://example.com

See also -x, --proxy and --socks5. Added in 7.52.0.

-#, --progress-bar
Make curl display transfer progress as a simple progress bar instead of the standard, more informational, meter.

This progress bar draws a single line of '#' characters across the screen and shows a percentage if the transfer size is known. For transfers without a known size, there will be space ship
(-=o=-) that moves back and forth but only while data is being transferred, with a set of flying hash sign symbols on top.

This option is global and does not need to be specified for each use of -:, --next.

Providing -#, --progress-bar multiple times has no extra effect. Disable it again with --no-progress-bar.

Example:
curl -# -O https://example.com

See also --styled-output.

--proto-default <protocol>
Tells curl to use protocol for any URL missing a scheme name.

An unknown or unsupported protocol causes error CURLE_UNSUPPORTED_PROTOCOL (1).

This option does not change the default proxy protocol (http).

Without this option set, curl guesses protocol based on the host name, see --url for details.

If --proto-default is provided several times, the last set value will be used.

Example:
curl --proto-default https ftp.example.com

See also --proto and --proto-redir. Added in 7.45.0.

--proto-redir <protocols>
Tells curl to limit what protocols it may use on redirect. Protocols denied by --proto are not overridden by this option. See --proto for how protocols are represented.

Example, allow only HTTP and HTTPS on redirect:

curl --proto-redir -all,http,https http://example.com

By default curl will only allow HTTP, HTTPS, FTP and FTPS on redirect (since 7.65.2). Specifying all or +all enables all protocols on redirects, which is not good for security.

If --proto-redir is provided several times, the last set value will be used.

Example:
curl --proto-redir =http,https https://example.com

See also --proto.

--proto <protocols>
Tells curl to limit what protocols it may use for transfers. Protocols are evaluated left to right, are comma separated, and are each a protocol name or 'all', optionally prefixed by zero or
more modifiers. Available modifiers are:

+ Permit this protocol in addition to protocols already permitted (this is the default if no modifier is used).

- Deny this protocol, removing it from the list of protocols already permitted.

= Permit only this protocol (ignoring the list already permitted), though subject to later modification by subsequent entries in the comma separated list.

For example:

--proto -ftps uses the default protocols, but disables ftps

--proto -all,https,+http
only enables http and https

--proto =http,https
also only enables http and https

Unknown and disabled protocols produce a warning. This allows scripts to safely rely on being able to disable potentially dangerous protocols, without relying upon support for that protocol
being built into curl to avoid an error.

This option can be used multiple times, in which case the effect is the same as concatenating the protocols into one instance of the option.

If --proto is provided several times, the last set value will be used.

Example:
curl --proto =http,https,sftp https://example.com

See also --proto-redir and --proto-default.

--proxy-anyauth
Tells curl to pick a suitable authentication method when communicating with the given HTTP proxy. This might cause an extra request/response round-trip.

Providing --proxy-anyauth multiple times has no extra effect.

Example:
curl --proxy-anyauth --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-basic and --proxy-digest.

--proxy-basic
Tells curl to use HTTP Basic authentication when communicating with the given proxy. Use --basic for enabling HTTP Basic with a remote host. Basic is the default authentication method curl
uses with proxies.

Providing --proxy-basic multiple times has no extra effect.

Example:
curl --proxy-basic --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-digest.

--proxy-cacert <file>
Same as --cacert but used in HTTPS proxy context.

If --proxy-cacert is provided several times, the last set value will be used.

Example:
curl --proxy-cacert CA-file.txt -x https://proxy https://example.com

See also --proxy-capath, --cacert, --capath and -x, --proxy. Added in 7.52.0.

--proxy-capath <dir>
Same as --capath but used in HTTPS proxy context.

If --proxy-capath is provided several times, the last set value will be used.

Example:
curl --proxy-capath /local/directory -x https://proxy https://example.com

See also --proxy-cacert, -x, --proxy and --capath. Added in 7.52.0.

--proxy-cert-type <type>
Same as --cert-type but used in HTTPS proxy context.

If --proxy-cert-type is provided several times, the last set value will be used.

Example:
curl --proxy-cert-type PEM --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert. Added in 7.52.0.

--proxy-cert <cert[:passwd]>
Same as -E, --cert but used in HTTPS proxy context.

If --proxy-cert is provided several times, the last set value will be used.

Example:
curl --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert-type. Added in 7.52.0.

--proxy-ciphers <list>
Same as --ciphers but used in HTTPS proxy context.

If --proxy-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-ciphers ECDHE-ECDSA-AES256-CCM8 -x https://proxy https://example.com

See also --ciphers, --curves and -x, --proxy. Added in 7.52.0.

--proxy-crlfile <file>
Same as --crlfile but used in HTTPS proxy context.

If --proxy-crlfile is provided several times, the last set value will be used.

Example:
curl --proxy-crlfile rejects.txt -x https://proxy https://example.com

See also --crlfile and -x, --proxy. Added in 7.52.0.

--proxy-digest
Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use --digest for enabling HTTP Digest with a remote host.

Providing --proxy-digest multiple times has no extra effect.

Example:
curl --proxy-digest --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-basic.

--proxy-header <header/@file>
(HTTP) Extra header to include in the request when sending HTTP to a proxy. You may specify any number of extra headers. This is the equivalent option to -H, --header but is for proxy commu‐
nication only like in CONNECT requests when you want a separate header sent to the proxy to what is sent to the actual remote host.

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

Headers specified with this option will not be included in requests that curl knows will not be sent to a proxy.

Starting in 7.55.0, this option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin.

This option can be used multiple times to add/replace/remove multiple headers.

--proxy-header can be used several times in a command line

Examples:
curl --proxy-header "X-First-Name: Joe" -x http://proxy https://example.com
curl --proxy-header "User-Agent: surprise" -x http://proxy https://example.com
curl --proxy-header "Host:" -x http://proxy https://example.com

See also -x, --proxy. Added in 7.37.0.

--proxy-insecure
Same as -k, --insecure but used in HTTPS proxy context.

Providing --proxy-insecure multiple times has no extra effect. Disable it again with --no-proxy-insecure.

Example:
curl --proxy-insecure -x https://proxy https://example.com

See also -x, --proxy and -k, --insecure. Added in 7.52.0.

--proxy-key-type <type>
Same as --key-type but used in HTTPS proxy context.

If --proxy-key-type is provided several times, the last set value will be used.

Example:
curl --proxy-key-type DER --proxy-key here -x https://proxy https://example.com

See also --proxy-key and -x, --proxy. Added in 7.52.0.

--proxy-key <key>
Same as --key but used in HTTPS proxy context.

If --proxy-key is provided several times, the last set value will be used.

Example:
curl --proxy-key here -x https://proxy https://example.com

See also --proxy-key-type and -x, --proxy. Added in 7.52.0.

--proxy-negotiate
Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating with the given proxy. Use --negotiate for enabling HTTP Negotiate (SPNEGO) with a remote host.

Providing --proxy-negotiate multiple times has no extra effect.

Example:
curl --proxy-negotiate --proxy-user user:passwd -x proxy https://example.com

See also --proxy-anyauth and --proxy-basic.

--proxy-ntlm
Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use --ntlm for enabling NTLM with a remote host.

Providing --proxy-ntlm multiple times has no extra effect.

Example:
curl --proxy-ntlm --proxy-user user:passwd -x http://proxy https://example.com

See also --proxy-negotiate and --proxy-anyauth.

--proxy-pass <phrase>
Same as --pass but used in HTTPS proxy context.

If --proxy-pass is provided several times, the last set value will be used.

Example:
curl --proxy-pass secret --proxy-key here -x https://proxy https://example.com

See also -x, --proxy and --proxy-key. Added in 7.52.0.

--proxy-pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the proxy. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

If --proxy-pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --proxy-pinnedpubkey keyfile https://example.com
curl --proxy-pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --pinnedpubkey and -x, --proxy. Added in 7.59.0.

--proxy-service-name <name>
This option allows you to change the service name for proxy negotiation.

If --proxy-service-name is provided several times, the last set value will be used.

Example:
curl --proxy-service-name "shrubbery" -x proxy https://example.com

See also --service-name and -x, --proxy. Added in 7.43.0.

--proxy-ssl-allow-beast
Same as --ssl-allow-beast but used in HTTPS proxy context.

Providing --proxy-ssl-allow-beast multiple times has no extra effect. Disable it again with --no-proxy-ssl-allow-beast.

Example:
curl --proxy-ssl-allow-beast -x https://proxy https://example.com

See also --ssl-allow-beast and -x, --proxy. Added in 7.52.0.

--proxy-ssl-auto-client-cert
Same as --ssl-auto-client-cert but used in HTTPS proxy context.

Providing --proxy-ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-proxy-ssl-auto-client-cert.

Example:
curl --proxy-ssl-auto-client-cert -x https://proxy https://example.com

See also --ssl-auto-client-cert and -x, --proxy. Added in 7.77.0.

--proxy-tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection to your HTTPS proxy when it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher
suite details on this URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --proxy-
ciphers option.

If --proxy-tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-tls13-ciphers TLS_AES_128_GCM_SHA256 -x proxy https://example.com

See also --tls13-ciphers and --curves. Added in 7.61.0.

--proxy-tlsauthtype <type>
Same as --tlsauthtype but used in HTTPS proxy context.

If --proxy-tlsauthtype is provided several times, the last set value will be used.

Example:
curl --proxy-tlsauthtype SRP -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlspassword <string>
Same as --tlspassword but used in HTTPS proxy context.

If --proxy-tlspassword is provided several times, the last set value will be used.

Example:
curl --proxy-tlspassword passwd -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlsuser <name>
Same as --tlsuser but used in HTTPS proxy context.

If --proxy-tlsuser is provided several times, the last set value will be used.

Example:
curl --proxy-tlsuser smith -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlspassword. Added in 7.52.0.

--proxy-tlsv1
Same as -1, --tlsv1 but used in HTTPS proxy context.

Providing --proxy-tlsv1 multiple times has no extra effect.

Example:
curl --proxy-tlsv1 -x https://proxy https://example.com

See also -x, --proxy. Added in 7.52.0.

-U, --proxy-user <user:password>
Specify the user name and password to use for proxy authentication.

If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM authentication then you can tell curl to select the user name and password from your environment by specifying a
single colon with this option: "-U :".

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

If -U, --proxy-user is provided several times, the last set value will be used.

Example:
curl --proxy-user name:pwd -x proxy https://example.com

See also --proxy-pass.

-x, --proxy [protocol://]host[:port]
Use the specified proxy.

The proxy string can be specified with a protocol:// prefix. No protocol specified or http:// will be treated as HTTP proxy. Use socks4://, socks4a://, socks5:// or socks5h:// to request a
specific SOCKS version to be used.

Unix domain sockets are supported for socks proxy. Set localhost for the host part. e.g. socks5h://localhost/path/to/socket.sock

HTTPS proxy support via https:// protocol prefix was added in 7.52.0 for OpenSSL, GnuTLS and NSS.

Unrecognized and unsupported proxy protocols cause an error since 7.52.0. Prior versions may ignore the protocol and use http:// instead.

If the port number is not specified in the proxy string, it is assumed to be 1080.

This option overrides existing environment variables that set the proxy to use. If there's an environment variable setting a proxy, you can set proxy to "" to override it.

All operations that are performed over an HTTP proxy will transparently be converted to HTTP. It means that certain protocol specific operations might not be available. This is not the case
if you can tunnel through the proxy, as one with the -p, --proxytunnel option.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

The proxy host can be specified the same way as the proxy environment variables, including the protocol prefix (http://) and the embedded user + password.

When a proxy is used, the active FTP mode as set with -P, --ftp-port, cannot be used.

If -x, --proxy is provided several times, the last set value will be used.

Example:
curl --proxy http://proxy.example https://example.com

See also --socks5 and --proxy-basic.

--proxy1.0 <host[:port]>
Use the specified HTTP 1.0 proxy. If the port number is not specified, it is assumed at port 1080.

The only difference between this and the HTTP proxy option -x, --proxy, is that attempts to use CONNECT through the proxy will specify an HTTP 1.0 protocol instead of the default HTTP 1.1.

Providing --proxy1.0 multiple times has no extra effect.

Example:
curl --proxy1.0 -x http://proxy https://example.com

See also -x, --proxy, --socks5 and --preproxy.

-p, --proxytunnel
When an HTTP proxy is used -x, --proxy, this option will make curl tunnel through the proxy. The tunnel approach is made with the HTTP proxy CONNECT request and requires that the proxy allows
direct connect to the remote port number curl wants to tunnel through to.

To suppress proxy CONNECT response headers when curl is set to output headers use --suppress-connect-headers.

Providing -p, --proxytunnel multiple times has no extra effect. Disable it again with --no-proxytunnel.

Example:
curl --proxytunnel -x http://proxy https://example.com

See also -x, --proxy.

--pubkey <key>
(SFTP SCP) Public key file name. Allows you to provide your public key in this separate file.

(As of 7.39.0, curl attempts to automatically extract the public key from the private key file, so passing this option is generally not required. Note that this public key extraction requires
libcurl to be linked against a copy of libssh2 1.2.8 or higher that is itself linked against OpenSSL.)

If --pubkey is provided several times, the last set value will be used.

Example:
curl --pubkey file.pub sftp://example.com/

See also --pass.

-Q, --quote <command>
(FTP SFTP) Send an arbitrary command to the remote FTP or SFTP server. Quote commands are sent BEFORE the transfer takes place (just after the initial PWD command in an FTP transfer, to be
exact). To make commands take place after a successful transfer, prefix them with a dash '-'.

(FTP only) To make commands be sent after curl has changed the working directory, just before the file transfer command(s), prefix the command with a '+'. This is not performed when a direc‐
tory listing is performed.

You may specify any number of commands.

By default curl will stop at first failure. To make curl continue even if the command fails, prefix the command with an asterisk (*). Otherwise, if the server returns failure for one of the
commands, the entire operation will be aborted.

You must send syntactically correct FTP commands as RFC 959 defines to FTP servers, or one of the commands listed below to SFTP servers.

This option can be used multiple times.

SFTP is a binary protocol. Unlike for FTP, curl interprets SFTP quote commands itself before sending them to the server. File names may be quoted shell-style to embed spaces or special char‐
acters. Following is the list of all supported SFTP quote commands:

atime date file
The atime command sets the last access time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for date ex‐
pression details. (Added in 7.73.0)

chgrp group file
The chgrp command sets the group ID of the file named by the file operand to the group ID specified by the group operand. The group operand is a decimal integer group ID.

chmod mode file
The chmod command modifies the file mode bits of the specified file. The mode operand is an octal integer mode number.

chown user file
The chown command sets the owner of the file named by the file operand to the user ID specified by the user operand. The user operand is a decimal integer user ID.

ln source_file target_file
The ln and symlink commands create a symbolic link at the target_file location pointing to the source_file location.

mkdir directory_name
The mkdir command creates the directory named by the directory_name operand.

mtime date file
The mtime command sets the last modification time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for
date expression details. (Added in 7.73.0)

pwd The pwd command returns the absolute pathname of the current working directory.

rename source target
The rename command renames the file or directory named by the source operand to the destination path named by the target operand.

rm file
The rm command removes the file specified by the file operand.

rmdir directory
The rmdir command removes the directory entry specified by the directory operand, provided it is empty.

symlink source_file target_file
See ln.

-Q, --quote can be used several times in a command line

Example:
curl --quote "DELE file" ftp://example.com/foo

See also -X, --request.

--random-file <file>
Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to file containing what will be considered as random data. The data may be used to seed the random engine for SSL connections.

If --random-file is provided several times, the last set value will be used.

Example:
curl --random-file rubbish https://example.com

See also --egd-file.

-r, --range <range>
(HTTP FTP SFTP FILE) Retrieve a byte range (i.e. a partial document) from an HTTP/1.1, FTP or SFTP server or a local FILE. Ranges can be specified in a number of ways.

0-499 specifies the first 500 bytes

500-999 specifies the second 500 bytes

-500 specifies the last 500 bytes

9500- specifies the bytes from offset 9500 and forward

0-0,-1 specifies the first and last byte only(*)(HTTP)

100-199,500-599
specifies two separate 100-byte ranges(*) (HTTP)

(*) = NOTE that this will cause the server to reply with a multipart response, which will be returned as-is by curl! Parsing or otherwise transforming this response is the responsibility of
the caller.

Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit character is given in the range, the server's response will be unspeci‐
fied, depending on the server's configuration.

You should also be aware that many HTTP/1.1 servers do not have this feature enabled, so that when you attempt to get a range, you will instead get the whole document.

FTP and SFTP range downloads only support the simple 'start-stop' syntax (optionally with one of the numbers omitted). FTP use depends on the extended FTP command SIZE.

If -r, --range is provided several times, the last set value will be used.

Example:
curl --range 22-44 https://example.com

See also -C, --continue-at and -a, --append.

--rate <max request rate>
Specify the maximum transfer frequency you allow curl to use - in number of transfer starts per time unit (sometimes called request rate). Without this option, curl will start the next trans‐
fer as fast as possible.

If given several URLs and a transfer completes faster than the allowed rate, curl will wait until the next transfer is started to maintain the requested rate. This option has no effect when
-Z, --parallel is used.

The request rate is provided as "N/U" where N is an integer number and U is a time unit. Supported units are 's' (second), 'm' (minute), 'h' (hour) and 'd' /(day, as in a 24 hour unit). The
default time unit, if no "/U" is provided, is number of transfers per hour.

If curl is told to allow 10 requests per minute, it will not start the next request until 6 seconds have elapsed since the previous transfer was started.

This function uses millisecond resolution. If the allowed frequency is set more than 1000 per second, it will instead run unrestricted.

When retrying transfers, enabled with --retry, the separate retry delay logic is used and not this setting.

If --rate is provided several times, the last set value will be used.

Examples:
curl --rate 2/s https://example.com
curl --rate 3/h https://example.com
curl --rate 14/m https://example.com

See also --limit-rate and --retry-delay. Added in 7.84.0.

--raw (HTTP) When used, it disables all internal HTTP decoding of content or transfer encodings and instead makes them passed on unaltered, raw.

Providing --raw multiple times has no extra effect. Disable it again with --no-raw.

Example:
curl --raw https://example.com

See also --tr-encoding.

-e, --referer <URL>
(HTTP) Sends the "Referrer Page" information to the HTTP server. This can also be set with the -H, --header flag of course. When used with -L, --location you can append ";auto" to the -e,
--referer URL to make curl automatically set the previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you do not set an initial -e, --referer.

If -e, --referer is provided several times, the last set value will be used.

Examples:
curl --referer "https://fake.example" https://example.com
curl --referer "https://fake.example;auto" -L https://example.com
curl --referer ";auto" -L https://example.com

See also -A, --user-agent and -H, --header.

-J, --remote-header-name
(HTTP) This option tells the -O, --remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL. If the server-provided file name
contains a path, that will be stripped off before the file name is used.

The file is saved in the current directory, or in the directory specified with --output-dir.

If the server specifies a file name and a file with that name already exists in the destination directory, it will not be overwritten and an error will occur - unless you allow it by using
the --clobber option. If the server does not specify a file name then this option has no effect.

There's no attempt to decode %-sequences (yet) in the provided file name, so this option may provide you with rather unexpected file names.

This feature uses the name from the "filename" field, it does not yet support the "filename*" field (filenames with explicit character sets).

WARNING: Exercise judicious use of this option, especially on Windows. A rogue server could send you the name of a DLL or other file that could be loaded automatically by Windows or some
third party software.

Providing -J, --remote-header-name multiple times has no extra effect. Disable it again with --no-remote-header-name.

Example:
curl -OJ https://example.com/file

See also -O, --remote-name.

--remote-name-all
This option changes the default action for all given URLs to be dealt with as if -O, --remote-name were used for each one. So if you want to disable that for a specific URL after --remote-
name-all has been used, you must use "-o -" or --no-remote-name.

Providing --remote-name-all multiple times has no extra effect. Disable it again with --no-remote-name-all.

Example:
curl --remote-name-all ftp://example.com/file1 ftp://example.com/file2

See also -O, --remote-name.

-O, --remote-name
Write output to a local file named like the remote file we get. (Only the file part of the remote file is used, the path is cut off.)

The file will be saved in the current working directory. If you want the file saved in a different directory, make sure you change the current working directory before invoking curl with this
option or use --output-dir.

The remote file name to use for saving is extracted from the given URL, nothing else, and if it already exists it will be overwritten. If you want the server to be able to choose the file
name refer to -J, --remote-header-name which can be used in addition to this option. If the server chooses a file name and that name already exists it will not be overwritten.

There is no URL decoding done on the file name. If it has %20 or other URL encoded parts of the name, they will end up as-is as file name.

You may use this option as many times as the number of URLs you have.

-O, --remote-name can be used several times in a command line

Example:
curl -O https://example.com/filename

See also --remote-name-all, --output-dir and -J, --remote-header-name.

-R, --remote-time
When used, this will make curl attempt to figure out the timestamp of the remote file, and if that is available make the local file get that same timestamp.

Providing -R, --remote-time multiple times has no extra effect. Disable it again with --no-remote-time.

Example:
curl --remote-time -o foo https://example.com

See also -O, --remote-name and -z, --time-cond.

--remove-on-error
When curl returns an error when told to save output in a local file, this option removes that saved file before exiting. This prevents curl from leaving a partial file in the case of an error
during transfer.

If the output is not a file, this option has no effect.

Providing --remove-on-error multiple times has no extra effect. Disable it again with --no-remove-on-error.

Example:
curl --remove-on-error -o output https://example.com

See also -f, --fail. Added in 7.83.0.

--request-target <path>
(HTTP) Tells curl to use an alternative "target" (path) instead of using the path as provided in the URL. Particularly useful when wanting to issue HTTP requests without leading slash or
other data that does not follow the regular URL pattern, like "OPTIONS *".

If --request-target is provided several times, the last set value will be used.

Example:
curl --request-target "*" -X OPTIONS https://example.com

See also -X, --request. Added in 7.55.0.

-X, --request <method>
(HTTP) Specifies a custom request method to use when communicating with the HTTP server. The specified request method will be used instead of the method otherwise used (which defaults to
GET). Read the HTTP 1.1 specification for details and explanations. Common additional HTTP requests include PUT and DELETE, but related technologies like WebDAV offers PROPFIND, COPY, MOVE
and more.

Normally you do not need this option. All sorts of GET, HEAD, POST and PUT requests are rather invoked by using dedicated command line options.

This option only changes the actual word used in the HTTP request, it does not alter the way curl behaves. So for example if you want to make a proper HEAD request, using -X HEAD will not
suffice. You need to use the -I, --head option.

The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not change request
method according to the HTTP 30x response codes - and similar.

(FTP) Specifies a custom FTP command to use instead of LIST when doing file lists with FTP.

(POP3) Specifies a custom POP3 command to use instead of LIST or RETR.

(IMAP) Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)

(SMTP) Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)

If -X, --request is provided several times, the last set value will be used.

Examples:
curl -X "DELETE" https://example.com
curl -X NLST ftp://example.com/

See also --request-target.

--resolve <[+]host:port:addr[,addr]...>
Provide a custom address for a specific host and port pair. Using this, you can make the curl requests(s) use a specified address and prevent the otherwise normally resolved address to be
used. Consider it a sort of /etc/hosts alternative provided on the command line. The port number should be the number used for the specific protocol the host will be used for. It means you
need several entries if you want to provide address for the same host but different ports.

By specifying '*' as host you can tell curl to resolve any host and specific port pair to the specified address. Wildcard is resolved last so any --resolve with a specific host and port will
be used first.

The provided address set by this option will be used even if -4, --ipv4 or -6, --ipv6 is set to make curl use another IP version.

By prefixing the host with a '+' you can make the entry time out after curl's default timeout (1 minute). Note that this will only make sense for long running parallel transfers with a lot of
files. In such cases, if this option is used curl will try to resolve the host as it normally would once the timeout has expired.

Support for providing the IP address within [brackets] was added in 7.57.0.

Support for providing multiple IP addresses per entry was added in 7.59.0.

Support for resolving with wildcard was added in 7.64.0.

Support for the '+' prefix was was added in 7.75.0.

This option can be used many times to add many host names to resolve.

--resolve can be used several times in a command line

Example:
curl --resolve example.com:443:127.0.0.1 https://example.com

See also --connect-to and --alt-svc.

--retry-all-errors
Retry on any error. This option is used together with --retry.

This option is the "sledgehammer" of retrying. Do not use this option by default (eg in curlrc), there may be unintended consequences such as sending or receiving duplicate data. Do not use
with redirected input or output. You'd be much better off handling your unique problems in shell script. Please read the example below.

WARNING: For server compatibility curl attempts to retry failed flaky transfers as close as possible to how they were started, but this is not possible with redirected input or output. For
example, before retrying it removes output data from a failed partial transfer that was written to an output file. However this is not true of data redirected to a | pipe or > file, which are
not reset. We strongly suggest you do not parse or record output via redirect in combination with this option, since you may receive duplicate data.

By default curl will not error on an HTTP response code that indicates an HTTP error, if the transfer was successful. For example, if a server replies 404 Not Found and the reply is fully re‐
ceived then that is not an error. When --retry is used then curl will retry on some HTTP response codes that indicate transient HTTP errors, but that does not include most 4xx response codes
such as 404. If you want to retry on all response codes that indicate HTTP errors (4xx and 5xx) then combine with -f, --fail.

Providing --retry-all-errors multiple times has no extra effect. Disable it again with --no-retry-all-errors.

Example:
curl --retry 5 --retry-all-errors https://example.com

See also --retry. Added in 7.71.0.

--retry-connrefused
In addition to the other conditions, consider ECONNREFUSED as a transient error too for --retry. This option is used together with --retry.

Providing --retry-connrefused multiple times has no extra effect. Disable it again with --no-retry-connrefused.

Example:
curl --retry-connrefused --retry 7 https://example.com

See also --retry and --retry-all-errors. Added in 7.52.0.

--retry-delay <seconds>
Make curl sleep this amount of time before each retry when a transfer has failed with a transient error (it changes the default backoff time algorithm between retries). This option is only
interesting if --retry is also used. Setting this delay to zero will make curl use the default backoff time.

If --retry-delay is provided several times, the last set value will be used.

Example:
curl --retry-delay 5 --retry 7 https://example.com

See also --retry.

--retry-max-time <seconds>
The retry timer is reset before the first transfer attempt. Retries will be done as usual (see --retry) as long as the timer has not reached this given limit. Notice that if the timer has not
reached the limit, the request will be made and while performing, it may take longer than this given time period. To limit a single request's maximum time, use -m, --max-time. Set this option
to zero to not timeout retries.

If --retry-max-time is provided several times, the last set value will be used.

Example:
curl --retry-max-time 30 --retry 10 https://example.com

See also --retry.

--retry <num>
If a transient error is returned when curl tries to perform a transfer, it will retry this number of times before giving up. Setting the number to 0 makes curl do no retries (which is the de‐
fault). Transient error means either: a timeout, an FTP 4xx response code or an HTTP 408, 429, 500, 502, 503 or 504 response code.

When curl is about to retry a transfer, it will first wait one second and then for all forthcoming retries it will double the waiting time until it reaches 10 minutes which then will be the
delay between the rest of the retries. By using --retry-delay you disable this exponential backoff algorithm. See also --retry-max-time to limit the total time allowed for retries.

Since curl 7.66.0, curl will comply with the Retry-After: response header if one was present to know when to issue the next retry.

If --retry is provided several times, the last set value will be used.

Example:
curl --retry 7 https://example.com

See also --retry-max-time.

--sasl-authzid <identity>
Use this authorization identity (authzid), during SASL PLAIN authentication, in addition to the authentication identity (authcid) as specified by -u, --user.

If the option is not specified, the server will derive the authzid from the authcid, but if specified, and depending on the server implementation, it may be used to access another user's in‐
box, that the user has been granted access to, or a shared mailbox for example.

If --sasl-authzid is provided several times, the last set value will be used.

Example:
curl --sasl-authzid zid imap://example.com/

See also --login-options. Added in 7.66.0.

--sasl-ir
Enable initial response in SASL authentication.

Providing --sasl-ir multiple times has no extra effect. Disable it again with --no-sasl-ir.

Example:
curl --sasl-ir imap://example.com/

See also --sasl-authzid. Added in 7.31.0.

--service-name <name>
This option allows you to change the service name for SPNEGO.

Examples: --negotiate --service-name sockd would use sockd/server-name.

If --service-name is provided several times, the last set value will be used.

Example:
curl --service-name sockd/server https://example.com

See also --negotiate and --proxy-service-name. Added in 7.43.0.

-S, --show-error
When used with -s, --silent, it makes curl show an error message if it fails.

This option is global and does not need to be specified for each use of -:, --next.

Providing -S, --show-error multiple times has no extra effect. Disable it again with --no-show-error.

Example:
curl --show-error --silent https://example.com

See also --no-progress-meter.

-s, --silent
Silent or quiet mode. Do not show progress meter or error messages. Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect it.

Use -S, --show-error in addition to this option to disable progress meter but still show error messages.

Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.

Example:
curl -s https://example.com

See also -v, --verbose, --stderr and --no-progress-meter.

--socks4 <host[:port]>
Use the specified SOCKS4 proxy. If the port number is not specified, it is assumed at port 1080. Using this socket type make curl resolve the host name and passing the address on to the
proxy.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4 proxy with -x, --proxy using a socks4:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4 is provided several times, the last set value will be used.

Example:
curl --socks4 hostname:4096 https://example.com

See also --socks4a, --socks5 and --socks5-hostname.

--socks4a <host[:port]>
Use the specified SOCKS4a proxy. If the port number is not specified, it is assumed at port 1080. This asks the proxy to resolve the host name.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4a://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4a proxy with -x, --proxy using a socks4a:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4a is provided several times, the last set value will be used.

Example:
curl --socks4a hostname:4096 https://example.com

See also --socks4, --socks5 and --socks5-hostname.

--socks5-basic
Tells curl to use username/password authentication when connecting to a SOCKS5 proxy. The username/password authentication is enabled by default. Use --socks5-gssapi to force GSS-API au‐
thentication to SOCKS5 proxies.

Providing --socks5-basic multiple times has no extra effect.

Example:
curl --socks5-basic --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-gssapi-nec
As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961 says in section 4.3/4.4 it should be protected, but the NEC reference implementation does not. The option
--socks5-gssapi-nec allows the unprotected exchange of the protection mode negotiation.

Providing --socks5-gssapi-nec multiple times has no extra effect. Disable it again with --no-socks5-gssapi-nec.

Example:
curl --socks5-gssapi-nec --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi-service <name>
The default service name for a socks server is rcmd/server-fqdn. This option allows you to change it.

Examples: --socks5 proxy-name --socks5-gssapi-service sockd would use sockd/proxy-name --socks5 proxy-name --socks5-gssapi-service sockd/real-name would use sockd/real-name for cases where
the proxy-name does not match the principal name.

If --socks5-gssapi-service is provided several times, the last set value will be used.

Example:
curl --socks5-gssapi-service sockd --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi
Tells curl to use GSS-API authentication when connecting to a SOCKS5 proxy. The GSS-API authentication is enabled by default (if curl is compiled with GSS-API support). Use --socks5-basic
to force username/password authentication to SOCKS5 proxies.

Providing --socks5-gssapi multiple times has no extra effect. Disable it again with --no-socks5-gssapi.

Example:
curl --socks5-gssapi --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-hostname <host[:port]>
Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5h://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 hostname proxy with -x, --proxy using a socks5h:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks5-hostname is provided several times, the last set value will be used.

Example:
curl --socks5-hostname proxy.example:7000 https://example.com

See also --socks5 and --socks4a.

--socks5 <host[:port]>
Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 proxy with -x, --proxy using a socks5:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

This option (as well as --socks4) does not work with IPV6, FTPS or LDAP.

If --socks5 is provided several times, the last set value will be used.

Example:
curl --socks5 proxy.example:7000 https://example.com

See also --socks5-hostname and --socks4a.

-Y, --speed-limit <speed>
If a transfer is slower than this given speed (in bytes per second) for speed-time seconds it gets aborted. speed-time is set with -y, --speed-time and is 30 if not set.

If -Y, --speed-limit is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -y, --speed-time, --limit-rate and -m, --max-time.

-y, --speed-time <seconds>
If a transfer runs slower than speed-limit bytes per second during a speed-time period, the transfer is aborted. If speed-time is used, the default speed-limit will be 1 unless set with -Y,
--speed-limit.

This option controls transfers (in both directions) but will not affect slow connects etc. If this is a concern for you, try the --connect-timeout option.

If -y, --speed-time is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -Y, --speed-limit and --limit-rate.

--ssl-allow-beast
This option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols known as BEAST. If this option is not used, the SSL layer may use workarounds known to cause inter‐
operability problems with some older SSL implementations.

WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-allow-beast multiple times has no extra effect. Disable it again with --no-ssl-allow-beast.

Example:
curl --ssl-allow-beast https://example.com

See also --proxy-ssl-allow-beast and -k, --insecure.

--ssl-auto-client-cert
Tell libcurl to automatically locate and use a client certificate for authentication, when requested by the server. This option is only supported for Schannel (the native Windows SSL li‐
brary). Prior to 7.77.0 this was the default behavior in libcurl with Schannel. Since the server can request any certificate that supports client authentication in the OS certificate store it
could be a privacy violation and unexpected.

Providing --ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-ssl-auto-client-cert.

Example:
curl --ssl-auto-client-cert https://example.com

See also --proxy-ssl-auto-client-cert. Added in 7.77.0.

--ssl-no-revoke
(Schannel) This option tells curl to disable certificate revocation checks. WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-no-revoke multiple times has no extra effect. Disable it again with --no-ssl-no-revoke.

Example:
curl --ssl-no-revoke https://example.com

See also --crlfile. Added in 7.44.0.

--ssl-reqd
(FTP IMAP POP3 SMTP LDAP) Require SSL/TLS for the connection. Terminates the connection if the transfer cannot be upgraded to use SSL/TLS.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and rejected by the generic ldap backend if explicit TLS is required.

This option is unnecessary if you use a URL scheme that in itself implies immediate and implicit use of TLS, like for FTPS, IMAPS, POP3S, SMTPS and LDAPS. Such transfers will always fail if
the TLS handshake does not work.

This option was formerly known as --ftp-ssl-reqd.

Providing --ssl-reqd multiple times has no extra effect. Disable it again with --no-ssl-reqd.

Example:
curl --ssl-reqd ftp://example.com

See also --ssl and -k, --insecure.

--ssl-revoke-best-effort
(Schannel) This option tells curl to ignore certificate revocation checks when they failed due to missing/offline distribution points for the revocation check lists.

Providing --ssl-revoke-best-effort multiple times has no extra effect. Disable it again with --no-ssl-revoke-best-effort.

Example:
curl --ssl-revoke-best-effort https://example.com

See also --crlfile and -k, --insecure. Added in 7.70.0.

--ssl (FTP IMAP POP3 SMTP LDAP) Warning: this is considered an insecure option. Consider using --ssl-reqd instead to be sure curl upgrades to a secure connection.

Try to use SSL/TLS for the connection. Reverts to a non-secure connection if the server does not support SSL/TLS. See also --ftp-ssl-control and --ssl-reqd for different levels of encryption
required.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and ignored by the generic ldap backend.

Please note that a server may close the connection if the negotiation does not succeed.

This option was formerly known as --ftp-ssl. That option name can still be used but will be removed in a future version.

Providing --ssl multiple times has no extra effect. Disable it again with --no-ssl.

Example:
curl --ssl pop3://example.com/

See also --ssl-reqd, -k, --insecure and --ciphers.

-2, --sslv2
(SSL) This option previously asked curl to use SSLv2, but starting in curl 7.77.0 this instruction is ignored. SSLv2 is widely considered insecure (see RFC 6176).

Providing -2, --sslv2 multiple times has no extra effect.

Example:
curl --sslv2 https://example.com

See also --http1.1 and --http2. -2, --sslv2 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -3, --sslv3 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

-3, --sslv3
(SSL) This option previously asked curl to use SSLv3, but starting in curl 7.77.0 this instruction is ignored. SSLv3 is widely considered insecure (see RFC 7568).

Providing -3, --sslv3 multiple times has no extra effect.

Example:
curl --sslv3 https://example.com

See also --http1.1 and --http2. -3, --sslv3 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -2, --sslv2 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

--stderr <file>
Redirect all writes to stderr to the specified file instead. If the file name is a plain '-', it is instead written to stdout.

This option is global and does not need to be specified for each use of -:, --next.

If --stderr is provided several times, the last set value will be used.

Example:
curl --stderr output.txt https://example.com

See also -v, --verbose and -s, --silent.

--styled-output
Enables the automatic use of bold font styles when writing HTTP headers to the terminal. Use --no-styled-output to switch them off.

Styled output requires a terminal that supports bold fonts. This feature is not present on curl for Windows due to lack of this capability.

This option is global and does not need to be specified for each use of -:, --next.

Providing --styled-output multiple times has no extra effect. Disable it again with --no-styled-output.

Example:
curl --styled-output -I https://example.com

See also -I, --head and -v, --verbose. Added in 7.61.0.

--suppress-connect-headers
When -p, --proxytunnel is used and a CONNECT request is made do not output proxy CONNECT response headers. This option is meant to be used with -D, --dump-header or -i, --include which are
used to show protocol headers in the output. It has no effect on debug options such as -v, --verbose or --trace, or any statistics.

Providing --suppress-connect-headers multiple times has no extra effect. Disable it again with --no-suppress-connect-headers.

Example:
curl --suppress-connect-headers --include -x proxy https://example.com

See also -D, --dump-header, -i, --include and -p, --proxytunnel. Added in 7.54.0.

--tcp-fastopen
Enable use of TCP Fast Open (RFC7413).

Providing --tcp-fastopen multiple times has no extra effect. Disable it again with --no-tcp-fastopen.

Example:
curl --tcp-fastopen https://example.com

See also --false-start. Added in 7.49.0.

--tcp-nodelay
Turn on the TCP_NODELAY option. See the curl_easy_setopt(3) man page for details about this option.

Since 7.50.2, curl sets this option by default and you need to explicitly switch it off if you do not want it on.

Providing --tcp-nodelay multiple times has no extra effect. Disable it again with --no-tcp-nodelay.

Example:
curl --tcp-nodelay https://example.com

See also -N, --no-buffer.

-t, --telnet-option <opt=val>
Pass options to the telnet protocol. Supported options are:

TTYPE=<term> Sets the terminal type.

XDISPLOC=<X display> Sets the X display location.

NEW_ENV=<var,val> Sets an environment variable.

-t, --telnet-option can be used several times in a command line

Example:
curl -t TTYPE=vt100 telnet://example.com/

See also -K, --config.

--tftp-blksize <value>
(TFTP) Set TFTP BLKSIZE option (must be >512). This is the block size that curl will try to use when transferring data to or from a TFTP server. By default 512 bytes will be used.

If --tftp-blksize is provided several times, the last set value will be used.

Example:
curl --tftp-blksize 1024 tftp://example.com/file

See also --tftp-no-options.

--tftp-no-options
(TFTP) Tells curl not to send TFTP options requests.

This option improves interop with some legacy servers that do not acknowledge or properly implement TFTP options. When this option is used --tftp-blksize is ignored.

Providing --tftp-no-options multiple times has no extra effect. Disable it again with --no-tftp-no-options.

Example:
curl --tftp-no-options tftp://192.168.0.1/

See also --tftp-blksize. Added in 7.48.0.

-z, --time-cond <time>
(HTTP FTP) Request a file that has been modified later than the given time and date, or one that has been modified before that time. The <date expression> can be all sorts of date strings or
if it does not match any internal ones, it is taken as a filename and tries to get the modification date (mtime) from <file> instead. See the curl_getdate(3) man pages for date expression de‐
tails.

Start the date expression with a dash (-) to make it request for a document that is older than the given date/time, default is a document that is newer than the specified date/time.

If -z, --time-cond is provided several times, the last set value will be used.

Examples:
curl -z "Wed 01 Sep 2021 12:18:00" https://example.com
curl -z "-Wed 01 Sep 2021 12:18:00" https://example.com
curl -z file https://example.com

See also --etag-compare and -R, --remote-time.

--tls-max <VERSION>
(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

default
Use up to recommended TLS version.

1.0 Use up to TLSv1.0.

1.1 Use up to TLSv1.1.

1.2 Use up to TLSv1.2.

1.3 Use up to TLSv1.3.

If --tls-max is provided several times, the last set value will be used.

Examples:
curl --tls-max 1.2 https://example.com
curl --tls-max 1.3 --tlsv1.2 https://example.com

See also --tlsv1.0, --tlsv1.1, --tlsv1.2 and --tlsv1.3. --tls-max requires that the underlying libcurl was built to support TLS. Added in 7.54.0.

--tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection if it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher suite details on this
URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --ciphers
option.

If --tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --tls13-ciphers TLS_AES_128_GCM_SHA256 https://example.com

See also --ciphers and --curves. Added in 7.61.0.

--tlsauthtype <type>
Set TLS authentication type. Currently, the only supported option is "SRP", for TLS-SRP (RFC 5054). If --tlsuser and --tlspassword are specified but --tlsauthtype is not, then this option de‐
faults to "SRP". This option works only if the underlying libcurl is built with TLS-SRP support, which requires OpenSSL or GnuTLS with TLS-SRP support.

If --tlsauthtype is provided several times, the last set value will be used.

Example:
curl --tlsauthtype SRP https://example.com

See also --tlsuser.

--tlspassword <string>
Set password for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlsuser also be set.

This option does not work with TLS 1.3.

If --tlspassword is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlsuser.

--tlsuser <name>
Set username for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlspassword also is set.

This option does not work with TLS 1.3.

If --tlsuser is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlspassword.

--tlsv1.0
(TLS) Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.0. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.0 multiple times has no extra effect.

Example:
curl --tlsv1.0 https://example.com

See also --tlsv1.3. Added in 7.34.0.

--tlsv1.1
(TLS) Forces curl to use TLS version 1.1 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.1. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.1 multiple times has no extra effect.

Example:
curl --tlsv1.1 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.2
(TLS) Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.2. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.2 multiple times has no extra effect.

Example:
curl --tlsv1.2 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.3
(TLS) Forces curl to use TLS version 1.3 or later when connecting to a remote TLS server.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

Note that TLS 1.3 is not supported by all TLS backends.

Providing --tlsv1.3 multiple times has no extra effect.

Example:
curl --tlsv1.3 https://example.com

See also --tlsv1.2 and --tls-max. Added in 7.52.0.

-1, --tlsv1
(SSL) Tells curl to use at least TLS version 1.x when negotiating with a remote TLS server. That means TLS version 1.0 or higher

Providing -1, --tlsv1 multiple times has no extra effect.

Example:
curl --tlsv1 https://example.com

See also --http1.1 and --http2. -1, --tlsv1 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --tlsv1.1 and --tlsv1.2 and --tlsv1.3.

--tr-encoding
(HTTP) Request a compressed Transfer-Encoding response using one of the algorithms curl supports, and uncompress the data while receiving it.

Providing --tr-encoding multiple times has no extra effect. Disable it again with --no-tr-encoding.

Example:
curl --tr-encoding https://example.com

See also --compressed.

--trace-ascii <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout.

This is similar to --trace, but leaves out the hex part and only shows the ASCII part of the dump. It makes smaller output that might be easier to read for untrained humans.

This option is global and does not need to be specified for each use of -:, --next.

If --trace-ascii is provided several times, the last set value will be used.

Example:
curl --trace-ascii log.txt https://example.com

See also -v, --verbose and --trace. This option is mutually exclusive to --trace and -v, --verbose.

--trace-time
Prepends a time stamp to each trace or verbose line that curl displays.

This option is global and does not need to be specified for each use of -:, --next.

Providing --trace-time multiple times has no extra effect. Disable it again with --no-trace-time.

Example:
curl --trace-time --trace-ascii output https://example.com

See also --trace and -v, --verbose.

--trace <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout. Use "%" as
filename to have the output sent to stderr.

This option is global and does not need to be specified for each use of -:, --next.

If --trace is provided several times, the last set value will be used.

Example:
curl --trace log.txt https://example.com

See also --trace-ascii and --trace-time. This option is mutually exclusive to -v, --verbose and --trace-ascii.

--unix-socket <path>
(HTTP) Connect through this Unix domain socket, instead of using the network.

If --unix-socket is provided several times, the last set value will be used.

Example:
curl --unix-socket socket-path https://example.com

See also --abstract-unix-socket. Added in 7.40.0.

-T, --upload-file <file>
This transfers the specified local file to the remote URL. If there is no file part in the specified URL, curl will append the local file name. NOTE that you must use a trailing / on the last
directory to really prove to Curl that there is no file name or curl will think that your last directory name is the remote file name to use. That will most likely cause the upload operation
to fail. If this is used on an HTTP(S) server, the PUT command will be used.

Use the file name "-" (a single dash) to use stdin instead of a given file. Alternately, the file name "." (a single period) may be specified instead of "-" to use stdin in non-blocking mode
to allow reading server output while stdin is being uploaded.

You can specify one -T, --upload-file for each URL on the command line. Each -T, --upload-file + URL pair specifies what to upload and to where. curl also supports "globbing" of the -T, --up‐
load-file argument, meaning that you can upload multiple files to a single URL by using the same URL globbing style supported in the URL.

When uploading to an SMTP server: the uploaded data is assumed to be RFC 5322 formatted. It has to feature the necessary set of headers and mail body formatted correctly by the user as curl
will not transcode nor encode it further in any way.

-T, --upload-file can be used several times in a command line

Examples:
curl -T file https://example.com
curl -T "img[1-1000].png" ftp://ftp.example.com/
curl --upload-file "{file1,file2}" https://example.com

See also -G, --get and -I, --head.

--url-query <data>
(all) This option adds a piece of data, usually a name + value pair, to the end of the URL query part. The syntax is identical to that used for --data-urlencode with one extension:

If the argument starts with a '+' (plus), the rest of the string is provided as-is unencoded.

The query part of a URL is the one following the question mark on the right end.

--url-query can be used several times in a command line

Examples:
curl --url-query name=val https://example.com
curl --url-query =encodethis http://example.net/foo
curl --url-query name@file https://example.com
curl --url-query @fileonly https://example.com
curl --url-query "+name=%20foo" https://example.com

See also --data-urlencode and -G, --get. Added in 7.87.0.

--url <url>
Specify a URL to fetch. This option is mostly handy when you want to specify URL(s) in a config file.

If the given URL is missing a scheme name (such as "http://" or "ftp://" etc) then curl will make a guess based on the host. If the outermost sub-domain name matches DICT, FTP, IMAP, LDAP,
POP3 or SMTP then that protocol will be used, otherwise HTTP will be used. Since 7.45.0 guessing can be disabled by setting a default protocol, see --proto-default for details.

To control where this URL is written, use the -o, --output or the -O, --remote-name options.

WARNING: On Windows, particular file:// accesses can be converted to network accesses by the operating system. Beware!

--url can be used several times in a command line

Example:
curl --url https://example.com

See also -:, --next and -K, --config.

-B, --use-ascii
(FTP LDAP) Enable ASCII transfer. For FTP, this can also be enforced by using a URL that ends with ";type=A". This option causes data sent to stdout to be in text mode for win32 systems.

Providing -B, --use-ascii multiple times has no extra effect. Disable it again with --no-use-ascii.

Example:
curl -B ftp://example.com/README

See also --crlf and --data-ascii.

-A, --user-agent <name>
(HTTP) Specify the User-Agent string to send to the HTTP server. To encode blanks in the string, surround the string with single quote marks. This header can also be set with the -H, --header
or the --proxy-header options.

If you give an empty argument to -A, --user-agent (""), it will remove the header completely from the request. If you prefer a blank header, you can set it to a single space (" ").

If -A, --user-agent is provided several times, the last set value will be used.

Example:
curl -A "Agent 007" https://example.com

See also -H, --header and --proxy-header.

-u, --user <user:password>
Specify the user name and password to use for server authentication. Overrides -n, --netrc and --netrc-optional.

If you simply specify the user name, curl will prompt for a password.

The user name and passwords are split up on the first colon, which makes it impossible to use a colon in the user name with this option. The password can, still.

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

When using Kerberos V5 with a Windows based server you should include the Windows domain name in the user name, in order for the server to successfully obtain a Kerberos Ticket. If you do
not, then the initial authentication handshake may fail.

When using NTLM, the user name can be specified simply as the user name, without the domain, if there is a single domain and forest in your setup for example.

To specify the domain name use either Down-Level Logon Name or UPN (User Principal Name) formats. For example, EXAMPLE\user and user@example.com respectively.

If you use a Windows SSPI-enabled curl binary and perform Kerberos V5, Negotiate, NTLM or Digest authentication then you can tell curl to select the user name and password from your environ‐
ment by specifying a single colon with this option: "-u :".

If -u, --user is provided several times, the last set value will be used.

Example:
curl -u user:secret https://example.com

See also -n, --netrc and -K, --config.

-v, --verbose
Makes curl verbose during the operation. Useful for debugging and seeing what's going on "under the hood". A line starting with '>' means "header data" sent by curl, '<' means "header data"
received by curl that is hidden in normal cases, and a line starting with '*' means additional info provided by curl.

If you only want HTTP headers in the output, -i, --include might be the option you are looking for.

If you think this option still does not give you enough details, consider using --trace or --trace-ascii instead.

This option is global and does not need to be specified for each use of -:, --next.

Use -s, --silent to make curl really quiet.

Providing -v, --verbose multiple times has no extra effect. Disable it again with --no-verbose.

Example:
curl --verbose https://example.com

See also -i, --include. This option is mutually exclusive to --trace and --trace-ascii.

-V, --version
Displays information about curl and the libcurl version it uses.

The first line includes the full version of curl, libcurl and other 3rd party libraries linked with the executable.

The second line (starts with "Protocols:") shows all protocols that libcurl reports to support.

The third line (starts with "Features:") shows specific features libcurl reports to offer. Available features include:

alt-svc
Support for the Alt-Svc: header is provided.

AsynchDNS
This curl uses asynchronous name resolves. Asynchronous name resolves can be done using either the c-ares or the threaded resolver backends.

brotli Support for automatic brotli compression over HTTP(S).

CharConv
curl was built with support for character set conversions (like EBCDIC)

Debug This curl uses a libcurl built with Debug. This enables more error-tracking and memory debugging etc. For curl-developers only!

gsasl The built-in SASL authentication includes extensions to support SCRAM because libcurl was built with libgsasl.

GSS-API
GSS-API is supported.

HSTS HSTS support is present.

HTTP2 HTTP/2 support has been built-in.

HTTP3 HTTP/3 support has been built-in.

HTTPS-proxy
This curl is built to support HTTPS proxy.

IDN This curl supports IDN - international domain names.

IPv6 You can use IPv6 with this.

Kerberos
Kerberos V5 authentication is supported.

Largefile
This curl supports transfers of large files, files larger than 2GB.

libz Automatic decompression (via gzip, deflate) of compressed files over HTTP is supported.

MultiSSL
This curl supports multiple TLS backends.

NTLM NTLM authentication is supported.

NTLM_WB
NTLM delegation to winbind helper is supported.

PSL PSL is short for Public Suffix List and means that this curl has been built with knowledge about "public suffixes".

SPNEGO SPNEGO authentication is supported.

SSL SSL versions of various protocols are supported, such as HTTPS, FTPS, POP3S and so on.

SSPI SSPI is supported.

TLS-SRP
SRP (Secure Remote Password) authentication is supported for TLS.

TrackMemory
Debug memory tracking is supported.

Unicode
Unicode support on Windows.

UnixSockets
Unix sockets support is provided.

zstd Automatic decompression (via zstd) of compressed files over HTTP is supported.

Example:
curl --version

See also -h, --help and -M, --manual.

-w, --write-out <format>
Make curl display information on stdout after a completed transfer. The format is a string that may contain plain text mixed with any number of variables. The format can be specified as a
literal "string", or you can have curl read the format from a file with "@filename" and to tell curl to read the format from stdin you write "@-".

The variables present in the output format will be substituted by the value or text that curl thinks fit, as described below. All variables are specified as %{variable_name} and to output a
normal % you just write them as %%. You can output a newline by using \n, a carriage return with \r and a tab space with \t.

The output will be written to standard output, but this can be switched to standard error by using %{stderr}.

Output HTTP headers from the most recent request by using %header{name} where name is the case insensitive name of the header (without the trailing colon). The header contents are exactly as
sent over the network, with leading and trailing whitespace trimmed. Added in curl 7.84.0.

NOTE: In Windows the %-symbol is a special symbol used to expand environment variables. In batch files all occurrences of % must be doubled when using this option to properly escape. If this
option is used at the command prompt then the % cannot be escaped and unintended expansion is possible.

The variables available are:

certs Output the certificate chain with details. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

content_type The Content-Type of the requested document, if there was any.

errormsg The error message. (Added in 7.75.0)

exitcode The numerical exitcode of the transfer. (Added in 7.75.0)

filename_effective
The ultimate filename that curl writes out to. This is only meaningful if curl is told to write to a file with the -O, --remote-name or -o, --output option. It's most useful in
combination with the -J, --remote-header-name option.

ftp_entry_path The initial path curl ended up in when logging on to the remote FTP server.

header_json A JSON object with all HTTP response headers from the recent transfer. Values are provided as arrays, since in the case of multiple headers there can be multiple values. (Added
in 7.83.0)

The header names provided in lowercase, listed in order of appearance over the wire. Except for duplicated headers. They are grouped on the first occurrence of that header,
each value is presented in the JSON array.

http_code The numerical response code that was found in the last retrieved HTTP(S) or FTP(s) transfer.

http_connect The numerical code that was found in the last response (from a proxy) to a curl CONNECT request.

http_version The http version that was effectively used. (Added in 7.50.0)

json A JSON object with all available keys.

local_ip The IP address of the local end of the most recently done connection - can be either IPv4 or IPv6.

local_port The local port number of the most recently done connection.

method The http method used in the most recent HTTP request. (Added in 7.72.0)

num_certs Number of server certificates received in the TLS handshake. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

num_connects Number of new connects made in the recent transfer.

num_headers The number of response headers in the most recent request (restarted at each redirect). Note that the status line IS NOT a header. (Added in 7.73.0)

num_redirects Number of redirects that were followed in the request.

onerror The rest of the output is only shown if the transfer returned a non-zero error (Added in 7.75.0)

proxy_ssl_verify_result
The result of the HTTPS proxy's SSL peer certificate verification that was requested. 0 means the verification was successful. (Added in 7.52.0)

redirect_url When an HTTP request was made without -L, --location to follow redirects (or when --max-redirs is met), this variable will show the actual URL a redirect would have gone to.

referer The Referer: header, if there was any. (Added in 7.76.0)

remote_ip The remote IP address of the most recently done connection - can be either IPv4 or IPv6.

remote_port The remote port number of the most recently done connection.

response_code The numerical response code that was found in the last transfer (formerly known as "http_code").

scheme The URL scheme (sometimes called protocol) that was effectively used. (Added in 7.52.0)

size_download The total amount of bytes that were downloaded. This is the size of the body/data that was transferred, excluding headers.

size_header The total amount of bytes of the downloaded headers.

size_request The total amount of bytes that were sent in the HTTP request.

size_upload The total amount of bytes that were uploaded. This is the size of the body/data that was transferred, excluding headers.

speed_download The average download speed that curl measured for the complete download. Bytes per second.

speed_upload The average upload speed that curl measured for the complete upload. Bytes per second.

ssl_verify_result
The result of the SSL peer certificate verification that was requested. 0 means the verification was successful.

stderr From this point on, the -w, --write-out output will be written to standard error. (Added in 7.63.0)

stdout From this point on, the -w, --write-out output will be written to standard output. This is the default, but can be used to switch back after switching to stderr. (Added in
7.63.0)

time_appconnect
The time, in seconds, it took from the start until the SSL/SSH/etc connect/handshake to the remote host was completed.

time_connect The time, in seconds, it took from the start until the TCP connect to the remote host (or proxy) was completed.

time_namelookup
The time, in seconds, it took from the start until the name resolving was completed.

time_pretransfer
The time, in seconds, it took from the start until the file transfer was just about to begin. This includes all pre-transfer commands and negotiations that are specific to the
particular protocol(s) involved.

time_redirect The time, in seconds, it took for all redirection steps including name lookup, connect, pretransfer and transfer before the final transaction was started. time_redirect shows
the complete execution time for multiple redirections.

time_starttransfer
The time, in seconds, it took from the start until the first byte was just about to be transferred. This includes time_pretransfer and also the time the server needed to calcu‐
late the result.

time_total The total time, in seconds, that the full operation lasted.

url The URL that was fetched. (Added in 7.75.0)

urlnum The URL index number of this transfer, 0-indexed. De-globbed URLs share the same index number as the origin globbed URL. (Added in 7.75.0)

url_effective The URL that was fetched last. This is most meaningful if you have told curl to follow location: headers.

If -w, --write-out is provided several times, the last set value will be used.

Example:
curl -w '%{http_code}\n' https://example.com

See also -v, --verbose and -I, --head.

--xattr
When saving output to a file, this option tells curl to store certain file metadata in extended file attributes. Currently, the URL is stored in the xdg.origin.url attribute and, for HTTP,
the content type is stored in the mime_type attribute. If the file system does not support extended attributes, a warning is issued.

Providing --xattr multiple times has no extra effect. Disable it again with --no-xattr.

Example:
curl --xattr -o storage https://example.com

See also -R, --remote-time, -w, --write-out and -v, --verbose.

FILES
~/.curlrc
Default config file, see -K, --config for details.

ENVIRONMENT
The environment variables can be specified in lower case or upper case. The lower case version has precedence. http_proxy is an exception as it is only available in lower case.

Using an environment variable to set the proxy has the same effect as using the -x, --proxy option.

http_proxy [protocol://]<host>[:port]
Sets the proxy server to use for HTTP.

HTTPS_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for HTTPS.

[url-protocol]_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for [url-protocol], where the protocol is a protocol that curl supports and as specified in a URL. FTP, FTPS, POP3, IMAP, SMTP, LDAP, etc.

ALL_PROXY [protocol://]<host>[:port]
Sets the proxy server to use if no protocol-specific proxy is set.

NO_PROXY <comma-separated list of hosts/domains>
list of host names that should not go through any proxy. If set to an asterisk '*' only, it matches all hosts. Each name in this list is matched as either a domain name which contains the
hostname, or the hostname itself.

This environment variable disables use of the proxy even when specified with the -x, --proxy option. That is NO_PROXY=direct.example.com curl -x http://proxy.example.com http://direct.exam‐
ple.com accesses the target URL directly, and NO_PROXY=direct.example.com curl -x http://proxy.example.com http://somewhere.example.com accesses the target URL through the proxy.

The list of host names can also be include numerical IP addresses, and IPv6 versions should then be given without enclosing brackets.

Since 7.86.0, IP addresses can be specified using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the comparison. For example
"192.168.0.0/16" would match all addresses starting with "192.168".

APPDATA <dir>
On Windows, this variable is used when trying to find the home directory. If the primary home variable are all unset.

COLUMNS <terminal width>
If set, the specified number of characters will be used as the terminal width when the alternative progress-bar is shown. If not set, curl will try to figure it out using other ways.

CURL_CA_BUNDLE <file>
If set, will be used as the --cacert value.

CURL_HOME <dir>
If set, is the first variable curl checks when trying to find its home directory. If not set, it continues to check XDG_CONFIG_HOME

CURL_SSL_BACKEND <TLS backend>
If curl was built with support for "MultiSSL", meaning that it has built-in support for more than one TLS backend, this environment variable can be set to the case insensitive name of the
particular backend to use when curl is invoked. Setting a name that is not a built-in alternative will make curl stay with the default.

SSL backend names (case-insensitive): bearssl, gnutls, gskit, mbedtls, nss, openssl, rustls, schannel, secure-transport, wolfssl

HOME <dir>
If set, this is used to find the home directory when that is needed. Like when looking for the default .curlrc. CURL_HOME and XDG_CONFIG_HOME have preference.

QLOGDIR <directory name>
If curl was built with HTTP/3 support, setting this environment variable to a local directory will make curl produce qlogs in that directory, using file names named after the destination con‐
nection id (in hex). Do note that these files can become rather large. Works with both QUIC backends.

SHELL Used on VMS when trying to detect if using a DCL or a "unix" shell.

SSL_CERT_DIR <dir>
If set, will be used as the --capath value.

SSL_CERT_FILE <path>
If set, will be used as the --cacert value.

SSLKEYLOGFILE <file name>
If you set this environment variable to a file name, curl will store TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using
network analyzing tools such as Wireshark. This works with the following TLS backends: OpenSSL, libressl, BoringSSL, GnuTLS, NSS and wolfSSL.

USERPROFILE <dir>
On Windows, this variable is used when trying to find the home directory. If the other, primary, variable are all unset. If set, curl will use the path "$USERPROFILE\Application Data".

XDG_CONFIG_HOME <dir>
If CURL_HOME is not set, this variable is checked when looking for a default .curlrc file.

PROXY PROTOCOL PREFIXES
The proxy string may be specified with a protocol:// prefix to specify alternative proxy protocols.

If no protocol is specified in the proxy string or if the string does not match a supported one, the proxy will be treated as an HTTP proxy.

The supported proxy protocol prefixes are as follows:

http://
Makes it use it as an HTTP proxy. The default if no scheme prefix is used.

https://
Makes it treated as an HTTPS proxy.

socks4://
Makes it the equivalent of --socks4

socks4a://
Makes it the equivalent of --socks4a

socks5://
Makes it the equivalent of --socks5

socks5h://
Makes it the equivalent of --socks5-hostname

EXIT CODES
There are a bunch of different error codes and their corresponding error messages that may appear under error conditions. At the time of this writing, the exit codes are:

0 Success. The operation completed successfully according to the instructions.

1 Unsupported protocol. This build of curl has no support for this protocol.

2 Failed to initialize.

3 URL malformed. The syntax was not correct.

4 A feature or option that was needed to perform the desired request was not enabled or was explicitly disabled at build-time. To make curl able to do this, you probably need another build of
libcurl.

5 Could not resolve proxy. The given proxy host could not be resolved.

6 Could not resolve host. The given remote host could not be resolved.

7 Failed to connect to host.

8 Weird server reply. The server sent data curl could not parse.

9 FTP access denied. The server denied login or denied access to the particular resource or directory you wanted to reach. Most often you tried to change to a directory that does not exist on
the server.

10 FTP accept failed. While waiting for the server to connect back when an active FTP session is used, an error code was sent over the control connection or similar.

11 FTP weird PASS reply. Curl could not parse the reply sent to the PASS request.

12 During an active FTP session while waiting for the server to connect back to curl, the timeout expired.

13 FTP weird PASV reply, Curl could not parse the reply sent to the PASV request.

14 FTP weird 227 format. Curl could not parse the 227-line the server sent.

15 FTP cannot use host. Could not resolve the host IP we got in the 227-line.

16 HTTP/2 error. A problem was detected in the HTTP2 framing layer. This is somewhat generic and can be one out of several problems, see the error message for details.

17 FTP could not set binary. Could not change transfer method to binary.

18 Partial file. Only a part of the file was transferred.

19 FTP could not download/access the given file, the RETR (or similar) command failed.

21 FTP quote error. A quote command returned error from the server.

22 HTTP page not retrieved. The requested URL was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.

23 Write error. Curl could not write data to a local filesystem or similar.

25 FTP could not STOR file. The server denied the STOR operation, used for FTP uploading.

26 Read error. Various reading problems.

27 Out of memory. A memory allocation request failed.

28 Operation timeout. The specified time-out period was reached according to the conditions.

30 FTP PORT failed. The PORT command failed. Not all FTP servers support the PORT command, try doing a transfer using PASV instead!

31 FTP could not use REST. The REST command failed. This command is used for resumed FTP transfers.

33 HTTP range error. The range "command" did not work.

34 HTTP post error. Internal post-request generation error.

35 SSL connect error. The SSL handshaking failed.

36 Bad download resume. Could not continue an earlier aborted download.

37 FILE could not read file. Failed to open the file. Permissions?

38 LDAP cannot bind. LDAP bind operation failed.

39 LDAP search failed.

41 Function not found. A required LDAP function was not found.

42 Aborted by callback. An application told curl to abort the operation.

43 Internal error. A function was called with a bad parameter.

45 Interface error. A specified outgoing interface could not be used.

47 Too many redirects. When following redirects, curl hit the maximum amount.

48 Unknown option specified to libcurl. This indicates that you passed a weird option to curl that was passed on to libcurl and rejected. Read up in the manual!

49 Malformed telnet option.

52 The server did not reply anything, which here is considered an error.

53 SSL crypto engine not found.

54 Cannot set SSL crypto engine as default.

55 Failed sending network data.

56 Failure in receiving network data.

58 Problem with the local certificate.

59 Could not use specified SSL cipher.

60 Peer certificate cannot be authenticated with known CA certificates.

61 Unrecognized transfer encoding.

63 Maximum file size exceeded.

64 Requested FTP SSL level failed.

65 Sending the data requires a rewind that failed.

66 Failed to initialise SSL Engine.

67 The user name, password, or similar was not accepted and curl failed to log in.

68 File not found on TFTP server.

69 Permission problem on TFTP server.

70 Out of disk space on TFTP server.

71 Illegal TFTP operation.

72 Unknown TFTP transfer ID.

73 File already exists (TFTP).

74 No such user (TFTP).

77 Problem reading the SSL CA cert (path? access rights?).

78 The resource referenced in the URL does not exist.

79 An unspecified error occurred during the SSH session.

80 Failed to shut down the SSL connection.

82 Could not load CRL file, missing or wrong format.

83 Issuer check failed.

84 The FTP PRET command failed.

85 Mismatch of RTSP CSeq numbers.

86 Mismatch of RTSP Session Identifiers.

87 Unable to parse FTP file list.

88 FTP chunk callback reported error.

89 No connection available, the session will be queued.

90 SSL public key does not matched pinned public key.

91 Invalid SSL certificate status.

92 Stream error in HTTP/2 framing layer.

93 An API function was called from inside a callback.

94 An authentication function returned an error.

95 A problem was detected in the HTTP/3 layer. This is somewhat generic and can be one out of several problems, see the error message for details.

96 QUIC connection error. This error may be caused by an SSL library error. QUIC is the protocol used for HTTP/3 transfers.

XX More error codes will appear here in future releases. The existing ones are meant to never change.

BUGS
If you experience any problems with curl, submit an issue in the project's bug tracker on GitHub: https://github.com/curl/curl/issues

AUTHORS / CONTRIBUTORS
Daniel Stenberg is the main author, but the whole list of contributors is found in the separate THANKS file.

WWW
https://curl.se

SEE ALSO
ftp(1), wget(1)

curl 7.88.1 February 19 2023 curl(1)
</nowiki>

CURL - Manpage

2026-02-25T12:41:43Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Examples ==

=== Force to Connect to a given Host ===

Connect to host2 instead of host1 :
<nowiki>
--connect-to <HOST1:PORT1:HOST2:PORT2></nowiki>

=== Get the HTTP Headers of a URL ===

<nowiki>
curl -I --http2 https://<URL></nowiki>

=== Follow Redirects ===

<nowiki>
curl -L <URL></nowiki>

=== Testing The Download Time ===

<nowiki>
curl -D - https://www.ubuntu.com -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Mon, 21 Jul 2025 10:04:33 GMT
content-type: text/html
content-length: 162
location: https://ubuntu.com/
strict-transport-security: max-age=15724800
link: <https://assets.ubuntu.com>; rel=preconnect; crossorigin, <https://assets.ubuntu.com>; rel=preconnect, <https://res.cloudinary.com>; rel=preconnect
x-cache-status: HIT from content-cache-il3/1

100 162 100 162 0 0 367 0 --:--:-- --:--:-- --:--:-- 368</nowiki>

=== Recording Cookies ===

<nowiki>
curl --cookie-jar received_cookies.txt https://URL -O</nowiki>

== curl --help all ==

<nowiki>
curl --help all
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--alt-svc <filename> Enable alt-svc with this cache file
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--aws-sigv4 <provider1[:prvdr2[:reg[:srv]]]> AWS V4 signature auth
--basic HTTP Basic Authentication
--ca-native Load CA certs from the OS
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify server cert status OCSP-staple
--cert-type <type> Certificate type (DER/PEM/ENG/PROV/P12)
--ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed to connect
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host2 instead of host1
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data|filename> Send cookies from string/load from file
-c, --cookie-jar <filename> Save cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--create-file-mode <mode> File mode for created files
--crlf Convert LF to CRLF in upload
--crlfile <file> Certificate Revocation list
--curves <list> (EC) TLS key exchange algorithms to request
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data URL encoded
--delegation <LEVEL> GSS-API delegation permission
--digest HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--disallow-username-in-url Disallow username in URL
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
--doh-cert-status Verify DoH server cert status OCSP-staple
--doh-insecure Allow insecure DoH server connections
--doh-url <URL> Resolve hostnames over DoH
--dump-ca-embed Write the embedded CA bundle to standard output
-D, --dump-header <filename> Write the received headers to <filename>
--ech <config> Configure ECH
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--etag-compare <file> Load ETag from file
--etag-save <file> Parse incoming ETag and save to a file
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail fast with no output on HTTP errors
--fail-early Fail on first transfer error
--fail-with-body Fail on HTTP errors but save the body
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-escape Escape form fields using backslash
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Send PASV/EPSV instead of PORT
-P, --ftp-port <address> Send PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require TLS for login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL globbing with {} and []
--happy-eyeballs-timeout-ms <ms> Time for IPv6 before IPv4
--haproxy-clientip <ip> Set address in HAProxy PROXY
--haproxy-protocol Send HAProxy PROXY protocol v1 header
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help <subject> Get help for commands
--hostpubmd5 <md5> Acceptable MD5 hash of host public key
--hostpubsha256 <sha256> Acceptable SHA256 hash of host public key
--hsts <filename> Enable HSTS with this cache file
--http0.9 Allow HTTP/0.9 responses
-0, --http1.0 Use HTTP/1.0
--http1.1 Use HTTP/1.1
--http2 Use HTTP/2
--http2-prior-knowledge Use HTTP/2 without HTTP/1.1 Upgrade
--http3 Use HTTP/3
--http3-only Use HTTP/3 only
--ignore-content-length Ignore the size of the remote resource
-k, --insecure Allow insecure server connections
--interface <name> Use network interface
--ip-tos <string> Set IP Type of Service or Traffic Class
--ipfs-gateway <URL> Gateway for IPFS
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
--json <data> HTTP POST JSON
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-cnt <integer> Maximum number of keepalive probes
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key filename
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Generate libcurl code for this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <range> Use a local port number within RANGE
-L, --location Follow redirects
--location-trusted As --location, but send secrets to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail to this address
--mail-rcpt-allowfails Allow RCPT TO command to fail
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <seconds> Maximum time allowed for transfer
--metalink Process given URLs as metalink XML file
--mptcp Enable Multipath TCP
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for username and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use separate options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-clobber Do not overwrite files that already exist
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-progress-meter Do not show the progress meter
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm HTTP NTLM authentication
--ntlm-wb HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--output-dir <dir> Directory to save files in
-Z, --parallel Perform transfers in parallel
--parallel-immediate Do not wait for multiplexing
--parallel-max <num> Maximum concurrency for parallel transfers
--pass <phrase> Passphrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> Public key to verify peer against
--post301 Do not switch to GET after a 301 redirect
--post302 Do not switch to GET after a 302 redirect
--post303 Do not switch to GET after a 303 redirect
--preproxy <[protocol://]host[:port]> Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy <[protocol://]host[:port]> Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-ca-native Load CA certs from the OS to verify proxy
--proxy-cacert <file> CA certificates to verify proxy against
--proxy-capath <dir> CA directory to verify proxy against
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTPS proxy
--proxy-ciphers <list> TLS 1.2 (1.1, 1.0) ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Digest auth with the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-http2 Use HTTP/2 with HTTPS proxy
--proxy-insecure Skip HTTPS proxy cert verification
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate HTTP Negotiate (SPNEGO) auth with the proxy
--proxy-ntlm NTLM authentication with the proxy
--proxy-pass <phrase> Passphrase for private key for HTTPS proxy
--proxy-pinnedpubkey <hashes> FILE/HASHES public key to verify proxy with
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow this security flaw for HTTPS proxy
--proxy-ssl-auto-client-cert Auto client certificate for proxy
--proxy-tls13-ciphers <list> TLS 1.3 proxy cipher suites
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key filename
-Q, --quote <command> Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--rate <max request rate> Request rate for serial transfers
--raw Do HTTP raw; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to file named as remote file
--remote-name-all Use the remote filename for all URLs
-R, --remote-time Set remote file's time on local output
--remove-on-error Remove output file on errors
-X, --request <method> Specify request method to use
--request-target <path> Specify the target for this request
--resolve <[+]host:port:addr[,addr]...> Resolve host+port to address
--retry <num> Retry request if transient problems occur
--retry-all-errors Retry all errors (with --retry)
--retry-connrefused Retry on connection refused (with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-authzid <identity> Identity for SASL PLAIN authentication
--sasl-ir Initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-i, --show-headers Show response headers in output
--sigalgs <list> TLS signature algorithms to use
-s, --silent Silent mode
--skip-existing Skip download if local file already exists
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass hostname to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try enabling TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-auto-client-cert Use auto client certificate (Schannel)
--ssl-no-revoke Disable cert revocation checks (Schannel)
--ssl-reqd Require SSL/TLS
--ssl-revoke-best-effort Ignore missing cert CRL dist points
--ssl-sessions <filename> Load/save SSL session tickets from/to this file
-2, --sslv2 SSLv2
-3, --sslv3 SSLv3
--stderr <file> Where to redirect stderr
--styled-output Enable styled output for HTTP headers
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Set TCP_NODELAY
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-earlydata Allow use of TLSv1.3 early data (0RTT)
--tls-max <VERSION> Maximum allowed TLS version
--tls13-ciphers <list> TLS 1.3 cipher suites to use
--tlsauthtype <type> TLS authentication type
--tlspassword <string> TLS password
--tlsuser <name> TLS username
-1, --tlsv1 TLSv1.0 or greater
--tlsv1.0 TLSv1.0 or greater
--tlsv1.1 TLSv1.1 or greater
--tlsv1.2 TLSv1.2 or greater
--tlsv1.3 TLSv1.3 or greater
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-config <string> Details to log in trace/verbose output
--trace-ids Transfer + connection ids in verbose output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--upload-flags <flags> IMAP upload behavior
--url <url/file> URL(s) to work with
--url-query <data> Add a URL query part
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
--variable <[%]name=text/@file> Set variable
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
--vlan-priority <priority> Set VLAN priority
-w, --write-out <format> Output FORMAT after completion
--xattr Store metadata in extended file attributes</nowiki>

== Manpage ==

<nowiki>
curl(1) curl Manual curl(1)

NAME
curl - transfer a URL

SYNOPSIS
curl [options / URLs]

DESCRIPTION
curl is a tool for transferring data from or to a server. It supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS,
RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. The command is designed to work without user interaction.

curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume and more. As you will see below, the number of
features will make your head spin.

curl is powered by libcurl for all transfer-related features. See libcurl(3) for details.

URL
The URL syntax is protocol-dependent. You find a detailed description in RFC 3986.

You can specify multiple URLs or parts of URLs by writing part sets within braces and quoting the URL as in:

"http://site.{one,two,three}.com"

or you can get sequences of alphanumeric series by using [] as in:

"ftp://ftp.example.com/file[1-100].txt"

"ftp://ftp.example.com/file[001-100].txt" (with leading zeros)

"ftp://ftp.example.com/file[a-z].txt"

Nested sequences are not supported, but you can use several ones next to each other:

"http://example.com/archive[1996-1999]/vol[1-4]/part{a,b,c}.html"

You can specify any amount of URLs on the command line. They will be fetched in a sequential manner in the specified order. You can specify command line options and URLs mixed and in any order on
the command line.

You can specify a step counter for the ranges to get every Nth number or letter:

"http://example.com/file[1-100:10].txt"

"http://example.com/file[a-z:2].txt"

When using [] or {} sequences when invoked from a command line prompt, you probably have to put the full URL within double quotes to avoid the shell from interfering with it. This also goes for
other characters treated special, like for example '&', '?' and '*'.

Provide the IPv6 zone index in the URL with an escaped percentage sign and the interface name. Like in

"http://[fe80::3%25eth0]/"

If you specify URL without protocol:// prefix, curl will attempt to guess what protocol you might want. It will then default to HTTP but try other protocols based on often-used host name prefixes.
For example, for host names starting with "ftp." curl will assume you want to speak FTP.

curl will do its best to use what you pass to it as a URL. It is not trying to validate it as a syntactically correct URL by any means but is fairly liberal with what it accepts.

curl will attempt to re-use connections for multiple file transfers, so that getting many files from the same server will not do multiple connects / handshakes. This improves speed. Of course this
is only done on files specified on a single command line and cannot be used between separate curl invocations.

OUTPUT
If not told otherwise, curl writes the received data to stdout. It can be instructed to instead save that data into a local file, using the -o, --output or -O, --remote-name options. If curl is
given multiple URLs to transfer on the command line, it similarly needs multiple options for where to save them.

curl does not parse or otherwise "understand" the content it gets or writes as output. It does no encoding or decoding, unless explicitly asked to with dedicated command line options.

PROTOCOLS
curl supports numerous protocols, or put in URL terms: schemes. Your particular build may not support them all.

DICT Lets you lookup words using online dictionaries.

FILE Read or write local files. curl does not support accessing file:// URL remotely, but when running on Microsoft Windows using the native UNC approach will work.

FTP(S) curl supports the File Transfer Protocol with a lot of tweaks and levers. With or without using TLS.

GOPHER(S)
Retrieve files.

HTTP(S)
curl supports HTTP with numerous options and variations. It can speak HTTP version 0.9, 1.0, 1.1, 2 and 3 depending on build options and the correct command line options.

IMAP(S)
Using the mail reading protocol, curl can "download" emails for you. With or without using TLS.

LDAP(S)
curl can do directory lookups for you, with or without TLS.

MQTT curl supports MQTT version 3. Downloading over MQTT equals "subscribe" to a topic while uploading/posting equals "publish" on a topic. MQTT over TLS is not supported (yet).

POP3(S)
Downloading from a pop3 server means getting a mail. With or without using TLS.

RTMP(S)
The Realtime Messaging Protocol is primarily used to server streaming media and curl can download it.

RTSP curl supports RTSP 1.0 downloads.

SCP curl supports SSH version 2 scp transfers.

SFTP curl supports SFTP (draft 5) done over SSH version 2.

SMB(S) curl supports SMB version 1 for upload and download.

SMTP(S)
Uploading contents to an SMTP server means sending an email. With or without TLS.

TELNET Telling curl to fetch a telnet URL starts an interactive session where it sends what it reads on stdin and outputs what the server sends it.

TFTP curl can do TFTP downloads and uploads.

PROGRESS METER
curl normally displays a progress meter during operations, indicating the amount of transferred data, transfer speeds and estimated time left, etc. The progress meter displays the transfer rate in
bytes per second. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024 bytes. 1M is 1048576 bytes.

curl displays this data to the terminal by default, so if you invoke curl to do an operation and it is about to write data to the terminal, it disables the progress meter as otherwise it would mess
up the output mixing progress meter and response data.

If you want a progress meter for HTTP POST or PUT requests, you need to redirect the response output to a file, using shell redirect (>), -o, --output or similar.

This does not apply to FTP upload as that operation does not spit out any response data to the terminal.

If you prefer a progress "bar" instead of the regular meter, -#, --progress-bar is your friend. You can also disable the progress meter completely with the -s, --silent option.

OPTIONS
Options start with one or two dashes. Many of the options require an additional value next to them.

The short "single-dash" form of the options, -d for example, may be used with or without a space between it and its value, although a space is a recommended separator. The long "double-dash" form,
-d, --data for example, requires a space between it and its value.

Short version options that do not need any additional values can be used immediately next to each other, like for example you can specify all the options -O, -L and -v at once as -OLv.

In general, all boolean options are enabled with --option and yet again disabled with --no-option. That is, you use the same option name but prefix it with "no-". However, in this list we mostly
only list and show the --option version of them.

--abstract-unix-socket <path>
(HTTP) Connect through an abstract Unix domain socket, instead of using the network. Note: netstat shows the path of an abstract socket prefixed with '@', however the <path> argument should
not have this leading character.

If --abstract-unix-socket is provided several times, the last set value will be used.

Example:
curl --abstract-unix-socket socketpath https://example.com

See also --unix-socket. Added in 7.53.0.

--alt-svc <file name>
(HTTPS) This option enables the alt-svc parser in curl. If the file name points to an existing alt-svc cache file, that will be used. After a completed transfer, the cache will be saved to
the file name again if it has been modified.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle the cache in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--alt-svc can be used several times in a command line

Example:
curl --alt-svc svc.txt https://example.com

See also --resolve and --connect-to. Added in 7.64.1.

--anyauth
(HTTP) Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support. This is done by first doing a request and checking the re‐
sponse-headers, thus possibly inducing an extra network round-trip. This is used instead of setting a specific authentication method, which you can do with --basic, --digest, --ntlm, and
--negotiate.

Using --anyauth is not recommended if you do uploads from stdin, since it may require data to be sent twice and then the client must be able to rewind. If the need should arise when uploading
from stdin, the upload operation will fail.

Used together with -u, --user.

Providing --anyauth multiple times has no extra effect.

Example:
curl --anyauth --user me:pwd https://example.com

See also --proxy-anyauth, --basic and --digest.

-a, --append
(FTP SFTP) When used in an upload, this makes curl append to the target file instead of overwriting it. If the remote file does not exist, it will be created. Note that this flag is ignored
by some SFTP servers (including OpenSSH).

Providing -a, --append multiple times has no extra effect. Disable it again with --no-append.

Example:
curl --upload-file local --append ftp://example.com/

See also -r, --range and -C, --continue-at.

--aws-sigv4 <provider1[:provider2[:region[:service]]]>
Use AWS V4 signature authentication in the transfer.

The provider argument is a string that is used by the algorithm when creating outgoing authentication headers.

The region argument is a string that points to a geographic area of a resources collection (region-code) when the region name is omitted from the endpoint.

The service argument is a string that points to a function provided by a cloud (service-code) when the service name is omitted from the endpoint.

If --aws-sigv4 is provided several times, the last set value will be used.

Example:
curl --aws-sigv4 "aws:amz:east-2:es" --user "key:secret" https://example.com

See also --basic and -u, --user. Added in 7.75.0.

--basic
(HTTP) Tells curl to use HTTP Basic authentication with the remote host. This is the default and this option is usually pointless, unless you use it to override a previously set option that
sets a different authentication method (such as --ntlm, --digest, or --negotiate).

Used together with -u, --user.

Providing --basic multiple times has no extra effect.

Example:
curl -u name:password --basic https://example.com

See also --proxy-basic.

--cacert <file>
(TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format. Normally curl is built to
use a default file for this, so this option is typically used to alter that default file.

curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set, and uses the given path as a path to a CA cert bundle. This option overrides that variable.

The windows version of curl will automatically look for a CA certs file named 'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the Current Working Directory, or in any
folder along your PATH.

If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module (libnsspem.so) needs to be available for this option to work properly.

(iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not
set, then curl will use the certificates in the system and user Keychain to verify the peer, which is the preferred method of verifying the peer's certificate chain.

(Schannel only) This option is supported for Schannel in Windows 7 or later with libcurl 7.60 or later. This option is supported for backward compatibility with other SSL engines; instead it
is recommended to use Windows' store of root certificates (the default for Schannel).

If --cacert is provided several times, the last set value will be used.

Example:
curl --cacert CA-file.txt https://example.com

See also --capath and -k, --insecure.

--capath <dir>
(TLS) Tells curl to use the specified certificate directory to verify the peer. Multiple paths can be provided by separating them with ":" (e.g. "path1:path2:path3"). The certificates must
be in PEM format, and if curl is built against OpenSSL, the directory must have been processed using the c_rehash utility supplied with OpenSSL. Using --capath can allow OpenSSL-powered curl
to make SSL-connections much more efficiently than using --cacert if the --cacert file contains many CA certificates.

If this option is set, the default capath value will be ignored.

If --capath is provided several times, the last set value will be used.

Example:
curl --capath /local/directory https://example.com

See also --cacert and -k, --insecure.

--cert-status
(TLS) Tells curl to verify the status of the server certificate by using the Certificate Status Request (aka. OCSP stapling) TLS extension.

If this option is enabled and the server sends an invalid (e.g. expired) response, if the response suggests that the server certificate has been revoked, or no response at all is received,
the verification fails.

This is currently only implemented in the OpenSSL, GnuTLS and NSS backends.

Providing --cert-status multiple times has no extra effect. Disable it again with --no-cert-status.

Example:
curl --cert-status https://example.com

See also --pinnedpubkey. Added in 7.41.0.

--cert-type <type>
(TLS) Tells curl what type the provided client certificate is using. PEM, DER, ENG and P12 are recognized types.

The default type depends on the TLS backend and is usually PEM, however for Secure Transport and Schannel it is P12. If -E, --cert is a pkcs11: URI then ENG is the default type.

If --cert-type is provided several times, the last set value will be used.

Example:
curl --cert-type PEM --cert file https://example.com

See also -E, --cert, --key and --key-type.

-E, --cert <certificate[:password]>
(TLS) Tells curl to use the specified client certificate file when getting a file with HTTPS, FTPS or another SSL-based protocol. The certificate must be in PKCS#12 format if using Secure
Transport, or PEM format if using any other engine. If the optional password is not specified, it will be queried for on the terminal. Note that this option assumes a certificate file that is
the private key and the client certificate concatenated. See -E, --cert and --key to specify them independently.

In the <certificate> portion of the argument, you must escape the character ":" as "\:" so that it is not recognized as the password delimiter. Similarly, you must escape the character "\" as
"\\" so that it is not recognized as an escape character.

If curl is built against the NSS SSL library then this option can tell curl the nickname of the certificate to use within the NSS database defined by the environment variable SSL_DIR (or by
default /etc/pki/nssdb). If the NSS PEM PKCS#11 module (libnsspem.so) is available then PEM files may be loaded.

If you provide a path relative to the current directory, you must prefix the path with "./" in order to avoid confusion with an NSS database nickname.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --cert-type option will
be set as "ENG" if none was provided.

(iOS and macOS only) If curl is built against Secure Transport, then the certificate string can either be the name of a certificate/private key in the system or user keychain, or the path to
a PKCS#12-encoded certificate and private key. If you want to use a file from the current directory, please precede it with "./" prefix, in order to avoid confusion with a nickname.

(Schannel only) Client certificates must be specified by a path expression to a certificate store. (Loading PFX is not supported; you can import it to a store first). You can use "<store lo‐
cation>\<store name>\<thumbprint>" to refer to a certificate in the system certificates store, for example, "CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a". Thumbprint is usually a
SHA-1 hex string which you can see in certificate details. Following store locations are supported: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachine‐
GroupPolicy, LocalMachineEnterprise.

If -E, --cert is provided several times, the last set value will be used.

Example:
curl --cert certfile --key keyfile https://example.com

See also --cert-type, --key and --key-type.

--ciphers <list of ciphers>
(TLS) Specifies which ciphers to use in the connection. The list of ciphers must specify valid ciphers. Read up on SSL cipher list details on this URL:

https://curl.se/docs/ssl-ciphers.html

If --ciphers is provided several times, the last set value will be used.

Example:
curl --ciphers ECDHE-ECDSA-AES256-CCM8 https://example.com

See also --tlsv1.3.

--compressed-ssh
(SCP SFTP) Enables built-in SSH compression. This is a request, not an order; the server may or may not do it.

Providing --compressed-ssh multiple times has no extra effect. Disable it again with --no-compressed-ssh.

Example:
curl --compressed-ssh sftp://example.com/

See also --compressed. Added in 7.56.0.

--compressed
(HTTP) Request a compressed response using one of the algorithms curl supports, and automatically decompress the content. Headers are not modified.

If this option is used and the server sends an unsupported encoding, curl will report an error. This is a request, not an order; the server may or may not deliver data compressed.

Providing --compressed multiple times has no extra effect. Disable it again with --no-compressed.

Example:
curl --compressed https://example.com

See also --compressed-ssh.

-K, --config <file>
Specify a text file to read curl arguments from. The command line arguments found in the text file will be used as if they were provided on the command line.

Options and their parameters must be specified on the same line in the file, separated by whitespace, colon, or the equals sign. Long option names can optionally be given in the config file
without the initial double dashes and if so, the colon or equals characters can be used as separators. If the option is specified with one or two dashes, there can be no colon or equals char‐
acter between the option and its parameter.

If the parameter contains whitespace (or starts with : or =), the parameter must be enclosed within quotes. Within double quotes, the following escape sequences are available: \\, \", \t, \n,
\r and \v. A backslash preceding any other letter is ignored.

If the first column of a config line is a '#' character, the rest of the line will be treated as a comment.

Only write one option per physical line in the config file.

Specify the filename to -K, --config as '-' to make curl read the file from stdin.

Note that to be able to specify a URL in the config file, you need to specify it using the --url option, and not by simply writing the URL on its own line. So, it could look similar to this:

url = "https://curl.se/docs/"

# --- Example file ---
# this is a comment
url = "example.com"
output = "curlhere.html"
user-agent = "superagent/1.0"

# and fetch another URL too
url = "example.com/docs/manpage.html"
-O
referer = "http://nowhereatall.example.com/"
# --- End of example file ---

When curl is invoked, it (unless -q, --disable is used) checks for a default config file and uses it if found, even when -K, --config is used. The default config file is checked for in the
following places in this order:

1) "$CURL_HOME/.curlrc"

2) "$XDG_CONFIG_HOME/.curlrc" (Added in 7.73.0)

3) "$HOME/.curlrc"

4) Windows: "%USERPROFILE%\.curlrc"

5) Windows: "%APPDATA%\.curlrc"

6) Windows: "%USERPROFILE%\Application Data\.curlrc"

7) Non-Windows: use getpwuid to find the home directory

8) On Windows, if it finds no .curlrc file in the sequence described above, it checks for one in the same dir the curl executable is placed.

On Windows two filenames are checked per location: .curlrc and _curlrc, preferring the former. Older versions on Windows checked for _curlrc only.

-K, --config can be used several times in a command line

Example:
curl --config file.txt https://example.com

See also -q, --disable.

--connect-timeout <fractional seconds>
Maximum time in seconds that you allow curl's connection to take. This only limits the connection phase, so if curl connects within the given period it will continue - if not it will exit.
Since version 7.32.0, this option accepts decimal values.

The "connection phase" is considered complete when the requested TCP, TLS or QUIC handshakes are done.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --connect-timeout is provided several times, the last set value will be used.

Examples:
curl --connect-timeout 20 https://example.com
curl --connect-timeout 3.14 https://example.com

See also -m, --max-time.

--connect-to <HOST1:PORT1:HOST2:PORT2>

For a request to the given HOST1:PORT1 pair, connect to HOST2:PORT2 instead. This option is suitable to direct requests at a specific server, e.g. at a specific cluster node in a cluster of
servers. This option is only used to establish the network connection. It does NOT affect the hostname/port that is used for TLS/SSL (e.g. SNI, certificate verification) or for the applica‐
tion protocols. "HOST1" and "PORT1" may be the empty string, meaning "any host/port". "HOST2" and "PORT2" may also be the empty string, meaning "use the request's original host/port".

A "host" specified to this option is compared as a string, so it needs to match the name used in request URL. It can be either numerical such as "127.0.0.1" or the full host name such as "ex‐
ample.org".

--connect-to can be used several times in a command line

Example:
curl --connect-to example.com:443:example.net:8443 https://example.com

See also --resolve and -H, --header. Added in 7.49.0.

-C, --continue-at <offset>
Continue/Resume a previous file transfer at the given offset. The given offset is the exact number of bytes that will be skipped, counting from the beginning of the source file before it is
transferred to the destination. If used with uploads, the FTP server command SIZE will not be used by curl.

Use "-C -" to tell curl to automatically find out where/how to resume the transfer. It then uses the given output/input files to figure that out.

If -C, --continue-at is provided several times, the last set value will be used.

Examples:
curl -C - https://example.com
curl -C 400 https://example.com

See also -r, --range.

-c, --cookie-jar <filename>
(HTTP) Specify to which file you want curl to write all cookies after a completed operation. Curl writes all cookies from its in-memory cookie storage to the given file at the end of opera‐
tions. If no cookies are known, no data will be written. The file will be written using the Netscape cookie file format. If you set the file name to a single dash, "-", the cookies will be
written to stdout.

This command line option will activate the cookie engine that makes curl record and use cookies. Another way to activate it is to use the -b, --cookie option.

If the cookie jar cannot be created or written to, the whole curl operation will not fail or even report an error clearly. Using -v, --verbose will get a warning displayed, but that is the
only visible feedback you get about this possibly lethal situation.

If -c, --cookie-jar is provided several times, the last set value will be used.

Examples:
curl -c store-here.txt https://example.com
curl -c store-here.txt -b read-these https://example.com

See also -b, --cookie.

-b, --cookie <data|filename>
(HTTP) Pass the data to the HTTP server in the Cookie header. It is supposedly the data previously received from the server in a "Set-Cookie:" line. The data should be in the format
"NAME1=VALUE1; NAME2=VALUE2". This makes curl use the cookie header with this content explicitly in all outgoing request(s). If multiple requests are done due to authentication, followed
redirects or similar, they will all get this cookie passed on.

If no '=' symbol is used in the argument, it is instead treated as a filename to read previously stored cookie from. This option also activates the cookie engine which will make curl record
incoming cookies, which may be handy if you are using this in combination with the -L, --location option or do multiple URL transfers on the same invoke. If the file name is exactly a minus
("-"), curl will instead read the contents from stdin.

The file format of the file to read cookies from should be plain HTTP headers (Set-Cookie style) or the Netscape/Mozilla cookie file format.

The file specified with -b, --cookie is only used as input. No cookies will be written to the file. To store cookies, use the -c, --cookie-jar option.

If you use the Set-Cookie file format and do not specify a domain then the cookie is not sent since the domain will never match. To address this, set a domain in Set-Cookie line (doing that
will include sub-domains) or preferably: use the Netscape format.

Users often want to both read cookies from a file and write updated cookies back to a file, so using both -b, --cookie and -c, --cookie-jar in the same command line is common.

-b, --cookie can be used several times in a command line

Examples:
curl -b cookiefile https://example.com
curl -b cookiefile -c cookiefile https://example.com

See also -c, --cookie-jar and -j, --junk-session-cookies.

--create-dirs
When used in conjunction with the -o, --output option, curl will create the necessary local directory hierarchy as needed. This option creates the directories mentioned with the -o, --output
option, nothing else. If the -o, --output file name uses no directory, or if the directories it mentions already exist, no directories will be created.

Created dirs are made with mode 0750 on unix style file systems.

To create remote directories when using FTP or SFTP, try --ftp-create-dirs.

Providing --create-dirs multiple times has no extra effect. Disable it again with --no-create-dirs.

Example:
curl --create-dirs --output local/dir/file https://example.com

See also --ftp-create-dirs and --output-dir.

--create-file-mode <mode>
(SFTP SCP FILE) When curl is used to create files remotely using one of the supported protocols, this option allows the user to set which 'mode' to set on the file at creation time, instead
of the default 0644.

This option takes an octal number as argument.

If --create-file-mode is provided several times, the last set value will be used.

Example:
curl --create-file-mode 0777 -T localfile sftp://example.com/new

See also --ftp-create-dirs. Added in 7.75.0.

--crlf (FTP SMTP) Convert LF to CRLF in upload. Useful for MVS (OS/390).

(SMTP added in 7.40.0)

Providing --crlf multiple times has no extra effect. Disable it again with --no-crlf.

Example:
curl --crlf -T file ftp://example.com/

See also -B, --use-ascii.

--crlfile <file>
(TLS) Provide a file using PEM format with a Certificate Revocation List that may specify peer certificates that are to be considered revoked.

If --crlfile is provided several times, the last set value will be used.

Example:
curl --crlfile rejects.txt https://example.com

See also --cacert and --capath.

--curves <algorithm list>
(TLS) Tells curl to request specific curves to use during SSL session establishment according to RFC 8422, 5.1. Multiple algorithms can be provided by separating them with ":" (e.g.
"X25519:P-521"). The parameter is available identically in the "openssl s_client/s_server" utilities.

--curves allows a OpenSSL powered curl to make SSL-connections with exactly the (EC) curve requested by the client, avoiding nontransparent client/server negotiations.

If this option is set, the default curves list built into openssl will be ignored.

If --curves is provided several times, the last set value will be used.

Example:
curl --curves X25519 https://example.com

See also --ciphers. Added in 7.73.0.

--data-ascii <data>
(HTTP) This is just an alias for -d, --data.

--data-ascii can be used several times in a command line

Example:
curl --data-ascii @file https://example.com

See also --data-binary, --data-raw and --data-urlencode.

--data-binary <data>
(HTTP) This posts data exactly as specified with no extra processing whatsoever.

If you start the data with the letter @, the rest should be a filename. Data is posted in a similar manner as -d, --data does, except that newlines and carriage returns are preserved and con‐
versions are never done.

Like -d, --data the default content-type sent to the server is application/x-www-form-urlencoded. If you want the data to be treated as arbitrary binary data by the server then set the con‐
tent-type to octet-stream: -H "Content-Type: application/octet-stream".

If this option is used several times, the ones following the first will append data as described in -d, --data.

--data-binary can be used several times in a command line

Example:
curl --data-binary @filename https://example.com

See also --data-ascii.

--data-raw <data>
(HTTP) This posts data similarly to -d, --data but without the special interpretation of the @ character.

--data-raw can be used several times in a command line

Examples:
curl --data-raw "hello" https://example.com
curl --data-raw "@at@at@" https://example.com

See also -d, --data. Added in 7.43.0.

--data-urlencode <data>
(HTTP) This posts data, similar to the other -d, --data options with the exception that this performs URL-encoding.

To be CGI-compliant, the <data> part should begin with a name followed by a separator and a content specification. The <data> part can be passed to curl using one of the following syntaxes:

content
This will make curl URL-encode the content and pass that on. Just be careful so that the content does not contain any = or @ symbols, as that will then make the syntax match one of the
other cases below!

=content
This will make curl URL-encode the content and pass that on. The preceding = symbol is not included in the data.

name=content
This will make curl URL-encode the content part and pass that on. Note that the name part is expected to be URL-encoded already.

@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST.

name@filename
This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST. The name part gets an equal sign appended, resulting in
name=urlencoded-file-content. Note that the name is expected to be URL-encoded already.

--data-urlencode can be used several times in a command line

Examples:
curl --data-urlencode name=val https://example.com
curl --data-urlencode =encodethis https://example.com
curl --data-urlencode name@file https://example.com
curl --data-urlencode @fileonly https://example.com

See also -d, --data and --data-raw.

-d, --data <data>
(HTTP MQTT) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will
cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded. Compare to -F, --form.

--data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To URL-encode the
value of a form field you may use --data-urlencode.

If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d skill=lousy' would
generate a post chunk that looks like 'name=daniel&skill=lousy'.

If you start the data with the letter @, the rest should be a file name to read the data from, or - if you want curl to read the data from stdin. Posting data from a file named 'foobar' would
thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you do not want the @ character to have a
special interpretation use --data-raw instead.

-d, --data can be used several times in a command line

Examples:
curl -d "name=curl" https://example.com
curl -d "name=curl" -d "tool=cmdline" https://example.com
curl -d @filename https://example.com

See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.

--delegation <LEVEL>
(GSS/kerberos) Set LEVEL to tell the server what it is allowed to delegate when it comes to user credentials.

none Do not allow any delegation.

policy Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos service ticket, which is a matter of realm policy.

always Unconditionally allow the server to delegate.

If --delegation is provided several times, the last set value will be used.

Example:
curl --delegation "none" https://example.com

See also -k, --insecure and --ssl.

--digest
(HTTP) Enables HTTP Digest authentication. This is an authentication scheme that prevents the password from being sent over the wire in clear text. Use this in combination with the normal -u,
--user option to set user name and password.

Providing --digest multiple times has no extra effect. Disable it again with --no-digest.

Example:
curl -u name:password --digest https://example.com

See also -u, --user, --proxy-digest and --anyauth. This option is mutually exclusive to --basic and --ntlm and --negotiate.

--disable-eprt
(FTP) Tell curl to disable the use of the EPRT and LPRT commands when doing active FTP transfers. Curl will normally always first attempt to use EPRT, then LPRT before using PORT, but with
this option, it will use PORT right away. EPRT and LPRT are extensions to the original FTP protocol, and may not work on all servers, but they enable more functionality in a better way than
the traditional PORT command.

--eprt can be used to explicitly enable EPRT again and --no-eprt is an alias for --disable-eprt.

If the server is accessed using IPv6, this option will have no effect as EPRT is necessary then.

Disabling EPRT only changes the active behavior. If you want to switch to passive mode you need to not use -P, --ftp-port or force it with --ftp-pasv.

Providing --disable-eprt multiple times has no extra effect. Disable it again with --no-disable-eprt.

Example:
curl --disable-eprt ftp://example.com/

See also --disable-epsv and -P, --ftp-port.

--disable-epsv
(FTP) Tell curl to disable the use of the EPSV command when doing passive FTP transfers. Curl will normally always first attempt to use EPSV before PASV, but with this option, it will not try
using EPSV.

--epsv can be used to explicitly enable EPSV again and --no-epsv is an alias for --disable-epsv.

If the server is an IPv6 host, this option will have no effect as EPSV is necessary then.

Disabling EPSV only changes the passive behavior. If you want to switch to active mode you need to use -P, --ftp-port.

Providing --disable-epsv multiple times has no extra effect. Disable it again with --no-disable-epsv.

Example:
curl --disable-epsv ftp://example.com/

See also --disable-eprt and -P, --ftp-port.

-q, --disable
If used as the first parameter on the command line, the curlrc config file will not be read and used. See the -K, --config for details on the default config file search path.

Providing -q, --disable multiple times has no extra effect. Disable it again with --no-disable.

Example:
curl -q https://example.com

See also -K, --config.

--disallow-username-in-url
(HTTP) This tells curl to exit if passed a URL containing a username. This is probably most useful when the URL is being provided at runtime or similar.

Providing --disallow-username-in-url multiple times has no extra effect. Disable it again with --no-disallow-username-in-url.

Example:
curl --disallow-username-in-url https://example.com

See also --proto. Added in 7.61.0.

--dns-interface <interface>
(DNS) Tell curl to send outgoing DNS requests through <interface>. This option is a counterpart to --interface (which does not affect DNS). The supplied string must be an interface name (not
an address).

If --dns-interface is provided several times, the last set value will be used.

Example:
curl --dns-interface eth0 https://example.com

See also --dns-ipv4-addr and --dns-ipv6-addr. --dns-interface requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv4-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv4 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv4 address.

If --dns-ipv4-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv4-addr 10.1.2.3 https://example.com

See also --dns-interface and --dns-ipv6-addr. --dns-ipv4-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-ipv6-addr <address>
(DNS) Tell curl to bind to <ip-address> when making IPv6 DNS requests, so that the DNS requests originate from this address. The argument should be a single IPv6 address.

If --dns-ipv6-addr is provided several times, the last set value will be used.

Example:
curl --dns-ipv6-addr 2a04:4e42::561 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-ipv6-addr requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--dns-servers <addresses>
Set the list of DNS servers to be used instead of the system default. The list of IP addresses should be separated with commas. Port numbers may also optionally be given as :<port-number>
after each IP address.

If --dns-servers is provided several times, the last set value will be used.

Example:
curl --dns-servers 192.168.0.1,192.168.0.2 https://example.com

See also --dns-interface and --dns-ipv4-addr. --dns-servers requires that the underlying libcurl was built to support c-ares. Added in 7.33.0.

--doh-cert-status
Same as --cert-status but used for DoH (DNS-over-HTTPS).

Providing --doh-cert-status multiple times has no extra effect. Disable it again with --no-doh-cert-status.

Example:
curl --doh-cert-status --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.76.0.

--doh-insecure
Same as -k, --insecure but used for DoH (DNS-over-HTTPS).

Providing --doh-insecure multiple times has no extra effect. Disable it again with --no-doh-insecure.

Example:
curl --doh-insecure --doh-url https://doh.example https://example.com

See also --doh-url. Added in 7.76.0.

--doh-url <URL>
Specifies which DNS-over-HTTPS (DoH) server to use to resolve hostnames, instead of using the default name resolver mechanism. The URL must be HTTPS.

Some SSL options that you set for your transfer will apply to DoH since the name lookups take place over SSL. However, the certificate verification settings are not inherited and can be con‐
trolled separately via --doh-insecure and --doh-cert-status.

This option is unset if an empty string "" is used as the URL. (Added in 7.85.0)

If --doh-url is provided several times, the last set value will be used.

Example:
curl --doh-url https://doh.example https://example.com

See also --doh-insecure. Added in 7.62.0.

-D, --dump-header <filename>
(HTTP FTP) Write the received protocol headers to the specified file. If no headers are received, the use of this option will create an empty file.

When used in FTP, the FTP server response lines are considered being "headers" and thus are saved there.

Having multiple transfers in one set of operations (i.e. the URLs in one -:, --next clause), will append them to the same file, separated by a blank line.

If -D, --dump-header is provided several times, the last set value will be used.

Example:
curl --dump-header store.txt https://example.com

See also -o, --output.

--egd-file <file>
(TLS) Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to the Entropy Gathering Daemon socket. The socket is used to seed the random engine for SSL connections.

If --egd-file is provided several times, the last set value will be used.

Example:
curl --egd-file /random/here https://example.com

See also --random-file.

--engine <name>
(TLS) Select the OpenSSL crypto engine to use for cipher operations. Use --engine list to print a list of build-time supported engines. Note that not all (and possibly none) of the engines
may be available at runtime.

If --engine is provided several times, the last set value will be used.

Example:
curl --engine flavor https://example.com

See also --ciphers and --curves.

--etag-compare <file>
(HTTP) This option makes a conditional HTTP request for the specific ETag read from the given file by sending a custom If-None-Match header using the stored ETag.

For correct results, make sure that the specified file contains only a single line with the desired ETag. An empty file is parsed as an empty ETag.

Use the option --etag-save to first save the ETag from a response, and then use this option to compare against the saved ETag in a subsequent request.

If --etag-compare is provided several times, the last set value will be used.

Example:
curl --etag-compare etag.txt https://example.com

See also --etag-save and -z, --time-cond. Added in 7.68.0.

--etag-save <file>
(HTTP) This option saves an HTTP ETag to the specified file. An ETag is a caching related header, usually returned in a response.

If no ETag is sent by the server, an empty file is created.

If --etag-save is provided several times, the last set value will be used.

Example:
curl --etag-save storetag.txt https://example.com

See also --etag-compare. Added in 7.68.0.

--expect100-timeout <seconds>
(HTTP) Maximum time in seconds that you allow curl to wait for a 100-continue response when curl emits an Expects: 100-continue header in its request. By default curl will wait one second.
This option accepts decimal values! When curl stops waiting, it will continue as if the response has been received.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If --expect100-timeout is provided several times, the last set value will be used.

Example:
curl --expect100-timeout 2.5 -T file https://example.com

See also --connect-timeout. Added in 7.47.0.

--fail-early
Fail and exit on the first detected transfer error.

When curl is used to do multiple transfers on the command line, it will attempt to operate on each given URL, one by one. By default, it will ignore errors if there are more URLs given and
the last URL's success will determine the error code curl returns. So early failures will be "hidden" by subsequent successful transfers.

Using this option, curl will instead return an error on the first transfer that fails, independent of the amount of URLs that are given on the command line. This way, no transfer failures go
undetected by scripts and similar.

This option is global and does not need to be specified for each use of -:, --next.

This option does not imply -f, --fail, which causes transfers to fail due to the server's HTTP status code. You can combine the two options, however note -f, --fail is not global and is
therefore contained by -:, --next.

Providing --fail-early multiple times has no extra effect. Disable it again with --no-fail-early.

Example:
curl --fail-early https://example.com https://two.example

See also -f, --fail and --fail-with-body. Added in 7.52.0.

--fail-with-body
(HTTP) Return an error on server errors where the HTTP response code is 400 or greater). In normal cases when an HTTP server fails to deliver a document, it returns an HTML document stating
so (which often also describes why and more). This flag will still allow curl to output and save that content but also to return error 22.

This is an alternative option to -f, --fail which makes curl fail for the same circumstances but without saving the content.

Providing --fail-with-body multiple times has no extra effect. Disable it again with --no-fail-with-body.

Example:
curl --fail-with-body https://example.com

See also -f, --fail. This option is mutually exclusive to -f, --fail. Added in 7.76.0.

-f, --fail
(HTTP) Fail fast with no output at all on server errors. This is useful to enable scripts and users to better deal with failed attempts. In normal cases when an HTTP server fails to deliver a
document, it returns an HTML document stating so (which often also describes why and more). This flag will prevent curl from outputting that and return error 22.

This method is not fail-safe and there are occasions where non-successful response codes will slip through, especially when authentication is involved (response codes 401 and 407).

Providing -f, --fail multiple times has no extra effect. Disable it again with --no-fail.

Example:
curl --fail https://example.com

See also --fail-with-body. This option is mutually exclusive to --fail-with-body.

--false-start
(TLS) Tells curl to use false start during the TLS handshake. False start is a mode where a TLS client will start sending application data before verifying the server's Finished message, thus
saving a round trip when performing a full handshake.

This is currently only implemented in the NSS and Secure Transport (on iOS 7.0 or later, or OS X 10.9 or later) backends.

Providing --false-start multiple times has no extra effect. Disable it again with --no-false-start.

Example:
curl --false-start https://example.com

See also --tcp-fastopen. Added in 7.42.0.

--form-escape
(HTTP) Tells curl to pass on names of multipart form fields and files using backslash-escaping instead of percent-encoding.

If --form-escape is provided several times, the last set value will be used.

Example:
curl --form-escape -F 'field\name=curl' -F 'file=@load"this' https://example.com

See also -F, --form. Added in 7.81.0.

--form-string <name=string>
(HTTP SMTP IMAP) Similar to -F, --form except that the value string for the named parameter is used literally. Leading '@' and '<' characters, and the ';type=' string in the value have no
special meaning. Use this in preference to -F, --form if there's any possibility that the string value may accidentally trigger the '@' or '<' features of -F, --form.

--form-string can be used several times in a command line

Example:
curl --form-string "data" https://example.com

See also -F, --form.

-F, --form <name=content>
(HTTP SMTP IMAP) For HTTP protocol family, this lets curl emulate a filled-in form in which a user has pressed the submit button. This causes curl to POST data using the Content-Type multi‐
part/form-data according to RFC 2388.

For SMTP and IMAP protocols, this is the means to compose a multipart mail message to transmit.

This enables uploading of binary files etc. To force the 'content' part to be a file, prefix the file name with an @ sign. To just get the content part from a file, prefix the file name with
the symbol <. The difference between @ and < is then that @ makes a file get attached in the post as a file upload, while the < makes a text field and just get the contents for that text
field from a file.

Tell curl to read content from stdin instead of a file by using - as filename. This goes for both @ and < constructs. When stdin is used, the contents is buffered in memory first by curl to
determine its size and allow a possible resend. Defining a part's data from a named non-regular file (such as a named pipe or similar) is unfortunately not subject to buffering and will be
effectively read at transmission time; since the full size is unknown before the transfer starts, such data is sent as chunks by HTTP and rejected by IMAP.

Example: send an image to an HTTP server, where 'profile' is the name of the form-field to which the file portrait.jpg will be the input:

curl -F profile=@portrait.jpg https://example.com/upload.cgi

Example: send your name and shoe size in two text fields to the server:

curl -F name=John -F shoesize=11 https://example.com/

Example: send your essay in a text field to the server. Send it as a plain text field, but get the contents for it from a local file:

curl -F "story=<hugefile.txt" https://example.com/

You can also tell curl what Content-Type to use by using 'type=', in a manner similar to:

curl -F "web=@index.html;type=text/html" example.com

or

curl -F "name=daniel;type=text/foo" example.com

You can also explicitly change the name field of a file upload part by setting filename=, like this:

curl -F "file=@localfile;filename=nameinpost" example.com

If filename/path contains ',' or ';', it must be quoted by double-quotes like:

curl -F "file=@\"local,file\";filename=\"name;in;post\"" example.com

or

curl -F 'file=@"local,file";filename="name;in;post"' example.com

Note that if a filename/path is quoted by double-quotes, any double-quote or backslash within the filename must be escaped by backslash.

Quoting must also be applied to non-file data if it contains semicolons, leading/trailing spaces or leading double quotes:

curl -F 'colors="red; green; blue";type=text/x-myapp' example.com

You can add custom headers to the field by setting headers=, like

curl -F "submit=OK;headers=\"X-submit-type: OK\"" example.com

or

curl -F "submit=OK;headers=@headerfile" example.com

The headers= keyword may appear more that once and above notes about quoting apply. When headers are read from a file, Empty lines and lines starting with '#' are comments and ignored; each
header can be folded by splitting between two words and starting the continuation line with a space; embedded carriage-returns and trailing spaces are stripped. Here is an example of a
header file contents:

# This file contain two headers.
X-header-1: this is a header

# The following header is folded.
X-header-2: this is
another header

To support sending multipart mail messages, the syntax is extended as follows:
- name can be omitted: the equal sign is the first character of the argument,
- if data starts with '(', this signals to start a new multipart: it can be followed by a content type specification.
- a multipart can be terminated with a '=)' argument.

Example: the following command sends an SMTP mime email consisting in an inline part in two alternative formats: plain text and HTML. It attaches a text file:

curl -F '=(;type=multipart/alternative' \
-F '=plain text message' \
-F '= <body>HTML message</body>;type=text/html' \
-F '=)' -F '=@textfile.txt' ... smtp://example.com

Data can be encoded for transfer using encoder=. Available encodings are binary and 8bit that do nothing else than adding the corresponding Content-Transfer-Encoding header, 7bit that only
rejects 8-bit characters with a transfer error, quoted-printable and base64 that encodes data according to the corresponding schemes, limiting lines length to 76 characters.

Example: send multipart mail with a quoted-printable text message and a base64 attached file:

curl -F '=text message;encoder=quoted-printable' \
-F '=@localfile;encoder=base64' ... smtp://example.com

See further examples and details in the MANUAL.

-F, --form can be used several times in a command line

Example:
curl --form "name=curl" --form "file=@loadthis" https://example.com

See also -d, --data, --form-string and --form-escape. This option is mutually exclusive to -d, --data and -I, --head and -T, --upload-file.

--ftp-account <data>
(FTP) When an FTP server asks for "account data" after user name and password has been provided, this data is sent off using the ACCT command.

If --ftp-account is provided several times, the last set value will be used.

Example:
curl --ftp-account "mr.robot" ftp://example.com/

See also -u, --user.

--ftp-alternative-to-user <command>
(FTP) If authenticating with the USER and PASS commands fails, send this command. When connecting to Tumbleweed's Secure Transport server over FTPS using a client certificate, using "SITE
AUTH" will tell the server to retrieve the username from the certificate.

If --ftp-alternative-to-user is provided several times, the last set value will be used.

Example:
curl --ftp-alternative-to-user "U53r" ftp://example.com

See also --ftp-account and -u, --user.

--ftp-create-dirs
(FTP SFTP) When an FTP or SFTP URL/operation uses a path that does not currently exist on the server, the standard behavior of curl is to fail. Using this option, curl will instead attempt to
create missing directories.

Providing --ftp-create-dirs multiple times has no extra effect. Disable it again with --no-ftp-create-dirs.

Example:
curl --ftp-create-dirs -T file ftp://example.com/remote/path/file

See also --create-dirs.

--ftp-method <method>
(FTP) Control what method curl should use to reach a file on an FTP(S) server. The method argument should be one of the following alternatives:

multicwd
curl does a single CWD operation for each path part in the given URL. For deep hierarchies this means many commands. This is how RFC 1738 says it should be done. This is the default
but the slowest behavior.

nocwd curl does no CWD at all. curl will do SIZE, RETR, STOR etc and give a full path to the server for all these commands. This is the fastest behavior.

singlecwd
curl does one CWD with the full target directory and then operates on the file "normally" (like in the multicwd case). This is somewhat more standards compliant than 'nocwd' but with‐
out the full penalty of 'multicwd'.

If --ftp-method is provided several times, the last set value will be used.

Examples:
curl --ftp-method multicwd ftp://example.com/dir1/dir2/file
curl --ftp-method nocwd ftp://example.com/dir1/dir2/file
curl --ftp-method singlecwd ftp://example.com/dir1/dir2/file

See also -l, --list-only.

--ftp-pasv
(FTP) Use passive mode for the data connection. Passive is the internal default behavior, but using this option can be used to override a previous -P, --ftp-port option.

Reversing an enforced passive really is not doable but you must then instead enforce the correct -P, --ftp-port again.

Passive mode means that curl will try the EPSV command first and then PASV, unless --disable-epsv is used.

Providing --ftp-pasv multiple times has no extra effect. Disable it again with --no-ftp-pasv.

Example:
curl --ftp-pasv ftp://example.com/

See also --disable-epsv.

-P, --ftp-port <address>
(FTP) Reverses the default initiator/listener roles when connecting with FTP. This option makes curl use active mode. curl then tells the server to connect back to the client's specified ad‐
dress and port, while passive mode asks the server to setup an IP address and port for it to connect to. <address> should be one of:

interface
e.g. "eth0" to specify which interface's IP address you want to use (Unix only)

IP address
e.g. "192.168.10.1" to specify the exact IP address

host name
e.g. "my.host.domain" to specify the machine

- make curl pick the same IP address that is already used for the control connection

Disable the use of PORT with --ftp-pasv. Disable the attempt to use the EPRT command instead of PORT by using --disable-eprt. EPRT is really PORT++.

You can also append ":[start]-[end]" to the right of the address, to tell curl what TCP port range to use. That means you specify a port range, from a lower to a higher number. A single number works
as well, but do note that it increases the risk of failure since the port may not be available.

If -P, --ftp-port is provided several times, the last set value will be used.

Examples:
curl -P - ftp:/example.com
curl -P eth0 ftp:/example.com
curl -P 192.168.0.2 ftp:/example.com

See also --ftp-pasv and --disable-eprt.

--ftp-pret
(FTP) Tell curl to send a PRET command before PASV (and EPSV). Certain FTP servers, mainly drftpd, require this non-standard command for directory listings as well as up and downloads in PASV
mode.

Providing --ftp-pret multiple times has no extra effect. Disable it again with --no-ftp-pret.

Example:
curl --ftp-pret ftp://example.com/

See also -P, --ftp-port and --ftp-pasv.

--ftp-skip-pasv-ip
(FTP) Tell curl to not use the IP address the server suggests in its response to curl's PASV command when curl connects the data connection. Instead curl will re-use the same IP address it
already uses for the control connection.

Since curl 7.74.0 this option is enabled by default.

This option has no effect if PORT, EPRT or EPSV is used instead of PASV.

Providing --ftp-skip-pasv-ip multiple times has no extra effect. Disable it again with --no-ftp-skip-pasv-ip.

Example:
curl --ftp-skip-pasv-ip ftp://example.com/

See also --ftp-pasv.

--ftp-ssl-ccc-mode <active/passive>
(FTP) Sets the CCC mode. The passive mode will not initiate the shutdown, but instead wait for the server to do it, and will not reply to the shutdown from the server. The active mode initi‐
ates the shutdown and waits for a reply from the server.

Providing --ftp-ssl-ccc-mode multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc-mode.

Example:
curl --ftp-ssl-ccc-mode active --ftp-ssl-ccc ftps://example.com/

See also --ftp-ssl-ccc.

--ftp-ssl-ccc
(FTP) Use CCC (Clear Command Channel) Shuts down the SSL/TLS layer after authenticating. The rest of the control channel communication will be unencrypted. This allows NAT routers to follow
the FTP transaction. The default mode is passive.

Providing --ftp-ssl-ccc multiple times has no extra effect. Disable it again with --no-ftp-ssl-ccc.

Example:
curl --ftp-ssl-ccc ftps://example.com/

See also --ssl and --ftp-ssl-ccc-mode.

--ftp-ssl-control
(FTP) Require SSL/TLS for the FTP login, clear for transfer. Allows secure authentication, but non-encrypted data transfers for efficiency. Fails the transfer if the server does not support
SSL/TLS.

Providing --ftp-ssl-control multiple times has no extra effect. Disable it again with --no-ftp-ssl-control.

Example:
curl --ftp-ssl-control ftp://example.com

See also --ssl.

-G, --get
When used, this option will make all data specified with -d, --data, --data-binary or --data-urlencode to be used in an HTTP GET request instead of the POST request that otherwise would be
used. The data will be appended to the URL with a '?' separator.

If used in combination with -I, --head, the POST data will instead be appended to the URL with a HEAD request.

Providing -G, --get multiple times has no extra effect. Disable it again with --no-get.

Examples:
curl --get https://example.com
curl --get -d "tool=curl" -d "age=old" https://example.com
curl --get -I -d "tool=curl" https://example.com

See also -d, --data and -X, --request.

-g, --globoff
This option switches off the "URL globbing parser". When you set this option, you can specify URLs that contain the letters {}[] without having curl itself interpret them. Note that these
letters are not normal legal URL contents but they should be encoded according to the URI standard.

Providing -g, --globoff multiple times has no extra effect. Disable it again with --no-globoff.

Example:
curl -g "https://example.com/{[]}}}}"

See also -K, --config and -q, --disable.

--happy-eyeballs-timeout-ms <milliseconds>
Happy Eyeballs is an algorithm that attempts to connect to both IPv4 and IPv6 addresses for dual-stack hosts, giving IPv6 a head-start of the specified number of milliseconds. If the IPv6 ad‐
dress cannot be connected to within that time, then a connection attempt is made to the IPv4 address in parallel. The first connection to be established is the one that is used.

The range of suggested useful values is limited. Happy Eyeballs RFC 6555 says "It is RECOMMENDED that connection attempts be paced 150-250 ms apart to balance human factors against network
load." libcurl currently defaults to 200 ms. Firefox and Chrome currently default to 300 ms.

If --happy-eyeballs-timeout-ms is provided several times, the last set value will be used.

Example:
curl --happy-eyeballs-timeout-ms 500 https://example.com

See also -m, --max-time and --connect-timeout. Added in 7.59.0.

--haproxy-protocol
(HTTP) Send a HAProxy PROXY protocol v1 header at the beginning of the connection. This is used by some load balancers and reverse proxies to indicate the client's true IP address and port.

This option is primarily useful when sending test requests to a service that expects this header.

Providing --haproxy-protocol multiple times has no extra effect. Disable it again with --no-haproxy-protocol.

Example:
curl --haproxy-protocol https://example.com

See also -x, --proxy. Added in 7.60.0.

-I, --head
(HTTP FTP FILE) Fetch the headers only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document. When used on an FTP or FILE file, curl displays the
file size and last modification time only.

Providing -I, --head multiple times has no extra effect. Disable it again with --no-head.

Example:
curl -I https://example.com

See also -G, --get, -v, --verbose and --trace-ascii.

-H, --header <header/@file>
(HTTP IMAP SMTP) Extra header to include in information sent. When used within an HTTP request, it is added to the regular request headers.

For an IMAP or SMTP MIME uploaded mail built with -F, --form options, it is prepended to the resulting MIME document, effectively including it at the mail global level. It does not affect raw
uploaded mails (Added in 7.56.0).

You may specify any number of extra headers. Note that if you should add a custom header that has the same name as one of the internal ones curl would use, your externally set header will be
used instead of the internal one. This allows you to make even trickier stuff than curl would normally do. You should not replace internally set headers without knowing perfectly well what
you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If you send the custom header with no-value then its header
must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

This option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin. Added in 7.55.0.

Please note that most anti-spam utilities check the presence and value of several MIME mail headers: these are "From:", "To:", "Date:" and "Subject:" among others and should be added with
this option.

You need --proxy-header to send custom headers intended for an HTTP proxy. Added in 7.37.0.

Passing on a "Transfer-Encoding: chunked" header when doing an HTTP request with a request body, will make curl send the data using chunked encoding.

WARNING: headers set with this option will be set in all HTTP requests - even after redirects are followed, like when told with -L, --location. This can lead to the header being sent to other
hosts than the original host, so sensitive headers should be used with caution combined with following redirects.

-H, --header can be used several times in a command line

Examples:
curl -H "X-First-Name: Joe" https://example.com
curl -H "User-Agent: yes-please/2000" https://example.com
curl -H "Host:" https://example.com
curl -H @headers.txt https://example.com

See also -A, --user-agent and -e, --referer.

-h, --help <category>
Usage help. This lists all commands of the <category>. If no arg was provided, curl will display the most important command line arguments. If the argument "all" was provided, curl will
display all options available. If the argument "category" was provided, curl will display all categories and their meanings.

Example:
curl --help all

See also -v, --verbose.

--hostpubmd5 <md5>
(SFTP SCP) Pass a string containing 32 hexadecimal digits. The string should be the 128 bit MD5 checksum of the remote host's public key, curl will refuse the connection with the host unless
the md5sums match.

If --hostpubmd5 is provided several times, the last set value will be used.

Example:
curl --hostpubmd5 e5c1c49020640a5ab0f2034854c321a8 sftp://example.com/

See also --hostpubsha256.

--hostpubsha256 <sha256>
(SFTP SCP) Pass a string containing a Base64-encoded SHA256 hash of the remote host's public key. Curl will refuse the connection with the host unless the hashes match.

This feature requires libcurl to be built with libssh2 and does not work with other SSH backends.

If --hostpubsha256 is provided several times, the last set value will be used.

Example:
curl --hostpubsha256 NDVkMTQxMGQ1ODdmMjQ3MjczYjAyOTY5MmRkMjVmNDQ= sftp://example.com/

See also --hostpubmd5. Added in 7.80.0.

--hsts <file name>
(HTTPS) This option enables HSTS for the transfer. If the file name points to an existing HSTS cache file, that will be used. After a completed transfer, the cache will be saved to the file
name again if it has been modified.

If curl is told to use HTTP:// for a transfer involving a host name that exists in the HSTS cache, it upgrades the transfer to use HTTPS. Each HSTS cache entry has an individual life time af‐
ter which the upgrade is no longer performed.

Specify a "" file name (zero length) to avoid loading/saving and make curl just handle HSTS in memory.

If this option is used several times, curl will load contents from all the files but the last one will be used for saving.

--hsts can be used several times in a command line

Example:
curl --hsts cache.txt https://example.com

See also --proto. Added in 7.74.0.

--http0.9
(HTTP) Tells curl to be fine with HTTP version 0.9 response.

HTTP/0.9 is a completely headerless response and therefore you can also connect with this to non-HTTP servers and still get a response since curl will simply transparently downgrade - if al‐
lowed.

Since curl 7.66.0, HTTP/0.9 is disabled by default.

Providing --http0.9 multiple times has no extra effect. Disable it again with --no-http0.9.

Example:
curl --http0.9 https://example.com

See also --http1.1, --http2 and --http3. Added in 7.64.0.

-0, --http1.0
(HTTP) Tells curl to use HTTP version 1.0 instead of using its internally preferred HTTP version.

Providing -0, --http1.0 multiple times has no extra effect.

Example:
curl --http1.0 https://example.com

See also --http0.9 and --http1.1. This option is mutually exclusive to --http1.1 and --http2 and --http2-prior-knowledge and --http3.

--http1.1
(HTTP) Tells curl to use HTTP version 1.1.

Providing --http1.1 multiple times has no extra effect.

Example:
curl --http1.1 https://example.com

See also -0, --http1.0 and --http0.9. This option is mutually exclusive to -0, --http1.0 and --http2 and --http2-prior-knowledge and --http3. Added in 7.33.0.

--http2-prior-knowledge
(HTTP) Tells curl to issue its non-TLS HTTP requests using HTTP/2 without HTTP/1.1 Upgrade. It requires prior knowledge that the server supports HTTP/2 straight away. HTTPS requests will
still do HTTP/2 the standard way with negotiated protocol version in the TLS handshake.

Providing --http2-prior-knowledge multiple times has no extra effect. Disable it again with --no-http2-prior-knowledge.

Example:
curl --http2-prior-knowledge https://example.com

See also --http2 and --http3. --http2-prior-knowledge requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http3. Added in 7.49.0.

--http2
(HTTP) Tells curl to use HTTP version 2.

For HTTPS, this means curl will attempt to negotiate HTTP/2 in the TLS handshake. curl does this by default.

For HTTP, this means curl will attempt to upgrade the request to HTTP/2 using the Upgrade: request header.

When curl uses HTTP/2 over HTTPS, it does not itself insist on TLS 1.2 or higher even though that is required by the specification. A user can add this version requirement with --tlsv1.2.

Providing --http2 multiple times has no extra effect.

Example:
curl --http2 https://example.com

See also --http1.1 and --http3. --http2 requires that the underlying libcurl was built to support HTTP/2. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2-prior-
knowledge and --http3. Added in 7.33.0.

--http3-only
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Instructs curl to use HTTP/3 to the host in the URL, with no fallback to earlier HTTP versions. HTTP/3 can only be used for HTTPS and not for HTTP URLs. For HTTP, this option will trigger an
error.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

This option will make curl fail if a QUIC connection cannot be established, it will not attempt any other HTTP version on its own. Use --http3 for similar functionality with a fallback.

Providing --http3-only multiple times has no extra effect.

Example:
curl --http3-only https://example.com

See also --http1.1, --http2 and --http3. --http3-only requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and
--http2 and --http2-prior-knowledge and --http3. Added in 7.88.0.

--http3
(HTTP) **WARNING**: this option is experimental. Do not use in production.

Tells curl to try HTTP/3 to the host in the URL, but fallback to earlier HTTP versions if the HTTP/3 connection establishment fails. HTTP/3 is only available for HTTPS and not for HTTP URLs.

This option allows a user to avoid using the Alt-Svc method of upgrading to HTTP/3 when you know that the target speaks HTTP/3 on the given host and port.

When asked to use HTTP/3, curl will issue a separate attempt to use older HTTP versions with a slight delay, so if the HTTP/3 transfer fails or is very slow, curl will still try to proceed
with an older HTTP version.

Use --http3-only for similar functionality without a fallback.

Providing --http3 multiple times has no extra effect.

Example:
curl --http3 https://example.com

See also --http1.1 and --http2. --http3 requires that the underlying libcurl was built to support HTTP/3. This option is mutually exclusive to --http1.1 and -0, --http1.0 and --http2 and
--http2-prior-knowledge and --http3-only. Added in 7.66.0.

--ignore-content-length
(FTP HTTP) For HTTP, Ignore the Content-Length header. This is particularly useful for servers running Apache 1.x, which will report incorrect Content-Length for files larger than 2 giga‐
bytes.

For FTP (since 7.46.0), skip the RETR command to figure out the size before downloading a file.

This option does not work for HTTP if libcurl was built to use hyper.

Providing --ignore-content-length multiple times has no extra effect. Disable it again with --no-ignore-content-length.

Example:
curl --ignore-content-length https://example.com

See also --ftp-skip-pasv-ip.

-i, --include
Include the HTTP response headers in the output. The HTTP response headers can include things like server name, cookies, date of the document, HTTP version and more...

To view the request headers, consider the -v, --verbose option.

Providing -i, --include multiple times has no extra effect. Disable it again with --no-include.

Example:
curl -i https://example.com

See also -v, --verbose.

-k, --insecure
(TLS SFTP SCP) By default, every secure connection curl makes is verified to be secure before the transfer takes place. This option makes curl skip the verification step and proceed without
checking.

When this option is not used for protocols using TLS, curl verifies the server's TLS certificate before it continues: that the certificate contains the right name which matches the host name
used in the URL and that the certificate has been signed by a CA certificate present in the cert store. See this online resource for further details:
https://curl.se/docs/sslcerts.html

For SFTP and SCP, this option makes curl skip the known_hosts verification. known_hosts is a file normally stored in the user's home directory in the ".ssh" subdirectory, which contains host
names and their public keys.

WARNING: using this option makes the transfer insecure.

When curl uses secure protocols it trusts responses and allows for example HSTS and Alt-Svc information to be stored and used subsequently. Using -k, --insecure can make curl trust and use
such information from malicious servers.

Providing -k, --insecure multiple times has no extra effect. Disable it again with --no-insecure.

Example:
curl --insecure https://example.com

See also --proxy-insecure, --cacert and --capath.

--interface <name>
Perform an operation using a specified interface. You can enter interface name, IP address or host name. An example could look like:

curl --interface eth0:1 https://www.example.com/

On Linux it can be used to specify a VRF, but the binary needs to either have CAP_NET_RAW or to be run as root. More information about Linux VRF: https://www.kernel.org/doc/Documentation/net‐
working/vrf.txt

If --interface is provided several times, the last set value will be used.

Example:
curl --interface eth0 https://example.com

See also --dns-interface.

-4, --ipv4
This option tells curl to use IPv4 addresses only, and not for example try IPv6.

Providing -4, --ipv4 multiple times has no extra effect. Disable it again with --no-ipv4.

Example:
curl --ipv4 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -6, --ipv6.

-6, --ipv6
This option tells curl to use IPv6 addresses only, and not for example try IPv4.

Providing -6, --ipv6 multiple times has no extra effect. Disable it again with --no-ipv6.

Example:
curl --ipv6 https://example.com

See also --http1.1 and --http2. This option is mutually exclusive to -4, --ipv4.

--json <data>
(HTTP) Sends the specified JSON data in a POST request to the HTTP server. --json works as a shortcut for passing on these three options:

--data [arg]
--header "Content-Type: application/json"
--header "Accept: application/json"

There is no verification that the passed in data is actual JSON or that the syntax is correct.

If you start the data with the letter @, the rest should be a file name to read the data from, or a single dash (-) if you want curl to read the data from stdin. Posting data from a file
named 'foobar' would thus be done with --json @foobar and to instead read the data from stdin, use --json @-.

If this option is used more than once on the same command line, the additional data pieces will be concatenated to the previous before sending.

The headers this option sets can be overridden with -H, --header as usual.

--json can be used several times in a command line

Examples:
curl --json '{ "drink": "coffe" }' https://example.com
curl --json '{ "drink":' --json ' "coffe" }' https://example.com
curl --json @prepared https://example.com
curl --json @- https://example.com < json.txt

See also --data-binary and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file. Added in 7.82.0.

-j, --junk-session-cookies
(HTTP) When curl is told to read cookies from a given file, this option will make it discard all "session cookies". This will basically have the same effect as if a new session is started.
Typical browsers always discard session cookies when they are closed down.

Providing -j, --junk-session-cookies multiple times has no extra effect. Disable it again with --no-junk-session-cookies.

Example:
curl --junk-session-cookies -b cookies.txt https://example.com

See also -b, --cookie and -c, --cookie-jar.

--keepalive-time <seconds>
This option sets the time a connection needs to remain idle before sending keepalive probes and the time between individual keepalive probes. It is currently effective on operating systems
offering the TCP_KEEPIDLE and TCP_KEEPINTVL socket options (meaning Linux, recent AIX, HP-UX and more). Keepalives are used by the TCP stack to detect broken networks on idle connections.
The number of missed keepalive probes before declaring the connection down is OS dependent and is commonly 9 or 10. This option has no effect if --no-keepalive is used.

If unspecified, the option defaults to 60 seconds.

If --keepalive-time is provided several times, the last set value will be used.

Example:
curl --keepalive-time 20 https://example.com

See also --no-keepalive and -m, --max-time.

--key-type <type>
(TLS) Private key file type. Specify which type your --key provided private key is. DER, PEM, and ENG are supported. If not specified, PEM is assumed.

If --key-type is provided several times, the last set value will be used.

Example:
curl --key-type DER --key here https://example.com

See also --key.

--key <key>
(TLS SSH) Private key file name. Allows you to provide your private key in this separate file. For SSH, if not specified, curl tries the following candidates in order: '~/.ssh/id_rsa',
'~/.ssh/id_dsa', './id_rsa', './id_dsa'.

If curl is built against OpenSSL library, and the engine pkcs11 is available, then a PKCS#11 URI (RFC 7512) can be used to specify a private key located in a PKCS#11 device. A string begin‐
ning with "pkcs11:" will be interpreted as a PKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option will be set as "pkcs11" if none was provided and the --key-type option will be
set as "ENG" if none was provided.

If curl is built against Secure Transport or Schannel then this option is ignored for TLS protocols (HTTPS, etc). Those backends expect the private key to be already present in the keychain
or PKCS#12 file containing the certificate.

If --key is provided several times, the last set value will be used.

Example:
curl --cert certificate --key here https://example.com

See also --key-type and -E, --cert.

--krb <level>
(FTP) Enable Kerberos authentication and use. The level must be entered and should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use a level that is not one of these,
'private' will instead be used.

If --krb is provided several times, the last set value will be used.

Example:
curl --krb clear ftp://example.com/

See also --delegation and --ssl. --krb requires that the underlying libcurl was built to support Kerberos.

--libcurl <file>
Append this option to any ordinary curl command line, and you will get libcurl-using C source code written to the file that does the equivalent of what your command-line operation does!

This option is global and does not need to be specified for each use of -:, --next.

If --libcurl is provided several times, the last set value will be used.

Example:
curl --libcurl client.c https://example.com

See also -v, --verbose.

--limit-rate <speed>
Specify the maximum transfer rate you want curl to use - for both downloads and uploads. This feature is useful if you have a limited pipe and you would like your transfer not to use your en‐
tire bandwidth. To make it slower than it otherwise would be.

The given speed is measured in bytes/second, unless a suffix is appended. Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it
gigabytes. The suffixes (k, M, G, T, P) are 1024 based. For example 1k is 1024. Examples: 200K, 3m and 1G.

The rate limiting logic works on averaging the transfer speed to no more than the set threshold over a period of multiple seconds.

If you also use the -Y, --speed-limit option, that option will take precedence and might cripple the rate-limiting slightly, to help keeping the speed-limit logic working.

If --limit-rate is provided several times, the last set value will be used.

Examples:
curl --limit-rate 100K https://example.com
curl --limit-rate 1000 https://example.com
curl --limit-rate 10M https://example.com

See also --rate, -Y, --speed-limit and -y, --speed-time.

-l, --list-only
(FTP POP3) (FTP) When listing an FTP directory, this switch forces a name-only view. This is especially useful if the user wants to machine-parse the contents of an FTP directory since the
normal directory view does not use a standard look or format. When used like this, the option causes an NLST command to be sent to the server instead of LIST.

Note: Some FTP servers list only files in their response to NLST; they do not include sub-directories and symbolic links.

(POP3) When retrieving a specific email from POP3, this switch forces a LIST command to be performed instead of RETR. This is particularly useful if the user wants to see if a specific mes‐
sage-id exists on the server and what size it is.

Note: When combined with -X, --request, this option can be used to send a UIDL command instead, so the user may use the email's unique identifier rather than its message-id to make the re‐
quest.

Providing -l, --list-only multiple times has no extra effect. Disable it again with --no-list-only.

Example:
curl --list-only ftp://example.com/dir/

See also -Q, --quote and -X, --request.

--local-port <num/range>
Set a preferred single number or range (FROM-TO) of local port numbers to use for the connection(s). Note that port numbers by nature are a scarce resource that will be busy at times so set‐
ting this range to something too narrow might cause unnecessary connection setup failures.

If --local-port is provided several times, the last set value will be used.

Example:
curl --local-port 1000-3000 https://example.com

See also -g, --globoff.

--location-trusted
(HTTP) Like -L, --location, but will allow sending the name + password to all hosts that the site may redirect to. This may or may not introduce a security breach if the site redirects you to
a site to which you will send your authentication info (which is plaintext in the case of HTTP Basic authentication).

Providing --location-trusted multiple times has no extra effect. Disable it again with --no-location-trusted.

Example:
curl --location-trusted -u user:password https://example.com

See also -u, --user.

-L, --location
(HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request
on the new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐
tial host. If a redirect takes curl to a different host, it will not be able to intercept the user+password. See also --location-trusted on how to change this. You can limit the amount of
redirects to follow by using the --max-redirs option.

When curl follows a redirect and if the request is a POST, it will send the following request with a GET if the HTTP response was 301, 302, or 303. If the response code was any other 3xx
code, curl will re-send the following request using the same unmodified method.

You can tell curl to not change POST requests to GET after a 30x response by using the dedicated options for that: --post301, --post302 and --post303.

The method set with -X, --request overrides the method curl would otherwise select to use.

Providing -L, --location multiple times has no extra effect. Disable it again with --no-location.

Example:
curl -L https://example.com

See also --resolve and --alt-svc.

--login-options <options>
(IMAP LDAP POP3 SMTP) Specify the login options to use during server authentication.

You can use login options to specify protocol specific options that may be used during authentication. At present only IMAP, POP3 and SMTP support login options. For more information about
login options please see RFC 2384, RFC 5092 and IETF draft draft-earhart-url-smtp-00.txt

If --login-options is provided several times, the last set value will be used.

Example:
curl --login-options 'AUTH=*' imap://example.com

See also -u, --user. Added in 7.34.0.

--mail-auth <address>
(SMTP) Specify a single address. This will be used to specify the authentication address (identity) of a submitted message that is being relayed to another server.

If --mail-auth is provided several times, the last set value will be used.

Example:
curl --mail-auth user@example.come -T mail smtp://example.com/

See also --mail-rcpt and --mail-from.

--mail-from <address>
(SMTP) Specify a single address that the given mail should get sent from.

If --mail-from is provided several times, the last set value will be used.

Example:
curl --mail-from user@example.com -T mail smtp://example.com/

See also --mail-rcpt and --mail-auth.

--mail-rcpt-allowfails
(SMTP) When sending data to multiple recipients, by default curl will abort SMTP conversation if at least one of the recipients causes RCPT TO command to return an error.

The default behavior can be changed by passing --mail-rcpt-allowfails command-line option which will make curl ignore errors and proceed with the remaining valid recipients.

If all recipients trigger RCPT TO failures and this flag is specified, curl will still abort the SMTP conversation and return the error received from to the last RCPT TO command.

Providing --mail-rcpt-allowfails multiple times has no extra effect. Disable it again with --no-mail-rcpt-allowfails.

Example:
curl --mail-rcpt-allowfails --mail-rcpt dest@example.com smtp://example.com

See also --mail-rcpt. Added in 7.69.0.

--mail-rcpt <address>
(SMTP) Specify a single email address, user name or mailing list name. Repeat this option several times to send to multiple recipients.

When performing an address verification (VRFY command), the recipient should be specified as the user name or user name and domain (as per Section 3.5 of RFC5321). (Added in 7.34.0)

When performing a mailing list expand (EXPN command), the recipient should be specified using the mailing list name, such as "Friends" or "London-Office". (Added in 7.34.0)

--mail-rcpt can be used several times in a command line

Example:
curl --mail-rcpt user@example.net smtp://example.com

See also --mail-rcpt-allowfails.

-M, --manual
Manual. Display the huge help text.

Example:
curl --manual

See also -v, --verbose, --libcurl and --trace.

--max-filesize <bytes>
(FTP HTTP MQTT) Specify the maximum size (in bytes) of a file to download. If the file requested is larger than this value, the transfer will not start and curl will return with exit code 63.

A size modifier may be used. For example, Appending 'k' or 'K' will count the number as kilobytes, 'm' or 'M' makes it megabytes, while 'g' or 'G' makes it gigabytes. Examples: 200K, 3m and
1G. (Added in 7.58.0)

NOTE: The file size is not always known prior to download, and for such files this option has no effect even if the file transfer ends up being larger than this given limit. If --max-file‐
size is provided several times, the last set value will be used.

Example:
curl --max-filesize 100K https://example.com

See also --limit-rate.

--max-redirs <num>
(HTTP) Set maximum number of redirections to follow. When -L, --location is used, to prevent curl from following too many redirects, by default, the limit is set to 50 redirects. Set this op‐
tion to -1 to make it unlimited.

If --max-redirs is provided several times, the last set value will be used.

Example:
curl --max-redirs 3 --location https://example.com

See also -L, --location.

-m, --max-time <fractional seconds>
Maximum time in seconds that you allow each transfer to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0,
this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision.

If you enable retrying the transfer (--retry) then the maximum time counter is reset each time the transfer is retried. You can use --retry-max-time to limit the retry time.

The decimal value needs to provided using a dot (.) as decimal separator - not the local version even if it might be using another separator.

If -m, --max-time is provided several times, the last set value will be used.

Examples:
curl --max-time 10 https://example.com
curl --max-time 2.92 https://example.com

See also --connect-timeout and --retry-max-time.

--metalink
This option was previously used to specify a metalink resource. Metalink support has been disabled in curl since 7.78.0 for security reasons.

If --metalink is provided several times, the last set value will be used.

Example:
curl --metalink file https://example.com

See also -Z, --parallel.

--negotiate
(HTTP) Enables Negotiate (SPNEGO) authentication.

This option requires a library built with GSS-API or SSPI support. Use -V, --version to see if your curl supports GSS-API/SSPI or SPNEGO.

When using this option, you must also provide a fake -u, --user option to activate the authentication code properly. Sending a '-u :' is enough as the user name and password from the -u,
--user option are not actually used.

If this option is used several times, only the first one is used.

Providing --negotiate multiple times has no extra effect.

Example:
curl --negotiate -u : https://example.com

See also --basic, --ntlm, --anyauth and --proxy-negotiate.

--netrc-file <filename>
This option is similar to -n, --netrc, except that you provide the path (absolute or relative) to the netrc file that curl should use. You can only specify one netrc file per invocation.

It will abide by --netrc-optional if specified.

If --netrc-file is provided several times, the last set value will be used.

Example:
curl --netrc-file netrc https://example.com

See also -n, --netrc, -u, --user and -K, --config. This option is mutually exclusive to -n, --netrc.

--netrc-optional
Similar to -n, --netrc, but this option makes the .netrc usage optional and not mandatory as the -n, --netrc option does.

Providing --netrc-optional multiple times has no extra effect. Disable it again with --no-netrc-optional.

Example:
curl --netrc-optional https://example.com

See also --netrc-file. This option is mutually exclusive to -n, --netrc.

-n, --netrc
Makes curl scan the .netrc (_netrc on Windows) file in the user's home directory for login name and password. This is typically used for FTP on Unix. If used with HTTP, curl will enable user
authentication. See netrc(5) and ftp(1) for details on the file format. Curl will not complain if that file does not have the right permissions (it should be neither world- nor group-read‐
able). The environment variable "HOME" is used to find the home directory.

A quick and simple example of how to setup a .netrc to allow curl to FTP to the machine host.domain.com with user name 'myself' and password 'secret' could look similar to:

machine host.domain.com
login myself
password secret

Providing -n, --netrc multiple times has no extra effect. Disable it again with --no-netrc.

Example:
curl --netrc https://example.com

See also --netrc-file, -K, --config and -u, --user. This option is mutually exclusive to --netrc-file and --netrc-optional.

-:, --next
Tells curl to use a separate operation for the following URL and associated options. This allows you to send several URL requests, each with their own specific options, for example, such as
different user names or custom requests for each.

-:, --next will reset all local options and only global ones will have their values survive over to the operation following the -:, --next instruction. Global options include -v, --verbose,
--trace, --trace-ascii and --fail-early.

For example, you can do both a GET and a POST in a single command line:

curl www1.example.com --next -d postthis www2.example.com

-:, --next can be used several times in a command line

Examples:
curl https://example.com --next -d postthis www2.example.com
curl -I https://example.com --next https://example.net/

See also -Z, --parallel and -K, --config. Added in 7.36.0.

--no-alpn
(HTTPS) Disable the ALPN TLS extension. ALPN is enabled by default if libcurl was built with an SSL library that supports ALPN. ALPN is used by a libcurl that supports HTTP/2 to negotiate
HTTP/2 support with the server during https sessions.

Providing --no-alpn multiple times has no extra effect. Disable it again with --alpn.

Example:
curl --no-alpn https://example.com

See also --no-npn and --http2. --no-alpn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

-N, --no-buffer
Disables the buffering of the output stream. In normal work situations, curl will use a standard buffered output stream that will have the effect that it will output the data in chunks, not
necessarily exactly when the data arrives. Using this option will disable that buffering.

Providing -N, --no-buffer multiple times has no extra effect. Disable it again with --buffer.

Example:
curl --no-buffer https://example.com

See also -#, --progress-bar.

--no-clobber
When used in conjunction with the -o, --output, -J, --remote-header-name, -O, --remote-name, or --remote-name-all options, curl avoids overwriting files that already exist. Instead, a dot and
a number gets appended to the name of the file that would be created, up to filename.100 after which it will not create any file.

Note that this is the negated option name documented. You can thus use --clobber to enforce the clobbering, even if -J, --remote-header-name is specified.

Providing --no-clobber multiple times has no extra effect. Disable it again with --clobber.

Example:
curl --no-clobber --output local/dir/file https://example.com

See also -o, --output and -O, --remote-name. Added in 7.83.0.

--no-keepalive
Disables the use of keepalive messages on the TCP connection. curl otherwise enables them by default.

Note that this is the negated option name documented. You can thus use --keepalive to enforce keepalive.

Providing --no-keepalive multiple times has no extra effect. Disable it again with --keepalive.

Example:
curl --no-keepalive https://example.com

See also --keepalive-time.

--no-npn
(HTTPS) In curl 7.86.0 and later, curl never uses NPN.

Disable the NPN TLS extension. NPN is enabled by default if libcurl was built with an SSL library that supports NPN. NPN is used by a libcurl that supports HTTP/2 to negotiate HTTP/2 support
with the server during https sessions.

Providing --no-npn multiple times has no extra effect. Disable it again with --npn.

Example:
curl --no-npn https://example.com

See also --no-alpn and --http2. --no-npn requires that the underlying libcurl was built to support TLS. Added in 7.36.0.

--no-progress-meter
Option to switch off the progress meter output without muting or otherwise affecting warning and informational messages like -s, --silent does.

Note that this is the negated option name documented. You can thus use --progress-meter to enable the progress meter again.

Providing --no-progress-meter multiple times has no extra effect. Disable it again with --progress-meter.

Example:
curl --no-progress-meter -o store https://example.com

See also -v, --verbose and -s, --silent. Added in 7.67.0.

--no-sessionid
(TLS) Disable curl's use of SSL session-ID caching. By default all transfers are done using the cache. Note that while nothing should ever get hurt by attempting to reuse SSL session-IDs,
there seem to be broken SSL implementations in the wild that may require you to disable this in order for you to succeed.

Note that this is the negated option name documented. You can thus use --sessionid to enforce session-ID caching.

Providing --no-sessionid multiple times has no extra effect. Disable it again with --sessionid.

Example:
curl --no-sessionid https://example.com

See also -k, --insecure.

--noproxy <no-proxy-list>
Comma-separated list of hosts for which not to use a proxy, if one is specified. The only wildcard is a single * character, which matches all hosts, and effectively disables the proxy. Each
name in this list is matched as either a domain which contains the hostname, or the hostname itself. For example, local.com would match local.com, local.com:80, and www.local.com, but not
www.notlocal.com.

Since 7.53.0, This option overrides the environment variables that disable the proxy ('no_proxy' and 'NO_PROXY'). If there's an environment variable disabling a proxy, you can set the noproxy
list to "" to override it.

Since 7.86.0, IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the
comparison. For example "192.168.0.0/16" would match all addresses starting with "192.168".

If --noproxy is provided several times, the last set value will be used.

Example:
curl --noproxy "www.example" https://example.com

See also -x, --proxy.

--ntlm-wb
(HTTP) Enables NTLM much in the style --ntlm does, but hand over the authentication to the separate binary ntlmauth application that is executed when needed.

Providing --ntlm-wb multiple times has no extra effect.

Example:
curl --ntlm-wb -u user:password https://example.com

See also --ntlm and --proxy-ntlm.

--ntlm (HTTP) Enables NTLM authentication. The NTLM authentication method was designed by Microsoft and is used by IIS web servers. It is a proprietary protocol, reverse-engineered by clever people
and implemented in curl based on their efforts. This kind of behavior should not be endorsed, you should encourage everyone who uses NTLM to switch to a public and documented authentication
method instead, such as Digest.

If you want to enable NTLM for your proxy authentication, then use --proxy-ntlm.

If this option is used several times, only the first one is used.

Providing --ntlm multiple times has no extra effect.

Example:
curl --ntlm -u user:password https://example.com

See also --proxy-ntlm. --ntlm requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --basic and --negotiate and --digest and --anyauth.

--oauth2-bearer <token>
(IMAP LDAP POP3 SMTP HTTP) Specify the Bearer Token for OAUTH 2.0 server authentication. The Bearer Token is used in conjunction with the user name which can be specified as part of the --url
or -u, --user options.

The Bearer Token and user name are formatted according to RFC 6750.

If --oauth2-bearer is provided several times, the last set value will be used.

Example:
curl --oauth2-bearer "mF_9.B5f-4.1JqM" https://example.com

See also --basic, --ntlm and --digest. Added in 7.33.0.

--output-dir <dir>
This option specifies the directory in which files should be stored, when -O, --remote-name or -o, --output are used.

The given output directory is used for all URLs and output options on the command line, up until the first -:, --next.

If the specified target directory does not exist, the operation will fail unless --create-dirs is also used.

If --output-dir is provided several times, the last set value will be used.

Example:
curl --output-dir "tmp" -O https://example.com

See also -O, --remote-name and -J, --remote-header-name. Added in 7.73.0.

-o, --output <file>
Write output to <file> instead of stdout. If you are using {} or [] to fetch multiple documents, you should quote the URL and you can use '#' followed by a number in the <file> specifier.
That variable will be replaced with the current string for the URL being fetched. Like in:

curl "http://{one,two}.example.com" -o "file_#1.txt"

or use several variables like:

curl "http://{site,host}.host[1-5].com" -o "#1_#2"

You may use this option as many times as the number of URLs you have. For example, if you specify two URLs on the same command line, you can use it like this:

curl -o aa example.com -o bb example.net

and the order of the -o options and the URLs does not matter, just that the first -o is for the first URL and so on, so the above command line can also be written as

curl example.com example.net -o aa -o bb

See also the --create-dirs option to create the local directories dynamically. Specifying the output as '-' (a single dash) will force the output to be done to stdout.

To suppress response bodies, you can redirect output to /dev/null:

curl example.com -o /dev/null

Or for Windows use nul:

curl example.com -o nul

-o, --output can be used several times in a command line

Examples:
curl -o file https://example.com
curl "http://{one,two}.example.com" -o "file_#1.txt"
curl "http://{site,host}.host[1-5].com" -o "#1_#2"
curl -o file https://example.com -o file2 https://example.net

See also -O, --remote-name, --remote-name-all and -J, --remote-header-name.

--parallel-immediate
When doing parallel transfers, this option will instruct curl that it should rather prefer opening up more connections in parallel at once rather than waiting to see if new transfers can be
added as multiplexed streams on another connection.

This option is global and does not need to be specified for each use of -:, --next.

Providing --parallel-immediate multiple times has no extra effect. Disable it again with --no-parallel-immediate.

Example:
curl --parallel-immediate -Z https://example.com -o file1 https://example.com -o file2

See also -Z, --parallel and --parallel-max. Added in 7.68.0.

--parallel-max <num>
When asked to do parallel transfers, using -Z, --parallel, this option controls the maximum amount of transfers to do simultaneously.

This option is global and does not need to be specified for each use of -:, --next.

The default is 50.

If --parallel-max is provided several times, the last set value will be used.

Example:
curl --parallel-max 100 -Z https://example.com ftp://example.com/

See also -Z, --parallel. Added in 7.66.0.

-Z, --parallel
Makes curl perform its transfers in parallel as compared to the regular serial manner.

This option is global and does not need to be specified for each use of -:, --next.

Providing -Z, --parallel multiple times has no extra effect. Disable it again with --no-parallel.

Example:
curl --parallel https://example.com -o file1 https://example.com -o file2

See also -:, --next and -v, --verbose. Added in 7.66.0.

--pass <phrase>
(SSH TLS) Passphrase for the private key.

If --pass is provided several times, the last set value will be used.

Example:
curl --pass secret --key file https://example.com

See also --key and -u, --user.

--path-as-is
Tell curl to not handle sequences of /../ or /./ in the given URL path. Normally curl will squash or merge them according to standards but with this option set you tell it not to do that.

Providing --path-as-is multiple times has no extra effect. Disable it again with --no-path-as-is.

Example:
curl --path-as-is https://example.com/../../etc/passwd

See also --request-target. Added in 7.42.0.

--pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the peer. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

PEM/DER support:

7.39.0: OpenSSL, GnuTLS and GSKit

7.43.0: NSS and wolfSSL

7.47.0: mbedtls

sha256 support:

7.44.0: OpenSSL, GnuTLS, NSS and wolfSSL

7.47.0: mbedtls

Other SSL backends not supported.

If --pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --pinnedpubkey keyfile https://example.com
curl --pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --hostpubsha256. Added in 7.39.0.

--post301
(HTTP) Tells curl to respect RFC 7231/6.4.2 and not convert POST requests into GET requests when following a 301 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post301 multiple times has no extra effect. Disable it again with --no-post301.

Example:
curl --post301 --location -d "data" https://example.com

See also --post302, --post303 and -L, --location.

--post302
(HTTP) Tells curl to respect RFC 7231/6.4.3 and not convert POST requests into GET requests when following a 302 redirection. The non-RFC behavior is ubiquitous in web browsers, so curl does
the conversion by default to maintain consistency. However, a server may require a POST to remain a POST after such a redirection. This option is meaningful only when using -L, --location.

Providing --post302 multiple times has no extra effect. Disable it again with --no-post302.

Example:
curl --post302 --location -d "data" https://example.com

See also --post301, --post303 and -L, --location.

--post303
(HTTP) Tells curl to violate RFC 7231/6.4.4 and not convert POST requests into GET requests when following 303 redirections. A server may require a POST to remain a POST after a 303 redirect‐
ion. This option is meaningful only when using -L, --location.

Providing --post303 multiple times has no extra effect. Disable it again with --no-post303.

Example:
curl --post303 --location -d "data" https://example.com

See also --post302, --post301 and -L, --location.

--preproxy [protocol://]host[:port]
Use the specified SOCKS proxy before connecting to an HTTP or HTTPS -x, --proxy. In such a case curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy. Hence pre proxy.

The pre proxy string should be specified with a protocol:// prefix to specify alternative proxy protocols. Use socks4://, socks4a://, socks5:// or socks5h:// to request the specific SOCKS
version to be used. No protocol specified will make curl default to SOCKS4.

If the port number is not specified in the proxy string, it is assumed to be 1080.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

If --preproxy is provided several times, the last set value will be used.

Example:
curl --preproxy socks5://proxy.example -x http://http.example https://example.com

See also -x, --proxy and --socks5. Added in 7.52.0.

-#, --progress-bar
Make curl display transfer progress as a simple progress bar instead of the standard, more informational, meter.

This progress bar draws a single line of '#' characters across the screen and shows a percentage if the transfer size is known. For transfers without a known size, there will be space ship
(-=o=-) that moves back and forth but only while data is being transferred, with a set of flying hash sign symbols on top.

This option is global and does not need to be specified for each use of -:, --next.

Providing -#, --progress-bar multiple times has no extra effect. Disable it again with --no-progress-bar.

Example:
curl -# -O https://example.com

See also --styled-output.

--proto-default <protocol>
Tells curl to use protocol for any URL missing a scheme name.

An unknown or unsupported protocol causes error CURLE_UNSUPPORTED_PROTOCOL (1).

This option does not change the default proxy protocol (http).

Without this option set, curl guesses protocol based on the host name, see --url for details.

If --proto-default is provided several times, the last set value will be used.

Example:
curl --proto-default https ftp.example.com

See also --proto and --proto-redir. Added in 7.45.0.

--proto-redir <protocols>
Tells curl to limit what protocols it may use on redirect. Protocols denied by --proto are not overridden by this option. See --proto for how protocols are represented.

Example, allow only HTTP and HTTPS on redirect:

curl --proto-redir -all,http,https http://example.com

By default curl will only allow HTTP, HTTPS, FTP and FTPS on redirect (since 7.65.2). Specifying all or +all enables all protocols on redirects, which is not good for security.

If --proto-redir is provided several times, the last set value will be used.

Example:
curl --proto-redir =http,https https://example.com

See also --proto.

--proto <protocols>
Tells curl to limit what protocols it may use for transfers. Protocols are evaluated left to right, are comma separated, and are each a protocol name or 'all', optionally prefixed by zero or
more modifiers. Available modifiers are:

+ Permit this protocol in addition to protocols already permitted (this is the default if no modifier is used).

- Deny this protocol, removing it from the list of protocols already permitted.

= Permit only this protocol (ignoring the list already permitted), though subject to later modification by subsequent entries in the comma separated list.

For example:

--proto -ftps uses the default protocols, but disables ftps

--proto -all,https,+http
only enables http and https

--proto =http,https
also only enables http and https

Unknown and disabled protocols produce a warning. This allows scripts to safely rely on being able to disable potentially dangerous protocols, without relying upon support for that protocol
being built into curl to avoid an error.

This option can be used multiple times, in which case the effect is the same as concatenating the protocols into one instance of the option.

If --proto is provided several times, the last set value will be used.

Example:
curl --proto =http,https,sftp https://example.com

See also --proto-redir and --proto-default.

--proxy-anyauth
Tells curl to pick a suitable authentication method when communicating with the given HTTP proxy. This might cause an extra request/response round-trip.

Providing --proxy-anyauth multiple times has no extra effect.

Example:
curl --proxy-anyauth --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-basic and --proxy-digest.

--proxy-basic
Tells curl to use HTTP Basic authentication when communicating with the given proxy. Use --basic for enabling HTTP Basic with a remote host. Basic is the default authentication method curl
uses with proxies.

Providing --proxy-basic multiple times has no extra effect.

Example:
curl --proxy-basic --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-digest.

--proxy-cacert <file>
Same as --cacert but used in HTTPS proxy context.

If --proxy-cacert is provided several times, the last set value will be used.

Example:
curl --proxy-cacert CA-file.txt -x https://proxy https://example.com

See also --proxy-capath, --cacert, --capath and -x, --proxy. Added in 7.52.0.

--proxy-capath <dir>
Same as --capath but used in HTTPS proxy context.

If --proxy-capath is provided several times, the last set value will be used.

Example:
curl --proxy-capath /local/directory -x https://proxy https://example.com

See also --proxy-cacert, -x, --proxy and --capath. Added in 7.52.0.

--proxy-cert-type <type>
Same as --cert-type but used in HTTPS proxy context.

If --proxy-cert-type is provided several times, the last set value will be used.

Example:
curl --proxy-cert-type PEM --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert. Added in 7.52.0.

--proxy-cert <cert[:passwd]>
Same as -E, --cert but used in HTTPS proxy context.

If --proxy-cert is provided several times, the last set value will be used.

Example:
curl --proxy-cert file -x https://proxy https://example.com

See also --proxy-cert-type. Added in 7.52.0.

--proxy-ciphers <list>
Same as --ciphers but used in HTTPS proxy context.

If --proxy-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-ciphers ECDHE-ECDSA-AES256-CCM8 -x https://proxy https://example.com

See also --ciphers, --curves and -x, --proxy. Added in 7.52.0.

--proxy-crlfile <file>
Same as --crlfile but used in HTTPS proxy context.

If --proxy-crlfile is provided several times, the last set value will be used.

Example:
curl --proxy-crlfile rejects.txt -x https://proxy https://example.com

See also --crlfile and -x, --proxy. Added in 7.52.0.

--proxy-digest
Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use --digest for enabling HTTP Digest with a remote host.

Providing --proxy-digest multiple times has no extra effect.

Example:
curl --proxy-digest --proxy-user user:passwd -x proxy https://example.com

See also -x, --proxy, --proxy-anyauth and --proxy-basic.

--proxy-header <header/@file>
(HTTP) Extra header to include in the request when sending HTTP to a proxy. You may specify any number of extra headers. This is the equivalent option to -H, --header but is for proxy commu‐
nication only like in CONNECT requests when you want a separate header sent to the proxy to what is sent to the actual remote host.

curl will make sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage
returns, they will only mess things up for you.

Headers specified with this option will not be included in requests that curl knows will not be sent to a proxy.

Starting in 7.55.0, this option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- will make curl read the header file from stdin.

This option can be used multiple times to add/replace/remove multiple headers.

--proxy-header can be used several times in a command line

Examples:
curl --proxy-header "X-First-Name: Joe" -x http://proxy https://example.com
curl --proxy-header "User-Agent: surprise" -x http://proxy https://example.com
curl --proxy-header "Host:" -x http://proxy https://example.com

See also -x, --proxy. Added in 7.37.0.

--proxy-insecure
Same as -k, --insecure but used in HTTPS proxy context.

Providing --proxy-insecure multiple times has no extra effect. Disable it again with --no-proxy-insecure.

Example:
curl --proxy-insecure -x https://proxy https://example.com

See also -x, --proxy and -k, --insecure. Added in 7.52.0.

--proxy-key-type <type>
Same as --key-type but used in HTTPS proxy context.

If --proxy-key-type is provided several times, the last set value will be used.

Example:
curl --proxy-key-type DER --proxy-key here -x https://proxy https://example.com

See also --proxy-key and -x, --proxy. Added in 7.52.0.

--proxy-key <key>
Same as --key but used in HTTPS proxy context.

If --proxy-key is provided several times, the last set value will be used.

Example:
curl --proxy-key here -x https://proxy https://example.com

See also --proxy-key-type and -x, --proxy. Added in 7.52.0.

--proxy-negotiate
Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating with the given proxy. Use --negotiate for enabling HTTP Negotiate (SPNEGO) with a remote host.

Providing --proxy-negotiate multiple times has no extra effect.

Example:
curl --proxy-negotiate --proxy-user user:passwd -x proxy https://example.com

See also --proxy-anyauth and --proxy-basic.

--proxy-ntlm
Tells curl to use HTTP NTLM authentication when communicating with the given proxy. Use --ntlm for enabling NTLM with a remote host.

Providing --proxy-ntlm multiple times has no extra effect.

Example:
curl --proxy-ntlm --proxy-user user:passwd -x http://proxy https://example.com

See also --proxy-negotiate and --proxy-anyauth.

--proxy-pass <phrase>
Same as --pass but used in HTTPS proxy context.

If --proxy-pass is provided several times, the last set value will be used.

Example:
curl --proxy-pass secret --proxy-key here -x https://proxy https://example.com

See also -x, --proxy and --proxy-key. Added in 7.52.0.

--proxy-pinnedpubkey <hashes>
(TLS) Tells curl to use the specified public key file (or hashes) to verify the proxy. This can be a path to a file which contains a single public key in PEM or DER format, or any number of
base64 encoded sha256 hashes preceded by 'sha256//' and separated by ';'.

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. A public key is extracted from this certificate and if it does not exactly match the public
key provided to this option, curl will abort the connection before sending or receiving any data.

If --proxy-pinnedpubkey is provided several times, the last set value will be used.

Examples:
curl --proxy-pinnedpubkey keyfile https://example.com
curl --proxy-pinnedpubkey 'sha256//ce118b51897f4452dc' https://example.com

See also --pinnedpubkey and -x, --proxy. Added in 7.59.0.

--proxy-service-name <name>
This option allows you to change the service name for proxy negotiation.

If --proxy-service-name is provided several times, the last set value will be used.

Example:
curl --proxy-service-name "shrubbery" -x proxy https://example.com

See also --service-name and -x, --proxy. Added in 7.43.0.

--proxy-ssl-allow-beast
Same as --ssl-allow-beast but used in HTTPS proxy context.

Providing --proxy-ssl-allow-beast multiple times has no extra effect. Disable it again with --no-proxy-ssl-allow-beast.

Example:
curl --proxy-ssl-allow-beast -x https://proxy https://example.com

See also --ssl-allow-beast and -x, --proxy. Added in 7.52.0.

--proxy-ssl-auto-client-cert
Same as --ssl-auto-client-cert but used in HTTPS proxy context.

Providing --proxy-ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-proxy-ssl-auto-client-cert.

Example:
curl --proxy-ssl-auto-client-cert -x https://proxy https://example.com

See also --ssl-auto-client-cert and -x, --proxy. Added in 7.77.0.

--proxy-tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection to your HTTPS proxy when it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher
suite details on this URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --proxy-
ciphers option.

If --proxy-tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --proxy-tls13-ciphers TLS_AES_128_GCM_SHA256 -x proxy https://example.com

See also --tls13-ciphers and --curves. Added in 7.61.0.

--proxy-tlsauthtype <type>
Same as --tlsauthtype but used in HTTPS proxy context.

If --proxy-tlsauthtype is provided several times, the last set value will be used.

Example:
curl --proxy-tlsauthtype SRP -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlspassword <string>
Same as --tlspassword but used in HTTPS proxy context.

If --proxy-tlspassword is provided several times, the last set value will be used.

Example:
curl --proxy-tlspassword passwd -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlsuser. Added in 7.52.0.

--proxy-tlsuser <name>
Same as --tlsuser but used in HTTPS proxy context.

If --proxy-tlsuser is provided several times, the last set value will be used.

Example:
curl --proxy-tlsuser smith -x https://proxy https://example.com

See also -x, --proxy and --proxy-tlspassword. Added in 7.52.0.

--proxy-tlsv1
Same as -1, --tlsv1 but used in HTTPS proxy context.

Providing --proxy-tlsv1 multiple times has no extra effect.

Example:
curl --proxy-tlsv1 -x https://proxy https://example.com

See also -x, --proxy. Added in 7.52.0.

-U, --proxy-user <user:password>
Specify the user name and password to use for proxy authentication.

If you use a Windows SSPI-enabled curl binary and do either Negotiate or NTLM authentication then you can tell curl to select the user name and password from your environment by specifying a
single colon with this option: "-U :".

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

If -U, --proxy-user is provided several times, the last set value will be used.

Example:
curl --proxy-user name:pwd -x proxy https://example.com

See also --proxy-pass.

-x, --proxy [protocol://]host[:port]
Use the specified proxy.

The proxy string can be specified with a protocol:// prefix. No protocol specified or http:// will be treated as HTTP proxy. Use socks4://, socks4a://, socks5:// or socks5h:// to request a
specific SOCKS version to be used.

Unix domain sockets are supported for socks proxy. Set localhost for the host part. e.g. socks5h://localhost/path/to/socket.sock

HTTPS proxy support via https:// protocol prefix was added in 7.52.0 for OpenSSL, GnuTLS and NSS.

Unrecognized and unsupported proxy protocols cause an error since 7.52.0. Prior versions may ignore the protocol and use http:// instead.

If the port number is not specified in the proxy string, it is assumed to be 1080.

This option overrides existing environment variables that set the proxy to use. If there's an environment variable setting a proxy, you can set proxy to "" to override it.

All operations that are performed over an HTTP proxy will transparently be converted to HTTP. It means that certain protocol specific operations might not be available. This is not the case
if you can tunnel through the proxy, as one with the -p, --proxytunnel option.

User and password that might be provided in the proxy string are URL decoded by curl. This allows you to pass in special characters such as @ by using %40 or pass in a colon with %3a.

The proxy host can be specified the same way as the proxy environment variables, including the protocol prefix (http://) and the embedded user + password.

When a proxy is used, the active FTP mode as set with -P, --ftp-port, cannot be used.

If -x, --proxy is provided several times, the last set value will be used.

Example:
curl --proxy http://proxy.example https://example.com

See also --socks5 and --proxy-basic.

--proxy1.0 <host[:port]>
Use the specified HTTP 1.0 proxy. If the port number is not specified, it is assumed at port 1080.

The only difference between this and the HTTP proxy option -x, --proxy, is that attempts to use CONNECT through the proxy will specify an HTTP 1.0 protocol instead of the default HTTP 1.1.

Providing --proxy1.0 multiple times has no extra effect.

Example:
curl --proxy1.0 -x http://proxy https://example.com

See also -x, --proxy, --socks5 and --preproxy.

-p, --proxytunnel
When an HTTP proxy is used -x, --proxy, this option will make curl tunnel through the proxy. The tunnel approach is made with the HTTP proxy CONNECT request and requires that the proxy allows
direct connect to the remote port number curl wants to tunnel through to.

To suppress proxy CONNECT response headers when curl is set to output headers use --suppress-connect-headers.

Providing -p, --proxytunnel multiple times has no extra effect. Disable it again with --no-proxytunnel.

Example:
curl --proxytunnel -x http://proxy https://example.com

See also -x, --proxy.

--pubkey <key>
(SFTP SCP) Public key file name. Allows you to provide your public key in this separate file.

(As of 7.39.0, curl attempts to automatically extract the public key from the private key file, so passing this option is generally not required. Note that this public key extraction requires
libcurl to be linked against a copy of libssh2 1.2.8 or higher that is itself linked against OpenSSL.)

If --pubkey is provided several times, the last set value will be used.

Example:
curl --pubkey file.pub sftp://example.com/

See also --pass.

-Q, --quote <command>
(FTP SFTP) Send an arbitrary command to the remote FTP or SFTP server. Quote commands are sent BEFORE the transfer takes place (just after the initial PWD command in an FTP transfer, to be
exact). To make commands take place after a successful transfer, prefix them with a dash '-'.

(FTP only) To make commands be sent after curl has changed the working directory, just before the file transfer command(s), prefix the command with a '+'. This is not performed when a direc‐
tory listing is performed.

You may specify any number of commands.

By default curl will stop at first failure. To make curl continue even if the command fails, prefix the command with an asterisk (*). Otherwise, if the server returns failure for one of the
commands, the entire operation will be aborted.

You must send syntactically correct FTP commands as RFC 959 defines to FTP servers, or one of the commands listed below to SFTP servers.

This option can be used multiple times.

SFTP is a binary protocol. Unlike for FTP, curl interprets SFTP quote commands itself before sending them to the server. File names may be quoted shell-style to embed spaces or special char‐
acters. Following is the list of all supported SFTP quote commands:

atime date file
The atime command sets the last access time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for date ex‐
pression details. (Added in 7.73.0)

chgrp group file
The chgrp command sets the group ID of the file named by the file operand to the group ID specified by the group operand. The group operand is a decimal integer group ID.

chmod mode file
The chmod command modifies the file mode bits of the specified file. The mode operand is an octal integer mode number.

chown user file
The chown command sets the owner of the file named by the file operand to the user ID specified by the user operand. The user operand is a decimal integer user ID.

ln source_file target_file
The ln and symlink commands create a symbolic link at the target_file location pointing to the source_file location.

mkdir directory_name
The mkdir command creates the directory named by the directory_name operand.

mtime date file
The mtime command sets the last modification time of the file named by the file operand. The <date expression> can be all sorts of date strings, see the curl_getdate(3) man page for
date expression details. (Added in 7.73.0)

pwd The pwd command returns the absolute pathname of the current working directory.

rename source target
The rename command renames the file or directory named by the source operand to the destination path named by the target operand.

rm file
The rm command removes the file specified by the file operand.

rmdir directory
The rmdir command removes the directory entry specified by the directory operand, provided it is empty.

symlink source_file target_file
See ln.

-Q, --quote can be used several times in a command line

Example:
curl --quote "DELE file" ftp://example.com/foo

See also -X, --request.

--random-file <file>
Deprecated option. This option is ignored by curl since 7.84.0. Prior to that it only had an effect on curl if built to use old versions of OpenSSL.

Specify the path name to file containing what will be considered as random data. The data may be used to seed the random engine for SSL connections.

If --random-file is provided several times, the last set value will be used.

Example:
curl --random-file rubbish https://example.com

See also --egd-file.

-r, --range <range>
(HTTP FTP SFTP FILE) Retrieve a byte range (i.e. a partial document) from an HTTP/1.1, FTP or SFTP server or a local FILE. Ranges can be specified in a number of ways.

0-499 specifies the first 500 bytes

500-999 specifies the second 500 bytes

-500 specifies the last 500 bytes

9500- specifies the bytes from offset 9500 and forward

0-0,-1 specifies the first and last byte only(*)(HTTP)

100-199,500-599
specifies two separate 100-byte ranges(*) (HTTP)

(*) = NOTE that this will cause the server to reply with a multipart response, which will be returned as-is by curl! Parsing or otherwise transforming this response is the responsibility of
the caller.

Only digit characters (0-9) are valid in the 'start' and 'stop' fields of the 'start-stop' range syntax. If a non-digit character is given in the range, the server's response will be unspeci‐
fied, depending on the server's configuration.

You should also be aware that many HTTP/1.1 servers do not have this feature enabled, so that when you attempt to get a range, you will instead get the whole document.

FTP and SFTP range downloads only support the simple 'start-stop' syntax (optionally with one of the numbers omitted). FTP use depends on the extended FTP command SIZE.

If -r, --range is provided several times, the last set value will be used.

Example:
curl --range 22-44 https://example.com

See also -C, --continue-at and -a, --append.

--rate <max request rate>
Specify the maximum transfer frequency you allow curl to use - in number of transfer starts per time unit (sometimes called request rate). Without this option, curl will start the next trans‐
fer as fast as possible.

If given several URLs and a transfer completes faster than the allowed rate, curl will wait until the next transfer is started to maintain the requested rate. This option has no effect when
-Z, --parallel is used.

The request rate is provided as "N/U" where N is an integer number and U is a time unit. Supported units are 's' (second), 'm' (minute), 'h' (hour) and 'd' /(day, as in a 24 hour unit). The
default time unit, if no "/U" is provided, is number of transfers per hour.

If curl is told to allow 10 requests per minute, it will not start the next request until 6 seconds have elapsed since the previous transfer was started.

This function uses millisecond resolution. If the allowed frequency is set more than 1000 per second, it will instead run unrestricted.

When retrying transfers, enabled with --retry, the separate retry delay logic is used and not this setting.

If --rate is provided several times, the last set value will be used.

Examples:
curl --rate 2/s https://example.com
curl --rate 3/h https://example.com
curl --rate 14/m https://example.com

See also --limit-rate and --retry-delay. Added in 7.84.0.

--raw (HTTP) When used, it disables all internal HTTP decoding of content or transfer encodings and instead makes them passed on unaltered, raw.

Providing --raw multiple times has no extra effect. Disable it again with --no-raw.

Example:
curl --raw https://example.com

See also --tr-encoding.

-e, --referer <URL>
(HTTP) Sends the "Referrer Page" information to the HTTP server. This can also be set with the -H, --header flag of course. When used with -L, --location you can append ";auto" to the -e,
--referer URL to make curl automatically set the previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you do not set an initial -e, --referer.

If -e, --referer is provided several times, the last set value will be used.

Examples:
curl --referer "https://fake.example" https://example.com
curl --referer "https://fake.example;auto" -L https://example.com
curl --referer ";auto" -L https://example.com

See also -A, --user-agent and -H, --header.

-J, --remote-header-name
(HTTP) This option tells the -O, --remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL. If the server-provided file name
contains a path, that will be stripped off before the file name is used.

The file is saved in the current directory, or in the directory specified with --output-dir.

If the server specifies a file name and a file with that name already exists in the destination directory, it will not be overwritten and an error will occur - unless you allow it by using
the --clobber option. If the server does not specify a file name then this option has no effect.

There's no attempt to decode %-sequences (yet) in the provided file name, so this option may provide you with rather unexpected file names.

This feature uses the name from the "filename" field, it does not yet support the "filename*" field (filenames with explicit character sets).

WARNING: Exercise judicious use of this option, especially on Windows. A rogue server could send you the name of a DLL or other file that could be loaded automatically by Windows or some
third party software.

Providing -J, --remote-header-name multiple times has no extra effect. Disable it again with --no-remote-header-name.

Example:
curl -OJ https://example.com/file

See also -O, --remote-name.

--remote-name-all
This option changes the default action for all given URLs to be dealt with as if -O, --remote-name were used for each one. So if you want to disable that for a specific URL after --remote-
name-all has been used, you must use "-o -" or --no-remote-name.

Providing --remote-name-all multiple times has no extra effect. Disable it again with --no-remote-name-all.

Example:
curl --remote-name-all ftp://example.com/file1 ftp://example.com/file2

See also -O, --remote-name.

-O, --remote-name
Write output to a local file named like the remote file we get. (Only the file part of the remote file is used, the path is cut off.)

The file will be saved in the current working directory. If you want the file saved in a different directory, make sure you change the current working directory before invoking curl with this
option or use --output-dir.

The remote file name to use for saving is extracted from the given URL, nothing else, and if it already exists it will be overwritten. If you want the server to be able to choose the file
name refer to -J, --remote-header-name which can be used in addition to this option. If the server chooses a file name and that name already exists it will not be overwritten.

There is no URL decoding done on the file name. If it has %20 or other URL encoded parts of the name, they will end up as-is as file name.

You may use this option as many times as the number of URLs you have.

-O, --remote-name can be used several times in a command line

Example:
curl -O https://example.com/filename

See also --remote-name-all, --output-dir and -J, --remote-header-name.

-R, --remote-time
When used, this will make curl attempt to figure out the timestamp of the remote file, and if that is available make the local file get that same timestamp.

Providing -R, --remote-time multiple times has no extra effect. Disable it again with --no-remote-time.

Example:
curl --remote-time -o foo https://example.com

See also -O, --remote-name and -z, --time-cond.

--remove-on-error
When curl returns an error when told to save output in a local file, this option removes that saved file before exiting. This prevents curl from leaving a partial file in the case of an error
during transfer.

If the output is not a file, this option has no effect.

Providing --remove-on-error multiple times has no extra effect. Disable it again with --no-remove-on-error.

Example:
curl --remove-on-error -o output https://example.com

See also -f, --fail. Added in 7.83.0.

--request-target <path>
(HTTP) Tells curl to use an alternative "target" (path) instead of using the path as provided in the URL. Particularly useful when wanting to issue HTTP requests without leading slash or
other data that does not follow the regular URL pattern, like "OPTIONS *".

If --request-target is provided several times, the last set value will be used.

Example:
curl --request-target "*" -X OPTIONS https://example.com

See also -X, --request. Added in 7.55.0.

-X, --request <method>
(HTTP) Specifies a custom request method to use when communicating with the HTTP server. The specified request method will be used instead of the method otherwise used (which defaults to
GET). Read the HTTP 1.1 specification for details and explanations. Common additional HTTP requests include PUT and DELETE, but related technologies like WebDAV offers PROPFIND, COPY, MOVE
and more.

Normally you do not need this option. All sorts of GET, HEAD, POST and PUT requests are rather invoked by using dedicated command line options.

This option only changes the actual word used in the HTTP request, it does not alter the way curl behaves. So for example if you want to make a proper HEAD request, using -X HEAD will not
suffice. You need to use the -I, --head option.

The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not change request
method according to the HTTP 30x response codes - and similar.

(FTP) Specifies a custom FTP command to use instead of LIST when doing file lists with FTP.

(POP3) Specifies a custom POP3 command to use instead of LIST or RETR.

(IMAP) Specifies a custom IMAP command to use instead of LIST. (Added in 7.30.0)

(SMTP) Specifies a custom SMTP command to use instead of HELP or VRFY. (Added in 7.34.0)

If -X, --request is provided several times, the last set value will be used.

Examples:
curl -X "DELETE" https://example.com
curl -X NLST ftp://example.com/

See also --request-target.

--resolve <[+]host:port:addr[,addr]...>
Provide a custom address for a specific host and port pair. Using this, you can make the curl requests(s) use a specified address and prevent the otherwise normally resolved address to be
used. Consider it a sort of /etc/hosts alternative provided on the command line. The port number should be the number used for the specific protocol the host will be used for. It means you
need several entries if you want to provide address for the same host but different ports.

By specifying '*' as host you can tell curl to resolve any host and specific port pair to the specified address. Wildcard is resolved last so any --resolve with a specific host and port will
be used first.

The provided address set by this option will be used even if -4, --ipv4 or -6, --ipv6 is set to make curl use another IP version.

By prefixing the host with a '+' you can make the entry time out after curl's default timeout (1 minute). Note that this will only make sense for long running parallel transfers with a lot of
files. In such cases, if this option is used curl will try to resolve the host as it normally would once the timeout has expired.

Support for providing the IP address within [brackets] was added in 7.57.0.

Support for providing multiple IP addresses per entry was added in 7.59.0.

Support for resolving with wildcard was added in 7.64.0.

Support for the '+' prefix was was added in 7.75.0.

This option can be used many times to add many host names to resolve.

--resolve can be used several times in a command line

Example:
curl --resolve example.com:443:127.0.0.1 https://example.com

See also --connect-to and --alt-svc.

--retry-all-errors
Retry on any error. This option is used together with --retry.

This option is the "sledgehammer" of retrying. Do not use this option by default (eg in curlrc), there may be unintended consequences such as sending or receiving duplicate data. Do not use
with redirected input or output. You'd be much better off handling your unique problems in shell script. Please read the example below.

WARNING: For server compatibility curl attempts to retry failed flaky transfers as close as possible to how they were started, but this is not possible with redirected input or output. For
example, before retrying it removes output data from a failed partial transfer that was written to an output file. However this is not true of data redirected to a | pipe or > file, which are
not reset. We strongly suggest you do not parse or record output via redirect in combination with this option, since you may receive duplicate data.

By default curl will not error on an HTTP response code that indicates an HTTP error, if the transfer was successful. For example, if a server replies 404 Not Found and the reply is fully re‐
ceived then that is not an error. When --retry is used then curl will retry on some HTTP response codes that indicate transient HTTP errors, but that does not include most 4xx response codes
such as 404. If you want to retry on all response codes that indicate HTTP errors (4xx and 5xx) then combine with -f, --fail.

Providing --retry-all-errors multiple times has no extra effect. Disable it again with --no-retry-all-errors.

Example:
curl --retry 5 --retry-all-errors https://example.com

See also --retry. Added in 7.71.0.

--retry-connrefused
In addition to the other conditions, consider ECONNREFUSED as a transient error too for --retry. This option is used together with --retry.

Providing --retry-connrefused multiple times has no extra effect. Disable it again with --no-retry-connrefused.

Example:
curl --retry-connrefused --retry 7 https://example.com

See also --retry and --retry-all-errors. Added in 7.52.0.

--retry-delay <seconds>
Make curl sleep this amount of time before each retry when a transfer has failed with a transient error (it changes the default backoff time algorithm between retries). This option is only
interesting if --retry is also used. Setting this delay to zero will make curl use the default backoff time.

If --retry-delay is provided several times, the last set value will be used.

Example:
curl --retry-delay 5 --retry 7 https://example.com

See also --retry.

--retry-max-time <seconds>
The retry timer is reset before the first transfer attempt. Retries will be done as usual (see --retry) as long as the timer has not reached this given limit. Notice that if the timer has not
reached the limit, the request will be made and while performing, it may take longer than this given time period. To limit a single request's maximum time, use -m, --max-time. Set this option
to zero to not timeout retries.

If --retry-max-time is provided several times, the last set value will be used.

Example:
curl --retry-max-time 30 --retry 10 https://example.com

See also --retry.

--retry <num>
If a transient error is returned when curl tries to perform a transfer, it will retry this number of times before giving up. Setting the number to 0 makes curl do no retries (which is the de‐
fault). Transient error means either: a timeout, an FTP 4xx response code or an HTTP 408, 429, 500, 502, 503 or 504 response code.

When curl is about to retry a transfer, it will first wait one second and then for all forthcoming retries it will double the waiting time until it reaches 10 minutes which then will be the
delay between the rest of the retries. By using --retry-delay you disable this exponential backoff algorithm. See also --retry-max-time to limit the total time allowed for retries.

Since curl 7.66.0, curl will comply with the Retry-After: response header if one was present to know when to issue the next retry.

If --retry is provided several times, the last set value will be used.

Example:
curl --retry 7 https://example.com

See also --retry-max-time.

--sasl-authzid <identity>
Use this authorization identity (authzid), during SASL PLAIN authentication, in addition to the authentication identity (authcid) as specified by -u, --user.

If the option is not specified, the server will derive the authzid from the authcid, but if specified, and depending on the server implementation, it may be used to access another user's in‐
box, that the user has been granted access to, or a shared mailbox for example.

If --sasl-authzid is provided several times, the last set value will be used.

Example:
curl --sasl-authzid zid imap://example.com/

See also --login-options. Added in 7.66.0.

--sasl-ir
Enable initial response in SASL authentication.

Providing --sasl-ir multiple times has no extra effect. Disable it again with --no-sasl-ir.

Example:
curl --sasl-ir imap://example.com/

See also --sasl-authzid. Added in 7.31.0.

--service-name <name>
This option allows you to change the service name for SPNEGO.

Examples: --negotiate --service-name sockd would use sockd/server-name.

If --service-name is provided several times, the last set value will be used.

Example:
curl --service-name sockd/server https://example.com

See also --negotiate and --proxy-service-name. Added in 7.43.0.

-S, --show-error
When used with -s, --silent, it makes curl show an error message if it fails.

This option is global and does not need to be specified for each use of -:, --next.

Providing -S, --show-error multiple times has no extra effect. Disable it again with --no-show-error.

Example:
curl --show-error --silent https://example.com

See also --no-progress-meter.

-s, --silent
Silent or quiet mode. Do not show progress meter or error messages. Makes Curl mute. It will still output the data you ask for, potentially even to the terminal/stdout unless you redirect it.

Use -S, --show-error in addition to this option to disable progress meter but still show error messages.

Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.

Example:
curl -s https://example.com

See also -v, --verbose, --stderr and --no-progress-meter.

--socks4 <host[:port]>
Use the specified SOCKS4 proxy. If the port number is not specified, it is assumed at port 1080. Using this socket type make curl resolve the host name and passing the address on to the
proxy.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4 proxy with -x, --proxy using a socks4:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4 is provided several times, the last set value will be used.

Example:
curl --socks4 hostname:4096 https://example.com

See also --socks4a, --socks5 and --socks5-hostname.

--socks4a <host[:port]>
Use the specified SOCKS4a proxy. If the port number is not specified, it is assumed at port 1080. This asks the proxy to resolve the host name.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks4a://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks4a proxy with -x, --proxy using a socks4a:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks4a is provided several times, the last set value will be used.

Example:
curl --socks4a hostname:4096 https://example.com

See also --socks4, --socks5 and --socks5-hostname.

--socks5-basic
Tells curl to use username/password authentication when connecting to a SOCKS5 proxy. The username/password authentication is enabled by default. Use --socks5-gssapi to force GSS-API au‐
thentication to SOCKS5 proxies.

Providing --socks5-basic multiple times has no extra effect.

Example:
curl --socks5-basic --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-gssapi-nec
As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961 says in section 4.3/4.4 it should be protected, but the NEC reference implementation does not. The option
--socks5-gssapi-nec allows the unprotected exchange of the protection mode negotiation.

Providing --socks5-gssapi-nec multiple times has no extra effect. Disable it again with --no-socks5-gssapi-nec.

Example:
curl --socks5-gssapi-nec --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi-service <name>
The default service name for a socks server is rcmd/server-fqdn. This option allows you to change it.

Examples: --socks5 proxy-name --socks5-gssapi-service sockd would use sockd/proxy-name --socks5 proxy-name --socks5-gssapi-service sockd/real-name would use sockd/real-name for cases where
the proxy-name does not match the principal name.

If --socks5-gssapi-service is provided several times, the last set value will be used.

Example:
curl --socks5-gssapi-service sockd --socks5 hostname:4096 https://example.com

See also --socks5.

--socks5-gssapi
Tells curl to use GSS-API authentication when connecting to a SOCKS5 proxy. The GSS-API authentication is enabled by default (if curl is compiled with GSS-API support). Use --socks5-basic
to force username/password authentication to SOCKS5 proxies.

Providing --socks5-gssapi multiple times has no extra effect. Disable it again with --no-socks5-gssapi.

Example:
curl --socks5-gssapi --socks5 hostname:4096 https://example.com

See also --socks5. Added in 7.55.0.

--socks5-hostname <host[:port]>
Use the specified SOCKS5 proxy (and let the proxy resolve the host name). If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5h://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 hostname proxy with -x, --proxy using a socks5h:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

If --socks5-hostname is provided several times, the last set value will be used.

Example:
curl --socks5-hostname proxy.example:7000 https://example.com

See also --socks5 and --socks4a.

--socks5 <host[:port]>
Use the specified SOCKS5 proxy - but resolve the host name locally. If the port number is not specified, it is assumed at port 1080.

To specify proxy on a unix domain socket, use localhost for host, e.g. socks5://localhost/path/to/socket.sock

This option overrides any previous use of -x, --proxy, as they are mutually exclusive.

This option is superfluous since you can specify a socks5 proxy with -x, --proxy using a socks5:// protocol prefix.

Since 7.52.0, --preproxy can be used to specify a SOCKS proxy at the same time -x, --proxy is used with an HTTP/HTTPS proxy. In such a case curl first connects to the SOCKS proxy and then
connects (through SOCKS) to the HTTP or HTTPS proxy.

This option (as well as --socks4) does not work with IPV6, FTPS or LDAP.

If --socks5 is provided several times, the last set value will be used.

Example:
curl --socks5 proxy.example:7000 https://example.com

See also --socks5-hostname and --socks4a.

-Y, --speed-limit <speed>
If a transfer is slower than this given speed (in bytes per second) for speed-time seconds it gets aborted. speed-time is set with -y, --speed-time and is 30 if not set.

If -Y, --speed-limit is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -y, --speed-time, --limit-rate and -m, --max-time.

-y, --speed-time <seconds>
If a transfer runs slower than speed-limit bytes per second during a speed-time period, the transfer is aborted. If speed-time is used, the default speed-limit will be 1 unless set with -Y,
--speed-limit.

This option controls transfers (in both directions) but will not affect slow connects etc. If this is a concern for you, try the --connect-timeout option.

If -y, --speed-time is provided several times, the last set value will be used.

Example:
curl --speed-limit 300 --speed-time 10 https://example.com

See also -Y, --speed-limit and --limit-rate.

--ssl-allow-beast
This option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols known as BEAST. If this option is not used, the SSL layer may use workarounds known to cause inter‐
operability problems with some older SSL implementations.

WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-allow-beast multiple times has no extra effect. Disable it again with --no-ssl-allow-beast.

Example:
curl --ssl-allow-beast https://example.com

See also --proxy-ssl-allow-beast and -k, --insecure.

--ssl-auto-client-cert
Tell libcurl to automatically locate and use a client certificate for authentication, when requested by the server. This option is only supported for Schannel (the native Windows SSL li‐
brary). Prior to 7.77.0 this was the default behavior in libcurl with Schannel. Since the server can request any certificate that supports client authentication in the OS certificate store it
could be a privacy violation and unexpected.

Providing --ssl-auto-client-cert multiple times has no extra effect. Disable it again with --no-ssl-auto-client-cert.

Example:
curl --ssl-auto-client-cert https://example.com

See also --proxy-ssl-auto-client-cert. Added in 7.77.0.

--ssl-no-revoke
(Schannel) This option tells curl to disable certificate revocation checks. WARNING: this option loosens the SSL security, and by using this flag you ask for exactly that.

Providing --ssl-no-revoke multiple times has no extra effect. Disable it again with --no-ssl-no-revoke.

Example:
curl --ssl-no-revoke https://example.com

See also --crlfile. Added in 7.44.0.

--ssl-reqd
(FTP IMAP POP3 SMTP LDAP) Require SSL/TLS for the connection. Terminates the connection if the transfer cannot be upgraded to use SSL/TLS.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and rejected by the generic ldap backend if explicit TLS is required.

This option is unnecessary if you use a URL scheme that in itself implies immediate and implicit use of TLS, like for FTPS, IMAPS, POP3S, SMTPS and LDAPS. Such transfers will always fail if
the TLS handshake does not work.

This option was formerly known as --ftp-ssl-reqd.

Providing --ssl-reqd multiple times has no extra effect. Disable it again with --no-ssl-reqd.

Example:
curl --ssl-reqd ftp://example.com

See also --ssl and -k, --insecure.

--ssl-revoke-best-effort
(Schannel) This option tells curl to ignore certificate revocation checks when they failed due to missing/offline distribution points for the revocation check lists.

Providing --ssl-revoke-best-effort multiple times has no extra effect. Disable it again with --no-ssl-revoke-best-effort.

Example:
curl --ssl-revoke-best-effort https://example.com

See also --crlfile and -k, --insecure. Added in 7.70.0.

--ssl (FTP IMAP POP3 SMTP LDAP) Warning: this is considered an insecure option. Consider using --ssl-reqd instead to be sure curl upgrades to a secure connection.

Try to use SSL/TLS for the connection. Reverts to a non-secure connection if the server does not support SSL/TLS. See also --ftp-ssl-control and --ssl-reqd for different levels of encryption
required.

This option is handled in LDAP since version 7.81.0. It is fully supported by the OpenLDAP backend and ignored by the generic ldap backend.

Please note that a server may close the connection if the negotiation does not succeed.

This option was formerly known as --ftp-ssl. That option name can still be used but will be removed in a future version.

Providing --ssl multiple times has no extra effect. Disable it again with --no-ssl.

Example:
curl --ssl pop3://example.com/

See also --ssl-reqd, -k, --insecure and --ciphers.

-2, --sslv2
(SSL) This option previously asked curl to use SSLv2, but starting in curl 7.77.0 this instruction is ignored. SSLv2 is widely considered insecure (see RFC 6176).

Providing -2, --sslv2 multiple times has no extra effect.

Example:
curl --sslv2 https://example.com

See also --http1.1 and --http2. -2, --sslv2 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -3, --sslv3 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

-3, --sslv3
(SSL) This option previously asked curl to use SSLv3, but starting in curl 7.77.0 this instruction is ignored. SSLv3 is widely considered insecure (see RFC 7568).

Providing -3, --sslv3 multiple times has no extra effect.

Example:
curl --sslv3 https://example.com

See also --http1.1 and --http2. -3, --sslv3 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to -2, --sslv2 and -1, --tlsv1 and --tlsv1.1 and
--tlsv1.2.

--stderr <file>
Redirect all writes to stderr to the specified file instead. If the file name is a plain '-', it is instead written to stdout.

This option is global and does not need to be specified for each use of -:, --next.

If --stderr is provided several times, the last set value will be used.

Example:
curl --stderr output.txt https://example.com

See also -v, --verbose and -s, --silent.

--styled-output
Enables the automatic use of bold font styles when writing HTTP headers to the terminal. Use --no-styled-output to switch them off.

Styled output requires a terminal that supports bold fonts. This feature is not present on curl for Windows due to lack of this capability.

This option is global and does not need to be specified for each use of -:, --next.

Providing --styled-output multiple times has no extra effect. Disable it again with --no-styled-output.

Example:
curl --styled-output -I https://example.com

See also -I, --head and -v, --verbose. Added in 7.61.0.

--suppress-connect-headers
When -p, --proxytunnel is used and a CONNECT request is made do not output proxy CONNECT response headers. This option is meant to be used with -D, --dump-header or -i, --include which are
used to show protocol headers in the output. It has no effect on debug options such as -v, --verbose or --trace, or any statistics.

Providing --suppress-connect-headers multiple times has no extra effect. Disable it again with --no-suppress-connect-headers.

Example:
curl --suppress-connect-headers --include -x proxy https://example.com

See also -D, --dump-header, -i, --include and -p, --proxytunnel. Added in 7.54.0.

--tcp-fastopen
Enable use of TCP Fast Open (RFC7413).

Providing --tcp-fastopen multiple times has no extra effect. Disable it again with --no-tcp-fastopen.

Example:
curl --tcp-fastopen https://example.com

See also --false-start. Added in 7.49.0.

--tcp-nodelay
Turn on the TCP_NODELAY option. See the curl_easy_setopt(3) man page for details about this option.

Since 7.50.2, curl sets this option by default and you need to explicitly switch it off if you do not want it on.

Providing --tcp-nodelay multiple times has no extra effect. Disable it again with --no-tcp-nodelay.

Example:
curl --tcp-nodelay https://example.com

See also -N, --no-buffer.

-t, --telnet-option <opt=val>
Pass options to the telnet protocol. Supported options are:

TTYPE=<term> Sets the terminal type.

XDISPLOC=<X display> Sets the X display location.

NEW_ENV=<var,val> Sets an environment variable.

-t, --telnet-option can be used several times in a command line

Example:
curl -t TTYPE=vt100 telnet://example.com/

See also -K, --config.

--tftp-blksize <value>
(TFTP) Set TFTP BLKSIZE option (must be >512). This is the block size that curl will try to use when transferring data to or from a TFTP server. By default 512 bytes will be used.

If --tftp-blksize is provided several times, the last set value will be used.

Example:
curl --tftp-blksize 1024 tftp://example.com/file

See also --tftp-no-options.

--tftp-no-options
(TFTP) Tells curl not to send TFTP options requests.

This option improves interop with some legacy servers that do not acknowledge or properly implement TFTP options. When this option is used --tftp-blksize is ignored.

Providing --tftp-no-options multiple times has no extra effect. Disable it again with --no-tftp-no-options.

Example:
curl --tftp-no-options tftp://192.168.0.1/

See also --tftp-blksize. Added in 7.48.0.

-z, --time-cond <time>
(HTTP FTP) Request a file that has been modified later than the given time and date, or one that has been modified before that time. The <date expression> can be all sorts of date strings or
if it does not match any internal ones, it is taken as a filename and tries to get the modification date (mtime) from <file> instead. See the curl_getdate(3) man pages for date expression de‐
tails.

Start the date expression with a dash (-) to make it request for a document that is older than the given date/time, default is a document that is newer than the specified date/time.

If -z, --time-cond is provided several times, the last set value will be used.

Examples:
curl -z "Wed 01 Sep 2021 12:18:00" https://example.com
curl -z "-Wed 01 Sep 2021 12:18:00" https://example.com
curl -z file https://example.com

See also --etag-compare and -R, --remote-time.

--tls-max <VERSION>
(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

default
Use up to recommended TLS version.

1.0 Use up to TLSv1.0.

1.1 Use up to TLSv1.1.

1.2 Use up to TLSv1.2.

1.3 Use up to TLSv1.3.

If --tls-max is provided several times, the last set value will be used.

Examples:
curl --tls-max 1.2 https://example.com
curl --tls-max 1.3 --tlsv1.2 https://example.com

See also --tlsv1.0, --tlsv1.1, --tlsv1.2 and --tlsv1.3. --tls-max requires that the underlying libcurl was built to support TLS. Added in 7.54.0.

--tls13-ciphers <ciphersuite list>
(TLS) Specifies which cipher suites to use in the connection if it negotiates TLS 1.3. The list of ciphers suites must specify valid ciphers. Read up on TLS 1.3 cipher suite details on this
URL:

https://curl.se/docs/ssl-ciphers.html

This option is currently used only when curl is built to use OpenSSL 1.1.1 or later. If you are using a different SSL backend you can try setting TLS 1.3 cipher suites by using the --ciphers
option.

If --tls13-ciphers is provided several times, the last set value will be used.

Example:
curl --tls13-ciphers TLS_AES_128_GCM_SHA256 https://example.com

See also --ciphers and --curves. Added in 7.61.0.

--tlsauthtype <type>
Set TLS authentication type. Currently, the only supported option is "SRP", for TLS-SRP (RFC 5054). If --tlsuser and --tlspassword are specified but --tlsauthtype is not, then this option de‐
faults to "SRP". This option works only if the underlying libcurl is built with TLS-SRP support, which requires OpenSSL or GnuTLS with TLS-SRP support.

If --tlsauthtype is provided several times, the last set value will be used.

Example:
curl --tlsauthtype SRP https://example.com

See also --tlsuser.

--tlspassword <string>
Set password for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlsuser also be set.

This option does not work with TLS 1.3.

If --tlspassword is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlsuser.

--tlsuser <name>
Set username for use with the TLS authentication method specified with --tlsauthtype. Requires that --tlspassword also is set.

This option does not work with TLS 1.3.

If --tlsuser is provided several times, the last set value will be used.

Example:
curl --tlspassword pwd --tlsuser user https://example.com

See also --tlspassword.

--tlsv1.0
(TLS) Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.0. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.0 multiple times has no extra effect.

Example:
curl --tlsv1.0 https://example.com

See also --tlsv1.3. Added in 7.34.0.

--tlsv1.1
(TLS) Forces curl to use TLS version 1.1 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.1. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.1 multiple times has no extra effect.

Example:
curl --tlsv1.1 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.2
(TLS) Forces curl to use TLS version 1.2 or later when connecting to a remote TLS server.

In old versions of curl this option was documented to allow _only_ TLS 1.2. That behavior was inconsistent depending on the TLS library. Use --tls-max if you want to set a maximum TLS ver‐
sion.

Providing --tlsv1.2 multiple times has no extra effect.

Example:
curl --tlsv1.2 https://example.com

See also --tlsv1.3 and --tls-max. Added in 7.34.0.

--tlsv1.3
(TLS) Forces curl to use TLS version 1.3 or later when connecting to a remote TLS server.

If the connection is done without TLS, this option has no effect. This includes QUIC-using (HTTP/3) transfers.

Note that TLS 1.3 is not supported by all TLS backends.

Providing --tlsv1.3 multiple times has no extra effect.

Example:
curl --tlsv1.3 https://example.com

See also --tlsv1.2 and --tls-max. Added in 7.52.0.

-1, --tlsv1
(SSL) Tells curl to use at least TLS version 1.x when negotiating with a remote TLS server. That means TLS version 1.0 or higher

Providing -1, --tlsv1 multiple times has no extra effect.

Example:
curl --tlsv1 https://example.com

See also --http1.1 and --http2. -1, --tlsv1 requires that the underlying libcurl was built to support TLS. This option is mutually exclusive to --tlsv1.1 and --tlsv1.2 and --tlsv1.3.

--tr-encoding
(HTTP) Request a compressed Transfer-Encoding response using one of the algorithms curl supports, and uncompress the data while receiving it.

Providing --tr-encoding multiple times has no extra effect. Disable it again with --no-tr-encoding.

Example:
curl --tr-encoding https://example.com

See also --compressed.

--trace-ascii <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout.

This is similar to --trace, but leaves out the hex part and only shows the ASCII part of the dump. It makes smaller output that might be easier to read for untrained humans.

This option is global and does not need to be specified for each use of -:, --next.

If --trace-ascii is provided several times, the last set value will be used.

Example:
curl --trace-ascii log.txt https://example.com

See also -v, --verbose and --trace. This option is mutually exclusive to --trace and -v, --verbose.

--trace-time
Prepends a time stamp to each trace or verbose line that curl displays.

This option is global and does not need to be specified for each use of -:, --next.

Providing --trace-time multiple times has no extra effect. Disable it again with --no-trace-time.

Example:
curl --trace-time --trace-ascii output https://example.com

See also --trace and -v, --verbose.

--trace <file>
Enables a full trace dump of all incoming and outgoing data, including descriptive information, to the given output file. Use "-" as filename to have the output sent to stdout. Use "%" as
filename to have the output sent to stderr.

This option is global and does not need to be specified for each use of -:, --next.

If --trace is provided several times, the last set value will be used.

Example:
curl --trace log.txt https://example.com

See also --trace-ascii and --trace-time. This option is mutually exclusive to -v, --verbose and --trace-ascii.

--unix-socket <path>
(HTTP) Connect through this Unix domain socket, instead of using the network.

If --unix-socket is provided several times, the last set value will be used.

Example:
curl --unix-socket socket-path https://example.com

See also --abstract-unix-socket. Added in 7.40.0.

-T, --upload-file <file>
This transfers the specified local file to the remote URL. If there is no file part in the specified URL, curl will append the local file name. NOTE that you must use a trailing / on the last
directory to really prove to Curl that there is no file name or curl will think that your last directory name is the remote file name to use. That will most likely cause the upload operation
to fail. If this is used on an HTTP(S) server, the PUT command will be used.

Use the file name "-" (a single dash) to use stdin instead of a given file. Alternately, the file name "." (a single period) may be specified instead of "-" to use stdin in non-blocking mode
to allow reading server output while stdin is being uploaded.

You can specify one -T, --upload-file for each URL on the command line. Each -T, --upload-file + URL pair specifies what to upload and to where. curl also supports "globbing" of the -T, --up‐
load-file argument, meaning that you can upload multiple files to a single URL by using the same URL globbing style supported in the URL.

When uploading to an SMTP server: the uploaded data is assumed to be RFC 5322 formatted. It has to feature the necessary set of headers and mail body formatted correctly by the user as curl
will not transcode nor encode it further in any way.

-T, --upload-file can be used several times in a command line

Examples:
curl -T file https://example.com
curl -T "img[1-1000].png" ftp://ftp.example.com/
curl --upload-file "{file1,file2}" https://example.com

See also -G, --get and -I, --head.

--url-query <data>
(all) This option adds a piece of data, usually a name + value pair, to the end of the URL query part. The syntax is identical to that used for --data-urlencode with one extension:

If the argument starts with a '+' (plus), the rest of the string is provided as-is unencoded.

The query part of a URL is the one following the question mark on the right end.

--url-query can be used several times in a command line

Examples:
curl --url-query name=val https://example.com
curl --url-query =encodethis http://example.net/foo
curl --url-query name@file https://example.com
curl --url-query @fileonly https://example.com
curl --url-query "+name=%20foo" https://example.com

See also --data-urlencode and -G, --get. Added in 7.87.0.

--url <url>
Specify a URL to fetch. This option is mostly handy when you want to specify URL(s) in a config file.

If the given URL is missing a scheme name (such as "http://" or "ftp://" etc) then curl will make a guess based on the host. If the outermost sub-domain name matches DICT, FTP, IMAP, LDAP,
POP3 or SMTP then that protocol will be used, otherwise HTTP will be used. Since 7.45.0 guessing can be disabled by setting a default protocol, see --proto-default for details.

To control where this URL is written, use the -o, --output or the -O, --remote-name options.

WARNING: On Windows, particular file:// accesses can be converted to network accesses by the operating system. Beware!

--url can be used several times in a command line

Example:
curl --url https://example.com

See also -:, --next and -K, --config.

-B, --use-ascii
(FTP LDAP) Enable ASCII transfer. For FTP, this can also be enforced by using a URL that ends with ";type=A". This option causes data sent to stdout to be in text mode for win32 systems.

Providing -B, --use-ascii multiple times has no extra effect. Disable it again with --no-use-ascii.

Example:
curl -B ftp://example.com/README

See also --crlf and --data-ascii.

-A, --user-agent <name>
(HTTP) Specify the User-Agent string to send to the HTTP server. To encode blanks in the string, surround the string with single quote marks. This header can also be set with the -H, --header
or the --proxy-header options.

If you give an empty argument to -A, --user-agent (""), it will remove the header completely from the request. If you prefer a blank header, you can set it to a single space (" ").

If -A, --user-agent is provided several times, the last set value will be used.

Example:
curl -A "Agent 007" https://example.com

See also -H, --header and --proxy-header.

-u, --user <user:password>
Specify the user name and password to use for server authentication. Overrides -n, --netrc and --netrc-optional.

If you simply specify the user name, curl will prompt for a password.

The user name and passwords are split up on the first colon, which makes it impossible to use a colon in the user name with this option. The password can, still.

On systems where it works, curl will hide the given option argument from process listings. This is not enough to protect credentials from possibly getting seen by other users on the same sys‐
tem as they will still be visible for a moment before cleared. Such sensitive data should be retrieved from a file instead or similar and never used in clear text in a command line.

When using Kerberos V5 with a Windows based server you should include the Windows domain name in the user name, in order for the server to successfully obtain a Kerberos Ticket. If you do
not, then the initial authentication handshake may fail.

When using NTLM, the user name can be specified simply as the user name, without the domain, if there is a single domain and forest in your setup for example.

To specify the domain name use either Down-Level Logon Name or UPN (User Principal Name) formats. For example, EXAMPLE\user and user@example.com respectively.

If you use a Windows SSPI-enabled curl binary and perform Kerberos V5, Negotiate, NTLM or Digest authentication then you can tell curl to select the user name and password from your environ‐
ment by specifying a single colon with this option: "-u :".

If -u, --user is provided several times, the last set value will be used.

Example:
curl -u user:secret https://example.com

See also -n, --netrc and -K, --config.

-v, --verbose
Makes curl verbose during the operation. Useful for debugging and seeing what's going on "under the hood". A line starting with '>' means "header data" sent by curl, '<' means "header data"
received by curl that is hidden in normal cases, and a line starting with '*' means additional info provided by curl.

If you only want HTTP headers in the output, -i, --include might be the option you are looking for.

If you think this option still does not give you enough details, consider using --trace or --trace-ascii instead.

This option is global and does not need to be specified for each use of -:, --next.

Use -s, --silent to make curl really quiet.

Providing -v, --verbose multiple times has no extra effect. Disable it again with --no-verbose.

Example:
curl --verbose https://example.com

See also -i, --include. This option is mutually exclusive to --trace and --trace-ascii.

-V, --version
Displays information about curl and the libcurl version it uses.

The first line includes the full version of curl, libcurl and other 3rd party libraries linked with the executable.

The second line (starts with "Protocols:") shows all protocols that libcurl reports to support.

The third line (starts with "Features:") shows specific features libcurl reports to offer. Available features include:

alt-svc
Support for the Alt-Svc: header is provided.

AsynchDNS
This curl uses asynchronous name resolves. Asynchronous name resolves can be done using either the c-ares or the threaded resolver backends.

brotli Support for automatic brotli compression over HTTP(S).

CharConv
curl was built with support for character set conversions (like EBCDIC)

Debug This curl uses a libcurl built with Debug. This enables more error-tracking and memory debugging etc. For curl-developers only!

gsasl The built-in SASL authentication includes extensions to support SCRAM because libcurl was built with libgsasl.

GSS-API
GSS-API is supported.

HSTS HSTS support is present.

HTTP2 HTTP/2 support has been built-in.

HTTP3 HTTP/3 support has been built-in.

HTTPS-proxy
This curl is built to support HTTPS proxy.

IDN This curl supports IDN - international domain names.

IPv6 You can use IPv6 with this.

Kerberos
Kerberos V5 authentication is supported.

Largefile
This curl supports transfers of large files, files larger than 2GB.

libz Automatic decompression (via gzip, deflate) of compressed files over HTTP is supported.

MultiSSL
This curl supports multiple TLS backends.

NTLM NTLM authentication is supported.

NTLM_WB
NTLM delegation to winbind helper is supported.

PSL PSL is short for Public Suffix List and means that this curl has been built with knowledge about "public suffixes".

SPNEGO SPNEGO authentication is supported.

SSL SSL versions of various protocols are supported, such as HTTPS, FTPS, POP3S and so on.

SSPI SSPI is supported.

TLS-SRP
SRP (Secure Remote Password) authentication is supported for TLS.

TrackMemory
Debug memory tracking is supported.

Unicode
Unicode support on Windows.

UnixSockets
Unix sockets support is provided.

zstd Automatic decompression (via zstd) of compressed files over HTTP is supported.

Example:
curl --version

See also -h, --help and -M, --manual.

-w, --write-out <format>
Make curl display information on stdout after a completed transfer. The format is a string that may contain plain text mixed with any number of variables. The format can be specified as a
literal "string", or you can have curl read the format from a file with "@filename" and to tell curl to read the format from stdin you write "@-".

The variables present in the output format will be substituted by the value or text that curl thinks fit, as described below. All variables are specified as %{variable_name} and to output a
normal % you just write them as %%. You can output a newline by using \n, a carriage return with \r and a tab space with \t.

The output will be written to standard output, but this can be switched to standard error by using %{stderr}.

Output HTTP headers from the most recent request by using %header{name} where name is the case insensitive name of the header (without the trailing colon). The header contents are exactly as
sent over the network, with leading and trailing whitespace trimmed. Added in curl 7.84.0.

NOTE: In Windows the %-symbol is a special symbol used to expand environment variables. In batch files all occurrences of % must be doubled when using this option to properly escape. If this
option is used at the command prompt then the % cannot be escaped and unintended expansion is possible.

The variables available are:

certs Output the certificate chain with details. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

content_type The Content-Type of the requested document, if there was any.

errormsg The error message. (Added in 7.75.0)

exitcode The numerical exitcode of the transfer. (Added in 7.75.0)

filename_effective
The ultimate filename that curl writes out to. This is only meaningful if curl is told to write to a file with the -O, --remote-name or -o, --output option. It's most useful in
combination with the -J, --remote-header-name option.

ftp_entry_path The initial path curl ended up in when logging on to the remote FTP server.

header_json A JSON object with all HTTP response headers from the recent transfer. Values are provided as arrays, since in the case of multiple headers there can be multiple values. (Added
in 7.83.0)

The header names provided in lowercase, listed in order of appearance over the wire. Except for duplicated headers. They are grouped on the first occurrence of that header,
each value is presented in the JSON array.

http_code The numerical response code that was found in the last retrieved HTTP(S) or FTP(s) transfer.

http_connect The numerical code that was found in the last response (from a proxy) to a curl CONNECT request.

http_version The http version that was effectively used. (Added in 7.50.0)

json A JSON object with all available keys.

local_ip The IP address of the local end of the most recently done connection - can be either IPv4 or IPv6.

local_port The local port number of the most recently done connection.

method The http method used in the most recent HTTP request. (Added in 7.72.0)

num_certs Number of server certificates received in the TLS handshake. Supported only by the OpenSSL, GnuTLS, Schannel, NSS, GSKit and Secure Transport backends (Added in 7.88.0)

num_connects Number of new connects made in the recent transfer.

num_headers The number of response headers in the most recent request (restarted at each redirect). Note that the status line IS NOT a header. (Added in 7.73.0)

num_redirects Number of redirects that were followed in the request.

onerror The rest of the output is only shown if the transfer returned a non-zero error (Added in 7.75.0)

proxy_ssl_verify_result
The result of the HTTPS proxy's SSL peer certificate verification that was requested. 0 means the verification was successful. (Added in 7.52.0)

redirect_url When an HTTP request was made without -L, --location to follow redirects (or when --max-redirs is met), this variable will show the actual URL a redirect would have gone to.

referer The Referer: header, if there was any. (Added in 7.76.0)

remote_ip The remote IP address of the most recently done connection - can be either IPv4 or IPv6.

remote_port The remote port number of the most recently done connection.

response_code The numerical response code that was found in the last transfer (formerly known as "http_code").

scheme The URL scheme (sometimes called protocol) that was effectively used. (Added in 7.52.0)

size_download The total amount of bytes that were downloaded. This is the size of the body/data that was transferred, excluding headers.

size_header The total amount of bytes of the downloaded headers.

size_request The total amount of bytes that were sent in the HTTP request.

size_upload The total amount of bytes that were uploaded. This is the size of the body/data that was transferred, excluding headers.

speed_download The average download speed that curl measured for the complete download. Bytes per second.

speed_upload The average upload speed that curl measured for the complete upload. Bytes per second.

ssl_verify_result
The result of the SSL peer certificate verification that was requested. 0 means the verification was successful.

stderr From this point on, the -w, --write-out output will be written to standard error. (Added in 7.63.0)

stdout From this point on, the -w, --write-out output will be written to standard output. This is the default, but can be used to switch back after switching to stderr. (Added in
7.63.0)

time_appconnect
The time, in seconds, it took from the start until the SSL/SSH/etc connect/handshake to the remote host was completed.

time_connect The time, in seconds, it took from the start until the TCP connect to the remote host (or proxy) was completed.

time_namelookup
The time, in seconds, it took from the start until the name resolving was completed.

time_pretransfer
The time, in seconds, it took from the start until the file transfer was just about to begin. This includes all pre-transfer commands and negotiations that are specific to the
particular protocol(s) involved.

time_redirect The time, in seconds, it took for all redirection steps including name lookup, connect, pretransfer and transfer before the final transaction was started. time_redirect shows
the complete execution time for multiple redirections.

time_starttransfer
The time, in seconds, it took from the start until the first byte was just about to be transferred. This includes time_pretransfer and also the time the server needed to calcu‐
late the result.

time_total The total time, in seconds, that the full operation lasted.

url The URL that was fetched. (Added in 7.75.0)

urlnum The URL index number of this transfer, 0-indexed. De-globbed URLs share the same index number as the origin globbed URL. (Added in 7.75.0)

url_effective The URL that was fetched last. This is most meaningful if you have told curl to follow location: headers.

If -w, --write-out is provided several times, the last set value will be used.

Example:
curl -w '%{http_code}\n' https://example.com

See also -v, --verbose and -I, --head.

--xattr
When saving output to a file, this option tells curl to store certain file metadata in extended file attributes. Currently, the URL is stored in the xdg.origin.url attribute and, for HTTP,
the content type is stored in the mime_type attribute. If the file system does not support extended attributes, a warning is issued.

Providing --xattr multiple times has no extra effect. Disable it again with --no-xattr.

Example:
curl --xattr -o storage https://example.com

See also -R, --remote-time, -w, --write-out and -v, --verbose.

FILES
~/.curlrc
Default config file, see -K, --config for details.

ENVIRONMENT
The environment variables can be specified in lower case or upper case. The lower case version has precedence. http_proxy is an exception as it is only available in lower case.

Using an environment variable to set the proxy has the same effect as using the -x, --proxy option.

http_proxy [protocol://]<host>[:port]
Sets the proxy server to use for HTTP.

HTTPS_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for HTTPS.

[url-protocol]_PROXY [protocol://]<host>[:port]
Sets the proxy server to use for [url-protocol], where the protocol is a protocol that curl supports and as specified in a URL. FTP, FTPS, POP3, IMAP, SMTP, LDAP, etc.

ALL_PROXY [protocol://]<host>[:port]
Sets the proxy server to use if no protocol-specific proxy is set.

NO_PROXY <comma-separated list of hosts/domains>
list of host names that should not go through any proxy. If set to an asterisk '*' only, it matches all hosts. Each name in this list is matched as either a domain name which contains the
hostname, or the hostname itself.

This environment variable disables use of the proxy even when specified with the -x, --proxy option. That is NO_PROXY=direct.example.com curl -x http://proxy.example.com http://direct.exam‐
ple.com accesses the target URL directly, and NO_PROXY=direct.example.com curl -x http://proxy.example.com http://somewhere.example.com accesses the target URL through the proxy.

The list of host names can also be include numerical IP addresses, and IPv6 versions should then be given without enclosing brackets.

Since 7.86.0, IP addresses can be specified using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the comparison. For example
"192.168.0.0/16" would match all addresses starting with "192.168".

APPDATA <dir>
On Windows, this variable is used when trying to find the home directory. If the primary home variable are all unset.

COLUMNS <terminal width>
If set, the specified number of characters will be used as the terminal width when the alternative progress-bar is shown. If not set, curl will try to figure it out using other ways.

CURL_CA_BUNDLE <file>
If set, will be used as the --cacert value.

CURL_HOME <dir>
If set, is the first variable curl checks when trying to find its home directory. If not set, it continues to check XDG_CONFIG_HOME

CURL_SSL_BACKEND <TLS backend>
If curl was built with support for "MultiSSL", meaning that it has built-in support for more than one TLS backend, this environment variable can be set to the case insensitive name of the
particular backend to use when curl is invoked. Setting a name that is not a built-in alternative will make curl stay with the default.

SSL backend names (case-insensitive): bearssl, gnutls, gskit, mbedtls, nss, openssl, rustls, schannel, secure-transport, wolfssl

HOME <dir>
If set, this is used to find the home directory when that is needed. Like when looking for the default .curlrc. CURL_HOME and XDG_CONFIG_HOME have preference.

QLOGDIR <directory name>
If curl was built with HTTP/3 support, setting this environment variable to a local directory will make curl produce qlogs in that directory, using file names named after the destination con‐
nection id (in hex). Do note that these files can become rather large. Works with both QUIC backends.

SHELL Used on VMS when trying to detect if using a DCL or a "unix" shell.

SSL_CERT_DIR <dir>
If set, will be used as the --capath value.

SSL_CERT_FILE <path>
If set, will be used as the --cacert value.

SSLKEYLOGFILE <file name>
If you set this environment variable to a file name, curl will store TLS secrets from its connections in that file when invoked to enable you to analyze the TLS traffic in real time using
network analyzing tools such as Wireshark. This works with the following TLS backends: OpenSSL, libressl, BoringSSL, GnuTLS, NSS and wolfSSL.

USERPROFILE <dir>
On Windows, this variable is used when trying to find the home directory. If the other, primary, variable are all unset. If set, curl will use the path "$USERPROFILE\Application Data".

XDG_CONFIG_HOME <dir>
If CURL_HOME is not set, this variable is checked when looking for a default .curlrc file.

PROXY PROTOCOL PREFIXES
The proxy string may be specified with a protocol:// prefix to specify alternative proxy protocols.

If no protocol is specified in the proxy string or if the string does not match a supported one, the proxy will be treated as an HTTP proxy.

The supported proxy protocol prefixes are as follows:

http://
Makes it use it as an HTTP proxy. The default if no scheme prefix is used.

https://
Makes it treated as an HTTPS proxy.

socks4://
Makes it the equivalent of --socks4

socks4a://
Makes it the equivalent of --socks4a

socks5://
Makes it the equivalent of --socks5

socks5h://
Makes it the equivalent of --socks5-hostname

EXIT CODES
There are a bunch of different error codes and their corresponding error messages that may appear under error conditions. At the time of this writing, the exit codes are:

0 Success. The operation completed successfully according to the instructions.

1 Unsupported protocol. This build of curl has no support for this protocol.

2 Failed to initialize.

3 URL malformed. The syntax was not correct.

4 A feature or option that was needed to perform the desired request was not enabled or was explicitly disabled at build-time. To make curl able to do this, you probably need another build of
libcurl.

5 Could not resolve proxy. The given proxy host could not be resolved.

6 Could not resolve host. The given remote host could not be resolved.

7 Failed to connect to host.

8 Weird server reply. The server sent data curl could not parse.

9 FTP access denied. The server denied login or denied access to the particular resource or directory you wanted to reach. Most often you tried to change to a directory that does not exist on
the server.

10 FTP accept failed. While waiting for the server to connect back when an active FTP session is used, an error code was sent over the control connection or similar.

11 FTP weird PASS reply. Curl could not parse the reply sent to the PASS request.

12 During an active FTP session while waiting for the server to connect back to curl, the timeout expired.

13 FTP weird PASV reply, Curl could not parse the reply sent to the PASV request.

14 FTP weird 227 format. Curl could not parse the 227-line the server sent.

15 FTP cannot use host. Could not resolve the host IP we got in the 227-line.

16 HTTP/2 error. A problem was detected in the HTTP2 framing layer. This is somewhat generic and can be one out of several problems, see the error message for details.

17 FTP could not set binary. Could not change transfer method to binary.

18 Partial file. Only a part of the file was transferred.

19 FTP could not download/access the given file, the RETR (or similar) command failed.

21 FTP quote error. A quote command returned error from the server.

22 HTTP page not retrieved. The requested URL was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.

23 Write error. Curl could not write data to a local filesystem or similar.

25 FTP could not STOR file. The server denied the STOR operation, used for FTP uploading.

26 Read error. Various reading problems.

27 Out of memory. A memory allocation request failed.

28 Operation timeout. The specified time-out period was reached according to the conditions.

30 FTP PORT failed. The PORT command failed. Not all FTP servers support the PORT command, try doing a transfer using PASV instead!

31 FTP could not use REST. The REST command failed. This command is used for resumed FTP transfers.

33 HTTP range error. The range "command" did not work.

34 HTTP post error. Internal post-request generation error.

35 SSL connect error. The SSL handshaking failed.

36 Bad download resume. Could not continue an earlier aborted download.

37 FILE could not read file. Failed to open the file. Permissions?

38 LDAP cannot bind. LDAP bind operation failed.

39 LDAP search failed.

41 Function not found. A required LDAP function was not found.

42 Aborted by callback. An application told curl to abort the operation.

43 Internal error. A function was called with a bad parameter.

45 Interface error. A specified outgoing interface could not be used.

47 Too many redirects. When following redirects, curl hit the maximum amount.

48 Unknown option specified to libcurl. This indicates that you passed a weird option to curl that was passed on to libcurl and rejected. Read up in the manual!

49 Malformed telnet option.

52 The server did not reply anything, which here is considered an error.

53 SSL crypto engine not found.

54 Cannot set SSL crypto engine as default.

55 Failed sending network data.

56 Failure in receiving network data.

58 Problem with the local certificate.

59 Could not use specified SSL cipher.

60 Peer certificate cannot be authenticated with known CA certificates.

61 Unrecognized transfer encoding.

63 Maximum file size exceeded.

64 Requested FTP SSL level failed.

65 Sending the data requires a rewind that failed.

66 Failed to initialise SSL Engine.

67 The user name, password, or similar was not accepted and curl failed to log in.

68 File not found on TFTP server.

69 Permission problem on TFTP server.

70 Out of disk space on TFTP server.

71 Illegal TFTP operation.

72 Unknown TFTP transfer ID.

73 File already exists (TFTP).

74 No such user (TFTP).

77 Problem reading the SSL CA cert (path? access rights?).

78 The resource referenced in the URL does not exist.

79 An unspecified error occurred during the SSH session.

80 Failed to shut down the SSL connection.

82 Could not load CRL file, missing or wrong format.

83 Issuer check failed.

84 The FTP PRET command failed.

85 Mismatch of RTSP CSeq numbers.

86 Mismatch of RTSP Session Identifiers.

87 Unable to parse FTP file list.

88 FTP chunk callback reported error.

89 No connection available, the session will be queued.

90 SSL public key does not matched pinned public key.

91 Invalid SSL certificate status.

92 Stream error in HTTP/2 framing layer.

93 An API function was called from inside a callback.

94 An authentication function returned an error.

95 A problem was detected in the HTTP/3 layer. This is somewhat generic and can be one out of several problems, see the error message for details.

96 QUIC connection error. This error may be caused by an SSL library error. QUIC is the protocol used for HTTP/3 transfers.

XX More error codes will appear here in future releases. The existing ones are meant to never change.

BUGS
If you experience any problems with curl, submit an issue in the project's bug tracker on GitHub: https://github.com/curl/curl/issues

AUTHORS / CONTRIBUTORS
Daniel Stenberg is the main author, but the whole list of contributors is found in the separate THANKS file.

WWW
https://curl.se

SEE ALSO
ftp(1), wget(1)

curl 7.88.1 February 19 2023 curl(1)
</nowiki>

HOSTNAME - Manpage

2026-02-25T12:38:24Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Example ==

Get the FQDN of one machine :
<nowiki>
hostname -f</nowiki>

== hostname Manpage ==

<nowiki>
HOSTNAME(1) Linux Programmer's Manual HOSTNAME(1)

NAME
hostname - show or set the system's host name
domainname - show or set the system's NIS/YP domain name
ypdomainname - show or set the system's NIS/YP domain name
nisdomainname - show or set the system's NIS/YP domain name
dnsdomainname - show the system's DNS domain name

SYNOPSIS
hostname [-a|--alias] [-d|--domain] [-f|--fqdn|--long] [-A|--all-fqdns] [-i|--ip-address] [-I|--all-ip-addresses] [-s|--short] [-y|--yp|--nis]
hostname [-b|--boot] [-F|--file filename] [hostname]
hostname [-h|--help] [-V|--version]

domainname [nisdomain] [-F file]
ypdomainname [nisdomain] [-F file]
nisdomainname [nisdomain] [-F file]

dnsdomainname

DESCRIPTION
Hostname is used to display the system's DNS name, and to display or set its hostname or NIS domain name.

GET NAME
When called without any arguments, the program displays the current names:

hostname will print the name of the system as returned by the gethostname(2) function.

domainname will print the NIS domainname of the system. domainname uses the gethostname(2) function, while ypdomainname and nisdomainname use the getdomainname(2).

dnsdomainname will print the domain part of the FQDN (Fully Qualified Domain Name). The complete FQDN of the system is returned with hostname --fqdn (but see the warnings in section THE FQDN below).

SET NAME
When called with one argument or with the --file option, the commands set the host name or the NIS/YP domain name. hostname uses the sethostname(2) function, while all of the three domainname, yp‐
domainname and nisdomainname use setdomainname(2). Note, that this is effective only until the next reboot. Edit /etc/hostname for permanent change.

Note, that only the super-user can change the names.

It is not possible to set the FQDN or the DNS domain name with the dnsdomainname command (see THE FQDN below).

The host name is usually set once at system startup in /etc/init.d/hostname.sh (normally by reading the contents of a file which contains the host name, e.g. /etc/hostname).

THE FQDN
The FQDN (Fully Qualified Domain Name) of the system is the name that the resolver(3) returns for the host name, such as, ursula.example.com. It is usually the hostname followed by the DNS domain
name (the part after the first dot). You can check the FQDN using hostname --fqdn or the domain name using dnsdomainname.

You cannot change the FQDN with hostname or dnsdomainname.

The recommended method of setting the FQDN is to make the hostname be an alias for the fully qualified name using /etc/hosts, DNS, or NIS. For example, if the hostname was "ursula", one might have a
line in /etc/hosts which reads

127.0.1.1 ursula.example.com ursula

Technically: The FQDN is the name getaddrinfo(3) returns for the host name returned by gethostname(2). The DNS domain name is the part after the first dot.

Therefore it depends on the configuration of the resolver (usually in /etc/host.conf) how you can change it. Usually the hosts file is parsed before DNS or NIS, so it is most common to change the
FQDN in /etc/hosts.

If a machine has multiple network interfaces/addresses or is used in a mobile environment, then it may either have multiple FQDNs/domain names or none at all. Therefore avoid using hostname --fqdn,
hostname --domain and dnsdomainname. hostname --ip-address is subject to the same limitations so it should be avoided as well.

OPTIONS
-a, --alias
Display the alias name of the host (if used). This option is deprecated and should not be used anymore.

-A, --all-fqdns
Displays all FQDNs of the machine. This option enumerates all configured network addresses on all configured network interfaces, and translates them to DNS domain names. Addresses that cannot
be translated (i.e. because they do not have an appropriate reverse IP entry) are skipped. Note that different addresses may resolve to the same name, therefore the output may contain dupli‐
cate entries. Do not make any assumptions about the order of the output.

-b, --boot
Always set a hostname; this allows the file specified by -F to be non-existent or empty, in which case the default hostname localhost will be used if none is yet set.

-d, --domain
Display the name of the DNS domain. Don't use the command domainname to get the DNS domain name because it will show the NIS domain name and not the DNS domain name. Use dnsdomainname in‐
stead. See the warnings in section THE FQDN above, and avoid using this option.

-f, --fqdn, --long
Display the FQDN (Fully Qualified Domain Name). A FQDN consists of a short host name and the DNS domain name. Unless you are using bind or NIS for host lookups you can change the FQDN and the
DNS domain name (which is part of the FQDN) in the /etc/hosts file. See the warnings in section THE FQDN above und use hostname --all-fqdns instead wherever possible.

-F, --file filename
Read the host name from the specified file. Comments (lines starting with a `#') are ignored.

-i, --ip-address
Display the network address(es) of the host name. Note that this works only if the host name can be resolved. Avoid using this option; use hostname --all-ip-addresses instead.

-I, --all-ip-addresses
Display all network addresses of the host. This option enumerates all configured addresses on all network interfaces. The loopback interface and IPv6 link-local addresses are omitted. Con‐
trary to option -i, this option does not depend on name resolution. Do not make any assumptions about the order of the output.

-s, --short
Display the short host name. This is the host name cut at the first dot.

-V, --version
Print version information on standard output and exit successfully.

-y, --yp, --nis
Display the NIS domain name. If a parameter is given (or --file name ) then root can also set a new NIS domain.

-h, --help
Print a usage message and exit.

NOTES
The address families hostname tries when looking up the FQDN, aliases and network addresses of the host are determined by the configuration of your resolver. For instance, on GNU Libc systems, the
resolver can be instructed to try IPv6 lookups first by using the inet6 option in /etc/resolv.conf.

FILES
/etc/hostname Historically this file was supposed to only contain the hostname and not the full canonical FQDN. Nowadays most software is able to cope with a full FQDN here. This file is read at
boot time by the system initialization scripts to set the hostname.

/etc/hosts Usually, this is where one sets the domain name by aliasing the host name to the FQDN.

AUTHORS
Peter Tobias, <tobias@et-inf.fho-emden.de>
Bernd Eckenfels, <net-tools@lina.inka.de> (NIS and manpage).
Michael Meskes, <meskes@debian.org>

net-tools 2009-09-16 HOSTNAME(1)</nowiki>

SORT - Base Documentation

2026-02-18T10:30:14Z

Admin: /* Common Errors */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

=== Basic Usage of the `sort` Command ===

The most basic usage of `sort` is to sort lines in a file:

<nowiki>
sort <file_name></nowiki>

This command sorts the content of the specified file in ascending order (alphabetically for text or numerically for numbers).

=== Sorting in Reverse Order ===

To reverse the order of sorting, use the `-r` option:

<nowiki>
sort -r <file_name></nowiki>

This sorts the file in descending order.

=== Sorting Numerically ===

To sort lines based on numeric values, use the `-n` option:

<nowiki>
sort -n <file_name></nowiki>

For example, given a file with the following numbers:

<nowiki>
2
10
1
5</nowiki>

The command `sort -n` will result in:

<nowiki>
1
2
5
10</nowiki>

=== Sorting by a Specific Column ===

You can sort by a specific column of data using the `-k` option. For example, to sort by the second column:

<nowiki>
sort -k 2 <file_name></nowiki>

Assuming the following data in the file:

<nowiki>
apple 3
banana 1
cherry 2</nowiki>

The command `sort -k 2` will result in:

<nowiki>
banana 1
cherry 2
apple 3</nowiki>

=== Sorting with Custom Delimiters ===

You can specify a custom delimiter using the `-t` option. For instance, to sort a CSV file by the second column:

<nowiki>
sort -t ',' -k 2 <file_name></nowiki>

=== Case-insensitive Sorting ===

To sort in a case-insensitive manner, use the `-f` option:

<nowiki>
sort -f <file_name></nowiki>

This treats uppercase and lowercase letters as equal during sorting.

=== Sorting and Removing Duplicates ===

You can combine `sort` with the `-u` option to sort data and remove duplicate lines:

<nowiki>
sort -u <file_name></nowiki>

This command will eliminate any repeated lines while sorting the file.

== Advanced Sorting Features ==

=== Sorting by Multiple Keys ===

You can sort by multiple keys (columns) by specifying multiple `-k` options. For example, to sort first by the second column and then by the third column:

<nowiki>
sort -k 2 -k 3 <file_name></nowiki>

This allows more complex sorting, where data can be ordered based on multiple attributes.

=== Using `sort` with Pipelines ===

You can use `sort` in combination with other commands via pipes. For example, to sort the output of `ls`:

<nowiki>
ls -l | sort -k 5 -n</nowiki>

This command will sort the files by file size in ascending order.

=== Sorting by Date or Time ===

If you have data that includes date and time, you can sort it based on the date. For example, with log files:

<nowiki>
sort -k 1,1 -k 2,2 <log_file></nowiki>

This will sort the log entries by date and then by time.

=== Sorting with Random Order ===

To sort the file in a random order, use the `-R` option:

<nowiki>
sort -R <file_name></nowiki>

This command shuffles the lines in the file randomly.

== Troubleshooting ==

=== Common Errors ===

==== sort: invalid option ====
This error usually occurs when an invalid option is used. Double-check the syntax and the options you are passing to ensure they are valid for your version of `sort`.

==== Sorting Not Working as Expected ====
If sorting does not appear to work, it might be due to:
- Sorting alphabetically when you expect numerical sorting.
- The data might have leading spaces or non-visible characters affecting the sort order. Use the `-b` option to ignore leading spaces or check for hidden characters.

Example:
<nowiki>
sort -b <file_name></nowiki>

==== Sort Not Handling Large Files Efficiently ====
Sorting large files can sometimes be slow. Ensure that your system has sufficient memory to handle large datasets. If needed, use the `-S` option to specify the amount of memory to use for sorting.

==== Unexpected Case Sensitivity ====
If the sort seems case-sensitive but you need case-insensitive sorting, remember to include the `-f` option.

==== File Not Found ====
Ensure the file you are trying to sort exists in the directory you're working in. If the file is missing, `sort` will return an error: `<file_name>: No such file or directory`.

=== Performance Optimization ===

Use the `-S` option to specify the amount of memory used for sorting, which can improve performance for large files.

Example:
<nowiki>
sort -S 50% <large_file></nowiki>

If sorting from a very large dataset, consider splitting the data into smaller chunks and sorting them individually before combining them.

== Useful Links ==

* [GNU Sort Manual](https://www.gnu.org/software/coreutils/manual/html_node/sort-invocation.html)
* [Linux `sort` Command Guide](https://www.geeksforgeeks.org/sort-command-in-linux-with-examples/)
* [Unix `sort` Command Tutorial](https://www.tutorialspoint.com/unix_commands/sort.htm)
* [Linux Sorting Commands](https://linux.die.net/man/1/sort)
* [Linux `sort` Cheatsheet](https://cheatography.com/david-pickering/cheat-sheets/sort-command-linux/)
* [Stack Overflow - Troubleshooting `sort`](https://stackoverflow.com/questions/tagged/sort)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

SORT - Base Documentation

2026-02-18T10:29:18Z

Admin: /* Common Errors */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

=== Basic Usage of the `sort` Command ===

The most basic usage of `sort` is to sort lines in a file:

<nowiki>
sort <file_name></nowiki>

This command sorts the content of the specified file in ascending order (alphabetically for text or numerically for numbers).

=== Sorting in Reverse Order ===

To reverse the order of sorting, use the `-r` option:

<nowiki>
sort -r <file_name></nowiki>

This sorts the file in descending order.

=== Sorting Numerically ===

To sort lines based on numeric values, use the `-n` option:

<nowiki>
sort -n <file_name></nowiki>

For example, given a file with the following numbers:

<nowiki>
2
10
1
5</nowiki>

The command `sort -n` will result in:

<nowiki>
1
2
5
10</nowiki>

=== Sorting by a Specific Column ===

You can sort by a specific column of data using the `-k` option. For example, to sort by the second column:

<nowiki>
sort -k 2 <file_name></nowiki>

Assuming the following data in the file:

<nowiki>
apple 3
banana 1
cherry 2</nowiki>

The command `sort -k 2` will result in:

<nowiki>
banana 1
cherry 2
apple 3</nowiki>

=== Sorting with Custom Delimiters ===

You can specify a custom delimiter using the `-t` option. For instance, to sort a CSV file by the second column:

<nowiki>
sort -t ',' -k 2 <file_name></nowiki>

=== Case-insensitive Sorting ===

To sort in a case-insensitive manner, use the `-f` option:

<nowiki>
sort -f <file_name></nowiki>

This treats uppercase and lowercase letters as equal during sorting.

=== Sorting and Removing Duplicates ===

You can combine `sort` with the `-u` option to sort data and remove duplicate lines:

<nowiki>
sort -u <file_name></nowiki>

This command will eliminate any repeated lines while sorting the file.

== Advanced Sorting Features ==

=== Sorting by Multiple Keys ===

You can sort by multiple keys (columns) by specifying multiple `-k` options. For example, to sort first by the second column and then by the third column:

<nowiki>
sort -k 2 -k 3 <file_name></nowiki>

This allows more complex sorting, where data can be ordered based on multiple attributes.

=== Using `sort` with Pipelines ===

You can use `sort` in combination with other commands via pipes. For example, to sort the output of `ls`:

<nowiki>
ls -l | sort -k 5 -n</nowiki>

This command will sort the files by file size in ascending order.

=== Sorting by Date or Time ===

If you have data that includes date and time, you can sort it based on the date. For example, with log files:

<nowiki>
sort -k 1,1 -k 2,2 <log_file></nowiki>

This will sort the log entries by date and then by time.

=== Sorting with Random Order ===

To sort the file in a random order, use the `-R` option:

<nowiki>
sort -R <file_name></nowiki>

This command shuffles the lines in the file randomly.

== Troubleshooting ==

=== Common Errors ===

1. **"sort: invalid option"**
This error usually occurs when an invalid option is used. Double-check the syntax and the options you are passing to ensure they are valid for your version of `sort`.

2. **Sorting Not Working as Expected**
If sorting does not appear to work, it might be due to:
- Sorting alphabetically when you expect numerical sorting.
- The data might have leading spaces or non-visible characters affecting the sort order. Use the `-b` option to ignore leading spaces or check for hidden characters.

Example:
<nowiki>
sort -b <file_name></nowiki>

3. **Sort Not Handling Large Files Efficiently**
Sorting large files can sometimes be slow. Ensure that your system has sufficient memory to handle large datasets. If needed, use the `-S` option to specify the amount of memory to use for sorting.

4. **Unexpected Case Sensitivity**
If the sort seems case-sensitive but you need case-insensitive sorting, remember to include the `-f` option.

5. **File Not Found**
Ensure the file you are trying to sort exists in the directory you're working in. If the file is missing, `sort` will return an error: `<file_name>: No such file or directory`.

=== Performance Optimization ===

Use the `-S` option to specify the amount of memory used for sorting, which can improve performance for large files.

Example:
<nowiki>
sort -S 50% <large_file></nowiki>

If sorting from a very large dataset, consider splitting the data into smaller chunks and sorting them individually before combining them.

== Useful Links ==

* [GNU Sort Manual](https://www.gnu.org/software/coreutils/manual/html_node/sort-invocation.html)
* [Linux `sort` Command Guide](https://www.geeksforgeeks.org/sort-command-in-linux-with-examples/)
* [Unix `sort` Command Tutorial](https://www.tutorialspoint.com/unix_commands/sort.htm)
* [Linux Sorting Commands](https://linux.die.net/man/1/sort)
* [Linux `sort` Cheatsheet](https://cheatography.com/david-pickering/cheat-sheets/sort-command-linux/)
* [Stack Overflow - Troubleshooting `sort`](https://stackoverflow.com/questions/tagged/sort)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

SORT - Base Documentation

2026-02-18T10:28:27Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' === Basic Usage of the `sort` Command === The most basic usage of `sort` is to sort lines in a file: <nowiki> sort <file_name></nowiki> This command sorts the content of the specified file in ascending order (alphabetically for text or numerically for numbers). === Sorting in Reverse Order === To reverse the order of sorting, use the `-r` option: <nowiki> sort -r <fil..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

=== Basic Usage of the `sort` Command ===

The most basic usage of `sort` is to sort lines in a file:

<nowiki>
sort <file_name></nowiki>

This command sorts the content of the specified file in ascending order (alphabetically for text or numerically for numbers).

=== Sorting in Reverse Order ===

To reverse the order of sorting, use the `-r` option:

<nowiki>
sort -r <file_name></nowiki>

This sorts the file in descending order.

=== Sorting Numerically ===

To sort lines based on numeric values, use the `-n` option:

<nowiki>
sort -n <file_name></nowiki>

For example, given a file with the following numbers:

<nowiki>
2
10
1
5</nowiki>

The command `sort -n` will result in:

<nowiki>
1
2
5
10</nowiki>

=== Sorting by a Specific Column ===

You can sort by a specific column of data using the `-k` option. For example, to sort by the second column:

<nowiki>
sort -k 2 <file_name></nowiki>

Assuming the following data in the file:

<nowiki>
apple 3
banana 1
cherry 2</nowiki>

The command `sort -k 2` will result in:

<nowiki>
banana 1
cherry 2
apple 3</nowiki>

=== Sorting with Custom Delimiters ===

You can specify a custom delimiter using the `-t` option. For instance, to sort a CSV file by the second column:

<nowiki>
sort -t ',' -k 2 <file_name></nowiki>

=== Case-insensitive Sorting ===

To sort in a case-insensitive manner, use the `-f` option:

<nowiki>
sort -f <file_name></nowiki>

This treats uppercase and lowercase letters as equal during sorting.

=== Sorting and Removing Duplicates ===

You can combine `sort` with the `-u` option to sort data and remove duplicate lines:

<nowiki>
sort -u <file_name></nowiki>

This command will eliminate any repeated lines while sorting the file.

== Advanced Sorting Features ==

=== Sorting by Multiple Keys ===

You can sort by multiple keys (columns) by specifying multiple `-k` options. For example, to sort first by the second column and then by the third column:

<nowiki>
sort -k 2 -k 3 <file_name></nowiki>

This allows more complex sorting, where data can be ordered based on multiple attributes.

=== Using `sort` with Pipelines ===

You can use `sort` in combination with other commands via pipes. For example, to sort the output of `ls`:

<nowiki>
ls -l | sort -k 5 -n</nowiki>

This command will sort the files by file size in ascending order.

=== Sorting by Date or Time ===

If you have data that includes date and time, you can sort it based on the date. For example, with log files:

<nowiki>
sort -k 1,1 -k 2,2 <log_file></nowiki>

This will sort the log entries by date and then by time.

=== Sorting with Random Order ===

To sort the file in a random order, use the `-R` option:

<nowiki>
sort -R <file_name></nowiki>

This command shuffles the lines in the file randomly.

== Troubleshooting ==

=== Common Errors ===

1. **"sort: invalid option"**
This error usually occurs when an invalid option is used. Double-check the syntax and the options you are passing to ensure they are valid for your version of `sort`.

2. **Sorting Not Working as Expected**
If sorting does not appear to work, it might be due to:
- Sorting alphabetically when you expect numerical sorting.
- The data might have leading spaces or non-visible characters affecting the sort order. Use the `-b` option to ignore leading spaces or check for hidden characters.

Example:
<nowiki>
sort -b <file_name>
</nowiki>

3. **Sort Not Handling Large Files Efficiently**
Sorting large files can sometimes be slow. Ensure that your system has sufficient memory to handle large datasets. If needed, use the `-S` option to specify the amount of memory to use for sorting.

4. **Unexpected Case Sensitivity**
If the sort seems case-sensitive but you need case-insensitive sorting, remember to include the `-f` option.

5. **File Not Found**
Ensure the file you are trying to sort exists in the directory you're working in. If the file is missing, `sort` will return an error: `<file_name>: No such file or directory`.

=== Performance Optimization ===

Use the `-S` option to specify the amount of memory used for sorting, which can improve performance for large files.

Example:
<nowiki>
sort -S 50% <large_file></nowiki>

If sorting from a very large dataset, consider splitting the data into smaller chunks and sorting them individually before combining them.

== Useful Links ==

* [GNU Sort Manual](https://www.gnu.org/software/coreutils/manual/html_node/sort-invocation.html)
* [Linux `sort` Command Guide](https://www.geeksforgeeks.org/sort-command-in-linux-with-examples/)
* [Unix `sort` Command Tutorial](https://www.tutorialspoint.com/unix_commands/sort.htm)
* [Linux Sorting Commands](https://linux.die.net/man/1/sort)
* [Linux `sort` Cheatsheet](https://cheatography.com/david-pickering/cheat-sheets/sort-command-linux/)
* [Stack Overflow - Troubleshooting `sort`](https://stackoverflow.com/questions/tagged/sort)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:22:21Z

Admin: /* Filters & Descriptions */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

* '''cs-client-addr''': The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-client-port''': The (client) source port on the clientside of the connection.
* '''cs-server-addr''': The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
* '''cs-server-port''': The (server) destination port on the clientside of the connection (i.e. the Virtual Server port).
* '''ss-client-addr''': The (client) source IP address on the serverside of the connection (i.e. the SNAT address).
* '''ss-client-port''': The (client) source port on the serverside of the connection (i.e. the SNAT port).
* '''ss-server-addr''': The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address).
* '''ss-server-port''': The (server) destination port on the serverside of the connection (i.e., the Pool Member port).

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:21:02Z

Admin: /* USEFUL LINKS */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
* [F5 iHealth](https://ihealth.f5.com/)
* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
* [F5 DevCentral Community](https://community.f5.com/)
* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:20:17Z

Admin: /* SHOW VS STATISTICS */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0</nowiki>

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:20:00Z

Admin: /* SHOW VS LOGS */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME></nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:19:39Z

Admin: /* Filters & Description */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Descriptions ===

*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME><nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:19:25Z

Admin: /* SHOW VS CONNECTIONS */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

=== Filters & Description ===

*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME><nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:18:30Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}</nowiki>

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}</nowiki>

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

# Filter # Description
*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME><nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM Survival Guide

2026-02-18T10:17:18Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == CHOOSE PARTITION == Enter tmsh and choose partition : <nowiki> tmsh cd /<PARTITION_NAME></nowiki> == SHOW VS CONFIG == <nowiki> # show running-config ltm virtual <VS_NAME> ltm virtual <VS_NAME>_443 { destination 1.2.3.4%1094:443 ip-protocol tcp mask 255.255.255.255 partition LBP3-LBPFM pool Pool_<VS_NAME> profiles { /Common/tcp { }..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== CHOOSE PARTITION ==

Enter tmsh and choose partition :

<nowiki>
tmsh
cd /<PARTITION_NAME></nowiki>

== SHOW VS CONFIG ==

<nowiki>
# show running-config ltm virtual <VS_NAME>
ltm virtual <VS_NAME>_443 {
destination 1.2.3.4%1094:443
ip-protocol tcp
mask 255.255.255.255
partition LBP3-LBPFM
pool Pool_<VS_NAME>
profiles {
/Common/tcp { }
clientssl_<VS_NAME> {
context clientside
}
serverssl_<VS_NAME> {
context serverside
}
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 147
}

== SHOW POOL CONFIG ==

Show Configuration :
<nowiki>
# show running-config ltm pool <POOL_NAME>
ltm pool <POOL_NAME> {
members {
SERVER1:PORT {
address 1.2.3.4
session monitor-enabled
state up
}
SERVER2:PORT {
address 4.3.2.1
session monitor-enabled
state up
}
}
monitor /Common/tcp
partition PARTITION_NAME
}

== SHOW POOL STATISTICS ==

<nowiki>
tmsh show ltm pool <POOL_NAME></nowiki>

== SHOW SSL PROFILES ==

<nowiki>
tmsh show sys crypto cert</nowiki>

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

== SHOW VS CONNECTIONS ==

<nowiki>
tmsh show sys conn cs-server-addr <IP></nowiki>

Example :
<nowiki>
tmsh show sys conn cs-server-addr <IP> | awk '{print $1}' | cut -d ":" -f1 | sort -u</nowiki>
To get :
<nowiki>
IP SRC cliente IP VS Floating VS IP node
cs-client-addr cs-server-addr ss-client-addr ss-server-addr</nowiki>

# Filter # Description
*cs-client-addr
**The (client) source IP address on the clientside of the connection. Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-client-port
** The (client) source port on the clientside of the connection
*cs-server-addr
** The (server) destination IP address on the clientside of the connection (i.e. the Virtual Server IP address). Subnets are allowed by specifying an optional prefix length up to /24 and /56 for IPv4 and IPv6 respectively.
*cs-server-port
** The (server) destination port on the clientside of the connection (i.e. the Virtual Server port)
*ss-client-addr
**The (client) source IP address on the serverside of the connection (i.e. the SNAT address)
*ss-client-port
**The (client) source port on the serverside of the connection (i.e. the SNAT port)
*ss-server-addr
**The (server) destination IP address on the serverside of the connection (i.e., the Pool Member address)
*ss-server-port
** The (server) destination port on the serverside of the connection (i.e., the Pool Member port)

== SHOW VS LOGS ==

<nowiki>
tail /var/log/ltm | grep <VS_NAME><nowiki>

The /var/log/ltm will show the time according to the Time Zone configured while the tmsh show sys log ltm will show the UTC time.

== SHOW VS STATISTICS ==

<nowiki>
# show ltm virtual <VS_NAME>
--------------------------------------------------------------------

Ltm::Virtual Server: <VS_NAME>

--------------------------------------------------------------------

Status
Availability : available
State : enabled
Reason : The virtual server is available
CMP : enabled
CMP Mode : all-cpus
Destination : 1.2.3.4:443
PVA Acceleration : none

Traffic ClientSide Ephemeral General
Bits In 26.2G 0 -
Bits Out 100.2G 0 -
Packets In 10.9M 0 -
Packets Out 16.0M 0 -
Current Connections 0 0 -
Maximum Connections 77 0 -
Total Connections 1.7M 0 -
Evicted Connections 0 0 -
Slow Connections Killed 0 0 -
Min Conn Duration/msec - - 2
Max Conn Duration/msec - - 1.8M
Mean Conn Duration/msec - - 6
Total Requests - - 0

SYN Cookies
Status not-activated
Hardware SYN Cookie Instances 0
Software SYN Cookie Instances 0
Current SYN Cache 0
SYN Cache Overflow 0
Total Software 0
Total Software Accepted 0
Total Software Rejected 0
Total Hardware 0
Total Hardware Accepted 0

Message Routing Framework In Out
Message 0 0
Request 0 0
Response 0 0

CPU Usage Ratio (%)
Last 5 Seconds 0
Last 1 Minute 0
Last 5 Minutes 0

== USEFUL LINKS ==

* [F5 BIG-IP LTM Command Line Interface (CLI) Guide](https://my.f5.com/manage/s/article/K40033505)
- This guide provides an overview of **F5 BIG-IP LTM CLI commands** and their usage, ideal for network administrators working with F5 load balancers.

* [F5 BIG-IP LTM Troubleshooting and Logs](https://my.f5.com/manage/s/article/K53851362)
- A detailed article covering various **troubleshooting techniques** for F5 BIG-IP LTM, including analyzing logs, inspecting performance statistics, and diagnosing issues.

* [F5 BIG-IP LTM Configuration Examples](https://my.f5.com/manage/s/article/K28245234)
- A collection of useful **configuration examples** for **F5 BIG-IP LTM**. This includes virtual server, pool, SSL, and other common configuration scenarios.

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
- Documentation on **iRules** for customizing traffic handling, load balancing, SSL offloading, and other network-level operations in **F5 BIG-IP LTM**.

* [F5 Knowledge Base](https://support.f5.com/csp/)
- The official **F5 Knowledge Base** for accessing articles, troubleshooting tips, and frequently asked questions (FAQs) related to **F5 BIG-IP** products.

* [F5 BIG-IP System Performance Monitoring](https://techdocs.f5.com/t/d/s/article/K85011825)
- Information on how to monitor the **performance** of your **F5 BIG-IP LTM** system, including system stats, metrics, and performance tuning guidelines.

* [F5 SSL Offloading Configuration](https://techdocs.f5.com/t/d/s/article/K15153940)
- Step-by-step guide for **SSL offloading** using **F5 BIG-IP LTM**, which helps optimize the decryption of HTTPS traffic.

* [F5 iHealth](https://ihealth.f5.com/)
- A diagnostic tool for **F5 BIG-IP LTM** devices to perform system health checks, collect logs, and get recommendations for system optimization.

* [F5 BIG-IP SSL Certificate Management](https://techdocs.f5.com/t/d/s/article/K11841)
- This article provides information on managing **SSL certificates** for **F5 BIG-IP LTM**, including importing, configuring, and troubleshooting SSL certificates.

* [F5 DevCentral Community](https://community.f5.com/)
- **F5 DevCentral** is an active online community for F5 professionals, offering forums, discussions, and resources about **F5 BIG-IP LTM** configuration, troubleshooting, and best practices.

* [F5 BIG-IP High Availability and Failover Configuration](https://support.f5.com/csp/article/K11897)
- An essential guide on setting up **high availability** and **failover** between F5 devices, ensuring reliability and continuous service availability.

* [F5 BIG-IP Latest Release Notes](https://support.f5.com/csp/article/K13008)
- The **release notes** for **F5 BIG-IP LTM** provide important information about new features, bug fixes, and changes in each software version.

* [F5 BIG-IP iRule Examples and Best Practices](https://devcentral.f5.com/s/articles/best-practices-for-irules-13372)
- A helpful resource with practical **iRule examples** and best practices to efficiently handle traffic manipulation and load balancing on F5 devices.

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:03:18Z

Admin: /* Important Notes */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>
show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>
no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

**Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

**Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

**Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:02:57Z

Admin: /* Verify Cluster Synchronization */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>
show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>
no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

- **Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

- **Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

- **Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:02:38Z

Admin: /* Break the Failover */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>
show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>
no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

- **Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

- **Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

- **Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:02:26Z

Admin: /* Check Cluster Configuration */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>
show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

- **Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

- **Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

- **Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:02:01Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

- **Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

- **Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

- **Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

CISCO-ASA - Cluster Factory Reset

2026-02-18T10:00:56Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == Removing Contexts in a Cisco ASA Cluster == In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below. === Steps to Remove a Context === 1. **Access the ASA CLI**: - Log in to the ASA device using S..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Removing Contexts in a Cisco ASA Cluster ==

In a **multi-context configuration** on Cisco ASA devices, each context functions as a virtual firewall with its own configuration, interfaces, and policies. If you need to remove a context from your ASA, follow the steps below.

=== Steps to Remove a Context ===

1. **Access the ASA CLI**:
- Log in to the ASA device using SSH, console, or other access methods.

2. **Enter Privileged Exec Mode**:
- Once logged in, enter privileged exec mode:

<nowiki>
enable</nowiki>

3. **Enter Configuration Mode**:
- Enter configuration mode to make changes:

<nowiki>
config terminal</nowiki>

4. **Switch to System Context**:
- Since you are working in a multi-context setup, you need to enter the **system context** (the default context):

<nowiki>
changeto system</nowiki>

5. **Remove the Context**:
- Use the following command to remove the context:

<nowiki>
no context <context_name></nowiki>

Example:
- If the context name is `Sales`, use:

<nowiki>
no context Sales</nowiki>

6. **Verify the Removal**:
- After the context is removed, verify it has been deleted using:

<nowiki>
show context</nowiki>

This will list all remaining contexts. The context you removed should no longer appear.

7. **Return to the System Context**:
- If you were previously in a specific context, return to the system context using:

<nowiki>
changeto system</nowiki>

8. **Save the Configuration**:
- Once the context is removed, save the configuration to ensure changes are persistent:

<nowiki>
write memory</nowiki>

=== Example CLI Session for Removing a Context ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# changeto system
ASA(system)# no context Sales
ASA(system)# show context
</nowiki>

== Factory Reset of a Cisco ASA Cluster ==

Performing a factory reset on a **Cisco ASA Cluster** (e.g., ASA 5500-X or other models) will erase all configurations, including interfaces, routing, VPN settings, and security policies, returning the device to its default settings. Follow the steps below to reset both the active and standby units of an ASA cluster.

=== Steps for Factory Reset of a Cisco ASA Cluster ===

==== Access the ASA CLI ====
Log in to each ASA unit in the cluster (both active and standby units) using SSH, console, or any other method.

==== Check Cluster Configuration ====
Before performing the reset, check the cluster status to ensure you are on the correct member:

<nowiki>show failover</nowiki>

==== Break the Failover ====
To reset the cluster configuration, you must first break the failover between the active and standby units. Enter the following command on both units:

<nowiki>no failover</nowiki>

==== Erase the Configuration ====
Erase the **startup configuration** on both units using:

<nowiki>
write erase</nowiki>

Or alternatively:

<nowiki>
erase startup-config</nowiki>

This will remove all configuration settings.

==== Reboot the ASA Unit ====
After erasing the configuration, reboot the ASA unit to apply the changes:

<nowiki>
reload</nowiki>

When prompted to save the configuration, select **No**, as you just erased it.

==== Repeat for Standby Unit ====
After performing the reset on the active unit, repeat the same steps on the **standby unit** in the cluster.

==== Re-enable Failover ====
Once both units are factory reset and rebooted, re-enable the failover process to restore the cluster:

<nowiki>
failover</nowiki>

==== Verify Cluster Synchronization ====
After re-enabling failover, verify that both units in the cluster are synchronized and that the failover is working correctly:

<nowiki>
show failover</nowiki>

=== Example CLI Session for Factory Reset ===

<nowiki>
ASA# enable
Password: ********

ASA# config terminal
ASA(config)# no failover
ASA(config)# write erase
ASA(config)# reload
</nowiki>

After performing the reset on both the active and standby units, re-enable failover and check synchronization:

<nowiki>
ASA(config)# failover
ASA(config)# show failover
</nowiki>

== Important Notes ==

- **Backup Configuration**: Always **backup your configuration** before performing a factory reset or removing contexts. Use the following command to back up the configuration:

<nowiki>
copy running-config tftp://<TFTP_server_IP>/backup.cfg</nowiki>

- **Impact**: Resetting the device or removing contexts will erase all configurations associated with the context or unit, including interfaces, security policies, routing, and VPN configurations.

- **Multi-Context Licensing**: Ensure that your device is licensed for multi-context operation if you plan to use multiple contexts. The reset or removal of contexts will impact how interfaces and resources are allocated.

== Useful Links ==

* [Cisco ASA Documentation](https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/tsd-products-support-series-home.html)
* [Cisco ASA Configuration Guides](https://www.cisco.com/c/en/us/td/docs/security/asa/)
* [Cisco Knowledge Base](https://support.cisco.com/)
* [Cisco ASA Failover Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration-guide/firewall/intro-failover.html)
* [Cisco ASA Cluster Configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/firewall-cluster.html)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - iRules

2026-02-18T08:14:31Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Viewing iRules ==

=== Viewing All iRules ===
To display all configured iRules, use the following command:

<nowiki>
tmsh show ltm rule</nowiki>

This command lists all iRules on the system along with their current status.

=== Viewing a Specific iRule ===
To view a specific iRule by name, use:

<nowiki>
tmsh show ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule</nowiki>

This command will display the full content of the `myrule` iRule.

== Creating and Managing iRules ==

=== Creating a New iRule ===
To create a new iRule, use the following command:

<nowiki>
tmsh create ltm rule <iRule_name> { <iRule_script> }</nowiki>

Example:
<nowiki>
tmsh create ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request" } }</nowiki>

This creates an iRule named `myrule` that logs an entry for each HTTP request received.

=== Modifying an Existing iRule ===
To modify an existing iRule, use:

<nowiki>
tmsh modify ltm rule <iRule_name> { <new_iRule_script> }</nowiki>

Example:
<nowiki>
tmsh modify ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request with URI: [HTTP::uri]" } }</nowiki>

This modifies the `myrule` iRule to log the URI of each HTTP request.

=== Deleting an iRule ===
To delete an iRule, use:

<nowiki>
tmsh delete ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh delete ltm rule myrule</nowiki>

This deletes the `myrule` iRule from the system.

== iRule Syntax and Components ==

### Basic iRule Syntax

An iRule consists of **event blocks**, which trigger actions based on specific traffic events. The basic syntax of an iRule looks like this:

<nowiki>
when <event> {
<action>
}</nowiki>

Example:
<nowiki>
when CLIENTSSL_HANDSHAKE {
log local0. "SSL handshake initiated"
}</nowiki>

### Common Events in iRules

- **HTTP_REQUEST**: Triggered when an HTTP request is received.
- **HTTP_RESPONSE**: Triggered when an HTTP response is generated.
- **CLIENTSSL_HANDSHAKE**: Triggered during the SSL handshake.
- **TCP_REQUEST**: Triggered for TCP traffic.

### Common Actions in iRules

- **log**: Logs information to the system log.
- **reject**: Rejects the connection.
- **forward**: Forwards the traffic to the next step.
- **pool**: Directs the traffic to a specific pool or server.

### Example iRule for HTTP Request Logging

<nowiki>
when HTTP_REQUEST {
log local0. "Received HTTP request: [HTTP::uri]"
}</nowiki>

This iRule logs each HTTP request's URI to the system log.

== Assigning iRules to Virtual Servers ==

To assign an iRule to a virtual server, use the following command:

<nowiki>
tmsh modify ltm virtual <vs_name> rules add { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules add { myrule }</nowiki>

This command adds the `myrule` iRule to the `my_virtual_server` virtual server.

=== Removing an iRule from a Virtual Server ===
To remove an iRule from a virtual server, use:

<nowiki>
tmsh modify ltm virtual <vs_name> rules delete { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules delete { myrule }</nowiki>

This removes the `myrule` iRule from the `my_virtual_server` virtual server.

== Troubleshooting iRules ==

=== Viewing iRule Logs ===
To view the logs generated by iRules, use the following command:

<nowiki>
tail -f /var/log/ltm</nowiki>

This command will display the log entries created by iRules on the system.

=== Checking iRule Syntax ===
Before deploying an iRule, it is important to ensure that there are no syntax errors. To validate the syntax of an iRule, use:

<nowiki>
tmsh show ltm rule <iRule_name> syntax</nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule syntax</nowiki>

This command checks for syntax errors in the `myrule` iRule.

=== Debugging iRules ===
For debugging iRules, use the **log** command to print debug messages to the system log. You can enable verbose logging to track the execution flow of the iRule:

<nowiki>
log local0. "Debugging iRule execution: [HTTP::uri]"</nowiki>

Additionally, you can use the following command to increase log verbosity:

<nowiki>
tmsh modify /sys log-config level debug</nowiki>

This will increase the level of logging on the system, helping to debug any issues with iRule execution.

== Useful Links ==

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 BIG-IP iRule Examples](https://techdocs.f5.com/)
* [F5 iRule Tutorials](https://community.f5.com/)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 Downloads](https://downloads.f5.com/)
* [F5 iRules GitHub Repository](https://github.com/f5devcentral)
* [F5 iRules YouTube Channel](https://www.youtube.com/user/F5Networks)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - iRules

2026-02-18T08:14:12Z

Admin: /* iRule Syntax and Components */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Viewing iRules ==

=== Viewing All iRules ===
To display all configured iRules, use the following command:

<nowiki>
tmsh show ltm rule</nowiki>

This command lists all iRules on the system along with their current status.

=== Viewing a Specific iRule ===
To view a specific iRule by name, use:

<nowiki>
tmsh show ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule</nowiki>

This command will display the full content of the `myrule` iRule.

== Creating and Managing iRules ==

=== Creating a New iRule ===
To create a new iRule, use the following command:

<nowiki>
tmsh create ltm rule <iRule_name> { <iRule_script> }</nowiki>

Example:
<nowiki>
tmsh create ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request" } }</nowiki>

This creates an iRule named `myrule` that logs an entry for each HTTP request received.

=== Modifying an Existing iRule ===
To modify an existing iRule, use:

<nowiki>
tmsh modify ltm rule <iRule_name> { <new_iRule_script> }</nowiki>

Example:
<nowiki>
tmsh modify ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request with URI: [HTTP::uri]" } }</nowiki>

This modifies the `myrule` iRule to log the URI of each HTTP request.

=== Deleting an iRule ===
To delete an iRule, use:

<nowiki>
tmsh delete ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh delete ltm rule myrule</nowiki>

This deletes the `myrule` iRule from the system.

== iRule Syntax and Components ==

### Basic iRule Syntax

An iRule consists of **event blocks**, which trigger actions based on specific traffic events. The basic syntax of an iRule looks like this:

<nowiki>
when <event> {
<action>
}</nowiki>

Example:
<nowiki>
when CLIENTSSL_HANDSHAKE {
log local0. "SSL handshake initiated"
}</nowiki>

### Common Events in iRules

- **HTTP_REQUEST**: Triggered when an HTTP request is received.
- **HTTP_RESPONSE**: Triggered when an HTTP response is generated.
- **CLIENTSSL_HANDSHAKE**: Triggered during the SSL handshake.
- **TCP_REQUEST**: Triggered for TCP traffic.

### Common Actions in iRules

- **log**: Logs information to the system log.
- **reject**: Rejects the connection.
- **forward**: Forwards the traffic to the next step.
- **pool**: Directs the traffic to a specific pool or server.

### Example iRule for HTTP Request Logging

<nowiki>
when HTTP_REQUEST {
log local0. "Received HTTP request: [HTTP::uri]"
}</nowiki>

This iRule logs each HTTP request's URI to the system log.

== Assigning iRules to Virtual Servers ==

To assign an iRule to a virtual server, use the following command:

<nowiki>
tmsh modify ltm virtual <vs_name> rules add { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules add { myrule }</nowiki>

This command adds the `myrule` iRule to the `my_virtual_server` virtual server.

=== Removing an iRule from a Virtual Server ===
To remove an iRule from a virtual server, use:

<nowiki>
tmsh modify ltm virtual <vs_name> rules delete { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules delete { myrule }</nowiki>

This removes the `myrule` iRule from the `my_virtual_server` virtual server.

== Troubleshooting iRules ==

=== Viewing iRule Logs ===
To view the logs generated by iRules, use the following command:

<nowiki>
tail -f /var/log/ltm</nowiki>

This command will display the log entries created by iRules on the system.

=== Checking iRule Syntax ===
Before deploying an iRule, it is important to ensure that there are no syntax errors. To validate the syntax of an iRule, use:

<nowiki>
tmsh show ltm rule <iRule_name> syntax</nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule syntax</nowiki>

This command checks for syntax errors in the `myrule` iRule.

=== Debugging iRules ===
For debugging iRules, use the **log** command to print debug messages to the system log. You can enable verbose logging to track the execution flow of the iRule:

<nowiki>
log local0. "Debugging iRule execution: [HTTP::uri]"</nowiki>

Additionally, you can use the following command to increase log verbosity:

<nowiki>
tmsh modify /sys log-config level debug</nowiki>

This will increase the level of logging on the system, helping to debug any issues with iRule execution.

== Useful Links ==

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 BIG-IP iRule Examples](https://techdocs.f5.com/)
* [F5 iRule Tutorials](https://community.f5.com/)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 Downloads](https://downloads.f5.com/)
* [F5 iRules GitHub Repository](https://github.com/f5devcentral)
* [F5 iRules YouTube Channel](https://www.youtube.com/user/F5Networks)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - iRules

2026-02-18T08:13:44Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Viewing iRules ==

=== Viewing All iRules ===
To display all configured iRules, use the following command:

<nowiki>
tmsh show ltm rule</nowiki>

This command lists all iRules on the system along with their current status.

=== Viewing a Specific iRule ===
To view a specific iRule by name, use:

<nowiki>
tmsh show ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule</nowiki>

This command will display the full content of the `myrule` iRule.

== Creating and Managing iRules ==

=== Creating a New iRule ===
To create a new iRule, use the following command:

<nowiki>
tmsh create ltm rule <iRule_name> { <iRule_script> }</nowiki>

Example:
<nowiki>
tmsh create ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request" } }</nowiki>

This creates an iRule named `myrule` that logs an entry for each HTTP request received.

=== Modifying an Existing iRule ===
To modify an existing iRule, use:

<nowiki>
tmsh modify ltm rule <iRule_name> { <new_iRule_script> }</nowiki>

Example:
<nowiki>
tmsh modify ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request with URI: [HTTP::uri]" } }</nowiki>

This modifies the `myrule` iRule to log the URI of each HTTP request.

=== Deleting an iRule ===
To delete an iRule, use:

<nowiki>
tmsh delete ltm rule <iRule_name></nowiki>

Example:
<nowiki>
tmsh delete ltm rule myrule</nowiki>

This deletes the `myrule` iRule from the system.

== iRule Syntax and Components ==

### Basic iRule Syntax

An iRule consists of **event blocks**, which trigger actions based on specific traffic events. The basic syntax of an iRule looks like this:

<nowiki>

when <event> {
<action>
}
</nowiki>

Example:
<nowiki>

when CLIENTSSL_HANDSHAKE {
log local0. "SSL handshake initiated"
}
</nowiki>

### Common Events in iRules

- **HTTP_REQUEST**: Triggered when an HTTP request is received.
- **HTTP_RESPONSE**: Triggered when an HTTP response is generated.
- **CLIENTSSL_HANDSHAKE**: Triggered during the SSL handshake.
- **TCP_REQUEST**: Triggered for TCP traffic.

### Common Actions in iRules

- **log**: Logs information to the system log.
- **reject**: Rejects the connection.
- **forward**: Forwards the traffic to the next step.
- **pool**: Directs the traffic to a specific pool or server.

### Example iRule for HTTP Request Logging

<nowiki>

when HTTP_REQUEST {
log local0. "Received HTTP request: [HTTP::uri]"
}
</nowiki>

This iRule logs each HTTP request's URI to the system log.

== Assigning iRules to Virtual Servers ==

To assign an iRule to a virtual server, use the following command:

<nowiki>
tmsh modify ltm virtual <vs_name> rules add { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules add { myrule }</nowiki>

This command adds the `myrule` iRule to the `my_virtual_server` virtual server.

=== Removing an iRule from a Virtual Server ===
To remove an iRule from a virtual server, use:

<nowiki>
tmsh modify ltm virtual <vs_name> rules delete { <iRule_name> }</nowiki>

Example:
<nowiki>
tmsh modify ltm virtual my_virtual_server rules delete { myrule }</nowiki>

This removes the `myrule` iRule from the `my_virtual_server` virtual server.

== Troubleshooting iRules ==

=== Viewing iRule Logs ===
To view the logs generated by iRules, use the following command:

<nowiki>
tail -f /var/log/ltm</nowiki>

This command will display the log entries created by iRules on the system.

=== Checking iRule Syntax ===
Before deploying an iRule, it is important to ensure that there are no syntax errors. To validate the syntax of an iRule, use:

<nowiki>
tmsh show ltm rule <iRule_name> syntax</nowiki>

Example:
<nowiki>
tmsh show ltm rule myrule syntax</nowiki>

This command checks for syntax errors in the `myrule` iRule.

=== Debugging iRules ===
For debugging iRules, use the **log** command to print debug messages to the system log. You can enable verbose logging to track the execution flow of the iRule:

<nowiki>
log local0. "Debugging iRule execution: [HTTP::uri]"</nowiki>

Additionally, you can use the following command to increase log verbosity:

<nowiki>
tmsh modify /sys log-config level debug</nowiki>

This will increase the level of logging on the system, helping to debug any issues with iRule execution.

== Useful Links ==

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 BIG-IP iRule Examples](https://techdocs.f5.com/)
* [F5 iRule Tutorials](https://community.f5.com/)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 Downloads](https://downloads.f5.com/)
* [F5 iRules GitHub Repository](https://github.com/f5devcentral)
* [F5 iRules YouTube Channel](https://www.youtube.com/user/F5Networks)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - iRules

2026-02-18T08:12:57Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == Viewing iRules == === Viewing All iRules === To display all configured iRules, use the following command: <nowiki>tmsh show ltm rule</nowiki> This command lists all iRules on the system along with their current status. === Viewing a Specific iRule === To view a specific iRule by name, use: <nowiki>tmsh show ltm rule <iRule_name></nowiki> Example: <nowiki>tmsh show lt..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Viewing iRules ==

=== Viewing All iRules ===
To display all configured iRules, use the following command:

<nowiki>tmsh show ltm rule</nowiki>

This command lists all iRules on the system along with their current status.

=== Viewing a Specific iRule ===
To view a specific iRule by name, use:

<nowiki>tmsh show ltm rule <iRule_name></nowiki>

Example:
<nowiki>tmsh show ltm rule myrule</nowiki>

This command will display the full content of the `myrule` iRule.

== Creating and Managing iRules ==

=== Creating a New iRule ===
To create a new iRule, use the following command:

<nowiki>tmsh create ltm rule <iRule_name> { <iRule_script> }</nowiki>

Example:
<nowiki>tmsh create ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request" } }</nowiki>

This creates an iRule named `myrule` that logs an entry for each HTTP request received.

=== Modifying an Existing iRule ===
To modify an existing iRule, use:

<nowiki>tmsh modify ltm rule <iRule_name> { <new_iRule_script> }</nowiki>

Example:
<nowiki>tmsh modify ltm rule myrule { when HTTP_REQUEST { log local0. "Received HTTP request with URI: [HTTP::uri]" } }</nowiki>

This modifies the `myrule` iRule to log the URI of each HTTP request.

=== Deleting an iRule ===
To delete an iRule, use:

<nowiki>tmsh delete ltm rule <iRule_name></nowiki>

Example:
<nowiki>tmsh delete ltm rule myrule</nowiki>

This deletes the `myrule` iRule from the system.

== iRule Syntax and Components ==

### Basic iRule Syntax

An iRule consists of **event blocks**, which trigger actions based on specific traffic events. The basic syntax of an iRule looks like this:

<nowiki>
when <event> {
<action>
}
</nowiki>

Example:
<nowiki>
when CLIENTSSL_HANDSHAKE {
log local0. "SSL handshake initiated"
}
</nowiki>

### Common Events in iRules

- **HTTP_REQUEST**: Triggered when an HTTP request is received.
- **HTTP_RESPONSE**: Triggered when an HTTP response is generated.
- **CLIENTSSL_HANDSHAKE**: Triggered during the SSL handshake.
- **TCP_REQUEST**: Triggered for TCP traffic.

### Common Actions in iRules

- **log**: Logs information to the system log.
- **reject**: Rejects the connection.
- **forward**: Forwards the traffic to the next step.
- **pool**: Directs the traffic to a specific pool or server.

### Example iRule for HTTP Request Logging

<nowiki>
when HTTP_REQUEST {
log local0. "Received HTTP request: [HTTP::uri]"
}
</nowiki>

This iRule logs each HTTP request's URI to the system log.

== Assigning iRules to Virtual Servers ==

To assign an iRule to a virtual server, use the following command:

<nowiki>tmsh modify ltm virtual <vs_name> rules add { <iRule_name> }</nowiki>

Example:
<nowiki>tmsh modify ltm virtual my_virtual_server rules add { myrule }</nowiki>

This command adds the `myrule` iRule to the `my_virtual_server` virtual server.

=== Removing an iRule from a Virtual Server ===
To remove an iRule from a virtual server, use:

<nowiki>tmsh modify ltm virtual <vs_name> rules delete { <iRule_name> }</nowiki>

Example:
<nowiki>tmsh modify ltm virtual my_virtual_server rules delete { myrule }</nowiki>

This removes the `myrule` iRule from the `my_virtual_server` virtual server.

== Troubleshooting iRules ==

=== Viewing iRule Logs ===
To view the logs generated by iRules, use the following command:

<nowiki>tail -f /var/log/ltm</nowiki>

This command will display the log entries created by iRules on the system.

=== Checking iRule Syntax ===
Before deploying an iRule, it is important to ensure that there are no syntax errors. To validate the syntax of an iRule, use:

<nowiki>tmsh show ltm rule <iRule_name> syntax</nowiki>

Example:
<nowiki>tmsh show ltm rule myrule syntax</nowiki>

This command checks for syntax errors in the `myrule` iRule.

=== Debugging iRules ===
For debugging iRules, use the **log** command to print debug messages to the system log. You can enable verbose logging to track the execution flow of the iRule:

<nowiki>log local0. "Debugging iRule execution: [HTTP::uri]"</nowiki>

Additionally, you can use the following command to increase log verbosity:

<nowiki>tmsh modify /sys log-config level debug</nowiki>

This will increase the level of logging on the system, helping to debug any issues with iRule execution.

== Useful Links ==

* [F5 BIG-IP iRule Documentation](https://support.f5.com/csp/article/K19240)
* [F5 BIG-IP iRule Examples](https://techdocs.f5.com/)
* [F5 iRule Tutorials](https://community.f5.com/)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 Downloads](https://downloads.f5.com/)
* [F5 iRules GitHub Repository](https://github.com/f5devcentral)
* [F5 iRules YouTube Channel](https://www.youtube.com/user/F5Networks)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

F5 BIG-IP - LTM CLI Commands

2026-02-18T08:11:16Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == Viewing System Information == To display system information, including the software version, platform, and other relevant details, use the following command: <nowiki> tmsh show sys version</nowiki> This command will output the software version, platform type, and more. == Managing Configuration Files == You can list, view, and manage system configuration files. The co..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Viewing System Information ==
To display system information, including the software version, platform, and other relevant details, use the following command:

<nowiki>
tmsh show sys version</nowiki>

This command will output the software version, platform type, and more.

== Managing Configuration Files ==
You can list, view, and manage system configuration files. The command below displays all configuration files:

<nowiki>
tmsh list /sys config</nowiki>

To view a specific configuration file, use:

<nowiki>
tmsh show /sys config <filename></nowiki>

== Viewing System Status ==
To view the overall status of the system, including all major components, run:

<nowiki>
tmsh show sys status</nowiki>

This shows the status of hardware, software, and critical system components.

== Network Configuration ==

=== Viewing Network Interfaces ===
To list the available network interfaces, run:

<nowiki>
tmsh show net interface</nowiki>

This command displays all physical interfaces and their status, including throughput and error counts.

=== Configuring Network Interfaces ===
To configure a specific network interface, use the following command:

<nowiki>
tmsh modify /net interface <interface_name> mtu <mtu_value> address <ip_address> netmask <netmask_value></nowiki>

For example, configuring `eth0` with an MTU of 1500, IP address `192.168.1.10`, and netmask `255.255.255.0` would be:

<nowiki>
tmsh modify /net interface eth0 mtu 1500 address 192.168.1.10 netmask 255.255.255.0</nowiki>

=== Viewing Routing Information ===
To show routing information, including routes, use:

<nowiki>
tmsh show net route</nowiki>

This command outputs the active routes in the routing table.

== LTM (Local Traffic Manager) Configuration ==

=== Viewing Pools ===
To view the configuration and status of load balancing pools, use:

<nowiki>
tmsh show ltm pool</nowiki>

This command provides a list of all configured pools, along with their status, members, and other relevant details.

=== Creating and Managing Pools ===
To create a new pool, the following command can be used:

<nowiki>
tmsh create ltm pool <pool_name> members add { <ip_address>:<port> }</nowiki>

For example:

<nowiki>
tmsh create ltm pool mypool members add { 192.168.1.20:80 192.168.1.21:80 }</nowiki>

To modify a pool, use the `modify` keyword, and to delete a pool, use the `delete` keyword:

<nowiki>
tmsh modify ltm pool mypool members add { 192.168.1.22:80 }
tmsh delete ltm pool mypool</nowiki>

=== Viewing Virtual Servers ===
To list the virtual servers and their statuses:

<nowiki>
tmsh show ltm virtual</nowiki>

This shows the configured virtual servers, their IP addresses, and their current status.

=== Creating and Managing Virtual Servers ===
To create a new virtual server, the following command is used:

<nowiki>
tmsh create ltm virtual <vs_name> destination <vs_ip>:<vs_port> pool <pool_name> profiles add { http }</nowiki>

For example:

<nowiki>
tmsh create ltm virtual myvirtualserver destination 192.168.1.100:80 pool mypool profiles add { http }</nowiki>

To modify or delete a virtual server, use the `modify` and `delete` commands respectively:

<nowiki>
tmsh modify ltm virtual myvirtualserver destination 192.168.1.101:80
tmsh delete ltm virtual myvirtualserver</nowiki>

== SSL Configuration ==

=== Viewing SSL Profiles ===
To display SSL profile configurations, use the following command:

<nowiki>
tmsh show ltm profile client-ssl</nowiki>

This command lists the SSL profiles used by virtual servers for handling encrypted traffic.

=== Creating and Managing SSL Profiles ===
To create an SSL client profile, use:

<nowiki>
tmsh create ltm profile client-ssl <profile_name> cert <cert_file> key <key_file> options <ssl_options></nowiki>

For example:

<nowiki>
tmsh create ltm profile client-ssl mysslprofile cert /config/ssl/certs/mycert.crt key /config/ssl/keys/mykey.key options { no-ssl-verify }</nowiki>

=== Viewing SSL Certificates ===
To display SSL certificates:

<nowiki>
tmsh show sys crypto cert</nowiki>

This command lists all the certificates installed on the system.

== Traffic and Session Management ==

=== Viewing Active Connections ===
To view active connections on the system, run:

<nowiki>
tmsh show sys connection</nowiki>

This command displays all current connections, including the source and destination IPs, port numbers, and connection states.

=== Managing Sessions ===
To display the current user sessions, use:

<nowiki>
tmsh show /sys user session</nowiki>

This command provides a list of active user sessions along with their associated IP addresses.

== System Diagnostics ==

=== Running a Packet Capture ===
To run a packet capture, the following command can be used:

<nowiki>
tcpdump -i <interface_name> -w /var/tmp/capture.pcap</nowiki>

For example, to capture packets on interface `eth0`:

<nowiki>
tcpdump -i eth0 -w /var/tmp/capture.pcap</nowiki>

== System Logs ==
To view the system logs, run:

<nowiki>
tail -f /var/log/ltm</nowiki>

This command continuously displays logs from the Local Traffic Manager.

=== Viewing System Events ===
For viewing events logged by the system, use the following command:

<nowiki>
tmsh show sys event</nowiki>

This command shows a list of system events and their details.

== Troubleshooting ==

=== Checking System Performance ===
To check the system's performance, including CPU and memory usage:

<nowiki>
tmsh show sys performance</nowiki>

This will display CPU and memory usage, as well as disk and network performance.

=== Checking System Health ===
To check the health status of various system components:

<nowiki>
tmsh show sys health</nowiki>

This command gives an overview of the system's health, including hardware status, disk health, and more.

=== Rebooting the System ===
To reboot the F5 BIG-IP system:

<nowiki>
reboot</nowiki>

This command will initiate a system reboot.

== Useful Links ==

* [F5 BIG-IP Documentation](https://support.f5.com/csp/article/K12820)
* [F5 BIG-IP Command Line Interface (CLI) Guide](https://techdocs.f5.com/)
* [F5 Community](https://community.f5.com/)
* [F5 Knowledge Base](https://support.f5.com/csp/)
* [F5 Downloads](https://downloads.f5.com/)
* [F5 Deployment Guide](https://f5.com/products/big-ip)
* [F5 YouTube Channel](https://www.youtube.com/user/F5Networks)

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ALTEON - Menu Commands

2026-02-18T08:05:13Z

Admin: /* Hard Reset (Factory Defaults) */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== System Access and Privilege Modes ==

=== User EXEC Mode ===
<nowiki>
/cfg/login</nowiki>

Description:
Accesses the user EXEC mode.

Example:
<nowiki>
/cfg/login</nowiki>

=== Privileged EXEC Mode ===
<nowiki>
/cfg/enable</nowiki>

Description:
Switches to the privileged EXEC mode.

Example:
<nowiki>
/cfg/enable</nowiki>

=== Exit and Session Termination ===
<nowiki>
/exit
/logout</nowiki>

Example:
<nowiki>
/exit</nowiki>

== System Configuration ==

=== Hostname Configuration ===
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

Example:
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

=== Banner Configuration ===
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

Example:
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

=== Time and NTP Configuration ===
<nowiki>
/cfg/system/timezone UTC 0
/cfg/system/ntp server 192.168.100.10</nowiki>
Example:
<nowiki>
/cfg/system/ntp server 10.10.10.5</nowiki>

=== Management IP Configuration ===
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

Example:
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

== Interface and VLAN Configuration ==

=== Physical Port Configuration ===
<nowiki>
/cfg/network/port 5/enable
/cfg/network/port 5/disable</nowiki>

Example:
<nowiki>
/cfg/network/port 3/enable</nowiki>

=== Assign IP Address to Interface ===
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

Example:
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

=== VLAN Creation ===
<nowiki>
/cfg/network/vlan 100
/cfg/network/vlan 100/name DMZ</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200
/cfg/network/vlan 200/name INTERNAL</nowiki>

=== VLAN Port Assignment ===
<nowiki>
/cfg/network/vlan 100/tagged 1
/cfg/network/vlan 100/untagged 2</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200/tagged 3
/cfg/network/vlan 200/untagged 4</nowiki>

== Routing Configuration ==

=== Default Route ===
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 192.168.1.1
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

=== Static Route ===
<nowiki>
/cfg/network/ip-route 10.10.0.0/16 192.168.1.254
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

== High Availability Configuration ==

=== HA Group Definition ===
<nowiki>
/cfg/ha/group 1
/cfg/ha/group 1/peer 10.0.0.2
/cfg/ha/group 1/enable</nowiki>

Example:
<nowiki>
/cfg/ha/group 10
/cfg/ha/group 10/peer 192.168.100.2
/cfg/ha/group 10/enable</nowiki>

=== HA Status Verification ===
<nowiki>
/cfg/ha/status</nowiki>

== Server Load Balancing Configuration ==

=== Real Server Definition ===
<nowiki>
/cfg/slb/real-server WEB1 10.0.1.11/80
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

Example:
<nowiki>
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

=== Health Check Configuration ===
<nowiki>
/cfg/slb/health-check HTTP-CHECK
/cfg/slb/health-check HTTP-CHECK/type http
/cfg/slb/health-check HTTP-CHECK/url "/health"</nowiki>

Example:
<nowiki>
/cfg/slb/health-check TCP-CHECK
/cfg/slb/health-check TCP-CHECK/type tcp</nowiki>

=== Service Group Configuration ===
<nowiki>
/cfg/slb/group WEB-GRP
/cfg/slb/group WEB-GRP/add WEB1
/cfg/slb/group WEB-GRP/method roundrobin</nowiki>

Example:
<nowiki>
/cfg/slb/group APP-GRP
/cfg/slb/group APP-GRP/add APP1
/cfg/slb/group APP-GRP/method leastconn</nowiki>

=== Virtual Server Configuration ===
<nowiki>
/cfg/slb/virtual-server VIP1 203.0.113.10/80
/cfg/slb/virtual-server VIP1/service WEB-GRP
/cfg/slb/virtual-server VIP1/enable</nowiki>

Example:
<nowiki>
/cfg/slb/virtual-server PUBLIC-HTTPS 198.51.100.10/443
/cfg/slb/virtual-server PUBLIC-HTTPS/service APP-GRP
/cfg/slb/virtual-server PUBLIC-HTTPS/enable</nowiki>

== Security Configuration ==

=== SSH Access ===
<nowiki>
/cfg/system/ssh enable
/cfg/system/ssh version 2</nowiki>

Example:
<nowiki>
/cfg/system/ssh enable</nowiki>

=== User Account Creation ===
<nowiki>
/cfg/system/user admin password StrongPass! role admin
/cfg/system/user operator password OpPass123 role operator</nowiki>

Example:
<nowiki>
/cfg/system/user operator password OpPass123 role operator</nowiki>

=== Management Access Restriction ===
<nowiki>
/cfg/system/access-management 10.10.10.0/255.255.255.0
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

Example:
<nowiki>
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

== Monitoring and Logging ==

=== Display Configuration ===
<nowiki>
/cfg/system/show running-config</nowiki>

=== Interface Monitoring ===
<nowiki>
/cfg/system/show interface
/cfg/system/show interface port 5</nowiki>

=== Routing Table Display ===
<nowiki>
/cfg/system/show ip-route</nowiki>

=== Logging Configuration ===
<nowiki>
/cfg/system/logging host 10.1.1.50
/cfg/system/logging level info</nowiki>

Example:
<nowiki>
/cfg/system/logging host 192.168.100.50</nowiki>

== Configuration Management ==

=== Save Configuration ===
<nowiki>
/cfg/system/save</nowiki>

Example:
<nowiki>
/cfg/system/save</nowiki>

=== Backup Configuration ===
<nowiki>
/cfg/system/backup tftp 10.0.0.50 backup.cfg
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

Example:
<nowiki>
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

== Troubleshooting ==

=== Basic Connectivity Tests ===
<nowiki>
/cfg/system/ping 8.8.8.8
/cfg/system/traceroute 8.8.8.8</nowiki>

Verify reachability and routing path.

=== Interface Issues ===
<nowiki>
/cfg/system/show interface</nowiki>

Check link status, administrative state, and error counters.

=== HA Problems ===
<nowiki>
/cfg/ha/show status</nowiki>

Confirm active/standby role and synchronization state.

=== SLB Service Not Responding ===
<nowiki>
/cfg/slb/show group
/cfg/slb/show real-server</nowiki>

Verify health check status and server availability.

=== Configuration Not Persisted ===
<nowiki>
/cfg/system/show running-config</nowiki>

Ensure configuration is saved using:
<nowiki>
/cfg/system/save</nowiki>

== Resetting Configuration ==

This chapter outlines the process for resetting the configuration on an **Alteon Application Switch 5208**. There are different methods for resetting the configuration, including clearing all settings, restoring factory defaults, or performing a soft reset.

=== Soft Reset (Reboot) ===

A soft reset allows the switch to reboot without clearing the configuration. It can be used when you need to refresh the system without losing any saved settings.

<nowiki>
/reset</nowiki>

Description:
This command will reboot the system, retaining all current configurations.

Example:
<nowiki>
/reset</nowiki>

==== After Reboot ====
Once the switch reboots, you can verify the status with the following command:

<nowiki>
/cfg/system/show status</nowiki>

This will display the current state of the system and confirm that the reboot was successful.

=== Hard Reset (Factory Defaults) ===

A **hard reset** restores the switch to its factory default settings. This means that all configurations will be lost, and the switch will revert to the default IP address, hostname, and settings.

To perform a factory reset, follow these steps:

1. Connect to the switch via the **console port** using a terminal client like PuTTY or HyperTerminal.
2. Power off the switch.
3. Press and hold the **reset button** on the front panel of the switch.
4. Power the switch on while still holding the reset button for about **10-15 seconds**.
5. Release the reset button. The switch will now boot up with factory default settings.

Alternatively, the following command can be used to perform a hard reset via the CLI:

<nowiki>
/boot/conf factory</nowiki>

Description:
This command restores the factory default configuration. It erases all user configurations and resets the switch to its out-of-the-box state.

After this process, the switch will require reconfiguration from scratch, including setting the management IP, hostname, and network settings.

==== Verify Reset to Factory Defaults ====
To confirm that the switch has been reset to factory defaults, you can check the configuration:

<nowiki>
/cfg/system/show running-config</nowiki>

This should show minimal or default configurations such as the default IP address `192.168.1.1`, default hostname, and other initial settings.

=== Resetting Specific Configuration Elements ===

In some cases, you might only need to reset certain elements, such as VLAN configurations or interfaces, rather than the entire system.

==== Reset VLAN Configuration ====
To remove a specific VLAN configuration, use the following command:

<nowiki>
/cfg/network/vlan <vlan_id>/reset</nowiki>

Example:
<nowiki>
/cfg/network/vlan 100/reset</nowiki>

This command will reset the specified VLAN to its default settings.

==== Reset Interface Configuration ====
To reset an individual interface configuration, use the following command:

<nowiki>
/cfg/network/port <port_number>/reset</nowiki>

Example:
<nowiki>
/cfg/network/port 5/reset</nowiki>

This will reset the settings for that particular interface, including IP addresses, VLAN assignments, and other configurations.

=== Clearing the Configuration from the Flash Memory ===

If you want to delete the current configuration completely from the switch's flash memory, use the following command:

<nowiki>
/cfg/system/clear-flash</nowiki>

Description:
This command will completely clear the configuration stored in the flash memory, requiring a reboot to apply the changes.

Example:
<nowiki>
/cfg/system/clear-flash</nowiki>

Once the configuration is cleared, the system will boot with the default configuration.

=== Important Notes ===

* **Backup Configurations**: Before performing any reset actions, it is crucial to back up your current configuration to avoid losing important settings. Use the following command to back up to a TFTP server:

<nowiki>
/cfg/system/backup tftp <tftp_ip> <backup_filename></nowiki>

* **Reconfiguration**: After performing a hard reset, you will need to reconfigure the switch from scratch. This includes setting up VLANs, IP addresses, HA groups, and other configurations.

== Useful Links ==

* Radware Support Portal — https://support.radware.com/
* Radware Knowledge Center — https://support.radware.com/Knowledge-Center/
* Radware Community — https://community.radware.com/
* Radware Documentation Library — https://www.radware.com/resources/
* Alteon CLI Reference Guide — https://www.radware.com/products/alteon/
* Alteon Support Page — https://www.radware.com/products/alteon-support/
* Alteon Application Switch Technical Documentation — https://www.radware.com/products/alteon/documentation/
* Alteon Product Page — https://www.radware.com/products/alteon-application-switch/
* Radware Download Center — https://support.radware.com/Downloads/
* Radware Knowledge Base — https://support.radware.com/knowledgebase/
* Radware YouTube Channel (for tutorials) — https://www.youtube.com/user/RadwareOfficial/

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ALTEON - Menu Commands

2026-02-18T08:04:34Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== System Access and Privilege Modes ==

=== User EXEC Mode ===
<nowiki>
/cfg/login</nowiki>

Description:
Accesses the user EXEC mode.

Example:
<nowiki>
/cfg/login</nowiki>

=== Privileged EXEC Mode ===
<nowiki>
/cfg/enable</nowiki>

Description:
Switches to the privileged EXEC mode.

Example:
<nowiki>
/cfg/enable</nowiki>

=== Exit and Session Termination ===
<nowiki>
/exit
/logout</nowiki>

Example:
<nowiki>
/exit</nowiki>

== System Configuration ==

=== Hostname Configuration ===
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

Example:
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

=== Banner Configuration ===
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

Example:
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

=== Time and NTP Configuration ===
<nowiki>
/cfg/system/timezone UTC 0
/cfg/system/ntp server 192.168.100.10</nowiki>
Example:
<nowiki>
/cfg/system/ntp server 10.10.10.5</nowiki>

=== Management IP Configuration ===
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

Example:
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

== Interface and VLAN Configuration ==

=== Physical Port Configuration ===
<nowiki>
/cfg/network/port 5/enable
/cfg/network/port 5/disable</nowiki>

Example:
<nowiki>
/cfg/network/port 3/enable</nowiki>

=== Assign IP Address to Interface ===
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

Example:
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

=== VLAN Creation ===
<nowiki>
/cfg/network/vlan 100
/cfg/network/vlan 100/name DMZ</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200
/cfg/network/vlan 200/name INTERNAL</nowiki>

=== VLAN Port Assignment ===
<nowiki>
/cfg/network/vlan 100/tagged 1
/cfg/network/vlan 100/untagged 2</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200/tagged 3
/cfg/network/vlan 200/untagged 4</nowiki>

== Routing Configuration ==

=== Default Route ===
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 192.168.1.1
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

=== Static Route ===
<nowiki>
/cfg/network/ip-route 10.10.0.0/16 192.168.1.254
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

== High Availability Configuration ==

=== HA Group Definition ===
<nowiki>
/cfg/ha/group 1
/cfg/ha/group 1/peer 10.0.0.2
/cfg/ha/group 1/enable</nowiki>

Example:
<nowiki>
/cfg/ha/group 10
/cfg/ha/group 10/peer 192.168.100.2
/cfg/ha/group 10/enable</nowiki>

=== HA Status Verification ===
<nowiki>
/cfg/ha/status</nowiki>

== Server Load Balancing Configuration ==

=== Real Server Definition ===
<nowiki>
/cfg/slb/real-server WEB1 10.0.1.11/80
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

Example:
<nowiki>
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

=== Health Check Configuration ===
<nowiki>
/cfg/slb/health-check HTTP-CHECK
/cfg/slb/health-check HTTP-CHECK/type http
/cfg/slb/health-check HTTP-CHECK/url "/health"</nowiki>

Example:
<nowiki>
/cfg/slb/health-check TCP-CHECK
/cfg/slb/health-check TCP-CHECK/type tcp</nowiki>

=== Service Group Configuration ===
<nowiki>
/cfg/slb/group WEB-GRP
/cfg/slb/group WEB-GRP/add WEB1
/cfg/slb/group WEB-GRP/method roundrobin</nowiki>

Example:
<nowiki>
/cfg/slb/group APP-GRP
/cfg/slb/group APP-GRP/add APP1
/cfg/slb/group APP-GRP/method leastconn</nowiki>

=== Virtual Server Configuration ===
<nowiki>
/cfg/slb/virtual-server VIP1 203.0.113.10/80
/cfg/slb/virtual-server VIP1/service WEB-GRP
/cfg/slb/virtual-server VIP1/enable</nowiki>

Example:
<nowiki>
/cfg/slb/virtual-server PUBLIC-HTTPS 198.51.100.10/443
/cfg/slb/virtual-server PUBLIC-HTTPS/service APP-GRP
/cfg/slb/virtual-server PUBLIC-HTTPS/enable</nowiki>

== Security Configuration ==

=== SSH Access ===
<nowiki>
/cfg/system/ssh enable
/cfg/system/ssh version 2</nowiki>

Example:
<nowiki>
/cfg/system/ssh enable</nowiki>

=== User Account Creation ===
<nowiki>
/cfg/system/user admin password StrongPass! role admin
/cfg/system/user operator password OpPass123 role operator</nowiki>

Example:
<nowiki>
/cfg/system/user operator password OpPass123 role operator</nowiki>

=== Management Access Restriction ===
<nowiki>
/cfg/system/access-management 10.10.10.0/255.255.255.0
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

Example:
<nowiki>
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

== Monitoring and Logging ==

=== Display Configuration ===
<nowiki>
/cfg/system/show running-config</nowiki>

=== Interface Monitoring ===
<nowiki>
/cfg/system/show interface
/cfg/system/show interface port 5</nowiki>

=== Routing Table Display ===
<nowiki>
/cfg/system/show ip-route</nowiki>

=== Logging Configuration ===
<nowiki>
/cfg/system/logging host 10.1.1.50
/cfg/system/logging level info</nowiki>

Example:
<nowiki>
/cfg/system/logging host 192.168.100.50</nowiki>

== Configuration Management ==

=== Save Configuration ===
<nowiki>
/cfg/system/save</nowiki>

Example:
<nowiki>
/cfg/system/save</nowiki>

=== Backup Configuration ===
<nowiki>
/cfg/system/backup tftp 10.0.0.50 backup.cfg
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

Example:
<nowiki>
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

== Troubleshooting ==

=== Basic Connectivity Tests ===
<nowiki>
/cfg/system/ping 8.8.8.8
/cfg/system/traceroute 8.8.8.8</nowiki>

Verify reachability and routing path.

=== Interface Issues ===
<nowiki>
/cfg/system/show interface</nowiki>

Check link status, administrative state, and error counters.

=== HA Problems ===
<nowiki>
/cfg/ha/show status</nowiki>

Confirm active/standby role and synchronization state.

=== SLB Service Not Responding ===
<nowiki>
/cfg/slb/show group
/cfg/slb/show real-server</nowiki>

Verify health check status and server availability.

=== Configuration Not Persisted ===
<nowiki>
/cfg/system/show running-config</nowiki>

Ensure configuration is saved using:
<nowiki>
/cfg/system/save</nowiki>

== Resetting Configuration ==

This chapter outlines the process for resetting the configuration on an **Alteon Application Switch 5208**. There are different methods for resetting the configuration, including clearing all settings, restoring factory defaults, or performing a soft reset.

=== Soft Reset (Reboot) ===

A soft reset allows the switch to reboot without clearing the configuration. It can be used when you need to refresh the system without losing any saved settings.

<nowiki>
/reset</nowiki>

Description:
This command will reboot the system, retaining all current configurations.

Example:
<nowiki>
/reset</nowiki>

==== After Reboot ====
Once the switch reboots, you can verify the status with the following command:

<nowiki>
/cfg/system/show status</nowiki>

This will display the current state of the system and confirm that the reboot was successful.

=== Hard Reset (Factory Defaults) ===

A **hard reset** restores the switch to its factory default settings. This means that all configurations will be lost, and the switch will revert to the default IP address, hostname, and settings.

To perform a factory reset, follow these steps:

1. Connect to the switch via the **console port** using a terminal client like PuTTY or HyperTerminal.
2. Power off the switch.
3. Press and hold the **reset button** on the front panel of the switch.
4. Power the switch on while still holding the reset button for about **10-15 seconds**.
5. Release the reset button. The switch will now boot up with factory default settings.

Alternatively, the following command can be used to perform a hard reset via the CLI:

<nowiki>/boot/conf factory</nowiki>

Description:
This command restores the factory default configuration. It erases all user configurations and resets the switch to its out-of-the-box state.

After this process, the switch will require reconfiguration from scratch, including setting the management IP, hostname, and network settings.

==== Verify Reset to Factory Defaults ====
To confirm that the switch has been reset to factory defaults, you can check the configuration:

<nowiki>
/cfg/system/show running-config</nowiki>

This should show minimal or default configurations such as the default IP address `192.168.1.1`, default hostname, and other initial settings.

=== Resetting Specific Configuration Elements ===

In some cases, you might only need to reset certain elements, such as VLAN configurations or interfaces, rather than the entire system.

==== Reset VLAN Configuration ====
To remove a specific VLAN configuration, use the following command:

<nowiki>
/cfg/network/vlan <vlan_id>/reset</nowiki>

Example:
<nowiki>
/cfg/network/vlan 100/reset</nowiki>

This command will reset the specified VLAN to its default settings.

==== Reset Interface Configuration ====
To reset an individual interface configuration, use the following command:

<nowiki>
/cfg/network/port <port_number>/reset</nowiki>

Example:
<nowiki>
/cfg/network/port 5/reset</nowiki>

This will reset the settings for that particular interface, including IP addresses, VLAN assignments, and other configurations.

=== Clearing the Configuration from the Flash Memory ===

If you want to delete the current configuration completely from the switch's flash memory, use the following command:

<nowiki>
/cfg/system/clear-flash</nowiki>

Description:
This command will completely clear the configuration stored in the flash memory, requiring a reboot to apply the changes.

Example:
<nowiki>
/cfg/system/clear-flash</nowiki>

Once the configuration is cleared, the system will boot with the default configuration.

=== Important Notes ===

* **Backup Configurations**: Before performing any reset actions, it is crucial to back up your current configuration to avoid losing important settings. Use the following command to back up to a TFTP server:

<nowiki>
/cfg/system/backup tftp <tftp_ip> <backup_filename></nowiki>

* **Reconfiguration**: After performing a hard reset, you will need to reconfigure the switch from scratch. This includes setting up VLANs, IP addresses, HA groups, and other configurations.

== Useful Links ==

* Radware Support Portal — https://support.radware.com/
* Radware Knowledge Center — https://support.radware.com/Knowledge-Center/
* Radware Community — https://community.radware.com/
* Radware Documentation Library — https://www.radware.com/resources/
* Alteon CLI Reference Guide — https://www.radware.com/products/alteon/
* Alteon Support Page — https://www.radware.com/products/alteon-support/
* Alteon Application Switch Technical Documentation — https://www.radware.com/products/alteon/documentation/
* Alteon Product Page — https://www.radware.com/products/alteon-application-switch/
* Radware Download Center — https://support.radware.com/Downloads/
* Radware Knowledge Base — https://support.radware.com/knowledgebase/
* Radware YouTube Channel (for tutorials) — https://www.youtube.com/user/RadwareOfficial/

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ALTEON - Menu Commands

2026-02-18T08:04:17Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== System Access and Privilege Modes ==

=== User EXEC Mode ===
<nowiki>
/cfg/login</nowiki>

Description:
Accesses the user EXEC mode.

Example:
<nowiki>
/cfg/login</nowiki>

=== Privileged EXEC Mode ===
<nowiki>
/cfg/enable</nowiki>

Description:
Switches to the privileged EXEC mode.

Example:
<nowiki>
/cfg/enable</nowiki>

==== Exit and Session Termination ====
<nowiki>
/exit
/logout</nowiki>

Example:
<nowiki>
/exit</nowiki>

== System Configuration ==

=== Hostname Configuration ===
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

Example:
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

=== Banner Configuration ===
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

Example:
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

=== Time and NTP Configuration ===
<nowiki>
/cfg/system/timezone UTC 0
/cfg/system/ntp server 192.168.100.10</nowiki>
Example:
<nowiki>
/cfg/system/ntp server 10.10.10.5</nowiki>

=== Management IP Configuration ===
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

Example:
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

== Interface and VLAN Configuration ==

=== Physical Port Configuration ===
<nowiki>
/cfg/network/port 5/enable
/cfg/network/port 5/disable</nowiki>

Example:
<nowiki>
/cfg/network/port 3/enable</nowiki>

=== Assign IP Address to Interface ===
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

Example:
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

=== VLAN Creation ===
<nowiki>
/cfg/network/vlan 100
/cfg/network/vlan 100/name DMZ</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200
/cfg/network/vlan 200/name INTERNAL</nowiki>

=== VLAN Port Assignment ===
<nowiki>
/cfg/network/vlan 100/tagged 1
/cfg/network/vlan 100/untagged 2</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200/tagged 3
/cfg/network/vlan 200/untagged 4</nowiki>

== Routing Configuration ==

=== Default Route ===
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 192.168.1.1
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

=== Static Route ===
<nowiki>
/cfg/network/ip-route 10.10.0.0/16 192.168.1.254
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

== High Availability Configuration ==

=== HA Group Definition ===
<nowiki>
/cfg/ha/group 1
/cfg/ha/group 1/peer 10.0.0.2
/cfg/ha/group 1/enable</nowiki>

Example:
<nowiki>
/cfg/ha/group 10
/cfg/ha/group 10/peer 192.168.100.2
/cfg/ha/group 10/enable</nowiki>

=== HA Status Verification ===
<nowiki>
/cfg/ha/status</nowiki>

== Server Load Balancing Configuration ==

=== Real Server Definition ===
<nowiki>
/cfg/slb/real-server WEB1 10.0.1.11/80
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

Example:
<nowiki>
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

=== Health Check Configuration ===
<nowiki>
/cfg/slb/health-check HTTP-CHECK
/cfg/slb/health-check HTTP-CHECK/type http
/cfg/slb/health-check HTTP-CHECK/url "/health"</nowiki>

Example:
<nowiki>
/cfg/slb/health-check TCP-CHECK
/cfg/slb/health-check TCP-CHECK/type tcp</nowiki>

=== Service Group Configuration ===
<nowiki>
/cfg/slb/group WEB-GRP
/cfg/slb/group WEB-GRP/add WEB1
/cfg/slb/group WEB-GRP/method roundrobin</nowiki>

Example:
<nowiki>
/cfg/slb/group APP-GRP
/cfg/slb/group APP-GRP/add APP1
/cfg/slb/group APP-GRP/method leastconn</nowiki>

=== Virtual Server Configuration ===
<nowiki>
/cfg/slb/virtual-server VIP1 203.0.113.10/80
/cfg/slb/virtual-server VIP1/service WEB-GRP
/cfg/slb/virtual-server VIP1/enable</nowiki>

Example:
<nowiki>
/cfg/slb/virtual-server PUBLIC-HTTPS 198.51.100.10/443
/cfg/slb/virtual-server PUBLIC-HTTPS/service APP-GRP
/cfg/slb/virtual-server PUBLIC-HTTPS/enable</nowiki>

== Security Configuration ==

=== SSH Access ===
<nowiki>
/cfg/system/ssh enable
/cfg/system/ssh version 2</nowiki>

Example:
<nowiki>
/cfg/system/ssh enable</nowiki>

=== User Account Creation ===
<nowiki>
/cfg/system/user admin password StrongPass! role admin
/cfg/system/user operator password OpPass123 role operator</nowiki>

Example:
<nowiki>
/cfg/system/user operator password OpPass123 role operator</nowiki>

=== Management Access Restriction ===
<nowiki>
/cfg/system/access-management 10.10.10.0/255.255.255.0
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

Example:
<nowiki>
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

== Monitoring and Logging ==

=== Display Configuration ===
<nowiki>
/cfg/system/show running-config</nowiki>

=== Interface Monitoring ===
<nowiki>
/cfg/system/show interface
/cfg/system/show interface port 5</nowiki>

=== Routing Table Display ===
<nowiki>
/cfg/system/show ip-route</nowiki>

=== Logging Configuration ===
<nowiki>
/cfg/system/logging host 10.1.1.50
/cfg/system/logging level info</nowiki>

Example:
<nowiki>
/cfg/system/logging host 192.168.100.50</nowiki>

== Configuration Management ==

=== Save Configuration ===
<nowiki>
/cfg/system/save</nowiki>

Example:
<nowiki>
/cfg/system/save</nowiki>

=== Backup Configuration ===
<nowiki>
/cfg/system/backup tftp 10.0.0.50 backup.cfg
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

Example:
<nowiki>
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

== Troubleshooting ==

=== Basic Connectivity Tests ===
<nowiki>
/cfg/system/ping 8.8.8.8
/cfg/system/traceroute 8.8.8.8</nowiki>

Verify reachability and routing path.

=== Interface Issues ===
<nowiki>
/cfg/system/show interface</nowiki>

Check link status, administrative state, and error counters.

=== HA Problems ===
<nowiki>
/cfg/ha/show status</nowiki>

Confirm active/standby role and synchronization state.

=== SLB Service Not Responding ===
<nowiki>
/cfg/slb/show group
/cfg/slb/show real-server</nowiki>

Verify health check status and server availability.

=== Configuration Not Persisted ===
<nowiki>
/cfg/system/show running-config</nowiki>

Ensure configuration is saved using:
<nowiki>
/cfg/system/save</nowiki>

== Resetting Configuration ==

This chapter outlines the process for resetting the configuration on an **Alteon Application Switch 5208**. There are different methods for resetting the configuration, including clearing all settings, restoring factory defaults, or performing a soft reset.

=== Soft Reset (Reboot) ===

A soft reset allows the switch to reboot without clearing the configuration. It can be used when you need to refresh the system without losing any saved settings.

<nowiki>
/reset</nowiki>

Description:
This command will reboot the system, retaining all current configurations.

Example:
<nowiki>
/reset</nowiki>

==== After Reboot ====
Once the switch reboots, you can verify the status with the following command:

<nowiki>
/cfg/system/show status</nowiki>

This will display the current state of the system and confirm that the reboot was successful.

=== Hard Reset (Factory Defaults) ===

A **hard reset** restores the switch to its factory default settings. This means that all configurations will be lost, and the switch will revert to the default IP address, hostname, and settings.

To perform a factory reset, follow these steps:

1. Connect to the switch via the **console port** using a terminal client like PuTTY or HyperTerminal.
2. Power off the switch.
3. Press and hold the **reset button** on the front panel of the switch.
4. Power the switch on while still holding the reset button for about **10-15 seconds**.
5. Release the reset button. The switch will now boot up with factory default settings.

Alternatively, the following command can be used to perform a hard reset via the CLI:

<nowiki>/boot/conf factory</nowiki>

Description:
This command restores the factory default configuration. It erases all user configurations and resets the switch to its out-of-the-box state.

After this process, the switch will require reconfiguration from scratch, including setting the management IP, hostname, and network settings.

==== Verify Reset to Factory Defaults ====
To confirm that the switch has been reset to factory defaults, you can check the configuration:

<nowiki>
/cfg/system/show running-config</nowiki>

This should show minimal or default configurations such as the default IP address `192.168.1.1`, default hostname, and other initial settings.

=== Resetting Specific Configuration Elements ===

In some cases, you might only need to reset certain elements, such as VLAN configurations or interfaces, rather than the entire system.

==== Reset VLAN Configuration ====
To remove a specific VLAN configuration, use the following command:

<nowiki>
/cfg/network/vlan <vlan_id>/reset</nowiki>

Example:
<nowiki>
/cfg/network/vlan 100/reset</nowiki>

This command will reset the specified VLAN to its default settings.

==== Reset Interface Configuration ====
To reset an individual interface configuration, use the following command:

<nowiki>
/cfg/network/port <port_number>/reset</nowiki>

Example:
<nowiki>
/cfg/network/port 5/reset</nowiki>

This will reset the settings for that particular interface, including IP addresses, VLAN assignments, and other configurations.

=== Clearing the Configuration from the Flash Memory ===

If you want to delete the current configuration completely from the switch's flash memory, use the following command:

<nowiki>
/cfg/system/clear-flash</nowiki>

Description:
This command will completely clear the configuration stored in the flash memory, requiring a reboot to apply the changes.

Example:
<nowiki>
/cfg/system/clear-flash</nowiki>

Once the configuration is cleared, the system will boot with the default configuration.

=== Important Notes ===

* **Backup Configurations**: Before performing any reset actions, it is crucial to back up your current configuration to avoid losing important settings. Use the following command to back up to a TFTP server:

<nowiki>
/cfg/system/backup tftp <tftp_ip> <backup_filename></nowiki>

* **Reconfiguration**: After performing a hard reset, you will need to reconfigure the switch from scratch. This includes setting up VLANs, IP addresses, HA groups, and other configurations.

== Useful Links ==

* Radware Support Portal — https://support.radware.com/
* Radware Knowledge Center — https://support.radware.com/Knowledge-Center/
* Radware Community — https://community.radware.com/
* Radware Documentation Library — https://www.radware.com/resources/
* Alteon CLI Reference Guide — https://www.radware.com/products/alteon/
* Alteon Support Page — https://www.radware.com/products/alteon-support/
* Alteon Application Switch Technical Documentation — https://www.radware.com/products/alteon/documentation/
* Alteon Product Page — https://www.radware.com/products/alteon-application-switch/
* Radware Download Center — https://support.radware.com/Downloads/
* Radware Knowledge Base — https://support.radware.com/knowledgebase/
* Radware YouTube Channel (for tutorials) — https://www.youtube.com/user/RadwareOfficial/

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ALTEON - Menu Commands

2026-02-18T08:00:50Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== System Access and Privilege Modes ==

=== User EXEC Mode ===
<nowiki>
/cfg/login</nowiki>

Description:
Accesses the user EXEC mode.

Example:
<nowiki>
/cfg/login</nowiki>

=== Privileged EXEC Mode ===
<nowiki>
/cfg/enable</nowiki>

Description:
Switches to the privileged EXEC mode.

Example:
<nowiki>
/cfg/enable</nowiki>

==== Exit and Session Termination ====
<nowiki>
/exit
/logout</nowiki>

Example:
<nowiki>
/exit</nowiki>

== System Configuration ==

=== Hostname Configuration ===
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

Example:
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

=== Banner Configuration ===
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

Example:
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

=== Time and NTP Configuration ===
<nowiki>
/cfg/system/timezone UTC 0
/cfg/system/ntp server 192.168.100.10</nowiki>
Example:
<nowiki>
/cfg/system/ntp server 10.10.10.5</nowiki>

=== Management IP Configuration ===
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

Example:
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

== Interface and VLAN Configuration ==

=== Physical Port Configuration ===
<nowiki>
/cfg/network/port 5/enable
/cfg/network/port 5/disable</nowiki>

Example:
<nowiki>
/cfg/network/port 3/enable</nowiki>

=== Assign IP Address to Interface ===
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

Example:
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

=== VLAN Creation ===
<nowiki>
/cfg/network/vlan 100
/cfg/network/vlan 100/name DMZ</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200
/cfg/network/vlan 200/name INTERNAL</nowiki>

=== VLAN Port Assignment ===
<nowiki>
/cfg/network/vlan 100/tagged 1
/cfg/network/vlan 100/untagged 2</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200/tagged 3
/cfg/network/vlan 200/untagged 4</nowiki>

== Routing Configuration ==

=== Default Route ===
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 192.168.1.1
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

=== Static Route ===
<nowiki>
/cfg/network/ip-route 10.10.0.0/16 192.168.1.254
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

== High Availability Configuration ==

=== HA Group Definition ===
<nowiki>
/cfg/ha/group 1
/cfg/ha/group 1/peer 10.0.0.2
/cfg/ha/group 1/enable</nowiki>

Example:
<nowiki>
/cfg/ha/group 10
/cfg/ha/group 10/peer 192.168.100.2
/cfg/ha/group 10/enable</nowiki>

=== HA Status Verification ===
<nowiki>
/cfg/ha/status</nowiki>

== Server Load Balancing Configuration ==

=== Real Server Definition ===
<nowiki>
/cfg/slb/real-server WEB1 10.0.1.11/80
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

Example:
<nowiki>
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

=== Health Check Configuration ===
<nowiki>
/cfg/slb/health-check HTTP-CHECK
/cfg/slb/health-check HTTP-CHECK/type http
/cfg/slb/health-check HTTP-CHECK/url "/health"</nowiki>

Example:
<nowiki>
/cfg/slb/health-check TCP-CHECK
/cfg/slb/health-check TCP-CHECK/type tcp</nowiki>

=== Service Group Configuration ===
<nowiki>
/cfg/slb/group WEB-GRP
/cfg/slb/group WEB-GRP/add WEB1
/cfg/slb/group WEB-GRP/method roundrobin</nowiki>

Example:
<nowiki>
/cfg/slb/group APP-GRP
/cfg/slb/group APP-GRP/add APP1
/cfg/slb/group APP-GRP/method leastconn</nowiki>

=== Virtual Server Configuration ===
<nowiki>
/cfg/slb/virtual-server VIP1 203.0.113.10/80
/cfg/slb/virtual-server VIP1/service WEB-GRP
/cfg/slb/virtual-server VIP1/enable</nowiki>

Example:
<nowiki>
/cfg/slb/virtual-server PUBLIC-HTTPS 198.51.100.10/443
/cfg/slb/virtual-server PUBLIC-HTTPS/service APP-GRP
/cfg/slb/virtual-server PUBLIC-HTTPS/enable</nowiki>

== Security Configuration ==

=== SSH Access ===
<nowiki>
/cfg/system/ssh enable
/cfg/system/ssh version 2</nowiki>

Example:
<nowiki>
/cfg/system/ssh enable</nowiki>

=== User Account Creation ===
<nowiki>
/cfg/system/user admin password StrongPass! role admin
/cfg/system/user operator password OpPass123 role operator</nowiki>

Example:
<nowiki>
/cfg/system/user operator password OpPass123 role operator</nowiki>

=== Management Access Restriction ===
<nowiki>
/cfg/system/access-management 10.10.10.0/255.255.255.0
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

Example:
<nowiki>
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

== Monitoring and Logging ==

=== Display Configuration ===
<nowiki>
/cfg/system/show running-config</nowiki>

=== Interface Monitoring ===
<nowiki>
/cfg/system/show interface
/cfg/system/show interface port 5</nowiki>

=== Routing Table Display ===
<nowiki>
/cfg/system/show ip-route</nowiki>

=== Logging Configuration ===
<nowiki>
/cfg/system/logging host 10.1.1.50
/cfg/system/logging level info</nowiki>

Example:
<nowiki>
/cfg/system/logging host 192.168.100.50</nowiki>

== Configuration Management ==

=== Save Configuration ===
<nowiki>
/cfg/system/save</nowiki>

Example:
<nowiki>
/cfg/system/save</nowiki>

=== Backup Configuration ===
<nowiki>
/cfg/system/backup tftp 10.0.0.50 backup.cfg
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

Example:
<nowiki>
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

== Troubleshooting ==

=== Basic Connectivity Tests ===
<nowiki>
/cfg/system/ping 8.8.8.8
/cfg/system/traceroute 8.8.8.8</nowiki>

Verify reachability and routing path.

=== Interface Issues ===
<nowiki>
/cfg/system/show interface</nowiki>

Check link status, administrative state, and error counters.

=== HA Problems ===
<nowiki>
/cfg/ha/show status</nowiki>

Confirm active/standby role and synchronization state.

=== SLB Service Not Responding ===
<nowiki>
/cfg/slb/show group
/cfg/slb/show real-server</nowiki>

Verify health check status and server availability.

=== Configuration Not Persisted ===
<nowiki>
/cfg/system/show running-config</nowiki>

Ensure configuration is saved using:
<nowiki>
/cfg/system/save</nowiki>

== Resetting Configuration ==

This chapter outlines the process for resetting the configuration on an **Alteon Application Switch 5208**. There are different methods for resetting the configuration, including clearing all settings, restoring factory defaults, or performing a soft reset.

=== Soft Reset (Reboot) ===

A soft reset allows the switch to reboot without clearing the configuration. It can be used when you need to refresh the system without losing any saved settings.

<nowiki>
/reset</nowiki>

Description:
This command will reboot the system, retaining all current configurations.

Example:
<nowiki>
/reset</nowiki>

==== After Reboot ====
Once the switch reboots, you can verify the status with the following command:

<nowiki>
/cfg/system/show status</nowiki>

This will display the current state of the system and confirm that the reboot was successful.

=== Hard Reset (Factory Defaults) ===

A **hard reset** restores the switch to its factory default settings. This means that all configurations will be lost, and the switch will revert to the default IP address, hostname, and settings.

To perform a factory reset, follow these steps:

1. Connect to the switch via the **console port** using a terminal client like PuTTY or HyperTerminal.
2. Power off the switch.
3. Press and hold the **reset button** on the front panel of the switch.
4. Power the switch on while still holding the reset button for about **10-15 seconds**.
5. Release the reset button. The switch will now boot up with factory default settings.

Alternatively, the following command can be used to perform a hard reset via the CLI:

<nowiki>
/cfg/system/reset-factory</nowiki>

Description:
This command will erase all configurations and reset the switch to its factory defaults.

Example:
<nowiki>
/cfg/system/reset-factory</nowiki>

After this process, the switch will require reconfiguration from scratch, including setting the management IP, hostname, and network settings.

==== Verify Reset to Factory Defaults ====
To confirm that the switch has been reset to factory defaults, you can check the configuration:

<nowiki>
/cfg/system/show running-config</nowiki>

This should show minimal or default configurations such as the default IP address `192.168.1.1`, default hostname, and other initial settings.

=== Resetting Specific Configuration Elements ===

In some cases, you might only need to reset certain elements, such as VLAN configurations or interfaces, rather than the entire system.

==== Reset VLAN Configuration ====
To remove a specific VLAN configuration, use the following command:

<nowiki>
/cfg/network/vlan <vlan_id>/reset</nowiki>

Example:
<nowiki>
/cfg/network/vlan 100/reset</nowiki>

This command will reset the specified VLAN to its default settings.

==== Reset Interface Configuration ====
To reset an individual interface configuration, use the following command:

<nowiki>
/cfg/network/port <port_number>/reset</nowiki>

Example:
<nowiki>
/cfg/network/port 5/reset</nowiki>

This will reset the settings for that particular interface, including IP addresses, VLAN assignments, and other configurations.

=== Clearing the Configuration from the Flash Memory ===

If you want to delete the current configuration completely from the switch's flash memory, use the following command:

<nowiki>
/cfg/system/clear-flash</nowiki>

Description:
This command will completely clear the configuration stored in the flash memory, requiring a reboot to apply the changes.

Example:
<nowiki>
/cfg/system/clear-flash</nowiki>

Once the configuration is cleared, the system will boot with the default configuration.

=== Important Notes ===

* **Backup Configurations**: Before performing any reset actions, it is crucial to back up your current configuration to avoid losing important settings. Use the following command to back up to a TFTP server:

<nowiki>
/cfg/system/backup tftp <tftp_ip> <backup_filename></nowiki>

* **Reconfiguration**: After performing a hard reset, you will need to reconfigure the switch from scratch. This includes setting up VLANs, IP addresses, HA groups, and other configurations.

== Useful Links ==

* Radware Support Portal — https://support.radware.com/
* Radware Knowledge Center — https://support.radware.com/Knowledge-Center/
* Radware Community — https://community.radware.com/
* Radware Documentation Library — https://www.radware.com/resources/
* Alteon CLI Reference Guide — https://www.radware.com/products/alteon/
* Alteon Support Page — https://www.radware.com/products/alteon-support/
* Alteon Application Switch Technical Documentation — https://www.radware.com/products/alteon/documentation/
* Alteon Product Page — https://www.radware.com/products/alteon-application-switch/
* Radware Download Center — https://support.radware.com/Downloads/
* Radware Knowledge Base — https://support.radware.com/knowledgebase/
* Radware YouTube Channel (for tutorials) — https://www.youtube.com/user/RadwareOfficial/

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ALTEON - Menu Commands

2026-02-18T08:00:00Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == System Access and Privilege Modes == === User EXEC Mode === <nowiki> /cfg/login</nowiki> Description: Accesses the user EXEC mode. Example: <nowiki> /cfg/login</nowiki> === Privileged EXEC Mode === <nowiki> /cfg/enable</nowiki> Description: Switches to the privileged EXEC mode. Example: <nowiki> /cfg/enable</nowiki> ==== Exit and Session Termination ==== <nowiki..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== System Access and Privilege Modes ==

=== User EXEC Mode ===
<nowiki>
/cfg/login</nowiki>

Description:
Accesses the user EXEC mode.

Example:
<nowiki>
/cfg/login</nowiki>

=== Privileged EXEC Mode ===
<nowiki>
/cfg/enable</nowiki>

Description:
Switches to the privileged EXEC mode.

Example:
<nowiki>
/cfg/enable</nowiki>

==== Exit and Session Termination ====
<nowiki>
/exit
/logout</nowiki>

Example:
<nowiki>
/exit</nowiki>

== System Configuration ==

=== Hostname Configuration ===
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

Example:
<nowiki>
/cfg/system/hostname Alteon-5208
/cfg/system/hostname Alteon-DataCenter</nowiki>

=== Banner Configuration ===
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

Example:
<nowiki>
/cfg/system/banner motd "Unauthorized access is prohibited"
/cfg/system/banner motd "Only authorized personnel can access this device."</nowiki>

=== Time and NTP Configuration ===
<nowiki>
/cfg/system/timezone UTC 0
/cfg/system/ntp server 192.168.100.10</nowiki>
Example:
<nowiki>
/cfg/system/ntp server 10.10.10.5</nowiki>

=== Management IP Configuration ===
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

Example:
<nowiki>
/cfg/system/interface mgmt/ip-address 192.168.1.10/24
/cfg/system/interface mgmt/ip-address 10.0.0.10/24</nowiki>

== Interface and VLAN Configuration ==

=== Physical Port Configuration ===
<nowiki>
/cfg/network/port 5/enable
/cfg/network/port 5/disable</nowiki>

Example:
<nowiki>
/cfg/network/port 3/enable</nowiki>

=== Assign IP Address to Interface ===
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

Example:
<nowiki>
/cfg/network/port 2/ip-address 172.16.10.2/24
/cfg/network/port 8/ip-address 192.168.50.2/24</nowiki>

=== VLAN Creation ===
<nowiki>
/cfg/network/vlan 100
/cfg/network/vlan 100/name DMZ</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200
/cfg/network/vlan 200/name INTERNAL</nowiki>

=== VLAN Port Assignment ===
<nowiki>
/cfg/network/vlan 100/tagged 1
/cfg/network/vlan 100/untagged 2</nowiki>

Example:
<nowiki>
/cfg/network/vlan 200/tagged 3
/cfg/network/vlan 200/untagged 4</nowiki>

== Routing Configuration ==

=== Default Route ===
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 192.168.1.1
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 0.0.0.0/0 10.0.0.1</nowiki>

=== Static Route ===
<nowiki>
/cfg/network/ip-route 10.10.0.0/16 192.168.1.254
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

Example:
<nowiki>
/cfg/network/ip-route 172.16.0.0/16 10.0.0.254</nowiki>

== High Availability Configuration ==

=== HA Group Definition ===
<nowiki>
/cfg/ha/group 1
/cfg/ha/group 1/peer 10.0.0.2
/cfg/ha/group 1/enable</nowiki>

Example:
<nowiki>
/cfg/ha/group 10
/cfg/ha/group 10/peer 192.168.100.2
/cfg/ha/group 10/enable</nowiki>

=== HA Status Verification ===
<nowiki>
/cfg/ha/status</nowiki>

== Server Load Balancing Configuration ==

=== Real Server Definition ===
<nowiki>
/cfg/slb/real-server WEB1 10.0.1.11/80
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

Example:
<nowiki>
/cfg/slb/real-server APP1 172.16.1.20/443</nowiki>

=== Health Check Configuration ===
<nowiki>
/cfg/slb/health-check HTTP-CHECK
/cfg/slb/health-check HTTP-CHECK/type http
/cfg/slb/health-check HTTP-CHECK/url "/health"</nowiki>

Example:
<nowiki>
/cfg/slb/health-check TCP-CHECK
/cfg/slb/health-check TCP-CHECK/type tcp</nowiki>

=== Service Group Configuration ===
<nowiki>
/cfg/slb/group WEB-GRP
/cfg/slb/group WEB-GRP/add WEB1
/cfg/slb/group WEB-GRP/method roundrobin</nowiki>

Example:
<nowiki>
/cfg/slb/group APP-GRP
/cfg/slb/group APP-GRP/add APP1
/cfg/slb/group APP-GRP/method leastconn</nowiki>

=== Virtual Server Configuration ===
<nowiki>
/cfg/slb/virtual-server VIP1 203.0.113.10/80
/cfg/slb/virtual-server VIP1/service WEB-GRP
/cfg/slb/virtual-server VIP1/enable</nowiki>

Example:
<nowiki>
/cfg/slb/virtual-server PUBLIC-HTTPS 198.51.100.10/443
/cfg/slb/virtual-server PUBLIC-HTTPS/service APP-GRP
/cfg/slb/virtual-server PUBLIC-HTTPS/enable</nowiki>

== Security Configuration ==

=== SSH Access ===
<nowiki>
/cfg/system/ssh enable
/cfg/system/ssh version 2</nowiki>

Example:
<nowiki>
/cfg/system/ssh enable</nowiki>

=== User Account Creation ===
<nowiki>
/cfg/system/user admin password StrongPass! role admin
/cfg/system/user operator password OpPass123 role operator</nowiki>

Example:
<nowiki>
/cfg/system/user operator password OpPass123 role operator</nowiki>

=== Management Access Restriction ===
<nowiki>
/cfg/system/access-management 10.10.10.0/255.255.255.0
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

Example:
<nowiki>
/cfg/system/access-management 192.168.50.0/255.255.255.0</nowiki>

== Monitoring and Logging ==

=== Display Configuration ===
<nowiki>
/cfg/system/show running-config</nowiki>

=== Interface Monitoring ===
<nowiki>
/cfg/system/show interface
/cfg/system/show interface port 5</nowiki>

=== Routing Table Display ===
<nowiki>
/cfg/system/show ip-route</nowiki>

=== Logging Configuration ===
<nowiki>
/cfg/system/logging host 10.1.1.50
/cfg/system/logging level info</nowiki>

Example:
<nowiki>
/cfg/system/logging host 192.168.100.50</nowiki>

== Configuration Management ==

=== Save Configuration ===
<nowiki>
/cfg/system/save</nowiki>

Example:
<nowiki>
/cfg/system/save</nowiki>

=== Backup Configuration ===
<nowiki>
/cfg/system/backup tftp 10.0.0.50 backup.cfg
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

Example:
<nowiki>
/cfg/system/backup tftp 192.168.1.50 adc-backup.cfg</nowiki>

== Troubleshooting ==

=== Basic Connectivity Tests ===
<nowiki>
/cfg/system/ping 8.8.8.8
/cfg/system/traceroute 8.8.8.8</nowiki>

Verify reachability and routing path.

=== Interface Issues ===
<nowiki>
/cfg/system/show interface</nowiki>

Check link status, administrative state, and error counters.

=== HA Problems ===
<nowiki>
/cfg/ha/show status</nowiki>

Confirm active/standby role and synchronization state.

=== SLB Service Not Responding ===
<nowiki>
/cfg/slb/show group
/cfg/slb/show real-server</nowiki>

Verify health check status and server availability.

=== Configuration Not Persisted ===
<nowiki>
/cfg/system/show running-config</nowiki>

Ensure configuration is saved using:
<nowiki>
/cfg/system/save</nowiki>

== Resetting Configuration ==

This chapter outlines the process for resetting the configuration on an **Alteon Application Switch 5208**. There are different methods for resetting the configuration, including clearing all settings, restoring factory defaults, or performing a soft reset.

=== Soft Reset (Reboot) ===

A soft reset allows the switch to reboot without clearing the configuration. It can be used when you need to refresh the system without losing any saved settings.

<nowiki>
/reset</nowiki>

Description:
This command will reboot the system, retaining all current configurations.

Example:
<nowiki>
/reset</nowiki>

==== After Reboot ====
Once the switch reboots, you can verify the status with the following command:

<nowiki>
/cfg/system/show status</nowiki>

This will display the current state of the system and confirm that the reboot was successful.

=== Hard Reset (Factory Defaults) ===

A **hard reset** restores the switch to its factory default settings. This means that all configurations will be lost, and the switch will revert to the default IP address, hostname, and settings.

To perform a factory reset, follow these steps:

1. Connect to the switch via the **console port** using a terminal client like PuTTY or HyperTerminal.
2. Power off the switch.
3. Press and hold the **reset button** on the front panel of the switch.
4. Power the switch on while still holding the reset button for about **10-15 seconds**.
5. Release the reset button. The switch will now boot up with factory default settings.

Alternatively, the following command can be used to perform a hard reset via the CLI:

<nowiki>
/cfg/system/reset-factory</nowiki>

Description:
This command will erase all configurations and reset the switch to its factory defaults.

Example:
<nowiki>
/cfg/system/reset-factory</nowiki>

After this process, the switch will require reconfiguration from scratch, including setting the management IP, hostname, and network settings.

==== Verify Reset to Factory Defaults ====
To confirm that the switch has been reset to factory defaults, you can check the configuration:

<nowiki>
/cfg/system/show running-config</nowiki>

This should show minimal or default configurations such as the default IP address `192.168.1.1`, default hostname, and other initial settings.

=== Resetting Specific Configuration Elements ===

In some cases, you might only need to reset certain elements, such as VLAN configurations or interfaces, rather than the entire system.

==== Reset VLAN Configuration ====
To remove a specific VLAN configuration, use the following command:

<nowiki>
/cfg/network/vlan <vlan_id>/reset</nowiki>

Example:
<nowiki>
/cfg/network/vlan 100/reset</nowiki>

This command will reset the specified VLAN to its default settings.

==== Reset Interface Configuration ====
To reset an individual interface configuration, use the following command:

<nowiki>
/cfg/network/port <port_number>/reset</nowiki>

Example:
<nowiki>
/cfg/network/port 5/reset</nowiki>

This will reset the settings for that particular interface, including IP addresses, VLAN assignments, and other configurations.

=== Clearing the Configuration from the Flash Memory ===

If you want to delete the current configuration completely from the switch's flash memory, use the following command:

<nowiki>
/cfg/system/clear-flash</nowiki>

Description:
This command will completely clear the configuration stored in the flash memory, requiring a reboot to apply the changes.

Example:
<nowiki>
/cfg/system/clear-flash</nowiki>

Once the configuration is cleared, the system will boot with the default configuration.

=== Important Notes ===

* **Backup Configurations**: Before performing any reset actions, it is crucial to back up your current configuration to avoid losing important settings. Use the following command to back up to a TFTP server:

<nowiki>
/cfg/system/backup tftp <tftp_ip> <backup_filename></nowiki>

* **Reconfiguration**: After performing a hard reset, you will need to reconfigure the switch from scratch. This includes setting up VLANs, IP addresses, HA groups, and other configurations.

== Useful Links ==

* Radware Support Portal — https://support.radware.com/
* Radware Knowledge Center — https://support.radware.com/Knowledge-Center/
* Radware Community — https://community.radware.com/
* Radware Documentation Library — https://www.radware.com/resources/
* Alteon CLI Reference Guide — https://www.radware.com/products/alteon/
* Alteon Support Page — https://www.radware.com/products/alteon-support/
* Alteon Application Switch Technical Documentation — https://www.radware.com/products/alteon/documentation/
* Alteon Product Page — https://www.radware.com/products/alteon-application-switch/
* Radware Download Center — https://support.radware.com/Downloads/
* Radware Knowledge Base — https://support.radware.com/knowledgebase/
* Radware YouTube Channel (for tutorials) — https://www.youtube.com/user/RadwareOfficial/

---

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

ACIDBASE - Install With SNORT Setup On Ubuntu 24.4

2026-01-17T15:19:33Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

=== Snort Configuration ===
Before configuring Acidbase, ensure that Snort is properly installed and configured to log alerts to a database. Modify the Snort configuration file (`/etc/snort/snort.conf`) to enable database logging.

<nowiki>
output database: log, mysql, user=snort dbname=snort host=localhost password=your_secure_password</nowiki>

Make sure you replace `your_secure_password` with the password for the Snort database user. This configuration tells Snort to log alerts to a MySQL database.

=== Database Configuration ===
Acidbase requires a database to store Snort's logs and alerts. This guide assumes you are using MySQL, but you can adapt the steps for PostgreSQL.

1. Create the Snort database and user:

<nowiki>
mysql -u root -p
CREATE DATABASE snort;
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost';
FLUSH PRIVILEGES;</nowiki>

2. Import Snort's schema into the database. You can find the schema in the Snort directory:

<nowiki>
cd /etc/snort
mysql -u snort -p snort < create_mysql.sql</nowiki>

This step ensures that the Snort database is correctly set up to handle logs and alerts.

=== Acidbase Configuration ===
After Snort is configured to log to the database, configure Acidbase to read from it. The Acidbase configuration file is typically located at `/etc/acidbase/acidbase.conf`.

Edit the configuration file to set the database connection parameters. For example:

<nowiki>
$dbname = 'snort';
$dbuser = 'snort';
$dbpass = 'your_secure_password';
$dbhost = 'localhost';</nowiki>

Replace `your_secure_password` with the actual password you set for the Snort database user.

== Setting Up the Web Interface ==
Acidbase provides a web interface to interact with Snort logs. You need a web server (like Apache) to serve the Acidbase interface.

=== Installing Apache and PHP ===
If not already installed, install Apache and PHP:

<nowiki>
sudo apt update
sudo apt install apache2 php libapache2-mod-php</nowiki>

Then, configure Apache to serve Acidbase. Place the Acidbase files in the web server's root directory (usually `/var/www/html`):

<nowiki>
sudo cp -r /path/to/acidbase/* /var/www/html/
sudo chown -R www-data:www-data /var/www/html/
sudo chmod -R 755 /var/www/html/</nowiki>

Finally, restart Apache:

<nowiki>
sudo systemctl restart apache2</nowiki>

=== Testing the Setup ===
To test the setup, open a web browser and go to `http://localhost/acidbase`. If everything is configured correctly, you should see the Acidbase interface.

== Working with Acidbase ==
Acidbase offers several tools to manage and analyze Snort logs and alerts. Below are some examples of how to use the Acidbase interface.

=== Viewing Alerts ===
Once Snort is running and logging alerts, Acidbase will display these alerts in a tabular format. You can filter alerts by severity, timestamp, or source/destination IP.

To view all alerts, simply navigate to the main page of Acidbase, and it will show the latest alerts recorded by Snort.

=== Searching Alerts ===
You can search alerts by specific parameters. For example, to find all alerts from a specific IP address:

<nowiki>
SELECT * FROM event WHERE src_ip = '192.168.1.100';</nowiki>

This SQL query will display all events from the specified source IP.

=== Managing Alerts ===
Acidbase allows you to delete, flag, or modify alerts. To delete an alert, simply check the box next to the alert and click "Delete." To flag an alert, use the "Flag" button, which will mark it for further review.

=== Exporting Alerts ===
Acidbase also provides options to export alerts to different formats such as CSV, making it easier to share the data or analyze it offline.

To export alerts, select the alerts you wish to export and click the "Export" button, then choose the desired format.

== Advanced Features ==
Acidbase offers several advanced features for managing and analyzing Snort data.

=== Custom Alerts ===
You can create custom alerts by modifying the Snort configuration file and specifying custom rule sets. To create a custom rule:

<nowiki>
alert ip any any -> 192.168.1.0/24 any (msg:"Custom alert"; sid:1000001;)</nowiki>

This rule triggers an alert for any IP that attempts to communicate with the `192.168.1.0/24` network.

=== Using Acidbase with Multiple Snort Instances ===
If you are running multiple Snort instances on different machines, Acidbase can be configured to aggregate logs from multiple databases. In the Acidbase configuration file, specify the IP addresses and credentials for each Snort instance:

<nowiki>
$snort_servers = (
array('host' => '192.168.1.101', 'db' => 'snort', 'user' => 'snort', 'pass' => 'password'),
array('host' => '192.168.1.102', 'db' => 'snort', 'user' => 'snort', 'pass' => 'password')
);</nowiki>

This allows Acidbase to pull data from multiple sources and display it in a unified interface.

== Performance Optimization ==
For large environments with high traffic, it is important to optimize the performance of both Snort and Acidbase.

=== Snort Performance Tuning ===
Optimize Snort's performance by adjusting the `snort.conf` file:

<nowiki>
# Increase the performance of Snort by disabling unnecessary modules
config disable_decode_alert
config disable_decode_ip4</nowiki>

Additionally, you can optimize Snort's packet capture settings, such as increasing the buffer size:

<nowiki>
config buffer_size 262144</nowiki>

=== Acidbase Performance Tuning ===
Acidbase performance can be improved by enabling caching for frequently queried data. Modify the `acidbase.conf` file:

<nowiki>
$cache_enabled = true;
$cache_time = 600; # Cache time in seconds</nowiki>

This will cache query results for 10 minutes, reducing the load on the database.

== Troubleshooting ==
This section addresses common issues encountered while setting up or using Acidbase with Snort.

=== Database Connection Errors ===
If Acidbase is unable to connect to the database, ensure that the database is running and accessible. Check the connection settings in both the Acidbase and Snort configuration files.

Test the connection with the following command:

<nowiki>
mysql -u snort -p -h localhost snort</nowiki>

If the connection fails, check the database logs for errors.

=== Acidbase Interface Not Loading ===
If the Acidbase web interface doesn't load, ensure that the Apache web server is running:

<nowiki>
sudo systemctl status apache2</nowiki>

If the service is inactive, restart it with:

<nowiki>
sudo systemctl restart apache2</nowiki>

=== Snort Alerts Not Showing in Acidbase ===
If Snort is not generating alerts that appear in Acidbase, check the Snort log directory and ensure that alerts are being generated properly. The Snort log file is usually located in `/var/log/snort`.

You can also manually check if the alerts are present in the database with:

<nowiki>
mysql -u snort -p snort -e "SELECT * FROM event;"</nowiki>

== Useful Links ==
* [Snort Official Website](https://www.snort.org/)
* [Acidbase GitHub Repository](https://github.com/acidbase/acidbase)
* [Snort Database Schema Documentation](https://snort.org/documents/)
* [MySQL Documentation](https://dev.mysql.com/doc/)
* [Apache HTTP Server Documentation](https://httpd.apache.org/docs/)
* [How to Optimize Snort Performance](https://www.snort.org/faq/optimizing-snort)

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

TOP - Manpage

2026-01-17T13:17:54Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== top Manpage ==

<nowiki>
TOP(1) User Commands TOP(1)

NAME
top - display Linux processes

SYNOPSIS
top [options]

DESCRIPTION
The top program provides a dynamic real-time view of a running system. It can display system summary information as well as a list of processes or threads currently being managed by the Linux kernel. The types of system summary
information shown and the types, order and size of information displayed for processes are all user configurable and that configuration can be made persistent across restarts.

The program provides a limited interactive interface for process manipulation as well as a much more extensive interface for personal configuration -- encompassing every aspect of its operation. And while top is referred to
throughout this document, you are free to name the program anything you wish. That new name, possibly an alias, will then be reflected on top's display and used when reading and writing a configuration file.

OVERVIEW
Documentation
The remaining Table of Contents

OVERVIEW
Operation
Linux Memory Types
1. COMMAND-LINE Options
2. SUMMARY Display
a. UPTIME and LOAD Averages
b. TASK and CPU States
c. MEMORY Usage
3. FIELDS / Columns Display
a. DESCRIPTIONS of Fields
b. MANAGING Fields
4. INTERACTIVE Commands
a. GLOBAL Commands
b. SUMMARY AREA Commands
c. TASK AREA Commands
1. Appearance
2. Content
3. Size
4. Sorting
d. COLOR Mapping
5. ALTERNATE-DISPLAY Provisions
a. WINDOWS Overview
b. COMMANDS for Windows
c. SCROLLING a Window
d. SEARCHING in a Window
e. FILTERING in a Window
6. FILES
a. PERSONAL Configuration File
b. ADDING INSPECT Entries
c. SYSTEM Configuration File
d. SYSTEM Restrictions File
7. ENVIRONMENT VARIABLE(S)
8. STUPID TRICKS Sampler
a. Kernel Magic
b. Bouncing Windows
c. The Big Bird Window
d. The Ol' Switcheroo
9. BUGS, 10. SEE Also

Operation
When operating top, the two most important keys are the help (h or ?) key and quit (`q') key. Alternatively, you could simply use the traditional interrupt key (^C) when you're done.

When started for the first time, you'll be presented with these traditional elements on the main top screen: 1) Summary Area; 2) Fields/Columns Header; 3) Task Area. Each of these will be explored in the sections that follow.
There is also an Input/Message line between the Summary Area and Columns Header which needs no further explanation.

The main top screen is generally quite adaptive to changes in terminal dimensions under X-Windows. Other top screens may be less so, especially those with static text. It ultimately depends, however, on your particular window
manager and terminal emulator. There may be occasions when their view of terminal size and current contents differs from top's view, which is always based on operating system calls.

Following any re-size operation, if a top screen is corrupted, appears incomplete or disordered, simply typing something innocuous like a punctuation character or cursor motion key will usually restore it. In extreme cases, the
following sequence almost certainly will:
key/cmd objective
^Z suspend top
fg resume top
<Left> force a screen redraw (if necessary)

But if the display is still corrupted, there is one more step you could try. Insert this command after top has been suspended but before resuming it.
key/cmd objective
reset restore your terminal settings

Note: the width of top's display will be limited to 512 positions. Displaying all fields requires approximately 250 characters. Remaining screen width is usually allocated to any variable width columns currently visible. The
variable width columns, such as COMMAND, are noted in topic 3a. DESCRIPTIONS of Fields. Actual output width may also be influenced by the -w switch, which is discussed in topic 1. COMMAND-LINE Options.

Lastly, some of top's screens or functions require the use of cursor motion keys like the standard arrow keys plus the Home, End, PgUp and PgDn keys. If your terminal or emulator does not provide those keys, the following
combinations are accepted as alternatives:
key equivalent-keys
Left alt + h
Down alt + j
Up alt + k
Right alt + l
Home alt + ctrl + h
PgDn alt + ctrl + j
PgUp alt + ctrl + k
End alt + ctrl + l

The Up and Down arrow keys have special significance when prompted for line input terminated with the <Enter> key. Those keys, or their aliases, can be used to retrieve previous input lines which can then be edited and re-input.
And there are four additional keys available with line oriented input.
key special-significance
Up recall older strings for re-editing
Down recall newer strings or erase entire line
Insert toggle between insert and overtype modes
Delete character removed at cursor, moving others left
Home jump to beginning of input line
End jump to end of input line

Linux Memory Types
For our purposes there are three types of memory, and one is optional. First is physical memory, a limited resource where code and data must reside when executed or referenced. Next is the optional swap file, where modified
(dirty) memory can be saved and later retrieved if too many demands are made on physical memory. Lastly we have virtual memory, a nearly unlimited resource serving the following goals:

1. abstraction, free from physical memory addresses/limits
2. isolation, every process in a separate address space
3. sharing, a single mapping can serve multiple needs
4. flexibility, assign a virtual address to a file

Regardless of which of these forms memory may take, all are managed as pages (typically 4096 bytes) but expressed by default in top as KiB (kibibyte). The memory discussed under topic `2c. MEMORY Usage' deals with physical memory
and the swap file for the system as a whole. The memory reviewed in topic `3. FIELDS / Columns Display' embraces all three memory types, but for individual processes.

For each such process, every memory page is restricted to a single quadrant from the table below. Both physical memory and virtual memory can include any of the four, while the swap file only includes #1 through #3. The memory
in quadrant #4, when modified, acts as its own dedicated swap file.

Private | Shared
1 | 2
Anonymous . stack |
. malloc() |
. brk()/sbrk() | . POSIX shm*
. mmap(PRIVATE, ANON) | . mmap(SHARED, ANON)
-----------------------+----------------------
. mmap(PRIVATE, fd) | . mmap(SHARED, fd)
File-backed . pgms/shared libs |
3 | 4

The following may help in interpreting process level memory values displayed as scalable columns and discussed under topic `3a. DESCRIPTIONS of Fields'.

%MEM - simply RES divided by total physical memory
CODE - the `pgms' portion of quadrant 3
DATA - the entire quadrant 1 portion of VIRT plus all
explicit mmap file-backed pages of quadrant 3
RES - anything occupying physical memory which, beginning with
Linux-4.5, is the sum of the following three fields:
RSan - quadrant 1 pages, which include any
former quadrant 3 pages if modified
RSfd - quadrant 3 and quadrant 4 pages
RSsh - quadrant 2 pages
RSlk - subset of RES which cannot be swapped out (any quadrant)
SHR - subset of RES (excludes 1, includes all 2 & 4, some 3)
SWAP - potentially any quadrant except 4
USED - simply the sum of RES and SWAP
VIRT - everything in-use and/or reserved (all quadrants)

Note: Even though program images and shared libraries are considered private to a process, they will be accounted for as shared (SHR) by the kernel.

1. COMMAND-LINE Options
Mandatory arguments to long options are mandatory for short options too.

Although not required, the equals sign can be used with either option form and whitespace before and/or after the `=' is permitted.

-b, --batch
Starts top in Batch mode, which could be useful for sending output from top to other programs or to a file. In this mode, top will not accept input and runs until the iterations limit you've set with the `-n' command-line
option or until killed.

-c, --cmdline-toggle
Starts top with the last remembered `c' state reversed. Thus, if top was displaying command lines, now that field will show program names, and vice versa. See the `c' interactive command for additional information.

-d, --delay = SECS [.TENTHS]
Specifies the delay between screen updates, and overrides the corresponding value in one's personal configuration file or the startup default. Later this can be changed with the `d' or `s' interactive commands.

Fractional seconds are honored, but a negative number is not allowed. In all cases, however, such changes are prohibited if top is running in Secure mode, except for root (unless the `s' command-line option was used). For
additional information on Secure mode see topic 6d. SYSTEM Restrictions File.

-E, --scale-summary-mem = k | m | g | t | p | e
Instructs top to force summary area memory to be scaled as:
k - kibibytes
m - mebibytes
g - gibibytes
t - tebibytes
p - pebibytes
e - exbibytes

Later this can be changed with the `E' command toggle.

-e, --scale-task-mem = k | m | g | t | p
Instructs top to force task area memory to be scaled as:
k - kibibytes
m - mebibytes
g - gibibytes
t - tebibytes
p - pebibytes

Later this can be changed with the `e' command toggle.

-H, --threads-show
Instructs top to display individual threads. Without this command-line option a summation of all threads in each process is shown. Later this can be changed with the `H' interactive command.

-h, --help
Display usage help text, then quit.

-i, --idle-toggle
Starts top with the last remembered `i' state reversed. When this toggle is Off, tasks that have not used any CPU since the last update will not be displayed. For additional information regarding this toggle see topic 4c.
TASK AREA Commands, SIZE.

-n, --iterations = NUMBER
Specifies the maximum number of iterations, or frames, top should produce before ending.

-O, --list-fields
This option acts as a form of help for the -o option shown below. It will cause top to print each of the available field names on a separate line, then quit. Such names are subject to NLS (National Language Support)
translation.

-o, --sort-override = FIELDNAME
Specifies the name of the field on which tasks will be sorted, independent of what is reflected in the configuration file. You can prepend a `+' or `-' to the field name to also override the sort direction. A leading `+' will
force sorting high to low, whereas a `-' will ensure a low to high ordering.

This option exists primarily to support automated/scripted batch mode operation.

-p, --pid = PIDLIST (as: 1,2,3, ... or -p1 -p2 -p3 ...)
Monitor only processes with specified process IDs. However, when combined with Threads mode (`H'), all processes in the thread group (see TGID) of each monitored PID will also be shown.

This option can be given up to 20 times, or you can provide a comma delimited list with up to 20 pids. Co-mingling both approaches is permitted.

A pid value of zero will be treated as the process id of the top program itself once it is running.

This is a command-line option only and should you wish to return to normal operation, it is not necessary to quit and restart top -- just issue any of these interactive commands: `=', `u' or `U'.

The `p', `u' and `U' command-line options are mutually exclusive.

-S, --accum-time-toggle
Starts top with the last remembered `S' state reversed. When Cumulative time mode is On, each process is listed with the cpu time that it and its dead children have used. See the `S' interactive command for additional
information regarding this mode.

-s, --secure-mode
Starts top with secure mode forced, even for root. This mode is far better controlled through a system configuration file (see topic 6. FILES).

-U, --filter-any-user = USER (as: number or name)
Display only processes with a user id or user name matching that given. This option matches on any user (real, effective, saved, or filesystem).

Prepending an exclamation point (`!') to the user id or name instructs top to display only processes with users not matching the one provided.

The `p', `U' and `u' command-line options are mutually exclusive.

-u, --filter-only-euser = USER (as: number or name)
Display only processes with a user id or user name matching that given. This option matches on the effective user id only.

Prepending an exclamation point (`!') to the user id or name instructs top to display only processes with users not matching the one provided.

The `p', `U' and `u' command-line options are mutually exclusive.

-V, --version
Display version information, then quit.

-w, --width [=COLUMNS]
In Batch mode, when used without an argument top will format output using the COLUMNS= and LINES= environment variables, if set. Otherwise, width will be fixed at the maximum 512 columns. With an argument, output width can be
decreased or increased (up to 512) but the number of rows is considered unlimited.

In normal display mode, when used without an argument top will attempt to format output using the COLUMNS= and LINES= environment variables, if set. With an argument, output width can only be decreased, not increased. Whether
using environment variables or an argument with -w, when not in Batch mode actual terminal dimensions can never be exceeded.

Note: Without the use of this command-line option, output width is always based on the terminal at which top was invoked whether or not in Batch mode.

-1, --single-cpu-toggle
Starts top with the last remembered Cpu States portion of the summary area reversed. Either all cpu information will be displayed in a single line or each cpu will be displayed separately, depending on the state of the NUMA
Node command toggle (`2').

See the `1' and `2' interactive commands for additional information.

2. SUMMARY Display
Each of the following three areas are individually controlled through one or more interactive commands. See topic 4b. SUMMARY AREA Commands for additional information regarding these provisions.

2a. UPTIME and LOAD Averages
This portion consists of a single line containing:
program or window name, depending on display mode
current time and length of time since last boot
total number of users
system load avg over the last 1, 5 and 15 minutes

2b. TASK and CPU States
This portion consists of a minimum of two lines. In an SMP environment, additional lines can reflect individual CPU state percentages.

Line 1 shows total tasks or threads, depending on the state of the Threads-mode toggle. That total is further classified as:
running; sleeping; stopped; zombie

Line 2 shows CPU state percentages based on the interval since the last refresh.

As a default, percentages for these individual categories are displayed. Depending on your kernel version, the st field may not be shown.
us : time running un-niced user processes
sy : time running kernel processes
ni : time running niced user processes
id : time spent in the kernel idle handler
wa : time waiting for I/O completion
hi : time spent servicing hardware interrupts
si : time spent servicing software interrupts
st : time stolen from this vm by the hypervisor

The `sy' value above also reflects the time running a virtual cpu for guest operating systems, including those that have been niced.

Beyond the first tasks/threads line, there are alternate CPU display modes available via the 4-way `t' command toggle. They show an abbreviated summary consisting of these elements:
a b c d
%Cpu(s): 75.0/25.0 100[ ... ]

Where: a) is the `user' (us + ni) percentage; b) is the `system' (sy + hi + si + guests) percentage; c) is the total percentage; and d) is one of two visual graphs of those representations. Such graphs also reflect separate
`user' and `system' portions.

If the `4' command toggle is used to yield more than two cpus per line, results will be further abridged eliminating the a) and b) elements. However, that information is still reflected in the graph itself assuming color is
active or, if not, bars vs. blocks are being shown.

See topic 4b. SUMMARY AREA Commands for additional information on the `t' and `4' command toggles.

2c. MEMORY Usage
This portion consists of two lines which may express values in kibibytes (KiB) through exbibytes (EiB) depending on the scaling factor enforced with the `E' interactive command. The /proc/meminfo source fields are shown in
parenthesis.

Line 1 reflects physical memory, classified as:
total ( MemTotal )
free ( MemFree )
used ( MemTotal - MemAvailable )
buff/cache ( Buffers + Cached + SReclaimable )

Line 2 reflects mostly virtual memory, classified as:
total ( SwapTotal )
free ( SwapFree )
used ( SwapTotal - SwapFree )
avail ( MemAvailable, which is physical memory )

The avail number on line 2 is an estimation of physical memory available for starting new applications, without swapping. Unlike the free field, it attempts to account for readily reclaimable page cache and memory slabs. It is
available on kernels 3.14, emulated on kernels 2.6.27+, otherwise the same as free.

In the alternate memory display modes, two abbreviated summary lines are shown consisting of these elements:
a b c
GiB Mem : 18.7/15.738 [ ... ]
GiB Swap: 0.0/7.999 [ ... ]

Where: a) is the percentage used; b) is the total available; and c) is one of two visual graphs of those representations.

In the case of physical memory, the percentage represents the total minus the estimated avail noted above. The `Mem' graph itself is divided between the non-cached portion of used and any remaining memory not otherwise accounted
for by avail. See topic 4b. SUMMARY AREA Commands and the `m' command for additional information on that special 4-way toggle.

This table may help in interpreting the scaled values displayed:
KiB = kibibyte = 1024 bytes
MiB = mebibyte = 1024 KiB = 1,048,576 bytes
GiB = gibibyte = 1024 MiB = 1,073,741,824 bytes
TiB = tebibyte = 1024 GiB = 1,099,511,627,776 bytes
PiB = pebibyte = 1024 TiB = 1,125,899,906,842,624 bytes
EiB = exbibyte = 1024 PiB = 1,152,921,504,606,846,976 bytes

3. FIELDS / Columns
3a. DESCRIPTIONS of Fields
Listed below are top's available process fields (columns). They are shown in strict ascii alphabetical order. You may customize their position and whether or not they are displayable with the `f' (Fields Management) interactive
command.

Any field is selectable as the sort field, and you control whether they are sorted high-to-low or low-to-high. For additional information on sort provisions see topic 4c. TASK AREA Commands, SORTING.

The fields related to physical memory or virtual memory reference `(KiB)' which is the unsuffixed display mode. Such fields may, however, be scaled from KiB through PiB. That scaling is influenced via the `e' interactive command
or established for startup through a build option.

%CPU -- CPU Usage
The task's share of the elapsed CPU time since the last screen update, expressed as a percentage of total CPU time.

In a true SMP environment, if a process is multi-threaded and top is not operating in Threads mode, amounts greater than 100% may be reported. You toggle Threads mode with the `H' interactive command.

Also for multi-processor environments, if Irix mode is Off, top will operate in Solaris mode where a task's cpu usage will be divided by the total number of CPUs. You toggle Irix/Solaris modes with the `I' interactive
command.

Note: When running in forest view mode (`V') with children collapsed (`v'), this field will also include the CPU time of those unseen children. See topic 4c. TASK AREA Commands, CONTENT for more information regarding the `V'
and `v' toggles.

%CUC -- CPU Utilization
This field is identical to %CUU below, except the percentage also reflects reaped child processes.

%CUU -- CPU Utilization
A task's total CPU usage divided by its elapsed running time, expressed as a percentage.

If a process currently displays high CPU usage, this field can help determine if such behavior is normal. Conversely, if a process has low CPU usage currently, %CUU may reflect historically higher demands over its lifetime.

%MEM -- Memory Usage (RES)
A task's currently resident share of available physical memory.

See `OVERVIEW, Linux Memory Types' for additional details.

AGID -- Autogroup Identifier
The autogroup identifier associated with a process. This feature operates in conjunction with the CFS scheduler to improve interactive desktop performance.

When /proc/sys/kernel/sched_autogroup_enabled is set, a new autogroup is created with each new session (see SID). All subsequently forked processes in that session inherit membership in this autogroup. The kernel then
attempts to equalize distribution of CPU cycles across such groups. Thus, an autogroup with many CPU intensive processes (e.g make -j) will not dominate an autogroup with only one or two processes.

When -1 is displayed it means this information is not available.

AGNI -- Autogroup Nice Value
The autogroup nice value which affects scheduling of all processes in that group. A negative nice value means higher priority, whereas a positive nice value means lower priority.

CGNAME -- Control Group Name
The name of the control group to which a process belongs, or `-' if not applicable for that process.

This will typically be the last entry in the full list of control groups as shown under the next heading (CGROUPS). And as is true there, this field is also variable width.

CGROUPS -- Control Groups
The names of the control group(s) to which a process belongs, or `-' if not applicable for that process.

Control Groups provide for allocating resources (cpu, memory, network bandwidth, etc.) among installation-defined groups of processes. They enable fine-grained control over allocating, denying, prioritizing, managing and
monitoring those resources.

Many different hierarchies of cgroups can exist simultaneously on a system and each hierarchy is attached to one or more subsystems. A subsystem represents a single resource.

Note: The CGROUPS field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters). Even so, such
variable width fields could still suffer truncation. See topic 5c. SCROLLING a Window for additional information on accessing any truncated data.

CODE -- Code Size (KiB)
The amount of physical memory currently devoted to executable code, also known as the Text Resident Set size or TRS.

See `OVERVIEW, Linux Memory Types' for additional details.

COMMAND -- Command Name or Command Line
Display the command line used to start a task or the name of the associated program. You toggle between command line and name with `c', which is both a command-line option and an interactive command.

When you've chosen to display command lines, processes without a command line (like kernel threads) will be shown with only the program name in brackets, as in this example:
[kthreadd]

This field may also be impacted by the forest view display mode. See the `V' interactive command for additional information regarding that mode.

Note: The COMMAND field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters). Even so, such
variable width fields could still suffer truncation. This is especially true for this field when command lines are being displayed (the `c' interactive command.) See topic 5c. SCROLLING a Window for additional information on
accessing any truncated data.

DATA -- Data + Stack Size (KiB)
The amount of private memory reserved by a process. It is also known as the Data Resident Set or DRS. Such memory may not yet be mapped to physical memory (RES) but will always be included in the virtual memory (VIRT)
amount.

See `OVERVIEW, Linux Memory Types' for additional details.

ELAPSED -- Elapsed Running Time
The length of time since a process was started. Thus, the most recently started task will display the smallest time interval.

The value will be expressed as `HH,MM' (hours,minutes) but is subject to additional scaling if the interval becomes too great to fit column width. At that point it will be scaled to `DD+HH' (days+hours) and possibly beyond.

ENVIRON -- Environment variables
Display all of the environment variables, if any, as seen by the respective processes. These variables will be displayed in their raw native order, not the sorted order you are accustomed to seeing with an unqualified `set'.

Note: The ENVIRON field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters). Even so, such
variable width fields could still suffer truncation. This is especially true for this field. See topic 5c. SCROLLING a Window for additional information on accessing any truncated data.

EXE -- Executable Path
Where available, this is the full path to the executable, including the program name.

Note: The EXE field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters).

Flags -- Task Flags
This column represents the task's current scheduling flags which are expressed in hexadecimal notation and with zeros suppressed. These flags are officially documented in <linux/sched.h>.

GID -- Group Id
The effective group ID.

GROUP -- Group Name
The effective group name.

LOGID -- Login User Id
The user ID used at login. When -1 is displayed it means this information is not available.

LXC -- Lxc Container Name
The name of the lxc container within which a task is running. If a process is not running inside a container, a dash (`-') will be shown.

NI -- Nice Value
The nice value of the task. A negative nice value means higher priority, whereas a positive nice value means lower priority. Zero in this field simply means priority will not be adjusted in determining a task's dispatch-
ability.

Note: This value only affects scheduling priority relative to other processes in the same autogroup. See the `AGID' and `AGNI' fields for additional information on autogroups.

NU -- Last known NUMA node
A number representing the NUMA node associated with the last used processor (`P'). When -1 is displayed it means that NUMA information is not available.

See the `2' and `3' interactive commands for additional NUMA provisions affecting the summary area.

OOMa -- Out of Memory Adjustment Factor
The value, ranging from -1000 to +1000, added to the current out of memory score (OOMs) which is then used to determine which task to kill when memory is exhausted.

OOMs -- Out of Memory Score
The value, ranging from 0 to +1000, used to select task(s) to kill when memory is exhausted. Zero translates to `never kill' whereas 1000 means `always kill'.

P -- Last used CPU (SMP)
A number representing the last used processor. In a true SMP environment this will likely change frequently since the kernel intentionally uses weak affinity. Also, the very act of running top may break this weak affinity
and cause more processes to change CPUs more often (because of the extra demand for cpu time).

PGRP -- Process Group Id
Every process is member of a unique process group which is used for distribution of signals and by terminals to arbitrate requests for their input and output. When a process is created (forked), it becomes a member of the
process group of its parent. By convention, this value equals the process ID (see PID) of the first member of a process group, called the process group leader.

PID -- Process Id
The task's unique process ID, which periodically wraps, though never restarting at zero. In kernel terms, it is a dispatchable entity defined by a task_struct.

This value may also be used as: a process group ID (see PGRP); a session ID for the session leader (see SID); a thread group ID for the thread group leader (see TGID); and a TTY process group ID for the process group leader
(see TPGID).

PPID -- Parent Process Id
The process ID (pid) of a task's parent.

PR -- Priority
The scheduling priority of the task. If you see `rt' in this field, it means the task is running under real time scheduling priority.

Under linux, real time priority is somewhat misleading since traditionally the operating itself was not preemptible. And while the 2.6 kernel can be made mostly preemptible, it is not always so.

PSS -- Proportional Resident Memory, smaps (KiB)
The proportion of this task's share of `RSS' where each page is divided by the number of processes sharing it. It is also the sum of the `PSan', `PSfd' and `PSsh' fields.

For example, if a process has 1000 resident pages alone and 1000 resident pages shared with another process, its `PSS' would be 1500 (times page size).

Accessing smaps values is 10x more costly than other memory statistics and data for other users requires root privileges.

PSan -- Proportional Anonymous Memory, smaps (KiB)
PSfd -- Proportional File Memory, smaps (KiB)
PSsh -- Proportional Shmem Memory, smaps (KiB)
As was true for `PSS' above (total proportional resident memory), these fields represent the proportion of this task's share of each type of memory divided by the number of processes sharing it.

Accessing smaps values is 10x more costly than other memory statistics and data for other users requires root privileges.

RES -- Resident Memory Size (KiB)
A subset of the virtual address space (VIRT) representing the non-swapped physical memory a task is currently using. It is also the sum of the `RSan', `RSfd' and `RSsh' fields.

It can include private anonymous pages, private pages mapped to files (including program images and shared libraries) plus shared anonymous pages. All such memory is backed by the swap file represented separately under SWAP.

Lastly, this field may also include shared file-backed pages which, when modified, act as a dedicated swap file and thus will never impact SWAP.

See `OVERVIEW, Linux Memory Types' for additional details.

RSS -- Resident Memory, smaps (KiB)
Another, more precise view of process non-swapped physical memory. It is obtained from the `smaps_rollup' file and is generally slightly larger than that shown for `RES'.

Accessing smaps values is 10x more costly than other memory statistics and data for other users requires root privileges.

RSan -- Resident Anonymous Memory Size (KiB)
A subset of resident memory (RES) representing private pages not mapped to a file.

RSfd -- Resident File-Backed Memory Size (KiB)
A subset of resident memory (RES) representing the implicitly shared pages supporting program images and shared libraries. It also includes explicit file mappings, both private and shared.

RSlk -- Resident Locked Memory Size (KiB)
A subset of resident memory (RES) which cannot be swapped out.

RSsh -- Resident Shared Memory Size (KiB)
A subset of resident memory (RES) representing the explicitly shared anonymous shm*/mmap pages.

RUID -- Real User Id
The real user ID.

RUSER -- Real User Name
The real user name.

S -- Process Status
The status of the task which can be one of:
D = uninterruptible sleep
I = idle
R = running
S = sleeping
T = stopped by job control signal
t = stopped by debugger during trace
Z = zombie

Tasks shown as running should be more properly thought of as ready to run -- their task_struct is simply represented on the Linux run-queue. Even without a true SMP machine, you may see numerous tasks in this state
depending on top's delay interval and nice value.

SHR -- Shared Memory Size (KiB)
A subset of resident memory (RES) that may be used by other processes. It will include shared anonymous pages and shared file-backed pages. It also includes private pages mapped to files representing program images and
shared libraries.

See `OVERVIEW, Linux Memory Types' for additional details.

SID -- Session Id
A session is a collection of process groups (see PGRP), usually established by the login shell. A newly forked process joins the session of its creator. By convention, this value equals the process ID (see PID) of the first
member of the session, called the session leader, which is usually the login shell.

STARTED -- Start Time Interval
The length of time since system boot when a process started. Thus, the most recently started task will display the largest time interval.

The value will be expressed as `MM:SS' (minutes:seconds). But if the interval is too great to fit column width it will be scaled as `HH,MM' (hours,minutes) and possibly beyond.

SUID -- Saved User Id
The saved user ID.

SUPGIDS -- Supplementary Group IDs
The IDs of any supplementary group(s) established at login or inherited from a task's parent. They are displayed in a comma delimited list.

Note: The SUPGIDS field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters).

SUPGRPS -- Supplementary Group Names
The names of any supplementary group(s) established at login or inherited from a task's parent. They are displayed in a comma delimited list.

Note: The SUPGRPS field, unlike most columns, is not fixed-width. When displayed, it plus any other variable width columns will be allocated all remaining screen width (up to the maximum 512 characters).

SUSER -- Saved User Name
The saved user name.

SWAP -- Swapped Size (KiB)
The formerly resident portion of a task's address space written to the swap file when physical memory becomes over committed.

See `OVERVIEW, Linux Memory Types' for additional details.

TGID -- Thread Group Id
The ID of the thread group to which a task belongs. It is the PID of the thread group leader. In kernel terms, it represents those tasks that share an mm_struct.

TIME -- CPU Time
Total CPU time the task has used since it started. When Cumulative mode is On, each process is listed with the cpu time that it and its dead children have used. You toggle Cumulative mode with `S', which is both a
command-line option and an interactive command. See the `S' interactive command for additional information regarding this mode.

TIME+ -- CPU Time, hundredths
The same as TIME, but reflecting more granularity through hundredths of a second.

TPGID -- Tty Process Group Id
The process group ID of the foreground process for the connected tty, or -1 if a process is not connected to a terminal. By convention, this value equals the process ID (see PID) of the process group leader (see PGRP).

TTY -- Controlling Tty
The name of the controlling terminal. This is usually the device (serial port, pty, etc.) from which the process was started, and which it uses for input or output. However, a task need not be associated with a terminal, in
which case you'll see `?' displayed.

UID -- User Id
The effective user ID of the task's owner.

USED -- Memory in Use (KiB)
This field represents the non-swapped physical memory a task is using (RES) plus the swapped out portion of its address space (SWAP).

See `OVERVIEW, Linux Memory Types' for additional details.

USER -- User Name
The effective user name of the task's owner.

USS -- Unique Set Size
The non-swapped portion of physical memory (`RSS') not shared with any other process. It is derived from the `smaps_rollup' file.

Accessing smaps values is 10x more costly than other memory statistics and data for other users requires root privileges.

VIRT -- Virtual Memory Size (KiB)
The total amount of virtual memory used by the task. It includes all code, data and shared libraries plus pages that have been swapped out and pages that have been mapped but not used.

See `OVERVIEW, Linux Memory Types' for additional details.

WCHAN -- Sleeping in Function
This field will show the name of the kernel function in which the task is currently sleeping. Running tasks will display a dash (`-') in this column.

ioR -- I/O Bytes Read
The number of bytes a process caused to be fetched from the storage layer.

Root privileges are required to display `io' data for other users.

ioRop -- I/O Read Operations
The number of read I/O operations (syscalls) for a process. Such calls might not result in actual physical disk I/O.

ioW -- I/O Bytes Written
The number of bytes a process caused to be sent to the storage layer.

ioWop -- I/O Write Operations
The number of write I/O operations (syscalls) for a process. Such calls might not result in actual physical disk I/O.

nDRT -- Dirty Pages Count
The number of pages that have been modified since they were last written to auxiliary storage. Dirty pages must be written to auxiliary storage before the corresponding physical memory location can be used for some other
virtual page.

This field was deprecated with linux 2.6 and is always zero.

nMaj -- Major Page Fault Count
The number of major page faults that have occurred for a task. A page fault occurs when a process attempts to read from or write to a virtual page that is not currently present in its address space. A major page fault is
when auxiliary storage access is involved in making that page available.

nMin -- Minor Page Fault count
The number of minor page faults that have occurred for a task. A page fault occurs when a process attempts to read from or write to a virtual page that is not currently present in its address space. A minor page fault does
not involve auxiliary storage access in making that page available.

nTH -- Number of Threads
The number of threads associated with a process.

nsCGROUP -- CGROUP namespace
The Inode of the namespace used to hide the identity of the control group of which process is a member.

nsIPC -- IPC namespace
The Inode of the namespace used to isolate interprocess communication (IPC) resources such as System V IPC objects and POSIX message queues.

nsMNT -- MNT namespace
The Inode of the namespace used to isolate filesystem mount points thus offering different views of the filesystem hierarchy.

nsNET -- NET namespace
The Inode of the namespace used to isolate resources such as network devices, IP addresses, IP routing, port numbers, etc.

nsPID -- PID namespace
The Inode of the namespace used to isolate process ID numbers meaning they need not remain unique. Thus, each such namespace could have its own `init/systemd' (PID #1) to manage various initialization tasks and reap orphaned
child processes.

nsTIME -- TIME namespace
The Inode of the namespace which allows processes to see different system times in a way similar to the UTS namespace.

nsUSER -- USER namespace
The Inode of the namespace used to isolate the user and group ID numbers. Thus, a process could have a normal unprivileged user ID outside a user namespace while having a user ID of 0, with full root privileges, inside that
namespace.

nsUTS -- UTS namespace
The Inode of the namespace used to isolate hostname and NIS domain name. UTS simply means "UNIX Time-sharing System".

vMj -- Major Page Fault Count Delta
The number of major page faults that have occurred since the last update (see nMaj).

vMn -- Minor Page Fault Count Delta
The number of minor page faults that have occurred since the last update (see nMin).

3b. MANAGING Fields
After pressing the interactive command `f' (Fields Management) you will be presented with a screen showing: 1) the `current' window name; 2) the designated sort field; 3) all fields in their current order along with descriptions.
Entries marked with an asterisk are the currently displayed fields, screen width permitting.

• As the on screen instructions indicate, you navigate among the fields with the Up and Down arrow keys. The PgUp, PgDn, Home and End keys can also be used to quickly reach the first or last available field.

• The Right arrow key selects a field for repositioning and the Left arrow key or the <Enter> key commits that field's placement.

• The `d' key or the <Space> bar toggles a field's display status, and thus the presence or absence of the asterisk.

• The `s' key designates a field as the sort field. See topic 4c. TASK AREA Commands, SORTING for additional information regarding your selection of a sort field.

• The `a' and `w' keys can be used to cycle through all available windows and the `q' or <Esc> keys exit Fields Management.

The Fields Management screen can also be used to change the `current' window/field group in either full-screen mode or alternate-display mode. Whatever was targeted when `q' or <Esc> was pressed will be made current as you return
to the top display. See topic 5. ALTERNATE-DISPLAY Provisions and the `g' interactive command for insight into `current' windows and field groups.

Note: Any window that has been scrolled horizontally will be reset if any field changes are made via the Fields Management screen. Any vertical scrolled position, however, will not be affected. See topic 5c. SCROLLING a Window
for additional information regarding vertical and horizontal scrolling.

4. INTERACTIVE Commands
Listed below is a brief index of commands within categories. Some commands appear more than once -- their meaning or scope may vary depending on the context in which they are issued.

4a. Global-Commands
<Ent/Sp> ?, =, 0,
A, B, d, E, e, g, H, h, I, k, q, r, s, W, X, Y, Z,
^G, ^K, ^N, ^P, ^U, ^L, ^R
4b. Summary-Area-Commands
C, l, t, m, 1, 2, 3, 4, 5, !
4c. Task-Area-Commands
Appearance: b, J, j, x, y, z
Content: c, F, f, O, o, S, U, u, V, v, ^E
Size: #, i, n
Sorting: <, >, f, R
4d. Color-Mapping
<Ret>, a, B, b, H, M, q, S, T, w, z, 0 - 7
5b. Commands-for-Windows
-, _, =, +, A, a, G, g, w
5c. Scrolling-a-Window
C, Up, Dn, Left, Right, PgUp, PgDn, Home, End
5d. Searching-in-a-Window
L, &
5e. Filtering-in-a-Window
O, o, ^O, =, +

4a. GLOBAL Commands
The global interactive commands are always available in both full-screen mode and alternate-display mode. However, some of these interactive commands are not available when running in Secure mode.

If you wish to know in advance whether or not your top has been secured, simply ask for help and view the system summary on the second line.

<Enter> or <Space> :Refresh-Display
These commands awaken top and following receipt of any input the entire display will be repainted. They also force an update of any hotplugged cpu or physical memory changes.

Use either of these keys if you have a large delay interval and wish to see current status,

? | h :Help
There are two help levels available. The first will provide a reminder of all the basic interactive commands. If top is secured, that screen will be abbreviated.

Typing `h' or `?' on that help screen will take you to help for those interactive commands applicable to alternate-display mode.

= :Exit-Display-Limits
Removes restrictions on what is shown. This command will reverse any `i' (idle tasks), `n' (max tasks), `v' (hide children) and `F' focus commands that might be active. It also provides for an exit from PID monitoring,
User filtering, Other filtering, Locate processing and Combine Cpus mode.

Additionally, if the window has been scrolled it will be reset with this command.

0 :Zero-Suppress toggle
This command determines whether zeros are shown or suppressed for many of the fields in a task window. Fields like UID, GID, NI, PR or P are not affected by this toggle.

A :Alternate-Display-Mode toggle
This command will switch between full-screen mode and alternate-display mode. See topic 5. ALTERNATE-DISPLAY Provisions and the `g' interactive command for insight into `current' windows and field groups.

B :Bold-Disable/Enable toggle
This command will influence use of the bold terminfo capability and alters both the summary area and task area for the `current' window. While it is intended primarily for use with dumb terminals, it can be applied
anytime.

Note: When this toggle is On and top is operating in monochrome mode, the entire display will appear as normal text. Thus, unless the `x' and/or `y' toggles are using reverse for emphasis, there will be no visual
confirmation that they are even on.

* d | s :Change-Delay-Time-interval
You will be prompted to enter the delay time, in seconds, between display updates.

Fractional seconds are honored, but a negative number is not allowed. Entering 0 causes (nearly) continuous updates, with an unsatisfactory display as the system and tty driver try to keep up with top's demands. The delay
value is inversely proportional to system loading, so set it with care.

If at any time you wish to know the current delay time, simply ask for help and view the system summary on the second line.

E :Enforce-Summary-Memory-Scale in Summary Area
With this command you can cycle through the available summary area memory scaling which ranges from KiB (kibibytes or 1,024 bytes) through EiB (exbibytes or 1,152,921,504,606,846,976 bytes).

If you see a `+' between a displayed number and the following label, it means that top was forced to truncate some portion of that number. By raising the scaling factor, such truncation can be avoided.

e :Enforce-Task-Memory-Scale in Task Area
With this command you can cycle through the available task area memory scaling which ranges from KiB (kibibytes or 1,024 bytes) through PiB (pebibytes or 1,125,899,906,842,624 bytes).

While top will try to honor the selected target range, additional scaling might still be necessary in order to accommodate current values. If you wish to see a more homogeneous result in the memory columns, raising the
scaling range will usually accomplish that goal. Raising it too high, however, is likely to produce an all zero result which cannot be suppressed with the `0' interactive command.

g :Choose-Another-Window/Field-Group
You will be prompted to enter a number between 1 and 4 designating the field group which should be made the `current' window. You will soon grow comfortable with these 4 windows, especially after experimenting with
alternate-display mode.

H :Threads-mode toggle
When this toggle is On, individual threads will be displayed for all processes in all visible task windows. Otherwise, top displays a summation of all threads in each process.

I :Irix/Solaris-Mode toggle
When operating in Solaris mode (`I' toggled Off), a task's cpu usage will be divided by the total number of CPUs. After issuing this command, you'll be told the new state of this toggle.

* k :Kill-a-task
You will be prompted for a PID and then the signal to send.

Entering no PID or a negative number will be interpreted as the default shown in the prompt (the first task displayed). A PID value of zero means the top program itself.

The default signal, as reflected in the prompt, is SIGTERM. However, you can send any signal, via number or name.

If you wish to abort the kill process, do one of the following depending on your progress:
1) at the pid prompt, type an invalid number
2) at the signal prompt, type 0 (or any invalid signal)
3) at any prompt, type <Esc>

q :Quit

* r :Renice-a-Task
You will be prompted for a PID and then the value to nice it to.

Entering no PID or a negative number will be interpreted as the default shown in the prompt (the first task displayed). A PID value of zero means the top program itself.

A positive nice value will cause a process to lose priority. Conversely, a negative nice value will cause a process to be viewed more favorably by the kernel. As a general rule, ordinary users can only increase the nice
value and are prevented from lowering it.

If you wish to abort the renice process, do one of the following depending on your progress:
1) at the pid prompt, type an invalid number
2) at the nice prompt, type <Enter> with no input
3) at any prompt, type <Esc>

W :Write-the-Configuration-File
This will save all of your options and toggles plus the current display mode and delay time. By issuing this command just before quitting top, you will be able restart later in exactly that same state.

X :Extra-Fixed-Width
Some fields are fixed width and not scalable. As such, they are subject to truncation which would be indicated by a `+' in the last position.

This interactive command can be used to alter the widths of the following fields:

field default field default field default
GID 5 GROUP 8 WCHAN 10
LOGID 5 LXC 8 nsCGROUP 10
RUID 5 RUSER 8 nsIPC 10
SUID 5 SUSER 8 nsMNT 10
UID 5 TTY 8 nsNET 10
USER 8 nsPID 10
nsTIME 10
nsUSER 10
nsUTS 10

You will be prompted for the amount to be added to the default widths shown above. Entering zero forces a return to those defaults.

If you enter a negative number, top will automatically increase the column size as needed until there is no more truncated data.

Note: Whether explicitly or automatically increased, the widths for these fields are never decreased by top. To narrow them you must specify a smaller number or restore the defaults.

Y :Inspect-Other-Output
After issuing the `Y' interactive command, you will be prompted for a target PID. Typing a value or accepting the default results in a separate screen. That screen can be used to view a variety of files or piped command
output while the normal top iterative display is paused.

Note: This interactive command is only fully realized when supporting entries have been manually added to the end of the top configuration file. For details on creating those entries, see topic 6b. ADDING INSPECT Entries.

Most of the keys used to navigate the Inspect feature are reflected in its header prologue. There are, however, additional keys available once you have selected a particular file or command. They are familiar to anyone
who has used the pager `less' and are summarized here for future reference.

key function
= alternate status-line, file or pipeline
/ find, equivalent to `L' locate
n find next, equivalent to `&' locate next
<Space> scroll down, equivalent to <PgDn>
b scroll up, equivalent to <PgUp>
g first line, equivalent to <Home>
G last line, equivalent to <End>

Z :Change-Color-Mapping
This key will take you to a separate screen where you can change the colors for the `current' window, or for all windows. For details regarding this interactive command see topic 4d. COLOR Mapping.

^G :Display-Control-Groups (Ctrl key + `g')
^K :Display-Cmdline (Ctrl key + `k')
^N :Display-Environment (Ctrl key + `n')
^P :Display-Namesspaces (Ctrl key + `p')
^U :Display-Supplementary-Groups (Ctrl key + `u')
Applied to the first process displayed, these commands will show that task's full (potentially wrapped) information. Such data will be displayed in a separate window at the bottom of the screen while normal top monitoring
continues.

Keying the same `Ctrl' command a second time removes that separate window as does the `=' command. Keying a different `Ctrl' combination, while one is already active, immediately transitions to the new information.

Notable among these provisions is the Ctrl+N (environment) command. Its output can be extensive and not easily read when line wrapped. A more readable version can be achieved with an `Inspect' entry in the rcfile like the
following.

pipe ^I Environment ^I cat /proc/%d/environ | tr '\0' '\n'

See the `Y' interactive command above and topic 6b. ADDING INSPECT Entries for additional information.

As an alternative to `Inspect', and available to all of these `Ctrl' commands, the tab key can be used to highlight individual elements in the bottom window.

^L :Logged-Messages (Ctrl key + `l')
The 10 most recent messages are displayed in a separate window at the bottom of the screen while normal top monitoring continues. Keying `^L' a second time removes that window as does the `=' command. Use the tab key to
highlight individual messages.

* ^R :Renice-an-Autogroup (Ctrl key + `r')
You will be prompted for a PID and then the value for its autogroup AGNI.

Entering no PID will be interpreted as the default shown in the prompt (the first task displayed).

A positive AGNI value will cause processes in that autogroup to lose priority. Conversely, a negative value causes them to be viewed more favorably by the kernel. Ordinary users are not allowed to set negative AGNI
values.

If you wish to abort the renice process type <Esc>.

* The commands shown with an asterisk (`*') are not available in Secure mode, nor will they be shown on the level-1 help screen.

4b. SUMMARY AREA Commands
The summary area interactive commands are always available in both full-screen mode and alternate-display mode. They affect the beginning lines of your display and will determine the position of messages and prompts.

These commands always impact just the `current' window/field group. See topic 5. ALTERNATE-DISPLAY Provisions and the `g' interactive command for insight into `current' windows and field groups.

C :Show-scroll-coordinates toggle
Toggle an informational message which is displayed whenever the message line is not otherwise being used. For additional information see topic 5c. SCROLLING a Window.

l :Load-Average/Uptime toggle
This is also the line containing the program name (possibly an alias) when operating in full-screen mode or the `current' window name when operating in alternate-display mode.

t :Task/Cpu-States toggle
This command affects from 2 to many summary area lines, depending on the state of the `1', `2' or `3' command toggles and whether or not top is running under true SMP.

This portion of the summary area is also influenced by the `H' interactive command toggle, as reflected in the total label which shows either Tasks or Threads.

This command serves as a 4-way toggle, cycling through these modes:
1. detailed percentages by category
2. abbreviated user/system and total % + bar graph
3. abbreviated user/system and total % + block graph
4. turn off task and cpu states display

When operating in either of the graphic modes, the display becomes much more meaningful when individual CPUs or NUMA nodes are also displayed. See the the `1', `2' and `3' commands below for additional information.

m :Memory/Swap-Usage toggle
This command affects the two summary area lines dealing with physical and virtual memory.

This command serves as a 4-way toggle, cycling through these modes:
1. detailed percentages by memory type
2. abbreviated % used/total available + bar graph
3. abbreviated % used/total available + block graph
4. turn off memory display

1 :Single/Separate-Cpu-States toggle
This command affects how the `t' command's Cpu States portion is shown. Although this toggle exists primarily to serve massively-parallel SMP machines, it is not restricted to solely SMP environments.

When you see `%Cpu(s):' in the summary area, the `1' toggle is On and all cpu information is gathered in a single line. Otherwise, each cpu is displayed separately as: `%Cpu0, %Cpu1, ...' up to available screen height.

2 :NUMA-Nodes/Cpu-Summary toggle
This command toggles between the `1' command cpu summary display (only) or a summary display plus the cpu usage statistics for each NUMA Node. It is only available if a system has the requisite NUMA support.

3 :Expand-NUMA-Node
You will be invited to enter a number representing a NUMA Node. Thereafter, a node summary plus the statistics for each cpu in that node will be shown until the `1', `2' or `4' command toggle is pressed. This interactive
command is only available if a system has the requisite NUMA support.

4 :Display-Multiple-Elements-Adjacent toggle
This command toggle turns the `1' toggle Off and shows multiple CPU and Memory results on each line. Each successive `4' key adds another CPU until again reverting to separate lines for CPU and Memory results.

A maximum of 8 CPUs per line can be displayed in this manner. However, data truncation may occur before reaching the maximum. That is definitely true when displaying detailed statistics via the `t' command toggle since
such data cannot be scaled like the graphic representations.

If one wished to quickly exit adjacent mode without cycling all the way to 8, simply use the `1' command toggle.

5 :Display-P-Cores-and-E-Cores toggle
This command toggle is only active when the `t' toggle is On and the `1', `2', `3' and `!' toggles are Off, thus showing individual CPU results. It assumes a platform has multiple cores of two distinct types, either multi-
threaded (P-Core) or single-threaded (E-Core).

While normally each cpu is displayed as `%Cpu0, %Cpu1, ...', this toggle can be used to identify and/or filter those cpus by their core type, either P-Core (performance) or E-Core (efficient).

The 1st time `5' is struck, each CPU is displayed as `%CpP' or `%CpE' representing the two core types. The 2nd time, only P-Cores (%CpP) will be shown. The 3rd time, only E-Cores (%CpE) are displayed. When this command
toggle is struck for the 4th time, the CPU display returns to the normal `%Cpu' convention.

If separate performance and efficient categories are not present, this command toggle will have no effect.

! :Combine-Cpus-Mode toggle
This command toggle is intended for massively parallel SMP environments where, even with the `4' command toggle, not all processors can be displayed. With each press of `!' the number of cpus combined is doubled thus
reducing the total number of cpu lines displayed.

For example, with the first press of `!' two cpus will be combined and displayed as `0-1, 2-3, ...' instead of the normal `%Cpu0, %Cpu1, %Cpu2, %Cpu3, ...'. With a second `!' command toggle four cpus are combined and shown
as `0-3, 4-7, ...'. Then the third `!' press, combining eight cpus, shows as `0-7, 8-15, ...', etc.

Such progression continues until individual cpus are again displayed and impacts both the `1' and `4' toggles (one or multiple columns). Use the `=' command to exit Combine Cpus mode.

Note: If the entire summary area has been toggled Off for any window, you would be left with just the message line. In that way, you will have maximized available task rows but (temporarily) sacrificed the program name in
full-screen mode or the `current' window name when in alternate-display mode.

4c. TASK AREA Commands
The task area interactive commands are always available in full-screen mode.

The task area interactive commands are never available in alternate-display mode if the `current' window's task display has been toggled Off (see topic 5. ALTERNATE-DISPLAY Provisions).

APPEARANCE of task window

J :Justify-Numeric-Columns toggle
Alternates between right-justified (the default) and left-justified numeric data. If the numeric data completely fills the available column, this command toggle may impact the column header only.

j :Justify-Character-Columns toggle
Alternates between left-justified (the default) and right-justified character data. If the character data completely fills the available column, this command toggle may impact the column header only.

The following commands will also be influenced by the state of the global `B' (bold enable) toggle.

b :Bold/Reverse toggle
This command will impact how the `x' and `y' toggles are displayed. It may also impact the summary area when a bar graph has been selected for cpu states or memory usage via the `t' or `m' toggles.

x :Column-Highlight toggle
Changes highlighting for the current sort field. If you forget which field is being sorted this command can serve as a quick visual reminder, providing the sort field is being displayed. The sort field might not be
visible because:
1) there is insufficient Screen Width
2) the `f' interactive command turned it Off

y :Row-Highlight toggle
Changes highlighting for "running" tasks. For additional insight into this task state, see topic 3a. DESCRIPTIONS of Fields, the `S' field (Process Status).

Use of this provision provides important insight into your system's health. The only costs will be a few additional tty escape sequences.

z :Color/Monochrome toggle
Switches the `current' window between your last used color scheme and the older form of black-on-white or white-on-black. This command will alter both the summary area and task area but does not affect the state of the
`x', `y' or `b' toggles.

CONTENT of task window

c :Command-Line/Program-Name toggle
This command will be honored whether or not the COMMAND column is currently visible. Later, should that field come into view, the change you applied will be seen.

F :Maintain-Parent-Focus toggle
When in forest view mode, this key serves as a toggle to retain focus on a target task, presumably one with forked children. If forest view mode is Off this key has no effect.

The toggle is applied to the first (topmost) process in the `current' window. Once established, that task is always displayed as the first (topmost) process along with its forked children. All other processes will be
suppressed.

Note: keys like `i' (idle tasks), `n' (max tasks), `v' (hide children) and User/Other filtering remain accessible and can impact what is displayed.

f :Fields-Management
This key displays a separate screen where you can change which fields are displayed, their order and also designate the sort field. For additional information on this interactive command see topic 3b. MANAGING Fields.

O | o :Other-Filtering
You will be prompted for the selection criteria which then determines which tasks will be shown in the `current' window. Your criteria can be made case sensitive or case can be ignored. And you determine if top should
include or exclude matching tasks.

See topic 5e. FILTERING in a window for details on these and additional related interactive commands.

S :Cumulative-Time-Mode toggle
When Cumulative mode is On, each process is listed with the cpu time that it and its dead children have used.

When Off, programs that fork into many separate tasks will appear less demanding. For programs like `init' or a shell this is appropriate but for others, like compilers, perhaps not. Experiment with two task windows
sharing the same sort field but with different `S' states and see which representation you prefer.

After issuing this command, you'll be informed of the new state of this toggle. If you wish to know in advance whether or not Cumulative mode is in effect, simply ask for help and view the window summary on the second
line.

U | u :Show-Specific-User-Only
You will be prompted for the uid or name of the user to display. The -u option matches on effective user whereas the -U option matches on any user (real, effective, saved, or filesystem).

Thereafter, in that task window only matching users will be shown, or possibly no processes will be shown. Prepending an exclamation point (`!') to the user id or name instructs top to display only processes with users not
matching the one provided.

Different task windows can be used to filter different users. Later, if you wish to monitor all users again in the `current' window, re-issue this command but just press <Enter> at the prompt.

V :Forest-View-Mode toggle
In this mode, processes are reordered according to their parents and the layout of the COMMAND column resembles that of a tree. In forest view mode it is still possible to toggle between program name and command line (see
the `c' interactive command) or between processes and threads (see the `H' interactive command).

Note: Typing any key affecting the sort order will exit forest view mode in the `current' window. See topic 4c. TASK AREA Commands, SORTING for information on those keys.

v :Hide/Show-Children toggle
When in forest view mode, this key serves as a toggle to collapse or expand the children of a parent.

The toggle is applied against the first (topmost) process in the `current' window. See topic 5c. SCROLLING a Window for additional information regarding vertical scrolling.

If the target process has not forked any children, this key has no effect. It also has no effect when not in forest view mode.

^E :Scale-CPU-Time-fields (Ctrl key + `e')
The `time' fields are normally displayed with the greatest precision their widths permit. This toggle reduces that precision until it wraps. It also illustrates the scaling those fields might experience automatically,
which usually depends on how long the system runs.

For example, if `MMM:SS.hh' is shown, each ^E keystroke would change it to: `MM:SS', `Hours,MM', `Days+Hours' and finally `Weeks+Days'.

Not all time fields are subject to the full range of such scaling.

SIZE of task window

i :Idle-Process toggle
Displays all tasks or just active tasks. When this toggle is Off, tasks that have not used any CPU since the last update will not be displayed. However, due to the granularity of the %CPU and TIME+ fields, some processes
may still be displayed that appear to have used no CPU.

If this command is applied to the last task display when in alternate-display mode, then it will not affect the window's size, as all prior task displays will have already been painted.

n | # :Set-Maximum-Tasks
You will be prompted to enter the number of tasks to display. The lessor of your number and available screen rows will be used.

When used in alternate-display mode, this is the command that gives you precise control over the size of each currently visible task display, except for the very last. It will not affect the last window's size, as all
prior task displays will have already been painted.

Note: If you wish to increase the size of the last visible task display when in alternate-display mode, simply decrease the size of the task display(s) above it.

SORTING of task window

For compatibility, this top supports most of the former top sort keys. Since this is primarily a service to former top users, these commands do not appear on any help screen.
command sorted-field supported
A start time (non-display) No
M %MEM Yes
N PID Yes
P %CPU Yes
T TIME+ Yes

Before using any of the following sort provisions, top suggests that you temporarily turn on column highlighting using the `x' interactive command. That will help ensure that the actual sort environment matches your intent.

The following interactive commands will only be honored when the current sort field is visible. The sort field might not be visible because:
1) there is insufficient Screen Width
2) the `f' interactive command turned it Off

< :Move-Sort-Field-Left
Moves the sort column to the left unless the current sort field is the first field being displayed.

> :Move-Sort-Field-Right
Moves the sort column to the right unless the current sort field is the last field being displayed.

The following interactive commands will always be honored whether or not the current sort field is visible.

f :Fields-Management
This key displays a separate screen where you can change which field is used as the sort column, among other functions. This can be a convenient way to simply verify the current sort field, when running top with column
highlighting turned Off.

R :Reverse/Normal-Sort-Field toggle
Using this interactive command you can alternate between high-to-low and low-to-high sorts.

4d. COLOR Mapping
When you issue the `Z' interactive command, you will be presented with a separate screen. That screen can be used to change the colors in just the `current' window or in all four windows before returning to the top display.

The following interactive commands are available.
4 upper case letters to select a target
8 numbers to select a color
normal toggles available
B :bold disable/enable
b :running tasks "bold"/reverse
z :color/mono
other commands available
a/w :apply, then go to next/prior
<Enter> :apply and exit
q :abandon current changes and exit

If you use `a' or `w' to cycle the targeted window, you will have applied the color scheme that was displayed when you left that window. You can, of course, easily return to any window and reapply different colors or turn colors
Off completely with the `z' toggle.

The Color Mapping screen can also be used to change the `current' window/field group in either full-screen mode or alternate-display mode. Whatever was targeted when `q' or <Enter> was pressed will be made current as you return
to the top display.

5. ALTERNATE-DISPLAY Provisions
5a. WINDOWS Overview
Field Groups/Windows:
In full-screen mode there is a single window represented by the entire screen. That single window can still be changed to display 1 of 4 different field groups (see the `g' interactive command, repeated below). Each of the 4
field groups has a unique separately configurable summary area and its own configurable task area.

In alternate-display mode, those 4 underlying field groups can now be made visible simultaneously, or can be turned Off individually at your command.

The summary area will always exist, even if it's only the message line. At any given time only one summary area can be displayed. However, depending on your commands, there could be from zero to four separate task displays
currently showing on the screen.

Current Window:
The `current' window is the window associated with the summary area and the window to which task related commands are always directed. Since in alternate-display mode you can toggle the task display Off, some commands might be
restricted for the `current' window.

A further complication arises when you have toggled the first summary area line Off. With the loss of the window name (the `l' toggled line), you'll not easily know what window is the `current' window.

5b. COMMANDS for Windows
- | _ :Show/Hide-Window(s) toggles
The `-' key turns the `current' window's task display On and Off. When On, that task area will show a minimum of the columns header you've established with the `f' interactive command. It will also reflect any other task
area options/toggles you've applied yielding zero or more tasks.

The `_' key does the same for all task displays. In other words, it switches between the currently visible task display(s) and any task display(s) you had toggled Off. If all 4 task displays are currently visible, this
interactive command will leave the summary area as the only display element.

* = | + :Equalize/Reset-Window(s)
The `=' key forces the `current' window's task display to be visible. It also reverses any active `i' (idle tasks), `n' (max tasks), `u/U' (user filter), `o/O' (other filter), `v' (hide children), `F' focused, `L' (locate)
and `!' (combine cpus) commands. Also, if the window had been scrolled, it will be reset with this command. See topic 5c. SCROLLING a Window for additional information regarding vertical and horizontal scrolling.

The `+' key does the same for all windows. The four task displays will reappear, evenly balanced, while retaining any customizations previously applied beyond those noted for the `=' command toggle.

* A :Alternate-Display-Mode toggle
This command will switch between full-screen mode and alternate-display mode.

The first time you issue this command, all four task displays will be shown. Thereafter when you switch modes, you will see only the task display(s) you've chosen to make visible.

* a | w :Next-Window-Forward/Backward
This will change the `current' window, which in turn changes the window to which commands are directed. These keys act in a circular fashion so you can reach any desired window using either key.

Assuming the window name is visible (you have not toggled `l' Off), whenever the `current' window name loses its emphasis/color, that's a reminder the task display is Off and many commands will be restricted.

G :Change-Window/Field-Group-Name
You will be prompted for a new name to be applied to the `current' window. It does not require that the window name be visible (the `l' toggle to be On).

* The interactive commands shown with an asterisk (`*') have use beyond alternate-display mode.
=, A, g are always available
a, w act the same with color mapping
and fields management

* g :Choose-Another-Window/Field-Group
You will be prompted to enter a number between 1 and 4 designating the field group which should be made the `current' window.

In full-screen mode, this command is necessary to alter the `current' window. In alternate-display mode, it is simply a less convenient alternative to the `a' and `w' commands.

5c. SCROLLING a Window
Typically a task window is a partial view into a system's total tasks/threads which shows only some of the available fields/columns. With these scrolling keys, you can move that view vertically or horizontally to reveal any
desired task or column.

Up,PgUp :Scroll-Tasks
Move the view up toward the first task row, until the first task is displayed at the top of the `current' window. The Up arrow key moves a single line while PgUp scrolls the entire window.

Down,PgDn :Scroll-Tasks
Move the view down toward the last task row, until the last task is the only task displayed at the top of the `current' window. The Down arrow key moves a single line while PgDn scrolls the entire window.

Left,Right :Scroll-Columns
Move the view of displayable fields horizontally one column at a time.

Note: As a reminder, some fields/columns are not fixed-width but allocated all remaining screen width when visible. When scrolling right or left, that feature may produce some unexpected results initially.

Additionally, there are special provisions for any variable width field when positioned as the last displayed field. Once that field is reached via the right arrow key, and is thus the only column shown, you can continue
scrolling horizontally within such a field. See the `C' interactive command below for additional information.

Home :Jump-to-Home-Position
Reposition the display to the un-scrolled coordinates.

End :Jump-to-End-Position
Reposition the display so that the rightmost column reflects the last displayable field and the bottom task row represents the last task.

Note: From this position it is still possible to scroll down and right using the arrow keys. This is true until a single column and a single task is left as the only display element.

C :Show-scroll-coordinates toggle
Toggle an informational message which is displayed whenever the message line is not otherwise being used. That message will take one of two forms depending on whether or not a variable width column has also been scrolled.

scroll coordinates: y = n/n (tasks), x = n/n (fields)
scroll coordinates: y = n/n (tasks), x = n/n (fields) + nn

The coordinates shown as n/n are relative to the upper left corner of the `current' window. The additional `+ nn' represents the displacement into a variable width column when it has been scrolled horizontally. Such
displacement occurs in normal 8 character tab stop amounts via the right and left arrow keys.

y = n/n (tasks)
The first n represents the topmost visible task and is controlled by scrolling keys. The second n is updated automatically to reflect total tasks.

x = n/n (fields)
The first n represents the leftmost displayed column and is controlled by scrolling keys. The second n is the total number of displayable fields and is established with the `f' interactive command.

The above interactive commands are always available in full-screen mode but never available in alternate-display mode if the `current' window's task display has been toggled Off.

Note: When any form of filtering is active, you can expect some slight aberrations when scrolling since not all tasks will be visible. This is particularly apparent when using the Up/Down arrow keys.

5d. SEARCHING in a Window
You can use these interactive commands to locate a task row containing a particular value.

L :Locate-a-string
You will be prompted for the case-sensitive string to locate starting from the current window coordinates. There are no restrictions on search string content.

Searches are not limited to values from a single field or column. All of the values displayed in a task row are allowed in a search string. You may include spaces, numbers, symbols and even forest view artwork.

Keying <Enter> with no input will effectively disable the `&' key until a new search string is entered.

& :Locate-next
Assuming a search string has been established, top will attempt to locate the next occurrence.

When a match is found, the current window is repositioned vertically so the task row containing that string is first. The scroll coordinates message can provide confirmation of such vertical repositioning (see the `C' interactive
command). Horizontal scrolling, however, is never altered via searching.

The availability of a matching string will be influenced by the following factors.

a. Which fields are displayable from the total available,
see topic 3b. MANAGING Fields.

b. Scrolling a window vertically and/or horizontally,
see topic 5c. SCROLLING a Window.

c. The state of the command/command-line toggle,
see the `c' interactive command.

d. The stability of the chosen sort column,
for example PID is good but %CPU bad.

If a search fails, restoring the `current' window home (unscrolled) position, scrolling horizontally, displaying command-lines or choosing a more stable sort field could yet produce a successful `&' search.

The above interactive commands are always available in full-screen mode but never available in alternate-display mode if the `current' window's task display has been toggled Off.

5e. FILTERING in a Window
You can use this `Other Filter' feature to establish selection criteria which will then determine which tasks are shown in the `current' window. Such filters can be made persistent if preserved in the rcfile via the `W'
interactive command.

Establishing a filter requires: 1) a field name; 2) an operator; and 3) a selection value, as a minimum. This is the most complex of top's user input requirements so, when you make a mistake, command recall will be your friend.
Remember the Up/Down arrow keys or their aliases when prompted for input.

Filter Basics

1. field names are case sensitive and spelled as in the header

2. selection values need not comprise the full displayed field

3. a selection is either case insensitive or sensitive to case

4. the default is inclusion, prepending `!' denotes exclusions

5. multiple selection criteria can be applied to a task window

6. inclusion and exclusion criteria can be used simultaneously

7. the 1 equality and 2 relational filters can be freely mixed

8. separate unique filters are maintained for each task window

If a field is not turned on or is not currently in view, then your selection criteria will not affect the display. Later, should a filtered field become visible, the selection criteria will then be applied.

Keyboard Summary

O :Other-Filter (upper case)
You will be prompted to establish a case sensitive filter.

o :Other-Filter (lower case)
You will be prompted to establish a filter that ignores case when matching.

^O :Show-Active-Filters (Ctrl key + `o')
This can serve as a reminder of which filters are active in the `current' window. A summary will be shown on the message line until you press the <Enter> key.

= :Reset-Filtering in current window
This clears all of your selection criteria in the `current' window. It also has additional impact so please see topic 4a. GLOBAL Commands.

+ :Reset-Filtering in all windows
This clears the selection criteria in all windows, assuming you are in alternate-display mode. As with the `=' interactive command, it too has additional consequences so you might wish to see topic 5b. COMMANDS for Windows.

Input Requirements

When prompted for selection criteria, the data you provide must take one of two forms. There are 3 required pieces of information, with a 4th as optional. These examples use spaces for clarity but your input generally would
not.
#1 #2 #3 ( required )
Field-Name ? include-if-value
! Field-Name ? exclude-if-value
#4 ( optional )

Items #1, #3 and #4 should be self-explanatory. Item #2 represents both a required delimiter and the operator which must be one of either equality (`=') or relation (`<' or `>').

The `=' equality operator requires only a partial match and that can reduce your `if-value' input requirements. The `>' or `<' relational operators always employ string comparisons, even with numeric fields. They are designed
to work with a field's default justification and with homogeneous data. When some field's numeric amounts have been subjected to scaling while others have not, that data is no longer homogeneous.

If you establish a relational filter and you have changed the default Numeric or Character justification, that filter is likely to fail. When a relational filter is applied to a memory field and you have not changed the
scaling, it may produce misleading results. This happens, for example, because `100.0m' (MiB) would appear greater than `1.000g' (GiB) when compared as strings.

If your filtered results appear suspect, simply altering justification or scaling may yet achieve the desired objective. See the `j', `J' and `e' interactive commands for additional information.

Potential Problems

These GROUP filters could produce the exact same results or the second one might not display anything at all, just a blank task window.
GROUP=root ( only the same results when )
GROUP=ROOT ( invoked via lower case `o' )

Either of these RES filters might yield inconsistent and/or misleading results, depending on the current memory scaling factor. Or both filters could produce the exact same results.
RES>9999 ( only the same results when )
!RES<10000 ( memory scaling is at `KiB' )

This nMin filter illustrates a problem unique to scalable fields. This particular field can display a maximum of 4 digits, beyond which values are automatically scaled to KiB or above. So while amounts greater than 9999
exist, they will appear as 2.6m, 197k, etc.
nMin>9999 ( always a blank task window )

Potential Solutions

These examples illustrate how Other Filtering can be creatively applied to achieve almost any desired result. Single quotes are sometimes shown to delimit the spaces which are part of a filter or to represent a request for
status (^O) accurately. But if you used them with if-values in real life, no matches would be found.

Assuming field nTH is displayed, the first filter will result in only multi-threaded processes being shown. It also reminds us that a trailing space is part of every displayed field. The second filter achieves the exact same
results with less typing.
!nTH=` 1 ' ( ` for clarity only )
nTH>1 ( same with less i/p )

With Forest View mode active and the COMMAND column in view, this filter effectively collapses child processes so that just 3 levels are shown.
!COMMAND=` `- ' ( ` for clarity only )

The final two filters appear as in response to the status request key (^O). In reality, each filter would have required separate input. The PR example shows the two concurrent filters necessary to display tasks with
priorities of 20 or more, since some might be negative. Then by exploiting trailing spaces, the nMin series of filters could achieve the failed `9999' objective discussed above.
`PR>20' + `!PR=-' ( 2 for right result )
`!nMin=0 ' + `!nMin=1 ' + `!nMin=2 ' + `!nMin=3 ' ...

6. FILES
6a. PERSONAL Configuration File
This file is created or updated via the `W' interactive command.

The legacy version is written as `$HOME/.your-name-4-top' + `rc' with a leading period.

A newly created configuration file is written as procps/your-name-4-top' + `rc' without a leading period. The procps directory will be subordinate to either $XDG_CONFIG_HOME when set as an absolute path or the $HOME/.config
directory.

While not intended to be edited manually, here is the general layout:
global # line 1: the program name/alias notation
" # line 2: id,altscr,irixps,delay,curwin
per ea # line a: winname,fieldscur
window # line b: winflags,sortindx,maxtasks,etc
" # line c: summclr,msgsclr,headclr,taskclr
global # line 15: additional miscellaneous settings
" # any remaining lines are devoted to optional
" # active `other filters' discussed in section 5e above
" # plus `inspect' entries discussed in section 6b below

If a valid absolute path to the rcfile cannot be established, customizations made to a running top will be impossible to preserve.

6b. ADDING INSPECT Entries
To exploit the `Y' interactive command, you must add entries at the end of the top personal configuration file. Such entries simply reflect a file to be read or command/pipeline to be executed whose results will then be displayed
in a separate scrollable, searchable window.

If you don't know the location or name of your top rcfile, use the `W' interactive command to rewrite it and note those details.

Inspect entries can be added with a redirected echo or by editing the configuration file. Redirecting an echo risks overwriting the rcfile should it replace (>) rather than append (>>) to that file. Conversely, when using an
editor care must be taken not to corrupt existing lines, some of which could contain unprintable data or unusual characters depending on the top version under which that configuration file was saved.

Those Inspect entries beginning with a `#' character are ignored, regardless of content. Otherwise they consist of the following 3 elements, each of which must be separated by a tab character (thus 2 `\t' total):

.type: literal `file' or `pipe'
.name: selection shown on the Inspect screen
.fmts: string representing a path or command

The two types of Inspect entries are not interchangeable. Those designated `file' will be accessed using fopen and must reference a single file in the `.fmts' element. Entries specifying `pipe' will employ popen, their `.fmts'
element could contain many pipelined commands and, none can be interactive.

If the file or pipeline represented in your `.fmts' deals with the specific PID input or accepted when prompted, then the format string must also contain the `%d' specifier, as these examples illustrate.

.fmts= /proc/%d/numa_maps
.fmts= lsof -P -p %d

For `pipe' type entries only, you may also wish to redirect stderr to stdout for a more comprehensive result. Thus the format string becomes:

.fmts= pmap -x %d 2>&1

Here are examples of both types of Inspect entries as they might appear in the rcfile. The first entry will be ignored due to the initial `#' character. For clarity, the pseudo tab depictions (^I) are surrounded by an extra
space but the actual tabs would not be.

# pipe ^I Sockets ^I lsof -n -P -i 2>&1
pipe ^I Open Files ^I lsof -P -p %d 2>&1
file ^I NUMA Info ^I /proc/%d/numa_maps
pipe ^I Log ^I tail -n100 /var/log/syslog | sort -Mr

Except for the commented entry above, these next examples show what could be echoed to achieve similar results, assuming the rcfile name was `.toprc'. However, due to the embedded tab characters, each of these lines should be
preceded by `/bin/echo -e', not just a simple an `echo', to enable backslash interpretation regardless of which shell you use.

"pipe\tOpen Files\tlsof -P -p %d 2>&1" >> ~/.toprc
"file\tNUMA Info\t/proc/%d/numa_maps" >> ~/.toprc
"pipe\tLog\ttail -n200 /var/log/syslog | sort -Mr" >> ~/.toprc

If any inspect entry you create produces output with unprintable characters they will be displayed in either the ^C notation or hexadecimal <FF> form, depending on their value. This applies to tab characters as well, which will
show as `^I'. If you want a truer representation, any embedded tabs should be expanded. The following example takes what could have been a `file' entry but employs a `pipe' instead so as to expand the embedded tabs.

# next would have contained `\t' ...
# file ^I <your_name> ^I /proc/%d/status
# but this will eliminate embedded `\t' ...
pipe ^I <your_name> ^I cat /proc/%d/status | expand -

Note: Some programs might rely on SIGINT to end. Therefore, if a `pipe' such as the following is established, one must use Ctrl-C to terminate it in order to review the results. This is the single occasion where a `^C' will not
also terminate top.

pipe ^I Trace ^I /usr/bin/strace -p %d 2>&1

Lastly, while `pipe' type entries have been discussed in terms of pipelines and commands, there is nothing to prevent you from including shell scripts as well. Perhaps even newly created scripts designed specifically for the `Y'
interactive command.

For example, as the number of your Inspect entries grows over time, the `Options:' row will be truncated when screen width is exceeded. That does not affect operation other than to make some selections invisible. However, if
some choices are lost to truncation but you want to see more options, there is an easy solution hinted at below.

Inspection Pause at pid ...
Use: left/right then <Enter> ...
Options: help 1 2 3 4 5 6 7 8 9 10 11 ...

The entries in the top rcfile would have a number for the `.name' element and the `help' entry would identify a shell script you've written explaining what those numbered selections actually mean. In that way, many more choices
can be made visible.

6c. SYSTEM Configuration File
This configuration file represents defaults for users who have not saved their own configuration file. The format mirrors exactly the personal configuration file and can also include `inspect' entries as explained above.

Creating it is a simple process.

1. Configure top appropriately for your installation and preserve that configuration with the `W' interactive command.

2. Add and test any desired `inspect' entries.

3. Copy that configuration file to the /etc/ directory as `topdefaultrc'.

6d. SYSTEM Restrictions File
The presence of this file will influence which version of the help screen is shown to an ordinary user.

More importantly, it will limit what ordinary users are allowed to do when top is running. They will not be able to issue the following commands.
k Kill a task
r Renice a task
d or s Change delay/sleep interval

This configuration file is not created by top. Rather, it is created manually and placed it in the /etc/ directory as `toprc'.

It should have exactly two lines, as shown in this example:
s # line 1: secure mode switch
5.0 # line 2: delay interval in seconds

7. ENVIRONMENT VARIABLE(S)
The value set for the following is unimportant, just its presence.

LIBPROC_HIDE_KERNEL
This will prevent display of any kernel threads and exclude such processes from the summary area Tasks/Threads counts.

8. STUPID TRICKS Sampler
Many of these tricks work best when you give top a scheduling boost. So plan on starting him with a nice value of -10, assuming you've got the authority.

7a. Kernel Magic
For these stupid tricks, top needs full-screen mode.

• The user interface, through prompts and help, intentionally implies that the delay interval is limited to tenths of a second. However, you're free to set any desired delay. If you want to see Linux at his scheduling best, try
a delay of .09 seconds or less.

For this experiment, under x-windows open an xterm and maximize it. Then do the following:
. provide a scheduling boost and tiny delay via:
nice -n -10 top -d.09
. keep sorted column highlighting Off so as to
minimize path length
. turn On reverse row highlighting for emphasis
. try various sort columns (TIME/MEM work well),
and normal or reverse sorts to bring the most
active processes into view

What you'll see is a very busy Linux doing what he's always done for you, but there was no program available to illustrate this.

• Under an xterm using `white-on-black' colors, on top's Color Mapping screen set the task color to black and be sure that task highlighting is set to bold, not reverse. Then set the delay interval to around .3 seconds.

After bringing the most active processes into view, what you'll see are the ghostly images of just the currently running tasks.

• Delete the existing rcfile, or create a new symlink. Start this new version then type `T' (a secret key, see topic 4c. Task Area Commands, SORTING) followed by `W' and `q'. Finally, restart the program with -d0 (zero delay).

Your display will be refreshed at three times the rate of the former top, a 300% speed advantage. As top climbs the TIME ladder, be as patient as you can while speculating on whether or not top will ever reach the top.

7b. Bouncing Windows
For these stupid tricks, top needs alternate-display mode.

• With 3 or 4 task displays visible, pick any window other than the last and turn idle processes Off using the `i' command toggle. Depending on where you applied `i', sometimes several task displays are bouncing and sometimes
it's like an accordion, as top tries his best to allocate space.

• Set each window's summary lines differently: one with no memory (`m'); another with no states (`t'); maybe one with nothing at all, just the message line. Then hold down `a' or `w' and watch a variation on bouncing windows
-- hopping windows.

• Display all 4 windows and for each, in turn, set idle processes to Off using the `i' command toggle. You've just entered the "extreme bounce" zone.

7c. The Big Bird Window
This stupid trick also requires alternate-display mode.

• Display all 4 windows and make sure that 1:Def is the `current' window. Then, keep increasing window size with the `n' interactive command until all the other task displays are "pushed out of the nest".

When they've all been displaced, toggle between all visible/invisible windows using the `_' command toggle. Then ponder this:
is top fibbing or telling honestly your imposed truth?

7d. The Ol' Switcheroo
This stupid trick works best without alternate-display mode, since justification is active on a per window basis.

• Start top and make COMMAND the last (rightmost) column displayed. If necessary, use the `c' command toggle to display command lines and ensure that forest view mode is active with the `V' command toggle.

Then use the up/down arrow keys to position the display so that some truncated command lines are shown (`+' in last position). You may have to resize your xterm to produce truncation.

Lastly, use the `j' command toggle to make the COMMAND column right justified.

Now use the right arrow key to reach the COMMAND column. Continuing with the right arrow key, watch closely the direction of travel for the command lines being shown.

some lines travel left, while others travel right

eventually all lines will Switcheroo, and move right

9. BUGS
Please send bug reports to procps@freelists.org.

10. SEE Also
free(1), ps(1), uptime(1), atop(1), slabtop(1), vmstat(8), w(1)

procps-ng August 2023 TOP(1)
</nowiki>

FORTIGATE - SSLVPN Troubleshoot

2026-01-17T13:17:31Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== SSL VPN debug command ==

Use the following diagnose commands to identify SSL VPN issues.
These commands enable debugging of SSL VPN with a debug level of -1 for detailed results.

<nowiki>
diagnose debug application sslvpn -1
diagnose debug enable</nowiki>

The CLI displays debug output similar to the following:

<nowiki>
[282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1</nowiki>

To disable the debug :

<nowiki>
diagnose debug disable
diagnose debug reset</nowiki>

== Remote User Authentication Debug Command ==

Use the following diagnose commands to identify remote user authentication issues :

<nowiki>
diagnose debug application fnbamd -1
diagnose debug enable</nowiki>

Use the following diagnose commands to identify SAML user authentication issues :

<nowiki>
diagnose debug application samld -1
diagnose debug enable</nowiki>

== Usefull Links ==

* https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

* https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/502390/debug-commands

TRACEPATH - Manpage

2026-01-17T13:16:45Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == tracepath Manpage == <nowiki> TRACEPATH(8) iputils TRACEPATH(8) NAME tracepath - traces path to a network host discovering MTU along this path SYNOPSIS..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== tracepath Manpage ==

<nowiki>
TRACEPATH(8) iputils TRACEPATH(8)

NAME
tracepath - traces path to a network host discovering MTU along this path

SYNOPSIS

tracepath [-4] [-6] [-n] [-b] [-l pktlen] [-m max_hops] [-p port] [-V] {destination}

DESCRIPTION
It traces the network path to destination discovering MTU along this path. It uses UDP port port or some random port. It is similar to traceroute. However, it does not require superuser privileges and has no fancy options.

tracepath -6 is a good replacement for traceroute6 and classic example of application of Linux error queues. The situation with IPv4 is worse, because commercial IP routers do not return enough information in ICMP error messages.
Probably, it will change, when they are updated. For now it uses Van Jacobson's trick, sweeping a range of UDP ports to maintain trace history.

OPTIONS
-4
Use IPv4 only.

-6
Use IPv6 only.

-n
Print primarily IP addresses numerically.

-b
Print both: Host names and IP addresses.

-l
Sets the initial packet length to pktlen instead of 65535 for IPv4 or 128000 for IPv6.

-m
Set maximum hops (or maximum TTLs) to max_hops instead of 30.

-p
Sets the initial destination port to use.

-V
Print version and exit.

OUTPUT
root@mops:~ # tracepath -6 3ffe:2400:0:109::2
1?: [LOCALHOST] pmtu 1500
1: dust.inr.ac.ru 0.411ms
2: dust.inr.ac.ru asymm 1 0.390ms pmtu 1480
2: 3ffe:2400:0:109::2 463.514ms reached
Resume: pmtu 1480 hops 2 back 2

The first column shows the TTL of the probe, followed by colon. Usually the value of TTL is obtained from the reply from the network, but sometimes it does not contain the necessary information and we have to guess it. In this
case the number is followed by ?.

The second column shows the network hop which replied to the probe. It is either the address of the router or the word [LOCALHOST], if the probe was not sent to the network.

The rest of the line shows miscellaneous information about the path to the corresponding network hop. It contains the value of RTT, and additionally it can show Path MTU when it changes. If the path is asymmetric or the probe
finishes before it reaches the prescribed hop, the number of hops in return direction is shown next to the keyword "asymm". This information is not reliable, e.g. the third line shows asymmetry of 1. This is because the first
probe with TTL of 2 was rejected at the first hop due to Path MTU Discovery.

The last line summarizes information about all the paths to the destination. It shows detected Path MTU, amount of hops to the destination and our guess about the number of hops from the destination to us, which can be different
when the path is asymmetric.

HANDLING ERRORS
In case of errors tracepath prints short error code.
┌─────────────┬──────────────┬───────────────────────────────────────────┐
│ Output │ Code │ Meaning │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ !A │ EACCES │ Communication administratively prohibited │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ !H │ EHOSTUNREACH │ Destination host unreachable │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ !N │ ENETUNREACH │ Destination network unreachable │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ !P │ EPROTO │ Destination protocol unreachable │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ pmtu N │ EMSGSIZE │ Message too long │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ reached │ ECONNREFUSED │ Connection refused │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ │ ETIMEDOUT │ Connection timed out │
├─────────────┼──────────────┼───────────────────────────────────────────┤
│ NET ERROR N │ │ Any other error │
└─────────────┴──────────────┴───────────────────────────────────────────┘

SEE ALSO
traceroute(8), traceroute6(8), ping(8).

AUTHOR
tracepath was written by Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>.

SECURITY
No security issues.

This lapidary deserves to be elaborated. tracepath is not a privileged program, unlike traceroute, ping and other beasts of their kind. tracepath may be executed by everyone who has enough access to the network to send UDP
datagrams to the desired destination using the given port.

AVAILABILITY
tracepath is part of iputils package.

iputils 20250605 TRACEPATH(8)</nowiki>

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

UFW - Manpage

2026-01-17T13:12:04Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == ufw Manpage == <nowiki> UFW:(8) May 2023 UFW:(8) NAME ufw - program for managing a netfilter firewall DESCRIPTION This program is for managing a..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== ufw Manpage ==

<nowiki>
UFW:(8) May 2023 UFW:(8)

NAME
ufw - program for managing a netfilter firewall

DESCRIPTION
This program is for managing a Linux firewall and aims to provide an easy to use interface for the user.

USAGE
ufw [--dry-run] enable|disable|reload

ufw [--force] enable

ufw [--dry-run] default allow|deny|reject [incoming|outgoing|routed]

ufw [--dry-run] logging on|off|LEVEL

ufw [--dry-run] reset

ufw [--dry-run] status [verbose|numbered]

ufw [--dry-run] show REPORT

ufw [--dry-run] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out] [log|log-all] [ PORT[/PROTOCOL] | APPNAME ] [comment COMMENT]

ufw [--dry-run] [rule] [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out [on INTERFACE]] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME ]] [to ADDRESS [port PORT | app APPNAME ]] [comment COM‐
MENT]

ufw [--dry-run] route [delete] [insert NUM] [prepend] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto PROTOCOL] [from ADDRESS [port PORT | app APPNAME]] [to ADDRESS [port PORT | app APPNAME]] [comment COMMENT]

ufw [--dry-run] [--force] delete NUM

ufw [--dry-run] app list|info|default|update

OPTIONS
--version
show program's version number and exit

-h, --help
show help message and exit

--dry-run
don't modify anything, just show the changes

enable reloads firewall and enables firewall on boot. See REMOTE MANAGEMENT.

disable
unloads firewall and disables firewall on boot

reload reloads firewall

default allow|deny|reject DIRECTION
change the default policy for traffic going DIRECTION, where DIRECTION is one of incoming, outgoing or routed. Note that existing rules will have to be migrated manually when changing the default policy. See RULE SYNTAX for
more on deny and reject.

logging on|off|LEVEL
toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default log level is
'low'. See LOGGING for details.

reset Disables and resets firewall to installation defaults. Can also give the --force option to perform the reset without confirmation.

status show status of firewall and ufw managed rules. Use status verbose for extra information. In the status output, 'Anywhere' is synonymous with 'any', 0.0.0.0/0 (IPv4) and ::/0 (IPv6). Note that when using status, there is a
subtle difference when reporting interfaces. For example, if the following rules are added:

ufw allow in on eth0 from 192.168.0.0/16
ufw allow out on eth1 to 10.0.0.0/8
ufw route allow in on eth0 out on eth1 to 10.0.0.0/8 from 192.168.0.0/16
ufw limit 2222/tcp comment 'SSH port'

ufw status will output:

To Action From
-- ------ ----
Anywhere on eth0 ALLOW 192.168.0.0/16
10.0.0.0/8 ALLOW OUT Anywhere on eth1
10.0.0.0/8 on eth1 ALLOW FWD 192.168.0.0/16 on eth0
Anywhere LIMIT Anywhere # SSH port

For the input and output rules, the interface is reported relative to the firewall system as an endpoint, whereas with route rules, the interface is reported relative to the direction packets flow through the firewall.

show REPORT
display information about the running firewall. See REPORTS

allow ARGS
add allow rule. See RULE SYNTAX

deny ARGS
add deny rule. See RULE SYNTAX

reject ARGS
add reject rule. See RULE SYNTAX

limit ARGS
add limit rule. See RULE SYNTAX

delete RULE|NUM
deletes the corresponding RULE

insert NUM RULE
insert the corresponding RULE as rule number NUM

prepend RULE
prepend the corresponding RULE to the top of the ruleset

RULE SYNTAX
Users can specify rules using either a simple syntax or a full syntax. The simple syntax only specifies the port and optionally the protocol to be allowed or denied on the host.

Both syntaxes support specifying a comment for the rule. For existing rules, specifying a different comment updates the comment and specifying '' removes the comment (note, 'insert' and 'prepend' cannot be used to update the com‐
ment).

Example rules using the simple syntax:

ufw allow 53

This rule will allow tcp and udp port 53 to any address on this host. To specify a protocol, append '/protocol' to the port. For example:

ufw allow 25/tcp

This will allow tcp port 25 to any address on this host. ufw will also check /etc/services for the port and protocol if specifying a service by name. Eg:

ufw allow smtp

ufw supports both ingress and egress filtering and users may optionally specify a direction of either in or out for either incoming or outgoing traffic. If no direction is supplied, the rule applies to incoming traffic. Eg:

ufw allow in http
ufw reject out smtp
ufw reject telnet comment 'telnet is unencrypted'

Users can also use a fuller syntax, specifying the source and destination addresses and ports. This syntax is loosely based on OpenBSD's PF syntax. For example:

ufw deny proto tcp to any port 80

This will deny all traffic to tcp port 80 on this host. Another example:

ufw deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25

This will deny all traffic from the RFC1918 Class A network to tcp port 25 with the address 192.168.0.1.

ufw deny proto tcp from 2001:db8::/32 to any port 25

This will deny all traffic from the IPv6 2001:db8::/32 to tcp port 25 on this host. IPv6 must be enabled in /etc/default/ufw for IPv6 firewalling to work.

ufw deny in on eth0 to 224.0.0.1 proto igmp

This will deny all igmp traffic to 224.0.0.1 on the eth0 interface.

ufw allow in on eth0 to 192.168.0.1 proto gre

This will allow all gre traffic to 192.168.0.1 on the eth0 interface.

ufw allow proto tcp from any to any port 80,443,8080:8090 comment 'web app'

The above will allow all traffic to tcp ports 80, 443 and 8080-8090 inclusive and adds a comment for the rule. When specifying multiple ports, the ports list must be numeric, cannot contain spaces and must be modified as a whole.
Eg, in the above example you cannot later try to delete just the '443' port. You cannot specify more than 15 ports (ranges count as 2 ports, so the port count in the above example is 4).

ufw supports several different protocols. The following are valid in any rule and enabled when the protocol is not specified:

tcp
udp

The following have certain restrictions and are not enabled when the protocol is not specified:

ah valid without port number
esp valid without port number
gre valid without port number
vrrp valid without port number
ipv6 valid for IPv4 addresses and without port number
igmp valid for IPv4 addresses and without port number

Rules for traffic not destined for the host itself but instead for traffic that should be routed/forwarded through the firewall should specify the route keyword before the rule (routing rules differ significantly from PF syntax
and instead take into account netfilter FORWARD chain conventions). For example:

ufw route allow in on eth1 out on eth2

This will allow all traffic routed to eth2 and coming in on eth1 to traverse the firewall.

ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp

This rule allows any packets coming in on eth0 to traverse the firewall out on eth1 to tcp port 80 on 12.34.45.67.

In addition to routing rules and policy, you must also setup IP forwarding. This may be done by setting the following in /etc/ufw/sysctl.conf:

net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
net/ipv6/conf/all/forwarding=1

then restarting the firewall:

ufw disable
ufw enable

Be aware that setting kernel tunables is operating system specific and ufw sysctl settings may be overridden. See the sysctl manual page for details.

ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to ini‐
tiate 6 or more connections within 30 seconds. See http://www.debian-administration.org/articles/187 for details. Typical usage is:

ufw limit ssh/tcp

Sometimes it is desirable to let the sender know when traffic is being denied, rather than simply ignoring it. In these cases, use reject instead of deny. For example:

ufw reject auth

By default, ufw will apply rules to all available interfaces. To limit this, specify DIRECTION on INTERFACE, where DIRECTION is one of in or out (interface aliases are not supported). For example, to allow all new incoming http
connections on eth0, use:

ufw allow in on eth0 to any port 80 proto tcp

To delete a rule, simply prefix the original rule with delete with or without the rule comment. For example, if the original rule was:

ufw deny 80/tcp

Use this to delete it:

ufw delete deny 80/tcp

You may also specify the rule by NUM, as seen in the status numbered output. For example, if you want to delete rule number '3', use:

ufw delete 3

If you have IPv6 enabled and are deleting a generic rule that applies to both IPv4 and IPv6 (eg 'ufw allow 22/tcp'), deleting by rule number will delete only the specified rule. To delete both with one command, prefix the original
rule with delete.

To insert a rule, specify the new rule as normal, but prefix the rule with the rule number to insert. For example, if you have four rules, and you want to insert a new rule as rule number three, use:

ufw insert 3 deny to any port 22 from 10.0.0.135 proto tcp

Similarly, to add a rule before all other rules matching the rule's IP type, use the prepend rule:

ufw prepend deny from 1.2.3.4

This is particularly useful for dynamic firewalls as found in an IPS. Importantly, if the specified rule is an IPv4 rule, it will be prepended before all other IPv4 rules. If it is an IPv6 rule, it will be prepended before any
IPv6 rules.

To see a list of numbered rules, use:

ufw status numbered

ufw supports per rule logging. By default, no logging is performed when a packet matches a rule. Specifying log will log all new connections matching the rule, and log-all will log all packets matching the rule. For example, to
allow and log all new ssh connections, use:

ufw allow log 22/tcp

See LOGGING for more information on logging.

EXAMPLES
Deny all access to port 53:

ufw deny 53

Allow all access to tcp port 80:

ufw allow 80/tcp

Allow all access from RFC1918 networks to this host:

ufw allow from 10.0.0.0/8
ufw allow from 172.16.0.0/12
ufw allow from 192.168.0.0/16

Deny access to udp port 514 from host 1.2.3.4:

ufw deny proto udp from 1.2.3.4 to any port 514

Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469

REMOTE MANAGEMENT
When running ufw enable or starting ufw via its initscript, ufw will flush its chains. This is required so ufw can maintain a consistent state, but it may drop existing connections (eg ssh). ufw does support adding rules before
enabling the firewall, so administrators can do:

ufw allow proto tcp from any to any port 22

before running 'ufw enable'. The rules will still be flushed, but the ssh port will be open after enabling the firewall. Please note that once ufw is 'enabled', ufw will not flush the chains when adding or removing rules (but will
when modifying a rule or changing the default policy). By default, ufw will prompt when enabling the firewall while running under ssh. This can be disabled by using 'ufw --force enable'.

APPLICATION INTEGRATION
ufw supports application integration by reading profiles located in /etc/ufw/applications.d. To list the names of application profiles known to ufw, use:

ufw app list

Users can specify an application name when adding a rule (quoting any profile names with spaces). For example, when using the simple syntax, users can use:

ufw allow <name>

Or for the extended syntax:

ufw allow from 192.168.0.0/16 to any app <name>

You should not specify the protocol with either syntax, and with the extended syntax, use app in place of the port clause.

Details on the firewall profile for a given application can be seen with:

ufw app info <name>

where '<name>' is one of the applications seen with the app list command. Users may also specify all to see the profiles for all known applications.

Syntax for the application profiles is a simple .INI format:

[<name>]
title=<title>
description=<description>
ports=<ports>

The 'ports' field may specify a '|'-separated list of ports/protocols where the protocol is optional. A comma-separated list or a range (specified with 'start:end') may also be used to specify multiple ports, in which case the
protocol is required. For example:

[SomeService]
title=Some title
description=Some description
ports=12/udp|34|56,78:90/tcp

In the above example, 'SomeService' may be used in app rules and it specifies UDP port 12, TCP and UDP on port 34 and TCP ports 56 and 78-90 inclusive.

After creating or editing an application profile, users can run:

ufw app update <name>

This command will automatically update the firewall with updated profile information. If specify 'all' for name, then all the profiles will be updated. To update a profile and add a new rule to the firewall automatically, users
can run:

ufw app update --add-new <name>

The behavior of the update --add-new command can be configured using:

ufw app default <policy>

The default application policy is skip, which means that the update --add-new command will do nothing. Users may also specify a policy of allow or deny so the update --add-new command may automatically update the firewall. WARN‐
ING: it may be a security to risk to use a default allow policy for application profiles. Carefully consider the security ramifications before using a default allow policy.

LOGGING
ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified. Users may specify a loglevel with:

ufw logging LEVEL

LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined as:

off disables ufw managed logging

low logs all blocked packets not matching the defined policy (with rate limiting), as well as packets matching logged rules

medium log level low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new connections. All logging is done with rate limiting.

high log level medium (without rate limiting), plus all packets with rate limiting

full log level high without rate limiting

Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may generate a lot of logging output on a busy system.

Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.

REPORTS
The following reports are supported. Each is based on the live system and with the exception of the listening report, is in raw iptables format:

raw
builtins
before-rules
user-rules
after-rules
logging-rules
listening
added

The raw report shows the complete firewall, while the others show a subset of what is in the raw report.

The listening report will display the ports on the live system in the listening state for tcp and the open state for udp, along with the address of the interface and the executable listening on the port. An '*' is used in place of
the address of the interface when the executable is bound to all interfaces on that port. Following this information is a list of rules which may affect connections on this port. The rules are listed in the order they are evalu‐
ated by the kernel, and the first match wins. Please note that the default policy is not listed and tcp6 and udp6 are shown only if IPV6 is enabled.

The added report displays the list of rules as they were added on the command-line. This report does not show the status of the running firewall (use 'ufw status' instead). Because rules are normalized by ufw, rules may look dif‐
ferent than the originally added rule. Also, ufw does not record command ordering, so an equivalent ordering is used which lists IPv6-only rules after other rules.

NOTES
On installation, ufw is disabled with a default incoming policy of deny, a default forward policy of deny, and a default outgoing policy of allow, with stateful tracking for NEW connections for incoming and forwarded connections.
In addition to the above, a default ruleset is put in place that does the following:

- DROP packets with RH0 headers

- DROP INVALID packets

- ACCEPT certain icmp packets (INPUT and FORWARD): destination-unreachable, source-quench, time-exceeded, parameter-problem, and echo-request for IPv4. destination-unreachable, packet-too-big, time-exceeded, parameter-problem, and
echo-request for IPv6.

- ACCEPT icmpv6 packets for stateless autoconfiguration (INPUT)

- ACCEPT ping replies from IPv6 link-local (ffe8::/10) addresses (INPUT)

- ACCEPT DHCP client traffic (INPUT)

- DROP non-local traffic (INPUT)

- ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb for IPv6) for service discovery (INPUT)

- ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for service discovery (INPUT)

Rule ordering is important and the first match wins. Therefore when adding rules, add the more specific rules first with more general rules later.

ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules.

The status command shows basic information about the state of the firewall, as well as rules managed via the ufw command. It does not show rules from the rules files in /etc/ufw. To see the complete state of the firewall, users
can ufw show raw. This displays the filter, nat, mangle and raw tables using:

iptables -n -L -v -x -t <table>
ip6tables -n -L -v -x -t <table>

See the iptables and ip6tables documentation for more details.

If the default policy is set to REJECT, ufw may interfere with rules added outside of the ufw framework. See README for details.

IPV6 is allowed by default. To change this behavior to only accept IPv6 traffic on the loopback interface, set IPV6 to 'no' in /etc/default/ufw and reload ufw. When IPv6 is enabled, you may specify rules in the same way as for
IPv4 rules, and they will be displayed with ufw status. Rules that match both IPv4 and IPv6 addresses apply to both IP versions. For example, when IPv6 is enabled, the following rule will allow access to port 22 for both IPv4 and
IPv6 traffic:

ufw allow 22

IPv6 over IPv4 tunnels and 6to4 are supported by using the 'ipv6' protocol ('41'). This protocol can only be used with the full syntax. For example:

ufw allow to 10.0.0.1 proto ipv6
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ipv6

IPSec is supported by using the 'esp' ('50') and 'ah' ('51') protocols. These protocols can only be used with the full syntax. For example:

ufw allow to 10.0.0.1 proto esp
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto esp
ufw allow to 10.0.0.1 proto ah
ufw allow to 10.0.0.1 from 10.4.0.0/16 proto ah

keepalived is supported by using the 'vrrp' ('112') protocol. This protocol can only be used with the full syntax. For example:

ufw allow to 224.0.0.0/24 from 10.0.0.1 proto vrrp

In addition to the command-line interface, ufw also provides a framework which allows administrators to modify default behavior as well as take full advantage of netfilter. See the ufw-framework manual page for more information.

SEE ALSO
ufw-framework(8), iptables(8), ip6tables(8), iptables-restore(8), ip6tables-restore(8), sysctl(8), sysctl.conf(5)

AUTHOR
ufw is Copyright 2008-2023, Canonical Ltd.

May 2023 UFW:(8)</nowiki>

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

NMAP - Manpage

2026-01-17T13:11:33Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== nmap --help ==

<nowiki>
Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES</nowiki>

== Manpage ==

<nowiki>
NMAP(1) Nmap Reference Guide NMAP(1)

NAME
nmap - Network exploration tool and security / port scanner

SYNOPSIS
nmap [Scan Type...] [Options] {target specification}

DESCRIPTION
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses
raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions)
they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find
it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists
the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for
connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no
application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or
closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version
details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown in Example 1. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and
then the hostname.

Example 1. A representative Nmap scan

# nmap -A -T4 scanme.nmap.org

Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.029s latency).
rDNS record for 74.207.244.221: li86-221.members.linode.com
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
646/tcp filtered ldp
1720/tcp filtered H.323/Q.931
9929/tcp open nping-echo Nping echo
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.39
OS details: Linux 2.6.39
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
[Cut first 10 hops for brevity]
11 17.65 ms li86-221.members.linode.com (74.207.244.221)

Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

The newest version of Nmap can be obtained from https://nmap.org. The newest version of this man page is available at https://nmap.org/book/man.html. It is also included as a chapter of Nmap
Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (see https://nmap.org/book/).

OPTIONS SUMMARY
This options summary is printed when Nmap is run with no arguments, and the latest version is always available at https://svn.nmap.org/nmap/docs/nmap.usage.txt. It helps people remember the most
common options, but is no substitute for the in-depth documentation in the rest of this manual. Some obscure options aren't even included here.

Nmap 7.93 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sY/sZ: SCTP INIT/COOKIE-ECHO scans
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports sequentially - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
script-categories.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--noninteractive: Disable runtime interactions via keyboard
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES

TARGET SPECIFICATION
Everything on the Nmap command-line that isn't an option (or option argument) is treated as a target host specification. The simplest case is to specify a target IP address or hostname for scanning.

When a hostname is given as a target, it is resolved via the Domain Name System (DNS) to determine the IP address to scan. If the name resolves to more than one IP address, only the first one will
be scanned. To make Nmap scan all the resolved addresses instead of only the first one, use the --resolve-all option.

Sometimes you wish to scan a whole network of adjacent hosts. For this, Nmap supports CIDR-style addressing. You can append /numbits to an IP address or hostname and Nmap will scan every IP address
for which the first numbits are the same as for the reference IP or hostname given. For example, 192.168.10.0/24 would scan the 256 hosts between 192.168.10.0 (binary: 11000000 10101000 00001010
00000000) and 192.168.10.255 (binary: 11000000 10101000 00001010 11111111), inclusive. 192.168.10.40/24 would scan exactly the same targets. Given that the host scanme.nmap.org is at the IP address
64.13.134.52, the specification scanme.nmap.org/16 would scan the 65,536 IP addresses between 64.13.0.0 and 64.13.255.255. The smallest allowed value is /0, which targets the whole Internet. The
largest value for IPv4 is /32, which scans just the named host or IP address because all address bits are fixed. The largest value for IPv6 is /128, which does the same thing.

CIDR notation is short but not always flexible enough. For example, you might want to scan 192.168.0.0/16 but skip any IPs ending with .0 or .255 because they may be used as subnet network and
broadcast addresses. Nmap supports this through octet range addressing. Rather than specify a normal IP address, you can specify a comma-separated list of numbers or ranges for each octet. For
example, 192.168.0-255.1-254 will skip all addresses in the range that end in .0 or .255, and 192.168.3-5,7.1 will scan the four addresses 192.168.3.1, 192.168.4.1, 192.168.5.1, and 192.168.7.1.
Either side of a range may be omitted; the default values are 0 on the left and 255 on the right. Using - by itself is the same as 0-255, but remember to use 0- in the first octet so the target
specification doesn't look like a command-line option. Ranges need not be limited to the final octets: the specifier 0-255.0-255.13.37 will perform an Internet-wide scan for all IP addresses ending
in 13.37. This sort of broad sampling can be useful for Internet surveys and research.

IPv6 addresses can be specified by their fully qualified IPv6 address or hostname or with CIDR notation for subnets. Octet ranges aren't yet supported for IPv6.

IPv6 addresses with non-global scope need to have a zone ID suffix. On Unix systems, this is a percent sign followed by an interface name; a complete address might be fe80::a8bb:ccff:fedd:eeff%eth0.
On Windows, use an interface index number in place of an interface name: fe80::a8bb:ccff:fedd:eeff%1. You can see a list of interface indexes by running the command netsh.exe interface ipv6 show
interface.

Nmap accepts multiple host specifications on the command line, and they don't need to be the same type. The command nmap scanme.nmap.org 192.168.0.0/8 10.0.0,1,3-7.- does what you would expect.

While targets are usually specified on the command lines, the following options are also available to control target selection:

-iL inputfilename (Input from list)
Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of
10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts
to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet
ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an
actual file.

The input file may contain comments that start with # and extend to the end of the line.

-iR num hosts (Choose random targets)
For Internet-wide surveys and other research, you may want to choose targets at random. The num hosts argument tells Nmap how many IPs to generate. Undesirable IPs such as those in certain
private, multicast, or unallocated address ranges are automatically skipped. The argument 0 can be specified for a never-ending scan. Keep in mind that some network administrators bristle at
unauthorized scans of their networks and may complain. Use this option at your own risk! If you find yourself really bored one rainy afternoon, try the command nmap -Pn -sS -p 80 -iR 0 --open to
locate random web servers for browsing.

--exclude host1[,host2[,...]] (Exclude hosts/networks)
Specifies a comma-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify. The list you pass in uses normal Nmap syntax, so it can
include hostnames, CIDR netblocks, octet ranges, etc. This can be useful when the network you wish to scan includes untouchable mission-critical servers, systems that are known to react
adversely to port scans, or subnets administered by other people.

--excludefile exclude_file (Exclude list from file)
This offers the same functionality as the --exclude option, except that the excluded targets are provided in a newline-, space-, or tab-delimited exclude_file rather than on the command line.

The exclude file may contain comments that start with # and extend to the end of the line.

-n (No DNS resolution)

Tells Nmap to never do reverse DNS resolution on the active IP addresses it finds. Since DNS can be slow even with Nmap's built-in parallel stub resolver, this option can slash scanning times.

-R (DNS resolution for all targets)
Tells Nmap to always do reverse DNS resolution on the target IP addresses. Normally reverse DNS is only performed against responsive (online) hosts.

--resolve-all (Scan each resolved address)
If a hostname target resolves to more than one address, scan all of them. The default behavior is to only scan the first resolved address. Regardless, only addresses in the appropriate address
family will be scanned: IPv4 by default, IPv6 with -6.

--unique (Scan each address only once)
Scan each IP address only once. The default behavior is to scan each address as many times as it is specified in the target list, such as when network ranges overlap or different hostnames
resolve to the same address.

--system-dns (Use system DNS resolver)
By default, Nmap reverse-resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are
performed in parallel to improve performance. Specify this option to use your system resolver instead (one IP at a time via the getnameinfo call). This is slower and rarely useful unless you
find a bug in the Nmap parallel resolver (please let us know if you do). The system resolver is always used for forward lookups (getting an IP address from a hostname).

--dns-servers server1[,server2[,...]] (Servers to use for reverse DNS queries)
By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv.conf file (Unix) or the Registry (Win32). Alternatively, you may use this option to specify alternate servers.
This option is not honored if you are using --system-dns. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space. This option can
also improve stealth, as your requests can be bounced off just about any recursive DNS server on the Internet.

This option also comes in handy when scanning private networks. Sometimes only a few name servers provide proper rDNS information, and you may not even know where they are. You can scan the
network for port 53 (perhaps with version detection), then try Nmap list scans (-sL) specifying each name server one at a time with --dns-servers until you find one which works.

This option might not be honored if the DNS response exceeds the size of a UDP packet. In such a situation our DNS resolver will make the best effort to extract a response from the truncated
packet, and if not successful it will fall back to using the system resolver. Also, responses that contain CNAME aliases will fall back to the system resolver.

HOST DISCOVERY
One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP
address is slow and usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network administrators may only be interested in hosts running a certain
service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an
external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions.

Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the
simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip the discovery step entirely with a list scan (-sL) or by disabling host discovery (-Pn), or engage the
network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually
active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space
such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of IP
addresses.

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. (For IPv6, the ICMP timestamp
request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the -PE -PS443 -PA80 -PP options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for
IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the connect system call.
This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

The -P* options (which select ping types) can be combined. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes. Also
note that ARP/Neighbor Discovery is done by default against targets on a local Ethernet network even if you specify other -P* options, because it is almost always faster and more effective.

By default, Nmap does host discovery and then performs a port scan against each host it determines is online. This is true even if you specify non-default host discovery types such as UDP probes
(-PU). Read about the -sn option to learn how to perform only host discovery, or use -Pn to skip host discovery and port scan all target addresses. The following options control host discovery:

-sL (List Scan)
The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does
reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago
firewall.

Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names
you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or host discovery cannot be combined with this. If you wish
to disable host discovery while still performing such higher level functionality, read up on the -Pn (skip host discovery) option.

-sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but
you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light
reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host
name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep,
and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged
user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless
--send-ip was specified. The -sn option can be combined with any of the discovery probe types (the -P* options) for greater flexibility. If any of those probe type and port number options are
used, the default probes are overridden. When strict firewalls are in place between the source host running Nmap and the target network, using those advanced techniques is recommended. Otherwise
hosts could be missed when the firewall drops probes or their responses.

In previous releases of Nmap, -sn was known as -sP.

-Pn (No ping)
This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning and to gauge the speed of the network. By default, Nmap
only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with -Pn causes Nmap to attempt the requested
scanning functions against every target IP address specified. So if a /16 sized network is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as
with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. Default timing parameters are used, which
may result in slower scans. To skip host discovery and port scan, while still allowing NSE to run, use the two options -Pn -sn together.

For machines on a local ethernet network, ARP scanning will still be performed (unless --disable-arp-ping or --send-ip is specified) because Nmap needs MAC addresses to further scan target
hosts. In previous versions of Nmap, -Pn was -P0 and -PN.

-PS port list (TCP SYN Ping)
This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports
can be specified as a parameter. The syntax is the same as for the -p except that port type specifiers like T: are not allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note that there
can be no space between -PS and the port list. If multiple probes are specified they will be sent in parallel.

The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port
happens to be open, the target will take the second step of a TCP three-way-handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by
responding with a RST rather than sending an ACK packet which would complete the three-way-handshake and establish a full connection. The RST packet is sent by the kernel of the machine running
Nmap in response to the unexpected SYN/ACK, not by Nmap itself.

Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive.

On Unix boxes, only the privileged user root is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the connect system
call is initiated against each target port. This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. If connect returns with a quick success or an
ECONNREFUSED failure, the underlying TCP stack must have received a SYN/ACK or RST and the host is marked available. If the connection attempt is left hanging until a timeout is reached, the
host is marked as down.

-PA port list (TCP ACK Ping)
The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports
to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process.

The -PA option uses the same default port as the SYN probe (80) and can also take a list of destination ports in the same format. If an unprivileged user tries this, the connect workaround
discussed previously is used. This workaround is imperfect because connect is actually sending a SYN packet rather than an ACK.

The reason for offering both SYN and ACK ping probes is to maximize the chances of bypassing firewalls. Many administrators configure routers and other simple firewalls to block incoming SYN
packets except for those destined for public services like the company web site or mail server. This prevents other incoming connections to the organization, while allowing users to make
unobstructed outgoing connections to the Internet. This non-stateful approach takes up few resources on the firewall/router and is widely supported by hardware and software filters. The Linux
Netfilter/iptables firewall software offers the --syn convenience option to implement this stateless approach. When stateless firewall rules such as this are in place, SYN ping probes (-PS) are
likely to be blocked when sent to closed target ports. In such cases, the ACK probe shines as it cuts right through these rules.

Another common type of firewall uses stateful rules that drop unexpected packets. This feature was initially found mostly on high-end firewalls, though it has become much more common over the
years. The Linux Netfilter/iptables system supports this through the --state option, which categorizes packets based on connection state. A SYN probe is more likely to work against such a
system, as unexpected ACK packets are generally recognized as bogus and dropped. A solution to this quandary is to send both SYN and ACK probes by specifying -PS and -PA.

-PU port list (UDP Ping)
Another host discovery option is the UDP ping, which sends a UDP packet to the given ports. For most ports, the packet will be empty, though some use a protocol-specific payload that is more
likely to elicit a response. The payload database is described at https://nmap.org/book/nmap-payloads.html.

Packet content can also be affected with the --data, --data-string, and --data-length options.

The port list takes the same format as with the previously discussed -PS and -PA options. If no ports are specified, the default is 40125. This default can be configured at compile-time by
changing DEFAULT_UDP_PROBE_PORT_SPEC in nmap.h. A highly uncommon port is used by default because sending to open ports is often undesirable for this particular scan type.

Upon hitting a closed port on the target machine, the UDP probe should elicit an ICMP port unreachable packet in return. This signifies to Nmap that the machine is up and available. Many other
types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a down or unreachable host. A lack of response is also interpreted this way. If an open port is reached,
most services simply ignore the empty packet and fail to return any response. This is why the default probe port is 40125, which is highly unlikely to be in use. A few services, such as the
Character Generator (chargen) protocol, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is available.

The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP. For example, I once owned a Linksys BEFW11S4 wireless broadband router. The external
interface of this device filtered all TCP ports by default, but UDP probes would still elicit port unreachable messages and thus give away the device.

-PY port list (SCTP INIT Ping)
This option sends an SCTP packet containing a minimal INIT chunk. The default destination port is 80 (configurable at compile time by changing DEFAULT_SCTP_PROBE_PORT_SPEC in nmap.h). Alternate
ports can be specified as a parameter. The syntax is the same as for the -p except that port type specifiers like S: are not allowed. Examples are -PY22 and -PY22,80,179,5060. Note that there
can be no space between -PY and the port list. If multiple probes are specified they will be sent in parallel.

The INIT chunk suggests to the remote system that you are attempting to establish an association. Normally the destination port will be closed, and an ABORT chunk will be sent back. If the port
happens to be open, the target will take the second step of an SCTP four-way-handshake by responding with an INIT-ACK chunk. If the machine running Nmap has a functional SCTP stack, then it
tears down the nascent association by responding with an ABORT chunk rather than sending a COOKIE-ECHO chunk which would be the next step in the four-way-handshake. The ABORT packet is sent by
the kernel of the machine running Nmap in response to the unexpected INIT-ACK, not by Nmap itself.

Nmap does not care whether the port is open or closed. Either the ABORT or INIT-ACK response discussed previously tell Nmap that the host is available and responsive.

On Unix boxes, only the privileged user root is generally able to send and receive raw SCTP packets. Using SCTP INIT Pings is currently not possible for unprivileged users.

-PE; -PP; -PM (ICMP Ping Types)
In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo
request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these
packets, rather than responding as required by RFC 1122[2]. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators
monitoring an internal network, they can be a practical and efficient approach. Use the -PE option to enable this echo request behavior.

While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standards (RFC 792[3] and RFC 950[4] ) also specify timestamp request, information request, and address
mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be
used for host discovery. A system that replies is up and available. Nmap does not currently implement information request packets, as they are not widely supported. RFC 1122 insists that “a host
SHOULD NOT implement these messages”. Timestamp and address mask queries can be sent with the -PP and -PM options, respectively. A timestamp reply (ICMP code 14) or address mask reply (code 18)
discloses that the host is available. These two queries can be valuable when administrators specifically block echo request packets while forgetting that other ICMP queries can be used for the
same purpose.

-PO protocol list (IP Protocol Ping)
One of the newer host discovery options is the IP protocol ping, which sends IP packets with the specified protocol number set in their IP header. The protocol list takes the same format as do
port lists in the previously discussed TCP, UDP and SCTP host discovery options. If no protocols are specified, the default is to send multiple IP packets for ICMP (protocol 1), IGMP (protocol
2), and IP-in-IP (protocol 4). The default protocols can be configured at compile-time by changing DEFAULT_PROTO_PROBE_PORT_SPEC in nmap.h. Note that for the ICMP, IGMP, TCP (protocol 6), UDP
(protocol 17) and SCTP (protocol 132), the packets are sent with the proper protocol headers while other protocols are sent with no additional data beyond the IP header (unless any of --data,
--data-string, or --data-length options are specified).

This host discovery method looks for either responses using the same protocol as a probe, or ICMP protocol unreachable messages which signify that the given protocol isn't supported on the
destination host. Either type of response signifies that the target host is alive.

--disable-arp-ping (No ARP or ND Ping)
Nmap normally does ARP or IPv6 Neighbor Discovery (ND) discovery of locally connected ethernet hosts, even if other host discovery options such as -Pn or -PE are used. To disable this implicit
behavior, use the --disable-arp-ping option.

The default behavior is normally faster, but this option is useful on networks using proxy ARP, in which a router speculatively replies to all ARP requests, making every target appear to be up
according to ARP scan.

--discovery-ignore-rst
In some cases, firewalls may spoof TCP reset (RST) replies in response to probes to unoccupied or disallowed addresses. Since Nmap ordinarily considers RST replies to be proof that the target is
up, this can lead to wasted time scanning targets that aren't there. Using the --discovery-ignore-rst will prevent Nmap from considering these replies during host discovery. You may need to
select extra host discovery options to ensure you don't miss targets in this case.

--traceroute (Trace path to host)
Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans
(-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel.

Traceroute works by sending packets with a low TTL (time-to-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host. Standard
traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it
reaches zero. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts. On average Nmap sends 5–10 fewer packets per host, depending on network
conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) Nmap may only have to send two packets to most hosts.

PORT SCANNING BASICS
While Nmap has grown in functionality over the years, it began as an efficient port scanner, and that remains its core function. The simple command nmap target scans 1,000 TCP ports on the host
target. While many port scanners have traditionally lumped all ports into the open or closed states, Nmap is much more granular. It divides ports into six states: open, closed, filtered, unfiltered,
open|filtered, or closed|filtered.

These states are not intrinsic properties of the port itself, but describe how Nmap sees them. For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a
scan at the same time with the same options from across the Internet might show that port as filtered.

The six port states recognized by Nmap

open
An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this port. Finding these is often the primary goal of port scanning. Security-minded people know that
each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports, while administrators try to close or protect them with firewalls without thwarting legitimate
users. Open ports are also interesting for non-security scans because they show services available for use on the network.

closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host
discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking
such ports with a firewall. Then they would appear in the filtered state, discussed next.

filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or
host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination
unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the
probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports
into this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.

open|filtered
Nmap places ports in this state when it is unable to determine whether a port is open or filtered. This occurs for scan types in which open ports give no response. The lack of response could
also mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas
scans classify ports this way.

closed|filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IP ID idle scan.

PORT SCANNING TECHNIQUES
As a novice performing automotive repair, I can struggle for hours trying to fit my rudimentary tools (hammer, duct tape, wrench, etc.) to the task at hand. When I fail miserably and tow my jalopy
to a real mechanic, he invariably fishes around in a huge tool chest until pulling out the perfect gizmo which makes the job seem effortless. The art of port scanning is similar. Experts understand
the dozens of scan techniques and choose the appropriate one (or combination) for a given task. Inexperienced users and script kiddies, on the other hand, try to solve every problem with the default
SYN scan. Since Nmap is free, the only barrier to port scanning mastery is knowledge. That certainly beats the automotive world, where it may take great skill to determine that you need a strut
spring compressor, then you still have to pay thousands of dollars for it.

Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on Unix systems. Using an administrator account on
Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when Npcap has already been loaded into the OS. Requiring root privileges was a serious limitation when
Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have always-on direct Internet access, and
desktop Unix systems (including Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need
to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible.

While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be
untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as they should to Nmap probes. FIN, NULL, and Xmas scans are
particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.

This section documents the dozen or so port scan techniques supported by Nmap. Only one method may be used at a time, except that UDP scan (-sU) and any one of the SCTP scan types (-sY, -sZ) may be
combined with any one of the TCP scan types. As a memory aid, port scan type options are of the form -sC, where C is a prominent character in the scan name, usually the first. The one exception to
this is the deprecated FTP bounce scan (-b). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root
access on Unix). Of the scans listed in this section, unprivileged users can only execute connect and FTP bounce scans.

-sS (TCP SYN scan)
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive
firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of
specific platforms as Nmap's FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a
response. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener. If no response is received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK
flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see https://nmap.org/misc/split-handshake.pdf).

-sT (TCP connect scan)
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan
types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that
web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than read
raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

When SYN scan is available, it is usually a better choice. Nmap has less control over the high level connect call than with raw packets, making it less efficient. The system call completes
connections to open target ports rather than performing the half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target
machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many services on your average Unix system will add a note to syslog,
and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An
administrator who sees a bunch of connection attempts in her logs from a single system should know that she has been connect scanned.

-sU (UDP scans)
While most popular services on the Internet run over the TCP protocol, UDP[5] services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most
common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and
attackers certainly don't ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the
packet is empty unless the --data, --data-string, or --data-length options are specified. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP
unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received
after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be
used to help differentiate the truly open ports from the filtered ones.

A big challenge with UDP scanning is doing it quickly. Open and filtered ports rarely send any response, leaving Nmap to time out and then conduct retransmissions just in case the probe or
response were lost. Closed ports are often an even bigger problem. They usually send back an ICMP port unreachable error. But unlike the RST packets sent by closed TCP ports in response to a SYN
or connect scan, many hosts rate limit ICMP port unreachable messages by default. Linux and Solaris are particularly strict about this. For example, the Linux 2.4.20 kernel limits destination
unreachable messages to one per second (in net/ipv4/icmp.c).

Nmap detects rate limiting and slows down accordingly to avoid flooding the network with useless packets that the target machine will drop. Unfortunately, a Linux-style limit of one packet per
second makes a 65,536-port scan take more than 18 hours. Ideas for speeding your UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first,
scanning from behind the firewall, and using --host-timeout to skip slow hosts.

-sY (SCTP INIT scan)
SCTP[6] is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming. It is
mostly being used for SS7/SIGTRAN related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed
quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes
SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states.

This technique is often referred to as half-open scanning, because you don't open a full SCTP association. You send an INIT chunk, as if you are going to open a real association and then wait
for a response. An INIT-ACK chunk indicates the port is listening (open), while an ABORT chunk is indicative of a non-listener. If no response is received after several retransmissions, the port
is marked as filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.

-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)
These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC[7] to differentiate between open and closed
ports. Page 65 of RFC 793 says that “if the [destination] port state is CLOSED .... an incoming segment not containing a RST causes a RST to be sent in response.” Then the next page discusses
packets sent to open ports without the SYN, RST, or ACK bits set, stating that: “you are unlikely to get here, but if you do, drop the segment, and return.”

When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is
open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) are OK. Nmap exploits this with three scan types:

Null scan (-sN)
Does not set any bits (TCP flag header is 0)

FIN scan (-sF)
Sets just the TCP FIN bit.

Xmas scan (-sX)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If a RST packet is received, the port is considered closed, while no response means it is
open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 0, 1, 2, 3, 9, 10, or 13) is received.

The key advantage to these scan types is that they can sneak through certain non-stateful firewalls and packet filtering routers. Another advantage is that these scan types are a little more
stealthy than even a SYN scan. Don't count on this though—most modern IDS products can be configured to detect them. The big downside is that not all systems follow RFC 793 to the letter. A
number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are
Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports
from certain filtered ones, leaving you with the response open|filtered.

-sA (TCP ACK scan)
This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are
stateful or not and which ports are filtered.

The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as
unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3,
code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.

-sW (TCP Window scan)
Window scan is exactly the same as ACK scan except that it exploits an implementation detail of certain systems to differentiate open ports from closed ones, rather than always printing
unfiltered when a RST is returned. It does this by examining the TCP Window field of the RST packets returned. On some systems, open ports use a positive window size (even for RST packets) while
closed ones have a zero window. So instead of always listing a port as unfiltered when it receives a RST back, Window scan lists the port as open or closed if the TCP Window value in that reset
is positive or zero, respectively.

This scan relies on an implementation detail of a minority of systems out on the Internet, so you can't always trust it. Systems that don't support it will usually return all ports closed. Of
course, it is possible that the machine really has no open ports. If most scanned ports are closed but a few common port numbers (such as 22, 25, 53) are filtered, the system is most likely
susceptible. Occasionally, systems will even show the exact opposite behavior. If your scan shows 1,000 open ports and three closed or filtered ports, then those three may very well be the truly
open ones.

-sM (TCP Maimon scan)
The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two
issues later. This technique is exactly the same as NULL, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793[7] (TCP), a RST packet should be generated in response to
such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open.

--scanflags (Custom TCP scan)
Truly advanced Nmap users need not limit themselves to the canned scan types offered. The --scanflags option allows you to design your own scan by specifying arbitrary TCP flags. Let your
creative juices flow, while evading intrusion detection systems whose vendors simply paged through the Nmap man page adding specific rules!

The --scanflags argument can be a numerical flag value such as 9 (PSH and FIN), but using symbolic names is easier. Just mash together any combination of URG, ACK, PSH, RST, SYN, and FIN. For
example, --scanflags URGACKPSHRSTSYNFIN sets everything, though it's not very useful for scanning. The order these are specified in is irrelevant.

In addition to specifying the desired flags, you can specify a TCP scan type (such as -sA or -sF). That base type tells Nmap how to interpret responses. For example, a SYN scan considers
no-response to indicate a filtered port, while a FIN scan treats the same as open|filtered. Nmap will behave the same way it does for the base scan type, except that it will use the TCP flags
you specify instead. If you don't specify a base type, SYN scan is used.

-sZ (SCTP COOKIE ECHO scan)
SCTP COOKIE ECHO scan is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an
ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan than an INIT scan. Also, there may be non-stateful firewall rulesets blocking INIT chunks,
but not COOKIE ECHO chunks. Don't be fooled into thinking that this will make a port scan invisible; a good IDS will be able to detect SCTP COOKIE ECHO scans too. The downside is that SCTP
COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.

-sI zombie host[:probeport] (idle scan)
This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the target from your real IP address). Instead, a unique side-channel attack
exploits predictable IP fragmentation ID sequence generation on the zombie host to glean information about the open ports on the target. IDS systems will display the scan as coming from the
zombie machine you specify (which must be up and meet certain criteria). This fascinating scan type is too complex to fully describe in this reference guide, so I wrote and posted an informal
paper with full details at https://nmap.org/book/idlescan.html.

Besides being extraordinarily stealthy (due to its blind nature), this scan type permits mapping out IP-based trust relationships between machines. The port listing shows open ports from the
perspective of the zombie host. So you can try scanning a target using various zombies that you think might be trusted (via router/packet filter rules).

You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IP ID changes. Otherwise Nmap will use the port it uses by default for
TCP pings (80).

-sO (IP protocol scan)
IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol
numbers rather than TCP or UDP port numbers. Yet it still uses the -p option to select scanned protocol numbers, reports its results within the normal port table format, and even uses the same
underlying scan engine as the true port scanning methods. So it is close enough to a port scan that it belongs here.

Besides being useful in its own right, protocol scan demonstrates the power of open-source software. While the fundamental idea is pretty simple, I had not thought to add it nor received any
requests for such functionality. Then in the summer of 2000, Gerhard Rieger conceived the idea, wrote an excellent patch implementing it, and sent it to the announce mailing list (then called
nmap-hackers). I incorporated that patch into the Nmap tree and released a new version the next day. Few pieces of commercial software have users enthusiastic enough to design and contribute
their own improvements!

Protocol scan works in a similar fashion to UDP scan. Instead of iterating through the port number field of a UDP packet, it sends IP packet headers and iterates through the eight-bit IP
protocol field. The headers are usually empty, containing no data and not even the proper header for the claimed protocol. The exceptions are TCP, UDP, ICMP, SCTP, and IGMP. A proper protocol
header for those is included since some systems won't send them otherwise and because Nmap already has functions to create them. Instead of watching for ICMP port unreachable messages, protocol
scan is on the lookout for ICMP protocol unreachable messages. If Nmap receives any response in any protocol from the target host, Nmap marks that protocol as open. An ICMP protocol unreachable
error (type 3, code 2) causes the protocol to be marked as closed while port unreachable (type 3, code 3) marks the protocol open. Other ICMP unreachable errors (type 3, code 0, 1, 9, 10, or 13)
cause the protocol to be marked filtered (though they prove that ICMP is open at the same time). If no response is received after retransmissions, the protocol is marked open|filtered

-b FTP relay host (FTP bounce scan)
An interesting feature of the FTP protocol (RFC 959[8]) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a
third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this feature allows is causing the FTP server to port scan other
hosts. Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass
firewalls because organizational FTP servers are often placed where they have more access to other internal hosts than any old Internet host would. Nmap supports FTP bounce scan with the -b
option. It takes an argument of the form username:password@server:port. Server is the name or IP address of a vulnerable FTP server. As with a normal URL, you may omit username:password, in
which case anonymous login credentials (user: anonymous password:-wwwuser@) are used. The port number (and preceding colon) may be omitted as well, in which case the default FTP port (21) on
server is used.

This vulnerability was widespread in 1997 when Nmap was released, but has largely been fixed. Vulnerable servers are still around, so it is worth trying when all else fails. If bypassing a
firewall is your goal, scan the target network for port 21 (or even for any FTP services if you scan all ports with version detection) and use the ftp-bounce NSE script. Nmap will tell you
whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit yourself to hosts on the target network. Before you go
scanning random Internet addresses for vulnerable FTP servers, consider that sysadmins may not appreciate you abusing their servers in this way.

PORT SPECIFICATION AND SCAN ORDER
In addition to all of the scan methods discussed previously, Nmap offers options for specifying which ports are scanned and whether the scan order is randomized or sequential. By default, Nmap scans
the most common 1,000 ports for each protocol.

-p port ranges (Only scan specified ports)
This option specifies which ports you want to scan and overrides the default. Individual port numbers are OK, as are ranges separated by a hyphen (e.g. 1-1023). The beginning and/or end values
of a range may be omitted, causing Nmap to use 1 and 65535, respectively. So you can specify -p- to scan ports from 1 through 65535. Scanning port zero is allowed if you specify it explicitly.
For IP protocol scanning (-sO), this option specifies the protocol numbers you wish to scan for (0–255).

When scanning a combination of protocols (e.g. TCP and UDP), you can specify a particular protocol by preceding the port numbers by T: for TCP, U: for UDP, S: for SCTP, or P: for IP Protocol.
The qualifier lasts until you specify another qualifier. For example, the argument -p U:53,111,137,T:21-25,80,139,8080 would scan UDP ports 53, 111,and 137, as well as the listed TCP ports. Note
that to scan both UDP and TCP, you have to specify -sU and at least one TCP scan type (such as -sS, -sF, or -sT). If no protocol qualifier is given, the port numbers are added to all protocol
lists. Ports can also be specified by name according to what the port is referred to in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan FTP and
all ports whose names begin with “http”, use -p ftp,http*. Be careful about shell expansions and quote the argument to -p if unsure.

Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in nmap-services. For example, the following will scan all ports in nmap-services equal to or
below 1024: -p [-1024]. Be careful with shell expansions and quote the argument to -p if unsure.

--exclude-ports port ranges (Exclude the specified ports from scanning)
This option specifies which ports you do want Nmap to exclude from scanning. The port ranges are specified similar to -p. For IP protocol scanning (-sO), this option specifies the protocol
numbers you wish to exclude (0–255).

When ports are asked to be excluded, they are excluded from all types of scans (i.e. they will not be scanned under any circumstances). This also includes the discovery phase.

-F (Fast (limited port) scan)
Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Nmap needs an nmap-services file with frequency information in order to know which ports are the most common. If port frequency information isn't available, perhaps because of the use of a
custom nmap-services file, Nmap scans all named ports plus ports 1-1024. In that case, -F means to scan only ports that are named in the services file.

-r (Don't randomize ports)
By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable,
but you can specify -r for sequential (sorted from lowest to highest) port scanning instead.

--port-ratio ratio<decimal number between 0 and 1>
Scans all ports in nmap-services file with a ratio greater than the one given. ratio must be between 0.0 and 1.0.

--top-ports n
Scans the n highest-ratio ports found in nmap-services file after excluding all ports specified by --exclude-ports. n must be 1 or greater.

SERVICE AND VERSION DETECTION
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of about 2,200 well-known services, Nmap would report that those
ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate—the vast majority of daemons listening on TCP port 25 are,
in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports.

Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network
inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running. Having an accurate version number helps dramatically in determining which
exploits a server is vulnerable to. Version detection helps you obtain this information.

After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes
database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the
application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux). When possible, Nmap also gets
the Common Platform Enumeration (CPE) representation of this information. Sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user
name, are available. Of course, most services don't provide all of this information. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind
that encryption layer. Some UDP ports are left in the open|filtered state after a UDP port scan is unable to determine whether the port is open or filtered. Version detection will try to elicit a
response from these ports (just as it does with open ports), and change the state to open if it succeeds. open|filtered TCP ports are treated the same way. Note that the Nmap -A option enables
version detection among other things. A paper documenting the workings, usage, and customization of version detection is available at https://nmap.org/book/vscan.html.

When RPC services are discovered, the Nmap RPC grinder is automatically used to determine the RPC program and version numbers. It takes all the TCP/UDP ports detected as RPC and floods them with
SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo
-p even if the target's portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan.

When Nmap receives responses from a service but cannot match them to its database, it prints out a special fingerprint and a URL for you to submit it to if you know for sure what is running on the
port. Please take a couple minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 6,500 pattern matches for more than 650 protocols such
as SMTP, FTP, HTTP, etc.

Version detection is enabled and controlled with the following options:

-sV (Version detection)
Enables version detection, as discussed above. Alternatively, you can use -A, which enables version detection among other things.

-sR is an alias for -sV. Prior to March 2011, it was used to active the RPC grinder separately from version detection, but now these options are always combined.

--allports (Don't exclude any ports from version detection)
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP GET requests, binary SSL session
requests, etc. This behavior can be changed by modifying or removing the Exclude directive in nmap-service-probes, or you can specify --allports to scan all ports regardless of any Exclude
directive.

--version-intensity intensity (Set version scan intensity)
When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. The lower-numbered probes are effective against a wide variety
of common services, while the higher-numbered ones are rarely useful. The intensity level specifies which probes should be applied. The higher the number, the more likely it is the service will
be correctly identified. However, high intensity scans take longer. The intensity must be between 0 and 9. The default is 7. When a probe is registered to the target port via the
nmap-service-probes ports directive, that probe is tried regardless of intensity level. This ensures that the DNS probes will always be attempted against any open port 53, the SSL probe will be
done against 443, etc.

--version-light (Enable light mode)
This is a convenience alias for --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services.

--version-all (Try every single probe)
An alias for --version-intensity 9, ensuring that every single probe is attempted against each port.

--version-trace (Trace version scan activity)
This causes Nmap to print out extensive debugging info about what version scanning is doing. It is a subset of what you get with --packet-trace.

OS DETECTION
One of Nmap's best-known features is remote OS detection using TCP/IP stack fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the
responses. After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db
database of more than 2,600 known OS fingerprints and prints out the OS details if there is a match. Each fingerprint includes a freeform textual description of the OS, and a classification which
provides the vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 10), and device type (general purpose, router, switch, game console, etc). Most fingerprints also have a Common
Platform Enumeration (CPE) representation, like cpe:/o:linux:linux_kernel:2.6.

If Nmap is unable to guess the OS of a machine, and conditions are good (e.g. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if
you know (for sure) the OS running on the machine. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone.

OS detection enables some other tests which make use of information that is gathered during the process anyway. One of these is TCP Sequence Predictability Classification. This measures
approximately how hard it is to establish a forged TCP connection against the remote host. It is useful for exploiting source-IP based trust relationships (rlogin, firewall filters, etc) or for
hiding the source of an attack. This sort of spoofing is rarely performed any more, but many machines are still vulnerable to it. The actual difficulty number is based on statistical sampling and
may fluctuate. It is generally better to use the English classification such as “worthy challenge” or “trivial joke”. This is only reported in normal output in verbose (-v) mode. When verbose mode
is enabled along with -O, IP ID sequence generation is also reported. Most machines are in the “incremental” class, which means that they increment the ID field in the IP header for each packet they
send. This makes them vulnerable to several advanced information gathering and spoofing attacks.

Another bit of extra information enabled by OS detection is a guess at a target's uptime. This uses the TCP timestamp option (RFC 1323[9]) to guess when a machine was last rebooted. The guess can be
inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode.

A paper documenting the workings, usage, and customization of OS detection is available at https://nmap.org/book/osdetect.html.

OS detection is enabled and controlled with the following options:

-O (Enable OS detection)
Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS detection along with other things.

--osscan-limit (Limit OS detection to promising targets)
OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet this criteria.
This can save substantial time, particularly on -Pn scans against many hosts. It only matters when OS detection is requested with -O or -A.

--osscan-guess; --fuzzy (Guess OS detection results)
When Nmap is unable to detect a perfect OS match, it sometimes offers up near-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these
(equivalent) options make Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and display its confidence level (percentage) for each guess.

--max-os-tries (Set the maximum number of OS detection tries against a target)
When Nmap performs OS detection against a target and fails to find a perfect match, it usually repeats the attempt. By default, Nmap tries five times if conditions are favorable for OS
fingerprint submission, and twice when conditions aren't so good. Specifying a lower --max-os-tries value (such as 1) speeds Nmap up, though you miss out on retries which could potentially
identify the OS. Alternatively, a high value may be set to allow even more retries when conditions are favorable. This is rarely done, except to generate better fingerprints for submission and
integration into the Nmap OS database.

NMAP SCRIPTING ENGINE (NSE)
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language[10]

) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts
distributed with Nmap, or write their own to meet custom needs.

Tasks we had in mind when creating the system include network discovery, more sophisticated version detection, vulnerability detection. NSE can even be used for vulnerability exploitation.

To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more categories. Currently defined categories are auth,
broadcast, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. These are all described at https://nmap.org/book/nse-usage.html#nse-categories.

Scripts are not run in a sandbox and thus could accidentally or maliciously damage your system or invade your privacy. Never run scripts from third parties unless you trust the authors or have
carefully audited the scripts yourself.

The Nmap Scripting Engine is described in detail at https://nmap.org/book/nse.html

and is controlled by the following options:

-sC
Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a
target network without permission.

--script filename|category|directory/|expression[,...]
Runs a script scan using the comma-separated list of filenames, script categories, and directories. Each element in the list may also be a Boolean expression describing a more complex set of
scripts. Each element is interpreted first as an expression, then as a category, and finally as a file or directory name.

There are two special features for advanced users only. One is to prefix script names and expressions with + to force them to run even if they normally wouldn't (e.g. the relevant service wasn't
detected on the target port). The other is that the argument all may be used to specify every script in Nmap's database. Be cautious with this because NSE contains dangerous scripts such as
exploits, brute force authentication crackers, and denial of service attacks.

File and directory names may be relative or absolute. Absolute names are used directly. Relative paths are looked for in the scripts of each of the following places until found:
--datadir
$NMAPDIR
~/.nmap (not searched on Windows)
APPDATA\nmap (only on Windows)
the directory containing the nmap executable
the directory containing the nmap executable, followed by ../share/nmap (not searched on Windows)
NMAPDATADIR (not searched on Windows)
the current directory.

When a directory name ending in / is given, Nmap loads every file in the directory whose name ends with .nse. All other files are ignored and directories are not searched recursively. When a
filename is given, it does not have to have the .nse extension; it will be added automatically if necessary. Nmap scripts are stored in a scripts subdirectory of the Nmap data directory by
default (see https://nmap.org/book/data-files.html).

For efficiency, scripts are indexed in a database stored in scripts/script.db, which lists the category or categories in which each script belongs. When referring to scripts from script.db by
name, you can use a shell-style ‘*’ wildcard.

nmap --script "http-*"
Loads all scripts whose name starts with http-, such as http-auth and http-open-proxy. The argument to --script had to be in quotes to protect the wildcard from the shell.

More complicated script selection can be done using the and, or, and not operators to build Boolean expressions. The operators have the same precedence[11] as in Lua: not is the highest,
followed by and and then or. You can alter precedence by using parentheses. Because expressions contain space characters it is necessary to quote them.

nmap --script "not intrusive"
Loads every script except for those in the intrusive category.

nmap --script "default or safe"
This is functionally equivalent to nmap --script "default,safe". It loads all scripts that are in the default category or the safe category or both.

nmap --script "default and safe"
Loads those scripts that are in both the default and safe categories.

nmap --script "(default or safe or intrusive) and not http-*"
Loads scripts in the default, safe, or intrusive categories, except for those whose names start with http-.

--script-args n1=v1,n2={n3=v3},n4={v4,v5}
Lets you provide arguments to NSE scripts. Arguments are a comma-separated list of name=value pairs. Names and values may be strings not containing whitespace or the characters ‘{’, ‘}’, ‘=’, or
‘,’. To include one of these characters in a string, enclose the string in single or double quotes. Within a quoted string, ‘\’ escapes a quote. A backslash is only used to escape quotation
marks in this special case; in all other cases a backslash is interpreted literally. Values may also be tables enclosed in {}, just as in Lua. A table may contain simple string values or more
name-value pairs, including nested tables. Many scripts qualify their arguments with the script name, as in xmpp-info.server_name. You may use that full qualified version to affect just the
specified script, or you may pass the unqualified version (server_name in this case) to affect all scripts using that argument name. A script will first check for its fully qualified argument
name (the name specified in its documentation) before it accepts an unqualified argument name. A complex example of script arguments is --script-args
'user=foo,pass=",{}=bar",whois={whodb=nofollow+ripe},xmpp-info.server_name=localhost'. The online NSE Documentation Portal at https://nmap.org/nsedoc/ lists the arguments that each script
accepts.

--script-args-file filename
Lets you load arguments to NSE scripts from a file. Any arguments on the command line supersede ones in the file. The file can be an absolute path, or a path relative to Nmap's usual search path
(NMAPDIR, etc.) Arguments can be comma-separated or newline-separated, but otherwise follow the same rules as for --script-args, without requiring special quoting and escaping, since they are
not parsed by the shell.

--script-help filename|category|directory|expression|all[,...]
Shows help about scripts. For each script matching the given specification, Nmap prints the script name, its categories, and its description. The specifications are the same as those accepted by
--script; so for example if you want help about the ftp-anon script, you would run nmap --script-help ftp-anon. In addition to getting help for individual scripts, you can use this as a preview
of what scripts will be run for a specification, for example with nmap --script-help default.

--script-trace
This option does what --packet-trace does, just one ISO layer higher. If this option is specified all incoming and outgoing communication performed by a script is printed. The displayed
information includes the communication protocol, the source, the target and the transmitted data. If more than 5% of all transmitted data is not printable, then the trace output is in a hex dump
format. Specifying --packet-trace enables script tracing too.

--script-updatedb
This option updates the script database found in scripts/script.db which is used by Nmap to determine the available default scripts and categories. It is only necessary to update the database if
you have added or removed NSE scripts from the default scripts directory or if you have changed the categories of any script. This option is generally used by itself: nmap --script-updatedb.

TIMING AND PERFORMANCE
One of my highest Nmap development priorities has always been performance. A default scan (nmap hostname) of a host on my local network takes a fifth of a second. That is barely enough time to
blink, but adds up when you are scanning hundreds or thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can
certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how
Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints.

Techniques for improving scan times include omitting non-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). Optimizing timing parameters can
also make a substantial difference. Those options are listed below.

Some options accept a time parameter. This is specified in seconds by default, though you can append ‘ms’, ‘s’, ‘m’, or ‘h’ to the value to specify milliseconds, seconds, minutes, or hours. So the
--host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.

--min-hostgroup numhosts; --max-hostgroup numhosts (Adjust parallel scan group sizes)
Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger
groups are more efficient. The downside is that host results can't be provided until the whole group is finished. So if Nmap started out with a group size of 50, the user would not receive any
reports (except for the updates offered in verbose mode) until the first 50 hosts are completed.

By default, Nmap takes a compromise approach to this conflict. It starts out with a group size as low as five so the first results come quickly and then increases the groupsize to as high as
1024. The exact default numbers depend on the options given. For efficiency reasons, Nmap uses larger group sizes for UDP or few-port TCP scans.

When a maximum group size is specified with --max-hostgroup, Nmap will never exceed that size. Specify a minimum size with --min-hostgroup and Nmap will try to keep group sizes above that level.
Nmap may have to use smaller groups than you specify if there are not enough target hosts left on a given interface to fulfill the specified minimum. Both may be set to keep the group size
within a specific range, though this is rarely desired.

These options do not have an effect during the host discovery phase of a scan. This includes plain ping scans (-sn). Host discovery always works in large groups of hosts to improve speed and
accuracy.

The primary use of these options is to specify a large minimum group size so that the full scan runs more quickly. A common choice is 256 to scan a network in /24 sized chunks. For a scan with
many ports, exceeding that number is unlikely to help much. For scans of just a few port numbers, host group sizes of 2048 or more may be helpful.

--min-parallelism numprobes; --max-parallelism numprobes (Adjust probe parallelization)
These options control the total number of probes that may be outstanding for a host group. They are used for port scanning and host discovery. By default, Nmap calculates an ever-changing ideal
parallelism based on network performance. If packets are being dropped, Nmap slows down and allows fewer outstanding probes. The ideal probe number slowly rises as the network proves itself
worthy. These options place minimum or maximum bounds on that variable. By default, the ideal parallelism can drop to one if the network proves unreliable and rise to several hundred in perfect
conditions.

The most common usage is to set --min-parallelism to a number higher than one to speed up scans of poorly performing hosts or networks. This is a risky option to play with, as setting it too
high may affect accuracy. Setting this also reduces Nmap's ability to control parallelism dynamically based on network conditions. A value of 10 might be reasonable, though I only adjust this
value as a last resort.

The --max-parallelism option is sometimes set to one to prevent Nmap from sending more than one probe at a time to hosts. The --scan-delay option, discussed later, is another way to do this.

--min-rtt-timeout time, --max-rtt-timeout time, --initial-rtt-timeout time (Adjust probe timeouts)
Nmap maintains a running timeout value for determining how long it will wait for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of
previous probes.

If the network latency shows itself to be significant and variable, this timeout can grow to several seconds. It also starts at a conservative (high) level and may stay that way for a while when
Nmap scans unresponsive hosts.

Specifying a lower --max-rtt-timeout and --initial-rtt-timeout than the defaults can cut scan times significantly. This is particularly true for pingless (-Pn) scans, and those against heavily
filtered networks. Don't get too aggressive though. The scan can end up taking longer if you specify such a low value that many probes are timing out and retransmitting while the response is in
transit.

If all the hosts are on a local network, 100 milliseconds (--max-rtt-timeout 100ms) is a reasonable aggressive value. If routing is involved, ping a host on the network first with the ICMP ping
utility, or with a custom packet crafter such as Nping that is more likely to get through a firewall. Look at the maximum round trip time out of ten packets or so. You might want to double that
for the --initial-rtt-timeout and triple or quadruple it for the --max-rtt-timeout. I generally do not set the maximum RTT below 100 ms, no matter what the ping times are. Nor do I exceed
1000 ms.

--min-rtt-timeout is a rarely used option that could be useful when a network is so unreliable that even Nmap's default is too aggressive. Since Nmap only reduces the timeout down to the minimum
when the network seems to be reliable, this need is unusual and should be reported as a bug to the nmap-dev mailing list.

--max-retries numtries (Specify the maximum number of port scan probe retransmissions)
When Nmap receives no response to a port scan probe, it could mean the port is filtered. Or maybe the probe or response was simply lost on the network. It is also possible that the target host
has rate limiting enabled that temporarily blocked the response. So Nmap tries again by retransmitting the initial probe. If Nmap detects poor network reliability, it may try many more times
before giving up on a port. While this benefits accuracy, it also lengthens scan times. When performance is critical, scans may be sped up by limiting the number of retransmissions allowed. You
can even specify --max-retries 0 to prevent any retransmissions, though that is only recommended for situations such as informal surveys where occasional missed ports and hosts are acceptable.

The default (with no -T template) is to allow ten retransmissions. If a network seems reliable and the target hosts aren't rate limiting, Nmap usually only does one retransmission. So most
target scans aren't even affected by dropping --max-retries to a low value such as three. Such values can substantially speed scans of slow (rate limited) hosts. You usually lose some
information when Nmap gives up on ports early, though that may be preferable to letting the --host-timeout expire and losing all information about the target.

--host-timeout time (Give up on slow target hosts)
Some hosts simply take a long time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few
percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. Specify --host-timeout with the maximum amount of
time you are willing to wait. For example, specify 30m to ensure that Nmap doesn't waste more than half an hour on a single host. Note that Nmap may be scanning other hosts at the same time
during that half an hour, so it isn't a complete loss. A host that times out is skipped. No port table, OS detection, or version detection results are printed for that host.

The special value 0 can be used to mean “no timeout”, which can be used to override the T5 timing template, which sets the host timeout to 15 minutes.

--script-timeout time
While some scripts complete in fractions of a second, others can take hours or more depending on the nature of the script, arguments passed in, network and application conditions, and more. The
--script-timeout option sets a ceiling on script execution time. Any script instance which exceeds that time will be terminated and no output will be shown. If debugging (-d) is enabled, Nmap
will report on each timeout. For host and service scripts, a script instance only scans a single target host or port and the timeout period will be reset for the next instance.

The special value 0 can be used to mean “no timeout”, which can be used to override the T5 timing template, which sets the script timeout to 10 minutes.

--scan-delay time; --max-scan-delay time (Adjust delay between probes)
This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting. Solaris machines (among
many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A --scan-delay of 1s will keep Nmap at that
slow rate. Nmap tries to detect rate limiting and adjust the scan delay accordingly, but it doesn't hurt to specify it explicitly if you already know what rate works best.

When Nmap adjusts the scan delay upward to cope with rate limiting, the scan slows down dramatically. The --max-scan-delay option specifies the largest delay that Nmap will allow. A low
--max-scan-delay can speed up Nmap, but it is risky. Setting this value too low can lead to wasteful packet retransmissions and possible missed ports when the target implements strict rate
limiting.

Another use of --scan-delay is to evade threshold based intrusion detection and prevention systems (IDS/IPS).

--min-rate number; --max-rate number (Directly control the scanning rate)
Nmap's dynamic timing does a good job of finding an appropriate speed at which to scan. Sometimes, however, you may happen to know an appropriate scanning rate for a network, or you may have to
guarantee that a scan will be finished by a certain time. Or perhaps you must keep Nmap from scanning too quickly. The --min-rate and --max-rate options are designed for these situations.

When the --min-rate option is given Nmap will do its best to send packets as fast as or faster than the given rate. The argument is a positive real number representing a packet rate in packets
per second. For example, specifying --min-rate 300 means that Nmap will try to keep the sending rate at or above 300 packets per second. Specifying a minimum rate does not keep Nmap from going
faster if conditions warrant.

Likewise, --max-rate limits a scan's sending rate to a given maximum. Use --max-rate 100, for example, to limit sending to 100 packets per second on a fast network. Use --max-rate 0.1 for a slow
scan of one packet every ten seconds. Use --min-rate and --max-rate together to keep the rate inside a certain range.

These two options are global, affecting an entire scan, not individual hosts. They only affect port scans and host discovery scans. Other features like OS detection implement their own timing.

There are two conditions when the actual scanning rate may fall below the requested minimum. The first is if the minimum is faster than the fastest rate at which Nmap can send, which is
dependent on hardware. In this case Nmap will simply send packets as fast as possible, but be aware that such high rates are likely to cause a loss of accuracy. The second case is when Nmap has
nothing to send, for example at the end of a scan when the last probes have been sent and Nmap is waiting for them to time out or be responded to. It's normal to see the scanning rate drop at
the end of a scan or in between hostgroups. The sending rate may temporarily exceed the maximum to make up for unpredictable delays, but on average the rate will stay at or below the maximum.

Specifying a minimum rate should be done with care. Scanning faster than a network can support may lead to a loss of accuracy. In some cases, using a faster rate can make a scan take longer than
it would with a slower rate. This is because Nmap's adaptive retransmission algorithms will detect the network congestion caused by an excessive scanning rate and increase the number of
retransmissions in order to improve accuracy. So even though packets are sent at a higher rate, more packets are sent overall. Cap the number of retransmissions with the --max-retries option if
you need to set an upper limit on total scan time.

--defeat-rst-ratelimit
Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as port-unreachable errors) they send. Some systems now apply similar rate limits to the RST (reset)
packets they generate. This can slow Nmap down dramatically as it adjusts its timing to reflect those rate limits. You can tell Nmap to ignore those rate limits (for port scans such as SYN scan
which don't treat non-responsive ports as open) by specifying --defeat-rst-ratelimit.

Using this option can reduce accuracy, as some ports will appear non-responsive because Nmap didn't wait long enough for a rate-limited RST response. With a SYN scan, the non-response results in
the port being labeled filtered rather than the closed state we see when RST packets are received. This option is useful when you only care about open ports, and distinguishing between closed
and filtered ports isn't worth the extra time.

--defeat-icmp-ratelimit
Similar to --defeat-rst-ratelimit, the --defeat-icmp-ratelimit option trades accuracy for speed, increasing UDP scanning speed against hosts that rate-limit ICMP error messages. Because this
option causes Nmap to not delay in order to receive the port unreachable messages, a non-responsive port will be labeled closed|filtered instead of the default open|filtered. This has the effect
of only treating ports which actually respond via UDP as open. Since many UDP services do not respond in this way, the chance for inaccuracy is greater with this option than with
--defeat-rst-ratelimit.

--nsock-engine iocp|epoll|kqueue|poll|select
Enforce use of a given nsock IO multiplexing engine. Only the select(2)-based fallback engine is guaranteed to be available on your system. Engines are named after the name of the IO management
facility they leverage. Engines currently implemented are epoll, kqueue, poll, and select, but not all will be present on any platform. By default, Nmap will use the "best" engine, i.e. the
first one in this list that is supported. Use nmap -V to see which engines are supported on your platform.

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take
more time than the scan you are trying to optimize. Fortunately, Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0–5) or
their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use
less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and
reliable network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.

These templates allow the user to specify how aggressive they wish to be, while leaving Nmap to pick the exact timing values. The templates also make some minor speed adjustments for which
fine-grained control options do not currently exist. For example, -T4 prohibits the dynamic scan delay from exceeding 10 ms for TCP ports and -T5 caps that value at 5 ms. Templates can be used
in combination with fine-grained controls, and the fine-grained controls that you specify will take precedence over the timing template default for that parameter. I recommend using -T4 when
scanning reasonably modern and reliable networks. Keep that option even when you add fine-grained controls so that you benefit from those extra minor optimizations that it enables.

If you are on a decent broadband or ethernet connection, I would recommend always using -T4. Some people love -T5 though it is too aggressive for my taste. People sometimes specify -T2 because
they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow -T polite really is. Their scan may take ten times
longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options (-T3) and so I normally recommend that for cautious scanners. Omitting version
detection is far more effective than playing with timing values at reducing these problems.

While -T0 and -T1 may be useful for avoiding IDS alerts, they will take an extraordinarily long time to scan thousands of machines or ports. For such a long scan, you may prefer to set the exact
timing values you need rather than rely on the canned -T0 and -T1 values.

The main effects of T0 are serializing the scan so only one port is scanned at a time, and waiting five minutes between sending each probe. T1 and T2 are similar but they only wait 15 seconds
and 0.4 seconds, respectively, between probes. T3 is Nmap's default behavior, which includes parallelization. -T4 does the equivalent of --max-rtt-timeout 1250ms --min-rtt-timeout 100ms
--initial-rtt-timeout 500ms --max-retries 6 and sets the maximum TCP and SCTP scan delay to 10ms. T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout
250ms --max-retries 2 --host-timeout 15m --script-timeout 10m --max-scan-delay as well as setting the maximum TCP and SCTP scan delay to 5ms. Maximum UDP scan delay is not set by T4 or T5, but
it can be set with the --max-scan-delay option.

FIREWALL/IDS EVASION AND SPOOFING
Many Internet pioneers envisioned a global open network with a universal IP address space allowing virtual connections between any two nodes. This allows hosts to act as true peers, serving and
retrieving information from each other. People could access all of their home systems from work, changing the climate control settings or unlocking the doors for early guests. This vision of
universal connectivity has been stifled by address space shortages and security concerns. In the early 1990s, organizations began deploying firewalls for the express purpose of reducing
connectivity. Huge networks were cordoned off from the unfiltered Internet by application proxies, network address translation, and packet filters. The unrestricted flow of information gave way to
tight regulation of approved communication channels and the content that passes over them.

Network obstructions such as firewalls can make mapping a network exceedingly difficult. It will not get any easier, as stifling casual reconnaissance is often a key goal of implementing the
devices. Nevertheless, Nmap offers many features to help understand these complex networks, and to verify that filters are working as intended. It even supports mechanisms for bypassing poorly
implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mind-set of an attacker, and deploy techniques from this
section against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies.

In addition to restricting network activity, companies are increasingly monitoring traffic with intrusion detection systems (IDS). All of the major IDSs ship with rules designed to detect Nmap scans
because scans are sometimes a precursor to attacks. Many of these products have recently morphed into intrusion prevention systems (IPS) that actively block traffic deemed malicious. Unfortunately
for network administrators and IDS vendors, reliably detecting bad intentions by analyzing packet data is a tough problem. Attackers with patience, skill, and the help of certain Nmap options can
usually pass by IDSs undetected. Meanwhile, administrators must cope with large numbers of false positive results where innocent activity is misdiagnosed and alerted on or blocked.

Occasionally people suggest that Nmap should not offer features for evading firewall rules or sneaking past IDSs. They argue that these features are just as likely to be misused by attackers as used
by administrators to enhance security. The problem with this logic is that these methods would still be used by attackers, who would just find other tools or patch the functionality into Nmap.
Meanwhile, administrators would find it that much harder to do their jobs. Deploying only modern, patched FTP servers is a far more powerful defense than trying to prevent the distribution of tools
implementing the FTP bounce attack.

There is no magic bullet (or Nmap option) for detecting and subverting firewalls and IDS systems. It takes skill and experience. A tutorial is beyond the scope of this reference guide, which only
lists the relevant options and describes what they do.

-f (fragment packets); --mtu (using the specified MTU)
The -f option causes the requested scan (including host discovery scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for
packet filters, intrusion detection systems, and other annoyances to detect what you are doing. Be careful with this! Some programs have trouble handling these tiny packets. The old-school
sniffer named Sniffit segmentation faulted immediately upon receiving the first fragment. Specify this option once, and Nmap splits the packets into eight bytes or less after the IP header. So a
20-byte TCP header would be split into three packets. Two with eight bytes of the TCP header, and one with the final four. Of course each fragment also has an IP header. Specify -f again to use
16 bytes per fragment (reducing the number of fragments). Or you can specify your own offset size with the --mtu option. Don't also specify -f if you use --mtu. The offset must be a multiple of
eight. While fragmented packets won't get by packet filters and firewalls that queue all IP fragments, such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, some networks can't afford
the performance hit this causes and thus leave it disabled. Others can't enable this because fragments may take different routes into their networks. Some source systems defragment outgoing
packets in the kernel. Linux with the iptables connection tracking module is one such example. Do a scan while a sniffer such as Wireshark is running to ensure that sent packets are fragmented.
If your host OS is causing problems, try the --send-eth option to bypass the IP layer and send raw ethernet frames.

Fragmentation is only supported for Nmap's raw packet features, which includes TCP and UDP port scans (except connect scan and FTP bounce scan) and OS detection. Features such as version
detection and the Nmap Scripting Engine generally don't support fragmentation because they rely on your host's TCP stack to communicate with target services.

-D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys)
Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5–10 port
scans from unique IP addresses, but they won't know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and
other active mechanisms, it is generally an effective technique for hiding your IP address.

Separate each decoy host with commas, and you can optionally use ME as one of the decoys to represent the position for your real IP address. If you put ME in the sixth position or later, some
common port scan detectors (such as Solar Designer's excellent Scanlogd) are unlikely to show your IP address at all. If you don't use ME, Nmap will put you in a random position. You can also
use RND to generate a random, non-reserved IP address, or RND:number to generate number addresses.

Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on
the network. You might want to use IP addresses instead of names (so the decoy networks don't see you in their nameserver logs). Right now random IP address generation is only supported with
IPv4

Decoys are used both in the initial host discovery scan (using ICMP, SYN, ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection (-O).
Decoys do not work with version detection or TCP connect scan. When a scan delay is in effect, the delay is enforced between each batch of spoofed probes, not between each individual probe.
Because decoys are sent as a batch all at once, they may temporarily violate congestion control limits.

It is worth noting that using too many decoys may slow your scan and potentially even make it less accurate. Also, some ISPs will filter out your spoofed packets, but many do not restrict
spoofed IP packets at all.

-S IP_Address (Spoof source address)
In some circumstances, Nmap may not be able to determine your source address (Nmap will tell you if this is the case). In this situation, use -S with the IP address of the interface you wish to
send packets through.

Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a company being repeatedly port scanned by a competitor! The -e
option and -Pn are generally required for this sort of usage. Note that you usually won't receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won't produce
useful reports.

-e interface (Use specified interface)
Tells Nmap what interface to send and receive packets on. Nmap should be able to detect this automatically, but it will tell you if it cannot.

--source-port portnumber; -g portnumber (Spoof source port number)
One surprisingly common misconfiguration is to trust traffic based only on the source port number. It is easy to understand how this comes about. An administrator will set up a shiny new
firewall, only to be flooded with complaints from ungrateful users whose applications stopped working. In particular, DNS may be broken because the UDP DNS replies from external servers can no
longer enter the network. FTP is another common example. In active FTP transfers, the remote server tries to establish a connection back to the client to transfer the requested file.

Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting
that DNS replies come from port 53 and active FTP from port 20, many administrators have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no
attacker would notice and exploit such firewall holes. In other cases, administrators consider this a short-term stop-gap measure until they can implement a more secure solution. Then they
forget the security upgrade.

Overworked network administrators are not the only ones to fall into this trap. Numerous products have shipped with these insecure rules. Even Microsoft has been guilty. The IPsec filters that
shipped with Windows 2000 and Windows XP contain an implicit rule that allows all TCP or UDP traffic from port 88 (Kerberos). In another well-known case, versions of the Zone Alarm personal
firewall up to 2.1.25 allowed any incoming UDP packets with the source port 53 (DNS) or 67 (DHCP).

Nmap offers the -g and --source-port options (they are equivalent) to exploit these weaknesses. Simply provide a port number and Nmap will send packets from that port where possible. Most
scanning operations that use raw sockets, including SYN and UDP scans, support the option completely. The option notably doesn't have an effect for any operations that use normal operating
system sockets, including DNS requests, TCP connect scan, version detection, and script scanning. Setting the source port also doesn't work for OS detection, because Nmap must use different port
numbers for certain OS detection tests to work properly.

--data hex string (Append custom binary data to sent packets)
This option lets you include binary data as payload in sent packets. hex string may be specified in any of the following formats: 0xAABBCCDDEEFF..., AABBCCDDEEFF... or
\xAA\xBB\xCC\xDD\xEE\xFF.... Examples of use are --data 0xdeadbeef and --data \xCA\xFE\x09. Note that if you specify a number like 0x00ff no byte-order conversion is performed. Make sure you
specify the information in the byte order expected by the receiver.

--data-string string (Append custom string to sent packets)
This option lets you include a regular string as payload in sent packets. string can contain any string. However, note that some characters may depend on your system's locale and the receiver
may not see the same information. Also, make sure you enclose the string in double quotes and escape any special characters from the shell. Examples: --data-string "Scan conducted by Security
Ops, extension 7192" or --data-string "Ph34r my l33t skills". Keep in mind that nobody is likely to actually see any comments left by this option unless they are carefully monitoring the network
with a sniffer or custom IDS rules.

--data-length number (Append random data to sent packets)
Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. Some UDP ports and IP protocols get a custom
payload by default. This option tells Nmap to append the given number of random bytes to most of the packets it sends, and not to use any protocol-specific payloads. (Use --data-length 0 for no
random or protocol-specific payloads. OS detection (-O) packets are not affected because accuracy there requires probe consistency, but most pinging and portscan packets support this. It slows
things down a little, but can make a scan slightly less conspicuous.

--ip-options S|R [route]|L [route]|T|U ... ; --ip-options hex string (Send packets with specified ip options)
The IP protocol[12] offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In
fact, many Internet routers block the most dangerous options such as source routing. Yet options can still be useful in some cases for determining and manipulating the network route to target
machines. For example, you may be able to use the record route option to determine a path to a target even when more traditional traceroute-style approaches fail. Or if your packets are being
dropped by a certain firewall, you may be able to specify a different route with the strict or loose source routing options.

The most powerful way to specify IP options is to simply pass in values as the argument to --ip-options. Precede each hex number with \x then the two digits. You may repeat certain characters by
following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*36\x01 is a hex string containing 36 NUL bytes.

Nmap also offers a shortcut mechanism for specifying options. Simply pass the letter R, T, or U to request record-route, record-timestamp, or both options together, respectively. Loose or strict
source routing may be specified with an L or S followed by a space and then a space-separated list of IP addresses.

If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see
https://seclists.org/nmap-dev/2006/q3/52.

--ttl value (Set IP time-to-live field)
Sets the IPv4 time-to-live field in sent packets to the given value.

--randomize-hosts (Randomize target host order)
Tells Nmap to shuffle each group of up to 16384 hosts before it scans them. This can make the scans less obvious to various network monitoring systems, especially when you combine it with slow
timing options. If you want to randomize over larger group sizes, increase PING_GROUP_SZ in nmap.h and recompile. An alternative solution is to generate the target IP list with a list scan (-sL
-n -oN filename), randomize it with a Perl script, then provide the whole list to Nmap with -iL.

--spoof-mac MAC address, prefix, or vendor name (Spoof MAC address)
Asks Nmap to use the given MAC address

for all of the raw ethernet frames it sends. This option implies --send-eth to ensure that Nmap actually sends ethernet-level packets. The MAC given can take several formats. If it is simply the
number 0, Nmap chooses a completely random MAC address for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those
as the MAC. If fewer than 12 hex digits are provided, Nmap fills in the remainder of the six bytes with random values. If the argument isn't a zero or hex string, Nmap looks through
nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI (three-byte prefix) and fills out the remaining
three bytes randomly. Valid --spoof-mac argument examples are Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco. This option only affects raw packet scans such as SYN scan or OS
detection, not connection-oriented features such as version detection or the Nmap Scripting Engine.

--proxies Comma-separated list of proxy URLs (Relay TCP connections through a chain of proxies)
Asks Nmap to establish TCP connections with a final target through supplied chain of one or more HTTP or SOCKS4 proxies. Proxies can help hide the true source of a scan or evade certain firewall
restrictions, but they can hamper scan performance by increasing latency. Users may need to adjust Nmap timeouts and other scan parameters accordingly. In particular, a lower --max-parallelism
may help because some proxies refuse to handle as many concurrent connections as Nmap opens by default.

This option takes a list of proxies as argument, expressed as URLs in the format proto://host:port. Use commas to separate node URLs in a chain. No authentication is supported yet. Valid
protocols are HTTP and SOCKS4.

Warning: this feature is still under development and has limitations. It is implemented within the nsock library and thus has no effect on the ping, port scanning and OS discovery phases of a
scan. Only NSE and version scan benefit from this option so far—other features may disclose your true address. SSL connections are not yet supported, nor is proxy-side DNS resolution (hostnames
are always resolved by Nmap).

--badsum (Send packets with bogus TCP/UDP checksums)
Asks Nmap to use an invalid TCP, UDP or SCTP checksum for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming
from a firewall or IDS that didn't bother to verify the checksum. For more details on this technique, see https://nmap.org/p60-12.html

--adler32 (Use deprecated Adler32 instead of CRC32C for SCTP checksums)
Asks Nmap to use the deprecated Adler32 algorithm for calculating the SCTP checksum. If --adler32 is not given, CRC-32C (Castagnoli) is used. RFC 2960[13] originally defined Adler32 as checksum
algorithm for SCTP; RFC 4960[6] later redefined the SCTP checksums to use CRC-32C. Current SCTP implementations should be using CRC-32C, but in order to elicit responses from old, legacy SCTP
implementations, it may be preferable to use Adler32.

OUTPUT
Any security tool is only as useful as the output it generates. Complex tests and algorithms are of little value if they aren't presented in an organized and comprehensible fashion. Given the number
of ways Nmap is used by people and other software, no single format can please everyone. So Nmap offers several formats, including the interactive mode for humans to read directly and XML for easy
parsing by software.

In addition to offering different output formats, Nmap provides options for controlling the verbosity of output as well as debugging messages. Output types may be sent to standard output or to named
files, which Nmap can append to or clobber. Output files may also be used to resume aborted scans.

Nmap makes output available in five different formats. The default is called interactive output, and it is sent to standard output (stdout). There is also normal output, which is similar to
interactive except that it displays less runtime information and warnings since it is expected to be analyzed after the scan completes rather than interactively.

XML output is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases.

The two remaining output types are the simple grepable output which includes most information for a target host on a single line, and sCRiPt KiDDi3 0utPUt for users who consider themselves |<-r4d.

While interactive output is the default and has no associated command-line options, the other four format options use the same syntax. They take one argument, which is the filename that results
should be stored in. Multiple formats may be specified, but each format may only be specified once. For example, you may wish to save normal output for your own review while saving XML of the same
scan for programmatic analysis. You might do this with the options -oX myscan.xml -oN myscan.nmap. While this chapter uses the simple names like myscan.xml for brevity, more descriptive names are
generally recommended. The names chosen are a matter of personal preference, though I use long ones that incorporate the scan date and a word or two describing the scan, placed in a directory named
after the company I'm scanning.

While these options save results to files, Nmap still prints interactive output to stdout as usual. For example, the command nmap -oX myscan.xml target prints XML to myscan.xml and fills standard
output with the same interactive results it would have printed if -oX wasn't specified at all. You can change this by passing a hyphen character as the argument to one of the format types. This
causes Nmap to deactivate interactive output, and instead print results in the format you specified to the standard output stream. So the command nmap -oX - target will send only XML output to
stdout. Serious errors may still be printed to the normal error stream, stderr.

Unlike some Nmap arguments, the space between the logfile option flag (such as -oX) and the filename or hyphen is mandatory. If you omit the flags and give arguments such as -oG- or -oXscan.xml, a
backwards compatibility feature of Nmap will cause the creation of normal format output files named G- and Xscan.xml respectively.

All of these arguments support strftime-like conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are all exactly the same as in strftime. %T is the same as %H%M%S, %R is the same as %H%M,
and %D is the same as %m%d%y. A % followed by any other character just yields that character (%% gives you a percent symbol). So -oX 'scan-%T-%D.xml' will use an XML file with a name in the form of
scan-144840-121307.xml.

Nmap also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described below.

Nmap Output Formats

-oN filespec (normal output)
Requests that normal output be directed to the given filename. As discussed above, this differs slightly from interactive output.

-oX filespec (XML output)
Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended
for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. The
latest version is always available from https://svn.nmap.org/nmap/docs/nmap.dtd.

XML offers a stable format that is easily parsed by software. Free XML parsers are available for all major computer languages, including C/C++, Perl, Python, and Java. People have even written
bindings for most of these languages to handle Nmap output and execution specifically. Examples are Nmap::Scanner[14] and Nmap::Parser[15] in Perl CPAN. In almost all cases that a non-trivial
application interfaces with Nmap, XML is the preferred format.

The XML output references an XSL stylesheet which can be used to format the results as HTML. The easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE.
By default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to the hard-coded nmap.xsl filesystem path. Use the --webxml or --stylesheet options to create
portable XML files that render as HTML on any web-connected machine.

-oS filespec (ScRipT KIdd|3 oUTpuT)
Script kiddie output is like interactive output, except that it is post-processed to better suit the l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization and
spelling. Humor impaired people should note that this option is making fun of the script kiddies before flaming me for supposedly “helping them”.

-oG filespec (grepable output)
This output format is covered last because it is deprecated. The XML output format is far more powerful, and is nearly as convenient for experienced users. XML is a standard for which dozens of
excellent parsers are available, while grepable output is my own simple hack. XML is extensible to support new Nmap features as they are released, while I often must omit those features from
grepable output for lack of a place to put them.

Nevertheless, grepable output is still quite popular. It is a simple format that lists each host on one line and can be trivially searched and parsed with standard Unix tools such as grep, awk,
cut, sed, diff, and Perl. Even I usually use it for one-off tests done at the command line. Finding all the hosts with the SSH port open or that are running Solaris takes only a simple grep to
identify the hosts, piped to an awk or cut command to print the desired fields.

Grepable output consists of comments (lines starting with a pound (#)) and target lines. A target line includes a combination of six labeled fields, separated by tabs and followed with a colon.
The fields are Host, Ports, Protocols, Ignored State, OS, Seq Index, IP ID, and Status.

The most important of these fields is generally Ports, which gives details on each interesting port. It is a comma separated list of port entries. Each port entry represents one interesting
port, and takes the form of seven slash (/) separated subfields. Those subfields are: Port number, State, Protocol, Owner, Service, SunRPC info, and Version info.

As with XML output, this man page does not allow for documenting the entire format. A more detailed look at the Nmap grepable output format is available from
https://nmap.org/book/output-formats-grepable-output.html.

-oA basename (Output to all formats)
As a convenience, you may specify -oA basename to store scan results in normal, XML, and grepable formats at once. They are stored in basename.nmap, basename.xml, and basename.gnmap,
respectively. As with most programs, you can prefix the filenames with a directory path, such as ~/nmaplogs/foocorp/ on Unix or c:\hacking\sco on Windows.

Verbosity and debugging options

-v (Increase verbosity level), -vlevel (Set verbosity level)
Increases the verbosity level, causing Nmap to print more information about the scan in progress. Open ports are shown as they are found and completion time estimates are provided when Nmap
thinks a scan will take more than a few minutes. Use it twice or more for even greater verbosity: -vv, or give a verbosity level directly, for example -v3.

Most changes only affect interactive output, and some also affect normal and script kiddie output. The other output types are meant to be processed by machines, so Nmap can give substantial
detail by default in those formats without fatiguing a human user. However, there are a few changes in other modes where output size can be reduced substantially by omitting some detail. For
example, a comment line in the grepable output that provides a list of all ports scanned is only printed in verbose mode because it can be quite long.

-d (Increase debugging level), -dlevel (Set debugging level)
When even verbose mode doesn't provide sufficient data for you, debugging is available to flood you with much more! As with the verbosity option (-v), debugging is enabled with a command-line
flag (-d) and the debug level can be increased by specifying it multiple times, as in -dd, or by setting a level directly. For example, -d9 sets level nine. That is the highest effective level
and will produce thousands of lines unless you run a very simple scan with very few ports and targets.

Debugging output is useful when a bug is suspected in Nmap, or if you are simply confused as to what Nmap is doing and why. As this feature is mostly intended for developers, debug lines aren't
always self-explanatory. You may get something like: Timeout vals: srtt: -1 rttvar: -1 to: 1000000 delta 14987 ==> srtt: 14987 rttvar: 14987 to: 100000. If you don't understand a line, your only
recourses are to ignore it, look it up in the source code, or request help from the development list (nmap-dev). Some lines are self explanatory, but the messages become more obscure as the
debug level is increased.

--reason (Host and port state reasons)
Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A
RST packet from a closed port or an echo reply from an alive host. The information Nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (-sS and -PS) are very
detailed, but the TCP connect scan (-sT) is limited by the implementation of the connect system call. This feature is automatically enabled by the debug option (-d) and the results are stored in
XML log files even if this option is not specified.

--stats-every time (Print periodic timing stats)
Periodically prints a timing status message after each interval of time. The time is a specification of the kind described in the section called “TIMING AND PERFORMANCE”; so for example, use
--stats-every 10s to get a status update every 10 seconds. Updates are printed to interactive output (the screen) and XML output.

--packet-trace (Trace packets and data sent and received)
Causes Nmap to print a summary of every packet sent or received. This is often used for debugging, but is also a valuable way for new users to understand exactly what Nmap is doing under the
covers. To avoid printing thousands of lines, you may want to specify a limited number of ports to scan, such as -p20-30. If you only care about the goings on of the version detection subsystem,
use --version-trace instead. If you only care about script tracing, specify --script-trace. With --packet-trace, you get all of the above.

--open (Show only open (or possibly open) ports)
Sometimes you only care about ports you can actually connect to (open ones), and don't want results cluttered with closed, filtered, and closed|filtered ports. Output customization is normally
done after the scan using tools such as grep, awk, and Perl, but this feature was added due to overwhelming requests. Specify --open to only see hosts with at least one open, open|filtered, or
unfiltered port, and only see ports in those states. These three states are treated just as they normally are, which means that open|filtered and unfiltered may be condensed into counts if there
are an overwhelming number of them.

Beginning with Nmap 7.40, the --open option implies

--defeat-rst-ratelimit, because that option only affects closed and filtered ports, which are hidden by --open.

--iflist (List interfaces and routes)
Prints the interface list and system routes as detected by Nmap and quits. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as
ethernet).

Miscellaneous output options

--append-output (Append to rather than clobber output files)
When you specify a filename to an output format flag such as -oX or -oN, that file is overwritten by default. If you prefer to keep the existing content of the file and append the new results,
specify the --append-output option. All output filenames specified in that Nmap execution will then be appended to rather than clobbered. This doesn't work well for XML (-oX) scan data as the
resultant file generally won't parse properly until you fix it up by hand.

--resume filename (Resume aborted scan)
Some extensive Nmap runs take a very long time—on the order of days. Such scans don't always run to completion. Restrictions may prevent Nmap from being run during working hours, the network
could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash. The administrator running Nmap could cancel it for any other reason as well,
by pressing ctrl-C. Restarting the whole scan from the beginning may be undesirable. Fortunately, if scan output files were kept, the user can ask Nmap to resume scanning with the target it was
working on when execution ceased. Simply specify the --resume option and pass the output file as its argument. No other arguments are permitted, as Nmap parses the output file to use the same
ones specified previously. Simply call Nmap as nmap --resume logfilename. Nmap will append new results to the data files specified in the previous execution. Scans can be resumed from any of the
3 major output formats: Normal, Grepable, or XML

--noninteractive (Disable runtime interactions)
At times, such as when running Nmap in a shell background, it might be undesirable for Nmap to monitor and respond to user keyboard input when running. (See the section called “RUNTIME
INTERACTION” about how to control Nmap during a scan.) Use option --noninteractive to prevent Nmap taking control of the terminal.

--stylesheet path or URL (Set XSL stylesheet to transform XML output)
Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML. The XML output includes an xml-stylesheet directive which points to nmap.xml where it was
initially installed by Nmap. Run the XML file through an XSLT processor such as xsltproc[16] to produce an HTML file. Directly opening the XML file in a browser no longer works well because
modern browsers limit the locations a stylesheet may be loaded from. If you wish to use a different stylesheet, specify it as the argument to --stylesheet. You must pass the full pathname or
URL. One common invocation is --stylesheet https://nmap.org/svn/docs/nmap.xsl. This tells an XSLT processor to load the latest version of the stylesheet from Nmap.Org. The --webxml option does
the same thing with less typing and memorization. Loading the XSL from Nmap.Org makes it easier to view results on a machine that doesn't have Nmap (and thus nmap.xsl) installed. So the URL is
often more useful, but the local filesystem location of nmap.xsl is used by default for privacy reasons.

--webxml (Load stylesheet from Nmap.Org)
This is a convenience option, nothing more than an alias for --stylesheet https://nmap.org/svn/docs/nmap.xsl.

--no-stylesheet (Omit XSL stylesheet declaration from XML)
Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The xml-stylesheet directive is omitted.

MISCELLANEOUS OPTIONS
This section describes some important (and not-so-important) options that don't really fit anywhere else.

-6 (Enable IPv6 scanning)
Nmap has IPv6 support for its most popular features. Ping scanning, port scanning, version detection, and the Nmap Scripting Engine all support IPv6. The command syntax is the same as usual
except that you also add the -6 option. Of course, you must use IPv6 syntax if you specify an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0,
so hostnames are recommended. The output looks the same as usual, with the IPv6 address on the “interesting ports” line being the only IPv6 giveaway.

While IPv6 hasn't exactly taken the world by storm, it gets significant use in some (usually Asian) countries and most modern operating systems support it. To use Nmap with IPv6, both the source
and target of your scan must be configured for IPv6. If your ISP (like most of them) does not allocate IPv6 addresses to you, free tunnel brokers are widely available and work fine with Nmap. I
use the free IPv6 tunnel broker service at http://www.tunnelbroker.net. Other tunnel brokers are listed at Wikipedia[17]. 6to4 tunnels are another popular, free approach.

On Windows, raw-socket IPv6 scans are supported only on ethernet devices (not tunnels), and only on Windows Vista and later. Use the --unprivileged option in other situations.

-A (Aggressive scan options)
This option enables additional advanced and aggressive options. Presently this enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). More
features may be added in the future. The point is to enable a comprehensive set of scan options without people having to remember a large set of flags. However, because script scanning with the
default set is considered intrusive, you should not use -A against target networks without permission. This option only enables features, and not timing options (such as -T4) or verbosity
options (-v) that you might want as well. Options which require privileges (e.g. root access) such as OS detection and traceroute will only be enabled if those privileges are available.

--datadir directoryname (Specify custom Nmap data file location)
Nmap obtains some special data at runtime in files named nmap-service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap-mac-prefixes, and nmap-os-db. If the location of any of these files
has been specified (using the --servicedb or --versiondb options), that location is used for that file. After that, Nmap searches these files in the directory specified with the --datadir option
(if any). Any files not found there, are searched for in the directory specified by the NMAPDIR environment variable. Next comes ~/.nmap for real and effective UIDs; or on Windows,
HOME\AppData\Roaming\nmap (where HOME is the user's home directory, like C:\Users\user). This is followed by the location of the nmap executable and the same location with ../share/nmap
appended. Then a compiled-in location such as /usr/local/share/nmap or /usr/share/nmap.

--servicedb services file (Specify custom services file)
Asks Nmap to use the specified services file rather than the nmap-services data file that comes with Nmap. Using this option also causes a fast scan (-F) to be used. See the description for
--datadir for more information on Nmap's data files.

--versiondb service probes file (Specify custom service probes file)
Asks Nmap to use the specified service probes file rather than the nmap-service-probes data file that comes with Nmap. See the description for --datadir for more information on Nmap's data
files.

--send-eth (Use raw ethernet sending)
Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for the platform it is running
on. Raw sockets (IP layer) are generally most efficient for Unix machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nmap still uses
raw IP packets on Unix despite this option when there is no other choice (such as non-ethernet connections).

--send-ip (Send at raw IP level)
Asks Nmap to send packets via raw IP sockets rather than sending lower level ethernet frames. It is the complement to the --send-eth option discussed previously.

--privileged (Assume that the user is fully privileged)
Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on Unix systems. By default
Nmap quits if such operations are requested but geteuid is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users
to perform raw-packet scans. Be sure to provide this option flag before any flags for options that require privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED environment variable may
be set as an equivalent alternative to --privileged.

--unprivileged (Assume that the user lacks raw socket privileges)
This option is the opposite of --privileged. It tells Nmap to treat the user as lacking network raw socket and sniffing privileges. This is useful for testing, debugging, or when the raw network
functionality of your operating system is somehow broken. The NMAP_UNPRIVILEGED environment variable may be set as an equivalent alternative to --unprivileged.

--release-memory (Release memory before quitting)
This option is only useful for memory-leak debugging. It causes Nmap to release allocated memory just before it quits so that actual memory leaks are easier to spot. Normally Nmap skips this as
the OS does this anyway upon process termination.

-V; --version (Print version number)
Prints the Nmap version number and exits.

-h; --help (Print help summary page)
Prints a short help screen with the most common command flags. Running Nmap without any arguments does the same thing.

RUNTIME INTERACTION
During the execution of Nmap, all key presses are captured. This allows you to interact with the program without aborting and restarting it. Certain special keys will change options, while any other
keys will print out a status message telling you about the scan. The convention is that lowercase letters increase the amount of printing, and uppercase letters decrease the printing. You may also
press ‘?’ for help.

v / V
Increase / decrease the verbosity level

d / D
Increase / decrease the debugging Level

p / P
Turn on / off packet tracing

?
Print a runtime interaction help screen

Anything else
Print out a status message like this:

Stats: 0:00:07 elapsed; 20 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 20:57 (0:00:12 remaining)

EXAMPLES
Here are some Nmap usage examples, from the simple and routine to a little more complex and esoteric. Some actual IP addresses and domain names are used to make things more concrete. In their place
you should substitute addresses/names from your own network. While I don't think port scanning other networks is or should be illegal, some network administrators don't appreciate unsolicited
scanning of their networks and may complain. Getting permission first is the best approach.

For testing purposes, you have permission to scan the host scanme.nmap.org. This permission only includes scanning via Nmap and not testing exploits or denial of service attacks. To conserve
bandwidth, please do not initiate more than a dozen scans against that host per day. If this free scanning target service is abused, it will be taken down and Nmap will report Failed to resolve
given hostname/IP: scanme.nmap.org. These permissions also apply to the hosts scanme2.nmap.org, scanme3.nmap.org, and so on, though those hosts do not currently exist.

nmap -v scanme.nmap.org

This option scans all reserved TCP ports on the machine scanme.nmap.org . The -v option enables verbose mode.

nmap -sS -O scanme.nmap.org/24

Launches a stealth SYN scan against each machine that is up out of the 256 IPs on the /24 sized network where Scanme resides. It also tries to determine what operating system is running on each host
that is up and running. This requires root privileges because of the SYN scan and OS detection.

nmap -sV -p 22,53,110,143,4564 198.116.0-255.1-127

Launches host enumeration and a TCP scan at the first half of each of the 255 possible eight-bit subnets in the 198.116.0.0/16 address space. This tests whether the systems run SSH, DNS, POP3, or
IMAP on their standard ports, or anything on port 4564. For any of these ports found open, version detection is used to determine what application is running.

nmap -v -iR 100000 -Pn -p 80

Asks Nmap to choose 100,000 hosts at random and scan them for web servers (port 80). Host enumeration is disabled with -Pn since first sending a couple probes to determine whether a host is up is
wasteful when you are only probing one port on each target host anyway.

nmap -Pn -p80 -oX logs/pb-port80scan.xml -oG logs/pb-port80scan.gnmap 216.163.128.20/20

This scans 4096 IPs for any web servers (without pinging them) and saves the output in grepable and XML formats.

NMAP BOOK
While this reference guide details all material Nmap options, it can't fully demonstrate how to apply those features to quickly solve real-world tasks. For that, we released Nmap Network Scanning:
The Official Nmap Project Guide to Network Discovery and Security Scanning. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common
networking tasks with the Nmap Scripting Engine. Hints and instructions are provided for common Nmap tasks such as taking network inventory, penetration testing, detecting rogue wireless access
points, and quashing network worm outbreaks. Examples and diagrams show actual communication on the wire. More than half of the book is available free online. See https://nmap.org/book for more
information.

BUGS
Like its author, Nmap isn't perfect. But you can help make it better by sending bug reports or even writing patches. If Nmap doesn't behave the way you expect, first upgrade to the latest version
available from https://nmap.org. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try searching for the problem or error message on Google
since that aggregates so many forums. If nothing comes of this, create an Issue on our tracker (http://issues.nmap.org) and/or mail a bug report to <dev@nmap.org>. If you subscribe to the nmap-dev
list before posting, your message will bypass moderation and get through more quickly. Subscribe at https://nmap.org/mailman/listinfo/dev. Please include everything you have learned about the
problem, as well as what version of Nmap you are using and what operating system version it is running on. Other suggestions for improving Nmap may be sent to the Nmap dev mailing list as well.

If you are able to write a patch improving Nmap or fixing a bug, that is even better! Instructions for submitting patches or git pull requests are available from
https://github.com/nmap/nmap/blob/master/CONTRIBUTING.md

Particularly sensitive issues such as a security reports may be sent directly to Nmap's author Fyodor directly at <fyodor@nmap.org>. All other reports and comments should use the dev list or issue
tracker instead because more people read, follow, and respond to those.

AUTHORS
Gordon “Fyodor” Lyon <fyodor@nmap.org> wrote and released Nmap in 1997. Since then, hundreds of people have made valuable contributions, as detailed in the CHANGELOG file distributed with Nmap and
also available from https://nmap.org/changelog.html. David Fifield and Daniel Miller deserve special recognition for their enormous multi-year contributions!

LEGAL NOTICES
Nmap Copyright and Licensing
The Nmap Security Scanner is (C) 1996–2022 Nmap Software LLC ("The Nmap Project"). Nmap is also a registered trademark of the Nmap Project. It is published under the Nmap Public Source License[18].
This generally allows end users to download and use Nmap for free. It doesn't allow Nmap to be used and redistributed within commercial software or hardware products (including appliances, virtual
machines, and traditional applications). We fund the project by selling a special Nmap OEM Edition for this purpose, as described at https://nmap.org/oem. Hundreds of large and small software
vendors have already purchased OEM licenses to embed Nmap technology such as host discovery, port scanning, OS detection, version detection, and the Nmap Scripting Engine within their products.

The Nmap Project has permission to redistribute Npcap, a packet capturing driver and library for the Microsoft Windows platform. Npcap is a separate work with it's own license rather than this Nmap
license. Since the Npcap license does not permit redistribution without special permission, our Nmap Windows binary packages which contain Npcap may not be redistributed without special permission.

Even though the NPSL is based on GPLv2, it contains different provisions and is not directly compatible. It is incompatible with some other open source licenses as well. In some cases we can
relicense portions of Nmap or grant special permissions to use it in other open source software. Please contact fyodor@nmap.org with any such requests. Similarly, we don't incorporate incompatible
open source software into Nmap without special permission from the copyright holders.

If you have received a written license agreement or contract for Nmap (such as an Nmap OEM license[19]) stating terms other than these, you may choose to use and redistribute Nmap under those terms
instead.

Creative Commons License for this Nmap Guide
This Nmap Reference Guide is (C) 2005–2022 Nmap Software LLC. It is hereby placed under version 3.0 of the Creative Commons Attribution License[20]. This allows you redistribute and modify the work
as you desire, as long as you credit the original source. Alternatively, you may choose to treat this document as falling under the same license as Nmap itself (discussed previously).

Source Code Availability and Community Contributions
Source is provided to this software because we believe users have a right to know exactly what a program is going to do before they run it. This also allows you to audit the software for security
holes.

Source code also allows you to port Nmap to new platforms, fix bugs, and add new features. You are highly encouraged to submit your changes as Github Pull Requests (PR) or send them to
<dev@nmap.org> for possible incorporation into the main distribution. By submitting such changes, it is assumed that you are offering the Nmap Project the unlimited, non-exclusive right to reuse,
modify, and relicense the code. This is important because the inability to relicense code has caused devastating problems for other Free Software projects (such as KDE and NASM). We also sell
commercial licenses to Nmap OEM[21]. If you wish to specify special license conditions of your contributions, just say so when you send them.

No Warranty
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

It should also be noted that Nmap has occasionally been known to crash poorly written applications, TCP/IP stacks, and even operating systems. While this is extremely rare, it is important to keep
in mind. Nmap should never be run against mission critical systems unless you are prepared to suffer downtime. We acknowledge here that Nmap may crash your systems or networks and we disclaim all
liability for any damage or problems Nmap could cause.

Inappropriate Usage
Because of the slight risk of crashes and because a few black hats like to use Nmap for reconnaissance prior to attacking systems, there are administrators who become upset and may complain when
their system is scanned. Thus, it is often advisable to request permission before doing even a light scan of a network.

Nmap should never be installed with special privileges (e.g. suid root). That would open up a major security vulnerability as other users on the system (or attackers) could use it for privilege
escalation.

Nmap is not designed, manufactured, or intended for use in hazardous environments requiring fail- safe performance where the failure of the software could lead directly to death, personal injury, or
significant physical or environmental damage.

Third-Party Software and Funding Notices
This product includes software developed by the Apache Software Foundation[22]. A modified version of the Libpcap portable packet capture library[23] is distributed along with Nmap. The Windows
version of Nmap utilizes the Libpcap-derived Ncap library[24] instead. Regular expression support is provided by the PCRE library[25], which is open-source software, written by Philip Hazel.
Certain raw networking functions use the Libdnet[26] networking library, which was written by Dug Song. A modified version is distributed with Nmap. Nmap can optionally link with the OpenSSL
cryptography toolkit[27] for SSL version detection support. The Nmap Scripting Engine uses an embedded version of the Lua programming language[28]. The Liblinear linear classification library[29]
is used for our IPv6 OS detection machine learning techniques[30].

All of the third-party software described in this paragraph is freely redistributable under BSD-style software licenses.

Binary packages for Windows and Mac OS X include support libraries necessary to run Zenmap and Ndiff with Python and PyGTK. (Unix platforms commonly make these libraries easy to install, so they are
not part of the packages.) A listing of these support libraries and their licenses is included in the LICENSES files.

This software was supported in part through the Google Summer of Code[31] and the DARPA CINDER program[32] (DARPA-BAA-10-84).

United States Export Control
Nmap only uses encryption when compiled with the optional OpenSSL support and linked with OpenSSL. When compiled without OpenSSL support, the Nmap Project believes that Nmap is not subject to U.S.
Export Administration Regulations (EAR)[33] export control. As such, there is no applicable ECCN (export control classification number) and exportation does not require any special license, permit,
or other governmental authorization.

When compiled with OpenSSL support or distributed as source code, the Nmap Project believes that Nmap falls under U.S. ECCN 5D002[34] (“Information Security Software”). We distribute Nmap under the
TSU exception for publicly available encryption software defined in EAR 740.13(e)[35].

NOTES
1. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
https://nmap.org/book/

2. RFC 1122
http://www.rfc-editor.org/rfc/rfc1122.txt

3. RFC 792
http://www.rfc-editor.org/rfc/rfc792.txt

4. RFC 950
http://www.rfc-editor.org/rfc/rfc950.txt

5. UDP
http://www.rfc-editor.org/rfc/rfc768.txt

6. SCTP
http://www.rfc-editor.org/rfc/rfc4960.txt

7. TCP RFC
http://www.rfc-editor.org/rfc/rfc793.txt

8. RFC 959
http://www.rfc-editor.org/rfc/rfc959.txt

9. RFC 1323
http://www.rfc-editor.org/rfc/rfc1323.txt

10. Lua programming language
http://lua.org

11. precedence
http://www.lua.org/manual/5.1/manual.html#2.5.3

12. IP protocol
http://www.rfc-editor.org/rfc/rfc791.txt

13. RFC 2960
http://www.rfc-editor.org/rfc/rfc2960.txt

14. Nmap::Scanner
http://sourceforge.net/projects/nmap-scanner/

15. Nmap::Parser
http://nmapparser.wordpress.com/

16. xsltproc
http://xmlsoft.org/XSLT/

17. listed at Wikipedia
http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers

18. Nmap Public Source License
https://nmap.org/npsl

19. Nmap OEM license
https://nmap.org/oem/

20. Creative Commons Attribution License
http://creativecommons.org/licenses/by/3.0/

21. Nmap OEM
https://nmap.org/oem

22. Apache Software Foundation
https://www.apache.org

23. Libpcap portable packet capture library
https://www.tcpdump.org

24. Ncap library
https://npcap.com

25. PCRE library
https://pcre.org

26. Libdnet
http://libdnet.sourceforge.net

27. OpenSSL cryptography toolkit
https://openssl.org

28. Lua programming language
https://lua.org

29. Liblinear linear classification library
https://www.csie.ntu.edu.tw/~cjlin/liblinear/

30. IPv6 OS detection machine learning techniques
https://nmap.org/book/osdetect-guess.html#osdetect-guess-ipv6

31. Google Summer of Code
https://nmap.org/soc/

32. DARPA CINDER program
https://www.fbo.gov/index?s=opportunity&mode=form&id=585e02a51f77af5cb3c9e06b9cc82c48&tab=core&_cview=1

33. Export Administration Regulations (EAR)
https://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear

34. 5D002
https://www.bis.doc.gov/index.php/documents/regulations-docs/federal-register-notices/federal-register-2014/951-ccl5-pt2/file

35. EAR 740.13(e)
https://www.bis.doc.gov/index.php/documents/regulations-docs/2341-740-2/file

Nmap 08/31/2022 NMAP(1)</nowiki>

WHOIS - Manpage

2026-01-17T11:36:12Z

Admin: /* Querying an ASN (Autonomous System Number) */

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Examples ==

=== `-i` (IP Address Information) ===
This option queries information for an IP address.

Example:
<nowiki>
whois -i 192.168.1.1</nowiki>

This will provide WHOIS information for the IP address `192.168.1.1`.

=== `-r` (Recursive) ===
The `-r` option enables recursive queries to gather more information about a domain.

Example:
<nowiki>
whois -r example.com</nowiki>

=== Querying an ASN (Autonomous System Number) ===
If you want to retrieve information about a specific ASN:
<nowiki>
whois AS15169</nowiki>

== whois Manpage ==

<nowiki>
WHOIS(1) Debian GNU/Linux WHOIS(1)

NAME
whois - client for the whois directory service

SYNOPSIS
whois [ { -h | --host } HOST ] [ { -p | --port } PORT ] [ -abBcdGHIKlLmMrRx ] [ -g SOURCE:FIRST-LAST ] [ -i ATTR[,ATTR]... ] [ -s SOURCE[,SOURCE]... ] [ -T TYPE[,TYPE]... ] [ --verbose ] [ --no-recursion ] OBJECT

whois -q KEYWORD

whois -t TYPE

whois -v TYPE

whois --help

whois --version

DESCRIPTION
whois searches for an object in a RFC 3912 database.

This version of the whois client tries to guess the right server to ask for the specified object. If no guess can be made it will connect to whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and net‐
work names.

OPTIONS
-h HOST, --host=HOST Connect to HOST.

-H Do not display the legal disclaimers that some registries like to show you.

-p PORT, --port=PORT Connect to PORT.

-I First query whois.iana.org and then follow its referral to the whois server authoritative for that request. This works for IP addresses, AS numbers and domains. BEWARE: this implies that the IANA server will receive your
complete query.

--no-recursion
Disable recursion from registry to registrar servers.

--verbose
Be verbose.

--help Display online help.

--version
Display the program version.

Other options are flags understood by whois.ripe.net and some other RIPE-like servers:

-a Also search all the mirrored databases.

-b Return brief IP address ranges with abuse contact.

-B Disable objects filtering. (Show the e-mail addresses.)

-c Return the smallest IP address range with a reference to an irt object.

-d Return the reverse DNS delegation object too.

-g SOURCE:FIRST-LAST Search updates from SOURCE database between FIRST and LAST update serial number. It is useful to obtain Near Real Time Mirroring stream.

-G Disable grouping of associated objects.

-i ATTR[,ATTR]... Inverse-search objects having associated attributes. ATTR is the attribute name, while the positional OBJECT argument is the attribute value.

-K Return primary key attributes only. An exception is the members attribute of set objects, which is always returned. Another exception are all attributes of the objects organisation, person and role, that are never re‐
turned.

-l Return the one level less specific object.

-L Return all levels of less specific objects.

-m Return all one level more specific objects.

-M Return all levels of more specific objects.

-q KEYWORD Return information about the server. KEYWORD can be version for the server version, sources for the list of database sources or types for the list of supported object types.

-r Disable recursive lookups for contact information.

-R Disable following referrals and force showing the object from the local copy in the server.

-s SOURCE[,SOURCE]... Request the server to search for objects mirrored from SOURCE. Sources are delimited by comma, and the order is significant. Use the -q sources parameter to obtain a list of valid sources.

-t TYPE Return the template for a object of TYPE.

-T TYPE[,TYPE]... Restrict the search to objects of TYPE. Multiple types are separated by a comma.

-v TYPE Return the verbose template for a object of TYPE.

-x Search for only exact match on network address prefix.

NOTES
When querying the Verisign gTLDs (e.g. .com, .net...) thin registry servers for a domain, the program will automatically prepend the domain keyword to only show domain records. The nameserver or registrar keywords must be used to
show other kinds of records.

When querying whois.arin.net for IPv4 or IPv6 networks, the CIDR netmask length will be automatically removed from the query string.

When querying whois.nic.ad.jp for AS numbers, the program will automatically convert the request in the appropriate format, inserting a space after the string AS.

When querying whois.denic.de for domain names and no other flags have been specified, the program will automatically add the flag -T dn.

When querying whois.dk-hostmaster.dk for domain names and no other flags have been specified, the program will automatically add the flag --show-handles.

RIPE-specific command line options are ignored when querying non-RIPE servers. This may or may not be the behaviour intended by the user. When using non-standard query parameters then the command line options which are not to be
interpreted by the client must follow the -- separator (which marks the beginning of the query string).

If the /etc/whois.conf configuration file exists, it will be consulted to find a server before applying the normal rules. Each line of the file should contain a regular expression to be matched against the query text and the
whois server to use, separated by white space. IDN domains must use the ACE format.

The whois protocol does not specify an encoding for characters which cannot be represented by ASCII and implementations vary wildly. If the program knows that a specific server uses a certain encoding, if needed it will transcode
the server output to the encoding specified by the current system locale.

Command line arguments will always be interpreted accordingly to the current system locale and converted to the IDN ASCII Compatible Encoding.

FILES
/etc/whois.conf

ENVIRONMENT
LANG When querying whois.nic.ad.jp and whois.jprs.jp English text is requested unless the LANG or LC_MESSAGES environment variables specify a Japanese locale.

WHOIS_OPTIONS
A list of options which will be evaluated before the ones specified on the command line.

WHOIS_SERVER
This server will be queried if the program cannot guess where some kind of objects are located. If the variable does not exist then whois.arin.net will be queried.

SEE ALSO
whois.conf(5).

RFC 3912: WHOIS Protocol Specification.

RIPE Database Query Reference Manual: <https://www.ripe.net/data-tools/support/documentation/ripe-database-query-reference-manual>

BUGS
The program may have buffer overflows in the command line parser: be sure to not pass untrusted data to it. It should be rewritten to use a dynamic strings library.

HISTORY
This program closely tracks the user interface of the whois client developed at RIPE by Ambrose Magee and others on the base of the original BSD client.

AUTHOR
Whois and this man page were written by Marco d'Itri <md@linux.it> and are licensed under the terms of the GNU General Public License, version 2 or later.

Marco d'Itri 2019-12-30 WHOIS(1)</nowiki>

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

WHOIS - Manpage

2026-01-17T11:35:55Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == Quick Examples == === `-i` (IP Address Information) === This option queries information for an IP address. Example: <nowiki> whois -i 192.168.1.1</nowiki> This will provide WHOIS information for the IP address `192.168.1.1`. === `-r` (Recursive) === The `-r` option enables recursive queries to gather more information about a domain. Example: <nowiki> whois -r exampl..."

WC - Manpage

2026-01-17T11:30:02Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Quick Example ==

Count the lines of a command return :

<nowiki>
first command | wc -l</nowiki>

== wc Manpage ==

<nowiki>
WC(1) User Commands WC(1)

NAME
wc - print newline, word, and byte counts for each file

SYNOPSIS
wc [OPTION]... [FILE]...
wc [OPTION]... --files0-from=F

DESCRIPTION
Print newline, word, and byte counts for each FILE, and a total line if more than one FILE is specified. A word is a nonempty sequence of non white space delimited by white space characters or by start or end of input.

With no FILE, or when FILE is -, read standard input.

The options below may be used to select which counts are printed, always in the following order: newline, word, character, byte, maximum line length.

-c, --bytes
print the byte counts

-m, --chars
print the character counts

-l, --lines
print the newline counts

--files0-from=F
read input from the files specified by NUL-terminated names in file F; If F is - then read names from standard input

-L, --max-line-length
print the maximum display width

-w, --words
print the word counts

--total=WHEN
when to print a line with total counts; WHEN can be: auto, always, only, never

--help display this help and exit

--version
output version information and exit

AUTHOR
Written by Paul Rubin and David MacKenzie.

REPORTING BUGS
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Report any translation bugs to <https://translationproject.org/team/>

SEE ALSO
Full documentation <https://www.gnu.org/software/coreutils/wc>
or available locally via: info '(coreutils) wc invocation'

Packaged by Debian (9.7-3)
Copyright © 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

GNU coreutils 9.7 June 2025 WC(1)</nowiki>

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

WC - Manpage

2026-01-17T11:28:00Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == wc Manpage == <nowiki> WC(1) User Commands WC(1) NAME wc - print newline, word, and byte counts for each file SYNOPSIS wc [OPTION]... [FILE]......"

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== wc Manpage ==

<nowiki>
WC(1) User Commands WC(1)

NAME
wc - print newline, word, and byte counts for each file

SYNOPSIS
wc [OPTION]... [FILE]...
wc [OPTION]... --files0-from=F

DESCRIPTION
Print newline, word, and byte counts for each FILE, and a total line if more than one FILE is specified. A word is a nonempty sequence of non white space delimited by white space characters or by start or end of input.

With no FILE, or when FILE is -, read standard input.

The options below may be used to select which counts are printed, always in the following order: newline, word, character, byte, maximum line length.

-c, --bytes
print the byte counts

-m, --chars
print the character counts

-l, --lines
print the newline counts

--files0-from=F
read input from the files specified by NUL-terminated names in file F; If F is - then read names from standard input

-L, --max-line-length
print the maximum display width

-w, --words
print the word counts

--total=WHEN
when to print a line with total counts; WHEN can be: auto, always, only, never

--help display this help and exit

--version
output version information and exit

AUTHOR
Written by Paul Rubin and David MacKenzie.

REPORTING BUGS
GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Report any translation bugs to <https://translationproject.org/team/>

SEE ALSO
Full documentation <https://www.gnu.org/software/coreutils/wc>
or available locally via: info '(coreutils) wc invocation'

Packaged by Debian (9.7-3)
Copyright © 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

GNU coreutils 9.7 June 2025 WC(1)</nowiki>

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

MTR - Manpage

2026-01-17T11:27:05Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== mtr --help ==

<nowiki>
Usage:
mtr [options] hostname

-F, --filename FILE read hostname(s) from a file
-4 use IPv4 only
-6 use IPv6 only
-u, --udp use UDP instead of ICMP echo
-T, --tcp use TCP instead of ICMP echo
-I, --interface NAME use named network interface
-a, --address ADDRESS bind the outgoing socket to ADDRESS
-f, --first-ttl NUMBER set what TTL to start
-m, --max-ttl NUMBER maximum number of hops
-U, --max-unknown NUMBER maximum unknown host
-P, --port PORT target port number for TCP, SCTP, or UDP
-L, --localport LOCALPORT source port number for UDP
-s, --psize PACKETSIZE set the packet size used for probing
-B, --bitpattern NUMBER set bit pattern to use in payload
-i, --interval SECONDS ICMP echo request interval
-G, --gracetime SECONDS number of seconds to wait for responses
-Q, --tos NUMBER type of service field in IP header
-e, --mpls display information from ICMP extensions
-Z, --timeout SECONDS seconds to keep probe sockets open
-M, --mark MARK mark each sent packet
-r, --report output using report mode
-w, --report-wide output wide report
-c, --report-cycles COUNT set the number of pings sent
-j, --json output json
-x, --xml output xml
-C, --csv output comma separated values
-l, --raw output raw format
-p, --split split output
-t, --curses use curses terminal interface
--displaymode MODE select initial display mode
-n, --no-dns do not resolve host names
-b, --show-ips show IP numbers and host names
-o, --order FIELDS select output fields
-y, --ipinfo NUMBER select IP information in output
-z, --aslookup display AS number
-h, --help display this help and exit
-v, --version output version information and exit

See the 'man 8 mtr' for details.</nowiki>

== Manpage ==

<nowiki>
MTR(8) System Administration MTR(8)

NAME
mtr - a network diagnostic tool

SYNOPSIS
mtr [-4|-6] [-F FILENAME] [--report] [--report-wide] [--xml] [--gtk] [--curses] [--displaymode MODE] [--raw] [--csv] [--json] [--split] [--no-dns] [--show-ips] [-o FIELDS] [-y IPINFO] [--aslookup]
[-i INTERVAL] [-c COUNT] [-s PACKETSIZE] [-B BITPATTERN] [-G GRACEPERIOD] [-Q TOS] [--mpls] [-I NAME] [-a ADDRESS] [-f FIRST-TTL] [-m MAX-TTL] [-U MAX-UNKNOWN] [--udp] [--tcp] [--sctp] [-P PORT]
[-L LOCALPORT] [-Z TIMEOUT] [-M MARK] HOSTNAME

DESCRIPTION
mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

As mtr starts, it investigates the network connection between the host mtr runs on and HOSTNAME by sending packets with purposely low TTLs. It continues to send packets with low TTL, noting the re‐
sponse time of the intervening routers. This allows mtr to print the response percentage and response times of the internet route to HOSTNAME. A sudden increase in packet loss or response time is
often an indication of a bad (or simply overloaded) link.

The results are usually reported as round-trip-response times in milliseconds and the percentage of packet loss.

OPTIONS
-h, --help
Print the summary of command line argument options.

-v, --version
Print the installed version of mtr.

-4 Use IPv4 only.

-6 Use IPv6 only. (IPV4 may be used for DNS lookups.)

-F FILENAME, --filename FILENAME
Reads the list of hostnames from the specified file.

-r, --report
This option puts mtr into report mode. When in this mode, mtr will run for the number of cycles specified by the -c option, and then print statistics and exit.

This mode is useful for generating statistics about network quality.
Note that each running instance of mtr generates a significant amount of network traffic. Using mtr to measure the quality of your network may result in decreased network performance.

-w, --report-wide
This option puts mtr into wide report mode. When in this mode, mtr will not cut hostnames in the report.

-x, --xml
Use this option to tell mtr to use the xml output format. This format is better suited for automated processing of the measurement results.

-t, --curses
Use this option to force mtr to use the curses based terminal interface (if available). In case the list of hops exceeds the height of your terminal, you can use the + and - keys to scroll
up and down half a page.

Ctrl-L clears spurious error messages that may overwrite other parts of the display.

--displaymode MODE
Use this option to select the initial display mode: 0 (default) selects statistics, 1 selects the stripchart without latency information, and 2 selects the stripchart with latency informa‐
tion.

-g, --gtk
Use this option to force mtr to use the GTK+ based X11 window interface (if available). GTK+ must have been available on the system when mtr was built for this to work. See the GTK+ web
page at ⟨http://www.gtk.org/⟩ for more information about GTK+.

-l, --raw
Use the raw output format. This format is better suited for archival of the measurement results. It could be parsed to be presented into any of the other display methods.

Example of the raw output format:
h 0 10.1.1.1
p 0 339
h 1 46.149.16.4
p 1 530
h 2 172.31.1.16
p 2 531
h 3 82.221.168.236
p 3 1523
h 5 195.130.211.8
p 5 1603
h 6 193.4.58.17
p 6 1127
h 7 193.4.58.17
d 7 www.isnic.is

-C, --csv
Use the Comma-Separated-Value (CSV) output format. (Note: The separator is actually a semi-colon ';'.)

Example of the CSV output format:
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;1;r-76520-PROD.greenqloud.internal;288
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;2;46.149.16.4;2086
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;3;172.31.1.16;600
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;4;82.221.168.236;1163
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;5;???;0
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;6;rix-k2-gw.isnic.is;1654
MTR.0.86+git:16e39fc0;1435562787;OK;nic.is;7;www.isnic.is;1036

-j, --json
Use this option to tell mtr to use the JSON output format. This format is better suited for automated processing of the measurement results. Jansson library must have been available on the
system when mtr was built for this to work.

-p, --split
Use this option to set mtr to spit out a format that is suitable for a split-user interface.

-n, --no-dns
Use this option to force mtr to display numeric IP numbers and not try to resolve the host names.

-b, --show-ips
Use this option to tell mtr to display both the host names and numeric IP numbers. In split mode this adds an extra field to the output. In report mode, there is usually too little space to
add the IPs, and they will be truncated. Use the wide report (-w) mode to see the IPs in report mode.

-o FIELDS, --order FIELDS
Use this option to specify which fields to display and in which order. You may use one or more space characters to separate fields.
Available fields:

┌──┬─────────────────────┐
│L │ Loss ratio │
├──┼─────────────────────┤
│D │ Dropped packets │
├──┼─────────────────────┤
│R │ Received packets │
├──┼─────────────────────┤
│S │ Sent Packets │
├──┼─────────────────────┤
│N │ Newest RTT(ms) │
├──┼─────────────────────┤
│B │ Min/Best RTT(ms) │
├──┼─────────────────────┤
│A │ Average RTT(ms) │
├──┼─────────────────────┤
│W │ Max/Worst RTT(ms) │
├──┼─────────────────────┤
│V │ Standard Deviation │
├──┼─────────────────────┤
│G │ Geometric Mean │
├──┼─────────────────────┤
│J │ Current Jitter │
├──┼─────────────────────┤
│M │ Jitter Mean/Avg. │
├──┼─────────────────────┤
│X │ Worst Jitter │
├──┼─────────────────────┤
│I │ Interarrival Jitter │
└──┴─────────────────────┘
Example: -o "LSD NBAW X"

-y n, --ipinfo n
Displays information about each IP hop. Valid values for n are:

0 Display AS number (equivalent to -z)
1 Display IP prefix
2 Display country code of the origin AS
3 Display RIR (ripencc, arin, ...)
4 Display the allocation date of the IP prefix

It is possible to cycle between these fields at runtime (using the y key).

-z, --aslookup
Displays the Autonomous System (AS) number alongside each hop. Equivalent to --ipinfo 0.

Example (columns to the right not shown for clarity):
1. AS??? r-76520-PROD.greenqloud.internal
2. AS51969 46.149.16.4
3. AS??? 172.31.1.16
4. AS30818 82.221.168.236
5. ???
6. AS??? rix-k2-gw.isnic.is
7. AS1850 www.isnic.is

-i SECONDS, --interval SECONDS
Use this option to specify the positive number of seconds between ICMP ECHO requests. The default value for this parameter is one second. The root user may choose values between zero and
one.

-c COUNT, --report-cycles COUNT
Use this option to set the number of pings sent to determine both the machines on the network and the reliability of those machines. Each cycle lasts one second.

-s PACKETSIZE, --psize PACKETSIZE
This option sets the packet size used for probing. It is in bytes, inclusive IP and ICMP headers.

If set to a negative number, every iteration will use a different, random packet size up to that number.

-B NUM, --bitpattern NUM
Specifies bit pattern to use in payload. Should be within range 0 - 255. If NUM is greater than 255, a random pattern is used.

-G SECONDS, --gracetime SECONDS
Use this option to specify the positive number of seconds to wait for responses after the final request. The default value is five seconds.

-Q NUM, --tos NUM
Specifies value for type of service field in IP header. Should be within range 0 - 255.

-e, --mpls
Use this option to tell mtr to display information from ICMP extensions for MPLS (RFC 4950) that are encoded in the response packets.

-I NAME, --interface NAME
Use the network interface with a specific name for sending network probes. This can be useful when you have multiple network interfaces with routes to your destination, for example both
wired Ethernet and WiFi, and wish to test a particular interface.

-a ADDRESS, --address ADDRESS
Use this option to bind the outgoing socket to ADDRESS, so that all packets will be sent with ADDRESS as source address. NOTE that this option doesn't apply to DNS requests (which could be
and could not be what you want).

-f NUM, --first-ttl NUM
Specifies with what TTL to start. Defaults to 1.

-m NUM, --max-ttl NUM
Specifies the maximum number of hops (max time-to-live value) traceroute will probe. Default is 30.

-U NUM, --max-unknown NUM
Specifies the maximum unknown host. Default is 5.

-u, --udp
Use UDP datagrams instead of ICMP ECHO.

-T, --tcp
Use TCP SYN packets instead of ICMP ECHO. PACKETSIZE is ignored, since SYN packets can not contain data.

-S, --sctp
Use Stream Control Transmission Protocol packets instead of ICMP ECHO.

-P PORT, --port PORT
The target port number for TCP/SCTP/UDP traces.

-L LOCALPORT, --localport LOCALPORT
The source port number for UDP traces.

-Z SECONDS, --timeout SECONDS
The number of seconds to keep probe sockets open before giving up on the connection. Using large values for this, especially combined with a short interval, will use up a lot of file de‐
scriptors.

-M MARK, --mark MARK
Set the mark for each packet sent through this socket similar to the netfilter MARK target but socket-based. MARK is 32 unsigned integer. See socket(7) for full description of this socket
option.

ENVIRONMENT
mtr recognizes a few environment variables.

MTR_OPTIONS
This environment variable allows one to specify options, as if they were passed on the command line. It is parsed before reading the actual command line options, so that options specified in
MTR_OPTIONS are overridden by command-line options.

Example:

MTR_OPTIONS="-4 -c 1" mtr -6 localhost

would send one probe (because of -c 1) towards ::1 (because of -6, which overrides the -4 passed in MTR_OPTIONS).

MTR_PACKET
A path to the mtr-packet executable, to be used for sending and receiving network probes. If MTR_PACKET is unset, the PATH will be used to search for an mtr-packet executable.

DISPLAY
Specifies an X11 server for the GTK+ frontend.

INTERACTIVE CONTROL
mtr can be controlled while it is running with the following keys:
?|h help
p pause (SPACE to resume)
d switching display mode
e toggle MPLS information on/off
n toggle DNS on/off
r reset all counters
o str set the columns to display, default str='LRS N BAWV'
j toggle latency(LS NABWV)/jitter(DR AGJMXI) stats
c <n> report cycle n, default n=infinite
i <n> set the ping interval to n seconds, default n=1
f <n> set the initial time-to-live(ttl), default n=1
m <n> set the max time-to-live, default n= # of hops
s <n> set the packet size to n or random(n<0)
b <c> set ping bit pattern to c(0..255) or random(c<0)
Q <t> set ping packet's TOS to t
u switch between ICMP ECHO and UDP datagrams
y switching IP info
z toggle ASN info on/off
q exit

BUGS
Some modern routers give a lower priority to ICMP ECHO packets than to other network traffic. Consequently, the reliability of these routers reported by mtr will be significantly lower than the ac‐
tual reliability of these routers.

CONTACT INFORMATION
For the latest version, see the mtr web page at ⟨http://www.bitwizard.nl/mtr/⟩

For patches, bug reports, or feature requests, please open an issue on GitHub at: ⟨https://github.com/traviscross/mtr⟩.

SEE ALSO
mtr-packet(8), traceroute(8), ping(8), socket(7), TCP/IP Illustrated (Stevens, ISBN 0201633469).

mtr 0.95 MTR(8)</nowiki>

HYDRA - Manpage

2026-01-17T10:03:04Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== hydra --help ==

<nowiki>
HYDRA(1) General Commands Manual HYDRA(1)

NAME
hydra - a very fast network logon cracker which supports many different services

SYNOPSIS
hydra
[[[-l LOGIN|-L FILE] [-p PASS|-P FILE|-x OPT -y]] | [-C FILE]]
[-e nsr] [-u] [-f|-F] [-M FILE] [-o FILE] [-b FORMAT]
[-t TASKS] [-T TASKS] [-w TIME] [-W TIME] [-m OPTIONS] [-s PORT]
[-c TIME] [-S] [-O] [-4|6] [-I] [-vV] [-d]
server service [OPTIONS]

DESCRIPTION
Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.

This tool gives researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.

Currently this tool supports:
adam6500 afp asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) mysql5 ncp
nntp oracle oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp radmin2 redis rexec rlogin rpcap rsh rtsp s7-300 sapr3 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

For most protocols SSL is supported (e.g. https-get, ftp-ssl, etc.). If not all necessary libraries are found during compile time, your available services will be less. Type "hydra" to see what is available.

Options
target a target to attack, can be an IPv4 address, IPv6 address or DNS name.

service
a service to attack, see the list of protocols available

OPTIONAL SERVICE PARAMETER
Some modules have optional or mandatory options. type "hydra -U <servicename>"
to get help on on the options of a service.

-R restore a previously aborted session. Requires a hydra.restore file was written. Options are restored, but can be changed by setting them after -R on the command line

-S connect via SSL

-O use old SSL v2 and v3

-s PORT
if the service is on a different default port, define it here

-l LOGIN
or -L FILE login with LOGIN name, or load several logins from FILE

-p PASS
or -P FILE try password PASS, or load several passwords from FILE

-x min:max:charset
generate passwords from min to max length. charset can contain 1
for numbers, a for lowcase and A for upcase characters.
Any other character is added is put to the list.
Example: 1:2:a1%.
The generated passwords will be of length 1 to 2 and contain
lowcase letters, numbers and/or percent signs and dots.

-y disable use of symbols in -x bruteforce, see above

-e nsr additional checks, "n" for null password, "s" try login as pass, "r" try the reverse login as pass

-C FILE
colon separated "login:pass" format, instead of -L/-P options

-u by default Hydra checks all passwords for one login and then tries the next login. This option loops around the passwords, so the first password is tried on all logins, then the next password.

-f exit after the first found login/password pair (per host if -M)

-F exit after the first found login/password pair for any host (for usage with -M)

-M FILE
server list for parallel attacks, one entry per line

-o FILE
write found login/password pairs to FILE instead of stdout

-b FORMAT
specify the format for the -o FILE: text(default), json, jsonv1

-t TASKS
run TASKS number of connects in parallel (default: 16)

-m OPTIONS
module specific options. See hydra -U <module> what options are available.

-w TIME
defines the max wait time in seconds for responses (default: 32)

-W TIME
defines a wait time between each connection a task performs. This usually only makes sense if a low task number is used, .e.g -t 1

-c TIME
the wait time in seconds per login attempt over all threads (-t 1 is recommended) This usually only makes sense if a low task number is used, .e.g -t 1

-4 / -6
prefer IPv4 (default) or IPv6 addresses

-v / -V
verbose mode / show login+pass combination for each attempt

-d debug mode

-I ignore an existing restore file (don't wait 10 seconds)

-h, --help
Show summary of options.

SEE ALSO
xhydra(1), pw-inspector(1).
The programs are documented fully by van Hauser <vh@thc.org>

AUTHOR
hydra was written by van Hauser / THC <vh@thc.org> Find new versions or report bugs at https://github.com/vanhauser-thc/thc-hydra

This manual page was written by Daniel Echeverry <epsilon77@gmail.com>, for the Debian project (and may be used by others).

01/01/2023 HYDRA(1)</nowiki>

JITSI-MEET - Base Documentation

2026-01-17T09:46:23Z

Admin:

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Jitsi Meet Configuration ==

=== Configuration Files ===
Jitsi Meet is configured through several key files. These files control the behavior of Jitsi Meet, such as authentication, video quality, and the user interface.

Key configuration files:
* **/etc/jitsi/meet/{your-domain}-config.js**: This file contains the main configuration options for Jitsi Meet, including UI settings, authentication, and video quality.
* **/etc/jitsi/jicofo/sip-communicator.properties**: Configuration file for Jicofo (Jitsi Conference Focus), which handles conference management.
* **/etc/jitsi/videobridge/config**: This configuration file is for the Jitsi Videobridge, which handles media routing for video conferences.

Example configuration in `/etc/jitsi/meet/{your-domain}-config.js`:
<nowiki>
var config = {
hosts: {
domain: 'meet.example.com',
muc: 'conference.meet.example.com',
focus: 'focus.meet.example.com'
},
testing: {
enableFirefoxHD: true
},
resolution: 720,
enableDisplayName: true
};</nowiki>

This example configures basic domain names and enables 720p resolution.

=== Configuring Jitsi Videobridge ===
The Jitsi Videobridge is responsible for routing video and audio streams during a conference. It can be configured through `/etc/jitsi/videobridge/config`.

Example to set the number of video channels:
<nowiki>
# In /etc/jitsi/videobridge/config
VIDEOBRIDGE_MAX_CHANNELS=50</nowiki>

This increases the number of video channels the bridge can handle.

== Security Concepts ==

=== SSL/TLS Encryption ===
Jitsi Meet should be configured to use SSL/TLS to secure communication between clients and the server. Let's Encrypt can be used for automatic certificate generation.

To enable SSL on Jitsi Meet:
* Configure Nginx to use SSL for the domain hosting Jitsi Meet.
* Use the `certbot` tool to automatically fetch and renew SSL certificates from Let's Encrypt.

Example configuration for Nginx (found in `/etc/nginx/sites-available/{your-domain}`):
<nowiki>
server {
listen 443 ssl;
server_name meet.example.com;
ssl_certificate /etc/letsencrypt/live/meet.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet.example.com/privkey.pem;
...
}</nowiki>

This configures SSL for the domain and ensures secure HTTPS connections.

=== Authentication and User Management ===
For added security, Jitsi Meet can integrate with various authentication systems (e.g., JWT, LDAP, OAuth).

To enable JWT authentication, configure the `prosody` server (XMPP server used by Jitsi) to validate tokens:
<nowiki>
# In /etc/prosody/conf.d/meet.example.com.cfg.lua
VirtualHost "meet.example.com"
authentication = "token"
app_id = "your-app-id"
app_secret = "your-app-secret"</nowiki>

This example shows how to configure token authentication by setting an app ID and secret.

=== Protecting Jitsi Meet Services ===
To protect your Jitsi Meet services, such as Jicofo and Jitsi Videobridge, make sure only authorized clients can connect.

Configure firewalls to block unnecessary ports and limit service exposure. For example, only allow HTTPS traffic on port 443 and disable other unused ports.

Example of firewall rules with `ufw`:
<nowiki>
ufw allow 443/tcp
ufw allow 10000:20000/udp
ufw enable</nowiki>

This opens only the necessary ports for Jitsi Meet (HTTPS and media ports).

== Advanced Configurations ==

=== Configuring Jitsi Meet for Large Conferences ===
Jitsi Meet supports scaling to handle larger conferences by adjusting video resolution and load balancing between multiple Videobridges.

You can configure the maximum number of participants per conference in the config file:
<nowiki>
# In /etc/jitsi/meet/{your-domain}-config.js
constraints: {
video: {
height: {
ideal: 720,
max: 1080
}
},
maxParticipants: 50
}</nowiki>

This sets a maximum of 50 participants per conference and limits video height to 1080p.

=== Multi-Server Setup ===
For better performance and scalability, you can deploy multiple Jitsi Videobridges across different machines. This requires configuring load balancing.

First, set up a load balancer (such as HAProxy) to distribute traffic to multiple Videobridges. Then, configure each Videobridge with the same domain in `/etc/jitsi/videobridge/config`.

Example of HAProxy configuration:
<nowiki>
frontend https_front
bind *:443
default_backend videobridge_back

backend videobridge_back
balance roundrobin
server bridge1 192.168.1.2:8080 check
server bridge2 192.168.1.3:8080 check</nowiki>

This configures HAProxy to distribute requests between `bridge1` and `bridge2`.

== Troubleshooting ==

=== Jitsi Meet Not Loading or Connecting ===
If Jitsi Meet is not loading or connecting:
* Check if the Nginx server is running and serving SSL correctly.
<nowiki>
systemctl status nginx</nowiki>
* Ensure that the correct ports are open for HTTPS and media (ports 443, 10000–20000 UDP).
<nowiki>
ufw status</nowiki>
* Verify if the necessary Jitsi services are running (Jicofo, Videobridge). <nowiki>
systemctl status jicofo
systemctl status jitsi-videobridge2</nowiki>

If services are not running, try restarting them:
<nowiki>
systemctl restart jicofo
systemctl restart jitsi-videobridge2</nowiki>

=== Audio and Video Issues ===
If participants are experiencing audio or video problems:
* Check if your Videobridges are properly configured and running.
<nowiki>
systemctl status jitsi-videobridge2</nowiki>
* Verify network connectivity for the UDP media ports (10000–20000).
* Ensure that the client’s browser is supported (e.g., Chrome or Firefox).

For more detailed troubleshooting:
<nowiki>
journalctl -u jicofo
journalctl -u jitsi-videobridge2</nowiki>

These logs can provide insights into errors or misconfigurations.

=== Performance Issues ===
If you notice performance issues, such as lag or high CPU usage:
* Monitor server resources:
<nowiki>
top</nowiki>
* Verify server load and traffic using:
<nowiki>
netstat -tuln</nowiki>
* If running a multi-server setup, check load balancing and resource allocation between Videobridges.

Example of checking CPU usage for Jitsi services:
<nowiki>
ps aux | grep jitsi</nowiki>

== Useful Links ==

* https://jitsi.org/
* https://github.com/jitsi/jitsi-meet
* https://jitsi.github.io/handbook/
* https://community.jitsi.org/
* https://jitsi.org/downloads/
* https://github.com/jitsi/jicofo
* https://github.com/jitsi/jitsi-videobridge
* https://www.digitalocean.com/community/tutorials/how-to-set-up-jitsi-meet-video-conferencing-on-ubuntu-20-04

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

JITSI-MEET - Base Documentation

2026-01-17T09:46:04Z

Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == Jitsi Meet Configuration == === Configuration Files === Jitsi Meet is configured through several key files. These files control the behavior of Jitsi Meet, such as authentication, video quality, and the user interface. Key configuration files: * **/etc/jitsi/meet/{your-domain}-config.js**: This file contains the main configuration options for Jitsi Meet, including UI set..."

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== Jitsi Meet Configuration ==

=== Configuration Files ===
Jitsi Meet is configured through several key files. These files control the behavior of Jitsi Meet, such as authentication, video quality, and the user interface.

Key configuration files:
* **/etc/jitsi/meet/{your-domain}-config.js**: This file contains the main configuration options for Jitsi Meet, including UI settings, authentication, and video quality.
* **/etc/jitsi/jicofo/sip-communicator.properties**: Configuration file for Jicofo (Jitsi Conference Focus), which handles conference management.
* **/etc/jitsi/videobridge/config**: This configuration file is for the Jitsi Videobridge, which handles media routing for video conferences.

Example configuration in `/etc/jitsi/meet/{your-domain}-config.js`:
<nowiki>
var config = {
hosts: {
domain: 'meet.example.com',
muc: 'conference.meet.example.com',
focus: 'focus.meet.example.com'
},
testing: {
enableFirefoxHD: true
},
resolution: 720,
enableDisplayName: true
};
</nowiki>

This example configures basic domain names and enables 720p resolution.

=== Configuring Jitsi Videobridge ===
The Jitsi Videobridge is responsible for routing video and audio streams during a conference. It can be configured through `/etc/jitsi/videobridge/config`.

Example to set the number of video channels:
<nowiki>
# In /etc/jitsi/videobridge/config
VIDEOBRIDGE_MAX_CHANNELS=50
</nowiki>

This increases the number of video channels the bridge can handle.

== Security Concepts ==

=== SSL/TLS Encryption ===
Jitsi Meet should be configured to use SSL/TLS to secure communication between clients and the server. Let's Encrypt can be used for automatic certificate generation.

To enable SSL on Jitsi Meet:
* Configure Nginx to use SSL for the domain hosting Jitsi Meet.
* Use the `certbot` tool to automatically fetch and renew SSL certificates from Let's Encrypt.

Example configuration for Nginx (found in `/etc/nginx/sites-available/{your-domain}`):
<nowiki>
server {
listen 443 ssl;
server_name meet.example.com;
ssl_certificate /etc/letsencrypt/live/meet.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/meet.example.com/privkey.pem;
...
}</nowiki>

This configures SSL for the domain and ensures secure HTTPS connections.

=== Authentication and User Management ===
For added security, Jitsi Meet can integrate with various authentication systems (e.g., JWT, LDAP, OAuth).

To enable JWT authentication, configure the `prosody` server (XMPP server used by Jitsi) to validate tokens:
<nowiki>
# In /etc/prosody/conf.d/meet.example.com.cfg.lua
VirtualHost "meet.example.com"
authentication = "token"
app_id = "your-app-id"
app_secret = "your-app-secret"</nowiki>

This example shows how to configure token authentication by setting an app ID and secret.

=== Protecting Jitsi Meet Services ===
To protect your Jitsi Meet services, such as Jicofo and Jitsi Videobridge, make sure only authorized clients can connect.

Configure firewalls to block unnecessary ports and limit service exposure. For example, only allow HTTPS traffic on port 443 and disable other unused ports.

Example of firewall rules with `ufw`:
<nowiki>
ufw allow 443/tcp
ufw allow 10000:20000/udp
ufw enable</nowiki>

This opens only the necessary ports for Jitsi Meet (HTTPS and media ports).

== Advanced Configurations ==

=== Configuring Jitsi Meet for Large Conferences ===
Jitsi Meet supports scaling to handle larger conferences by adjusting video resolution and load balancing between multiple Videobridges.

You can configure the maximum number of participants per conference in the config file:
<nowiki>
# In /etc/jitsi/meet/{your-domain}-config.js
constraints: {
video: {
height: {
ideal: 720,
max: 1080
}
},
maxParticipants: 50
}</nowiki>

This sets a maximum of 50 participants per conference and limits video height to 1080p.

=== Multi-Server Setup ===
For better performance and scalability, you can deploy multiple Jitsi Videobridges across different machines. This requires configuring load balancing.

First, set up a load balancer (such as HAProxy) to distribute traffic to multiple Videobridges. Then, configure each Videobridge with the same domain in `/etc/jitsi/videobridge/config`.

Example of HAProxy configuration:
<nowiki>
frontend https_front
bind *:443
default_backend videobridge_back

backend videobridge_back
balance roundrobin
server bridge1 192.168.1.2:8080 check
server bridge2 192.168.1.3:8080 check</nowiki>

This configures HAProxy to distribute requests between `bridge1` and `bridge2`.

== Troubleshooting ==

=== Jitsi Meet Not Loading or Connecting ===
If Jitsi Meet is not loading or connecting:
* Check if the Nginx server is running and serving SSL correctly.
<nowiki>
systemctl status nginx</nowiki>
* Ensure that the correct ports are open for HTTPS and media (ports 443, 10000–20000 UDP).
<nowiki>
ufw status</nowiki>
* Verify if the necessary Jitsi services are running (Jicofo, Videobridge). <nowiki>
systemctl status jicofo
systemctl status jitsi-videobridge2</nowiki>

If services are not running, try restarting them:
<nowiki>
systemctl restart jicofo
systemctl restart jitsi-videobridge2</nowiki>

=== Audio and Video Issues ===
If participants are experiencing audio or video problems:
* Check if your Videobridges are properly configured and running.
<nowiki>
systemctl status jitsi-videobridge2</nowiki>
* Verify network connectivity for the UDP media ports (10000–20000).
* Ensure that the client’s browser is supported (e.g., Chrome or Firefox).

For more detailed troubleshooting:
<nowiki>
journalctl -u jicofo
journalctl -u jitsi-videobridge2</nowiki>

These logs can provide insights into errors or misconfigurations.

=== Performance Issues ===
If you notice performance issues, such as lag or high CPU usage:
* Monitor server resources:
<nowiki>
top</nowiki>
* Verify server load and traffic using:
<nowiki>
netstat -tuln</nowiki>
* If running a multi-server setup, check load balancing and resource allocation between Videobridges.

Example of checking CPU usage for Jitsi services:
<nowiki>
ps aux | grep jitsi</nowiki>

== Useful Links ==

* https://jitsi.org/
* https://github.com/jitsi/jitsi-meet
* https://jitsi.github.io/handbook/
* https://community.jitsi.org/
* https://jitsi.org/downloads/
* https://github.com/jitsi/jicofo
* https://github.com/jitsi/jitsi-videobridge
* https://www.digitalocean.com/community/tutorials/how-to-set-up-jitsi-meet-video-conferencing-on-ubuntu-20-04

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''