TCPDUMP(8)    Maintenance Commands
Updated: 30 June 1997
NAME
tcpdump - dump traffic on a network
SYNOPSIS
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
        [ -i interface ] [ -r file ] [ -s snaplen ]
        [ -T type ] [ -w file ] [ expression ]
DESCRIPTION
Tcpdump prints out the headers of packets on a network interface that match the boolean expression.
Under SunOS with nit or bpf: To run tcpdump you must have read access to /dev/nit or /dev/bpf*.
Under Solaris with dlpi: You must have read access to the network pseudo device, e.g. /dev/le.
Under HP-UX with dlpi: You must be root or it must be installed setuid to root. Under IRIX with snoop: You must be root or it must be installed setuid to root. Under Linux: You must be root or it must be installed setuid to root.
Under Ultrix and Digital UNIX: Once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run tcpdump.
Under BSD: You must have read access to /dev/bpf*.
OPTIONS
-a
Attempt to convert network and broadcast addresses to names.
-c count
Exit after receiving count packets.
-d
Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd
Dump the packet-matching code as a C program fragment.
-ddd
Dump the packet-matching code as decimal numbers (preceded by a count).
-e
Print the link-level header on each dump line.
-f
Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server, which usually hangs forever translating non-local internet numbers).
-F file
Use file as input for the filter expression. An additional expression given on the command line is ignored.
-i interface
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
-l
Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.
-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-N
Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.
-O
Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.
-q
Quick (quiet?) output. Print less protocol information so output lines are shorter.
-r file
Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.
-s snaplen
Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the time it takes to process packets and, effectively, decreases the amount of packet buffering, which may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
-T type
Force packets selected by "expression" to be interpreted as the specified type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-S
Print absolute, rather than relative, TCP sequence numbers.
-t
Don't print a timestamp on each dump line.
-tt
Print an unformatted timestamp on each dump line.
-v
(Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.
-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets.
-w file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
-x
Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed.
EXPRESSION
The expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.
The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:
type
Type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.
dir
Dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as SLIP) the inbound and outbound qualifiers can be used to specify a desired direction.
proto
Proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]
In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.
More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.
src host host
True if the IP source field of the packet is host.
host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will be checked for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for the numeric format).
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address is ehost.
gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)
dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).
src net net
True if the IP source address of the packet has a network number of net.
net net
True if either the IP source or destination address of the packet has a network number of net.
net net mask mask
True if the IP address matches net with the specified netmask. May be qualified with src or dst.
net net/len
True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.
dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or an ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the packet has a source port value of port.
port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length
greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.
ether broadcast
True if the packet is an ethernet broadcast packet. The ether keyword is optional.
ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast
True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]
decnet src host
True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
Abbreviations for:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p
where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.
For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are required for concatenation.
If an identifier is given without a keyword, the most recent keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )
Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump host sundown
To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)
To print all IP packets between ace and any host except helios:
tcpdump ip host ace and not helios
To print all traffic between local hosts and hosts at Berkeley:
tcpdump net ucb-ether
To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from misinterpreting the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'
To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
tcpdump ip and not net localnet
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'
To print IP packets longer than 576 bytes sent through gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'
To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0'
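The packet data accessor `proto[expr:size]` and the byte-offset examples above can be checked against real bytes without a live interface. The following is an added example, not code from the tcpdump man page or from tcpdump/libpcap: `field()` implements the accessor for the ether, ip, tcp, udp and icmp layers (including the implicit "fragment zero only" rule for transport-layer indexing), and the predicates below restate every offset-based expression from this page and from EXAMPLES. The frames are constructed by hand with zero checksums; `make_frame`, `field` and the predicate names are this example's own.

```python
"""Evaluating tcpdump-style ``proto[offset:size]`` accessors on raw frames.

Added example, not part of the tcpdump man page or source.  The frames
are constructed by hand, and ``field()`` plus the predicate functions are
this example's own names, not tcpdump/libpcap APIs.
"""
import struct

ETHERTYPE_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
UNICAST_MAC = bytes.fromhex("0a0000000002")   # constructed, bit 0 of byte 0 clear
MCAST_MAC = bytes.fromhex("01005e000001")     # constructed, bit 0 of byte 0 set


def field(frame, proto, offset, size=1):
    """Value of ``proto[offset:size]``: an unsigned big-endian integer of
    ``size`` bytes at byte ``offset`` inside the named protocol layer.
    Returns None when that layer is absent, which makes the enclosing
    comparison false, as it is in a tcpdump filter."""
    if proto == "ether":
        base = 0
    else:
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IP:
            return None
        base = 14                                   # IPv4 header follows Ethernet
        if proto in ("tcp", "udp", "icmp"):
            wanted = {"tcp": IPPROTO_TCP, "udp": IPPROTO_UDP, "icmp": IPPROTO_ICMP}[proto]
            frag_off = struct.unpack_from("!H", frame, base + 6)[0] & 0x1FFF
            # The implicit check the man page describes: transport-layer index
            # operations apply only to unfragmented datagrams or fragment zero.
            if frame[base + 9] != wanted or frag_off != 0:
                return None
            base += (frame[base] & 0x0F) * 4        # skip IHL*4 header bytes
    fmt = {1: "!B", 2: "!H", 4: "!I"}[size]
    if base + offset + size > len(frame):
        return None
    return struct.unpack_from(fmt, frame, base + offset)[0]


def make_frame(dst_mac, proto, flags_frag=0, total_len=40, tcp_flags=0x02,
               icmp_type=8, dst_ip="10.0.0.2"):
    """Build a minimal Ethernet/IPv4/transport frame for the demonstration.
    Checksums are left zero; none of the accessors look at them."""
    eth = dst_mac + bytes.fromhex("0a0000000001") + struct.pack("!H", ETHERTYPE_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                     64, proto, 0, bytes([10, 0, 0, 1]),
                     bytes(int(x) for x in dst_ip.split(".")))
    if proto == IPPROTO_TCP:      # ports, seq, ack, data offset 5 words, flags, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 1023, 513, 768512, 0, 5 << 4, tcp_flags, 4096, 0, 0)
    elif proto == IPPROTO_ICMP:   # type, code, csum, id, seq
        l4 = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    else:                         # UDP: sport, dport, length, csum
        l4 = struct.pack("!HHHH", 513, 513, 8, 0)
    return eth + ip + l4


# The man page's example expressions, written out as predicates.
def ether_multicast(f):               # ether[0] & 1 != 0
    return field(f, "ether", 0) & 1 != 0

def ip_has_options(f):                # ip[0] & 0xf != 5
    v = field(f, "ip", 0)
    return v is not None and v & 0xF != 5

def unfragmented_or_frag_zero(f):     # ip[6:2] & 0x1fff = 0
    v = field(f, "ip", 6, 2)
    return v is not None and v & 0x1FFF == 0

def tcp_syn_or_fin(f):                # tcp[13] & 3 != 0
    v = field(f, "tcp", 13)
    return v is not None and v & 3 != 0

def ip_longer_than(f, n):             # ip[2:2] > n
    v = field(f, "ip", 2, 2)
    return v is not None and v > n

def ip_mcast_without_ether_mcast(f):  # ether[0] & 1 = 0 and ip[16] >= 224
    v = field(f, "ip", 16)
    return field(f, "ether", 0) & 1 == 0 and v is not None and v >= 224

def icmp_not_ping(f):                 # icmp[0] != 8 and icmp[0] != 0
    v = field(f, "icmp", 0)
    return v is not None and v not in (8, 0)
```

The fragmented TCP frame in the checks is the case the page singles out: `tcp[13]` on a non-first fragment yields no value at all, so the SYN/FIN test is false rather than reading a byte of payload as if it were a TCP header.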
OUTPUT FORMAT
The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.
Link Level Headers
If the '-e' option is given, the link level header is printed out. On ethernets, the source and destination addresses, protocol, and packet length are printed.
On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.)
(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)
On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type, and compression information are printed out. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed out. The special cases are printed out as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed. A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and the compressed header length are printed.
For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:
O ctcp * A+6 S+49 I+6 3 (6)
ARP/RARP Packets
Arp/rarp output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case).
This would look less redundant if we had done tcpdump -n:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:01:01:c4
If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
For the first packet this says the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
TCP Packets
(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)
The general format of a tcp protocol line is:
src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).
Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.
Here is the opening portion of an rlogin from host rtsg to host csam.
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)', which means `sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.
Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet contained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being `1'). `-S' will override this feature, causing the original sequence numbers to be output.
On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it has received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.
If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as ``[bad hdr length]''.
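The relative-sequence-number convention described above (first packet of a direction printed raw, later packets printed as offsets from that initial sequence number, which `-S` turns off) can be reproduced from the absolute form of the same lines. The block below is an added example, not tcpdump's own code: `parse_tcp_line` reads the `src > dst: flags first:last(nbytes) ack window urg options` layout and checks that `nbytes` equals `last - first`, and `relativize` applies the per-direction ISN subtraction. The input list is constructed by adding the two ISNs back into the rlogin trace above, as `-S` would have shown it; the line grammar is this example's approximation of the printed format.

```python
"""Relative TCP sequence numbers as tcpdump prints them without -S.

Added example, not tcpdump's code: a simplified re-implementation of the
"relative byte position" convention the man page describes, run over the
rlogin opening rewritten with absolute numbers (as -S would show it).
The line grammar is this example's own approximation of the output format."""
import re

LINE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<nbytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?$")


def parse_tcp_line(line):
    """Split one tcpdump TCP line into its fields (integers where numeric)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP line: " + line)
    p = m.groupdict()
    for k in ("first", "last", "nbytes", "ack", "win", "urg"):
        p[k] = int(p[k]) if p[k] is not None else None
    # first:last(nbytes) covers [first, last), so nbytes must equal last - first
    if p["first"] is not None and p["last"] - p["first"] != p["nbytes"]:
        raise ValueError("inconsistent data-seqno in: " + line)
    return p


def format_tcp_line(p):
    """Inverse of parse_tcp_line: rebuild the printed line from its fields."""
    s = "%s > %s: %s" % (p["src"], p["dst"], p["flags"])
    if p["first"] is not None:
        s += " %d:%d(%d)" % (p["first"], p["last"], p["nbytes"])
    if p["ack"] is not None:
        s += " ack %d" % p["ack"]
    if p["win"] is not None:
        s += " win %d" % p["win"]
    if p["urg"] is not None:
        s += " urg %d" % p["urg"]
    if p["opts"] is not None:
        s += " <%s>" % p["opts"]
    return s


def relativize(lines):
    """Rewrite absolute sequence and ack numbers relative to each direction's
    initial sequence number.  SYN packets are printed unchanged and record
    the ISN; a direction never seen with a SYN stays absolute, as it would
    if the capture started mid-conversation."""
    isn = {}     # (src, dst) -> ISN of that direction
    out = []
    for line in lines:
        p = parse_tcp_line(line)
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "S" in p["flags"]:
            isn[fwd] = p["first"]
        else:
            if p["first"] is not None:
                p["first"] -= isn.get(fwd, 0)
                p["last"] -= isn.get(fwd, 0)
            if p["ack"] is not None:
                p["ack"] -= isn.get(rev, 0)    # acks count the other direction's bytes
        out.append(format_tcp_line(p))
    return out


# Constructed input: the man page's rlogin opening with the two ISNs added back.
ABSOLUTE = [
    "rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>",
    "csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>",
    "rtsg.1023 > csam.login: . ack 947649 win 4096",
    "rtsg.1023 > csam.login: P 768513:768514(1) ack 947649 win 4096",
    "csam.login > rtsg.1023: . ack 768514 win 4096",
    "rtsg.1023 > csam.login: P 768514:768533(19) ack 947649 win 4096",
    "csam.login > rtsg.1023: P 947649:947650(1) ack 768533 win 4077",
    "csam.login > rtsg.1023: P 947650:947651(1) ack 768533 win 4077 urg 1",
    "csam.login > rtsg.1023: P 947651:947652(1) ack 768533 win 4077 urg 1",
]

if __name__ == "__main__":
    for line in relativize(ABSOLUTE):
        print(line)
```

Run stand-alone, the block prints the nine relative lines exactly as they appear in the man page's trace; the `nbytes` consistency check is the kind of sanity test worth keeping when post-processing tcpdump output from a file, since a truncated or mangled line fails loudly instead of silently skewing offsets.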
UDP Packets
UDP format is illustrated by this rwho packet:
actinide.who > broadcast.who: udp 84
This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.
Some UDP services are recognized (from the port number) and the higher level protocol information is printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.
UDP Name Server Requests
(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in Greek.)
Name server requests are formatted as
src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'. Similarly, the qclass was the normal one, C_IN, and omitted. Any other qclass would have been printed immediately after the `A'.
A few anomalies are checked and may result in extra fields enclosed in square brackets: If a query contains an answer, name server or authority section, ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]', where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.
UDP Name Server Responses
Name server responses are formatted as
src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 authority records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.
In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain) with no answers, one name server and no authority records. The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.
Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.
Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print useful information. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. `-s 128' has worked well.
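The flag and anomaly notation for both requests and responses above (`+`, `*`, `-`, `|`, `[na]`/`[nn]`/`[nau]`, `[b2&3=x]`, `[nq]`) is entirely a function of the 12-byte DNS header. The following is an added example, not tcpdump's code: `annotate` decodes a raw header and produces that notation, and the three constructed headers mirror the h2opolo/helios exchange in the two sections (question and record bodies omitted, so the trailing type/data/length fields are not produced). The order in which the bracketed anomalies are emitted, and the 0x04ff mask used for the `[b2&3=x]` check (AA, RA, the three must-be-zero bits and rcode, as the text lists them), are this example's choices.

```python
"""tcpdump-style annotation of DNS (RFC 1035) header flags.

Added example, not tcpdump's code: it reconstructs the query and response
notation the man page describes (`+', `*', `-', `|', `[na]', `[b2&3=x]',
`[nq]') from a raw 12-byte header.  The headers are constructed to mirror
the h2opolo/helios exchange; the exact field order is this example's
approximation of tcpdump's printing."""
import struct

OPCODES = {0: "", 1: " inv", 2: " stat"}
RCODES = {0: "", 1: " FormErr", 2: " ServFail", 3: " NXDomain",
          4: " NotImp", 5: " Refused"}


def make_header(id_, flags, qdcount, ancount, nscount, arcount):
    """Pack the 12-byte DNS header (constructed test input)."""
    return struct.pack("!6H", id_, flags, qdcount, ancount, nscount, arcount)


def annotate(data):
    """Return the id/op/flags/counts text tcpdump would print for this header."""
    id_, flags, qd, an, ns, ar = struct.unpack_from("!6H", data, 0)
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    aa, tc, rd, ra = flags & 0x0400, flags & 0x0200, flags & 0x0100, flags & 0x0080
    op = OPCODES.get(opcode, " op%d" % opcode)
    if not qr:
        # Query: id, non-Query opcode, `+' when recursion desired, then anomalies.
        s = "%d%s%s" % (id_, op, "+" if rd else "")
        # AA, RA, the must-be-zero bits or a non-zero rcode in bytes 2-3 of a query
        if flags & 0x04FF:
            s += " [b2&3=0x%x]" % flags
        if qd != 1:
            s += " [%dq]" % qd
        for count, tag in ((an, "a"), (ns, "n"), (ar, "au")):
            if count:                 # sections a query should not carry
                s += " [%d%s]" % (count, tag)
        return s
    # Response: id, opcode, rcode, `*' authoritative, `-' RA clear, `|' truncated.
    s = "%d%s%s%s%s%s" % (id_, op, RCODES.get(rcode, " Resp%d" % rcode),
                          "*" if aa else "", "" if ra else "-", "|" if tc else "")
    if qd != 1:
        s += " [%dq]" % qd
    return s + " %d/%d/%d" % (an, ns, ar)


# Constructed headers for the man page's examples (question/answer bodies omitted).
QUERY = make_header(3, 0x0100, 1, 0, 0, 0)        # RD set                  -> "3+"
RESPONSE_OK = make_header(3, 0x8180, 1, 3, 3, 7)  # QR, RD, RA              -> "3 3/3/7"
RESPONSE_NX = make_header(2, 0x8583, 1, 0, 1, 0)  # QR, AA, RD, RA, rcode 3 -> "2 NXDomain* 0/1/0"
```

Headers that carry response bits while claiming to be queries, or that have a question count other than one, are exactly the malformed inputs the bracketed fields exist to flag; the test cases below include one of each.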
NFS Requests and Replies
Sun NFS (Network File System) requests and replies are printed as:
src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150
In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the src host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies `ok' with the contents of the link.
In the third line, sushi asks wrl to lookup the name `xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self explanatory.
If the -v (verbose) flag is given, additional information is printed. For example:
sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388
(-v also prints the IP header TTL, ID, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576. Wrl replies `ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v flag is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type (``REG'', for regular file), the file mode (in octal), the uid and gid, and the file size.
If the -v flag is given more than once (-vv), even more details are printed.
Note that NFS requests are very large and much of the detail won't be printed unless snaplen is increased. Try using `-s 192' to watch NFS traffic.
NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of ``recent'' requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable.
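The request/reply matching just described, and its failure mode when a reply arrives long after its request, can be shown with a small bounded table. This is an added example, not tcpdump's code: `RecentRequests` keeps the last few requests keyed by client and transaction id and forgets the oldest, and `resolve_replies` walks a trace in the printed format above and reports which operation each reply belongs to. The trace is constructed from the sushi/wrl lines on this page, with the operation name removed from the reply lines (it is what tcpdump can only print once the match succeeds) and one extra reply whose request was never captured; the capacity value is this example's own, not tcpdump's.

```python
"""Matching NFS replies to requests by RPC transaction id.

Added example, not tcpdump's code: a bounded table of ``recent'' requests,
keyed by client and xid, against which each reply is matched, as the man
page says tcpdump does.  The trace lines are constructed from the sushi/wrl
example, with reply lines stripped of the operation name that tcpdump can
only print once it has matched the reply."""
from collections import OrderedDict


class RecentRequests:
    """Remember the last ``capacity`` outstanding requests by (client, xid)."""

    def __init__(self, capacity=4):
        self.capacity = capacity
        self.table = OrderedDict()

    def request(self, client, xid, op):
        key = (client, xid)
        self.table.pop(key, None)           # a retransmitted xid moves to newest
        self.table[key] = op
        if len(self.table) > self.capacity:
            self.table.popitem(last=False)  # the oldest request is forgotten

    def reply(self, client, xid):
        """Return the op of the matching request, or None if none is remembered."""
        return self.table.pop((client, xid), None)


def resolve_replies(lines, capacity=4):
    """Return (xid, op) for every reply line; op is None when no recent request
    with that transaction id was seen, in which case the reply is unparsable."""
    recent = RecentRequests(capacity)
    resolved = []
    for line in lines:
        head, rest = line.split(": ", 1)
        src, dst = head.split(" > ")
        if dst.endswith(".nfs"):                       # request: src is client.xid
            client, xid = src.rsplit(".", 1)
            recent.request(client, xid, rest.split()[1])   # rest is "len op args"
        else:                                          # reply: dst is client.xid
            client, xid = dst.rsplit(".", 1)
            resolved.append((xid, recent.reply(client, xid)))
    return resolved


# Constructed trace (op names removed from replies; last reply has no request).
TRACE = [
    "sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165",
    "wrl.nfs > sushi.6709: reply ok 40",
    'sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"',
    "wrl.nfs > sushi.201b: reply ok 128",
    "wrl.nfs > sushi.9999: reply ok 24",
]
```

With a capacity of one and two requests outstanding, the first reply can no longer be resolved, which is the "does not closely follow" case in the text.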
KIP Appletalk (DDP in UDP)
Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form
number  name
1.254     ether
16.1      icsd-net
1.254.110 ace
The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the 3rd octet in the number: a net number must have two octets and a host number must have three octets). The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a `#').
Appletalk addresses are printed in the form
net.host.port
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2
(If /etc/atalk.names doesn't exist or doesn't contain an entry for some appletalk host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to whatever is listening on port 220 of net icsd node 112. The second line is the same except the full name of the source node is known (`office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with no host number; for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names).
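The /etc/atalk.names format and the three printing rules above (host entry known, only the net known, broadcast node 255 shown as a bare net name) are small enough to implement end to end. The following is an added example, not tcpdump's code: `load_atalk_names` parses the file format the page describes, rejecting numbers that are neither two nor three octets, and `format_atalk` applies the substitution rules to a numeric `net.host.port` address. The file text is constructed from the page's three sample lines plus a comment and a blank line; since `office` is not in that file, the host-name case is shown with `ace` instead.

```python
"""Resolving AppleTalk net.host.port addresses through /etc/atalk.names.

Added example, not tcpdump's code: a parser for the file format the man page
describes and the name-substitution rules it states (net names, host names,
and a bare net name for the broadcast node 255).  The file text is
constructed from the man page's three sample lines."""

ATALK_NAMES = """\
# constructed /etc/atalk.names: number, whitespace, name; `#' starts a comment
1.254     ether
16.1      icsd-net

1.254.110 ace
"""


def load_atalk_names(text):
    """Map (net_hi, net_lo) or (net_hi, net_lo, node) tuples to names."""
    names = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                           # blank or comment line
        number, name = line.split(None, 1)
        parts = tuple(int(p) for p in number.split("."))
        if len(parts) not in (2, 3):           # two octets = net, three = host
            raise ValueError("line %d: bad number %r" % (lineno, number))
        names[parts] = name.strip()
    return names


def format_atalk(names, addr):
    """Print ``net.host.port`` the way tcpdump would, given the loaded names."""
    octets = tuple(int(x) for x in addr.split("."))
    net, node, port = octets[:2], octets[2], octets[3]
    if node == 255:                            # broadcast: net name, no node number
        return "%s.%d" % (names.get(net, "%d.%d" % net), port)
    if net + (node,) in names:                 # full host entry known
        return "%s.%d" % (names[net + (node,)], port)
    if net in names:                           # only the net is named
        return "%s.%d.%d" % (names[net], node, port)
    return addr                                # nothing known: numeric form
```

Because a broadcast prints as `netname.port` and a named host prints as `hostname.port`, the two are indistinguishable in the output unless net and node names differ, which is the reason the text gives for keeping them distinct in the file.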
Tcpdump can translate packet content of NBP (name connection protocol) and ATP (AppleTalk interactive protocol). Other protocols only dump the protocol name (or number, if the protocol is not registered) and the message size.
The output format of the NBP packet is like the following example:
ICSD-NET.112.220> JSSMAG.2: NBP-LKUP 190: "=: laserwriter @ *"
JSSMAG.209.2> ICSD-NET.112.220: NBP-Reply 190: "RM1140: LaserWriter @ *" 250
Techpit.2> ICSD-NET.112.220: NBP-Reply 190: "Techpit: laserwriter @ *" 186
The first line is the broadcast of the network ICSD 112 host on the network jssmag, which is a name query request for the name LaserWriter. NBP identification number of the name query request is 190. The second line shows the answer to this request (note they have the same Identification number), host JSSMag.209 indicates that the resource of LaserWriter is registered in its 250 port. The name is "RM1140". The third line is the other answer of this request. The 186 port of the host Techpit has "Techpit" registered by LaserWriter. .
ATP packet formatting is shown by the following example:
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the `<0-7>'). The hex number at the end of the line is the value of the `userdata' field in the request.
helios responds with 8 512-byte packets. The `:digit' following the transaction id gives the packet sequence number within the transaction, and the number in parentheses is the amount of data in the packet, excluding the ATP header. The `*' on packet 7 indicates that the EOM bit was set.
jssmag.209 then requests that packets 3 and 5 be retransmitted. helios resends them, and jssmag.209 then releases the transaction. Finally, jssmag.209 initiates the next request. The `*' on the request indicates that XO (`exactly once') was not set.
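The transaction bookkeeping the preceding three paragraphs describe, as an added example that is not part of the tcpdump man page or its source: it parses the ATP lines above (the trace is the page's own example), follows the requested bitmap, the answered sequence numbers, the duplicates caused by the retransmit request, the EOM and XO `*' markers, and the release. The regex and the Transaction class are this example's own, not anything tcpdump provides.

```python
"""Added example, not part of the tcpdump man page: follow ATP
transactions in tcpdump's text output.  The trace is the page's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

ATP_TRACE = """\
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
"""

# req/rel carry `<bitmap>', resp carries `:seq (len)'; the optional `*'
# means EOM on a resp and "XO not set" on a req.
ATP_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): atp-(?P<kind>req|resp|rel)(?P<star>\*?) ?"
    r"(?P<tid>\d+)(?:<(?P<bitmap>[\d,-]+)>|:(?P<seq>\d+) \((?P<len>\d+)\))"
    r" 0x(?P<userdata>[0-9a-f]+)$"
)


@dataclass
class Transaction:
    tid: int
    requester: str
    responder: str
    requested: Set[int] = field(default_factory=set)
    payload: Dict[int, int] = field(default_factory=dict)   # seq -> bytes
    duplicates: int = 0          # responses re-sent after a retransmit request
    retransmit_requests: List[Set[int]] = field(default_factory=list)
    eom_seen: bool = False
    exactly_once: bool = True    # XO is set unless the request carries `*'
    released: bool = False

    def outstanding(self) -> Set[int]:
        """Requested sequence numbers not yet answered."""
        return self.requested - set(self.payload)

    def total_bytes(self) -> int:
        return sum(self.payload.values())


def parse_bitmap(text: str) -> Set[int]:
    """`0-7' -> {0, ..., 7}; `3,5' -> {3, 5}."""
    out: Set[int] = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return out


def track_atp(lines: List[str]) -> Dict[int, Transaction]:
    txns: Dict[int, Transaction] = {}
    for line in lines:
        m = ATP_RE.match(line.strip())
        if not m:
            continue                       # not an ATP line
        tid, kind = int(m["tid"]), m["kind"]
        if kind == "req":
            if tid not in txns:
                t = Transaction(tid, m["src"], m["dst"])
                t.requested = parse_bitmap(m["bitmap"])
                t.exactly_once = m["star"] == ""
                txns[tid] = t
            else:                          # a later req asks for lost packets again
                txns[tid].retransmit_requests.append(parse_bitmap(m["bitmap"]))
        elif kind == "resp":
            t = txns.setdefault(tid, Transaction(tid, m["dst"], m["src"]))
            seq = int(m["seq"])
            if seq in t.payload:
                t.duplicates += 1
            t.payload[seq] = int(m["len"])
            if m["star"]:
                t.eom_seen = True
        elif tid in txns:                  # rel
            txns[tid].released = True
    return txns


if __name__ == "__main__":
    for t in track_atp(ATP_TRACE.splitlines()).values():
        print(t.tid, "outstanding:", sorted(t.outstanding()),
              "bytes:", t.total_bytes(), "released:", t.released)
```

On the page's trace, transaction 12266 ends fully answered (4096 bytes, two duplicate responses from the retransmit, EOM seen, released), while 12267 is left with all eight packets outstanding and XO not set, which is exactly what the text describes.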
IP fragmentation
Fragmented Internet datagrams are printed as
(frag id:size@offset+)
(frag id:size@offset)
(The first form indicates that there are more fragments. The second indicates that this is the last fragment.)
id is the fragment id. size is the fragment size (in bytes), excluding the IP header. offset is this fragment's offset (in bytes) in the original datagram.
The fragment information is printed for each fragment. The first fragment contains the higher level protocol header, and the fragment information is printed after the protocol information. Fragments after the first contain no higher level protocol header, so the fragment information is printed after the source and destination addresses. For example, here is part of an FTP transfer from arizona.edu to lbl-rtsg.arpa over a CSNET connection that does not appear to handle 576-byte datagrams:
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
There are a couple of things to note here. First, the addresses in the second line do not include port numbers. This is because the TCP protocol information is all in the first fragment, so there is no way to know the port or sequence numbers when the later fragments are printed. Second, the TCP sequence information in the first line is printed as if there were 308 bytes of user data, when in fact there are 512 bytes (308 in the first fragment and 204 in the second). If you are looking for holes in the sequence space or trying to match acks with packets, this can fool you.
A packet whose IP header has the don't-fragment flag set is marked with a trailing (DF).
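The accounting the fragmentation section warns about, as an added example that is not part of the tcpdump man page or its source: it reads the `(frag id:size@offset+)' annotations, groups the fragments of one datagram, checks that they cover it contiguously, and recomputes the TCP sequence end from the full payload rather than from the first fragment alone. The three trace lines are the page's own; the 20-byte TCP header length is an assumption (no TCP options), consistent with the page's 328 versus 308 figures.

```python
"""Added example, not part of the tcpdump man page: group tcpdump's
fragment annotations and recover the true higher-level payload length.
The trace lines are the page's own example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRACE = """\
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
"""

TCP_HDR_LEN = 20   # assumed: no TCP options (the page shows 328 - 308 = 20)

FRAG_RE = re.compile(r"\(frag (?P<id>[0-9a-f]+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")
ADDR_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+):")
TCP_SEQ_RE = re.compile(r" (?P<start>\d+):(?P<end>\d+)\((?P<len>\d+)\)")


@dataclass
class Datagram:
    frag_id: str
    pieces: List[Tuple[int, int]] = field(default_factory=list)   # (offset, size)
    last_seen: bool = False                 # a fragment without `+' arrived
    tcp_seq_start: Optional[int] = None     # from the first fragment only

    def total_payload(self) -> int:
        """IP payload bytes across all fragments seen (headers excluded)."""
        return sum(size for _, size in self.pieces)

    def is_complete(self) -> bool:
        """Contiguous coverage from offset 0, no gap or overlap, and the
        final fragment present."""
        if not self.last_seen:
            return False
        expected = 0
        for off, size in sorted(self.pieces):
            if off != expected:
                return False
            expected = off + size
        return True

    def tcp_user_data(self) -> Optional[int]:
        """User data carried by the whole datagram, not just the first fragment."""
        if self.tcp_seq_start is None or not self.is_complete():
            return None
        return self.total_payload() - TCP_HDR_LEN

    def true_tcp_end(self) -> Optional[int]:
        """Sequence number the peer's ack should carry after this datagram."""
        data = self.tcp_user_data()
        return None if data is None else self.tcp_seq_start + data


def reassemble(lines: List[str]) -> Dict[Tuple[str, str, str], Datagram]:
    """Group fragment lines by (src host, dst host, fragment id)."""
    dgrams: Dict[Tuple[str, str, str], Datagram] = {}
    for line in lines:
        f = FRAG_RE.search(line)
        a = ADDR_RE.match(line)
        if not f or not a:
            continue                        # not a fragment line
        seq = TCP_SEQ_RE.search(line)
        src, dst = a["src"], a["dst"]
        if seq:                             # first fragment: addresses carry ports
            src, dst = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
        d = dgrams.setdefault((src, dst, f["id"]), Datagram(f["id"]))
        d.pieces.append((int(f["off"]), int(f["size"])))
        if not f["more"]:
            d.last_seen = True
        if seq:
            d.tcp_seq_start = int(seq["start"])
    return dgrams


if __name__ == "__main__":
    for key, d in reassemble(TRACE.splitlines()).items():
        print(key, "complete:", d.is_complete(), "user data:", d.tcp_user_data(),
              "next seq expected:", d.true_tcp_end())
```

For the page's trace the datagram reassembles to 532 IP payload bytes, 512 bytes of TCP user data, and a true sequence end of 1536, which is the ack the third line carries; matching acks against the first fragment's printed 1024:1332 alone would have shown a phantom hole.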
Timestamps
By default, all output lines are preceded by a timestamp. The timestamp is the current clock time, in the form
hh:mm:ss.frac
and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet. No attempt is made to account for the lag between the Ethernet interface receiving the packet and the kernel servicing the `new packet' interrupt.
See also (See Also)
traffic(1C),
nit(4P),
bpf(4),
pcap(3)
Authors (Authors)
Van Jacobson, Craig Leres and Steven McCanne, all of the Lawrence Berkeley National Laboratory, University of California, Berkeley, CA.
The current version is available via anonymous FTP:
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
Bugs (Bugs)
Please send bug reports to
tcpdump@ee.lbl.gov.
NIT does not let you watch your own outbound traffic; BPF does. We recommend that you use the latter.
Some attempt should be made to reassemble IP fragments, or at least to compute the right length for the higher level protocol.
Name server inverse queries are not dumped correctly: the (empty) question section is printed rather than the real query in the answer section. Some believe that inverse queries are themselves a bug and would rather fix the program generating them than tcpdump.
Apple EtherTalk DDP packets could be dumped as easily as KIP DDP packets, but are not. Even if we were inclined to do anything to promote the use of EtherTalk (we are not), LBL does not allow EtherTalk on any of its networks, so we would have no way of testing this code.
A packet trace that crosses a daylight saving time change will give skewed timestamps (the time change is ignored).
Filter expressions that manipulate FDDI headers assume that all FDDI packets are encapsulated Ethernet packets. This is true for IP, ARP and DECnet Phase IV, but not for protocols such as ISO CLNS. Therefore the filter may inadvertently accept certain packets that do not properly match the filter expression.