NAME

tcpdump - dump traffic on a network

SYNOPSIS

tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ]

DESCRIPTION

tcpdump prints out the headers of packets on a network interface that match the boolean expression.

For SunOS with NIT or BPF: to run tcpdump you must have read access to /dev/nit or /dev/bpf*.
For Solaris with DLPI: you must have read access to the network pseudo device, such as /dev/le.
For HP-UX with DLPI: you must be root, or tcpdump must be installed setuid to root.
For IRIX with snoop: you must be root, or tcpdump must be installed setuid to root.
For Linux: you must be root, or tcpdump must be installed setuid to root.
For Ultrix and Digital UNIX: once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run tcpdump.
For BSD: you must have read access to /dev/bpf*.

OPTIONS

-a    Attempt to convert network and broadcast addresses to names.

-c    Exit after receiving count packets.

-d    Dump the compiled packet-matching code in a human-readable form to standard output and stop.

-dd   Dump the packet-matching code as a C program fragment.

-ddd  Dump the packet-matching code as decimal numbers (preceded with a count).

-e    Print the link-level header on each dump line.

-f    Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around a problem in Sun's yp server: usually it hangs forever translating non-local internet numbers).

-F    Use file as input for the filter expression. An additional expression given on the command line is ignored.

-i    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured-up interface (excluding loopback).

-l    Make standard output line buffered. Useful if you want to see the data while capturing it. For example, `tcpdump -l | tee dat' or `tcpdump -l > dat & tail -f dat'.

-n    Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.

-N    Don't print domain name qualification of host names. For example, tcpdump will print `nic' instead of `nic.ddn.mil'.

-O    Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p    Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, -p cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-q    Quick output. Print less protocol information so output lines are shorter.

-r    Read packets from file (which was created with the -w option). Standard input is used if file is `-'.

-s    Capture snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with `[|proto]', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering, which may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you are interested in.

-T    Force packets selected by expression to be interpreted as the specified type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool), and wb (distributed White Board).

-S    Print absolute, rather than relative, TCP sequence numbers.

-t    Don't print a timestamp on each dump line.

-tt   Print an unformatted timestamp on each dump line.

-v    (Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.

-vv   Even more verbose output. For example, additional fields are printed from NFS reply packets.

-w    Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is `-'.

-x    Print each packet (minus its link-level header) in hex. The smaller of the entire packet or snaplen bytes will be printed.

expression
      Selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is true will be dumped.
The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type   Type qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. For example, `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir    Dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. For example, `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e., point-to-point protocols such as SLIP) the inbound and outbound qualifiers can be used to specify a desired direction.

proto  Proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. For example, `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. For example, `src foo' means `(ip or arp or rarp) src foo' (except that the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning "the data link level used on the specified network interface". FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. For example, `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. For example, `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host
      True if the IP destination field of the packet is host, which may be either an address or a name.

src host host
      True if the IP source field of the packet is host.

host host
      True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp, as in:
          ip host host
      which is equivalent to:
          ether proto \ip and host host
      If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost
      True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for the numeric format).

ether src ehost
      True if the ethernet source address is ehost.

ether host ehost
      True if either the ethernet source or destination address is ehost.

gateway host
      True if the packet used host as a gateway. That is, the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
          ether host ehost and not host host
      which can be used with either names or numbers for host / ehost.)

dst net net
      True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4)).

src net net
      True if the IP source address of the packet has a network number of net.

net net
      True if either the IP source or destination address of the packet has a network number of net.

net net mask mask
      True if the IP address matches net with the specific netmask mask. May be qualified with src or dst.
net net/len
      True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.

dst port port
      True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
      True if the packet has a source port value of port.

port port
      True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
          tcp src port port
      which matches only tcp packets whose source port is port.

less length
      True if the packet has a length less than or equal to length. This is equivalent to:
          len <= length

greater length
      True if the packet has a length greater than or equal to length. This is equivalent to:
          len >= length

ip proto protocol
      True if the packet is an IP packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.

ether broadcast
      True if the packet is an ethernet broadcast packet. The ether keyword is optional.

ip broadcast
      True if the packet is an IP broadcast packet. Tcpdump checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast
      True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

ip multicast
      True if the packet is an IP multicast packet.

ether proto protocol
      True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note that these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. When filtering on the protocol identifier, tcpdump assumes that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]

decnet src host
      True if the DECNET source address is host, which may be an address of the form `10.123', or a DECNET host name. [DECNET host names are supported only on systems that are configured to run DECNET.]

decnet dst host
      True if the DECNET destination address is host.
decnet host host
      True if either the DECNET source or destination address is host.

ip, arp, rarp, decnet
      Abbreviations for:
          ether proto p
      where p is one of the above protocols.

lat, moprc, mopdl
      Abbreviations for:
          ether proto p
      where p is one of the above protocols. Note that tcpdump does not know how to parse these protocols.

tcp, udp, icmp
      Abbreviations for:
          ip proto p
      where p is one of the above protocols.

expr relop expr
      True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
          proto [ expr : size ]
      Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. Expr gives the byte offset relative to the indicated protocol layer. Size is optional and indicates the number of bytes in the field of interest; it can be one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

      For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never the first byte of an intervening fragment.

Primitives may be combined using:

      A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped).
      Negation (`!' or `not').
      Concatenation (`&&' or `and').
      Alternation (`||' or `or').

Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that concatenation requires an explicit and token; juxtaposition is not enough.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,
      not host vs and ace
is short for
      not host vs and host ace
which should not be confused with
      not ( host vs or ace )

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains shell metacharacters, it is easier to pass it as a single, quoted argument.
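The packet data accessors described above, worked through in Python as an added example (it is not part of the original manual page or of tcpdump's code). load() mimics proto[expr:size] over a constructed Ethernet/IPv4/TCP frame, including the implicit fragment-zero check applied to tcp index operations, and the four helpers evaluate the byte-offset filters this page uses. All function names, addresses and sample frames are assumptions made for the illustration.

```python
import struct

ETH_HLEN = 14                      # Ethernet II: dst(6) src(6) type(2)
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}


def build_frame(dst_mac, flags_frag=0, tcp_flags=0x02, ihl=5):
    """Constructed sample frame: Ethernet + IPv4 (+ NOP options) + TCP header."""
    options = b"\x01" * ((ihl - 5) * 4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 1,
                     flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options
    tcp = struct.pack("!HHIIBBHHH", 1023, 513, 768512, 0, 5 << 4,
                      tcp_flags, 4096, 0, 0)
    src_mac = bytes.fromhex("020701000001")
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def load(frame, proto, offset, size=1):
    """Value of proto[offset:size]; None models 'the filter rejects the packet'."""
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    if proto == "ether":
        base = 0
    elif proto == "ip" or proto in IP_PROTO:
        if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
            return None                          # not an IPv4 packet
        base = ETH_HLEN
        if proto in IP_PROTO:
            if frame[base + 9] != IP_PROTO[proto]:
                return None                      # a different transport protocol
            if struct.unpack_from("!H", frame, base + 6)[0] & 0x1FFF:
                return None                      # later fragment: no TCP/UDP header
            base += (frame[base] & 0x0F) * 4     # skip the IP header and its options
    else:
        raise ValueError("unsupported protocol layer: " + proto)
    end = base + offset + size
    if end > len(frame):
        return None                              # field lies beyond the captured bytes
    return int.from_bytes(frame[base + offset:end], "big")


def _holds(value, predicate):
    return value is not None and predicate(value)


def is_ether_multicast(frame):
    """ether[0] & 1 != 0"""
    return _holds(load(frame, "ether", 0), lambda v: v & 1 != 0)


def has_ip_options(frame):
    """ip[0] & 0xf != 5"""
    return _holds(load(frame, "ip", 0), lambda v: v & 0xF != 5)


def is_first_or_only_fragment(frame):
    """ip[6:2] & 0x1fff = 0"""
    return _holds(load(frame, "ip", 6, 2), lambda v: v & 0x1FFF == 0)


def is_syn_or_fin(frame):
    """tcp[13] & 3 != 0"""
    return _holds(load(frame, "tcp", 13), lambda v: v & 3 != 0)


if __name__ == "__main__":
    unicast = bytes.fromhex("020701000102")
    samples = {
        "SYN, no options": build_frame(unicast),
        "SYN, IP options": build_frame(unicast, ihl=6),
        "later fragment": build_frame(unicast, flags_frag=185),
        "broadcast ACK": build_frame(b"\xff" * 6, tcp_flags=0x10),
    }
    for name, frame in samples.items():
        print(name, is_ether_multicast(frame), has_ip_options(frame),
              is_first_or_only_fragment(frame), is_syn_or_fin(frame))
```

Because the tcp accessor skips the real IP header length, the SYN test still reads the flags byte when IP options are present, and it never matches a later fragment even when the bytes at that position happen to look like TCP flags.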
Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES

To print all packets arriving at or departing from sundown:
    tcpdump host sundown

To print traffic between helios and either hot or ace:
    tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:
    tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:
    tcpdump net ucb-ether

To print all ftp traffic through gateway snup (note that the expression is enclosed in single quotes to prevent the shell from interpreting the parentheses):
    tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this traffic should never make it onto your local net):
    tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
    tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway snup:
    tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
    tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests or replies (i.e., not ping packets):
    tcpdump 'icmp[0] != 8 and icmp[0] != 0'

OUTPUT FORMAT

The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.

Link Level Headers

If the `-e' option is given, the link-level header is printed. On ethernets, the source and destination addresses, protocol, and packet length are printed.

On FDDI networks, the `-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.)

(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)

On SLIP links, a direction indicator (`I' for inbound, `O' for outbound), packet type, and compression information are printed. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed. The special cases are printed as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed.
A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and the compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:

    O ctcp * A+6 S+49 I+6 3 (6)

ARP/RARP Packets

Arp/rarp output shows the type of request and its arguments. The format is intended to be self-explanatory. Here is a short sample taken from the start of an rlogin from host rtsg to host csam:

    arp who-has csam tell rtsg
    arp reply csam is-at CSAM

The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in upper case and internet addresses in lower case).

This looks less redundant with tcpdump -n:

    arp who-has 128.3.254.6 tell 128.3.254.68
    arp reply 128.3.254.6 is-at 02:07:01:00:01:C4

With tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point becomes visible:

    RTSG Broadcast 0806 64: arp who-has csam tell rtsg
    CSAM RTSG 0806 64: arp reply csam is-at CSAM

For the first packet this says that the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.

TCP Packets

(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)

The general format of a tcp protocol line is:

    src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST), or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see the example below). Ack is the sequence number of the next data expected from the other direction on this connection. Window is the number of bytes of receive buffer space available at the packet's source for this connection. Urg indicates that there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (for example, <mss 1024>). Src, dst and flags are always present.
The other fields depend on the contents of the packet's TCP header and are output only if appropriate.

Here is the opening portion of an rlogin from host rtsg to host csam:

    rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
    csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096
    rtsg.1023 > csam.login: . ack 1 win 4096
    rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
    csam.login > rtsg.1023: . ack 2 win 4096
    rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
    csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
    csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
    csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

The first line says that TCP port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)', which means `sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

Csam replies with a similar packet, except that it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet contained no data, so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a TCP conversation, it prints the sequence number from the packet. On subsequent packets of the conversation, it prints the difference between the current packet's sequence number and this initial sequence number. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being `1'). The `-S' option overrides this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20). The PUSH flag is set in the packet. On the 7th line, csam says it has received the data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer, since csam's receive window has become 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent data to rtsg.
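The relative sequence numbers explained above can be turned back into the absolute values that `-S' would print, which is what you need when lining tcpdump text output up against another tool's log. The following Python parser is an added example, not part of the original manual page or of tcpdump; it reads the rlogin trace (re-typed here in lowercase) and assumes that both SYN packets of the conversation are in the capture. The regular expression and function names are assumptions made for the illustration.

```python
import re

# The rlogin trace from this page, embedded so the example runs offline.
TRACE = """\
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
""".splitlines()

# src > dst: flags data-seqno ack window urgent options
LINE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR]+|\.)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<n>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?$")

MOD = 2 ** 32          # TCP sequence numbers wrap at 32 bits


def to_absolute(lines):
    """Return one dict per line with seq and ack as absolute sequence numbers."""
    isn = {}           # (src, dst) -> initial sequence number from that side's SYN
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            raise ValueError("not a TCP summary line: %r" % line)
        fwd, rev = (m["src"], m["dst"]), (m["dst"], m["src"])
        syn = "S" in m["flags"]
        rec = {"src": m["src"], "dst": m["dst"], "flags": m["flags"],
               "seq": None, "len": 0, "ack": None,
               "win": int(m["win"]) if m["win"] else None,
               "urg": int(m["urg"]) if m["urg"] else None,
               "options": m["opts"]}
        if m["first"] is not None:
            first, last, n = int(m["first"]), int(m["last"]), int(m["n"])
            if (last - first) % MOD != n:
                raise ValueError("first:last(nbytes) disagree: %r" % line)
            if syn:
                isn[fwd] = first            # SYN lines carry the absolute number
                rec["seq"] = first
            elif fwd in isn:
                rec["seq"] = (isn[fwd] + first) % MOD
            else:
                raise ValueError("no SYN captured for %s > %s" % fwd)
            rec["len"] = n
        if m["ack"] is not None:
            ack = int(m["ack"])
            if syn:
                rec["ack"] = ack            # printed absolute on the SYN+ACK
            elif rev in isn:
                rec["ack"] = (isn[rev] + ack) % MOD
            else:
                raise ValueError("no SYN captured for %s > %s" % rev)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in to_absolute(TRACE):
        print(rec["src"], ">", rec["dst"], rec["flags"],
              "seq", rec["seq"], "len", rec["len"], "ack", rec["ack"])
```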
If the snapshot was so small that tcpdump could not capture the full TCP header, it interprets as much of the header as it can and then reports `[|tcp]' to indicate that the remainder could not be interpreted. If the header contains a bogus option (one with a length that is either too small or beyond the end of the header), tcpdump reports it as `[bad opt]' and does not interpret any further options (since it is impossible to tell where they start). If the header length indicates that options are present but the IP datagram is not long enough for the options to actually be there, tcpdump reports it as `[bad hdr length]'.

UDP Packets

UDP format is illustrated by this rwho packet:

    actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a UDP datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher-level protocol information is printed. In particular, Domain Name service requests (RFC-1034/1035) and NFS RPC calls (RFC-1050).

UDP Name Server Requests

(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in Greek.)

Name server requests are formatted as

    src > dst: id op? flags qtype qclass name (len)
    h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates that the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'. Similarly, the qclass was the normal one, C_IN, and was omitted. Any other qclass would have been printed immediately after the `A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: if a query contains an answer, name server or authority section, ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]', where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.
UDP Name Server Responses

Name server responses are formatted as

    src > dst: id op rcode flags a/n/au type class data (len)
    helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
    helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 authority records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain), with no answers, one name server record and no authority records. The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.

Note that name server requests and responses tend to be large, and the default snaplen of 68 bytes may not capture enough of the packet to print. Use the -s option to increase the snaplen if you need to investigate name server traffic. `-s 128' should work well.

NFS Requests and Replies

Sun NFS (Network File System) requests and replies are printed as:

    src.xid > dst.nfs: len op args
    src.nfs > dst.xid: reply stat len op results

    sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
    wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
    sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
    wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the source host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies `ok' with the contents of the link.

In the third line, sushi asks wrl to look up the name `xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self-explanatory.

If the -v (verbose) option is given, additional information is printed. For example:

    sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
    wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v also prints the IP header TTL, ID, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576.
Wrl replies `ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v option is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type (`REG', for regular file), the file mode (in octal), the uid and gid, and the file size.

If the -v option is given more than once (-vv), even more details are printed.

Note that NFS requests are very large, and much of the detail will not be printed unless snaplen is increased. Try using `-s 192'.

NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of `recent' requests and matches them to the replies using the transaction id. If a reply has no corresponding request, it cannot be parsed.

KIP Appletalk (DDP in UDP)

Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form

    number      name

    1.254       ether
    16.1        icsd-net
    1.254.110   ace

The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the third group of digits in the number - a net number must have two groups and a host number must have three). The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a `#').

Appletalk addresses are printed in the form

    net.host.port

    144.1.209.2 > icsd-net.112.220
    office.2 > icsd-net.112.220
    jssmag.149.235 > icsd-net.2

(If /etc/atalk.names doesn't exist or doesn't contain a valid entry for some appletalk host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to port 220 of net icsd node 112. The second line is the same except that the full name of the source node is known (`office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with no host number - for this reason it is a good idea to keep node names and net names distinct in /etc/atalk.names).

NBP (name binding protocol) and ATP (Appletalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the protocol) and packet size.
NBP packets are formatted like the following examples:

    icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
    jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
    techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

The first line is a name lookup request for laserwriters sent by net icsd host 112 and broadcast on net jssmag. The nbp id for the lookup is 190. The second line shows a reply to this request (note that it has the same id) from host jssmag.209 saying that it has a laserwriter resource named "RM1140" registered on port 250. The third line is another reply to the same request, saying that host techpit has laserwriter "techpit" registered on port 186.

ATP packet formatting is demonstrated by the following example:

    jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
    helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
    helios.132 >