博客
关于我
强烈建议你试试无所不能的chatGPT,快点击我
tcpdump
阅读量:6331 次
发布时间:2019-06-22

本文共 8381 字,大约阅读时间需要 27 分钟。

http://www.tcpdump.org/

 

[root@109-com1 asterisk]# man tcpdump 

OUTPUT FORMAT

The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.
tcpdump的输出依赖于协议。下面给出一个简短的描述和多种格式的样例。
Link Level Headers
链路层头
If the '-e' option is given, the link level header is printed out.
如果给出-e选项,链路层头会被打出。
On Ethernets, the source and destination addresses, protocol, and packet length are printed.
在以太网络上,源和目的地址,协议,包长被打印。
On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.
在FDDI网络上,-e选项引起tcpdump打出帧控制字段,源和目的地址,和包长。
On Token Ring networks, the '-e' option causes tcpdump to print the `access control' and `frame control' fields, the source and destination addresses, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet. Regardless of whether the '-e' option is specified or not, the source routing information is printed for source-routed packets.
在令牌环网中,-e选项引起tcpdump打出访问控制和帧控制字段,源和目的地址,和包长。
On 802.11 networks, the '-e' option causes tcpdump to print the `frame control' fields, all of the addresses in the 802.11 header, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet.
在802.11网络上,-e选项引起tcpdump打出帧控制字段,
ARP/RARP Packets
Arp/rarp output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:
arp/rarp输出展示了请求类型和它的参数。格式意在自行解释。这是一个简短的样例,摘自从主机rtsg到主机csam的rlogin的开头:
    arp who-has csam tell rtsg
    arp reply csam is-at CSAM
The first line says that rtsg sent an arp packet asking for the Ethernet address of internet host csam. Csam replies with its Ethernet address (in this example, Ethernet addresses are in caps and internet addresses in lower case).
第一行说明主机rtsg发送一个arp包询问互联网主机csam的以太网地址。csam回复它的以太网地址。
This would look less redundant if we had done tcpdump -n:
这个看起来较为精简,假如使用tcpdump -n时:
    arp who-has 128.3.254.6 tell 128.3.254.68
    arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:
    RTSG Broadcast 0806  64: arp who-has csam tell rtsg
    CSAM RTSG 0806  64: arp reply csam is-at CSAM
For the first packet this says the Ethernet source address is RTSG, the destination is the Ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.

TCP Packets

(N.B.:The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)
注意:下面描述假设你熟悉RFC-793中的tcp协议描述。如果你不熟悉协议,那么不管是这个描述还是tcpdump对你来说都将不会有太多用处。
The general format of a tcp protocol line is:
    src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports.
Flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), U (URG), W (ECN CWR), E (ECN-Echo) or `.' (ACK), or `none' if no flags are set.
标志是一些
Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
数据序列号描述在这个包里,数据所涵盖的部分顺序空间。
Ack is sequence number of the next data expected the other direction on this connection.
ack是本连接另一个方向上数据希望的下一次序列号。
Window is the number of bytes of receive buffer space available the other direction on this connection.
窗口是可用的接收缓冲区的字节数,在本连接另一个方向。
Urg indicates there is `urgent' data in the packet.
urg指示在包中有紧急数据。
Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).
选项是用尖括号封闭的tcp选项。
Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.
src,dst和flags总是存在。其它字段依赖包的tcp协议头内容,
Here is the opening portion of an rlogin from host rtsg to host csam.
这是从主机rtsg到csam的rlogin的打开部分。
Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
There are 8 bits in the control bits section of the TCP header:
    CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
Let's assume that we want to watch packets used in establishing a TCP connection.
我们假设想要观察建立一个tcp连接所需要的包。
Recall that TCP uses a 3-way handshake protocol when it initializes a new connection; the connection sequence with regard to the TCP control bits is
回想起tcp初始化一个新连接时使用3次握手协议;视tcp控制位的连接顺序是
    1) Caller sends SYN
呼叫方发送SYN
    2) Recipient responds with SYN, ACK
接收者应答syn,ack
    3) Caller sends ACK
呼叫方发送ACK
Now we're interested in capturing packets that have only the SYN bit set (Step 1). Note that we don't want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is a correct filter expression for tcpdump.
现在我们只对设置了syn位的捕获包感兴趣(即第一步)。注意我们不想要第二步中的包,只是一个初始SYN包。我们需要的是正确的tcpdump过滤表达式。
We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as a 8-bit unsigned integer in network byte order, must be exactly 2.
This relationship can be expressed as
    tcp[13] == 2
We can use this expression as the filter for tcpdump in order to watch packets which have only SYN set:
    tcpdump tcp [13] == 2  -nn  -c 10
The expression says "let the 13th octet of a TCP datagram have the decimal value 2", which is exactly what we want.

 

Now, let's assume that we need to capture SYN packets, but we don't care if ACK or any other TCP control bit is set at the same time. Let's see what happens to octet 13 when a TCP datagram with SYN-ACK set arrives:

Now we can't just use 'tcp[13] == 18' in the tcpdump filter expression, because that would select only those packets that have SYN-ACK set, but not those with only SYN set. Remember that we don't care if ACK or any other control bit is set as long as SYN is set.
This points us to the tcpdump filter expression
这指引我们tcpdump过滤表达式如下:
         tcpdump 'tcp[13] & 2 == 2' -nn -c 10
Some offsets and field values may be expressed as names rather than as numeric values. For example tcp[13] may be replaced with tcp[tcpflags].
一些偏移和字段值可以表达为名字而非一个数字值。例如tcp[13]可以被替换为tcp[tcpflags]。
The following TCP flag field values are also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-act, tcp-urg.
一列tcp标志字段值同样可用:tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-act, tcp-urg。
This can be demonstrated as:
这个可以被展示为:
         tcpdump 'tcp[tcpflags] & tcp-push != 0'
Note that you should use single quotes or a backslash in the expression to hide the AND ('&') special character from the shell.

UDP Packets

UDP Name Server Requests
UDP Name Server Responses
Name server responses are formatted as
SMB/CIFS decoding
NFS Requests and Replies
AFS Requests and Replies

NBP (name binding protocol) and ATP (AppleTalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the protocol) and packet size.

NBP和ATP包有它们的内容翻译。其它协议只转储协议名(或数字假如这个协议没有名字注册)和包大小。
NBP packets are formatted like the following examples:
ATP packet formatting is demonstrated by the following example:

IP Fragmentation

ip分片
Fragmented Internet datagrams are printed as
    (frag id:size@offset+)
    (frag id:size@offset)
(The first form indicates there are more fragments. The second indicates this is the last fragment.)
第一种形式指示有更多的分片。第二种指出这是最后一个分片。
A packet with the IP don't fragment flag is marked with a trailing (DF).
一个ip不分片的标志是标记为DF的包
一个包标记为DF,标志着ip不分片。

Timestamps

时间戳
By default, all output lines are preceded by a timestamp. The timestamp is the current clock time in the form
默认,所有输出行以一个时间戳开始。时间戳是当前时钟时间,形如:
    hh:mm:ss.frac
and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet.
并且和内核时钟一样精确。时间戳反映了内核第一次看到包的时间。
No attempt is made to account for the time lag between when the Ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt.  
在当以太接口从线上移除包与当内核服务新包中断之间的时间延迟

转载于:https://www.cnblogs.com/createyuan/p/4444485.html

你可能感兴趣的文章
redis知识点整理
查看>>
Hello World
查看>>
Spring3全注解配置
查看>>
ThreadLocal真会内存泄露?
查看>>
IntelliJ IDEA
查看>>
低版本mybatis不能用PageHeper插件的时候用这个分页
查看>>
javaweb使用自定义id,快速编码与生成ID
查看>>
[leetcode] Add Two Numbers
查看>>
elasticsearch suggest 的几种使用-completion 的基本 使用
查看>>
04-【MongoDB入门教程】mongo命令行
查看>>
字符串与整数之间的转换
查看>>
断点传输HTTP和URL协议
查看>>
redis 数据类型详解 以及 redis适用场景场合
查看>>
mysql服务器的主从配置
查看>>
巧用AJAX技术,通过updatePanel控件实现局部刷新
查看>>
20140420技术交流活动总结
查看>>
SaltStack配置salt-api
查看>>
各种情况下block的类型
查看>>
ThinkPHP 3.2.x 集成极光推送指北
查看>>
js作用域链
查看>>