
What are the tcpdump commands on Linux

2025-01-16 Update From: SLTechnology News&Howtos

Many newcomers are not very clear about the Linux tcpdump command. To help with that, this article explains it in detail; anyone who needs it can follow along, and I hope you gain something from it.

When it comes to tcpdump, most administrators fall into two categories. There are administrators who are familiar with tcpdump and all of its flags, and administrators who only know the basics of how to use it and do the rest with the help of a reference manual. The reason for this is that tcpdump is a fairly advanced command that requires a fairly in-depth understanding of how the network works.

In today's article, I want to provide a quick but quite practical tcpdump reference. I'll talk about basic and some advanced usage. I'm sure I'll leave out some pretty cool commands. You're welcome to add them in the comments section.

Before we delve into it, the most important thing is to understand what tcpdump is for. The tcpdump command is used to capture and record network traffic. You can use it to observe what is happening on the network, and it can be used to solve a variety of problems, including problems that have nothing to do with network communication. In addition to network problems, I often use tcpdump to solve application problems. If you find that two applications are not working well together, you can use tcpdump to observe what's wrong. tcpdump can be used to capture and read packets, especially if the communication is not encrypted.

Basic knowledge

To understand tcpdump, you first need to know the flags it accepts. In this section, I will cover the basic flags that are used in many situations.

Do not convert hostname, port number, etc.

# tcpdump -n

Typically, tcpdump attempts to find and translate hostnames and port numbers.

# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 355, options [nop,nop,TS val 620879437 ecr 620879348], length 196

You can turn off this behaviour with the -n flag. Personally, I always use this flag because I like to use IP addresses instead of hostnames, and the translation of hostnames and port numbers is often troublesome. However, it is useful to know when to run tcpdump with or without this conversion, especially when it is important to know which server the traffic comes from.

# tcpdump -n

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

47.934665 IP 10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], seq 2546457621:2546457817, ack 1824684201, win 355, options [nop,nop,TS val 621010158 ecr 621010055], length 196

Add more details

# tcpdump -v

Add a simple -v flag, and the output will contain more information, such as the time to live (ttl) of an IP packet, its length, and other options.

# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 355, options [nop,nop,TS val 620879437 ecr 620879348], length 196

There are three levels of detail for tcpdump, and you can get more information by increasing the number of v flags on the command line. Usually when I use tcpdump, I always use the highest level of detail, because I want to see all the information so that I don't have to go back for it later.

# tcpdump -vvv -c 1

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:36:13.873456 IP (tos 0x10, ttl 64, id 121, offset 0, flags [DF], proto TCP (6), length 184)

    blog.ssh > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x0dfd), seq 2546458841:2546458973, ack 1824684869, win 355, options [nop,nop,TS val 621196643 ecr 621196379], length 132

Specify a network interface

# tcpdump -i eth0

In general, if you do not specify a network interface, tcpdump will choose the lowest numbered network interface at run time, usually eth0, although it may vary from system to system.

# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 355, options [nop,nop,TS val 620879437 ecr 620879348], length 196

You can use the -i flag to specify the network interface. On most Linux systems, the special interface name any makes tcpdump listen on all interfaces. I find this particularly useful when troubleshooting servers with multiple network interfaces, especially when routing is involved.

# tcpdump -i any

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2547763641:2547763837, ack 1824693949, win 355, options [nop,nop,TS val 621343002 ecr 621342962], length 196

Write to a file

# tcpdump -w /path/to/file

By default, the results of a tcpdump run are printed to the screen.

# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

16:15:05.051896 IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2546456553:2546456749, ack 1824683693, win 355, options [nop,nop,TS val 620879437 ecr 620879348], length 196

But most of the time, you want to save the tcpdump output in a file, and the easiest way is to use the -w flag. This is especially useful if you want to examine the network data later. The advantage of saving this data as a file is that you can read the saved file multiple times and apply other flags or filters to this snapshot of network traffic (which we'll discuss later).

# tcpdump -w /var/tmp/tcpdata.pcap

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

1 packet captured

2 packets received by filter

0 packets dropped by kernel

Usually this data is buffered and is not written to the file until you end the tcpdump command with CTRL+C.

Read a file

# tcpdump -r /path/to/file

Once you save the output to a file, you will need to read the file back. To do this, you just need to specify the path where the file is stored after the -r flag.

# tcpdump -r /var/tmp/tcpdata.pcap

reading from file /var/tmp/tcpdata.pcap, link-type EN10MB (Ethernet)

IP blog.ssh > 10.0.3.1.32855: Flags [P.], seq 2547766673:2547766705, ack 1824696181, win 355, options [nop,nop,TS val 621493577 ecr 621493478], length 132

As a reminder, if you are familiar with network diagnostic tools such as wireshark, you can also use them to read files saved by tcpdump.

Specify the capture size

# tcpdump -s 100

Newer versions of tcpdump usually capture 65535 bytes, but in some cases you don't need to capture packets at the default size. When running tcpdump, you can specify the snapshot length with the -s flag.

Specify the number of packets to capture

# tcpdump -c 10

tcpdump will keep running until you stop it with CTRL+C.

# tcpdump host google.com

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

^C

0 packets captured

4 packets received by filter

0 packets dropped by kernel

You can also make tcpdump stop after capturing a certain number of packets by giving that number after the -c flag. Use this flag when you don't want so much tcpdump output on the screen that you can't read it. Of course, it is usually better to capture only specific traffic with the help of filters.

Summary of basic knowledge

# tcpdump -nvvv -i any -c 100 -s 100

You can combine these basic flags to get tcpdump to provide the information you need.

Filter

After introducing the basic flags, it's time to introduce filters. tcpdump can filter the data it captures or prints through a variety of expressions. I will give some simple examples in this article so that you can understand the syntax. You can check the pcap-filter section of the tcpdump help for more detailed information.

Find traffic for a specific host

# tcpdump -nvvv -i any -c 3 host 10.0.3.1

Run the above command and tcpdump will output the results to the screen as before, but only packets with source or destination IP address 10.0.3.1 will be displayed. By adding the host 10.0.3.1 parameter, we have tcpdump filter out packets in which neither the source nor the destination address is 10.0.3.1.

# tcpdump -nvvv -i any -c 3 host 10.0.3.1

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

17:54:15.067496 IP (tos 0x10, ttl 64, id 5502, offset 0, flags [DF], proto TCP (6), length 184)

    10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1ba1 (incorrect -> 0x9f75), seq 2547785621:2547785753, ack 1824705637, win 355, options [nop,nop,TS val 622366941 ecr 622366923], length 132

17:54:15.067613 IP (tos 0x10, ttl 64, id 52315, offset 0, flags [DF], proto TCP (6), length 52)

    10.0.3.1.32855 > 10.0.3.246.22: Flags [.], cksum 0x1b1d (incorrect -> 0x7c34), seq 1, ack 132, win 540, options [nop,nop,TS val 622366941 ecr 622366941], length 0

17:54:15.075230 IP (tos 0x10, ttl 64, id 5503, offset 0, flags [DF], proto TCP (6), length 648)

    10.0.3.246.22 > 10.0.3.1.32855: Flags [P.], cksum 0x1d71 (incorrect -> 0x3443), seq 132:728, ack 1, win 355, options [nop,nop,TS val 622366943 ecr 622366941], length 596

Show only traffic whose source address is a specific host

# tcpdump -nvvv -i any -c 3 src host 10.0.3.1

The previous example shows traffic with a source or destination address of 10.0.3.1, while the above command shows only traffic with a packet source address of 10.0.3.1. This is achieved by adding the src parameter before host. This extra filter tells tcpdump to look for a specific source address. Conversely, through the dst filter, you can specify the destination address.

Filter source and destination ports

# tcpdump -nvvv -i any -c 3 port 22 and port 60738

With the and operator, you can build more complex filter expressions in tcpdump. It works like the condition of an if statement, so think of it that way. In this example, we use the and operator to tell tcpdump to output only packets with port numbers 22 and 60738. This is useful when analyzing network problems because it is a way to focus on the packets of one particular session.

You can express the and operator in two ways, either and or &&. I personally tend to use both; just remember to enclose the expression in single or double quotes when using &&. In Bash, && runs the following command only if the preceding command succeeded. In general, it is best to wrap the expression in quotation marks to avoid unexpected results, especially if there are special characters in the filter.

Find traffic with two port numbers

# tcpdump -nvvv -i any -c 20 'port 80 or port 443'

You can use the or or the || operator to filter the results. In this example, we use the or operator to capture traffic whose source or destination port is 80 or 443. This is particularly useful on Web servers because the server usually has two open ports, port 80 for http connections and port 443 for https.

Find two specific ports and data flow from a specific host

# tcpdump -nvvv -i any -c 20 '(port 80 or port 443) and host 10.0.3.169'

The previous example is very effective in troubleshooting multi-port protocol problems. If the Web server has a considerable amount of traffic, the output of tcpdump may be a bit confusing. We can further limit the output by adding the host parameter. In this case, we preserve the or condition by placing the or expression in parentheses.

You can use parentheses multiple times in a filter. In the following example, the command restricts the capture to packets whose sending or receiving port number is 80 or 443, whose host is 10.0.3.169 or 10.0.3.1, and whose destination address is 10.0.3.246.
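An added example (not code from the original article) of a filter matching that description, assembled from parts so the grouping is explicit and so that values coming from a script variable cannot change the structure of the expression. The helper names or_group and article_filter are hypothetical, and "the host is" is read here as the host keyword (either direction).

```shell
#!/bin/sh
# Added example: build a grouped pcap filter from separate values.
# or_group KEYWORD VALUE... prints "(KEYWORD v1 or KEYWORD v2 ...)".
# or_group is a hypothetical helper, not part of tcpdump.
or_group() {
    kw=$1; shift
    out=
    for v in "$@"; do
        # Accept only characters found in port numbers, IP addresses and
        # hostnames, so a value cannot add operators or parentheses.
        case $v in
            ''|*[!A-Za-z0-9.:-]*)
                echo "or_group: rejected value: $v" >&2
                return 1 ;;
        esac
        out="${out:+$out or }$kw $v"
    done
    [ -n "$out" ] || return 1
    printf '(%s)\n' "$out"
}

# The filter described in the paragraph above: port 80 or 443, host
# 10.0.3.169 or 10.0.3.1, destination 10.0.3.246.
article_filter() {
    ports=$(or_group port 80 443) || return 1
    hosts=$(or_group host 10.0.3.169 10.0.3.1) || return 1
    printf '%s and %s and dst host 10.0.3.246\n' "$ports" "$hosts"
}

# Single-quote the expression so the shell passes the parentheses to tcpdump
# untouched. The command is printed here rather than run (capturing needs root).
printf "tcpdump -nvvv -i any -c 20 '%s'\n" "$(article_filter)"
```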

Understand the output

Capturing network traffic with tcpdump is hard enough with all of its options, but once you have the data, you still have to interpret it. In this section, we will cover how to determine the source / destination IP address, the source / destination port number, and the type of TCP packet. Of course, these are pretty basic, and you can get a lot more information from tcpdump. However, this article is mainly a rough introduction, so we will focus on these basics. I suggest you get more detailed information through the help page.

Determine the source and destination addresses

Determining the source and destination addresses and port numbers is fairly simple.

From the output above, we can see that the source IP address is 10.0.3.246, the source port number is 56894, the destination IP address is 192.168.0.92, and the port number is 22. Once you understand the tcpdump format, this information is easy to read. If you haven't guessed the format yet, it is src-ip.src-port > dest-ip.dest-port: Flags [S]. The source address comes before >, followed by the destination address. You can think of > as an arrow pointing to the destination address.

Determine the packet type

10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989005 ecr 0,nop,wscale 7], length 0

From the example above, we can tell that this packet is a SYN packet. We draw this conclusion from the [S] flag field in the tcpdump output; different types of packets carry different flags. Without an in-depth understanding of the packet types in the TCP protocol, you can determine the type from the following quick look-up table.

[S] - SYN (start connection)

[.] - No flag

[P] - PSH (data push)

[F] - FIN (end connection)

[R] - RST (reset connection)

In this version of the tcpdump output, the [S.] flag indicates that the packet is a SYN-ACK packet.

A bad example

15:15:43.323412 IP (tos 0x0, ttl 64, id 51051, offset 0, flags [DF], proto TCP (6), length 60)

    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x0388), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989005 ecr 0,nop,wscale 7], length 0

15:15:44.321444 IP (tos 0x0, ttl 64, id 51052, offset 0, flags [DF], proto TCP (6), length 60)

    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x028e), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989255 ecr 0,nop,wscale 7], length 0

15:15:46.321610 IP (tos 0x0, ttl 64, id 51053, offset 0, flags [DF], proto TCP (6), length 60)

    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], cksum 0xcf28 (incorrect -> 0x009a), seq 682725222, win 29200, options [mss 1460,sackOK,TS val 619989755 ecr 0,nop,wscale 7], length 0

The above shows an example of a bad communication, in which "bad" means that the connection is not established. We can see that 10.0.3.246 sends a SYN packet to host 192.168.0.92, but the host does not reply.

A good example

15:18:25.716453 IP (tos 0x10, ttl 64, id 53344, offset 0, flags [DF], proto TCP (6), length 60)

    10.0.3.246.34908 > 192.168.0.110.22: Flags [S], cksum 0xcf3a (incorrect -> 0xc838), seq 1943877315, win 29200, options [mss 1460,sackOK,TS val 620029603 ecr 0,nop,wscale 7], length 0

15:18:25.716777 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)

    192.168.0.110.22 > 10.0.3.246.34908: Flags [S.], cksum 0x594a (correct), seq 4001145915, ack 1943877316, win 5792, options [mss 1460 ecr 620029603], length 0

15:18:25.716899 IP (tos 0x10, ttl 64, id 53345, offset 0, flags [DF], proto TCP (6), length 52)

    10.0.3.246.34908 > 192.168.0.110.22: Flags [.], cksum 0xcf32 (incorrect -> 0x9dcc), ack 1, win 229, options [nop,nop,TS val 620029603 ecr 18495104], length 0

A good example should look like this. We see a typical TCP 3-way handshake. The first packet is the SYN packet, which is sent from host 10.0.3.246 to host 192.168.0.110. The second packet is the SYN-ACK packet, with which host 192.168.0.110 responds to the SYN packet. The last packet is an ACK or SYN-ACK-ACK packet, with which host 10.0.3.246 acknowledges receiving the SYN-ACK packet. From the above, you can see that a TCP/IP connection has been successfully established.
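The bad and good exchanges above can be told apart mechanically. The following is an added example, not part of the original article: a shell function (hypothetical name handshake_status) that reads tcpdump -n text output and reports, for each flow opened by a SYN, whether the handshake completed. The sample lines are abridged from the two captures above, and the status labels are this example's own.

```shell
#!/bin/sh
# Added example: classify TCP handshakes seen in `tcpdump -n` text output.
# Prints "<client> > <server> <STATUS> syn=<count>" per flow opened by a SYN.
handshake_status() {
    awk '
    {
        i = index($0, "Flags [")            # only lines with a TCP flags field
        if (i == 0) next
        rest  = substr($0, i + 7)
        flags = substr(rest, 1, index(rest, "]") - 1)

        src = ""; dst = ""                  # "src.port > dst.port:"
        for (n = 2; n < NF; n++)
            if ($n == ">") { src = $(n - 1); dst = $(n + 1); break }
        if (src == "") next
        sub(/:$/, "", dst)

        if (flags == "S") {                 # client SYN or a retransmission
            key = src " > " dst
            if (!(key in syn)) order[++nflows] = key
            syn[key]++
        } else if (flags == "S.") {         # SYN-ACK from the server
            key = dst " > " src
            if (key in syn) synack[key] = 1
        } else if (index(flags, "R")) {     # RST answering the SYN
            key = dst " > " src
            if ((key in syn) && !(key in synack)) rst[key] = 1
        } else if (index(flags, ".")) {     # client ACK completes the handshake
            key = src " > " dst
            if (key in synack) acked[key] = 1
        }
    }
    END {
        for (k = 1; k <= nflows; k++) {
            key = order[k]
            if (key in acked)       st = "ESTABLISHED"
            else if (key in rst)    st = "REFUSED"
            else if (key in synack) st = "HALF_OPEN"
            else                    st = "NO_REPLY"
            printf "%s %s syn=%d\n", key, st, syn[key]
        }
    }'
}

# Sample input, abridged from the bad and good examples in the article.
sample_capture() {
    cat <<'EOF'
15:15:43.323412 IP (tos 0x0, ttl 64, id 51051, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
15:15:44.321444 IP (tos 0x0, ttl 64, id 51052, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
15:15:46.321610 IP (tos 0x0, ttl 64, id 51053, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.56894 > 192.168.0.92.22: Flags [S], seq 682725222, win 29200, length 0
15:18:25.716453 IP (tos 0x10, ttl 64, id 53344, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.3.246.34908 > 192.168.0.110.22: Flags [S], seq 1943877315, win 29200, length 0
15:18:25.716777 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.0.110.22 > 10.0.3.246.34908: Flags [S.], seq 4001145915, ack 1943877316, win 5792, length 0
15:18:25.716899 IP (tos 0x10, ttl 64, id 53345, offset 0, flags [DF], proto TCP (6), length 52)
    10.0.3.246.34908 > 192.168.0.110.22: Flags [.], cksum 0xcf32 (incorrect -> 0x9dcc), ack 1, win 229, length 0
EOF
}

sample_capture | handshake_status
```

On a live system the same function can be fed from a saved capture, for example tcpdump -nr /var/tmp/tcpdata.pcap | handshake_status.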

Packet inspection

Print packets with hexadecimal and ASCII codes

# tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'

A common practice for troubleshooting application network problems is to print packets in hexadecimal and ASCII format with the -XX flag of tcpdump. This is a very useful command that allows you to see the source address, destination address, packet type, and the packet itself. But I'm not a fan of this command output. I think it's too hard to read.

# tcpdump -nvvv -i any -c 1 -XX 'port 80 and host 10.0.3.1'

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

19:51:15.697640 IP (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 483)

    10.0.3.1.45732 > 10.0.3.246.80: Flags [P.], cksum 0x1ccc (incorrect -> 0x2ce8), seq 3920159713:3920160144, ack 969855140, win 245, options [nop,nop,TS val 624122099 ecr 624117334], length 431

0x0000: 0000 0001 0006 fe0a e2d1 8785 0000 0800 ................

0x0010: 4500 01e3 d429 4000 4006 49f5 0a00 0301 E....)@.@.I.....

0x0020: 0a00 03f6 b2a4 0050 e9a8 e3e1 39ce d0a4 .......P....9...

0x0030: 8018 00f5 1ccc 0000 0101 080a 2533 58f3 ............%3X.

0x0040: 2533 4656 4745 5420 2f73 6f6d 6570 6167 %3FVGET./somepag

0x0050: 6520 4854 5450 2f31 2e31 0d0a 486f 7374 e.HTTP/1.1..Host

0x0060: 3a20 3130 2e30 2e33 2e32 3436 0d0a 436f :.10.0.3.246..Co

0x0070: 6e6e 6563 7469 6f6e 3a20 6b65 6570 2d61 nnection:.keep-a

0x0080: 6c69 7665 0d0a 4361 6368 652d 436f 6e74 live..Cache-Cont

0x0090: 726f 6c3a 206d 6178 2d61 6765 3d30 0d0a rol:.max-age=0..

0x00a0: 4163 6365 7074 3a20 7465 7874 2f68 746d Accept:.text/htm

0x00b0: 6c2c 6170 706c 6963 6174 696f 6e2f 7868 l,application/xh

0x00c0: 746d 6c2b 786d 6c2c 6170 706c 6963 6174 tml+xml,applicat

0x00d0: 696f 6e2f 786d 6c3b 713d 302e 392c 696d ion/xml;q=0.9,im

0x00e0: 6167 652f 7765 6270 2c2a 2f2a 3b71 3d30 age/webp,*/*;q=0

0x00f0: 2e38 0d0a 5573 6572 2d41 6765 6e74 3a20 .8..User-Agent:.

0x0100: 4d6f 7a69 6c6c 612f 352e 3020 284d 6163 Mozilla/5.0.(Mac

0x0110: 696e 746f 7368 3b20 496e 7465 6c20 4d61 intosh;.Intel.Ma

0x0120: 6320 4f53 2058 2031 305f 395f 3529 2041 c.OS.X.10_9_5).A

0x0130: 7070 6c65 5765 624b 6974 2f35 3337 2e33 ppleWebKit/537.3

0x0140: 3620 284b 4854 4d4c 2c20 6c69 6b65 2047 6.(KHTML,.like.G

0x0150: 6563 6b6f 2920 4368 726f 6d65 2f33 382e ecko).Chrome/38.

0x0160: 302e 3231 3235 2e31 3031 2053 6166 6172 0.2125.101.Safar

0x0170: 692f 3533 372e 3336 0d0a 4163 6365 7074 i/537.36..Accept

0x0180: 2d45 6e63 6f64 696e 673a 2067 7a69 702c -Encoding:.gzip,

0x0190: 6465 666c 6174 652c 7364 6368 0d0a 4163 deflate,sdch..Ac

0x01a0: 6365 7074 2d4c 616e 6775 6167 653a 2065 cept-Language:.e

0x01b0: 6e2d 5553 2c65 6e3b 713d 302e 380d 0a49 n-US,en;q=0.8..I

0x01c0: 662d 4d6f 6469 6669 6564 2d53 696e 6365 f-Modified-Since

0x01d0: 3a20 5375 6e2c 2031 3220 4f63 7420 3230 :.Sun,.12.Oct.20

0x01e0: 3134 2031 393a 3430 3a32 3020 474d 540d 14.19:40:20.GMT.

0x01f0: 0a0d 0a ...

Only print packets in ASCII format

# tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'

I tend to print only data in ASCII format, which helps me quickly locate what is sent in the packet, which is correct and which is wrong. You can do this with the -A flag.

# tcpdump -nvvv -i any -c 1 -A 'port 80 and host 10.0.3.1'

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

52.011337 IP (tos 0x0, ttl 64, id 53757, offset 0, flags [DF], proto TCP (6), length 406)

    10.0.3.1.46172 > 10.0.3.246.80: Flags [P.], cksum 0x1c7f (incorrect -> 0xead1), seq 1552520173:1552520527, ack 428165415, win 237, options [nop,nop,TS val 624251177 ecr 624247749], length 354

E.@.@.Ln

...

.\ .P\ I'.

5Q) 5C.GET /newpage HTTP/1.1

Host: 10.0.3.246

Connection: keep-alive

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=0.8

From the output above, you can see that we have successfully captured an HTTP GET request. If the network communication is not encrypted, printing the packet data in a human-readable format is very helpful for solving application problems. If you are troubleshooting a problem where the network traffic is encrypted, printing the packet data is not very useful. But if you have a certificate, you can still use ssldump or wireshark.

Non-TCP traffic

Although this article mainly uses TCP traffic to explain tcpdump, tcpdump is definitely not limited to capturing TCP packets. It can also be used to capture other types of packets, such as ICMP, UDP, and ARP packets. Here are some simple examples of how tcpdump can capture non-TCP packets.

ICMP packet

# tcpdump -nvvv -i any -c 2 icmp

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

20:11:24.627824 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)

    10.0.3.169 > 10.0.3.246: ICMP echo request, id 15683, seq 1, length 64

20:11:24.627926 IP (tos 0x0, ttl 64, id 31312, offset 0, flags [none], proto ICMP (1), length 84)

    10.0.3.246 > 10.0.3.169: ICMP echo reply, id 15683, seq 1, length 64

UDP packet

# tcpdump -nvvv -i any -c 2 udp

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

20:12:41.726355 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)

    10.0.3.246.123 > 198.55.111.50.123: [bad udp cksum 0x43a9 -> 0x7043!] NTPv4, length 48

    Client, Leap indicator: clock unsynchronized (192), Stratum 2 (secondary reference), poll 6 (64s), precision -22

    Root Delay: 0.085678, Root dispersion: 57.141830, Reference-ID: 199.102.46.75

    Reference Timestamp: 3622133515.811991035 (20:11:55 on 2014-10-12)

    Originator Timestamp: 3622133553.828614115 (20:12:33 on 2014-10-12)

    Receive Timestamp: 3622133496.748308420 (20:11:36 on 2014-10-12)

    Transmit Timestamp: 3622133561.726278364 (20:12:41 on 2014-10-12)

    Originator - Receive Timestamp: -57.080305658

    Originator - Transmit Timestamp: +7.897664248

20:12:41.748948 IP (tos 0x0, ttl 54, id 9285, offset 0, flags [none], proto UDP (17), length 76)

    198.55.111.50.123 > 10.0.3.246.123: [udp sum ok] NTPv4, length 48

    Server, Leap indicator: (0), Stratum 3 (secondary reference), poll 6 (64s), precision -20

    Root Delay: 0.054077, Root dispersion: 0.058944, Reference-ID: 216.229.0.50

    Reference Timestamp: 3622132887.136984840 (20:01:27 on 2014-10-12)

    Originator Timestamp: 3622133561.726278364 (20:12:41 on 2014-10-12)

    Receive Timestamp: 3622133618.830113530 (20:13:38 on 2014-10-12)

    Transmit Timestamp: 3622133618.830129086 (20:13:38 on 2014-10-12)

    Originator - Receive Timestamp: +57.103835195

    Originator - Transmit Timestamp: +57.103850722

If you think there is a good example to further illustrate the tcpdump command, please add it in the comments.
