
Common usage of tcpdump + Wireshark analysis of cap files

2025-02-28 Update From: SLTechnology News&Howtos (shulou), Servers

Shulou (Shulou.com) 06/02 Report

Common usage at work

1. Common usage of tcpdump:

1. -i specifies the network interface. Commonly used options: -vnn displays verbose information and does not resolve IP addresses or port numbers to names.

Capture packets sent to or from a given IP on a given interface:

tcpdump -i ethX host 192.168.1.100 -vnn

2. Multiple filter conditions can be joined with or / and. The tcp before port selects the protocol (tcp or udp).

Capture packets sent to or from a given IP on a given interface and a designated port:

tcpdump -i ethX host 192.168.1.100 and tcp port 22 -vnn    (22 is the port number)

3. -c specifies the number of packets to capture; -w writes the captured packets to a file.

Capture 50 packets on an interface and write them to the file dump.cap (why .cap? because Wireshark recognizes this extension):

tcpdump -i ethX -c 50 -w /root/dump.cap

4. The keywords src and dst indicate the source or the destination.

Capture packets whose source port is 22 (tcp):

tcpdump -i ethX tcp src port 22 -vnn

The above are the commonly used forms; they can be combined flexibly according to the actual situation.

2. Analysing packets in Wireshark:

1. Lavender (light purple) packets are normal packets, including data packets and ACK packets.

2. Black packets are abnormal packets, including lost ACKs, retransmissions, etc.

2.1 Packet size limited during capture: this flag means the packet was not captured in full, only partially. It is usually caused by the capture tool itself: on some systems tcpdump only captures the first 96 bytes of each frame. The number of bytes to capture can be specified with the "-s" parameter.

2.2 TCP Previous segment not captured: during a TCP transmission, the data sent by one host should be contiguous, that is, the Sequence number of the next packet should equal the Sequence+Len of the previous packet. If a captured packet does not follow this rule, i.e. its Sequence is larger than the previous packet's Sequence+Len, we can assume that the packet in between was not captured. The reason that packet did not arrive in time may be reordering or packet loss.

2.3 TCP ACKed unseen segment: when Wireshark finds that the packet being ACKed was not captured, it shows [TCP ACKed unseen segment]. This prompt is generally not a problem; Wireshark simply missed the packet.

2.4 TCP Dup ACK: when reordering or packet loss occurs, the packet that should have been received is missing, but packets with larger Sequence numbers arrive. The client then replies with an ACK whose ACK number is that of the packet it expected but has not received. If more unexpected packets follow, the client replies with such an ACK for every further packet received. Because these ACKs are duplicates, they are flagged [TCP Dup ACK].

2.5 TCP Out-of-Order: during a TCP transmission the Sequence numbers of packets should increase continuously, that is, consecutive packets should differ by exactly one Len of data. If, in transit, a packet with a larger Sequence arrives before one with a smaller Sequence, [TCP Previous segment not captured] is triggered first, and when the "late" packet arrives afterwards it is marked [TCP Out-of-Order].

2.6 TCP Fast Retransmission: when the server receives 3 or more [TCP Dup ACK], it decides that the packet being asked for is lost and resends it immediately, even if the retransmission timer has not expired; the retransmitted packet received by the client is marked [TCP Fast Retransmission].

2.7 TCP Retransmission: generally, if a packet is lost and there are not enough subsequent packets to trigger [TCP Fast Retransmission], a timeout retransmission happens after the timer expires, and the packet received by the client is marked [TCP Retransmission].

2.8 TCP ZeroWindow: in a TCP packet, the XX in "win=XX" in the Info column is the size of the receive window: how much data the host at this packet's source address can still receive, i.e. how much space is left in its buffer. When win=0, the corresponding ACK is marked [TCP ZeroWindow], telling the sender "I cannot receive any more data".

2.9 TCP Window Full: when this flag appears, the data that the sender has sent but not yet had acknowledged has reached the upper limit of the receiver's receive window, so the sender stops sending data rather than waiting for the receiver to reply [TCP ZeroWindow]. So [TCP Window Full] means the sender cannot send more data, while [TCP ZeroWindow] means the receiver cannot receive more data; in either case, data transmission stops until there is new space in the buffer to store data.
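As an added illustration (not from the original article), the following Python script applies simplified versions of the heuristics described in 2.1 to 2.9 to a constructed TCP trace; the hosts "A"/"B", the Seg class, the 3-dup-ACK threshold and the "window full" comparison are assumptions, and real Wireshark logic checks more conditions than shown here.

```python
from dataclasses import dataclass

@dataclass
class Seg:                      # one captured TCP segment (constructed, not a real capture)
    src: str                    # sending host label, "A" or "B" (assumed)
    seq: int                    # sequence number
    length: int                 # payload bytes (Len)
    ack: int                    # acknowledgement number
    win: int                    # advertised receive window (win=XX)
    frame_len: int = 100        # bytes on the wire
    cap_len: int = 100          # bytes captured (tcpdump -s snaplen)

def analyse(segs):
    flags, next_seq, seen = {}, {}, {}        # per sender: expected seq, (seq,len) already seen
    last_ack, last_win, dup = {}, {}, {}      # per host: last ack/window sent, dup-ACK run length
    for i, s in enumerate(segs):
        f, peer = [], ("B" if s.src == "A" else "A")
        if s.cap_len < s.frame_len:
            f.append("Packet size limited during capture")
        if s.length > 0:
            expected, key = next_seq.get(s.src), (s.seq, s.length)
            if expected is not None and s.seq > expected:
                f.append("Previous segment not captured")  # seq jumped past Sequence+Len
            elif expected is not None and s.seq < expected:
                if dup.get(peer, 0) >= 3 and last_ack.get(peer) == s.seq:
                    f.append("Fast Retransmission")       # 3+ dup ACKs asked for this seq
                elif key in seen.get(s.src, set()):
                    f.append("Retransmission")            # same data seen before, timer-driven
                else:
                    f.append("Out-of-Order")              # late arrival of data never seen
            if last_win.get(peer, 0) > 0 and s.seq + s.length - last_ack[peer] >= last_win[peer]:
                f.append("Window Full")                   # bytes in flight reached peer's window
            seen.setdefault(s.src, set()).add(key)
            next_seq[s.src] = max(expected or 0, s.seq + s.length)
        else:
            dup[s.src] = dup.get(s.src, 0) + 1 if last_ack.get(s.src) == s.ack else 0
            if dup[s.src]:
                f.append("Dup ACK")                       # same ack repeated: receiver reports a gap
            if s.win == 0:
                f.append("ZeroWindow")                    # receiver has no buffer space left
        last_ack[s.src], last_win[s.src], flags[i] = s.ack, s.win, f
    return flags

# Constructed trace: A sends 100-byte segments to B (win 1000); B only sends ACKs.
A = lambda seq, **kw: Seg("A", seq, 100, 1, 1000, **kw)
B = lambda ack, win=1000: Seg("B", 1, 0, ack, win)
SAMPLE = [A(1, frame_len=1500, cap_len=96), B(101), A(201), B(101), B(101), B(101),
          A(101), B(301), A(301), A(301), B(401), A(501), A(401), B(601, 100),
          A(601), B(701, 0)]
```

Calling analyse(SAMPLE) returns a dict from segment index to its flags, e.g. index 2 gets "Previous segment not captured" and index 6 "Fast Retransmission".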

3. The columns of the packet list, from left to right, are:

Packet number, time, source address, destination address, protocol type, length, total length, packet sequence number, next packet sequence number, ACK number, identification code, RTT, and some window parameters.

4. After clicking on a packet, more detailed information is shown in the pane at the bottom of Wireshark:

It corresponds to the layers of the OSI seven-layer model: data link layer, network layer, transport layer, application layer.
