Detailed introduction of tcpdump, a tool for grabbing packets in Linux network

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article is a detailed introduction to tcpdump, the Linux network packet capture tool. Many people have questions about how to use it in daily operations, so the editor has collected material from various sources and organised it into simple, practical commands, together with an explanation of tcpdump's output. Please follow along.

Brief introduction

tcpdump, in its own words, "dumps the traffic on a network": it is a packet analysis tool that captures packets on the network according to an expression defined by the user. tcpdump captures the headers of packets travelling on the network for analysis (and, with a large enough snapshot length, the full packet). It supports filtering by network layer, protocol, host, network or port, and provides and, or, not and other logical operators to help you discard the information you do not need.

Practical command example

Start by default

The code is as follows:

tcpdump

Started with no arguments, tcpdump captures all packets flowing through the first network interface.

Monitor packets for a specified network interface

The code is as follows:

tcpdump -i eth2

If no interface is specified, tcpdump listens only on the first network interface, usually eth0. None of the following examples specify an interface.

Monitor packets for specified hosts

Print all packets entering or leaving sundown.

The code is as follows:

tcpdump host sundown

You can also give an IP address, for example to capture all packets sent or received by host 210.27.48.1:

The code is as follows:

tcpdump host 210.27.48.1

Print packets exchanged between helios and either hot or ace

The code is as follows:

tcpdump host helios and \( hot or ace \)

Capture traffic between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

The code is as follows:

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print IP packets for communication between ace and any other host, excluding packets with helios.

The code is as follows:

tcpdump ip host ace and not helios

To capture the IP packets that host 210.27.48.1 exchanges with every host except 210.27.48.2, use:

The code is as follows:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Capture all packets sent by the host hostname

The code is as follows:

tcpdump -i eth0 src host hostname

Capture all packets sent to the host hostname

The code is as follows:

tcpdump -i eth0 dst host hostname

Monitor packets for specified hosts and ports

To capture the telnet packets sent or received by host 210.27.48.1, use the following command

The code is as follows:

tcpdump tcp port 23 and host 210.27.48.1

Monitor UDP port 123 on this machine; 123 is the NTP service port.

The code is as follows:

tcpdump udp port 123

Monitor packets for a specified network

Print all packets between the local host and hosts on the Berkeley network (here ucb-ether is the network address of the 'Berkeley network'; literally, the expression prints all packets whose network address is ucb-ether)

The code is as follows:

tcpdump net ucb-ether

Print all ftp traffic passing through the internet gateway snup (note that the expression is enclosed in single quotes, which stops the shell from interpreting the parentheses)

The code is as follows:

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print all IP packets between local hosts and hosts that are not on the local network

If the local network is connected to another network through a gateway, that other network does not count as local. (localnet should be replaced with the actual name of the local network.)

The code is as follows:

tcpdump ip and not net localnet

Monitor packets for specified protocols

Print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host. (Again, replace localnet with the name of the local network.)

The code is as follows:

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Print all IPv4 TCP packets with source or destination port 80 that actually carry data, i.e. exclude packets with no payload such as SYN, FIN and pure ACK segments. (Writing the IPv6 version is left as an exercise.)

The code is as follows:

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(Explanation: ip[2:2] is the total length of the IP packet. ip[0]&0xf is the IP header length in 32-bit words, so (ip[0]&0xf)<<2 is that length in bytes. The high nibble of tcp[12] is the TCP data offset, also in 32-bit words, so ((tcp[12]&0xf0)>>4)<<2, which simplifies to (tcp[12]&0xf0)>>2, is the TCP header length in bytes. The expression (total length - IP header length - TCP header length) != 0 therefore means the packet carries TCP payload.

For the IPv6 version, use the difference between the 'Payload Length' field and the IPv6 header length, and replace ip[...] with ip6[...].)

Print IP packets longer than 576 bytes that pass through the gateway snup

The code is as follows:

tcpdump 'gateway snup and ip[2:2] > 576'

Print IP broadcast or multicast packets that were not sent as Ethernet-layer broadcast or multicast frames

The code is as follows:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

Print all ICMP packets that are not 'echo request' or 'echo reply' (for example, to see the packets generated by everything other than ping programs).

(Translator's note: the two ICMP types 'echo request' and 'echo reply' are normally generated by ping programs.)

The code is as follows:

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump and Wireshark

Wireshark (formerly Ethereal) is a very easy-to-use packet capture tool on Windows, but a good graphical capture tool is hard to find on Linux.

Fortunately there is tcpdump, so we can use the combination of tcpdump + Wireshark: capture the packets on Linux, then analyse the capture file on Windows.

The code is as follows:

tcpdump tcp -i eth2 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1) tcp: the protocol keywords ip, icmp, arp, rarp, tcp, udp and so on are placed first to filter on the type of datagram.

(2) -i eth2: only capture packets passing through interface eth2

(3) -t: do not print timestamps

(4) -s 0: by default only the first 68 bytes of each packet are captured; with -s 0 the complete packet is captured.

(5) -c 100: capture only 100 packets

(6) dst port ! 22: do not capture packets whose destination port is 22

(7) src net 192.168.1.0/24: the source address of the packet is in the network 192.168.1.0/24

(8) -w ./target.cap: save the capture to a cap file for later analysis with Ethereal (i.e. Wireshark)

Capturing HTTP packets with tcpdump

The code is as follows:

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854'

0x4745 is the ASCII encoding of "GE", the first two letters of "GET", and 0x4854 is "HT", the first two letters of "HTTP". The expression looks at bytes 20 and 21 of the TCP segment, i.e. it assumes a 20-byte TCP header with no options.

tcpdump does not fully decode the captured data; most of the packet contents are printed directly in hexadecimal. This is obviously not convenient for troubleshooting network faults, so the usual approach is to capture with the -w option and save the data to a file, then decode and analyse it with another program such as Wireshark. You should still define filter rules so that the captured packets do not fill the entire hard disk.

Meaning of output information

First note that the general output format of tcpdump is: timestamp source_host.port > destination_host.port packet parameters

The details of the output format depend on the protocol. The most common formats are described below, with examples.

Link layer header

On FDDI networks, the '-e' option causes tcpdump to print the 'frame control' field, the source and destination addresses, and the packet length. (The frame control field governs how the rest of the packet is interpreted. Normal packets, such as those carrying IP datagrams, are 'async' packets with a priority between 0 and 7; 'async4', for example, means an asynchronous packet with priority 4. Such packets are assumed to contain an 802.2 LLC (Logical Link Control) packet, and if that is not an ISO datagram or a so-called SNAP packet, its LLC header is printed.)

On Token Ring networks, the '-e' option causes tcpdump to print the 'access control' and 'frame control' fields, the source and destination addresses, and the packet length. As on FDDI networks, the packet is assumed to contain an LLC packet. Whether or not '-e' is given, the source routing information of 'source-routed' packets is always printed.

On 802.11 networks (wireless LAN), the '-e' option causes tcpdump to print the 'frame control' fields, all of the addresses in the 802.11 header, and the packet length. As on FDDI networks, the packet is assumed to contain an LLC packet.

Note: the following description assumes familiarity with the SLIP (Serial Line Internet Protocol) header compression algorithm, which is described in RFC 1144.

On SLIP links (a connection established over a serial line; a single point-to-point link can be treated as a network), a direction indicator ("I" for inbound, "O" for outbound), the packet type and compression information are printed. The packet type is printed first; the three types are ip, utcp (uncompressed TCP) and ctcp (compressed TCP). No further link information is printed for ip packets. For TCP packets, the connection identifier is printed after the type. If the packet is compressed, its encoded header is printed.

The special cases are printed as:

*S+n or *SA+n, where n is the amount by which the sequence number (or the sequence number and the acknowledgment number) has changed.

If it is not a special case, zero or more 'changes' are printed. A change is printed in the format:

flag +n / -n / =n, followed by the packet data length and the compressed header length.

The flag is one of:

U (urgent pointer), W (window), A (ack), S (sequence number) or I (packet ID); '=n' means the field was given a new value, and +n / -n means it increased or decreased by n.

For example, the following shows an outbound compressed TCP packet with an implicit connection identifier; the ack has changed by 6, the sequence number by 49 and the packet ID by 6; the packet carries 3 bytes (octets) of data and has a 6-byte compressed header. (So this is not a special-case packet.)

ARP/RARP packet

tcpdump's output for ARP/RARP packets shows the type of request and its arguments; the format is simple and self-explanatory. Here is a sample taken from the start of an 'rlogin' from host rtsg to host csam:

The code is as follows:

arp who-has csam tell rtsg

arp reply csam is-at CSAM

The first line says that rtsg sent an ARP packet (broadcast to the whole segment) asking for the Ethernet address of csam. Csam replied with its own Ethernet address (in this example, Ethernet addresses are shown as upper-case names and internet (IP) addresses as lower-case names).

With tcpdump -n, the Ethernet and IP addresses are shown as numbers instead of names:

The code is as follows:

arp who-has 128.3.254.6 tell 128.3.254.68

arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

With tcpdump -e, we can see that the first packet is a broadcast while the second is point-to-point:

The code is as follows:

RTSG Broadcast 0806 64: arp who-has csam tell rtsg

CSAM RTSG 0806 64: arp reply csam is-at CSAM

The first packet shows that the source Ethernet address of the ARP packet is RTSG, the destination is the Ethernet broadcast address, the type field is hexadecimal 0806 (ETHER_ARP, the type identifier of an ARP packet), and the total length of the packet is 64 bytes.

TCP packet

Note: the following assumes familiarity with TCP as described in RFC 793. If you are not familiar with it, neither this description nor tcpdump's output will be of much use to you. (This warning can be ignored: keep reading and return to the unfamiliar parts later.)

Typically, tcpdump displays tcp packets in the following format:

The code is as follows:

src > dst: flags data-seqno ack window urgent options

src and dst are the source and destination IP addresses and ports. The flags are some combination of S (SYN), F (FIN), P (PUSH), R (RST), W (ECN CWR) and E (ECN-Echo); a single '.' means that no flags are set. data-seqno describes the portion of sequence space covered by the data in this packet (the data stream is split into segments, each with a sequence number, and all those numbers form the sequence space; see the example below). ack is the sequence number of the next byte this side expects to receive from the other side of the connection. window is the number of bytes of receive buffer space available on this side (and therefore the amount the other side may send). urg indicates that the packet carries urgent data. options are TCP options, printed in angle brackets (for example <mss 1024>).

src, dst and flags are always present; whether the other fields appear depends on the contents of the TCP header.

This is the beginning of an rlogin login from rtsg to csam.

The code is as follows:

rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>

csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>

rtsg.1023 > csam.login: . ack 1 win 4096

rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096

csam.login > rtsg.1023: . ack 2 win 4096

rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096

csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077

csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1

csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

The first line says that TCP port 1023 on host rtsg sent a packet to port login on host csam (UDP ports and TCP ports are two separate spaces, although their value ranges are the same). S indicates that the SYN flag was set. The packet's sequence number is 768512 and it contains no data. (The notation is 'first:last(nbytes)', meaning the data in the packet covers sequence numbers first up to but not including last, a total of nbytes bytes of user data.) There is no piggy-backed ack (the second line, by contrast, is a packet with a piggy-backed ack), the available receive window is 4096 bytes, and rtsg announces a maximum segment size of 1024 bytes (this information is sent to the responder csam for negotiation).

Csam replies to rtsg with essentially the same SYN packet, except that it also carries a piggy-backed ack for rtsg's SYN. Rtsg then sends an ACK packet in response to csam's SYN. The '.' means no flags were set in this packet. Because the packet carries no data, there is no data sequence number either. Note that the ack sequence number of this packet is the small integer 1. The explanation: for each direction of a TCP conversation, tcpdump prints the absolute sequence number only in the initial packet, and in subsequent packets prints only the difference from that initial number. So the numbers after the first can be read as the 'relative byte' position of the data within the stream transferred on this connection (the first data byte in each direction is number 1). The '-S' option overrides this and prints the original sequence numbers of the packets.

The sixth line says that rtsg sent csam 19 bytes of data (bytes numbered 2 through 20, direction rtsg to csam), with the PUSH flag set. On line 7, csam says it has received data from rtsg up to but not including byte 21. Those bytes are sitting in the receive buffer of csam's socket, so csam's advertised receive window shrinks by 19 bytes (compare the win values on lines 5 and 7). In the same line-7 packet, csam also sends 1 byte of data to rtsg. On lines 8 and 9, csam sends rtsg two more packets containing one byte each, each with the PUSH flag set.
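A parser for the old-style tcpdump TCP lines quoted above, used to check the narrative about relative sequence numbers and the shrinking receive window. This is an added example, not code from the article or from tcpdump; the sample lines are the article's rlogin exchange, and the field names used for the summary are assumptions.

```python
# Added example (not from the article): parse old-style tcpdump TCP output lines
# of the form  src > dst: flags [first:last(nbytes)] [ack n] [win w] [urg u] [<opts>]
import re

LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<nbytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?(?: win (?P<win>\d+))?(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?\s*$"
)

def parse_line(line):
    """Split one tcpdump TCP line into its fields; numeric fields become ints."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    d = m.groupdict()
    for k in ("first", "last", "nbytes", "ack", "win", "urg"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

# The rlogin handshake and first data segments from the article (old output format)
SAMPLE = """\
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
"""

def summarize(text):
    """Per (src, dst) direction: user-data bytes sent, highest relative ack seen,
    last advertised window and number of urgent segments. Only the SYN lines
    carry absolute numbers (tcpdump without -S prints the rest relative to the
    initial sequence number), so the SYN-ACK's absolute ack is converted to the
    relative form that the later lines use."""
    isn, stats = {}, {}
    for line in text.splitlines():
        p = parse_line(line)
        key = (p["src"], p["dst"])
        s = stats.setdefault(key, {"bytes_sent": 0, "max_ack": 0, "last_win": None,
                                   "urgent": 0, "syn_ack_rel": None})
        if "S" in p["flags"]:
            isn[p["src"]] = p["first"]                 # absolute ISN of this direction
            if p["ack"] is not None:                   # SYN-ACK: absolute ack of peer's ISN
                s["syn_ack_rel"] = p["ack"] - isn[p["dst"]]
        else:
            s["bytes_sent"] += p["nbytes"] or 0        # data segments only
            if p["ack"] is not None:
                s["max_ack"] = max(s["max_ack"], p["ack"])
        s["last_win"] = p["win"]
        if p["urg"] is not None:
            s["urgent"] += 1
    return stats

if __name__ == "__main__":
    for direction, s in summarize(SAMPLE).items():
        print(f"{direction[0]} -> {direction[1]}: {s}")
```

The summary shows csam acking byte 21 after rtsg's 20 data bytes, and csam's window dropping from 4096 to 4077 (19 bytes), matching the explanation above.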

If the snapshot of a TCP packet is too small for tcpdump to capture the full TCP header, it parses as much of the header as it can and prints the unparseable remainder as '[|tcp]'. If the header contains a bogus option (for example one whose length field is shorter or longer than the option actually is), tcpdump prints '[bad opt]' and stops interpreting the options. If the header length says that options are present but the IP datagram is not long enough to actually contain them, tcpdump prints '[bad hdr length]'.

Capturing TCP packets with particular flag combinations (such as SYN-ACK, URG-ACK, etc.)

The TCP header uses 8 bits as the control bit area, namely:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

(Several of these bits may be set in the same packet.)

Now suppose we want to watch the packets used to establish a TCP connection. Recall that TCP uses a three-way handshake to set up a new connection; the packets, with their TCP control flags, are sent in this order:

1) the caller (connection initiator) sends a packet with the SYN flag

2) the recipient responds with a packet with the SYN and ACK flags

3) after receiving that response, the caller sends a packet with the ACK flag in reply.

The code is as follows:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header without option data normally occupies 20 bytes. The first line of the diagram holds bytes numbered 0 to 3, the second line bytes 4 to 7, and so on.

Counting from 0, the TCP control flags are in byte 13 (the left-hand part of the fourth line).

The code is as follows:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let's take a closer look at the byte number 13:

The code is as follows:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the control bits we are interested in. Numbered from right to left, the bits are 0 to 7, so PSH is bit number 3 and URG is bit number 5.

Remember that we want packets that carry the SYN flag. Let us look at what byte 13 looks like when a packet has the SYN bit set in its header:

The code is as follows:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Only bit 1 (bit number 1) of the control byte is set.

Treating byte 13 as an 8-bit unsigned integer in network byte order (for a single byte, network byte order and host byte order are the same), its binary value is as follows:

The code is as follows:

00000010

And its decimal value is:

The code is as follows:

0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

(Notation: 1*2^6 means 1 times 2 to the 6th power.)

We are close to our goal: we now know that if only the SYN bit is set, byte 13 of the TCP header has the value 2. (On byte order: in network byte order the most significant byte comes first, i.e. at the lowest memory address; 'most significant' refers to the high-order digit of the number, like the 3 in 356.)

Expressed in a form that tcpdump understands, the relationship is:

The code is as follows:

tcp[13] == 2

Thus, we can use this relationship as a filtering condition for tcpdump, and the goal is to monitor packets that contain only the SYN flag:

The code is as follows:

tcpdump -i xl0 'tcp[13] == 2'    (xl0 is a network interface name, like eth0)

This expression says, "let the 13th byte of the TCP header have the value 2", which is exactly what we want.

Now suppose we want packets with the SYN flag set regardless of whether other flags are also set (any SYN is what we want). Let us look at what byte 13 looks like when a SYN-ACK packet (SYN and ACK both set) arrives:

The code is as follows:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 1 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Bits 1 and 4 of byte 13 are set, so its binary value is:

The code is as follows:

00010010

Converted to decimal, that is:

The code is as follows:

0*2^7 + 0*2^6 + 0*2^5 + 1*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 18

We cannot simply use 'tcp[13] == 18' as the tcpdump filter expression, because that would select only SYN-ACK packets and discard everything else.

Remember our goal: as long as the packet's SYN flag is set, we ignore the other flags.

To achieve that, we AND the value of byte 13 with a mask (a bitwise logical AND) to extract just the SYN bit, and compare the result with the SYN value of byte 13 (binary 00000010):

The code is as follows:

     00010010 SYN-ACK                00000010 SYN
AND  00000010 (we want SYN)     AND  00000010 (we want SYN)
     --------                        --------
   = 00000010                      = 00000010

The AND operation gives the same result whether or not the ACK or any other flag is set: decimal 2 (binary 00000010).

So for any packet with the SYN flag set, the following expression is always true:

The code is as follows:

((value of octet 13) AND (2)) == (2)

From this we get the tcpdump filter expression:

The code is as follows:

tcpdump -i xl0 'tcp[13] & 2 == 2'

Note that the single quotes (or backslashes) cannot be omitted: they stop the shell from interpreting the & as a background operator.
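The byte-offset filters discussed above (the port-80 payload test, the tcp[20:2] GET/HTTP check, and tcp[13] == 2 versus tcp[13] & 2 == 2) evaluated in Python against constructed IPv4/TCP segments, so the index semantics can be checked without a live interface. This is an added example, not code from the article or from tcpdump; the packet builder, addresses, ports and option bytes are assumptions, and checksums are left at zero because these filters never inspect them.

```python
# Added example (not from the article): evaluate the article's byte-offset
# tcpdump filter expressions in Python against constructed IPv4 + TCP packets.
import struct

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01

def build_packet(flags, payload=b"", tcp_options=b"", src_port=40000, dst_port=80):
    """Construct a minimal IPv4 + TCP packet (constructed sample, not a capture).
    Checksums are zero; the byte-offset filters below never look at them."""
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)   # pad to 32-bit words
    data_offset = (20 + len(opts)) // 4                       # TCP header length in words
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 768512, 0,
                      data_offset << 4, flags, 4096, 0, 0) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([210, 27, 48, 1]), bytes([210, 27, 48, 2]))
    return ip + tcp

def ip_hdr_len(pkt):
    # ip[0] & 0xf is the IP header length in 32-bit words; << 2 converts to bytes
    return (pkt[0] & 0xF) << 2

def tcp_view(pkt):
    # tcp[n] in a tcpdump filter is indexed from the start of the TCP header
    return pkt[ip_hdr_len(pkt):]

def only_syn(pkt):
    """tcp[13] == 2: matches a pure SYN only."""
    return tcp_view(pkt)[13] == 2

def syn_set(pkt):
    """tcp[13] & 2 == 2: matches any segment with SYN set (SYN, SYN-ACK, ...)."""
    return tcp_view(pkt)[13] & 2 == 2

def has_payload(pkt):
    """(ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2) != 0:
    total length minus both header lengths is the number of payload bytes."""
    tcp = tcp_view(pkt)
    total_len = struct.unpack("!H", pkt[2:4])[0]          # ip[2:2]
    tcp_hdr_len = (tcp[12] & 0xF0) >> 2                   # (tcp[12]&0xf0)>>2
    return total_len - ip_hdr_len(pkt) - tcp_hdr_len != 0

def looks_like_http_fixed(pkt):
    """The article's tcp[20:2] test; it assumes a 20-byte TCP header (no options)."""
    tcp = tcp_view(pkt)
    if len(tcp) < 22:
        return False
    return struct.unpack("!H", tcp[20:22])[0] in (0x4745, 0x4854)   # "GE", "HT"

def looks_like_http(pkt):
    """Same check using the real data offset, so it still works with TCP options."""
    tcp = tcp_view(pkt)
    off = (tcp[12] & 0xF0) >> 2
    if len(tcp) < off + 2:
        return False
    return struct.unpack("!H", tcp[off:off + 2])[0] in (0x4745, 0x4854)

# Constructed sample segments (the SYN carries an MSS 1024 option, as in the
# article's rlogin trace; the last GET carries NOP, NOP, timestamp options)
syn = build_packet(SYN, tcp_options=b"\x02\x04\x04\x00")
syn_ack = build_packet(SYN | ACK)
ack_only = build_packet(ACK)
get_plain = build_packet(PSH | ACK, payload=b"GET / HTTP/1.0\r\n\r\n")
get_with_opts = build_packet(PSH | ACK, payload=b"GET / HTTP/1.0\r\n\r\n",
                             tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in [("SYN", syn), ("SYN-ACK", syn_ack), ("ACK", ack_only),
                      ("GET", get_plain), ("GET+opts", get_with_opts)]:
        print(f"{name:9} tcp[13]==2:{only_syn(pkt)!s:6} tcp[13]&2==2:{syn_set(pkt)!s:6} "
              f"payload:{has_payload(pkt)!s:6} tcp[20:2]:{looks_like_http_fixed(pkt)!s:6} "
              f"by-offset:{looks_like_http(pkt)}")
```

Running it shows that tcp[13] == 2 misses the SYN-ACK while tcp[13] & 2 == 2 catches it, and that the fixed tcp[20:2] test misses a GET once the TCP header carries options.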

UDP packet

The display format of UDP packets can be illustrated with the packets generated by the rwho application:

The code is as follows:

actinide.who > broadcast.who: udp 84

Port who on host actinide sent a UDP datagram to port who on host broadcast (actinide and broadcast are both internet host names). The datagram carries 84 bytes of user data.

Some UDP services are recognised from the source or destination port of the packet, and their higher-level protocol information is printed. In particular, Domain Name Service requests (DNS requests, RFC 1034/1035) and Sun RPC calls to NFS (the remote procedure calls made to an NFS server, described in RFC 1050).

UDP name service request

Note: the following description assumes familiarity with the Domain Service protocol described in RFC 1035; otherwise what follows will read like gibberish. (Don't let that scare you; just keep reading.)

The name service request has the following format:

The code is as follows:

Src > dst: id op? Flags qtype qclass name (len)

(nt: from below, the format should be src > dst: id op flags qtype qclass? Name (len))

For example, one is actually displayed as:

The code is as follows:

h3opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h3opolo asked the domain server on helios for the address record (qtype A) of ucbvax.berkeley.edu. The id of the query is 3. The '+' means the recursion desired flag was set (the DNS server may ask higher-level DNS servers for address records it does not hold itself). The query, as sent in the IP packet, was 37 bytes long, excluding the UDP and IP headers. The op field was omitted because this was the normal Query operation; if it were not, it would be printed between the '3' and the '+'. Similarly, qclass was the default value C_IN, so it is not shown; had it been present it would be printed right after the 'A'.

Exception checking is done by printing additional fields in square brackets: if a query also contains an answer, authority or additional records section, ancount, nscount and arcount are printed as '[na]', '[nn]' and '[nau]', where n is the corresponding count. If any of the response bits (AA, RA or rcode) or any of the 'must be zero' bits in header bytes 2 and 3 are set, '[b2&3=x]' is printed, where x is the hexadecimal value of header bytes 2 and 3.

UDP name service reply

For name service replies, tcpdump uses the following display format

The code is as follows:

src > dst: id op rcode flags a/n/au type class data (len)

For example, the specific display is as follows:

The code is as follows:

helios.domain > h3opolo.1538: 3 3/3/7 A 128.32.137.3 (273)

helios.domain > h3opolo.1537: 2 NXDomain* 0/1/0 (97)

The first line says that helios responded to query id 3 from h3opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is of type A (an address) and its data is the internet address 128.32.137.3. The reply UDP datagram contains 273 bytes of data (excluding the UDP and IP headers). The op field (its actual value is Query) and the rcode field (the response code, NoError) are omitted, and so is the class field (C_IN, the default class for A records).

The second line says that helios responded to query id 2 from h3opolo with a response code of NXDomain (non-existent domain), no answer records, one name server record and no authority records (in the a/n/au format the third count corresponds to the additional records section above). The '*' indicates that the authoritative answer bit was set. Because there are no answer records, the type, class and data fields are omitted.

Other characters may appear in the flags field: '-' (recursion available, the RA flag, not set) and '|' (truncated message, the TC flag, set). If the 'question' section of a reply does not contain exactly one entry, '[nq]' is printed.

Note that name server requests and replies tend to be large, and the default snaplen of 68 bytes (the snapshot length, a tcpdump setting) may not be enough to capture the whole packet. If you really need to look closely at name server traffic, increase the snaplen with tcpdump's -s option.

SMB/CIFS decoding

tcpdump can decode the contents of SMB/CIFS/NBT packets (Server Message Block, Common Internet File System, and NetBIOS over TCP/IP respectively; these services normally use UDP ports 137 and 138 and TCP port 139). The original decoding of IPX and NetBEUI SMB packets is also still available (NetBEUI is an enhanced version of NetBIOS).

By default tcpdump prints a fairly minimal decode of these packets. For a detailed decode, start it with the -v option. Be aware that -v produces a great deal of output, often a screen or more for a single SMB packet, so use it only when necessary.

Information on the SMB packet format and the meaning of each field can be found in the pub/samba/specs/ directory of www.cifs.org or of a samba.org mirror site. The SMB patches for Linux were provided by Andrew Tridgell (tridge@samba.org).

NFS request and response

For Sun NFS (Network File System) requests and replies carried in UDP packets, tcpdump prints output in the following format:

The code is as follows:

Src.xid > dst.nfs: len op args

Src.nfs > dst.xid: reply stat len op results

The following is a specific set of output data

The code is as follows:

Sushi.6709 > wrl.nfs: 112 readlink fh 21 Magi 24Accorde 10.73165

Wrl.nfs > sushi.6709: reply ok 40 readlink ".. / var"

Sushi.201b > wrl.nfs:

144 lookup fh 9 74Compact 4096.6878 "xcolors"

Wrl.nfs > sushi.201b:

Reply ok 128 lookup fh 9,74/4134.3150

The first line of output shows that the host sushi sent a 'exchange request' (nt: transaction) to the host wrl with an id of 6709 (note that the host name is followed by a swap

Request the id number instead of the source port number. The request data is 112 bytes, excluding the length of UDP and IP headers. The operation type is readlink (nt: that is, this operation is a read symbolic link operation)

The operation parameter is fh 21 Magne24 handle 10.73165 (nt: it can be parsed according to the actual running environment. Fd represents the description of the file handle, and 21 Magi 24 indicates the corresponding setting of this handle.

Standby master / slave device number pair, 10 represents the I node number corresponding to this handle (nt: each file corresponds to an I node in the operating system, limited to unix systems)

73165 is a number (nt: can be understood as a random number identifying this request, the specific meaning should be added).

In the second line, wrl responds with 'ok'' and returns the actual directory of the symbolic link that sushi wants to read in the results field (nt: that is, the symbolic link that sushi requires is actually a directory).

The third line indicates that sushi once again asks wrl to look for the 'xcolors' file in the directory described in' fh 9 _ 74ther _ 4096.6878'. It is important to note that the meaning of the data displayed in each row depends on the

Type (nt: the meaning of args corresponding to different op is different). Its format follows NFS protocol and pursues conciseness.

If tcpdump's-v option (detailed print option) is set, additional information will be displayed. For example:

The code is as follows:

Sushi.1372a > wrl.nfs:

148 read fh 21 Magazine 11 bytes 12.195 8192 bytes @ 24576

Wrl.nfs > sushi.1372a:

Reply ok 1472 read REG 100664 ids 417/0 sz 29388

(the-v option usually also prints out the TTL, ID, length, and fragmentation fields of the IP header, but in this case, all of them are skipped (nt: deleted for brevity))

In the first line, sushi requests wrl to read 8192 bytes of data from file 21, Magazine 11, 12.195 (nt: format described above), starting at offset 24576 bytes.

The Wrl response was read successfully; since the second line is only the beginning of the echo request, it contains only 1472 bytes (the rest of the data will come in the following reply fragments, but these packets will no longer have NFS

Header, or even UDP header information is empty (nt: source and destination should have), which will cause these fragments to fail to meet the filtering criteria and therefore not be printed). The-v option not only displays file data information, but also displays

Additional display file attribute information: file type (file type,''REG'' for normal files), file mode (file access mode, represented by octal), uid and gid (nt: file owners and

Group owner), file size (file size).

If the-v flag is given repeatedly (nt: e. G.-vv), tcpdump will display more detailed information.

It must be noted that there is a lot of data in the NFS request packet, so if the snaplen (nt: grab length) of tcpdump is too short, it will not be able to display its details. Can be used

Add snaplen to'- s 192', which can be used to monitor the network load of NFS applications (nt: traffic).

NFS's response packet does not strictly follow the previous corresponding request packet (nt: RPC operation). Thus, tcpdump tracks a series of request packets that have recently been received, and then passes through its

The exchange sequence number (nt: transaction ID) matches the corresponding request packet. This may cause a problem if the response packet arrives too late and is beyond the scope of tcpdump's tracking of the corresponding request packet

The response package will not be parsed.
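As an added example (not part of the original article or of tcpdump itself), the following Python reproduces the matching rule just described in user space: requests are remembered in a bounded window keyed by (client, server, transaction id), replies are matched against it, and replies whose request has been evicted are reported rather than silently dropped. It also flags the '[|nfs]' marker that a too-small snaplen produces. The regular expressions assume tcpdump was run without -n (so the server side prints as ".nfs") and that each record is on one line; real output wraps the args onto a tab-indented continuation line, which the caller would join first. The sample lines are constructed from the ones quoted above.

```python
"""Correlate tcpdump NFS request/reply lines by transaction id."""
import re
from collections import OrderedDict

# "src.xid > dst.nfs: len op args"   (xid is printed in hexadecimal)
REQUEST_RE = re.compile(
    r'^(?P<src>\S+)\.(?P<xid>[0-9a-f]+) > (?P<dst>\S+)\.nfs: '
    r'(?P<len>\d+) (?P<op>\w+)(?P<args>.*)$')
# "src.nfs > dst.xid: reply stat len op results"
REPLY_RE = re.compile(
    r'^(?P<src>\S+)\.nfs > (?P<dst>\S+)\.(?P<xid>[0-9a-f]+): reply '
    r'(?P<stat>\w+) (?P<len>\d+) (?P<op>\w+)(?P<results>.*)$')

TRUNCATED = '[|nfs]'   # marker tcpdump prints when snaplen cut the record


def correlate_nfs(lines, window=8):
    """Return (matched, orphans, truncated).

    matched   : (client, op, stat, reply_len) for replies whose request
                is still remembered
    orphans   : reply lines whose request was never seen or was evicted
                (tcpdump cannot name the op for these)
    truncated : lines carrying the [|nfs] snaplen-truncation marker
    window    : number of outstanding requests to remember; tcpdump
                keeps a similarly bounded table
    """
    pending = OrderedDict()          # (client, server, xid) -> request
    matched, orphans, truncated = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if TRUNCATED in line:
            truncated.append(line)
        m = REQUEST_RE.match(line)
        if m:
            key = (m['src'], m['dst'], int(m['xid'], 16))
            pending[key] = {'op': m['op'], 'len': int(m['len'])}
            while len(pending) > window:     # forget the oldest request
                pending.popitem(last=False)
            continue
        m = REPLY_RE.match(line)
        if m:
            key = (m['dst'], m['src'], int(m['xid'], 16))
            req = pending.pop(key, None)
            if req is None:
                orphans.append(line)
            else:
                matched.append((m['dst'], req['op'], m['stat'], int(m['len'])))
    return matched, orphans, truncated


# Constructed sample modelled on the lines quoted above: the read reply
# is truncated, and the readlink reply arrives after two later requests.
SAMPLE = """
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150
wrl.nfs > sushi.1372a: reply ok 1472 read [|nfs]
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
"""


def demo(window=2):
    """Run the sample with a deliberately small window of two requests,
    so that the late readlink reply becomes an orphan."""
    return correlate_nfs(SAMPLE.splitlines(), window=window)


if __name__ == '__main__':
    matched, orphans, truncated = demo()
    for item in matched:
        print('matched  ', item)
    for line in orphans:
        print('orphan   ', line)
    for line in truncated:
        print('truncated', line)
```

With window=2 the readlink reply is reported as an orphan; rerunning demo(window=8) matches all three, which is exactly the difference between a reply that "closely follows" its request and one that does not.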

AFS request and response

AFS (the Andrew File System, originally commercialised by Transarc) requests and responses are printed as follows:

The code is as follows:

src.sport > dst.dport: rx packet-type

src.sport > dst.dport: rx packet-type service call call-name args

src.sport > dst.dport: rx packet-type service reply call-name args

elvis.7001 > pike.afsfs:

rx data fs call rename old fid 536876964/1/1 ".newsrc.new"

new fid 536876964/1/1 ".newsrc"

pike.afsfs > elvis.7001: rx data fs reply rename

In the first line, host elvis sends an RX packet to pike. It is an RX data packet to the fs (file server) service and is the start of an RPC call (remote procedure call). The call is a rename, with an old directory file id of 536876964/1/1 and an old file name of '.newsrc.new', and a new directory file id of 536876964/1/1 and a new file name of '.newsrc'.

The host pike responds with an RPC reply to the rename call; the call succeeded, because the reply is a data packet rather than an abort packet.

In general, all AFS RPCs are decoded at least as far as the RPC call name. Most AFS RPCs also have at least some of their arguments decoded, generally only the 'interesting' arguments, for some definition of interesting.

This format is intended to be self-describing, but it will probably not be very useful to people who are not familiar with the workings of AFS and RX.

If the -v (verbose) flag is given twice (-vv), acknowledgement packets and additional header information are printed, such as the RX call ID, call number, sequence number, serial number and the RX packet flags. The MTU (maximum transmission unit) negotiation information carried in RX acknowledgement packets is also printed.

If the -v flag is given three times (-vvv), the security index and service id of each packet are printed.

Error codes are printed for abort packets, with the exception of Ubik beacon packets (Ubik is the replicated database protocol used by AFS servers): in Ubik an abort packet does not signal an error but a 'yes' vote, so no error code is printed for it.

AFS requests are very large and many of their arguments will not be printed unless snaplen is increased. Try '-s 256' when watching AFS traffic.

AFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of recent requests and matches replies to them using the call number and service id. If a reply does not closely follow the corresponding request, it may not be parsable.

KIP AppleTalk protocol (DDP in UDP)

AppleTalk DDP packets (Datagram Delivery Protocol, the network layer of Apple's AppleTalk protocol suite) encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets, following the same rules as native DDP (i.e. the same information is printed).

The /etc/atalk.names file maps AppleTalk net and node numbers to names. Its format is:

The code is as follows:

number name

1.254 ether

16.1 icsd-net

1.254.110 ace

The first two lines give the names of AppleTalk networks; the third gives the name of a particular host. A host is distinguished from a net by the third octet of the number: a net number has two octets, a host number has three (so 1.254.110 is host 'ace' on network 'ether'). The number and name must be separated by whitespace (blanks or tabs). The file may also contain blank lines and comment lines (lines starting with '#').

AppleTalk addresses are printed in the form:

The code is as follows:

net.host.port

For example:

The code is as follows:

144.1.209.2 > icsd-net.112.220

office.2 > icsd-net.112.220

jssmag.149.235 > icsd-net.2

If /etc/atalk.names does not exist or contains no entry for a given AppleTalk host or net number, the address is printed numerically.

In the first line, NBP on net 144.1 node 209 is sending to whatever is listening on port 220 of node 112 on net icsd-net (NBP is the Name Binding Protocol; DDP addresses end in a socket number, printed here as a port, and NBP uses socket 2).

The second line is the same, except that the full name of the source node is known ('office').

The third line is a send from port 235 on node 149 of net jssmag to the NBP port (2) of all nodes on icsd-net. Note that the broadcast node address (255) is indicated by a net name with no host number; for this reason it is a good idea to keep node names and net names distinct in /etc/atalk.names, since otherwise a printed 'x.port' cannot be told apart as 'port on every node of net x' versus 'port on host x'.

Tcpdump interprets the contents of NBP (Name Binding Protocol) and ATP (AppleTalk Transaction Protocol) packets. For other protocols it just prints the protocol name (or the protocol number, if no name is registered for it) and the packet size.
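As an added example (not part of the original article or of tcpdump), the following Python parses an /etc/atalk.names table and renders net.node.port addresses the way the output above shows them: host name if the three-octet number is known, otherwise net name plus node, otherwise numeric, with a broadcast (node 255) to a named net printed as 'net.port'. The table is constructed: it extends the three lines quoted above with a host entry that reuses the net name 'ether', so that the ambiguity the text warns about can be shown and detected.

```python
"""Resolve AppleTalk net.node.port addresses against /etc/atalk.names."""

BROADCAST_NODE = 255

# Constructed table: the three entries from the text plus a deliberately
# conflicting host entry named 'ether'.
ATALK_NAMES = """
# number        name
1.254           ether
16.1            icsd-net
1.254.110       ace
16.1.7          ether
"""


def parse_atalk_names(text):
    """Return (nets, hosts): two-octet net numbers and three-octet host
    numbers mapped to their names.  Blank lines and '#' comments are
    skipped; a line whose number is not 2 or 3 octets is ignored.
    """
    nets, hosts = {}, {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        number, name = parts
        octets = number.split('.')
        if not all(o.isdigit() and int(o) <= 255 for o in octets):
            continue
        if len(octets) == 2:
            nets[number] = name
        elif len(octets) == 3:
            hosts[number] = name
    return nets, hosts


def format_address(net, node, port, nets, hosts):
    """Render net.node.port like tcpdump does.  'net' is the two-octet
    string (e.g. '16.1'); node and port are integers."""
    host_key = f'{net}.{node}'
    if host_key in hosts:
        return f'{hosts[host_key]}.{port}'
    if net in nets:
        if node == BROADCAST_NODE:          # broadcast: net name, no node
            return f'{nets[net]}.{port}'
        return f'{nets[net]}.{node}.{port}'
    return f'{net}.{node}.{port}'


def conflicting_names(nets, hosts):
    """Names used both for a net and for a host.  For such a name,
    'name.port' may mean 'port on every node of the net' or 'port on
    that host', which is the ambiguity the text warns about."""
    return sorted(set(nets.values()) & set(hosts.values()))


def demo():
    nets, hosts = parse_atalk_names(ATALK_NAMES)
    return {
        'numeric': format_address('144.1', 209, 2, nets, hosts),
        'net_only': format_address('16.1', 112, 220, nets, hosts),
        'host': format_address('1.254', 110, 2, nets, hosts),
        'broadcast': format_address('16.1', BROADCAST_NODE, 2, nets, hosts),
        'host_ether': format_address('16.1', 7, 2, nets, hosts),
        'bcast_ether': format_address('1.254', BROADCAST_NODE, 2, nets, hosts),
        'conflicts': conflicting_names(nets, hosts),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key:12} {value}')
```

The 'host_ether' and 'bcast_ether' entries come out identical ('ether.2'), which is precisely why conflicting_names() is worth running over a real atalk.names before trusting the symbolic output.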

NBP packets are printed in the following format:

The code is as follows:

icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"

jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250

techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

The first line is a name lookup request for LaserWriters (the name identifies a resource, here a printer type), sent by node 112 on net icsd-net and broadcast to the NBP port of all nodes on net jssmag. The NBP id of the lookup is 190.

The second line is a reply to this request (note the same id, 190) from node jssmag.209, port 2, to port 220 of icsd-net.112: it has a LaserWriter resource named "RM1140" registered on port 250.

The third line is another reply to the same request: host techpit has a LaserWriter named "techpit" registered on port 186.

ATP packets are printed in the following format:

The code is as follows:

jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001

helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000

jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001

helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000

helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000

jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001

jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

In the first line, node jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the '<0-7>'). The transaction id numbers one complete exchange; the sequence number numbers each packet within it. The hexadecimal number at the end of the line is the value of the 'userdata' field in the request (the packet's payload itself is not printed).

helios responds with 8 packets of 512 bytes each. The ':digit' following the transaction id is the packet's sequence number within the transaction, and the number in parentheses is the amount of data in the packet, excluding the ATP header. The '*' on packet 7 (line 8) indicates that the EOM (end of message) bit was set, i.e. the response to this transaction is complete.

In line 9, jssmag.209 requests that packets 3 and 5 be retransmitted. helios resends them, and after receiving them jssmag.209 releases the transaction (atp-rel).

In the last line, jssmag.209 initiates the next transaction. The '*' on the request indicates that the XO ('exactly once') bit was not set. With XO set, the responder must process the transaction exactly once even if the request is retransmitted, which requires it to keep state about transactions it has already completed.

IP packet fragmentation

(Fragmentation is the splitting of one IP datagram into several smaller IP packets.)

Fragmented IP datagrams are printed in one of two forms:

The code is as follows:

(frag id:size@offset+)

(frag id:size@offset)

The first form indicates that more fragments follow; the second indicates that this is the last fragment.

id is the fragment id (the IP identification field: every fragment of the same original datagram carries the same id, which is how the receiver knows which fragments belong together). size is the fragment size in bytes, excluding the IP header. offset is the offset, in bytes, of this fragment's data within the original datagram's payload (the original datagram is split as a whole, but offsets are counted from the start of its data, not its header).

Each fragment produces its own output line. The first fragment contains the higher-level protocol header (e.g. the TCP header), so tcpdump prints that protocol's information for the first fragment, followed by the fragment information; later fragments carry no higher-level header, so only the source, destination and fragment information are printed for them. Here is part of an ftp session from arizona.edu to lbl-rtsg.arpa over a CSNET connection:

The code is as follows:

arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)

arizona > rtsg: (frag 595a:204@328)

rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

There are a couple of things to note here.

First, the addresses in the second line do not include port numbers. This is because the TCP header is entirely in the first fragment, so when the later fragments are printed tcpdump simply does not know their port or sequence numbers.

Second, the TCP sequence information in the first line is printed as if there were 308 bytes of user data, when in fact there are 512 bytes (308 in the first fragment and 204 in the second; the first fragment's 328 bytes also include the 20-byte TCP header). If you are looking for holes in the sequence space or trying to match acks up with packets, this can fool you: the ack of 1536 in the third line acknowledges all 512 bytes (1024 + 512), not 308.

A packet with the IP 'don't fragment' flag set is marked with a trailing (DF).
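As an added example (not from the original article or from tcpdump), the following Python does the reassembly bookkeeping that a reader of these lines has to do by hand: it groups '(frag id:size@offset[+])' records by IP id and checks that the fragments tile the original datagram with no gap and no overlap. Overlapping fragments are worth flagging because hosts resolve overlaps differently, which is a classic way to slip a payload past an inspection device. The first fragment-size rule from the text (size includes the transport header) is applied with an assumed 20-byte TCP header to recover the 512 data bytes. The IP id is only unique per source/destination pair, so a real tool would key on (src, dst, id), which 'tcpdump -n' output makes easy; the two extra datagrams in the sample are constructed.

```python
"""Reassembly bookkeeping for tcpdump '(frag id:size@offset[+])' lines."""
import re

FRAG_RE = re.compile(
    r'\(frag (?P<id>[0-9a-f]+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)')
TCP_HEADER_LEN = 20   # assumption: no TCP options, as in the ftp sample


def track_fragments(lines):
    """Return {id: report}, where report has
    total      bytes seen (sum of fragment sizes, IP headers excluded)
    fragments  number of fragments seen
    gap        some byte range between fragments was never seen
    overlap    two fragments claimed the same byte range
    complete   the last fragment (no '+') was seen, with no gap or
               overlap, and coverage ends exactly where it says
    """
    groups = {}
    for line in lines:
        m = FRAG_RE.search(line)
        if not m:
            continue            # unfragmented line, nothing to track
        groups.setdefault(m['id'], []).append(
            (int(m['off']), int(m['size']), m['more'] == '+'))

    reports = {}
    for fid, frags in groups.items():
        frags.sort()                      # by offset
        expected_end = None               # offset + size of the last fragment
        covered_end, gap, overlap = 0, False, False
        for off, size, more in frags:
            if off < covered_end:
                overlap = True
            elif off > covered_end:
                gap = True
            covered_end = max(covered_end, off + size)
            if not more:
                expected_end = off + size
        reports[fid] = {
            'total': sum(size for _, size, _ in frags),
            'fragments': len(frags),
            'gap': gap,
            'overlap': overlap,
            'complete': (expected_end is not None and not gap
                         and not overlap and covered_end == expected_end),
        }
    return reports


def tcp_payload_bytes(report):
    """Data bytes of a reassembled TCP segment: the first fragment's
    size includes the transport header (328 = 20 + 308 in the sample)."""
    return report['total'] - TCP_HEADER_LEN


# Sample input: the ftp fragments quoted above, plus two constructed
# datagrams, one whose fragments overlap and one with a hole.
SAMPLE = """
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
10.0.0.9.4000 > 10.0.0.1.80: (frag 1234:200@0+)
10.0.0.9 > 10.0.0.1: (frag 1234:200@100)
10.0.0.9.4001 > 10.0.0.1.80: (frag 77:100@0+)
10.0.0.9 > 10.0.0.1: (frag 77:100@200)
"""


def demo():
    return track_fragments(SAMPLE.splitlines())


if __name__ == '__main__':
    for fid, report in demo().items():
        print(fid, report)
```

For the ftp datagram the report is complete with 532 bytes total, i.e. 512 bytes of TCP data once the header is subtracted, which is the figure the text says the 308 on the first line hides; the constructed ids 1234 and 77 come back flagged as overlap and gap respectively and are never reported complete.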

Timestamps

By default, every output line is preceded by a timestamp. The timestamp is the current clock time in the form hh:mm:ss.frac (hours:minutes:seconds, followed by the fractional part of the second, printed in microseconds) and is as accurate as the kernel's clock. It reflects the time at which the kernel first saw the packet. No attempt is made to account for the time between the interface taking the packet off the wire and the kernel servicing the 'new packet' interrupt.

Command format

Tcpdump is a command-line tool with the following syntax:

The code is as follows:

tcpdump [-AdDeflLnNOpqRStuUvxX] [-c count]

[-C file_size] [-F file]

[-i interface] [-m module] [-M secret]

[-r file] [-s snaplen] [-T type] [-w file]

[-W filecount]

[-E spi@ipaddr algo:secret,...]

[-y datalinktype] [-Z user]

[expression]

Introduction to the tcpdump options

-A Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages.

-c count Exit after receiving count packets.

-C file_size (used together with -w file) Before writing a raw packet to the save file, check whether the file is currently larger than file_size and, if so, close it and open a new one. Files after the first are named as specified with -w, followed by a number starting at 1 and counting upward. file_size is measured in millions of bytes (1,000,000 bytes, not 1,048,576).

-d Dump the compiled packet-matching code (the BPF filter program that tcpdump compiles from the filter expression) in a human-readable form to standard output and stop. This is the quickest way to confirm what a filter expression actually matches before relying on it.

-dd Dump the packet-matching code as a C program fragment.

-ddd Dump the packet-matching code as decimal numbers (preceded by a count).

-D Print the list of network interfaces on the system on which tcpdump can capture. For each interface a number and a name are printed, possibly followed by a text description. The name or the number can be supplied to -i to select the interface to capture on. This is useful on systems that have no command to list interfaces (e.g. Windows, or UNIX systems lacking ifconfig -a); the number is useful on Windows 2000 and later, where interface names are long, complex strings.

-D is not supported if tcpdump was built against an old version of libpcap that lacks the pcap_findalldevs() function.

-e Print the link-level header on each output line.

-E spi@ipaddr algo:secret,...

Use spi@ipaddr algo:secret to decrypt IPsec ESP packets (Encapsulating Security Payload, RFC 2406; IPsec is the suite of protocols for authenticating and encrypting IP packets) that are addressed to ipaddr and carry Security Parameter Index value spi. ESP encrypts either a whole IP packet (tunnel mode) or only the transport-layer payload (transport mode). The combination may be repeated, separated by commas or newlines.

Note that at present only secrets for IPv4 ESP packets can be set.

algo may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc or none; the default is des-cbc (DES is the Data Encryption Standard, a block cipher; CBC is cipher block chaining mode). Decryption is only available if tcpdump was compiled with cryptography enabled. secret is the ESP key as ASCII text; if it starts with 0x, it is read as a hexadecimal value.

This option assumes RFC 2406 ESP, not RFC 1827 ESP. It is intended for debugging only, and using it with a real key is discouraged: a key given on the command line is visible to other users of the system via ps(1) and similar means.

In addition to the syntax above, the form 'file name' may be used to have tcpdump read the spi/key list from a file. The file is opened only when the first ESP packet is received, so any special privileges tcpdump was started with should already have been dropped by then (see -Z); the file is therefore read with reduced privileges, which limits the damage if it has been tampered with.

-f Print 'foreign' IPv4 addresses (addresses not on the local network) numerically rather than symbolically. (This option works around a serious misbehaviour of Sun's NIS server, the Network Information Service that tcpdump may consult for name lookups: it usually hangs forever when asked to translate non-local Internet addresses.)

The test for 'foreign' is done using the IPv4 address and netmask of the capture interface. If they are not available, either because the interface has no address or netmask configured, or because the capture is being done on the Linux 'any' interface (which captures on more than one interface and has no address of its own), this option will not work correctly.

-F file

Use file as input for the filter expression. Any expression given on the command line is ignored.

-i interface

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest-numbered, configured-up interface (excluding loopback); ties are broken by taking the earliest match.

On Linux systems with 2.2 or later kernels, the interface 'any' can be used to capture packets from all interfaces (including packets that arrive on an interface but are not addressed to it). Note that captures on 'any' are not done in promiscuous mode, so traffic an interface would only see in promiscuous mode is not captured there.

If -D is supported, an interface number as printed by -D can be used as the interface argument.

-l Make standard output line-buffered (each line is flushed as soon as its newline is written). Useful if you want to see the data while capturing it, e.g. 'tcpdump -l | tee dat' or 'tcpdump -l > dat & tail -f dat'. (The former uses tee to send tcpdump's output both to the file dat and to standard output; the latter redirects it to dat and follows the file with tail -f.)

-L List the known data link types for the interface given with -i and exit.

-m module

Load SMI MIB module definitions from file module (SMI is the Structure of Management Information, MIB the Management Information Base; both are used when decoding SNMP, the Simple Network Management Protocol). This option may be given several times to load several MIB modules into tcpdump.

-M secret Use secret as the shared secret for validating the digests found in TCP segments carrying the TCP-MD5 option (RFC 2385), if present. It is a shared secret, not a public key.

-n Do not convert addresses (host addresses, port numbers, etc.) to names.

-N Do not print the domain name qualification of host names. For example, with this flag tcpdump prints 'nic' instead of 'nic.ddn.mil'.

-O Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p Do not put the interface into promiscuous mode. Note that the interface may be in promiscuous mode for some other reason, so -p cannot be used as an abbreviation for 'ether host {local-hw-addr} or ether broadcast' (the former matches frames addressed to the local Ethernet address, the latter frames addressed to the broadcast address).

-q Quick (quiet?) output. Print less protocol information, so output lines are shorter.

-R Assume ESP/AH packets follow the old specification (RFC 1825 through RFC 1829) rather than the current one (AH is the Authentication Header; AH and ESP are the two IPsec packet formats). If specified, tcpdump does not print the replay-prevention field. Since the ESP/AH specifications have no protocol version field, tcpdump cannot deduce the version from the packets themselves, which is why this option exists.

-r file

Read packets from file (which was created with -w). Standard input is used if file is '-'.

-S Print absolute rather than relative TCP sequence numbers. By default tcpdump prints sequence and acknowledgement numbers relative to the first ones it saw on each connection, so later segments show small offsets such as 1 and 2; with -S the raw values from the packets are printed, which is what you need when matching against a capture taken elsewhere.

-s snaplen

Capture snaplen bytes of data from each packet rather than the default of 68 (with NIT, the SunOS network interface tap, the minimum is actually 96). 68 bytes is adequate for IP, ICMP (Internet Control Message Protocol), TCP and UDP headers, but may truncate protocol information from name server and NFS packets (see above). Packets truncated because of a limited snapshot are marked in the output with '[|proto]', where proto is the name of the protocol level at which the truncation occurred. Note that taking larger snapshots increases the time needed to process each packet and effectively decreases the amount of packet buffering, which may cause packets to be lost; you should limit snaplen to the smallest value that captures the protocol information you are interested in. Setting snaplen to 0 means use the length required to capture whole packets. (Current tcpdump releases default to 262144 bytes, i.e. whole packets, so the 68-byte truncation described here only affects old versions or an explicit small -s.)

-T type

Forces tcpdump to interpret the received packets as the protocol specified by type. The currently known types are:

aodv (Ad-hoc On-demand Distance Vector protocol, an on-demand distance vector routing protocol used in Ad hoc (point-to-point) networks)

cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol)

rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol)

tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an application-layer protocol usable for audio and video conferencing over the Internet), and wb (distributed White Board, an application-layer protocol usable for web conferencing).

-t does not print a timestamp on each line of output

-tt prints an unformatted timestamp on each line (nt: this format is not readable at a glance; for example a timestamp is printed as 1261798315)

-ttt prints the delay (in milliseconds) between the current line and the previous line of output

-tttt prints the date in addition to the timestamp on each line

-u prints undecoded NFS handles (nt: a handle here is the NFS file handle, which refers to a directory or to a file inside it)

-U makes the output file written with -w 'packet-buffered': each packet is written to the file as soon as it is saved, rather than waiting for the output buffer to fill. (nt: this matters when you want the capture file to be readable while tcpdump is still running.)

The -U flag has no effect when tcpdump is built against an old version of libpcap (nt: the packet capture library tcpdump depends on) that lacks the pcap_dump_flush() function.

-v produces slightly more verbose output when analyzing and printing. For example, the time to live, identification, total length and options of an IP packet are printed. It also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv produces even more verbose output than -v. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv produces even more verbose output than -vv. For example, telnet SB ... SE options are printed in full; when -X is also given, telnet options are printed in hexadecimal as well (nt: SB and SE are the telnet suboption begin and suboption end markers).

-w file writes the raw packets to file instead of analyzing and printing them. They can later be read back, analyzed and printed with the -r option.

-W filecount

Used together with the -C option, this limits the number of files created to filecount; once that limit is reached, tcpdump overwrites the files from the first one on, so the files act as a rotating buffer of filecount files. This option also pads the file names with enough leading zeros for them to sort correctly.

-x when analyzing and printing, in addition to printing the headers of each packet, prints the data of each packet (minus its link-layer header) in hexadecimal. The smaller of the entire packet and snaplen bytes of data are printed. Note that if the higher-layer packet is shorter than snaplen and the link layer (for example Ethernet) pads the frame, the padding bytes are printed too.

-xx when analyzing and printing, in addition to printing the headers of each packet, prints the data of each packet, including its link-layer header, in hexadecimal.

-X when analyzing and printing, in addition to printing the headers of each packet, prints the data of each packet (minus its link-layer header) in hexadecimal and ASCII. This is very convenient for analyzing the packets of new protocols.

-XX when analyzing and printing, in addition to printing the headers of each packet, prints the data of each packet, including its link-layer header, in hexadecimal and ASCII. This is very convenient for analyzing the packets of new protocols.

-y datalinktype

Set the data link type used when capturing packets to datalinktype.

-Z user

Drop root privileges (if tcpdump is started as root, it has superuser privileges) and change the user ID to user and the group ID to the primary group of user (nt: tcpdump here refers to the running tcpdump process).

This behaviour can also be enabled by default at compile time. (nt: which user is used in that case is not stated here.)

Tcpdump conditional expression

This expression is used to determine which packets will be printed. If no conditional expression is given, all packets captured on the network will be printed, otherwise, only packets that satisfy the conditional expression will be printed. (nt: all packets, which can be understood as all packets captured by a specified interface).

An expression consists of one or more primitives (nt: the basic elements that make up an expression). A primitive usually consists of one or more qualifiers followed by an id given as a name or number (nt: that is, 'qualifiers id'). There are three different kinds of qualifiers: type, dir and proto.

The type qualifier says what kind of thing the id name or number refers to. Possible types are host, net, port and portrange (nt: host means id is a host, net means id is a network, port means id is a port, and portrange means id is a range of ports). For example, 'host foo', 'net 128.3', 'port 20', 'portrange 6000-6008' (nt: host foo, network 128.3, port 20 and the port range 6000-6008 respectively). If there is no type qualifier, host is assumed.

The dir qualifier specifies a transfer direction to and/or from id (nt: what id refers to depends on the type qualifier before it). Possible directions are src, dst, src or dst, and src and dst (nt: id is the source, the destination, the source or the destination, or both the source and the destination of the transfer). For example, 'src foo', 'dst net 128.3', 'src or dst port ftp-data' (nt: matching packets have source host foo, destination network 128.3, or source or destination port ftp-data respectively). If there is no dir qualifier, src or dst is assumed. For link layers such as SLIP (nt: Serial Line Internet Protocol), for the 'any' device under Linux, for the 'cooked' capture type, and for some other device types, the 'inbound' and 'outbound' qualifiers can be used to specify the desired direction.

The proto qualifier restricts the match to a particular protocol. Possible protocols are ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp. (nt: ether is Ethernet; fddi is the Fiber Distributed Data Interface; tr is Token Ring; wlan is 802.11 wireless LAN; ip and ip6 are the IPv4 and IPv6 network layer protocols of the usual TCP/IP stack; arp and rarp are the Address Resolution Protocol and the Reverse Address Resolution Protocol; decnet is the network protocol of Digital Equipment Corporation, originally used to interconnect PDP-11 machines; tcp and udp are the two transport layer protocols of the usual TCP/IP stack.)

For example, 'ether src foo', 'arp net 128.3', 'tcp port 21', 'udp portrange 7000-7009' mean 'packets from Ethernet address foo', 'arp packets to or from network 128.3', 'tcp packets to or from port 21' and 'udp packets with a port in the range 7000-7009' respectively.

If there is no proto qualifier, all protocols consistent with the type are assumed. For example, 'src foo' means '(ip or arp or rarp) src foo' (nt: ip/arp/rarp packets from host foo; the default type is host), 'net bar' means '(ip or arp or rarp) net bar' (nt: ip/arp/rarp packets to or from network bar), and 'port 53' means '(tcp or udp) port 53' (nt: tcp/udp packets sent or received on port 53). (nt: because tcpdump reads packets at the data link layer through the BSD packet filter or DLPI (Data Link Provider Interface), the captured packets can carry any of several upper-layer protocols, including arp, rarp, icmp (Internet Control Message Protocol), ip, ip6, tcp, udp and sctp (Stream Control Transmission Protocol).)

(nt: to summarize the 'qualifiers id' form: the type and the id give the basic filter condition, a restriction on the hosts, networks or ports involved in the packet; dir restricts the direction of transfer; proto restricts the protocol.)

'fddi' (nt: Fiber Distributed Data Interface) is actually an alias for 'ether': tcpdump treats both as meaning 'the data link level used on the specified network interface'. Like an Ethernet header, an FDDI header contains a source, a destination and a packet type, so those fields can be filtered just as for Ethernet packets. FDDI headers also contain other fields, but these cannot be named explicitly in a filter expression.

Similarly, 'tr' and 'wlan' are aliases for 'ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring and 802.11 wireless LAN headers. For 802.11 headers, the destination address is the DA field and the source address is the SA field; the BSSID, RA and TA fields (nt: their exact meaning is not explained here) are not tested (nt: they cannot be used in filter expressions).

In addition to the primitives described above, there are some special primitive forms that do not follow the pattern: gateway, broadcast, less, greater and arithmetic expressions (nt: each is a primitive in its own right). These are described below.

Primitives can be combined with the keywords and, or and not into more complex filter expressions. For example, 'host foo and not port ftp and not port ftp-data' (nt: the filter condition is that the packet involves host foo and its port is neither ftp (port 21) nor ftp-data (port 20); the common port numbers and their names are listed in /etc/services on Linux).

To save typing, identical qualifier lists can be omitted: 'tcp dst port ftp or ftp-data or domain' means the same as 'tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. (nt: the filter condition is that the packet is tcp and its destination port is ftp, ftp-data or domain (port 53).)

Primitives can be combined using parentheses and the operators below (because parentheses are special to the shell, they must be escaped when used in a shell script or on the command line, that is, '(' and ')' must be written as '\(' and '\)').

Valid operators are:

Negation ('!' or 'not')

Concatenation ('&&' or 'and')

Alternation ('||' or 'or')

Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that when expressing concatenation, the 'and' operator must be written explicitly rather than just placing the two primitives side by side (nt: the 'and' between them cannot be omitted).

If an identifier is given without a keyword, the most recently used keyword (the closest one to its left in the expression) is assumed. For example,

not host vs and ace

is short for

not host vs and host ace

and not for not (host vs or ace). (nt: the first two mean that the packet must not involve host vs but must involve host ace; the last one matches any packet that involves neither vs nor ace.)

The whole filter expression can be passed to tcpdump either as a single argument or as multiple arguments, whichever is more convenient. In general, if the expression contains shell metacharacters (nt: for example '*' or '.' as used in regular expressions, or '(' in the shell), it is safer to pass it as a single quoted argument, in which case the whole expression is enclosed in single quotes. When passed as multiple arguments, the arguments are concatenated with spaces and parsed as one string.
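The keyword-inheritance rule described above (a bare identifier reuses the qualifiers of the identifier before it, and an identifier with no qualifier at all is a host) is easy to get wrong when reading a long filter. The following Python model, added here as an example and not part of the article or of tcpdump itself, expands the shorthand into fully qualified primitives so the actual meaning of an expression can be checked before it is given to tcpdump. The qualifier and operator sets are those listed on this page; the function names are this example's own.

```python
"""Expand tcpdump's qualifier-inheritance shorthand into full primitives.

Added example (not from the page or from tcpdump itself). It models one
rule of the filter grammar: an identifier written without a keyword in
front of it reuses the most recently used qualifiers, so
'tcp dst port ftp or ftp-data' means 'tcp dst port ftp or tcp dst port ftp-data'.
Only the qualifiers, operators and parentheses named on the page are handled;
the 'src or dst' / 'src and dst' compound direction qualifiers are recognised.
"""

TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
DIR_QUALIFIERS = {"src", "dst"}
PROTO_QUALIFIERS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp",
                    "rarp", "decnet", "tcp", "udp"}
QUALIFIERS = TYPE_QUALIFIERS | DIR_QUALIFIERS | PROTO_QUALIFIERS
OPERATORS = {"and", "&&", "or", "||", "not", "!", "(", ")"}


def tokenize(expr):
    """Split an expression into words, detaching parentheses from neighbours."""
    return expr.replace("(", " ( ").replace(")", " ) ").split()


def expand(expr):
    """Return expr with every bare identifier given its inherited qualifiers."""
    tokens = tokenize(expr)
    out = []
    pending = []       # qualifiers seen since the last identifier
    last = ["host"]    # with no keyword at all, an identifier is a host
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        # 'src or dst' and 'src and dst' are single direction qualifiers,
        # so the or/and inside them must not be treated as an operator
        if (tok in DIR_QUALIFIERS and i + 2 < len(tokens)
                and tokens[i + 1] in ("or", "and")
                and tokens[i + 2] in DIR_QUALIFIERS):
            pending.extend(tokens[i:i + 3])
            i += 3
            continue
        if tok in QUALIFIERS:
            pending.append(tok)
        elif tok in OPERATORS:
            out.append(tok)
        else:
            # an identifier (name or number): it takes the qualifiers written
            # in front of it, or the last ones used if none were written
            if pending:
                last, pending = pending, []
            out.extend(last + [tok])
        i += 1
    return " ".join(out)


if __name__ == "__main__":
    for e in ("tcp dst port ftp or ftp-data or domain", "not host vs and ace"):
        print(f"{e!r} -> {expand(e)!r}")
```

Running the block prints the two examples from the text in their expanded form; note in particular that 'not host vs and ace' expands to 'not host vs and host ace', so the negation applies only to vs.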

Appendix: tcpdump expression elements (primitives)

(nt: in the following descriptions, 'true' means that a filter expression consisting solely of the primitive in question matches the packet, that is, the condition is satisfied.)

dst host host

True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.

src host host

True if the IPv4/v6 source field of the packet is host.

host may be either an address or a name.

host host

True if either the IPv4/v6 source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, rarp or ip6, as in:

ip host host

which is equivalent to:

ether proto \ip and host host (nt: this form is explained below; ip must be escaped with a backslash because ip is also a tcpdump keyword.)

If host is a name with multiple IP addresses, each address is checked for a match (nt: a packet destined for host may carry any of these addresses as its destination, and a packet received from host may carry any of them as its source).

ether dst ehost

True if the Ethernet destination address of the packet (nt: any packet tcpdump can capture, including IP and TCP packets) is ehost. ehost may be either a name from /etc/ethers or a numeric address (nt: the format of /etc/ethers is described by man ethers; it is the file consulted in this example).

ether src ehost

True if the Ethernet source address of the packet is ehost.

ether host ehost

True if either the Ethernet source or destination address of the packet is ehost.

gateway host

True if the packet used host as a gateway, that is, the Ethernet source or destination address of the packet was host, but host was neither the IP source nor the IP destination (nt: the 'gateway address' here is therefore an Ethernet address, not an IP address). host must be a name, not a number, and it must be found both by the machine's host-name-to-IP-address mapping (the /etc/hosts file, DNS or NIS) and by its host-name-to-Ethernet-address mapping (the /etc/ethers file. nt: /etc/ethers does not necessarily exist; its format is described by man ethers). In other words, host here means an ether host ehost match rather than a host host match, and ehost must be given as a name rather than a number.

This primitive currently does not work in IPv6-enabled configurations (nt: configuration here means the network configuration of the communicating hosts).

dst net net

True if the IPv4/v6 destination address of the packet has a network number of net.

net may be either a name from the networks database (/etc/networks) or a network number.

An IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0), a dotted triple (e.g. 192.168.1), a dotted pair (e.g. 172.16) or a single number (e.g. 10).

The corresponding netmasks are 255.255.255.255 for a dotted quad (which means a net match behaves like a host match: all four parts of the address are compared), 255.255.255.0 for a dotted triple, 255.255.0.0 for a dotted pair and 255.0.0.0 for a single number.

For IPv6, the network number must be fully specified (all 8 parts written out), and the netmask is ff:ff:ff:ff:ff:ff:ff:ff, so IPv6 'network' matches are really host matches (nt: all 8 parts of the address are compared); a real network match requires a netmask length, which can be given with the net net/len form below.

src net net

True if the IPv4/v6 source address of the packet has a network number of net.

net net

True if either the IPv4/v6 source or destination address of the packet has a network number of net.

net net mask netmask

True if the IPv4 address matches net with the specific netmask. May be qualified with src or dst to match the source or destination network address (nt: for example, src net net mask 255.255.255.0). Note that this syntax is not valid for IPv6 net.

net net/len

True if the IPv4/v6 address matches net with a netmask len bits wide. May be qualified with src or dst (nt: for example, src net net/24, which matches packets whose source address has the same first 24 bits as net).

dst port port

True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name (names are listed in /etc/services; see also man tcp and man udp). If a name is used, both the port number and the protocol are checked. If a number or an ambiguous name is used, only the port number is checked (for example, dst port 513 matches both tcp/login and udp/who traffic, and port domain matches both tcp/domain and udp/domain traffic) (nt: an ambiguous name is one listed in /etc/services for more than one protocol, as domain is for both tcp and udp).

src port port

True if the packet has a source port value of port.

port port

True if either the source or destination port of the packet is port.

dst portrange port1-port2

True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between port1 and port2 inclusive. port1 and port2 are interpreted in the same way as port (nt: see dst port port above).

src portrange port1-port2

True if the packet has a source port value between port1 and port2 inclusive.

portrange port1-port2

True if either the source or destination port of the packet is between port1 and port2 inclusive.

Any of the above port or port range expressions can be prepended with the keywords tcp or udp, as in:

tcp src port port

which matches only tcp packets whose source port is port.

less length

True if the packet has a length less than or equal to length. This is equivalent to 'len <= length'.

ip proto protocol

True if the packet is an IPv4 packet of protocol type protocol.

protocol can be a number or one of the names icmp6, igmp, igrp (nt: Interior Gateway Routing Protocol), pim (Protocol Independent Multicast, used by multicast routers), ah, esp (nt: Authentication Header and Encapsulating Security Payload, both part of the mechanism for securing IP packets), vrrp (Virtual Router Redundancy Protocol), udp or tcp. Because tcp, udp and icmp are also tcpdump keywords, these names must be escaped with a backslash (in the C-shell the backslash itself must be written as \\). Note that this primitive does not chase the protocol header chain (nt: it only tests the protocol field of the IP header itself, unlike ip protochain below; for example, tcpdump -i eth0 'ip proto \tcp and host 192.168.3.144' matches packets sent or received by host 192.168.3.144 whose IP header carries the tcp protocol number).

ip6 proto protocol

True if the packet is an IPv6 packet of protocol type protocol.

Note that this primitive does not chase the protocol header chain.

ip6 protochain protocol

True if the packet is an IPv6 packet and contains a protocol header of type protocol in its protocol header chain. For example,

ip6 protochain 6

matches any IPv6 packet with a TCP protocol header in its protocol header chain. The packet may contain, for example, an authentication header, a routing header or a hop-by-hop option header between the IPv6 header and the TCP header.

The BPF (Berkeley Packet Filter, the data link layer packet filtering mechanism) code generated by this primitive is complex,

and cannot be optimized by the BPF optimizer code, so matching with this primitive can be somewhat slow.

ip protochain protocol

Equivalent to ip6 protochain protocol, but for IPv4.

ether broadcast

True if the packet is an Ethernet broadcast packet. The ether keyword is optional.

ip broadcast

True if the packet is an IPv4 broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the subnet mask of the interface on which the capture is being done.

If the subnet mask of the interface on which the capture is being done is not available, either because the interface has no netmask or no network address configured, or because the capture is being done on the Linux 'any' interface (which can capture on more than one interface (nt: in effect all interfaces available on the system)), this check cannot be performed correctly.

ether multicast

True if the packet is an Ethernet multicast packet (nt: a multicast is sent to a group of destination addresses at once, as opposed to a broadcast, which goes to every address on the network). The ether keyword is optional. This is shorthand for 'ether[0] & 1 != 0' (nt: the lowest bit of the first byte of the Ethernet destination address is 1, which marks a multicast frame).

ip multicast

True if the packet is an IPv4 multicast packet.

ip6 multicast

True if the packet is an IPv6 multicast packet.
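The four broadcast/multicast primitives above reduce to a few byte-level tests, which the following Python code carries out on constructed Ethernet frames and addresses. This is an added example, not code from the article or from tcpdump/libpcap; the function names and the sample destination addresses are this example's own. It also shows why 'ip broadcast' needs the capture interface's netmask: the test is on the host part of the destination address, so it cannot be evaluated when the mask is unknown, as on the 'any' interface.

```python
"""Model the 'ether broadcast', 'ether multicast', 'ip broadcast' and
'ip multicast' primitives on constructed frames.

Added example (not from the page or from tcpdump/libpcap). The Ethernet
checks look only at the destination MAC in the first six bytes of a frame;
the 'ip broadcast' check needs the capture interface's netmask, which is
why it cannot work on the Linux 'any' interface.
"""
import ipaddress

BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def ether_broadcast(frame):
    """'ether broadcast': destination MAC is ff:ff:ff:ff:ff:ff."""
    return frame[:6] == BROADCAST_MAC


def ether_multicast(frame):
    """'ether multicast', i.e. 'ether[0] & 1 != 0': the group bit of the
    first destination byte is set. A broadcast frame satisfies this too."""
    return frame[0] & 1 != 0


def ip_multicast(dst_ip):
    """'ip multicast': IPv4 destination in 224.0.0.0/4."""
    return ipaddress.IPv4Address(dst_ip).is_multicast


def ip_broadcast(dst_ip, ifc_mask):
    """'ip broadcast': the host part of the destination (the bits outside the
    capture interface's netmask) is all zeros or all ones.

    ifc_mask is None when the mask is unknown (e.g. the 'any' interface);
    tcpdump then refuses the primitive, modelled here as an error.
    """
    if ifc_mask is None:
        raise ValueError("netmask of the capture interface is unknown")
    mask = int(ipaddress.IPv4Address(ifc_mask))
    hostmask = ~mask & 0xFFFFFFFF
    host_bits = int(ipaddress.IPv4Address(dst_ip)) & hostmask
    return host_bits == 0 or host_bits == hostmask


def make_frame(dst_mac_hex):
    """Constructed sample frame: the destination MAC followed by a dummy source
    MAC and a zero-filled body, enough for the destination checks above."""
    return bytes.fromhex(dst_mac_hex) + bytes.fromhex("001122334455") + b"\x00" * 48


# Constructed sample destinations: broadcast, an IPv4 multicast group mapping, unicast
BROADCAST_FRAME = make_frame("ffffffffffff")
MULTICAST_FRAME = make_frame("01005e0000fb")
UNICAST_FRAME = make_frame("3c2af4112233")

if __name__ == "__main__":
    for name, frame in (("broadcast", BROADCAST_FRAME), ("multicast", MULTICAST_FRAME),
                        ("unicast", UNICAST_FRAME)):
        print(name, "ether broadcast:", ether_broadcast(frame),
              "ether multicast:", ether_multicast(frame))
    print("192.168.1.255 on a /24:", ip_broadcast("192.168.1.255", "255.255.255.0"))
```

One consequence worth knowing when writing filters: because the multicast test is a single bit, 'ether multicast' also matches every broadcast frame, so 'ether multicast and not ether broadcast' is needed to see multicast traffic alone.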

ether proto protocol

True if the packet is of Ethernet type protocol.

protocol can be a number or one of the following names: ip, ip6, arp, rarp, atalk (the AppleTalk network protocol), aarp (nt: the AppleTalk Address Resolution Protocol), decnet (nt: the network protocol stack of DEC), sca (nt: unknown, to be added), lat (Local Area Transport, an Ethernet host interconnection protocol developed by DEC), mopdl, moprc, iso (nt: unknown, to be added), stp (Spanning Tree Protocol, which prevents link loops in a bridged network), ipx (nt: Internetwork Packet Exchange, the network layer protocol of Novell networks) or netbeui (nt: NetBIOS Extended User Interface, an extension of the network basic input/output system interface).

Note that these identifiers are also keywords and must therefore be escaped with a backslash.

(nt: SNAP, SubNetwork Access Protocol)

In the case of FDDI (its primitive form is 'fddi protocol arp'), Token Ring ('tr protocol arp') and IEEE 802.11 wireless LANs ('wlan protocol arp'), the protocol identifier for most of these protocols comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI, Token Ring or 802.11 header.

When filtering for most protocol identifiers on these networks, tcpdump only checks the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000 (nt: 0x000000 identifies encapsulated Ethernet), and it does not check whether the packet actually is in SNAP format with an OUI of 0x000000. The exceptions are:

iso: tcpdump checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header. (nt: the iso protocol itself is not explained here.)

stp and netbeui: tcpdump checks the DSAP (Destination Service Access Point) of the LLC header.

atalk: tcpdump checks for a SNAP-format packet with an OUI of 0x080007 and checks the AppleTalk etype. (nt: the AppleTalk etype is the protocol ID field of that SNAP structure.)

In the case of Ethernet, for the ether proto protocol primitive, tcpdump checks the Ethernet type field for most of these protocols. The exceptions are:

iso, stp and netbeui: tcpdump checks for an 802.3 frame and then checks the LLC header as it does for FDDI, Token Ring and 802.11 networks. (nt: 802.3 is IEEE 802.3, the collection of IEEE standards that defines the physical layer and the media access control sublayer of the data link layer for wired Ethernet. stp was described above.)

atalk: tcpdump checks both for the AppleTalk etype in an Ethernet frame and for a SNAP-format packet in the LLC header, as it does for FDDI, Token Ring and 802.11 networks.

aarp: tcpdump checks for the AppleTalk ARP etype either in an Ethernet frame or in an 802.2 SNAP frame with an OUI of 0x000000. (nt: 802.2 is IEEE 802.2, which defines the Logical Link Control (LLC) layer, the upper part of the data link layer in the OSI network model. The LLC layer offers a uniform interface to users of the data link layer, usually the network layer. Below it is the Media Access Control (MAC) layer, the lower part of the data link layer, whose implementation differs by physical medium: Ethernet, Token Ring, FDDI (nt: in practice an optical fiber network), 802.11 wireless LAN and so on.)

ipx: tcpdump checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX, and the IPX etype in a SNAP frame (nt: a SNAP frame is a frame whose LLC header carries the SNAP format structure).

decnet src host

True if the DECNET source address of the packet is host.

(nt: decnet was developed by Digital Equipment Corporation, originally as a network protocol for interconnecting PDP-11 machines)

decnet dst host

True if the DECNET destination address of the packet is host.

(nt: decnet has been explained above)

decnet host host

True if either the DECNET source or destination address of the packet is host.

(nt: decnet has been explained above)

Ifname interface

If the packet has been marked as received from the specified network interface, the corresponding conditional expression is true.

(this option applies only to packages marked by pf programs in OpenBSD (nt: pf, packet filter, which can be understood as firewall programs in OpenBSD))

On interface

It has the same meaning as ifname interface.

Rnr num

If the packet has been marked to match the rule of PF, the corresponding conditional expression is true.

(this option applies only to packages marked by pf programs in OpenBSD (nt: pf, packet filter, which can be understood as firewall programs in OpenBSD))

Rulenum num

It has the same meaning as rulenum num.

Reason code

If the packet has been marked as containing the matching result code of PF, the corresponding conditional expression is true. Valid result codes are: match, bad-offset

Fragment, short, normalize, and memory.

(this option applies only to packages marked by pf programs in OpenBSD (nt: pf, packet filter, which can be understood as firewall programs in OpenBSD))

Rset name

If the packet has been marked to match the specified rule set, the corresponding conditional expression is true.

(this option applies only to packages marked by pf programs in OpenBSD (nt: pf, packet filter, which can be understood as firewall programs in OpenBSD))

Ruleset name

It has the same meaning as rset name.

srnr num

If the packet has been logged as matching the specified rule number num within a PF rule set (nt: that is, a specific sub-rule of the rule set), the corresponding conditional expression is true.

(this option applies only to packets logged by pf in OpenBSD (nt: pf, packet filter, which can be understood as the firewall program in OpenBSD))

subrulenum num

It has the same meaning as srnr num.

action act

If PF performed the action act when the packet was logged, the corresponding conditional expression is true. Valid actions are: pass and block.

(this option applies only to packets logged by pf in OpenBSD (nt: pf, packet filter, which can be understood as the firewall program in OpenBSD))

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

Each is an abbreviation for:

ether proto p

where p is one of the above protocols.

lat, moprc, mopdl

Each is an abbreviation for:

ether proto p

where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.

vlan [vlan_id]

If the packet is an IEEE 802.1Q VLAN packet, the corresponding conditional expression is true.

(nt: IEEE 802.1Q VLAN, the IEEE 802.1Q virtual LAN protocol, used to interconnect different networks.)

If [vlan_id] is specified, the conditional expression is true only if the packet carries the specified VLAN id (vlan_id).

Note that for VLAN packets, the first vlan keyword encountered in the expression changes the start position in the packet data (that is, the decoding offset) at which the remaining keywords of the expression are evaluated. The vlan [vlan_id] expression can be used more than once when filtering packets in a VLAN network architecture; each occurrence of the keyword vlan increases the filter offset by 4 bytes (nt: filter offset, which can be understood as the decoding offset above).

For example:

vlan 100 && vlan 200

matches packets in VLAN 200 that are encapsulated inside VLAN 100.

Another example:

vlan && vlan 300 && ip

matches IPv4 packets encapsulated in VLAN 300, where VLAN 300 is itself encapsulated inside an outer VLAN.

mpls [label_num]

If the packet is an MPLS packet, the corresponding conditional expression is true.

(nt: MPLS, Multi-Protocol Label Switching, a technology that uses labels to direct the forwarding of data across open communication networks.)

If [label_num] is specified, the conditional expression is true only if the packet carries the specified label (label_num).

Note that for IP packets carrying MPLS information (that is, MPLS packets), the first mpls keyword encountered in the expression changes the start position in the packet data (that is, the decoding offset) at which the remaining keywords of the expression are evaluated. The mpls [label_num] expression can be used more than once when filtering packets in an MPLS network architecture; each occurrence of the keyword mpls increases the filter offset by 4 bytes (nt: filter offset, which can be understood as the decoding offset above).

For example:

mpls 100000 && mpls 1024

matches packets with an outer label of 100000 and an inner label of 1024.

Another example:

mpls && mpls 1024 && host 192.9.200.1

matches packets to or from 192.9.200.1 with an inner label of 1024 and any outer label.
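The "decoding offset" behaviour described for the vlan and mpls keywords above is easiest to see by walking a frame by hand. The following toy evaluator is an added example (not code from tcpdump or libpcap) that mimics the offset rules for vlan [id], mpls [label] and ip; the frames it tests against are constructed inline, and the MAC address and payload bytes are placeholders.

```python
import struct

ETH_P_8021Q, ETH_P_MPLS, ETH_P_IP = 0x8100, 0x8847, 0x0800
MAC = b"\x02" * 6  # constructed placeholder source/destination address

def frame(vlans=(), mpls_labels=(), ethertype=ETH_P_IP, payload=b"\x45" + b"\x00" * 19):
    """Build a constructed Ethernet frame: optional 802.1Q tags, then either a plain
    ethertype or an MPLS label stack (bottom-of-stack bit set on the last label)."""
    hdr = MAC + MAC
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI = 0
    if mpls_labels:
        hdr += struct.pack("!H", ETH_P_MPLS)
        for i, label in enumerate(mpls_labels):
            bos = 1 if i == len(mpls_labels) - 1 else 0
            hdr += struct.pack("!I", (label << 12) | (bos << 8) | 64)  # TC=0, TTL=64
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

def matches(frame_bytes, expr):
    """Evaluate an expression such as 'vlan 100 && vlan 200 && ip' against a frame.
    Supported keywords: vlan [id], mpls [label], ip.  Returns True or False."""
    off = 12         # decoding offset: starts at the Ethernet type field
    in_mpls = False  # inside a label stack there is no ethertype left to test
    for term in [t.strip().split() for t in expr.split("&&")]:
        kw, arg = term[0], (int(term[1]) if len(term) > 1 else None)
        if kw == "vlan":
            etype, tci = struct.unpack_from("!HH", frame_bytes, off)
            if etype != ETH_P_8021Q or (arg is not None and tci & 0x0FFF != arg):
                return False
            off += 4  # every vlan keyword moves the offset past one 4-byte tag
        elif kw == "mpls":
            if not in_mpls:
                if struct.unpack_from("!H", frame_bytes, off)[0] != ETH_P_MPLS:
                    return False
                off, in_mpls = off + 2, True
            elif (struct.unpack_from("!I", frame_bytes, off - 4)[0] >> 8) & 1:
                return False  # previous label was bottom of stack: no inner label
            if arg is not None and struct.unpack_from("!I", frame_bytes, off)[0] >> 12 != arg:
                return False
            off += 4  # every mpls keyword moves the offset past one label entry
        elif kw == "ip":
            if in_mpls:  # after a label stack only the IP version nibble can be tested
                ok = frame_bytes[off] >> 4 == 4
            else:
                ok = struct.unpack_from("!H", frame_bytes, off)[0] == ETH_P_IP
            if not ok:
                return False
        else:
            raise ValueError(f"unsupported keyword: {kw}")
    return True
```

Running the page's examples through it shows why "vlan 100 && vlan 200" does not match a single-tagged VLAN 100 frame: after the first tag the offset already points at the IP ethertype, so the second vlan test fails.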

pppoed

If the packet is a PPP-over-Ethernet Discovery packet (nt: Discovery packet, Ethernet type 0x8863), the corresponding conditional expression is true.

(nt: PPP-over-Ethernet, the point-to-point protocol carried over Ethernet, establishes a point-to-point connection in two phases: the Discovery phase (address discovery) and the PPPoE session establishment phase. The discovery packet is the packet sent in the first phase. The Ethernet type is a field in an Ethernet frame that indicates the protocol carried in the frame's data field.)

pppoes

If the packet is a PPP-over-Ethernet Session packet (nt: Ethernet type 0x8864; PPP-over-Ethernet is explained above, search for the keyword 'PPP-over-Ethernet' to find its description), the corresponding conditional expression is true.

Note that for PPP-over-Ethernet session packets, the first pppoes keyword encountered in the expression changes the start position in the packet data (that is, the decoding offset) at which the remaining keywords of the expression are evaluated.

For example:

pppoes && ip

matches IPv4 packets encapsulated in PPPoE session packets.

tcp, udp, icmp

Each is an abbreviation for:

ip proto p or ip6 proto p

where p is one of the above protocols (meaning: if the packet is an IPv4 or IPv6 packet and its protocol type is tcp, udp, or icmp, the conditional expression is true).

iso proto protocol

If the packet's protocol type is the protocol protocol in the ISO-OSI protocol stack, the corresponding conditional expression is true. (nt: [preliminary understanding] each layer of the ISO-OSI network model uses specific protocols that differ from those of the corresponding TCP/IP layer; the specific protocols of each ISO-OSI layer need to be added.)

protocol can be a number or one of the following names:

clnp, esis, or isis.

(nt: clnp, Connectionless Network Protocol, the network layer protocol of the OSI network model. esis and isis are unknown and need to be added.)

clnp, esis, isis

Each is an abbreviation for the expression:

iso proto p

where p is one of the above protocols.

l1, l2, iih, lsp, snp, csnp, psnp

Each is an abbreviation for an IS-IS PDU type.

(nt: IS-IS PDU, Intermediate System to Intermediate System Protocol Data Unit. An OSI (Open Systems Interconnection) network is composed of end systems and intermediate systems: an intermediate system is a router, while an end system is user equipment. The local groups formed by routers are called Areas, and multiple Areas form a Domain. IS-IS provides intra-domain and intra-area routing. l1, l2, iih, lsp, snp, csnp and psnp denote PDU types; their specific meanings need to be added.)

vpi n

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and its virtual path identifier is n, the corresponding conditional expression is true.

(nt: ATM, Asynchronous Transfer Mode; in fact it can be understood as a series of ITU-T (International Telecommunication Union Telecommunication Standardization Sector) protocols that play a role comparable to the IP layer in TCP/IP; the specific protocol layers need to be added.)

vci n

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and its virtual channel identifier is n, the corresponding conditional expression is true.

(nt: ATM, described above)

lane

If the packet is an ATM LANE packet, the corresponding conditional expression is true. Note that if it is a LANE emulated Ethernet packet or a LANE LE Control packet, the first lane keyword in the expression changes how the subsequent conditions in the expression are tested. If the lane keyword is not specified, the conditions are tested as if the packet were an ATM packet carrying LLC (Logical Link Control) encapsulation.

llc

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it carries LLC encapsulation, the corresponding conditional expression is true.

oamf4s

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is a Segment OAM F4 flow cell (VPI=0 and VCI=3), the corresponding conditional expression is true.

(nt: OAM, Operation, Administration and Maintenance, which can be understood as the class of ATM cells generated for managing an ATM network. In an ATM network the transmission unit is the cell, and the data to be transmitted is ultimately divided into cells of fixed length (53 bytes). Initial understanding: a physical line is multiplexed into virtual paths, and a virtual path is multiplexed into virtual channels; the two communicating parties are addressed by virtual path identifier (VPI) / virtual channel identifier (VCI). OAM F4 flow cells are divided into a segment class and an end-to-end class, but the difference between them is unknown and needs to be added.)

oamf4e

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is an end-to-end OAM F4 flow cell (VPI=0 and VCI=4), the corresponding conditional expression is true.

(nt: OAM and end-to-end OAM F4 are described above; search for 'oamf4s' to locate them.)

oamf4

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is a segment or end-to-end OAM F4 flow cell (VPI=0 and VCI=3 or VCI=4), the corresponding conditional expression is true.

(nt: OAM and end-to-end OAM F4 are described above; search for 'oamf4s' to locate them.)

oam

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is a segment or end-to-end OAM F4 flow cell (VPI=0 and VCI=3 or VCI=4), the corresponding conditional expression is true.

(nt: this option duplicates oamf4; this needs to be confirmed.)

metac

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is on a meta signaling circuit (nt: VPI=0 and VCI=1; the specific meaning of 'meta signaling circuit' is unknown and needs to be added), the corresponding conditional expression is true.

bcc

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is on a broadcast signaling circuit (nt: VPI=0 and VCI=2; the specific meaning of 'broadcast signaling circuit' is unknown and needs to be added), the corresponding conditional expression is true.

sc

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is on a signaling circuit (nt: VPI=0 and VCI=5; the specific meaning of 'signaling circuit' is unknown and needs to be added), the corresponding conditional expression is true.

ilmic

If the packet is an ATM packet (for SunATM devices on the Solaris operating system) and it is on an ILMI circuit (nt: VPI=0 and VCI=16; ILMI, Interim Local Management Interface, which can be understood as an SNMP-based (Simple Network Management Protocol) network management interface), the corresponding conditional expression is true.

connectmsg

If the packet is an ATM packet (for SunATM devices on the Solaris operating system), it is on a signaling circuit, and it is one of the following Q.2931 messages: Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done, the corresponding conditional expression is true.

(nt: Q.2931 is an ITU (International Telecommunication Union) signaling protocol. It specifies the procedures for establishing, maintaining and clearing network connections at the user-network interface of the broadband integrated services digital network.)

metaconnect

If the packet is an ATM packet (for SunATM devices on the Solaris operating system), it is on a meta signaling circuit, and it is one of the following Q.2931 messages: Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done, the corresponding conditional expression is true.

expr relop expr

If the operands (expr) on both sides of relop satisfy the relation specified by relop, the corresponding conditional expression is true.

relop can be one of the following relational operators: >
