Home  >  Article  >  Operation and Maintenance  >  What is the use of the linux packet capture command tcpdump?

What is the use of the linux packet capture command tcpdump?

青灯夜游
青灯夜游Original
2020-11-03 11:14:379375browse

The Linux packet capture command tcpdump is used to dump network transmission data. It can completely intercept the "header" of the data packets transmitted in the network and provide analysis; it supports network layer, protocol, host, network or port. Filter and provide logical statements such as and, or, not to help you remove useless information.

What is the use of the linux packet capture command tcpdump?

Related recommendations: "Linux Video Tutorial"

Introduction

Linux tcpdump command is used to dump network transmission data.

Execute the tcpdump command to list the headers of packets passing through the specified network interface. In the Linux operating system, you must be a system administrator.

To define tcpdump in simple words, it is: dump the traffic on a network, a packet analysis tool that intercepts data packets on the network according to the user's definition. tcpdump can completely intercept the "headers" of data packets transmitted on the network and provide analysis. It supports filtering for network layer, protocol, host, network or port, and provides logical statements such as and, or, not to help you remove useless information.

Practical command examples

Start by default

tcpdump

Normal situation Next, starting tcpdump directly will monitor all data packets flowing on the first network interface.

Monitor the data packets of the specified network interface

tcpdump -i eth1

If you do not specify a network card, by default tcpdump will only monitor the first network interface, usually eth0, none of the examples below specify a network interface.

Monitor the packets of the specified host

Print all packets entering or leaving sundown.

tcpdump host sundown

can also be specified ip, for example, intercept all data packets received and sent by all 210.27.48.1

tcpdump host 210.27.48.1

Print the data packets communicated between helios and hot or ace

tcpdump host helios and \( hot or ace \)

Interception of communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3

tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)

Print ace with any other host IP packets communicated between each other, but not including those with helios.

tcpdump ip host ace and not helios

If you want to get the host210.27.48.1In addition to the host210.27.48.2#ip packets communicated by all hosts other than ##, use the command:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2
Intercept all data sent by host

hostname

tcpdump -i eth0 src host hostname
Monitor all sent Data packets to host

hostname

tcpdump -i eth0 dst host hostname

Monitor the data packets of the specified host and port

If you want to get the host

210.27.48.1telnet packets received or sent, use the following command

tcpdump tcp port 23 and host 210.27.48.1
to monitor the

udp 123 port of this machine 123 Service port for ntp

tcpdump udp port 123

Monitor the packets of the specified network

Print local host and Berkeley All communication packets between hosts on the network (nt: ucb-ether, here can be understood as the network address of the 'Berkeley network'. The original meaning of this expression can be expressed as: Print the network address of ucb-ether All packets)

tcpdump net ucb-ether
Print all ftp packets passing through the gateway snup (note that the expression is enclosed in single quotes, which prevents the shell from incorrectly parsing the parentheses)

tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all IP packets whose source address or destination address is the local host

(If the local network is connected to another network through a gateway, the other network cannot be counted as the local network. (nt: This sentence has a tortuous translation , need to be supplemented).localnet should be replaced with the name of the local network when actually used)

tcpdump ip and not net localnet

Monitor the data packets of the specified protocol

Print The start and end data packets in the TCP session, and the source or destination of the data packet is not a host on the local network. (nt: localnet, it must be replaced with the name of the local network when actually used))

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
Print all source or destination ports that are 80, the network layer protocol is IPv4, and contain data, instead of SYN, FIN and ACK-only packets that do not contain data. (The ipv6 version of the expression can be used as an exercise)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
(nt: can be understood as, ip[2:2] represents the length of the entire ip data packet, (ip[0]&0xf)<<2) represents the length of the ip data packet header (ip[0] &0xf represents the IHL field in the package, and the unit of this field is 32bit, which needs to be converted

成字节数需要乘以4, 即左移2. (tcp[12]&0xf0)>>4 表示tcp头的长度, 此域的单位也是32bit, 换算成比特数为 ((tcp[12]&0xf0) >> 4) << 2, 
即 ((tcp[12]&0xf0)>>2). ((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0 表示: 整个ip数据包的长度减去ip头的长度,再减去
tcp头的长度不为0, 这就意味着, ip数据包中确实是有数据.对于ipv6版本只需考虑ipv6头中的'Payload Length' 与 'tcp头的长度'的差值, 并且其中表达方式'ip[]'需换成'ip6[]'.)

打印长度超过576字节, 并且网关地址是snup的IP数据包

tcpdump 'gateway snup and ip[2:2] > 576'

打印所有IP层广播或多播的数据包, 但不是物理以太网层的广播或多播数据报

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

打印除'echo request'或者'echo reply'类型以外的ICMP数据包( 比如,需要打印所有非ping 程序产生的数据包时可用到此表达式 .
(nt: 'echo reuqest' 与 'echo reply' 这两种类型的ICMP数据包通常由ping程序产生))

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump 与wireshark

Wireshark(以前是ethereal)是Windows下非常简单易用的抓包工具。但在Linux下很难找到一个好用的图形化抓包工具。
还好有Tcpdump。我们可以用Tcpdump + Wireshark 的完美组合实现:在 Linux 里抓包,然后在Windows 里分析包。

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

(1)tcp: ip icmp arp rarp 和 tcp、udp、icmp这些选项等都要放到第一个参数的位置,用来过滤数据报的类型
(2)-i eth1 : 只抓经过接口eth1的包
(3)-t : 不显示时间戳
(4)-s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包
(5)-c 100 : 只抓取100个数据包
(6)dst port ! 22 : 不抓取目标端口是22的数据包
(7)src net 192.168.1.0/24 : 数据包的源网络地址为192.168.1.0/24
(8)-w ./target.cap : 保存成cap文件,方便用ethereal(即wireshark)分析

使用tcpdump抓取HTTP包

tcpdump  -XvvennSs 0 -i eth0 tcp[20:2]=0x4745 or tcp[20:2]=0x4854

0x4745 为"GET"前两个字母"GE",0x4854 为"HTTP"前两个字母"HT"。

tcpdump 对截获的数据并没有进行彻底解码,数据包内的大部分内容是使用十六进制的形式直接打印输出的。显然这不利于分析网络故障,通常的解决办法是先使用带-w参数的tcpdump 截获数据并保存到文件中,然后再使用其他程序(如Wireshark)进行解码分析。当然也应该定义过滤规则,以避免捕获的数据包填满整个硬盘。

输出信息含义

首先我们注意一下,基本上tcpdump总的的输出格式为:系统时间 来源主机.端口 > 目标主机.端口 数据包参数

tcpdump 的输出格式与协议有关.以下简要描述了大部分常用的格式及相关例子.

链路层头

对于FDDI网络, '-e' 使tcpdump打印出指定数据包的'frame control' 域, 源和目的地址, 以及包的长度.(frame control域
控制对包中其他域的解析). 一般的包(比如那些IP datagrams)都是带有'async'(异步标志)的数据包,并且有取值0到7的优先级;
比如 'async4'就代表此包为异步数据包,并且优先级别为4. 通常认为,这些包们会内含一个 LLC包(逻辑链路控制包); 这时,如果此包
不是一个ISO datagram或所谓的SNAP包,其LLC头部将会被打印(nt:应该是指此包内含的 LLC包的包头).

对于Token Ring网络(令牌环网络), '-e' 使tcpdump打印出指定数据包的'frame control'和'access control'域, 以及源和目的地址,
外加包的长度. 与FDDI网络类似, 此数据包通常内含LLC数据包. 不管 是否有'-e'选项.对于此网络上的'source-routed'类型数据包(nt:
意译为:源地址被追踪的数据包,具体含义未知,需补充), 其包的源路由信息总会被打印.

对于802.11网络(WLAN,即wireless local area network), '-e' 使tcpdump打印出指定数据包的'frame control域,
包头中包含的所有地址, 以及包的长度.与FDDI网络类似, 此数据包通常内含LLC数据包.

(注意: 以下的描述会假设你熟悉SLIP压缩算法 (nt:SLIP为Serial Line Internet Protocol.), 这个算法可以在
RFC-1144中找到相关的蛛丝马迹.)

For SLIP network (nt: SLIP links, it can be understood as a network, that is, a connection established through a serial line, and a simple connection can also be regarded as a network),
The 'direction indicator' of the data packet ('Direction indicator') ("I" means in, "O" means out), type and compression information will be printed. The packet type will be printed first.

types are divided into ip, utcp and ctcp (nt: unknown, need to be supplemented). For ip packets, the connection information will not be printed (nt: SLIP connection, the connection information of the ip packet may be useless or undefined.
reconfirm). For TCP data packets, connection The identifier is printed next to the type indication. If the package is compressed, its encoded header will be printed.
At this time, for special compressed packages, it will be displayed as follows:
*S n or *SA n , where n represents the number of increases or decreases in (sequence number or (sequence number and response number)) of the package (nt | rt: S, SA is awkward and needs to be translated again).
For non-special compressed packages, 0 or more 'changes' will be printed. 'Changes' are printed in the following format:
'flag' /-/=n The length of the packet data and the compressed header length.
where 'flag' can Take the following values:
U (represents urgent pointer), W (referring to buffer window), A (response), S (sequence number), I (package ID), and the incremental expression '=n' means that a new The value, /- means increase or decrease.

For example, the following shows the printing of an outgoing compressed TCP packet. This packet contains a connection identifier; the response number is increased by 6 ,
The sequence number has increased by 49, the packet ID number has increased by 6; the packet data length is 3 bytes (octect), and the compressed header is 6 bytes. (nt: It seems that this should not be a special compressed data Package).

ARP/RARP packet

tcpdump’s output information for Arp/rarp package will include the request type and the parameters corresponding to the request. The display format is concise and clear. The following is from the host Data packet sample at the beginning of the 'rlogin'
(remote login) process from rtsg to host csam:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line Indicates: rtsg sent an arp packet (nt: sent to the entire network segment, arp packet) to query csam’s Ethernet address
Csam (nt: can be seen from below, it is Csam) with her own Ethernet The network address responded (in this example, the ethernet address is identified by an uppercase name, and the internet
address (i.e., the IP address) is identified by an all lowercase name).

If you use tcpdump -n , you can clearly see the Ethernet and IP addresses instead of name identifiers:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01: c4

If we use tcpdump -e, we can clearly see that the first data packet is broadcast across the entire network, and the second data packet is point-to-point:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
The first data packet indicates: the source Ethernet address of the arp packet is RTSG, and the destination address is the full Ethernet segment, type The value of the field is hexadecimal 0806 (representing ETHER_ARP (nt: arp packet type identifier)),
The total length of the packet is 64 bytes.

TCP data packet

(Note: The following will assume that you are familiar with TCP as described in RFC-793. If you are not familiar with it, the following description and the tcpdump program may not be of much help to you. (nt: Warning may Ignore,
Just continue reading, go back and read if you are not familiar with it.).

Usually tcpdump displays tcp data packets in the following format:
src > dst: flags data-seqno ack window urgent options

src and dst are the source and destination IP addresses and corresponding ports. The flags flag consists of S(SYN), F(FIN), P(PUSH, R(RST),
W (ECN CWT (nt | rep: unknown, needs to be supplemented)) or E (ECN-Echo (nt | rep: unknown, needs to be supplemented))),
A single '.' means there is no flags identifier. Data segment sequence number (Data-seqno) describes a position in the sequence number space corresponding to the data in this packet (nt: the entire data is segmented,
Each segment has a sequence number, and all sequence numbers constitute a sequence number space) ( Please refer to the following example). Ack describes the same connection, the same direction, and the sequence number of the next
data fragment that the local end should receive (the other party should send). Window is the data receiving buffer available to the local end. The size of the data (the other party needs to organize the data according to this size when sending data).
Urg (urgent) indicates that there is urgent data in the data packet. options describes some options of tcp, these options are represented by angle brackets ( Such as ).

The three fields src, dst and flags will always be displayed. Whether other fields are displayed depends on the information in the tcp protocol header.

This is the beginning stage of an rlogin application login from trsg to csam.
rtsg.1023 > csam.login: S 768512:768512(0) win 4096
csam. login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam. login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The first line indicates that a data packet is sent from the tcp port 1023 of the rtsg host to the tcp of the csam host On the port login (nt: the port of the udp protocol and the port of the tcp protocol are two separate spaces, although the value range is the same). S means that the SYN flag is set. The sequence number of the packet is 768512, and does not contain Data. (The representation format
is: 'first:last(nbytes)', which means 'the sequence number of the data in this package starts from first and ends with last, excluding last. And the total number of users containing nbytes is
Data'.) There is no piggyback response (nt: from the following, the second line is the data packet with piggyback response), the size of the available acceptance window is 4096bytes, and the maximum acceptable value of the request side (rtsg)
The data segment size is 1024 bytes (nt: This information is sent to the responding end csam as a request for further negotiation between the two parties).

Csam replied to rtsg with basically the same SYN data packet, the difference is just more A ' piggy-backed ack' (nt: piggy-backed ack response, for the SYN packet of rtsg).

rtsg also responded with an ACK packet as a response to the SYN packet of csam. '. ' means that no flag is set in this packet. Since this response packet does not contain data, there is no data segment sequence number in the

packet. Reminder! The sequence number of this ACK packet is just a small integer 1. Yes The following explanation: for a session on a tcp connection, tcpdump only prints the sequence number of the
initial packet at both ends of the session, and subsequent corresponding packets only print out the difference from the initial packet sequence number. That is, the sequence after the initial sequence number number, can be regarded as the 'relative byte' position of the currently transmitted data fragment on this session in the entire
data to be transmitted (nt: the first position of both sides is 1, that is, the 'relative byte' '-S' will override this function,
causing the original sequence number of the data packet to be printed.

The meaning of the sixth line is: rtsg sent 19 bytes to csam Data (bytes are numbered 2 to 20, transmission direction is rtsg to csam). The PUSH flag is set in the packet. In line 7,

csam shouts that she has received bytes below 21 from rtsg , but does not include the byte numbered 21. These bytes are stored in the receive buffer of csam's socket. Correspondingly,
the receive buffer window size of csam will be reduced by 19 bytes (nt: can be obtained from lines 5 and 5 You can see the change in the win attribute value on line 7). csam also sent a
byte to rtsg in the package on line 7. On lines 8 and 9, csam continued to send two bytes to rtsg respectively. Contains a one-byte data packet, and this data packet carries the PUSH flag.

If the captured tcp packet (nt: the snapshot here) is too small, tcpdump cannot fully obtain its header data , at this time, tcpdump will try to parse the incomplete header,

and display the remaining unparsable part as '[|tcp]'. If the header contains false attribute information (for example, its length attribute is actually longer than the header the actual length of the header is long or short), tcpdump will display '[bad opt]' for the header
. If the length of the header tells us some options (nt | rt: from the following, refers to the header of the tcp packet Some options for the ip package in the section, look back) will be in this package,
And the length of the real IP (data packet is not enough to accommodate these options, tcpdump will display '[bad hdr length]'.

Capture TCP packets with special flags (such as SYN-ACK flag, URG-ACK flag, etc.).

In the TCP header, there are 8 bits for control Bit area, its value is:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
(nt | rt: It can be inferred from the expression: these 8 bits are ORed To combine, you can go back and read)

Now suppose we want to monitor the data packets generated during the entire process of establishing a TCP connection. It can be recalled as follows: TCP uses the 3-way handshake protocol to establish a new connection. ; It corresponds to this three-way handshake

connection sequence, and the data packets with the corresponding TCP control flags are as follows:
1) The connection initiator (nt:Caller) sends the data packet with the SYN flag
2) Receive The party (nt:Recipient) responds with a data packet with the SYN and ACK flags
3) The initiator receives the response from the receiver and then sends a data packet with the ACK flag to respond

0 15 31
----------------------------------------- --------------------------
| source port | destination port |
------------- -------------------------------------------------- --
| sequence number |
----------------------------------------------- --------------------------
| acknowledgment number |
------------- -------------------------------------------------- --
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
------------------ --------------------------------------------------
| TCP checksum | urgent pointer |
---------------------------------------- --------------------------

A TCP header, usually occupies 20 bytes if it does not contain option data. (nt | rt:options is understood as option data and needs to be back translated). The first line contains bytes numbered 0 to 3,
The second line contains bytes numbered 4-7.

If The number starts from 0, and the TCP control flag is located at 13 bytes (nt: the left half of the fourth line).

0 7| 15| 23| 31
--------- -------|---------------|---------------|---------- ------
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
-------------- --|---------------|---------------|--------------- -
| | 13th octet | | |

Let's take a closer look at octet number 13:

| -----|
|C|E|U|A|P|R|S|F|
|---------------|
| 7 5 3 0|

Here are the control flag bits we are interested in. From right to left, these bits are numbered from 0 to 7, so that the PSH bit is at number 3 and the URG bit is at number 5.

Remind yourself that we are only getting packets that contain the SYN flag. Let's look at what happens in

byte 13 of a packet header if the SYN bit is set:

|C|E|U|A|P|R|S|F|

|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|

Data in the control segment In , only bit 1 (bit number 1) is set.

Assume that the byte numbered 13 is an 8-bit unsigned character type, and is sorted according to the network byte number (nt: for a word section, network byte order is equivalent to host byte order), its binary value

is as follows:
00000010

and its decimal value is:

0*2^7 0*2^6 0*2^5 0*2^4 0*2^3 0*2^2 1*2^1 0*2^0 = 2(nt: 1 * 2^6 Expresses 1 times 2 raised to the 6th power. Perhaps this is more clear, that is, moving the exponent 7 6... 0 in the original expression below to express it)


is close to the goal, because we It is already known that if SYN in the header of the data packet is set, then the value of the 13th byte in the header is 2 (nt: in network order, that is, big header mode, the most important byte

is at the front ( At the front, that is, the actual memory address of the byte is relatively small, and the most important byte refers to the high bit of the number in the mathematical representation, such as 3) ) in 356.


is expressed as a relational expression that tcpdump can understand: :

tcp[13] 2


So we can use this relationship as the filter condition of tcpdump, the goal is to monitor data packets that only contain the SYN flag:

tcpdump -i xl0 tcp[13 ] 2 (nt: xl0 refers to the network interface, such as eth0)


This expression means "let the 13th byte of the TCP packet have the value 2", which is also the result we want.

Now, suppose we need to capture the packet with the SYN flag, regardless of whether it contains other flags. (nt: As long as it has SYN, that is what we want). Let us see what happens when a packet contains

SYN-ACK data packet (nt: SYN and ACK flags are both), what happened when it arrived:

|C|E|U|A|P|R|S|F|
|- ---------------|
|0 0 0 1 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|

Bits 1 and 4 of byte 13 are set, and its binary value is:

00010010


converted to The decimal number is:

0*2^7 0*2^6 0*2^5 1*2^4 0*2^3 0*2^2 1*2^1 0*2 = 18( nt: 1 * 2^6 means 1 times 2 raised to the 6th power. Maybe this is more clear, that is, the exponent 7 6... 0 in the original expression is moved to the bottom to express) #Now, you cannot just use 'tcp[13] 18' as the filter expression of tcpdump, because this will result in only selecting packets containing the SYN-ACK flag, and the others will be discarded.

Remind yourself, we The goal is: as long as the SYN flag of the packet is set, we ignore other flags.


In order to achieve our goal, we need to AND the binary value of byte 13 with another number (nt: logical AND) to get the value of the SYN bit. The goal is: as long as SYN is set

, so we combine it with the SYN value of byte 13 (nt: 00000010).


00010010 SYN-ACK 00000010 SYN

AND 00000010 (we want SYN) AND 00000010 (we want SYN)

-------- --------
= 00000010 = 00000010

We can find that regardless of whether the ACK or other flags of the packet are set, the above AND operation will give us the same value, and its decimal expression is 2 (the binary expression is 00000010).
So we Know that for packets with the SYN flag, the result of the following expression is always true:

( ( value of octet 13 ) AND ( 2 ) ) ( 2 ) (nt: value of octet 13, that is, the value of byte No. 13)

The inspiration came, and we got the following tcpdump filter expression
tcpdump -i xl0 'tcp[13] & 2 2'

Note that single quotes or backslashes (nt: single quotes are used here) cannot be omitted, which can prevent the shell from interpreting or replacing &.

UDP data packet

The display format of UDP data packet can be explained by the data packet generated by the specific application rwho:
actinide.who > broadcast.who: udp 84

The meaning is: the port who on the actinide host sent a udp packet to the port who on the broadcast host (nt: actinide and broadcast both refer to the Internet address).
This packet carries User data is 84 bytes.

Some UDP services can be identified from the source or destination port of the packet, or from the higher-layer protocol information displayed. For example, Domain Name service requests(DNS Requests,
in RFC-1034/1035), and Sun RPC calls to NFS (remote calls initiated to the NFS server (nt: Sun RPC), remote calls are described in RFC-1050).

UDP Name Service Request

(Note: The following description assumes that you are familiar with the Domain Service protocol (nt: described in RFC-103), otherwise you will find that the following description is a bible ( nt: Greek Bible,
Don’t pay attention to it, just keep reading if it scares you))

The name service request has the following format:
src > dst: id op? flags qtype qclass name (len)
(nt: From the following, the format should be src > dst: id op flags qtype qclass? name (len))
For example, one actually displays:
h2opolo.1538 > helios.domain: 3 A? ucbvax.berkeley.edu. (37)

Host h2opolo queries the name server running on helios for the address record of ucbvax.berkeley.edu (nt: qtype equals A). The id number of this query itself is '3'. The symbol
' ' means that the recursive query flag is set (nt: the dns server can query the higher-level dns server for address records that this server does not contain). This is ultimately passed through the IP packet The query request sent
has a data length of 37 bytes, which does not include the header data of the UDP and IP protocols. Because this query operation is the default value (nt | rt: normal one's understanding), the op field is omitted.
If the op field is not omitted, it will be displayed between '3' and ' '. Similarly, qclass is also the default value, C_IN, so it is not displayed. If it is not omitted, it will be displayed after 'A' .

Exception checking will show additional fields in square brackets: If a query also contains a response (nt: can be understood as a response to another previous request), and this response contains authoritative or additional Record segment,
ancount, nscout, arcount (nt: the specific field meaning needs to be supplemented) will be displayed as '[na]', '[nn]', '[nau]', where n represents the appropriate count. If The following
response bits in the packet (such as AA bit, RA bit, rcode bit), or any 'must be 0' bit in byte 2 or 3 is set (nt: set to 1), '[b2&3 ]=x' will be displayed, where x represents the value of
header byte 2 and byte 3 ANDed.

UDP name service response

Reply to the name service For data packets, tcpdump will have the following display format
src > dst: id op rcode flags a/n/au type class data (len)
For example, the specific display is as follows:
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

The first line indicates : helios responded to query request No. 3 sent by h2opolo with 3 answer records (nt | rt: answer records), 3 name server records,
, and 7 additional records. The first answer record (nt: The first of 3 answer records) type is A (nt: represents address), and its data is the internet address 128.32.137.3.
This response UDP packet contains 273 bytes of data (excluding UPD and IP header data). The op field and rcode field are ignored (nt: the actual value of op is Query, rcode, that is, the actual value of
response code is NoError), and the similarly ignored field is the class field (nt | rt: Its value is C_IN, which is also the default value for type A records)

The second line indicates: helios responded to query request No. 2 sent by h2opolo. In the response, rcode is encoded as NXDomain (nt: indicates a non-existent domain)), and there is no answer record,
but it contains a Name server records, excluding authoritative server records (nt | ck: From the above, the authority records here are the corresponding additional
records above). '*' indicates that the authoritative server answer flag is set (nt: Therefore, additional records represent authority records).
Since there is no answer record, the type, class, and data fields are ignored.

There may also be other characters in the flag field, such as '-'( nt: indicates recursive query, that is, the RA flag is not set), '|'(nt: indicates a truncated message, that is, the TC flag
is set). If the response (nt | ct: can be understood as, UDP packets containing name service responses, tcpdump knows how to parse the data of this type of packets)' 'question' section does not contain an entry
(nt: the meaning of each entry, needs to be added) ,'[nq]' will be printed.

It should be noted that the request and response data volume of the name server is relatively large, and the default capture length of 68 bytes (nt: snaplen, understandable A setting option for tcpdump) may not be enough to capture the entire contents of
packets. If you really need to take a closer look at the nameserver load, you can expand the snaplen value with tcpdump's -s option.

SMB/CIFS decoding

tcpdump can already decode the packet contents of SMB/CIFS/NBT related applications (nt: respectively 'Server Message Block Common ', 'Internet File System'
'Short for NETBIOS, a network protocol implemented on TCP/IP'. These services usually use UDP port 137/138 and TCP port 139). The original support for IPX and NetBEUI SMB The
decoding capability of data packets can still be used (nt: NetBEUI is an enhanced version of NETBIOS).

tcpdump only decodes the corresponding data packets in the simplest mode by default, if we want detailed decoding Information can be displayed using its -v startup option. It should be noted that -v will generate very detailed information,
For example, for a single SMB packet, a screen or more of information will be generated, so this option, Only use it if necessary.

For information about the SMB packet format and the meaning of each field, please refer to www.cifs.org or the pub/samba/specs/ directory of the samba.org mirror site. On linux The SMB patch
(nt | rt: patch) provided by Andrew Tridgell (tridge@samba.org).

NFS Requests and Responses

tcpdump for Sun NFS (Network File System) The request and response UDP packets have printout in the following format:
src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len ​​op results

The following is a specific set of output data
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../ var"
sushi.201b > wrl.nfs:
144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b:
reply ok 128 lookup fh 9, 74/4134.3150

The first line of output shows: The host sushi sent an 'exchange request' (nt: transaction) to the host wrl. The id of this request is 6709 (note that the host name is followed by exchange
Request id number, not source port number). This request data is 112 bytes, which does not include the length of UDP and IP headers. The operation type is readlink (nt: that is, this operation is a read symbolic link operation),
The operating parameter is fh 21,24/10.73165 (nt: It can be parsed as follows according to the actual operating environment, fd means that the description is a file handle, 21,24 means the master/slave device number pair of the device corresponding to this handle, 10 represents the i-node number corresponding to this handle (nt: each file will correspond to an i-node in the operating system, limited to unix-type systems),
73165 is a number (nt: can be understood as identifying this request A random number, the specific meaning needs to be added)).

In the second line, wrl responded with 'ok', and returned the real directory of the symbolic link that sushi wanted to read in the results field (nt : That is, the symbolic link that sushi requires to read is actually a directory).

The third line indicates: sushi requests wrl again to find the 'xcolors' file in the directory described by 'fh 9,74/4096.6878'. Required Note that the meaning of the data displayed in each line depends on the

type of the op field (nt: the meaning of args corresponding to different ops is different), and its format follows the NFS protocol, pursuing simplicity and clarity.

If the -v option (verbose print option) of tcpdump is set, additional information will be displayed. For example:

sushi.1372a > wrl.nfs:
148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a:
reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v option usually also prints out the TTL, ID, length, and fragmentation fields of the IP header, but in this example, they are all omitted (nt: can be understood as, deleted for the sake of brevity) ))
In the first line, sushi requests wrl to read 8192 bytes of data from file 21,11/12.195 (nt: the format is described above), starting at offset 24576 bytes.
Wrl response read successfully; since the second line is only the beginning fragment of the response request, it only contains 1472 bytes (other data will come in the subsequent reply fragments, but these packets will no longer have NFS
headers, Even the UDP header information is empty (nt: source and destination should be present), which will cause these fragments to fail to meet the filter conditions and thus not be printed). In addition to displaying file data information, the -v option also displays
additional Display file attribute information: file type (file type, ''REG'' means ordinary file), file mode (file access mode, octal representation), uid and gid (nt: file owner and
group owner), file size (file size).

If the -v flag is given multiple times (nt: such as -vv), tcpdump will display more detailed information.

Required It should be noted that there is a lot of data in the NFS request packet. If the snaplen (nt: capture length) of tcpdump is too short, its detailed information will not be displayed. You can use
'-s 192' to increase the snaplen, which can be used To monitor the network load of NFS applications (nt: traffic).

NFS response packets do not strictly follow the previous corresponding request packets (nt: RPC operation). Therefore, tcpdump will track the most recently received A series of request packets, and then matched with the corresponding request packet through its
exchange sequence number (nt: transaction ID). This may cause a problem, if the response packet comes too late, exceeding the tracking range of the corresponding request packet by tcpdump,
This response packet will not be analyzed.

AFS request and response

##AFS(nt: Andrew File System, Transarc, Unknown, Need to be added) The request and response have the following protocols

src.sport > dst.dport: rx packet-type

src.sport > dst.dport: rx packet-type service call call-name args
src.sport > dst.dport: rx packet-type service reply call-name args

elvis.7001 > pike.afsfs:

rx data fs call rename old fid 536876964/ 1/1 ".newsrc.new"
new fid 536876964/1/1 ".newsrc"
pike.afsfs > elvis.7001: rx data fs reply rename

on the first line , the host elvis sent an RX data packet to pike.

This is a request packet for file service (nt: RX data packet, sending a data packet can be understood as sending a packet to request the other party's service), This is also the beginning of an RPC
call (nt: RPC, remote procedure call). This RPC requests pike to perform a rename (nt: rename) operation, and specifies the relevant parameters:
The original directory descriptor is 536876964 /1/1, the original file name is '.newsrc.new', the new directory descriptor is 536876964/1/1, the new file name is '.newsrc'.
The host pike made an RPC request for this rename operation. Response (the response indicates that the rename operation is successful, because the response is a packet containing data content rather than an exception packet).

Generally speaking, all 'AFS RPC' requests will be given a name when they are displayed (nt: decode, decode), this name is often the operation name of the RPC request.

Moreover, some parameters of these RPC requests will also be given a name when displayed (nt | rt: decode, decode , generally speaking, naming is also very straightforward. For example,
an interesting parameter will be directly displayed as 'interesting'. The meaning is difficult to pronounce and needs to be translated again).

This display format The original intention of the design is to 'understand at a glance', but it may not be very

useful to people who are not familiar with the working principles of AFS and RX (nt: Don't worry about it, it will scare you in writing, just read on).

If the -v (verbose) flag is given repeatedly (nt: such as -vv), tcpdump will print out the confirmation packet (nt: understandable as a packet that is different from the response packet) and additional header information

(nt: can be understood as, all packets, not just the additional header information of the confirmation packet), for example, RX call ID (the ID of the 'request call' in the request packet),
call number ('request call' ' number), sequence number (nt: packet sequence number),
serial number (nt | rt: can be understood as another serial signal related to the data in the packet, the specific meaning needs to be supplemented), request packet identification. (nt: The next paragraph is a repetitive description, so
is omitted), in addition, the MTU negotiation information in the confirmation packet will also be printed (nt: the confirmation packet is a confirmation packet relative to the request packet, Maximum Transmission Unit, Maximum transmission unit).

If the -v option is repeated three times (nt: such as -vvv), then the 'security index' ('security index') and 'service index' ( 'service id') will

be printed.

For abnormal data packets (nt: abort packet, which can be understood as, this packet is used to notify the recipient that an exception has occurred), tcpdump will print out error codes.
But for Ubik beacon packets (nt: Ubik beacon indication packet, Ubik can be understood as a special communication protocol, beacon packets, lighthouse data packets, can be understood as some data packets indicating
key information in communication), the error number will not be printed , because for the Ubik protocol, the abnormal data packet does not indicate an error, but instead indicates a positive response (nt: that is, yes vote).

AFS requests a large amount of data and has many parameters, so tcpdump is required The snaplen is relatively large. You can generally increase the snaplen by setting the option '-s 256' when starting tcpdump to
monitor the AFS application communication load.

AFS response packets do not display the type of remote that identifies the RPC. Call. Therefore, tcpdump will track the request packets in the recent period and match the received response packets through call number (call number) and service ID
(service index). If the response packet is not for the recent period request packet, tcpdump will not be able to parse the packet.

KIP AppleTalk Protocol

(nt | rt: DDP in UDP can be understood as, DDP, The AppleTalk Data Delivery Protocol,
is equivalent to the network layer protocol that supports the KIP AppleTalk protocol stack, and DDP itself is transmitted through UDP,
is the network layer implemented on UDP for other networks , KIP AppleTalk is a complete set of network protocol stacks developed by Apple).

AppleTalk DDP packets are encapsulated in UDP packets, and their decapsulation (nt: equivalent to decoding) and the dump of corresponding information also follow DDP packet rules.
(nt:encapsulate, encapsulation, equivalent to encoding, de-encapsulate, decapsulation, equivalent to decoding, dump, dump, usually refers to printing its information).

The /etc/atalk.names file contains the correspondence between the numeric identifiers and names of AppleTalk networks and nodes. The file format usually looks like this:
number name

1.254 ether
16.1 icsd- net
1.254.110 ace

The first two lines indicate that there are two AppleTalk networks. The third line gives the hosts on the specific network (a host will be identified by 3 bytes,
The identifier of a network usually only has two bytes, which is also the main difference between the two identifiers) (nt: 1.254.110 can be understood as the ace host on the ether network).
There must be a gap between the identifier and its corresponding name Separate with whitespace. In addition to the above content, /etc/atalk.names also contains blank lines and comment lines (lines starting with '#').

AppleTalk complete network address will be displayed in the following format:
net.host.port

The following is a specific display:
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2

(If the /etc/atalk.names file does not exist, or there is no entry for the corresponding AppleTalk host/network, the network address of the packet will be displayed in numeric form).

In the first line, node 209 on network 144.1 sends an NBP application packet through port 2 to node 112 on the network icsd-net listening on port 220
(nt | rt: NBP, name binding protocol, name binding protocol. From the data point of view, the NBP server will provide this service on port 2.
'DDP port 2' can be understood as 'DDP corresponding transport layer port 2', DDP itself has no concept of port , this point is not determined and needs to be supplemented).

The second line is similar to the first line, except that all addresses of the source can be identified by 'office'.
The third line indicates: 149 on the jssmag network The node sent a data packet through 235 to port 2 (NBP port) of all nodes on the icsd-net network. (It should be noted that
In the AppleTalk network, if there is no node in the address, it means the broadcast address, so the node It is best to distinguish the identifier and the network identifier in /etc/atalk.names.
nt: Otherwise, for an identifier x.port, it is impossible to determine whether x refers to the port of all hosts on the network or the port of the specified host x).

tcpdump can parse NBP (Name Binding Protocol) and ATP (AppleTalk Transport Protocol) data packets. For other application layer protocols, only the corresponding protocol name will be printed out (
If this protocol does not register a Common name, only its protocol number will be printed) and the size of the data packet.

NBP data packet will be displayed in the following format:
icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp- reply 190: "techpit:LaserWriter@*" 186

The first line indicates: Node 112 in the network icsd-net sent the name of 'LaserWriter' through port 220 to port 2 of all nodes in the network jssmag Query request (nt:
The name here can be understood as the name of a resource, such as a printer). The sequence number of this query request is 190.

The second line indicates: Node 209 in the network jssmag responded to port 220 of the icsd-net.112 node through port 2: I have a 'LaserWriter' resource, and its resource name
is 'RM1140', and Provides resource modification services on port 250. The sequence number of this response is 190, which corresponds to the sequence number queried previously.

The third line is also the response to the request in the first line: Node techpit requests icsd through port 2 The port 220 of the -net.112 node responded: I have the 'LaserWriter' resource, its resource name
is 'techpit', and the resource modification service is provided on port 186. The sequence number of this response is 190, corresponding to The previously queried sequence number.

The ATP packet display format is as follows:
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > p- Resp 12266: 2 (512) 0xae040000
helios.132 & gt; jssmag.209.165: at-resp 12266: 3 (512) 0xae04000000000000
stelios.132 & gt; jssmag.209.165: ATP-Resp 12 266: 5 (512 ) 0xae040000
helios.132 & gt; jssmag.209.165: ATP-Resp 12266: 6 (512) 0xae040040000
helios.132 & gt; jssmag.209.165: ATP-Resp*12266: 7 (512) 0x 0X ae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag .209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp -req * 12267<0-7> 0xae030002

The first line indicates that node Jssmag.209 sent a request packet with session number 12266 to node helios, requesting helios
to respond with 8 data packets (these 8 The sequence number of the data packet is 0-7 (nt: The sequence number is different from the session number, the latter is the number of a complete transmission,
the former is the number of each data packet in the transmission. transaction, session, are usually also It's called transmission)). The hexadecimal number at the end of the line represents the value of the 'userdata' field in the request packet (nt: from the following, this does not print out all the user data).

Helios responded with 8 512-byte data packets. The number following the session number (nt: 12266) indicates the sequence number of the data packet in the session.

The number in brackets indicates the sequence number of the data packet. The size of the data, which does not include the atp header. There is an '*' sign outside the packet with sequence number 7 (line 8),
indicates that the EOM flag of the packet is set. (nt: EOM, End Of Media, can be understood as indicating that the data response of a session is completed).

The next line 9 indicates that Jssmag.209 made another request to helios: sequence numbers 3 and 5 Please resend the data packet. Helios resent the two data packets after receiving this

request. After jssmag.209 received these two data packets again, it actively ended (release) the session.

In the last line, jssmag.209 sends a request packet to start the next session to helios. The '*' in the request packet indicates that the XO flag of the packet has not been set.

(nt: XO, exactly once, can It is understood that in this session, the data packet is only processed exactly once by the receiving party. Even if the other party repeatedly transmits the data packet,
the receiving party will only process it once. This requires the use of specially designed data packet reception and Processing mechanism).

IP packet fragmentation

(nt: refers to dividing an IP packet into multiple IP packets)

Fragmented IP data packets (nt: small IP data packets generated after a large IP data packet is broken) have the following two display formats.

(frag id:size@offset)
(frag id:size@offset)
(The first format indicates that there are subsequent fragments after this fragment. The second format indicates that this fragment is the last fragment.)

id represents the fragmentation number (nt : As seen below, each large IP packet to be fragmented will be assigned a fragmentation number in order to distinguish whether each small fragment is fragmented from the same data packet).

size indicates the size of this fragment, excluding fragments Header data. offset represents the offset of the data contained in this fragment in the original entire IP packet ((nt: From the following point of view,
An IP data packet is fragmented as a whole, including header and data, and Not just the data is split).

每个碎片都会使tcpdump产生相应的输出打印. 第一个碎片包含了高层协议的头数据(nt:从下文来看, 被破碎IP数据包中相应tcp头以及
IP头都放在了第一个碎片中 ), 从而tcpdump会针对第一个碎片显示这些信息, 并接着显示此碎片本身的信息. 其后的一些碎片并不包含高层协议头信息, 从而只会在显示源和目的之后显示碎片本身的信息. 以下有一个例子: 这是一个从arizona.edu 到lbl-rtsg.arpa途经CSNET网络(nt: CSNET connection 可理解为建立在CSNET 网络上的连接)的ftp应用通信片段:
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

有几点值得注意:
第一, 第二行的打印中, 地址后面没有端口号.
这是因为TCP协议信息都放到了第一个碎片中, 当显示第二个碎片时, 我们无法知道此碎片所对应TCP包的顺序号.

第二, 从第一行的信息中, 可以发现arizona需要向rtsg发送308字节的用户数据, 而事实是, 相应IP包经破碎后会总共产生512字节
数据(第一个碎片包含308字节的数据, 第二个碎片包含204个字节的数据, 这超过了308字节). 如果你在查找数据包的顺序号空间中的
一些空洞(nt: hole,空洞, 指数据包之间的顺序号没有上下衔接上), 512这个数据就足够使你迷茫一阵(nt: 其实只要关注308就行,
不必关注破碎后的数据总量).

一个数据包(nt | rt: 指IP数据包)如果带有非IP破碎标志, 则显示时会在最后显示'(DF)'.(nt: 意味着此IP包没有被破碎过).

时间戳

tcpdump的所有输出打印行中都会默认包含时间戳信息.
时间戳信息的显示格式如下
hh:mm:ss.frac (nt: 小时:分钟:秒.(nt: frac未知, 需补充))
此时间戳的精度与内核时间精度一致, 反映的是内核第一次看到对应数据包的时间(nt: saw, 即可对该数据包进行操作). 
而数据包从物理线路传递到内核的时间, 以及内核花费在此包上的中断处理时间都没有算进来.

命令使用

tcpdump采用命令行方式,它的命令格式为:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
           [ -C file_size ] [ -F file ]
           [ -i  ] [ -m module ] [ -M secret ]
           [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
           [ -W filecount ]
           [ -E spi@ipaddr algo:secret,...  ]
           [ -y datalinktype ] [ -Z user ]
           [ expression ]

tcpdump的简单选项介绍

-A  以ASCII码方式显示每一个数据包(不会显示数据包中链路层头部信息). 在抓取包含网页数据的数据包时, 可方便查看数据(nt: 即Handy  capturing web pages).

-c  count
    tcpdump将在接受到count个数据包后退出.

-C  file-size (nt: 此选项用于配合-w file 选项使用)
    该选项使得tcpdump 在把原始数据包直接保存到文件中之前, 检查此文件大小是否超过file-size. 如果超过了, 将关闭此文件,另创一个文件继续用于原始数据包的记录. 新创建的文件名与-w 选项指定的文件名一致, 但文件名后多了一个数字.该数字会从1开始随着新创建文件的增多而增加. file-size的单位是百万字节(nt: 这里指1,,000个字节,并非1,,576个字节, 后者是以1024字节为1k, 1024k字节为1M计算所得, 即1M= *  = ,,)

-d  以容易阅读的形式,在标准输出上打印出编排过的包匹配码, 随后tcpdump停止.(nt | rt: human readable, 容易阅读的,通常是指以ascii码来打印一些信息. compiled, 编排过的. packet-matching code, 包匹配码,含义未知, 需补充)

-dd 以C语言的形式打印出包匹配码.

-ddd 以十进制数的形式打印出包匹配码(会在包匹配码之前有一个附加的前缀).

-D  打印系统中所有tcpdump可以在其上进行抓包的网络接口. 每一个接口会打印出数字编号, 相应的接口名字, 以及可能的一个网络接口描述. 其中网络接口名字和数字编号可以用在tcpdump 的-i flag 选项(nt: 把名字或数字代替flag), 来指定要在其上抓包的网络接口.

    此选项在不支持接口列表命令的系统上很有用(nt: 比如, Windows 系统, 或缺乏 ifconfig -a 的UNIX系统); 接口的数字编号在windows  或其后的系统中很有用, 因为这些系统上的接口名字比较复杂, 而不易使用.

    如果tcpdump编译时所依赖的libpcap库太老,-D 选项不会被支持, 因为其中缺乏 pcap_findalldevs()函数.

-e  每行的打印输出中将包括数据包的数据链路层头部信息

-E  spi@ipaddr algo:secret,...

    可通过spi@ipaddr algo:secret 来解密IPsec ESP包(nt | rt:IPsec Encapsulating Security Payload,IPsec 封装安全负载, IPsec可理解为, 一整套对ip数据包的加密协议, ESP 为整个IP 数据包或其中上层协议部分被加密后的数据,前者的工作模式称为隧道模式; 后者的工作模式称为传输模式 . 工作原理, 另需补充).

    需要注意的是, 在终端启动tcpdump 时, 可以为IPv4 ESP packets 设置密钥(secret).

    可用于加密的算法包括des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, 或者没有(none).默认的是des-cbc(nt: des, Data Encryption Standard, 数据加密标准, 加密算法未知, 另需补充).secret 为用于ESP 的密钥, 使用ASCII 字符串方式表达. 如果以 0x 开头, 该密钥将以16进制方式读入.

    该选项中ESP 的定义遵循RFC2406, 而不是 RFC1827. 并且, 此选项只是用来调试的, 不推荐以真实密钥(secret)来使用该选项, 因为这样不安全: 在命令行中输入的secret 可以被其他人通过ps 等命令查看到.

    除了以上的语法格式(nt: 指spi@ipaddr algo:secret), 还可以在后面添加一个语法输入文件名字供tcpdump 使用(nt:即把spi@ipaddr algo:secret,... 中...换成一个语法文件名). 此文件在接受到第一个ESP 包时会打开此文件, 所以最好此时把赋予tcpdump 的一些特权取消(nt: 可理解为, 这样防范之后, 当该文件为恶意编写时,不至于造成过大损害).

-f  显示外部的IPv4 地址时(nt: foreign IPv4 addresses, 可理解为, 非本机ip地址), 采用数字方式而不是名字.(此选项是用来对付Sun公司的NIS服务器的缺陷(nt: NIS, 网络信息服务, tcpdump 显示外部地址的名字时会用到她提供的名称服务): 此NIS服务器在查询非本地地址名字时,常常会陷入无尽的查询循环).

    由于对外部(foreign)IPv4地址的测试需要用到本地网络接口(nt: tcpdump 抓包时用到的接口)及其IPv4 地址和网络掩码. 如果此地址或网络掩码不可用, 或者此接口根本就没有设置相应网络地址和网络掩码(nt: linux 下的  网络接口就不需要设置地址和掩码, 不过此接口可以收到系统中所有接口的数据包), 该选项不能正常工作.

-F  file
    使用file 文件作为过滤条件表达式的输入, 此时命令行上的输入将被忽略.

-i  

    指定tcpdump 需要监听的接口.  如果没有指定, tcpdump 会从系统接口列表中搜寻编号最小的已配置好的接口(不包括 loopback 接口).一但找到第一个符合条件的接口, 搜寻马上结束.

    在采用2.2版本或之后版本内核的Linux 操作系统上,  这个虚拟网络接口可被用来接收所有网络接口上的数据包(nt: 这会包括目的是该网络接口的, 也包括目的不是该网络接口的). 需要注意的是如果真实网络接口不能工作在模式(promiscuous)下,则无法在这个虚拟的网络接口上抓取其数据包.

    如果 -D 标志被指定, tcpdump会打印系统中的接口编号,而该编号就可用于此处的interface 参数.

-l  对标准输出进行行缓冲(nt: 使标准输出设备遇到一个换行符就马上把这行的内容打印出来).在需要同时观察抓包打印以及保存抓包记录的时候很有用. 比如, 可通过以下命令组合来达到此目的:
    ``tcpdump  -l  |  tee dat 或者 ``tcpdump  -l   > dat  &  tail  -f  dat.(nt: 前者使用tee来把tcpdump 的输出同时放到文件dat和标准输出中, 而后者通过重定向操作, 把tcpdump的输出放到dat 文件中, 同时通过tail把dat文件中的内容放到标准输出中)

-L  列出指定网络接口所支持的数据链路层的类型后退出.(nt: 指定接口通过-i 来指定)

-m  module
    通过module 指定的file 装载SMI MIB 模块(nt: SMI,Structure of Management Information, 管理信息结构MIB, Management Information Base, 管理信息库. 可理解为, 这两者用于SNMP(Simple Network Management Protoco)协议数据包的抓取. 具体SNMP 的工作原理未知, 另需补充).

    此选项可多次使用, 从而为tcpdump 装载不同的MIB 模块.

-M  secret  如果TCP 数据包(TCP segments)有TCP-MD5选项(在RFC 2385有相关描述), 则为其摘要的验证指定一个公共的密钥secret.

-n  不对地址(比如, 主机地址, 端口号)进行数字表示到名字表示的转换.

-N  不打印出host 的域名部分. 比如, 如果设置了此选现, tcpdump 将会打印 而不是 .

-O  不启用进行包匹配时所用的优化代码. 当怀疑某些bug是由优化代码引起的, 此选项将很有用.

-p  一般情况下, 把网络接口设置为非模式. 但必须注意 , 在特殊情况下此网络接口还是会以模式来工作; 从而,  的设与不设, 不能当做以下选现的代名词: 或  (nt: 前者表示只匹配以太网地址为host 的包, 后者表示匹配以太网地址为广播地址的数据包).

-q  快速(也许用更好?)打印输出. 即打印很少的协议相关信息, 从而输出行都比较简短.

-R  设定tcpdump 对 ESP/AH 数据包的解析按照 RFC1825而不是RFC1829(nt: AH, 认证头, ESP, 安全负载封装, 这两者会用在IP包的安全传输机制中). 如果此选项被设置, tcpdump 将不会打印出域(nt: relay prevention field). 另外,由于ESP/AH规范中没有规定ESP/AH数据包必须拥有协议版本号域,所以tcpdump不能从收到的ESP/AH数据包中推导出协议版本号.

-r  file
    从文件file 中读取包数据. 如果file 字段为  符号, 则tcpdump 会从标准输入中读取包数据.

-S  打印TCP 数据包的顺序号时, 使用绝对的顺序号, 而不是相对的顺序号.(nt: 相对顺序号可理解为, 相对第一个TCP 包顺序号的差距,比如, 接受方收到第一个数据包的绝对顺序号为232323, 对于后来接收到的第2个,第3个数据包, tcpdump会打印其序列号为1, 2分别表示与第一个数据包的差距为1 和 . 而如果此时-S 选项被设置, 对于后来接收到的第2个, 第3个数据包会打印出其绝对顺序号:, ).

-s  snaplen
    设置tcpdump的数据包抓取长度为snaplen, 如果不设置默认将会是68字节(而支持网络接口分接头(nt: NIT, 上文已有描述,可搜索关键字找到那里)的SunOS系列操作系统中默认的也是最小值是96).68字节对于IP, ICMP(nt: Internet Control Message Protocol,因特网控制报文协议), TCP 以及 UDP 协议的报文已足够, 但对于名称服务(nt: 可理解为dns, nis等服务), NFS服务相关的数据包会产生包截短. 如果产生包截短这种情况, tcpdump的相应打印输出行中会出现[|proto]的标志(proto 实际会显示为被截短的数据包的相关协议层次). 需要注意的是, 采用长的抓取长度(nt: snaplen比较大), 会增加包的处理时间, 并且会减少tcpdump 可缓存的数据包的数量, 从而会导致数据包的丢失. 所以, 在能抓取我们想要的包的前提下, 抓取长度越小越好.把snaplen 设置为0 意味着让tcpdump自动选择合适的长度来抓取数据包.

-T  type
    强制tcpdump按type指定的协议所描述的包结构来分析收到的数据包.  目前已知的type 可取的协议为:
    aodv (Ad-hoc On-demand Distance Vector protocol, 按需距离向量路由协议, 在Ad hoc(点对点模式)网络中使用),
    cnfp (Cisco  NetFlow  protocol),  rpc(Remote Procedure Call), rtp (Real-Time Applications protocol),
    rtcp (Real-Time Applications con-trol protocol), snmp (Simple Network Management Protocol),
    tftp (Trivial File Transfer Protocol, 碎文件协议), vat (Visual Audio Tool, 可用于在internet 上进行电
    视电话会议的应用层协议), 以及wb (distributed White Board, 可用于网络会议的应用层协议).

-t     在每行输出中不打印时间戳

-tt    不对每行输出的时间进行格式处理(nt: 这种格式一眼可能看不出其含义, 如时间戳打印成1261798315)

-ttt   tcpdump 输出时, 每两行打印之间会延迟一个段时间(以毫秒为单位)

-tttt  在每行打印的时间戳之前添加日期的打印

-u     打印出未加密的NFS 句柄(nt: handle可理解为NFS 中使用的文件句柄, 这将包括文件夹和文件夹中的文件)

-U    使得当tcpdump在使用-w 选项时, 其文件写入与包的保存同步.(nt: 即, 当每个数据包被保存时, 它将及时被写入文件中,而不是等文件的输出缓冲已满时才真正写入此文件)

      -U 标志在老版本的libcap库(nt: tcpdump 所依赖的报文捕获库)上不起作用, 因为其中缺乏pcap_cump_flush()函数.

-v    当分析和打印的时候, 产生详细的输出. 比如, 包的生存时间, 标识, 总长度以及IP包的一些选项. 这也会打开一些附加的包完整性检测, 比如对IP或ICMP包头部的校验和.

-vv   产生比-v更详细的输出. 比如, NFS回应包中的附加域将会被打印, SMB数据包也会被完全解码.

-vvv  产生比-vv更详细的输出. 比如, telent 时所使用的SB, SE 选项将会被打印, 如果telnet同时使用的是图形界面,
      其相应的图形选项将会以16进制的方式打印出来(nt: telnet 的SB,SE选项含义未知, 另需补充).

-w    把包数据直接写入文件而不进行分析和打印输出. 这些包数据可在随后通过-r 选项来重新读入并进行分析和打印.

-W    filecount
      此选项与-C 选项配合使用, 这将限制可打开的文件数目, 并且当文件数据超过这里设置的限制时, 依次循环替代之前的文件, 这相当于一个拥有filecount 个文件的文件缓冲池. 同时, 该选项会使得每个文件名的开头会出现足够多并用来占位的0, 这可以方便这些文件被正确的排序.

-x    当分析和打印时, tcpdump 会打印每个包的头部数据, 同时会以16进制打印出每个包的数据(但不包括连接层的头部).总共打印的数据大小不会超过整个数据包的大小与snaplen 中的最小值. 必须要注意的是, 如果高层协议数据没有snaplen 这么长,并且数据链路层(比如, Ethernet层)有填充数据, 则这些填充数据也会被打印.(nt: so  link  layers  that pad, 未能衔接理解和翻译, 需补充 )

-xx   tcpdump 会打印每个包的头部数据, 同时会以16进制打印出每个包的数据, 其中包括数据链路层的头部.

-X    当分析和打印时, tcpdump 会打印每个包的头部数据, 同时会以16进制和ASCII码形式打印出每个包的数据(但不包括连接层的头部).这对于分析一些新协议的数据包很方便.

-XX   当分析和打印时, tcpdump 会打印每个包的头部数据, 同时会以16进制和ASCII码形式打印出每个包的数据, 其中包括数据链路层的头部.这对于分析一些新协议的数据包很方便.

-y    datalinktype
      设置tcpdump 只捕获数据链路层协议类型是datalinktype的数据包

-Z    user
      使tcpdump 放弃自己的超级权限(如果以root用户启动tcpdump, tcpdump将会有超级用户权限), 并把当前tcpdump的用户ID设置为user, 组ID设置为user首要所属组的ID(nt: tcpdump 此处可理解为tcpdump 运行之后对应的进程)

      此选项也可在编译的时候被设置为默认打开.(nt: 此时user 的取值未知, 需补充)

tcpdump条件表达式

  该表达式用于决定哪些数据包将被打印. 如果不给定条件表达式, 网络上所有被捕获的包都会被打印,否则, 只有满足条件表达式的数据包被打印.(nt: all packets, 可理解为, 所有被指定接口捕获的数据包).

  表达式由一个或多个'表达元'组成(nt: primitive, 表达元, 可理解为组成表达式的基本元素). 一个表达元通常由一个或多个修饰符(qualifiers)后跟一个名字或数字表示的id组成(nt: 即, 'qualifiers id').有三种不同类型的修饰符:type, dir以及 proto.

type 修饰符指定id 所代表的对象类型, id可以是名字也可以是数字. 可选的对象类型有: host, net, port 以及portrange(nt: host 表明id表示主机, net 表明id是网络, port 表明id是端而portrange 表明id 是一个端口范围).  如, 'host foo', 'net 128.3', 'port 20', 'portrange 6000-6008'(nt: 分别表示主机 foo,网络 128.3, 端口 20, 端口范围 6000-6008). 如果不指定type 修饰符, id默认的修饰符为host.

dir 修饰符描述id 所对应的传输方向, 即发往id 还是从id 接收(nt: 而id 到底指什么需要看其前面的type 修饰符).可取的方向为: src, dst, src 或 dst, src并且dst.(nt:分别表示, id是传输源, id是传输目的, id是传输源或者传输目的, id是传输源并且是传输目的). 例如, 'src foo','dst net 128.3', 'src or dst port ftp-data'.(nt: 分别表示符合条件的数据包中, 源主机是foo, 目的网络是128.3, 源或目的端口为 ftp-data).如果不指定dir修饰符, id 默认的修饰符为src 或 dst.对于链路层的协议,比如SLIP(nt: Serial Line InternetProtocol, 串联线路网际网络协议), 以及linux下指定'any' 设备, 并指定'cooked'(nt | rt: cooked 含义未知, 需补充) 抓取类型, 或其他设备类型,可以用'inbound' 和 'outbount' 修饰符来指定想要的传输方向.

proto 修饰符描述id 所属的协议. 可选的协议有: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp以及 upd.(nt | rt: ether, fddi, tr, 具体含义未知, 需补充. 可理解为物理以太网传输协议, 光纤分布数据网传输协议,以及用于路由跟踪的协议.  wlan, 无线局域网协议; ip,ip6 即通常的TCP/IP协议栈中所使用的ipv4以及ipv6网络层协议;arp, rarp 即地址解析协议,反向地址解析协议; decnet, Digital Equipment Corporation开发的, 最早用于PDP-11 机器互联的网络协议; tcp and udp, 即通常TCP/IP协议栈中的两个传输层协议).

    例如, `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange 7000-7009'分别表示 '从以太网地址foo 来的数据包','发往或来自128.3网络的arp协议数据包', '发送或接收端口为21的tcp协议数据包', '发送或接收端口范围为7000-7009的udp协议数据包'.

    如果不指定proto 修饰符, 则默认为与相应type匹配的修饰符. 例如, 'src foo' 含义是 '(ip or arp or rarp) src foo' (nt: 即, 来自主机foo的ip/arp/rarp协议数据包, 默认type为host),`net bar' 含义是`(ip  or  arp  or rarp) net bar'(nt: 即, 来自或发往bar网络的ip/arp/rarp协议数据包),`port 53' 含义是 `(tcp or udp) port 53'(nt: 即, 发送或接收端口为53的tcp/udp协议数据包).(nt: 由于tcpdump 直接通过数据链路层的 BSD 数据包过滤器或 DLPI(datalink provider interface, 数据链层提供者接口)来直接获得网络数据包, 其可抓取的数据包可涵盖上层的各种协议, 包括arp, rarp, icmp(因特网控制报文协议),ip, ip6, tcp, udp, sctp(流控制传输协议).

    对于修饰符后跟id 的格式,可理解为, type id 是对包最基本的过滤条件: 即对包相关的主机, 网络, 端口的限制;dir 表示对包的传送方向的限制; proto表示对包相关的协议限制)

    'fddi'(nt: Fiber Distributed Data Interface) 实际上与'ether' 含义一样: tcpdump 会把他们当作一种''指定网络接口上的数据链路层协议''. 如同ehter网(以太网), FDDI 的头部通常也会有源, 目的, 以及包类型, 从而可以像ether网数据包一样对这些域进行过滤. 此外, FDDI 头部还有其他的域, 但不能被放到表达式中用来过滤

    同样, 'tr' 和 'wlan' 也和 'ether' 含义一致, 上一段对fddi 的描述同样适用于tr(Token Ring) 和wlan(802.11 wireless LAN)的头部. 对于802.11 协议数据包的头部, 目的域称为DA, 源域称为 SA;而其中的 BSSID, RA, TA 域(nt | rt: 具体含义需补充)不会被检测(nt: 不能被用于包过虑表达式中).

  除以上所描述的表达元('primitive'), 还有其他形式的表达元, 并且与上述表达元格式不同. 比如: gateway, broadcast, less, greater以及算术表达式(nt: 其中每一个都算一种新的表达元). 下面将会对这些表达元进行说明.

  表达元之间还可以通过关键字and, or 以及 not 进行连接, 从而可组成比较复杂的条件表达式. 比如,`host foo and not port ftp and not port ftp-data'(nt: 其过滤条件可理解为, 数据包的主机为foo,并且端口不是ftp(端口21) 和ftp-data(端口20, 常用端口和名字的对应可在linux 系统中的/etc/service 文件中找到)).

  为了表示方便, 同样的修饰符可以被省略, 如'tcp dst port ftp or ftp-data or domain' 与以下的表达式含义相同'tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.(nt: 其过滤条件可理解为,包的协议为tcp, 目的端口为ftp 或 ftp-data 或 domain(端口53) ).

  借助括号以及相应操作符,可把表达元组合在一起使用(由于括号是shell的特殊字符, 所以在shell脚本或终端中使用时必须对括号进行转义, 即'(' 与')'需要分别表达成'\(' 与 '\)').

  有效的操作符有:

 否定操作 (`!' 或 `not')
 与操作(`&&' 或 `and')
 或操作(`||' 或 `or')

  否定操作符的优先级别最高. 与操作和或操作优先级别相同, 并且二者的结合顺序是从左到右. 要注意的是, 表达'与操作'时,

It is necessary to write the 'and' operator explicitly, instead of just placing the front and rear expression elements side by side (nt: the 'and' operator between the two cannot be omitted).

If an identifier precedes If there is no keyword, the most recently used keyword during expression parsing (usually the keyword closest to the identifier from left to right) will be used. For example,
not host vs and ace
is Simplification of the following expression:
not host vs and host ace
instead of not (host vs or ace).(nt: The first two indicate that the required data packet is not from or sent to host vs, but from Or sent to ace. The latter means that the data packet meets the requirements as long as it is not from or sent to vs or ac)

The entire conditional expression can be treated as a separate string parameter or can be separated by spaces. It is more convenient to pass multiple parameters into tcpdump. Usually, if the expression contains metacharacters (nt: such as '*', '.' in regular expressions and '(' in shell), It is best to pass it in as a separate string. At this time, the entire expression needs to be enclosed in single quotes. In the way of passing in multiple parameters, all parameters are eventually concatenated by spaces and parsed as a string.

Appendix: Expression elements of tcpdump

(nt: True means in the following description: the corresponding conditional expression only contains the following A specific expression element of the column, when the expression is true, that is, the condition is met)

dst host host
If the destination domain of the IPv4/v6 packet is host, then the corresponding conditional expression The formula is true. host can be an IP address or a host name.
src host host
If the source domain of the IPv4/v6 packet is host, the corresponding conditional expression is true.
host can be an ip address or a host name.
host host

If the source or destination address of the IPv4/v6 packet is host, then the corresponding conditional expression is true. The following keywords can be added before the above host expressions: ip, arp, rarp, and ip6. For example:
ip host host
can also be expressed as:
ether proto \ip and host host (nt: This expression is explained below, where ip needs to be escaped with \, because ip is already a keyword for tcpdump.)

If host is a host with multiple A host with an IP address, then any address will be used for packet matching (nt: that is, the destination address of the data packet sent to the host can be any of these IPs, and the source address of the data packet received from the host can also be Is any of these IPs).

ether dst ehost
If the data packet (nt: refers to the data packets that tcpdump can capture, including ip data packets, tcp data packets) Ethernet If the target address is ehost, then the corresponding conditional expression is true. Ehost can be the name in the /etc/ethers file or a numeric address (nt: You can see the description of the /etc/ethers file through man ethers, like this The example uses a numeric address)

ether src ehost
If the Ethernet source address of the data packet is ehost, the corresponding conditional expression is true.

ether host ehost
If the Ethernet source address or destination address of the data packet is ehost, then the corresponding conditional expression is true.

gateway host
If the gateway address of the data packet is host, then The corresponding conditional expression is true. It should be noted that the gateway address here refers to the Ethernet address, not the IP address (nt | rt: I.e., for example, it can be understood as 'Note'.the Ethernet source or destination address, the Ethernet source and destination address, can be understood as referring to the 'gateway address# in the previous sentence ##' ).host must be a name, not a number, and must be in the 'hostname-ip address of the machine'and 'Hostname-Ethernet address'There are entries in the two major mapping relationships (the former mapping relationship can be obtained through the /etc/hosts file, DNS or NIS , and the latter mapping relationship can be obtained through the /etc/ethers file. nt: /etc/ethers does not necessarily exist, and its data format can be seen through man ethers. How to create this file is unknown and needs to be supplemented). In other words, host The meaning is ether host ehost instead of host host, and ehost must be a name rather than a number.Currently, this option does not work in a configuration environment that supports IPv6 address format (nt: configuration, configuration environment, which can be understood as , the network configuration of both communicating parties).

dst net net

If the network number field of the destination address (IPv4 or IPv6 format) of the data packet is net, then the corresponding conditional expression is true.
net can be a name from the network database file /etc/networks, or it can be a numeric network number.

A numeric IPv4 network number will be a dotted quad (e.g., 192.168.1.0), or a dotted triple (e.g., 192.168.1 ), or dotted tuples (for example, 172.16), or single unit groups (for example, 10) to express;

The network masks corresponding to these four situations are: four-tuple: 255.255.255.255 (This also means that the matching of net is the same as the matching of host address (host ) matching: all four parts of the address are used), triplet: 255.255.255.0, tuple: 255.255.0.0 , one-tuple:255.0.0.0.

For the IPv6 address format, the network number must be written out in full (all 8 parts must be written out) ; The corresponding network mask is:
ff:ff:ff:ff:ff:ff:ff:ff, so the IPv6 network matching is the real 'host' matching (nt | rt | rc: all 8 parts of the address will be used, fill in 0 for bytes that do not belong to the network, need to be added next), but at the same time a network mask length parameter is required. Specifically specify the first number of bytes as the network mask (nt: can be specified through the following net net/len)

src net net
If the source address of the data packet (IPv4 or IPv6 format) is the network If the number field is net, then the corresponding conditional expression is true.

net net
If the network number field of the source or destination address (IPv4 or IPv6 format) of the data packet is net, then the same as This corresponding conditional expression is true.

net net mask netmask
If the network mask of the source or destination address (IPv4 or IPv6 format) of the data packet matches netmask, then the corresponding condition The expression is true. This option can also be used with src and dst to match the source network address or destination network address (nt: such as src net net mask 255.255.255.0). This option Invalid for ipv6 network addresses.

net net/len
If the number of bits in the network number field of the source or destination address (IPv4 or IPv6 format) of the data packet is the same as len, then the corresponding condition The expression is true. This option can also be used with src and dst to match the source network address or the destination network address (nt | rt | tt: src net net/24, indicating that the network number of the source address needs to be matched There are 24-bit data packets).

dst port port
If the destination port of the data packet (including ip/tcp, ip/udp, ip6/tcp or ip6/udp protocol) is port, then it is the same as This corresponding conditional expression is true. port can be a number or a name (the corresponding name can be found in /etc/services, or you can get the relevant description information through man tcp and man udp). If you use name, the port number corresponding to the name and the corresponding protocol used will be checked. If only a numeric port number is used, only the corresponding port number will be checked (for example, dst port 513 will cause tcpdump to capture Get the login service packet of the tcp protocol and the who service packet of the udp protocol, and the port domain will cause tcpdump to capture the domain service packet of the tcp protocol, and the domain packet of the udp protocol) (nt | rt: ambiguous name is used is not understandable and needs to be supplemented).

src port port
If the source port of the data packet is port, the corresponding conditional expression is true.

port port
If the source or destination port of the data packet is port, the corresponding conditional expression is true.

dst portrange port1-port2
If the data packet (including ip/tcp, ip/udp, ip6/tcp or ip6/udp protocol) the destination port belongs to the port range from port1 to port2 (including port1, port2), then the corresponding conditional expression is true. tcpdump parses port1 and port2 and port The parsing is consistent (nt: explained in the description of the dst port port option).

src portrange port1-port2
If the source port of the data packet belongs to the port range from port1 to port2 (including port1, port2 ), then the corresponding conditional expression is true.

portrange port1-port2
If the source port or destination port of the data packet belongs to the port range from port1 to port2 (including port1, port2), then The corresponding conditional expression is true.

The above port options can be preceded by the keyword: tcp or udp, for example:

tcp src port port
This Will make tcpdump only capture tcp data packets whose source port is port.

less length
If the length of the data packet is less than length or equal to length, the corresponding conditional expression is true. This Consistent with the meaning of 'len <= length'.

greater length
If the length of the data packet is greater than length or equal to length, the corresponding conditional expression is true. This is the same as 'len >= length' has the same meaning.

ip proto protocol
If the data packet is an ipv4 data packet and its protocol type is protocol, the corresponding conditional expression is true.
Protocol can be a number or a name, such as: icmp6, igmp, igrp (nt: Interior Gateway Routing Protocol, interior gateway routing protocol), pim (Protocol Independent Multicast, independent multicast protocol, applied to multicast routers) ,ah, esp (nt: ah, authentication header, esp security payload encapsulation, both of which will be used in the secure transmission mechanism of IP packets), vrrp (Virtual Router Redundancy Protocol, virtual router redundancy protocol), udp, or tcp . Since tcp, udp and icmp are keywords of tcpdump, you must use \ to escape before these protocol names (if you need to use \\ to escape in C-shell). Note that this expression element will not Print out all the protocol header contents in the protocol header chain in the data packet (nt: In fact, only some header information of the specified protocol will be printed. For example, you can use tcpdump -i eth0 'ip proto \tcp and host 192.168.3.144', then only the tcp protocol header in the data packet sent or received by host 192.168.3.144 will be printed. Information included)

ip6 proto protocol
If the data packet is an ipv6 data packet and its protocol type is protocol, the corresponding conditional expression is true.
Note that this expression element will not Print out all the protocol header contents in the protocol header chain in the data packet

ip6 protochain protocol
If the data packet is an ipv6 data packet and its protocol chain contains a protocol header of type protocol, then this corresponds to The conditional expression is true. For example,

ip6 protochain 6
will match an IPv6 packet that has a TCP protocol header in its protocol header chain. The IPv6 header of this packet and The TCP headers may also contain verification headers, routing headers, or hop-by-hop routing option headers.
The corresponding BPF (Berkeley Packets Filter) triggered by this can be understood as providing packet filtering at the data link layer. (a mechanism) code is relatively cumbersome,
and the BPF optimization code fails to take care of this part, so the packet matching triggered by this option may be slower.

ip protochain protocol
and The meaning of ip6 protochain protocol is the same, but this is used for IPv4 data packets.

ether broadcast
If the data packet is an Ethernet broadcast data packet, the corresponding conditional expression is true. The ether keyword is Optional.

ip broadcast
If the packet is an IPv4 broadcast packet, the corresponding conditional expression is true. This will cause tcpdump to check whether the broadcast address matches all 0s and all 1s Some conventions, and look for the network mask of the network interface (the network interface is the network interface on which the packet is captured at that time).

If the network mask of the network interface where the packet is captured is illegal, or the interface is simply not The corresponding network address and network are not set, or packets are captured on the 'any' network interface under Linux (this' any'The interface can receive data packets from more than one interface in the system (nt: actually, it can be understood as all available interfaces in the system)), and the network mask check cannot Proceed normally.

ether multicast
If the data packet is an Ethernet multicast packet (nt: multicast, it can be understood as delivering the message to a group of destination addresses at the same time, rather than in the network For all addresses (the latter can be called broadcast), the corresponding conditional expression is true. The keyword ether can be omitted. The meaning of this option is consistent with the meaning of the following conditional expression: `ether[ 0] & 1 != 0'(nt: can be understood as the 0th byte in the Ethernet data packet The lowest bit is 1, which means this is a multicast packet).

ip multicast
If the packet is an ipv4 multicast packet, the corresponding conditional expression Is true.

ip6 multicast
If the data packet is an ipv6 multicast data packet, the corresponding conditional expression is true.

ether proto protocol
If the data packet belongs to the following Ethernet protocol type, the corresponding conditional expression is true.
Protocol field, which can be a number or a name listed below: ip , ip6, arp, rarp, atalk (AppleTalk network protocol),
aarp (nt: AppleTalk Address Resolution Protocol, the address resolution protocol of the AppleTalk network),
decnet (nt: a network protocol provided by DEC stack), sca(nt: unknown, need to be supplemented),
lat(Local Area Transport, regional transport protocol, Ethernet host interconnection protocol developed by DEC),
mopdl, moprc, iso(nt: unknown , need to be added), stp (Spanning tree protocol, spanning tree protocol, can be used to prevent link loops in the network),
ipx (nt: Internetwork Packet Exchange, network layer protocol used in Novell networks), or
netbeui (nt: NetBIOS Extended User Interface, which can be understood as, Network Basic Input and Output System Interface Extension).

The protocol field can be a number or one of the following protocol names: ip, ip6, arp, rarp, atalk , aarp, decnet, sca, lat,
mopdl, moprc, iso, stp, ipx, or netbeui.
It must be noted that identifiers are also keywords, so they must be passed'\' to escape.

(SNAP: SubNetwork Access Protocol)

In the optical fiber distributed data network interface (its expression meta form It can be 'fddi protocol arp'), token ring network (its expression element form can be 'tr protocol arp'),
and IEEE 802.11 wireless LAN (its expression element form can be 'wlan protocol arp '), the protocol
identifier comes from the 802.2 logical link control layer header,
in FDDI, Token Ring or 802. 1 header will contain this logical link control layer header.

When the corresponding protocol identifiers on these networks are used as filter conditions, tcpdump only checks the LLC header with 0x000000 as the component unit identifier (OUI , 0x000000
identifies an internal Ethernet) segment of the protocol ID field in the 'SNAP format structure ', instead of It will check whether there is a section in the package with an OUI of 0x000000'SNAP format
structure'(nt: SNAP , SubNetwork Access Protocol, subnet access protocol). The following exceptions:

iso tcpdump will check the DSAP field (Destination service Access Point, target service access point) and ## in the LLC header. # SSAP domain (source service access point). (nt: iso protocol is unknown, needs to be supplemented)

stp and netbeui

tcpdump will check the destination service access point (Destination service) in the LLC header Access Point);

atalk

tcpdump will check the
'SNAP format structure'## in the LLC header with 0x080007 as the OUI identifier. #, and will check the AppleTalk etype field. (nt: Whether AppleTalk etype is located in the SNAP format structure, unknown, needs to be supplemented).
In addition, in Ethernet, for the ether proto protocol option, tcpdump The Ethernet type field will be checked for the protocol specified by protocol, except for the following protocols:

iso, stp, and netbeui
tcpdump will check 802.
3
Physical frame and LLC header (these two checks are consistent with the corresponding checks in FDDI, TR,
802.11 network); (nt: 802.3, understood as IEEE
802.3, which is a collection of IEEE standards. This collection defines the physical layer and the media access control sublayer of the data link layer in the wired Ethernet network. stp Described above) atalk
tcpdump will check the AppleTalk etype field in the Ethernet physical frame, and will also check the

'

in the LLC header of the data packet.
SNAP format structure' (These two checks are consistent with the corresponding checks in FDDI, TR, 802.11 networks)

aarp tcpdump will check the AppleTalk ARP etype field, which either exists in the Ethernet physical frame or exists in the ' of LLC (defined by 802.
2) SNAP format structure', when it is the latter, the 'SNAP format structure'## The OUI identifier of # is 0x000000; (nt:
802.2, which can be understood as, IEEE802.2, which defines the logical link control layer (LLC), which corresponds to It is the upper part of the data link layer in the OSI network model. The LLC layer provides a unified interface for users using the data link layer (usually the user is the network layer). Below the LLC layer is the media access control layer ( nt: MAC layer,
corresponds to the lower part of the data link layer). The implementation and working mode of this layer will vary according to different physical transmission media (for example, Ethernet, Token Ring,
Optical fiber distribution data interface (nt: actually can be understood as a fiber optic network), wireless LAN (
802.11), etc.)

ipx tcpdump will check the physical Ethernet frame IPX etype field, IPX DSAP field in LLC header, 802.3 frame without LLC header and IPX encapsulated,

and LLC header
'SNAP format structure# The IPX etype field in ##' (nt | rt: SNAP frame, can be understood as, the 'SNAP format structure in the LLC header' . This meaning is in the preliminary understanding stage and needs to be supplemented).
decnet src host

If the DECNET source address in the data packet is host, the corresponding conditional expression is true.

(nt:decnet, developed by Digital Equipment Corporation, a network protocol first used for PDP-
11
machine interconnection)decnet dst host

If the DECNET destination address in the data packet is host, then the corresponding conditional expression is true.

(nt: decnet has been explained above)

decnet host host

If the DECNET destination address or DECNET source address in the data packet is host, then the corresponding conditional expression is true.

(nt: decnet has been explained above)

ifname

interface

If the data packet has been Marked as received from the specified network interface, the corresponding conditional expression is true.(This option only applies to packets that have been marked by the pf program in OpenBSD (nt: pf, packet filter, can Understood as the firewall program in OpenBSD))

on

interface

has the same meaning as ifname interface
.rnr num

if If the packet has been marked as matching the PF rule, the corresponding conditional expression is true.

(This option is only applicable to packets marked by the pf program in OpenBSD (nt: pf, packet filter, available Understood as the firewall program in OpenBSD))

rulenum num

has the same meaning as rulenum num.


reason code

If the packet has been marked as containing the matching result code of PF , then the corresponding conditional expression is true. Valid result codes are: match, bad-offset,

fragment,
short
, normalize, and memory.(This option is only applicable For packets marked by the pf program in OpenBSD (nt: pf, packet filter, which can be understood as the firewall program in OpenBSD))
rset name

If the packet has been marked as matching the specified rule set, then the corresponding conditional expression is true.

(This option is only applicable to packets marked by the pf program in OpenBSD (nt: pf, packet filter, which can be understood as the firewall program in OpenBSD) )

ruleset name

The same meaning as rset name.


srnr num

If the packet has been marked to match a specific rule in the specified rule set (nt: specified PF rule number, a specific rule number, that is, a specific rule),

means the corresponding conditional expression is true. (This option is only applicable to packets marked by the pf program in OpenBSD (nt: pf, packet filter, available Understood as the firewall program in
OpenBSD))

subrulenum num

has the same meaning as srnr.


action act

If the packet is recorded, PF will execute the act specified action, the corresponding conditional expression is true. Valid actions are: pass, block.

(This option is only applicable to packets marked by the pf program in OpenBSD (nt: pf, packet filter, can Understood as the firewall program in OpenBSD))

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

has the same meaning as the following expression:

ether proto p
p is one of the above protocols.

lat, moprc, mopdl

has the same meaning as the following expression:

ether proto p
p is one of the above protocols . It must be noted that tcpdump cannot currently analyze these protocols.

vlan [vlan_id]
If the data packet is an IEEE802.1Q VLAN data packet, the corresponding conditional expression is true.
(nt: IEEE802.1Q VLAN, that is, IEEE802.1Q virtual network protocol , this protocol is used for interconnection between different networks).
If [vlan_id] is specified, then only the data contains the specified virtual network id (vlan_id), and the corresponding conditional expression is true.
It should be noted that for VLAN packets, the first vlan keyword encountered in the expression will change the
starting position of the data in the packet corresponding to the next keyword in the expression (i.e. the decoding bias ). When filtering packets in a VLAN network system, the vlan [vlan_id] expression can be used multiple times. Each time the keyword vlan appears, it will increase the
4 byte filter offset (nt: filter offset, which can Understood as the above decoding offset).

For example:
vlan 100 && vlan 200
means: filter the VLAN200 network encapsulated in VLAN100 The data packet
on the other example:
vlan && vlan 300 && ip
means: filter the IPv4 data packets encapsulated in the VLAN300 network, and the VLAN300 network is in turn blocked by the outer layer VLAN encapsulation

mpls [label_num]
If the data packet is an MPLS data packet, the corresponding conditional expression is true.
(nt: MPLS, Multi-Protocol Label Switch, Multi-Protocol Label exchange, a technology that uses labels to guide data transmission on open communication networks).

If [label_num] is specified, then only the data contains the specified label id (label_num), then the corresponding The conditional expression is true.
It should be noted that for IP data packets containing MPLS information (that is, MPLS data packets), the first MPLS keyword encountered in the expression will change the subsequent ones in the expression. The
starting position of the data in the data packet corresponding to the keyword (that is, the decoding offset). When filtering data packets in the MPLS network system, the mpls [label_num] expression can be used multiple times. Each time the keyword mpls appears, it will Add
4 bytes filter offset (nt: filter offset, which can be understood as the above decoding offset).

For example:
mpls 100000 && mpls 1024
means: filter packets with outer label 100000 and layer label 1024

Another example:
mpls && mpls 1024 && host 192.9.200.1
means: filter the data packets sent to or from 192.9.200.1. The inner label of the data packet is 1024 and has An outer label.

pppoed
If the data packet is a PPP-over-Ethernet server discovery packet (nt: Discovery packet,
its ethernet type is 0x8863), then the corresponding The conditional expression is true.
(nt: PPP-over-Ethernet, point-to-point Ethernet bearer protocol, the point-to-point connection establishment is divided into the Discovery phase (address discovery) and the
PPPoE session establishment phase, the discovery packet is Packets sent in the first phase. ethernet type
is a field in the Ethernet frame used to indicate the protocol applied to the frame data field)

pppoes
If the data packet is PPP-over- Ethernet session data packet (nt: ethernet type is 0x8864, PPP-over-Ethernet has been explained above, you can search for
keyword'PPP-over-Ethernet'Find its description), then the corresponding conditional expression is true.

It should be noted that for the PPP-over-Ethernet session data packet, the conditional expression encountered in the expression The first pppoes keyword will change the
starting position of the data in the data packet corresponding to the next keyword in the expression (i.e., the decoding offset).

For example:
pppoes && ip
means: filter ipv4 data packets embedded in PPPoE data packets

tcp, udp, icmp
has the same meaning as the following expressions:
ip proto p or ip6 proto p
where p Is one of the above protocols (the meaning is: if the data packet is an ipv4 or ipv6 data packet and its protocol type is tcp, udp, or icmp, the corresponding conditional expression
is true)

iso proto protocol
If the protocol type of the data packet is the protocol protocol in the iso-osi protocol stack, the corresponding conditional expression is true. (nt: [Initial solution] Every ## in the iso-osi network model #The specific protocol of the layer is different from the protocol used by the corresponding layer of tcp/ip. The specific protocol in each layer of iso-osi needs to be supplemented)

protocol can be a numeric number, or one of the following names:

clnp, esis, or isis.
(nt: clnp, Connectionless Network Protocol, this is the network layer protocol in the OSI network model, esis, isis is unknown and needs to be supplemented)

clnp, esis, isis

is the abbreviation of the following expression
iso proto p
where p is one of the above protocols

l1, l2, iih, lsp, snp, csnp, psnp
is the abbreviation of IS-IS PDU type.
(nt: IS-IS PDU, Intermediate system to intermediate system Protocol Data Unit, intermediate system The protocol data unit to the
intermediate system. The OSI (Open Systems Interconnection) network is composed of end systems and intermediate systems.
The end system refers to the router, and the end system refers to the user equipment. The local group formed by the router is called 'Area' (Area) and multiple areas form a 'domain' (Domain).
IS-IS provides intra-domain or intra-area routing. l1, l2, iih, lsp, snp, csnp, psnp indicate the type of PDU, the specific meaning needs to be supplemented)

vpi n
If the data packet is an ATM data packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system,
If the data packet is an ATM data packet, and its virtual path identifier is n, Then the corresponding conditional expression is true.
(nt: ATM, Asychronous Transfer Mode, which can actually be understood as a TCP/IP protocol proposed by ITU-T (International Telecommunications Union Telecommunications Standardization Sector) A series of protocols with equivalent functions in the IP layer, the specific protocol level needs to be supplemented)

vci n

If the data packet is an ATM data packet, the corresponding conditional expression is true. For Solaris operations SunATM device on the system,
If the data packet is an ATM packet, and its virtual channel identifier is n, then the corresponding conditional expression is true.
(nt: ATM, has been described above )

lane

If the data packet is an ATM LANE data packet, the corresponding conditional expression is true. It should be noted that if it is a simulated Ethernet LANE data packet or
LANE Logical unit control packet, the first lane keyword in the expression will change the test of subsequent conditions in the expression. If no
specifies the lane keyword, the conditional test will be based on the LLC (Logical Link Layer) contained in the data packet ATM packet.

llc

If the data packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system,
If the data packet is an ATM data packet, and contains LLC, the corresponding conditional expression is true

oamf4s

If the data packet is an ATM data packet, the corresponding conditional expression is true. For Solaris For SunATM devices on the operating system, if the packet is ATM packet
and is a Segment OAM F4 cell (VPI=
0 and VCI=3), this corresponds to The conditional expression is true.

(nt: OAM, Operation Administration and Maintenance, operation management and maintenance, which can be understood as: the classification of ATM cells generated for network

management in the ATM network Method.

The transmission unit in the ATM network is a cell, and the data to be transmitted will eventually be divided into cells of a fixed length (53 bytes).

(Initial understanding: A physical line can be duplicated Used to form a virtual path (
virtual path). And a virtual path is reused again to form a virtual channel (virtual channel)).The addressing method of both communicating parties is :Virtual path number (VPI)/virtual channel number (VCI)).

OAM F4 flow cells can be divided into segment class and end-to-end class. The difference is unknown and needs to be supplemented.)

oamf4e

If the packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is end -to-end OAM F4 cell (VPI=
0 and VCI=4), then the corresponding conditional expression is true.(nt: OAM and end -to-end OAM F4 has been described above, you can search for
'oamf4s' to locate)

oamf4

if If the data packet is an ATM data packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the data packet is an ATM data packet
and is an end-to-end or segment OAM F4 cell (VPI=
0 and VCI=3 or VCI=4), then the corresponding conditional expression is true.(nt: OAM End-to-end OAM F4 has been described above, you can search
'oamf4s' to locate)

oam

If the data packet is an ATM data packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the data packet is an ATM data packet
and is end-to-end or segment OAM F4 Cell (VPI=
0 and VCI=3 or VCI=4), then the corresponding conditional expression is true.(nt : This option is duplicated with oamf4, need to confirm)

metac
If the packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is from 'Meta-signaling line'(nt: VPI=0 and VCI=1, 'Meta signaling circuit', meta signaling circuit, the specific meaning is unknown and needs to be supplemented),
then the corresponding conditional expression is true.

bcc
If the packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is from 'Broadcast signaling line'(nt: VPI=0 and VCI=2, 'Broadcast signaling circuit', broadcast signaling circuit, the specific meaning is unknown and needs to be supplemented),
then the corresponding conditional expression is true.

sc
If the packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is from ' Signaling line'(nt: VPI=0 and VCI=5, 'Signaling circuit', signaling circuit, the specific meaning is unknown and needs to be supplemented),
then the corresponding conditional expression is true.

ilmic
If the data packet is an ATM data packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the data packet is an ATM data packet
and comes from 'ILMI line'(nt: VPI=0 and VCI=16, 'ILMI', Interim Local Management Interface, can be understood as
Interface for network management based on SNMP (Simple Network Management Protocol))
The corresponding conditional expression is true.

connectmsg
If the packet is an ATM packet, the corresponding conditional expression is true. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is From the ' signaling line' and are the following messages specified in the Q.2931 protocol: Setup, Calling Proceeding, Connect,
Connect Ack , Release, or Release Done. The corresponding conditional expression is true.
(nt: Q.2931 is a signaling protocol developed by the ITU (International Telecommunications Union). It stipulates that The user interface layer of the broadband integrated services digital network establishes, maintains, and cancels the related steps of
network connection.)

metaconnect
If the data packet is an ATM data packet, then the corresponding conditional expression True. For SunATM devices on the Solaris operating system, if the packet is an ATM packet
and is from the 'meta-signaling line' and It is the following messages specified in the Q.2931 protocol: Setup, Calling Proceeding, Connect,
Connect Ack, Release, or Release Done. The corresponding conditional expression is true.

expr relop expr
If the operands (expr) on both sides of relop satisfy the relationship specified by relop, the corresponding conditional expression is true.
relop can be one of the following relational operators: >, < , <=, =, !=.
expr is an arithmetic expression. Integer constants (expressed in the same way as in standard C), binary operators ( , -, *, /, can be used in this expression &, |,
<<, >>), length operators, and reference operators for data in a specific packet. Note that all comparison operations default to unsigned operands ,
For example, 0x80000000 and 0xffffffff are both greater than 0 (nt: For signed comparison, follow the complement rule, 0xffffffff
will be less than 0). If you want to quote the data in the data packet, you can use the following expression:
proto [expr : size]

The value of proto can be one of the following values: ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp,
tcp, udp, icmp, ip6 or radio. This specifies The protocol layer corresponding to the reference operation. (ether, fddi, wlan,
tr, ppp, slip and link correspond to the data link layer, radio corresponds to 802.11(wlan, wireless LAN) The
"radio" header attached to some data packets (nt: which describes the baud rate, data encryption and other information) ).
It should be noted that upper-layer protocols such as tcp and udp can currently only be applied to networks whose network layer adopts IPv4 or IPv6 protocols (this restriction will be modified in future versions of tcpdump
). For specified protocols The required data, its offset byte in the packet data is specified by expr.

The size in the above expression is optional, used to indicate the length of the part of the data segment we are concerned about (nt: usually This piece of data
is a field of the data packet), its length can be 1, 2, or 4 bytes. If size is not given, the default is 1 byte. Length operator The keyword is len,
This code is the length of the entire data packet.

For example, 'ether[0] & 1 != 0 ' will cause tcpdump to capture all multicast packets. (nt: The lowest bit of ether[0] byte is 1, indicating that the destination address of the
packet is the multicast address ). 'ip[0] & 0xf != 5' corresponding to capture all
IPv4 packets with options. ' ip[6:2] & 0x1fff = 0'corresponds to capturing IPv4 packets that have not been fragmented or
fragmented IPv4 whose fragment number is 0 Data packet. This data checking method also applies to tcp and udp data references,
that is, tcp[0] corresponds to the first byte in the TCP header, rather than to any intermediate Bytes.

Some offsets and field values ​​can be expressed by names as well as numbers. The following are the names of some of the available fields (fields in the protocol header): icmptype (referring to the ICMP protocol header)
type field), icmpcode (referring to the ICMP protocol header code field), and tcpflags (referring to the flags field of the TCP protocol header)

The following are the available values ​​for the type field in the ICMP protocol header:
icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert,
icmp-routersolicit, icmp-timx-ceed, icmp-paraamprob, icmp-tstamp, icmp-tstampreply,
icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following are the available values ​​for the flags field in the TCP protocol header: tcp-fin, tcp-syn, tcp-rst, tcp-push,
tcp-ack, tcp-urg.

For more programming-related knowledge, please visit: Programming Learning Course! !

The above is the detailed content of What is the use of the linux packet capture command tcpdump?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn