tcpdump usage notes

1. Usage

2. Description

3. Options


-A

Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.


-b

Print the AS number in BGP packets in ASDOT notation rather than ASPLAIN notation.


-B buffer_size --buffer_size=buffer_size

Set the operating system capture buffer size to buffer_size, in units of KiB (1024 bytes).


-c count --count

Print only on stderr the packet count when reading capture file(s) instead of parsing/printing the packets. If a filter is specified on the command line, tcpdump counts only packets that were matched by the filter expression.


-C file_size

Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).


-d

Dump the compiled packet-matching code in a human readable form to standard output and stop.
Please mind that although code compilation is always DLT-specific, typically it is impossible (and unnecessary) to specify which DLT to use for the dump because tcpdump uses either the DLT of the input pcap file specified with -r, or the default DLT of the network interface specified with -i, or the particular DLT of the network interface specified with -y and -i respectively. In these cases the dump shows the same exact code that would filter the input file or the network interface without -d.
However, when neither -r nor -i is specified, specifying -d prevents tcpdump from guessing a suitable network interface (see -i). In this case the DLT defaults to EN10MB and can be set to another valid value manually with -y.


-dd

Dump packet-matching code as a C program fragment.


-ddd

Dump packet-matching code as decimal numbers (preceded with a count).


-D

Print the list of the network interfaces available on the system and on which tcpdump can capture packets. For each network interface, a number and an interface name, possibly followed by a text description of the interface, are printed. The interface name or the number can be supplied to the -i flag to specify an interface on which to capture.
This can be useful on systems that don’t have a command to list them (e.g., Windows systems, or UNIX systems lacking ifconfig -a); the number can be useful on Windows 2000 and later systems, where the interface name is a somewhat complex string.
The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs(3PCAP) function.


-e

Print the link-level header on each dump line. This can be used, for example, to print MAC layer addresses for protocols such as Ethernet and IEEE 802.11.


-E

Use spi@ipaddr algo:secret for decrypting IPsec ESP packets that are addressed to addr and contain Security Parameter Index value spi. This combination may be repeated with comma or newline separation.
Note that setting the secret for IPv4 ESP packets is supported at this time.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.
secret is the ASCII text for ESP secret key. If preceded by 0x, then a hex value will be read.
The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a true `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions.
In addition to the above syntax, the syntax file name may be used to have tcpdump read the provided file in. The file is opened upon receiving the first ESP packet, so any special permissions that tcpdump may have been given should already have been given up.


-f

Print `foreign' IPv4 addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's NIS server --- usually it hangs forever translating non-local internet numbers). The test for `foreign' IPv4 addresses is done using the IPv4 address and netmask of the interface on which capture is being done. If that address or netmask are not available, either because the interface on which capture is being done has no address or netmask or because the capture is being done on the Linux "any" interface, which can capture on more than one interface, this option will not work correctly.


-F file

Use file as input for the filter expression. An additional expression given on the command line is ignored.


-G rotate_seconds

If specified, rotates the dump file specified with the -w option every rotate_seconds seconds. Savefiles will have the name specified by -w which should include a time format as defined by strftime(3). If no time format is specified, each new file will overwrite the previous. Whenever a generated filename is not unique, tcpdump will overwrite the pre-existing data; providing a time specification that is coarser than the capture period is therefore not advised.
If used in conjunction with the -C option, filenames will take the form of `file'.


-h --help

Print the tcpdump and libpcap version strings, print a usage message, and exit.


--version

Print the tcpdump and libpcap version strings and exit.


-H

Attempt to detect 802.11s draft mesh headers.


-i interface --interface=interface

Listen, report the list of link-layer types, report the list of time stamp types, or report the results of compiling a filter expression on interface. If unspecified and if the -d flag is not given, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback), which may turn out to be, for example, ``eth0''. On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.
If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument, if no interface on the system has that number as a name.


-I --monitor-mode

Put the interface in “monitor mode”; this is supported only on IEEE 802.11 Wi-Fi interfaces, and supported only on some operating systems.
Note that in monitor mode the adapter might disassociate from the network with which it’s associated, so that you will not be able to use any wireless networks with that adapter. This could prevent accessing files on a network server, or resolving host names or network addresses, if you are capturing in monitor mode and are not connected to another network with another adapter.
This flag will affect the output of the -L flag. If -I isn’t specified, only those link-layer types available when not in monitor mode will be shown; if -I is specified, only those link-layer types available when in monitor mode will be shown.


--immediate-mode

Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving packets to a ``savefile'' if the packets are being printed to a terminal rather than to a file or pipe.


-j tstamp_type --time-stamp-type=tstamp_type

Set the time stamp type for the capture to tstamp_type. The names to use for the time stamp types are given in pcap-tstamp(7); not all the types listed there will necessarily be valid for any given interface.


-J --list-time-stamp-types

List the supported time stamp types for the interface and exit. If the time stamp type cannot be set for the interface, no time stamp types are listed.


--time-stamp-precision=tstamp_precision

When capturing, set the time stamp precision for the capture to tstamp_precision. Note that availability of high precision time stamps (nanoseconds) and their actual accuracy is platform and hardware dependent. Also note that when writing captures made with nanosecond accuracy to a savefile, the time stamps are written with nanosecond resolution, and the file is written with a different magic number, to indicate that the time stamps are in seconds and nanoseconds; not all programs that read pcap savefiles will be able to read those captures.
When reading a savefile, convert time stamps to the precision specified by timestamp_precision, and display them with that resolution. If the precision specified is less than the precision of time stamps in the file, the conversion will lose precision.
The supported values for timestamp_precision are micro for microsecond resolution and nano for nanosecond resolution. The default is microsecond resolution.


--micro --nano

Shorthands for --time-stamp-precision=micro or --time-stamp-precision=nano, adjusting the time stamp precision accordingly. When reading packets from a savefile, using --micro truncates time stamps if the savefile was created with nanosecond precision. In contrast, a savefile created with microsecond precision will have trailing zeroes added to the time stamp when --nano is used.


-K --dont-verify-checksums

Don’t attempt to verify IP, TCP, or UDP checksums. This is useful for interfaces that perform some or all of those checksum calculation in hardware; otherwise, all outgoing TCP checksums will be flagged as bad.


-l

Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,

tcpdump -l | tee dat

or

tcpdump -l > dat & tail -f dat

Note that on Windows, ``line buffered'' means ``unbuffered'', so that WinDump will write each character individually if -l is specified.
-U is similar to -l in its behavior, but it will cause output to be ``packet-buffered'', so that the output is written to stdout at the end of each packet rather than at the end of each line; this is buffered on all platforms, including Windows.


-L --list-data-link-types

List the known data link types for the interface, in the specified mode, and exit. The list of known data link types may be dependent on the specified mode; for example, on some platforms, a Wi-Fi interface might support one set of data link types when not in monitor mode (for example, it might support only fake Ethernet headers, or might support 802.11 headers but not support 802.11 headers with radio information) and another set of data link types when in monitor mode (for example, it might support 802.11 headers, or 802.11 headers with radio information, only in monitor mode).


-m module

Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.


-M secret

Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
-n

Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.


-N

Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.


-# --number

Print an optional packet number at the beginning of the line.


-O --no-optimize

Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.


-p --no-promiscuous-mode

Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.


--print

Print parsed packet output, even if the raw packets are being saved to a file with the -w flag.


-Q direction --direction=direction

Choose send/receive direction direction for which packets should be captured. Possible values are `in', `out' and `inout'. Not available on all platforms.


-q

Quick (quiet?) output. Print less protocol information so output lines are shorter.


-r file

Read packets from file (which was created with the -w option or by other tools that write pcap or pcapng files). Standard input is used if file is ``-''.


-S --absolute-tcp-sequence-numbers

Print absolute, rather than relative, TCP sequence numbers.


-s snaplen --snapshot-length=snaplen

Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. Note also that taking smaller snapshots will discard data from protocols above the transport layer, which loses information that may be important. NFS and AFS requests and replies, for example, are very large, and much of the detail won't be available if a too-short snapshot length is selected. If you need to reduce the snapshot size below the default, you should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 sets it to the default of 262144, for backwards compatibility with recent older versions of tcpdump.


-T type

Force packets selected by "expression" to be interpreted as the specified type.
Currently known types are aodv (Ad-hoc On-demand Distance Vector protocol), carp (Common Address Redundancy Protocol), cnfp (Cisco NetFlow protocol), domain (Domain Name System), lmp (Link Management Protocol), pgm (Pragmatic General Multicast), pgm_zmtp1 (ZMTP/1.0 inside PGM/EPGM), ptp (Precision Time Protocol), radius (RADIUS), resp (REdis Serialization Protocol), rpc (Remote Procedure Call), rtcp (Real-Time Applications control protocol), rtp (Real-Time Applications protocol), snmp (Simple Network Management Protocol), someip (SOME/IP), tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool), vxlan (Virtual eXtensible Local Area Network), wb (distributed White Board) and zmtp1 (ZeroMQ Message Transport Protocol 1.0).
Note that the pgm type above affects UDP interpretation only, the native PGM is always recognised as IP protocol 113 regardless. UDP-encapsulated PGM is often called "EPGM" or "PGM/UDP".
Note that the pgm_zmtp1 type above affects interpretation of both native PGM and UDP at once. During the native PGM decoding the application data of an ODATA/RDATA packet would be decoded as a ZeroMQ datagram with ZMTP/1.0 frames. During the UDP decoding in addition to that any UDP packet would be treated as an encapsulated PGM packet.


-t

Don't print a timestamp on each dump line.


-tt

Print the timestamp, as seconds since January 1, 1970, 00:00:00, UTC, and fractions of a second since that time, on each dump line.


-ttt

Print a delta (microsecond or nanosecond resolution depending on the --time-stamp-precision option) between current and previous line on each dump line. The default is microsecond resolution.


-tttt

Print a timestamp, as hours, minutes, seconds, and fractions of a second since midnight, preceded by the date, on each dump line.


-ttttt

Print a delta (microsecond or nanosecond resolution depending on the --time-stamp-precision option) between current and first line on each dump line. The default is microsecond resolution.


-u

Print undecoded NFS handles.


-U --packet-buffered

If the -w option is not specified, or if it is specified but the --print flag is also specified, make the printed packet output ``packet-buffered''; i.e., as the description of the contents of each packet is printed, it will be written to the standard output, rather than, when not writing to a terminal, being written only when the output buffer fills.
If the -w option is specified, make the saved raw packet output ``packet-buffered''; i.e., as each packet is saved, it will be written to the output file, rather than being written only when the output buffer fills.
The -U flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_dump_flush(3PCAP) function.


-v

When parsing and printing, produce (slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
When writing to a file with the -w option and at the same time not reading from a file with the -r option, report to stderr, once per second, the number of packets captured. In Solaris, FreeBSD and possibly other operating systems this periodic update currently can cause loss of captured packets on their way from the kernel to tcpdump.


-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.


-vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X Telnet options are printed in hex as well.


-V file

Read a list of filenames from file. Standard input is used if file is ``-''.


-w file

Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
This output will be buffered if written to a file or pipe, so a program reading from the file or pipe may not see packets for an arbitrary amount of time after they are received. Use the -U flag to cause packets to be written as soon as they are received.
The MIME type application/vnd.tcpdump.pcap has been registered with IANA for pcap files. The filename extension .pcap appears to be the most commonly used along with .cap and .dmp. Tcpdump itself doesn't check the extension when reading capture files and doesn't add an extension when writing them (it uses magic numbers in the file header instead). However, many operating systems and applications will use the extension if it is present and adding one (e.g. .pcap) is recommended.
See pcap-savefile(5) for a description of the file format.


-W filecount

Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a 'rotating' buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
Used in conjunction with the -G option, this will limit the number of rotated dump files that get created, exiting with status 0 when reaching the limit.
If used in conjunction with both -C and -G, the -W option will currently be ignored, and will only affect the file name.


-x

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding. In the current implementation this flag may have the same effect as -xx if the packet is truncated.


-xx

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex.


-X

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols. In the current implementation this flag may have the same effect as -XX if the packet is truncated.


-XX

When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.


-y datalinktype --linktype=datalinktype

Set the data link type to use while capturing packets (see -L) or just compiling and dumping packet-matching code (see -d) to datalinktype.


-z postrotate-command

Used in conjunction with the -C or -G options, this will make tcpdump run `postrotate-command file' where file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
Note that tcpdump will run the command in parallel to the capture, using the lowest priority so that this doesn't disturb the capture process.
And in case you would like to use a command that itself takes flags or different arguments, you can always write a shell script that will take the savefile name as the only argument, make the flags & arguments arrangements and execute the command that you want.


-Z user --relinquish-privileges=user

If tcpdump is running as root, after opening the capture device or input savefile, but before opening any savefiles for output, change the user ID to user and the group ID to the primary group of user.
This behavior can also be enabled by default at compile time.


expression

Selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.
For the expression syntax, see pcap-filter(7).

The expression argument can be passed to tcpdump as either a single Shell argument, or as multiple Shell arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, such as backslashes used to escape protocol names, it is easier to pass it as a single, quoted argument rather than to escape the Shell metacharacters. Multiple arguments are concatenated with spaces before being parsed.

4. Usage examples

Print all packets arriving at or departing from sundown:

tcpdump host sundown

5. Output format

The output of tcpdump is protocol dependent. The following gives a brief description of the output formats along with a few examples.


Timestamps

By default, all output lines are preceded by a timestamp, which shows the current time in the following format:

hh:mm:ss.frac

It is as accurate as the kernel's clock. The timestamp reflects the time the kernel applied its timestamp to the packet. It does not account for the interval between the network interface finishing reception of the packet from the wire and the kernel applying the timestamp. That interval consists of two delays: the delay between the interface finishing reception and the kernel receiving an interrupt and reading the packet, and the delay between the kernel handling the "new packet" interrupt and attaching the timestamp to the packet.


Link Level Headers

If the -e option is given, the link level header is printed out. On Ethernets, the source and destination addresses, protocol, and packet length are printed.

On FDDI networks, the `-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.

On Token Ring networks, the `-e' option causes tcpdump to print the `access control' and `frame control' fields, the source and destination addresses, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet. Regardless of whether the `-e' option is specified or not, the source routing information is printed for source-routed packets.

On 802.11 networks, the `-e' option causes tcpdump to print the `frame control' fields, all of the addresses in the 802.11 header, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet.

(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)

On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type, and compression information are printed out. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed out. The special cases are printed out as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed. A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:

O ctcp * A+6 S+49 I+6 3 (6)


ARP/RARP Packets

ARP/RARP output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:

arp who-has csam tell rtsg
arp reply csam is-at CSAM

The first line says that rtsg sent an ARP packet asking for the Ethernet address of internet host csam. Csam replies with its Ethernet address (in this example, Ethernet addresses are in caps and internet addresses in lower case).

This would look less redundant if we had done tcpdump -n:

arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:

RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM

For the first packet this says the Ethernet source address is RTSG, the destination is the Ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.


IPv4 Packets

If the link-level header is not being printed, for IPv4 packets, IP is printed after the time stamp.

If the -v flag is specified, information from the IPv4 header is shown in parentheses after the IP or the link-layer header. The general format of this information is:

tos tos, ttl ttl, id id, offset offset, flags [flags], proto proto, length length, options (options)
  • tos is the type of service field; if the ECN bits are non-zero, those are reported as ECT(1), ECT(0), or CE
  • ttl is the time-to-live; it is not reported if it is zero
  • id is the IP identification field
  • offset is the fragment offset field; it is printed whether this is part of a fragmented datagram or not
  • flags are the MF and DF flags; + is reported if MF is set, and DF is reported if DF is set. If neither are set, . is reported
  • proto is the protocol ID field
  • length is the total length field
  • options are the IP options, if any

Next, if the packet is a TCP or UDP packet, the source and destination IP addresses and port numbers are printed, with a > separating the source from the destination. For other protocols, the addresses are printed as well, again separated by >. Higher level protocol information, if any, is printed after that.

For fragmented IP datagrams, the first fragment contains the higher level protocol header; fragments after the first contain no higher level protocol header. Fragmentation information will be printed only with the -v flag, in the IP header information, as described above.
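
As an added example (not part of the tcpdump manual or the tcpdump source), a decoder that renders the -v header summary described above from raw IPv4 header bytes, including the fragment-offset rule from the previous paragraph. ipv4_header() builds constructed headers for the demonstration (checksum left at zero), and the exact spacing of the rendered string is this example's own choice, not a guarantee about tcpdump's output.

```python
import struct

# ECN codepoints in the low two bits of the TOS octet (RFC 3168).
ECN_NAMES = {1: "ECT(1)", 2: "ECT(0)", 3: "CE"}
# Only the protocol numbers this example needs; tcpdump knows many more.
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_header(ttl=64, ident=1, df=True, mf=False, frag_offset=0,
                proto=6, total_length=40, tos=0):
    """Construct a 20-octet IPv4 header (no options) for the demonstration.

    The checksum is left at zero and the addresses are the two hosts from the
    ARP example above; nothing here is a captured packet.
    """
    # DF is bit 14, MF is bit 13, the 13-bit fragment offset counts 8-octet units.
    flags_frag = (((0x2 if df else 0) | (0x1 if mf else 0)) << 13) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45,            # version 4, IHL 5 words
                       tos, total_length, ident, flags_frag, ttl, proto,
                       0,               # header checksum (not computed here)
                       bytes([128, 3, 254, 68]), bytes([128, 3, 254, 6]))


def describe_ipv4_header(hdr):
    """Render the parenthesised header summary in the field order listed above.

    The MF/DF/'.' flag notation follows the list above; spacing is this
    example's choice.
    """
    ihl = hdr[0] & 0x0F
    tos, total_length, ident, flags_frag, ttl, proto = struct.unpack("!BHHHBB", hdr[1:10])
    parts = [f"tos 0x{tos:x}"]
    ecn = tos & 0x3
    if ecn:                                   # non-zero ECN bits are named
        parts[0] += "," + ECN_NAMES[ecn]
    if ttl:                                   # ttl is omitted when zero
        parts.append(f"ttl {ttl}")
    parts.append(f"id {ident}")
    parts.append(f"offset {(flags_frag & 0x1FFF) * 8}")   # offset is in 8-octet units
    mf = bool(flags_frag & 0x2000)
    df = bool(flags_frag & 0x4000)
    flags = ("+" if mf else "") + ("DF" if df else "") or "."
    parts.append(f"flags [{flags}]")
    parts.append(f"proto {IP_PROTO_NAMES.get(proto, 'unknown')} ({proto})")
    parts.append(f"length {total_length}")
    if ihl > 5:                               # options follow the fixed 20 octets
        parts.append(f"options ({hdr[20:ihl * 4].hex()})")
    return "(" + ", ".join(parts) + ")"


def carries_transport_header(hdr):
    """Only the first fragment (offset 0) carries the higher level protocol header."""
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    return (flags_frag & 0x1FFF) == 0


if __name__ == "__main__":
    first = ipv4_header()
    later = ipv4_header(df=False, mf=True, frag_offset=1480, ident=7,
                        proto=17, total_length=1500)
    for hdr in (first, later):
        print(describe_ipv4_header(hdr),
              "transport header present:", carries_transport_header(hdr))
```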


TCP Packets

The general format of a TCP protocol line is:

src > dst: Flags [tcpflags], seq data-seqno, ack ackno, win window, urg urgent, options [opts], length len
  • src and dst are the source and destination IP addresses and ports
  • tcpflags is some combination of S (SYN), F (FIN), P (PUSH), U (URG), W (ECN CWR), E (ECN-Echo) and . (ACK), or none if no flags are set
  • data-seqno describes the portion of sequence space covered by the data in this packet (see the example below)
  • ackno is the sequence number of the next data expected in the other direction on this connection
  • window is the number of bytes of receive buffer space available in the other direction on this connection
  • urg indicates there is "urgent" data in the packet
  • opts are the TCP options (e.g., mss 1024)
  • len is the length of payload data

Here is the opening portion of an rlogin from host rtsg to host csam:

1	IP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]
2	IP csam.login > rtsg.1023: Flags [S.], seq 947648:947648, ack 768513, win 4096, opts [mss 1024]
3	IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096
4	IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1
5	IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096
6	IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19
7	IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1
8	IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1
9	IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1

The first line says that TCP port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is first:last, which means sequence numbers from first up to but not including last.) There was no piggy-backed ACK, the available receive window was 4096 bytes and there was a max-segment-size option requesting an MSS of 1024 bytes.

Csam replies with a similar packet except it includes a piggy-backed ACK for rtsg's SYN. Rtsg then ACKs csam's SYN. The . means the ACK flag was set. The packet contained no data so there is no data sequence number or length. Note that the ACK sequence number on the next line is a small integer (1). The first time tcpdump sees a TCP conversation, it prints the sequence number from the packet. On subsequent packets of the conversation, it prints only the difference between the current packet's sequence number and the initial sequence number. This means that the value can be interpreted as a relative byte position in the conversation's data stream (with the first byte being "1"). The -S option overrides this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg → csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it has received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports [|tcp] to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as [bad opt] and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as [bad hdr length].
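
An added example (not from the tcpdump manual) that parses the nine trace lines above and undoes the relative sequence numbering the text describes, so the byte arithmetic (bytes 2 through 20, ack 21, the window shrinking by 19) can be checked mechanically. The line pattern it accepts is this example's own assumption and covers only the fields that appear in this trace.

```python
import re

# The nine lines of the rlogin trace above, copied without the line numbers.
TRACE = [
    "IP rtsg.1023 > csam.login: Flags [S], seq 768512:768512, win 4096, opts [mss 1024]",
    "IP csam.login > rtsg.1023: Flags [S.], seq 947648:947648, ack 768513, win 4096, opts [mss 1024]",
    "IP rtsg.1023 > csam.login: Flags [.], ack 1, win 4096",
    "IP rtsg.1023 > csam.login: Flags [P.], seq 1:2, ack 1, win 4096, length 1",
    "IP csam.login > rtsg.1023: Flags [.], ack 2, win 4096",
    "IP rtsg.1023 > csam.login: Flags [P.], seq 2:21, ack 1, win 4096, length 19",
    "IP csam.login > rtsg.1023: Flags [P.], seq 1:2, ack 21, win 4077, length 1",
    "IP csam.login > rtsg.1023: Flags [P.], seq 2:3, ack 21, win 4077, urg 1, length 1",
    "IP csam.login > rtsg.1023: Flags [P.], seq 3:4, ack 21, win 4077, urg 1, length 1",
]

# Matches the fields that occur in this trace, in the order tcpdump prints them.
LINE_RE = re.compile(
    r"^IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq,? (?P<first>\d+):(?P<last>\d+))?"
    r"(?:, ack (?P<ack>\d+))?"
    r", win (?P<win>\d+)"
    r"(?:, urg (?P<urg>\d+))?"
    r"(?:, opts \[(?P<opts>[^\]]*)\])?"
    r"(?:, length (?P<length>\d+))?$"
)


def parse_line(line):
    """Split one tcpdump TCP line into its fields; absent numeric fields become None."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump TCP line: {line!r}")
    f = m.groupdict()

    def num(key):
        return int(f[key]) if f[key] is not None else None

    return {
        "src": f["src"], "dst": f["dst"], "flags": f["flags"],
        "seq": (num("first"), num("last")) if f["first"] else None,
        "ack": num("ack"), "win": num("win"), "urg": num("urg"),
        "length": num("length") or 0, "opts": f["opts"],
    }


def absolute_sequence_numbers(lines):
    """Undo the relative numbering described above (what -S would print directly).

    tcpdump prints the raw ISN on the SYN in each direction; later seq/ack
    values are offsets from that ISN with the first data byte numbered 1,
    so absolute = ISN + relative. An ack number refers to the other side's
    data, so it is rebuilt from the other direction's ISN.
    """
    isn = {}
    out = []
    for line in lines:
        p = parse_line(line)
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        is_syn = "S" in p["flags"]
        if is_syn and p["seq"]:
            isn[fwd] = p["seq"][0]            # raw ISN as printed on the SYN
            abs_seq = p["seq"]
        elif p["seq"]:
            abs_seq = (isn[fwd] + p["seq"][0], isn[fwd] + p["seq"][1])
        else:
            abs_seq = None
        if p["ack"] is None:
            abs_ack = None
        elif is_syn:
            abs_ack = p["ack"]                # the SYN-ACK still shows the raw number
        else:
            abs_ack = isn[rev] + p["ack"]
        out.append({**p, "abs_seq": abs_seq, "abs_ack": abs_ack})
    return out


def seq_ranges_consistent(segments):
    """first:last covers bytes first..last-1, so last - first must equal the payload length."""
    return all(s["seq"] is None or s["seq"][1] - s["seq"][0] == s["length"]
               for s in segments)


if __name__ == "__main__":
    for n, s in enumerate(absolute_sequence_numbers(TRACE), 1):
        print(n, s["src"], ">", s["dst"], "seq", s["abs_seq"], "ack", s["abs_ack"])
```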

5.1 Capturing TCP packets with particular flag bits set

The TCP header has 8 control bits in total:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let’s assume that we want to watch packets used in establishing a TCP connection. Recall that TCP uses a 3-way handshake protocol when it initializes a new connection; the connection sequence with regard to the TCP control bits is

  1. Caller sends SYN
  2. Recipient responds with SYN, ACK
  3. Caller sends ACK

Now we’re interested in capturing packets that have only the SYN bit set (Step 1). Note that we don’t want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is a correct filter expression for tcpdump.

Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:

0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let’s have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

Recall that we want to capture packets with only SYN set. Let’s see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

00000010

and its decimal representation is

0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

We’re almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as a 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as

tcp[13] == 2

We can use this expression as the filter for tcpdump in order to watch packets which have only SYN set:

tcpdump -i xl0 tcp[13] == 2

The expression says “let the 13th octet of a TCP datagram have the decimal value 2”, which is exactly what we want.

Now, let’s assume that we need to capture SYN packets, but we don’t care if ACK or any other TCP control bit is set at the same time. Let’s see what happens to octet 13 when a TCP datagram with SYN-ACK set arrives:

     |C|E|U|A|P|R|S|F|
     |---------------|
     |0 0 0 1 0 0 1 0|
     |---------------|
     |7 6 5 4 3 2 1 0|

Now bits 1 and 4 are set in the 13th octet. The binary value of octet 13 is

00010010

which translates to decimal

0*2^7 + 0*2^6 + 0*2^5 + 1*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 18

Now we can’t just use ‘tcp[13] == 18’ in the tcpdump filter expression, because that would select only those packets that have SYN-ACK set, but not those with only SYN set. Remember that we don’t care if ACK or any other control bit is set as long as SYN is set.

In order to achieve our goal, we need to logically AND the binary value of octet 13 with some other value to preserve the SYN bit. We know that we want SYN to be set in any case, so we’ll logically AND the value in the 13th octet with the binary value of a SYN:

          00010010 SYN-ACK              00000010 SYN
     AND  00000010 (we want SYN)   AND  00000010 (we want SYN)
          --------                      --------
     =    00000010                 =    00000010

We see that this AND operation delivers the same result regardless whether ACK or another TCP control bit is set. The decimal representation of the AND value as well as the result of this operation is 2 (binary 00000010), so we know that for packets with SYN set the following relation must hold true:

( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )

This points us to the tcpdump filter expression

tcpdump -i xl0 'tcp[13] & 2 == 2'

Some offsets and field values may be expressed as names rather than as numeric values. For example tcp[13] may be replaced with tcp[tcpflags]. The following TCP flag field values are also available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

This can be demonstrated as:

 tcpdump -i xl0 'tcp[tcpflags] & tcp-push != 0'

Note that you should use single quotes or a backslash in the expression to hide the AND (’&’) special character from the shell.
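
The derivation above carried out on constructed headers, as an added example that is not from the tcpdump manual: it builds the three handshake segments plus one pushed data segment with Python's struct, reads octet 13 the way tcp[13] does, and applies the three filter expressions from this section. tcp_header() and the TCP_* constants are names of this example, not pcap-filter identifiers.

```python
import struct

# TCP control bits of octet 13, numbered right to left as in the diagram above:
# FIN is bit 0, SYN bit 1, ... CWR bit 7.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (
    1 << bit for bit in range(8)
)


def tcp_header(flags, sport=1023, dport=513, seq=768512, ack=0, win=4096):
    """Construct a 20-octet TCP header with no options, in network byte order.

    Octet 12 holds the header length (5 words) in its high nibble; octet 13
    holds the eight control bits, which is what pcap-filter's tcp[13] reads.
    """
    offset_and_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, win, 0, 0)


def tcp13(hdr):
    """tcp[13]: octet 13 of the TCP header as an 8-bit unsigned integer."""
    return hdr[13]


def octet13_binary(hdr):
    """The bit pattern written out in the derivation above, e.g. '00000010' for SYN."""
    return f"{tcp13(hdr):08b}"


def only_syn(hdr):
    """tcp[13] == 2: selects a plain SYN and nothing else."""
    return tcp13(hdr) == 2


def syn_set(hdr):
    """tcp[13] & 2 == 2: SYN set, other bits ignored (parenthesised as pcap-filter parses it)."""
    return (tcp13(hdr) & TCP_SYN) == TCP_SYN


def push_set(hdr):
    """tcp[tcpflags] & tcp-push != 0: the named-constant form from the section above."""
    return (tcp13(hdr) & TCP_PUSH) != 0


def sample_segments():
    """The handshake from the section above plus one pushed data segment (all constructed)."""
    return {
        "syn": tcp_header(TCP_SYN),
        "syn_ack": tcp_header(TCP_SYN | TCP_ACK, sport=513, dport=1023,
                              seq=947648, ack=768513),
        "ack": tcp_header(TCP_ACK, seq=768513, ack=947649),
        "data": tcp_header(TCP_PUSH | TCP_ACK, seq=768513, ack=947649),
    }


def selected_by(filter_fn):
    """Names of the sample segments a filter function would let tcpdump print."""
    return [name for name, hdr in sample_segments().items() if filter_fn(hdr)]


if __name__ == "__main__":
    for name, hdr in sample_segments().items():
        print(f"{name:8} tcp[13] = {octet13_binary(hdr)} = {tcp13(hdr)}")
    print("tcp[13] == 2                  ->", selected_by(only_syn))
    print("tcp[13] & 2 == 2              ->", selected_by(syn_set))
    print("tcp[tcpflags] & tcp-push != 0 ->", selected_by(push_set))
```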
