tcpdump.1

Windump3.6.2源代码

\f(CWarp who-has csam tell rtsg
arp reply csam is-at CSAM\fR
.sp .5
.fi
.RE
The first line says that rtsg sent an arp packet asking
for the ethernet address of internet host csam.  Csam
replies with its ethernet address (in this example, ethernet addresses
are in caps and internet addresses in lower case).
.LP
This would look less redundant if we had done \fBtcpdump \-n\fP:
.RS
.nf
.sp .5
\f(CWarp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4\fP
.fi
.RE
.LP
If we had done \fBtcpdump \-e\fP, the fact that the first packet is
broadcast and the second is point-to-point would be visible:
.RS
.nf
.sp .5
\f(CWRTSG Broadcast 0806  64: arp who-has csam tell rtsg
CSAM RTSG 0806  64: arp reply csam is-at CSAM\fR
.sp .5
.fi
.RE
For the first packet this says the ethernet source address is RTSG, the
destination is the ethernet broadcast address, the type field
contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
.HD
TCP Packets
.LP
\fI(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793.  If you are not familiar
with the protocol, neither this description nor \fItcpdump\fP will
be of much use to you.)\fP
.LP
The general format of a tcp protocol line is:
.RS
.nf
.sp .5
\fIsrc > dst: flags data-seqno ack window urgent options\fP
.sp .5
.fi
.RE
\fISrc\fP and \fIdst\fP are the source and destination IP
addresses and ports.  \fIFlags\fP are some combination of S (SYN),
F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).
\fIData-seqno\fP describes the portion of sequence space covered
by the data in this packet (see example below).
\fIAck\fP is sequence number of the next data expected the other
direction on this connection.
\fIWindow\fP is the number of bytes of receive buffer space available
the other direction on this connection.
\fIUrg\fP indicates there is `urgent' data in the packet.
\fIOptions\fP are tcp options enclosed in angle brackets (e.g., <mss 1024>).
.LP
\fISrc, dst\fP and \fIflags\fP are always present.  The other fields
depend on the contents of the packet's tcp protocol header and
are output only if appropriate.
.LP
Here is the opening portion of an rlogin from host \fIrtsg\fP to
host \fIcsam\fP.
.RS
.nf
.sp .5
\s-2\f(CWrtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1\fR\s+2
.sp .5
.fi
.RE
The first line says that tcp port 1023 on rtsg sent a packet
to port \fIlogin\fP
on csam.  The \fBS\fP indicates that the \fISYN\fP flag was set.
The packet sequence number was 768512 and it contained no data.
(The notation is `first:last(nbytes)' which means `sequence
numbers \fIfirst\fP
up to but not including \fIlast\fP which is \fInbytes\fP bytes of user data'.)
There was no piggy-backed ack, the available receive window was 4096
bytes and there was a max-segment-size option requesting an mss of
1024 bytes.
.LP
Csam replies with a similar packet except it includes a piggy-backed
ack for rtsg's SYN.  Rtsg then acks csam's SYN.  The `.' means no
flags were set.
The packet contained no data so there is no data sequence number.
Note that the ack sequence
number is a small integer (1).  The first time \fItcpdump\fP sees a
tcp `conversation', it prints the sequence number from the packet.
On subsequent packets of the conversation, the difference between
the current packet's sequence number and this initial sequence number
is printed.  This means that sequence numbers after the
first can be interpreted
as relative byte positions in the conversation's data stream (with the
first data byte each direction being `1').  `-S' will override this
feature, causing the original sequence numbers to be output.
.LP
On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20
in the rtsg \(-> csam side of the conversation).
The PUSH flag is set in the packet.
On the 7th line, csam says it's received data sent by rtsg up to
but not including byte 21.  Most of this data is apparently sitting in the
socket buffer since csam's receive window has gotten 19 bytes smaller.
Csam also sends one byte of data to rtsg in this packet.
On the 8th and 9th lines,
csam sends two bytes of urgent, pushed data to rtsg.
.LP
If the snapshot was small enough that \fItcpdump\fP didn't capture
the full TCP header, it interprets as much of the header as it can
and then reports ``[|\fItcp\fP]'' to indicate the remainder could not
be interpreted.  If the header contains a bogus option (one with a length
that's either too small or beyond the end of the header), \fItcpdump\fP
reports it as ``[\fIbad opt\fP]'' and does not interpret any further
options (since it's impossible to tell where they start).  If the header
length indicates options are present but the IP datagram length is not
long enough for the options to actually be there, \fItcpdump\fP reports
it as ``[\fIbad hdr length\fP]''.
.HD
.B Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)
.PP
There are 6 bits in the control bits section of the TCP header:
.IP
.I URG | ACK | PSH | RST | SYN | FIN
.PP
Let's assume that we want to watch packets used in establishing
a TCP connection. Recall that TCP uses a 3-way handshake protocol
when it initializes a new connection; the connection sequence with
regard to the TCP control bits is
.PP
.RS
1) Caller sends SYN
.RE
.RS
2) Recipient responds with SYN, ACK
.RE
.RS
3) Caller sends ACK
.RE
.PP
Now we're interested in capturing packets that have only the
SYN bit set (Step 1). Note that we don't want packets from step 2
(SYN-ACK), just a plain initial SYN. What we need is a correct filter
expression for \fItcpdump\fP.
.PP
Recall the structure of a TCP header without options:
.PP
.nf
 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | reserved  |U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------
.fi
.PP
A TCP header usually holds 20 octets of data, unless options are
present.  The fist line of the graph contains octets 0 - 3, the
second line shows octets 4 - 7 etc.
.PP
Starting to count with 0, the relevant TCP control bits are contained
in octet 13:
.PP
.nf
 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | reserved  |U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |
.fi
.PP
Let's have a closer look at octet no. 13:
.PP
.nf
                |               |
                |---------------|
                |   |U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|
.fi
.PP
We see that this octet contains 2 bytes from the reserved field.
According to RFC 793 this field is reserved for future use and must
be 0. The remaining 6 bits are the TCP control bits we are interested
in. We have numbered the bits in this octet from 0 to 7, right to
left, so the PSH bit is bit number 3, while the URG bit is number 5.
.PP
Recall that we want to capture packets with only SYN set.
Let's see what happens to octet 13 if a TCP datagram arrives
with the SYN bit set in its header:
.PP
.nf
                |   |U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|
.fi
.PP
We already mentioned that bits number 7 and 6 belong to the
reserved field, so they must must be 0. Looking at the
control bits section we see that only bit number 1 (SYN) is set.
.PP
Assuming that octet number 13 is an 8-bit unsigned integer in
network byte order, the binary value of this octet is
.IP
00000010
.PP
and its decimal representation is
.PP
.nf
   7     6     5     4     3     2     1     0
0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2  =  2
.fi
.PP
We're almost done, because now we know that if only SYN is set,
the value of the 13th octet in the TCP header, when interpreted
as a 8-bit unsigned integer in network byte order, must be exactly 2.
.PP
This relationship can be expressed as
.RS
.B
tcp[13] == 2
.RE
.PP
We can use this expression as the filter for \fItcpdump\fP in order
to watch packets which have only SYN set:
.RS
.B
tcpdump -i xl0 tcp[13] == 2
.RE
.PP
The expression says "let the 13th octet of a TCP datagram have
the decimal value 2", which is exactly what we want.
.PP
Now, let's assume that we need to capture SYN packets, but we
don't care if ACK or any other TCP control bit is set at the
same time. Let's see what happens to octet 13 when a TCP datagram
with SYN-ACK set arrives:
.PP
.nf
     |   |U|A|P|R|S|F|
     |---------------|
     |0 0 0 1 0 0 1 0|
     |---------------|
     |7 6 5 4 3 2 1 0|
.fi
.PP
Now bits 1 and 4 are set in the 13th octet. The binary value of
octet 13 is
.IP
     00010010
.PP
which translates to decimal
.PP
.nf
   7     6     5     4     3     2     1     0
0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2   = 18
.fi
.PP
Now we can't just use 'tcp[13] == 18' in the \fItcpdump\fP filter
expression, because that would select only those packets that have
SYN-ACK set, but not those with only SYN set. Remember that we don't care
if ACK or any other control bit is set as long as SYN is set.
.PP
In order to achieve our goal, we need to logically AND the
binary value of octet 13 with some other value to preserve
the SYN bit. We know that we want SYN to be set in any case,
so we'll logically AND the value in the 13th octet with
the binary value of a SYN:
.PP
.nf

          00010010 SYN-ACK              00000010 SYN
     AND  00000010 (we want SYN)   AND  00000010 (we want SYN)
          --------                      --------
     =    00000010                 =    00000010
.fi
.PP
We see that this AND operation delivers the same result
regardless whether ACK or another TCP control bit is set.
The decimal representation of the AND value as well as
the result of this operation is 2 (binary 00000010),
so we know that for packets with SYN set the following
relation must hold true:
.IP
( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )
.PP
This points us to the \fItcpdump\fP filter expression
.RS
.B
     tcpdump -i xl0 'tcp[13] & 2 == 2'
.RE
.PP
Note that you should use single quotes or a backslash
in the expression to hide the AND ('&') special character
from the shell.
.HD
.B
UDP Packets
.LP
UDP format is illustrated by this rwho packet:
.RS
.nf
.sp .5
\f(CWactinide.who > broadcast.who: udp 84\fP
.sp .5
.fi
.RE
This says that port \fIwho\fP on host \fIactinide\fP sent a udp
datagram to port \fIwho\fP on host \fIbroadcast\fP, the Internet
broadcast address.  The packet contained 84 bytes of user data.
.LP
Some UDP services are recognized (from the source or destination
port number) and the higher level protocol information printed.
In particular, Domain Name service requests (RFC-1034/1035) and Sun
RPC calls (RFC-1050) to NFS.
.HD
UDP Name Server Requests
.LP
\fI(N.B.:The following description assumes familiarity with
the Domain Service protocol described in RFC-1035.  If you are not familiar
with the protocol, the following description will appear to be written
in greek.)\fP
.LP
Name server requests are formatted as
.RS
.nf
.sp .5
\fIsrc > dst: id op? flags qtype qclass name (len)\fP
.sp .5
\f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
.sp .5
.fi
.RE
Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
The query id was `3'.  The `+' indicates the \fIrecursion desired\fP flag
was set.  The query length was 37 bytes, not including the UDP and
IP protocol headers.  The query operation was the normal one, \fIQuery\fP,
so the op field was omitted.  If the op had been anything else, it would
have been printed between the `3' and the `+'.
Similarly, the qclass was the normal one,
\fIC_IN\fP, and omitted.  Any other qclass would have been printed
immediately after the `A'.
.LP
A few anomalies are checked and may result in extra fields enclosed in
square brackets:  If a query contains an answer, name server or
authority section,
.IR ancount ,
.IR nscount ,
or
.I arcount
are printed as `[\fIn\fPa]', `[\fIn\fPn]' or  `[\fIn\fPau]' where \fIn\fP
is the appropriate count.
If any of the response bits are set (AA, RA or rcode) or any of the
`must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
is printed, where \fIx\fP is the hex value of header bytes two and three.
.HD
UDP Name Server Responses
.LP
Name server responses are formatted as
.RS
.nf
.sp .5
\fIsrc > dst:  id op rcode flags a/n/au type class data (len)\fP
.sp .5
\f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
.sp .5
.fi
.RE
In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
with 3 answer records, 3 name server records and 7 authority records.
The first answer record is type A (address) and its data is internet
address 128.32.137.3.  The total size of the response was 273 bytes,
excluding UDP and IP headers.  The op (Query) and response code
(NoError) were omitted, as was the class (C_IN) of the A record.
.LP
In the second example, \fIhelios\fP responds to query 2 with a
response code of non-existent domain (NXDomain) with no answers,
one name server and no authority records.  The `*' indicates that
the \fIauthoritative answer\fP bit was set.  Since there were no
answers, no type, class or data were printed.
.LP
Other flag characters that might appear are `\-' (recursion available,
RA, \fInot\fP set) and `|' (truncated message, TC, set).  If the
`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
is printed.
.LP
Note that name server requests and responses tend to be large and the
default \fIsnaplen\fP of 68 bytes may not capture enough of the packet
to print.  Use the \fB\-s\fP flag to increase the snaplen if you
need to seriously investigate name server traffic.  `\fB\-s 128\fP'
has worked well for me.

.HD
SMB/CIFS decoding
.LP
\fItcpdump\fP now includes fairly extensive SMB/CIFS/NBT decoding for data
on UDP/137, UDP/138 and TCP/139. Some primitive decoding of IPX and
NetBEUI SMB data is also done.