📄 tcpdump.man
字号:
To print all ICMP packets that are not echo
requests/replies (i.e., not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0"
OUTPUT FORMAT
The output of tcpdump is protocol dependent. The follow-
ing gives a brief description and examples of most of the
formats.
Link Level Headers
If the '-e' option is given, the link level header is
printed out. On ethernets, the source and destination
addresses, protocol, and packet length are printed.
On FDDI networks, the '-e' option causes tcpdump to print
the `frame control' field, the source and destination
addresses, and the packet length. (The `frame control'
field governs the interpretation of the rest of the
packet. Normal packets (such as those containing IP data-
grams) are `async' packets, with a priority value between
0 and 7; for example, `async4'. Such packets are assumed
to contain an 802.2 Logical Link Control (LLC) packet; the
LLC header is printed if it is not an ISO datagram or a
so-called SNAP packet.
(N.B.: The following description assumes familiarity with
the SLIP compression algorithm described in RFC-1144.)
On SLIP links, a direction indicator (``I'' for inbound,
``O'' for outbound), packet type, and compression informa-
tion are printed out. The packet type is printed first.
The three types are ip, utcp, and ctcp. No further link
information is printed for ip packets. For TCP packets,
the connection identifier is printed following the type.
If the packet is compressed, its encoded header is printed
out. The special cases are printed out as *S+n and *SA+n,
where n is the amount by which the sequence number (or
sequence number and ack) has changed. If it is not a spe-
cial case, zero or more changes are printed. A change is
indicated by U (urgent pointer), W (window), A (ack), S
(sequence number), and I (packet ID), followed by a delta
(+n or -n), or a new value (=n). Finally, the amount of
data in the packet and compressed header length are
printed.
For example, the following line shows an outbound com-
pressed TCP packet, with an implicit connection identi-
fier; the ack has changed by 6, the sequence number by 49,
and the packet ID by 6; there are 3 bytes of data and 6
bytes of compressed header:
O ctcp * A+6 S+49 I+6 3 (6)
ARP/RARP Packets
Arp/rarp output shows the type of request and its argu-
ments. The format is intended to be self explanatory.
Here is a short sample taken from the start of an `rlogin'
from host rtsg to host csam:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says that rtsg sent an arp packet asking
for the ethernet address of internet host csam. Csam
replies with its ethernet address (in this example, ether-
net addresses are in caps and internet addresses in lower
case).
This would look less redundant if we had done tcpdump -n:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
If we had done tcpdump -e, the fact that the first packet
is broadcast and the second is point-to-point would be
visible:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
For the first packet this says the ethernet source address
is RTSG, the destination is the ethernet broadcast
address, the type field contained hex 0806 (type
ETHER_ARP) and the total length was 64 bytes.
TCP Packets
(N.B.:The following description assumes familiarity with
the TCP protocol described in RFC-793. If you are not
familiar with the protocol, neither this description nor
tcpdump will be of much use to you.)
The general format of a tcp protocol line is:
src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses
and ports. Flags are some combination of S (SYN), F
(FIN), P (PUSH) or R (RST) or a single `.' (no flags).
Data-seqno describes the portion of sequence space covered
by the data in this packet (see example below). Ack is
sequence number of the next data expected the other direc-
tion on this connection. Window is the number of bytes of
receive buffer space available the other direction on this
connection. Urg indicates there is `urgent' data in the
packet. Options are tcp options enclosed in angle brack-
ets (e.g., <mss 1024>).
Src, dst and flags are always present. The other fields
depend on the contents of the packet's tcp protocol header
and are output only if appropriate.
Here is the opening portion of an rlogin from host rtsg to
host csam.
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The first line says that tcp port 1023 on rtsg sent a
packet to port login on csam. The S indicates that the
SYN flag was set. The packet sequence number was 768512
and it contained no data. (The notation is
`first:last(nbytes)' which means `sequence numbers first
up to but not including last which is nbytes bytes of user
data'.) There was no piggy-backed ack, the available
receive window was 4096 bytes and there was a max-segment-
size option requesting an mss of 1024 bytes.
Csam replies with a similar packet except it includes a
piggy-backed ack for rtsg's SYN. Rtsg then acks csam's
SYN. The `.' means no flags were set. The packet con-
tained no data so there is no data sequence number. Note
that the ack sequence number is a small integer (1). The
first time tcpdump sees a tcp `conversation', it prints
the sequence number from the packet. On subsequent pack-
ets of the conversation, the difference between the cur-
rent packet's sequence number and this initial sequence
number is printed. This means that sequence numbers after
the first can be interpreted as relative byte positions in
the conversation's data stream (with the first data byte
each direction being `1'). `-S' will override this fea-
ture, causing the original sequence numbers to be output.
On the 6th line, rtsg sends csam 19 bytes of data (bytes 2
through 20 in the rtsg -> csam side of the conversation).
The PUSH flag is set in the packet. On the 7th line, csam
says it's received data sent by rtsg up to but not includ-
ing byte 21. Most of this data is apparently sitting in
the socket buffer since csam's receive window has gotten
19 bytes smaller. Csam also sends one byte of data to
rtsg in this packet. On the 8th and 9th lines, csam sends
two bytes of urgent, pushed data to rtsg.
If the snapshot was small enough that tcpdump didn't cap-
ture the full TCP header, it interprets as much of the
header as it can and then reports ``[|tcp]'' to indicate
the remainder could not be interpreted. If the header
contains a bogus option (one with a length that's either
too small or beyond the end of the header), tcpdump
reports it as ``[bad opt]'' and does not interpret any
further options (since it's impossible to tell where they
start). If the header length indicates options are pre-
sent but the IP datagram length is not long enough for the
options to actually be there, tcpdump reports it as ``[bad
hdr length]''.
UDP Packets
UDP format is illustrated by this rwho packet:
actinide.who > broadcast.who: udp 84
This says that port who on host actinide sent a udp data-
gram to port who on host broadcast, the Internet broadcast
address. The packet contained 84 bytes of user data.
Some UDP services are recognized (from the source or des-
tination port number) and the higher level protocol infor-
mation printed. In particular, Domain Name service
requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to
NFS.
UDP Name Server Requests
(N.B.:The following description assumes familiarity with
the Domain Service protocol described in RFC-1035. If you
are not familiar with the protocol, the following descrip-
tion will appear to be written in greek.)
Name server requests are formatted as
src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
Host h2opolo asked the domain server on helios for an
address record (qtype=A) associated with the name ucb-
vax.berkeley.edu. The query id was `3'. The `+' indi-
cates the recursion desired flag was set. The query
length was 37 bytes, not including the UDP and IP protocol
headers. The query operation was the normal one, Query,
so the op field was omitted. If the op had been anything
else, it would have been printed between the `3' and the
`+'. Similarly, the qclass was the normal one, C_IN, and
omitted. Any other qclass would have been printed immedi-
ately after the `A'.
A few anomalies are checked and may result in extra fields
enclosed in square brackets: If a query contains an
answer, name server or authority section, ancount,
nscount, or arcount are printed as `[na]', `[nn]' or
`[nau]' where n is the appropriate count. If any of the
response bits are set (AA, RA or rcode) or any of the
`must be zero' bits are set in bytes two and three,
`[b2&3=x]' is printed, where x is the hex value of header
bytes two and three.
UDP Name Server Responses
Name server responses are formatted as
src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
In the first example, helios responds to query id 3 from
h2opolo with 3 answer records, 3 name server records and 7
authority records. The first answer record is type A
(address) and its data is internet address 128.32.137.3.
The total size of the response was 273 bytes, excluding
UDP and IP headers. The op (Query) and response code
(NoError) were omitted, as was the class (C_IN) of the A
record.
In the second example, helios responds to query 2 with a
response code of non-existent domain (NXDomain) with no
answers, one name server and no authority records. The
`*' indicates that the authoritative answer bit was set.
Since there were no answers, no type, class or data were
printed.
Other flag characters that might appear are `-' (recursion
available, RA, not set) and `|' (truncated message, TC,
set). If the `question' section doesn't contain exactly
one entry, `[nq]' is printed.
Note that name server requests and responses tend to be
large and the default snaplen of 68 bytes may not capture
enough of the packet to print. Use the -s flag to
increase the snaplen if you need to seriously investigate
name server traffic. `-s 128' has worked well for me.
NFS Requests and Replies
Sun NFS (Network File System) requests and replies are
printed as:
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -