tcpdump.man
       always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

       Primitives may be combined using:

              A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).

              Negation (`!' or `not').

              Concatenation (`&&' or `and').

              Alternation (`||' or `or').

       Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.

TCPDUMP(1)                     30 June 1997                     TCPDUMP(1)

       If an identifier is given without a keyword, the most recent keyword is assumed. For example,

              not host vs and ace

       is short for

              not host vs and host ace

       which should not be confused with

              not ( host vs or ace )

       Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument.
       Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES
       To print all packets arriving at or departing from sundown:
              tcpdump host sundown

       To print traffic between helios and either hot or ace:
              tcpdump host helios and \( hot or ace \)

       To print all IP packets between ace and any host except helios:
              tcpdump ip host ace and not helios

       To print all traffic between local hosts and hosts at Berkeley:
              tcpdump net ucb-ether

       To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
              tcpdump 'gateway snup and (port ftp or ftp-data)'

       To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
              tcpdump ip and not net localnet

       To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
              tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

       To print IP packets longer than 576 bytes sent through gateway snup:
              tcpdump 'gateway snup and ip[2:2] > 576'

       To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:
              tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

       To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
              tcpdump 'icmp[0] != 8 and icmp[0] != 0'

OUTPUT FORMAT
       The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.
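       The byte-offset filters above (`tcp[13] & 3 != 0', `ip[2:2] > 576', `ether[0] & 1 = 0 and ip[16] >= 224', `icmp[0] != 8 and icmp[0] != 0') are easier to trust once you have seen which header bytes they index. The following Python is an added example, not part of the tcpdump man page or the tcpdump source: it implements proto[offset:size] indexing over constructed Ethernet/IPv4 frames with the same base-offset rules tcpdump uses (ether[] from the frame start, ip[] from the IP header, tcp[]/icmp[] from the transport header and only on the first fragment), then writes each example filter as a predicate, including the `and'/`not' combination with a `net localnet' test. All frames, addresses and the `Packet', `matches' and `build_frame' names are constructed for this example.

```python
import ipaddress
import struct

ETH_LEN = 14
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


class Packet:
    """Byte-index view of an Ethernet/IPv4 frame in tcpdump's proto[off:size]
    notation: ether[] counts from the frame start, ip[] from the IP header,
    tcp[] and icmp[] from the transport header (first fragment only)."""

    def __init__(self, frame: bytes):
        self.frame = frame

    def _field(self, base, off, size):
        end = base + off + size
        if end > len(self.frame):
            raise ValueError("index beyond captured data")
        return int.from_bytes(self.frame[base + off:end], "big")

    def ether(self, off, size=1):
        return self._field(0, off, size)

    def ip(self, off, size=1):
        if self.ether(12, 2) != ETHERTYPE_IP:
            raise ValueError("not an IP packet")
        return self._field(ETH_LEN, off, size)

    def _transport(self, proto, off, size):
        if self.ip(9) != proto:
            raise ValueError("wrong transport protocol")
        # tcpdump's rule: tcp[n] / icmp[n] index the transport header, which is
        # only present in the first fragment (fragment offset == 0).
        if self.ip(6, 2) & 0x1FFF:
            raise ValueError("not the first fragment")
        ihl = (self.ip(0) & 0x0F) * 4
        return self._field(ETH_LEN + ihl, off, size)

    def tcp(self, off, size=1):
        return self._transport(IPPROTO_TCP, off, size)

    def icmp(self, off, size=1):
        return self._transport(IPPROTO_ICMP, off, size)


def matches(pred, frame):
    """A filter that cannot be evaluated against a packet does not match it."""
    try:
        return bool(pred(Packet(frame)))
    except ValueError:
        return False


# The byte-offset filters from the EXAMPLES section, written as predicates.
def syn_or_fin(p):                  # tcp[13] & 3 != 0
    return p.tcp(13) & 3 != 0

def longer_than_576(p):             # ip[2:2] > 576
    return p.ip(2, 2) > 576

def ip_mcast_not_ether_mcast(p):    # ether[0] & 1 = 0 and ip[16] >= 224
    return p.ether(0) & 1 == 0 and p.ip(16) >= 224

def icmp_not_ping(p):               # icmp[0] != 8 and icmp[0] != 0
    return p.icmp(0) != 8 and p.icmp(0) != 0

def syn_fin_nonlocal(p, localnet):  # tcp[13] & 3 != 0 and not src and dst net localnet
    src = ipaddress.ip_address(p.ip(12, 4))
    dst = ipaddress.ip_address(p.ip(16, 4))
    return syn_or_fin(p) and not (src in localnet and dst in localnet)


# Constructed frames for the demonstration, not captured traffic.
def build_frame(transport, proto, src_ip="10.0.0.1", dst_ip="10.0.0.2",
                dst_mac=bytes.fromhex("020000000002"), frag_off=0):
    src_mac = bytes.fromhex("020000000001")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0x1234,
                         frag_off, 64, proto, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip_hdr + transport

def tcp_segment(flags, payload=b""):
    # sport 1023, dport 513, seq 768512, no options (data offset 5)
    return struct.pack("!HHIIBBHHH", 1023, 513, 768512, 0, 5 << 4, flags,
                       4096, 0, 0) + payload

def icmp_message(icmp_type):
    return struct.pack("!BBHI", icmp_type, 0, 0, 0)


if __name__ == "__main__":
    localnet = ipaddress.ip_network("10.0.0.0/8")
    samples = {
        "SYN to local host": build_frame(tcp_segment(0x02), IPPROTO_TCP),
        "SYN to 192.0.2.7": build_frame(tcp_segment(0x02), IPPROTO_TCP, dst_ip="192.0.2.7"),
        "ACK, 600 data bytes": build_frame(tcp_segment(0x10, b"x" * 600), IPPROTO_TCP),
        "SYN, 2nd fragment": build_frame(tcp_segment(0x02), IPPROTO_TCP, frag_off=1),
        "ICMP unreachable": build_frame(icmp_message(3), IPPROTO_ICMP),
    }
    for name, frame in samples.items():
        print(f"{name:22} syn/fin={matches(syn_or_fin, frame)!s:5} "
              f">576={matches(longer_than_576, frame)!s:5} "
              f"icmp={matches(icmp_not_ping, frame)!s:5} "
              f"nonlocal={matches(lambda p: syn_fin_nonlocal(p, localnet), frame)}")
```

       The fragment check is the point made at the top of this section: the second fragment of a SYN carries no TCP header at all, so `tcp[13]' has nothing to index and the filter does not match, which is also why a SYN/FIN filter alone cannot be relied on to see every connection start on a network carrying fragmented traffic.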
   Link Level Headers
       If the '-e' option is given, the link level header is printed out. On ethernets, the source and destination addresses, protocol, and packet length are printed.

       On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.

       (N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)

       On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type, and compression information are printed out. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed out. The special cases are printed out as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed. A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and compressed header length are printed.
       For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:
              O ctcp * A+6 S+49 I+6 3 (6)

   ARP/RARP Packets
       Arp/rarp output shows the type of request and its arguments. The format is intended to be self-explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:
              arp who-has csam tell rtsg
              arp reply csam is-at CSAM

       The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case).

       This would look less redundant if we had done tcpdump -n:
              arp who-has 128.3.254.6 tell 128.3.254.68
              arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

       If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:
              RTSG Broadcast 0806 64: arp who-has csam tell rtsg
              CSAM RTSG 0806 64: arp reply csam is-at CSAM

       For the first packet this says the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
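       To make the three renderings of the ARP exchange concrete, here is an added Python example (not code from the man page or from tcpdump itself) that parses constructed Ethernet/ARP frames and prints them in the default, -n and -e forms shown above. The name tables stand in for the DNS and /etc/ethers lookups tcpdump performs; the MAC address of rtsg is constructed, since the page only shows csam's, and the frames are padded to 64 bytes so the -e length matches the sample. `format_arp' and `build_arp' are names chosen for this example.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6

# Constructed stand-ins for the DNS and /etc/ethers lookups tcpdump performs.
HOSTS = {"128.3.254.6": "csam", "128.3.254.68": "rtsg"}
ETHERS = {"02:07:01:00:01:c4": "CSAM", "02:07:01:00:01:c5": "RTSG"}


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def ether_name(mac, numeric):
    if mac == BROADCAST_MAC:
        return "Broadcast"
    s = mac_str(mac)
    return s if numeric else ETHERS.get(s, s)

def ip_name(addr, numeric):
    s = str(ipaddress.IPv4Address(addr))
    return s if numeric else HOSTS.get(s, s)


def format_arp(frame, numeric=False, link_header=False):
    """Render one Ethernet/ARP frame the way the ARP/RARP section shows it.
    numeric mirrors -n (no name lookups); link_header mirrors -e."""
    dst, src = frame[:6], frame[6:12]
    etype = int.from_bytes(frame[12:14], "big")
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    if oper == 1:
        body = f"arp who-has {ip_name(tpa, numeric)} tell {ip_name(spa, numeric)}"
    elif oper == 2:
        body = f"arp reply {ip_name(spa, numeric)} is-at {ether_name(sha, numeric)}"
    else:
        raise ValueError("only request/reply are rendered in this example")
    prefix = ""
    if link_header:   # -e: source, destination, type field, total length
        prefix = f"{ether_name(src, numeric)} {ether_name(dst, numeric)} {etype:04x} {len(frame)}: "
    return prefix + body


def build_arp(oper, sha, spa, tha, tpa, dst_mac):
    """Constructed frame, padded to 64 bytes so the length matches the sample."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                      ipaddress.IPv4Address(spa).packed, tha,
                      ipaddress.IPv4Address(tpa).packed)
    return (dst_mac + sha + struct.pack("!H", ETHERTYPE_ARP) + arp).ljust(64, b"\x00")


CSAM_MAC = bytes.fromhex("0207010001c4")   # from the page's -n sample
RTSG_MAC = bytes.fromhex("0207010001c5")   # constructed; the page never shows it
REQUEST = build_arp(1, RTSG_MAC, "128.3.254.68", b"\x00" * 6, "128.3.254.6", BROADCAST_MAC)
REPLY = build_arp(2, CSAM_MAC, "128.3.254.6", RTSG_MAC, "128.3.254.68", RTSG_MAC)

if __name__ == "__main__":
    for opts in ({}, {"numeric": True}, {"link_header": True}):
        for frame in (REQUEST, REPLY):
            print(format_arp(frame, **opts))
```

       Reading the -e form is worth the habit: a who-has that is not sent to Broadcast, or an is-at whose sender address differs from what your own table holds for that IP, is exactly what an ARP-monitoring tool looks for, and the link header is the only place that information appears.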
   TCP Packets
       (N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)

       The general format of a tcp protocol line is:
              src > dst: flags data-seqno ack window urgent options

       Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

       Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.

       Here is the opening portion of an rlogin from host rtsg to host csam.
              rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
              csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
              rtsg.1023 > csam.login: . ack 1 win 4096
              rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
              csam.login > rtsg.1023: . ack 2 win 4096
              rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
              csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
              csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
              csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

       The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)' which means `sequence numbers first up to but not including last which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

       Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet con-
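       The sample above switches from absolute sequence numbers on the two SYN lines to small relative ones afterwards, and prints the data-seqno field only when it carries information. The following Python is an added example, not the man page's or tcpdump's own code: a small printer that parses constructed Ethernet/IPv4/TCP frames and emits lines in the format described, remembering each direction's initial sequence number at the SYN so that later seq/ack values come out relative, and parsing the mss option. Host and service names come from constructed tables standing in for DNS and /etc/services; the `TcpPrinter', `tcp_frame' and `render' names, the MAC addresses and the `<opt-N>' rendering of option kinds the page does not show are all assumptions of this example.

```python
import ipaddress
import struct

ETH_LEN = 14
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Constructed stand-ins for the DNS and /etc/services lookups tcpdump performs.
HOSTS = {"128.3.254.68": "rtsg", "128.3.254.6": "csam"}
SERVICES = {513: "login"}


class TcpPrinter:
    """Renders TCP segments in the line format described above. Initial
    sequence numbers are remembered per direction at the SYN so that later
    lines print seq/ack relative to them, as in the rlogin sample."""

    def __init__(self):
        self.isn = {}   # (src_ip, sport, dst_ip, dport) -> ISN seen on the SYN

    def line(self, frame):
        ip = frame[ETH_LEN:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = int.from_bytes(ip[2:4], "big")
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        tcp = ip[ihl:total_len]              # drop any link-layer padding
        sport, dport, seq, ack, off, flags, win, _csum, urgp = struct.unpack("!HHIIBBHHH", tcp[:20])
        hlen = (off >> 4) * 4
        datalen = len(tcp) - hlen
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN:
            self.isn[fwd] = seq              # SYN lines print absolute numbers
        else:
            if fwd in self.isn:
                seq = (seq - self.isn[fwd]) & 0xFFFFFFFF
            if rev in self.isn:
                ack = (ack - self.isn[rev]) & 0xFFFFFFFF
        letters = "".join(c for bit, c in ((SYN, "S"), (FIN, "F"), (PSH, "P"), (RST, "R")) if flags & bit)
        parts = [f"{self._host(src)}.{self._port(sport)} > {self._host(dst)}.{self._port(dport)}:",
                 letters or "."]
        if datalen or flags & (SYN | FIN | RST):   # data-seqno only when it says something
            parts.append(f"{seq}:{seq + datalen}({datalen})")
        if flags & ACK:
            parts.append(f"ack {ack}")
        parts.append(f"win {win}")
        if flags & URG:
            parts.append(f"urg {urgp}")
        parts.extend(self._options(tcp[20:hlen]))
        return " ".join(parts)

    @staticmethod
    def _host(addr):
        return HOSTS.get(addr, addr)

    @staticmethod
    def _port(port):
        return SERVICES.get(port, str(port))

    @staticmethod
    def _options(opts):
        out, i = [], 0
        while i < len(opts):
            kind = opts[i]
            if kind == 0:                    # end of option list
                break
            if kind == 1:                    # no-op padding
                i += 1
                continue
            if i + 1 >= len(opts) or opts[i + 1] < 2:
                out.append("<bad opt>")      # truncated or zero-length option: stop, never loop
                break
            length = opts[i + 1]
            if kind == 2 and length == 4:
                out.append(f"<mss {int.from_bytes(opts[i + 2:i + 4], 'big')}>")
            else:
                out.append(f"<opt-{kind}>")  # assumed rendering for kinds the page does not show
            i += length
        return out


def tcp_frame(src, sport, dst, dport, flags, seq, ack=0, win=4096, urgp=0, payload=b"", mss=None):
    """Constructed Ethernet/IPv4/TCP frame for the demonstration."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss else b""
    hlen = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (hlen // 4) << 4,
                      flags, win, 0, urgp) + opts + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp   # constructed MACs, ethertype IP


RTSG, CSAM = "128.3.254.68", "128.3.254.6"
SAMPLE = [   # reconstructs the first five lines of the rlogin sample plus one urg line
    tcp_frame(RTSG, 1023, CSAM, 513, SYN, 768512, mss=1024),
    tcp_frame(CSAM, 513, RTSG, 1023, SYN | ACK, 947648, 768513, mss=1024),
    tcp_frame(RTSG, 1023, CSAM, 513, ACK, 768513, 947649),
    tcp_frame(RTSG, 1023, CSAM, 513, PSH | ACK, 768513, 947649, payload=b"x"),
    tcp_frame(CSAM, 513, RTSG, 1023, ACK, 947649, 768514),
    tcp_frame(CSAM, 513, RTSG, 1023, PSH | ACK | URG, 947650, 768533, win=4077, urgp=1, payload=b"y"),
]

def render(frames):
    printer = TcpPrinter()
    return [printer.line(f) for f in frames]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
```

       The relative-number convention is convenient when reading a trace by eye but it is per-capture state: a printer that never saw the SYN (a capture started mid-connection, or a SYN that arrived fragmented) prints absolute numbers, so a tool that compares lines across captures has to account for both forms.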