tcpdump.man
tained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte each direction being `1'). `-S' will override this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it's received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as ``[bad hdr length]''.

30 June 1997                                                  TCPDUMP(1)
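The relative sequence numbers and the three header sanity markers described above, reproduced in Python as an added example for this page (it is not tcpdump's own code). The packets are constructed inside the block rather than captured, the host names are placeholders, and parse_tcp, SeqTracker and build_tcp are names chosen here, not tcpdump's.

```python
"""tcpdump-style TCP header handling: relative sequence numbers and the
[|tcp], [bad opt] and [bad hdr length] markers.  Added example written for
this page, not tcpdump's own code; the packets below are constructed."""
import struct

FLAG_CHARS = [(0x02, "S"), (0x01, "F"), (0x08, "P"), (0x04, "R"), (0x20, "U")]


def parse_tcp(segment, ip_payload_len):
    """Parse the captured bytes of one TCP segment.

    segment        -- what the snapshot captured (the snaplen may have cut it short)
    ip_payload_len -- TCP length claimed by the IP header (total length - IP header)
    Returns header fields, parsed options and a 'notes' list carrying the same
    markers tcpdump prints when the header does not add up.
    """
    out = {"options": [], "notes": []}
    if len(segment) < 20:                          # fixed header not fully captured
        if len(segment) >= 4:
            out["sport"], out["dport"] = struct.unpack("!HH", segment[:4])
        out["notes"].append("[|tcp]")
        return out
    sport, dport, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    out.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win, urg=urg, hlen=hlen,
               flags="".join(ch for bit, ch in FLAG_CHARS if off_flags & bit) or ".")
    # The data offset says options are present but the datagram cannot hold them:
    # nothing past the fixed header can be trusted, so do not read any of it.
    if hlen < 20 or hlen > ip_payload_len:
        out["notes"].append("[bad hdr length]")
        return out
    out["datalen"] = ip_payload_len - hlen
    captured_end = min(hlen, len(segment))         # how much of the header we really have
    i = 20
    while i < hlen:
        if i >= captured_end:                      # snapshot ended inside the options
            out["notes"].append("[|tcp]")
            break
        kind = segment[i]
        if kind == 0:                              # EOL: no more options
            break
        if kind == 1:                              # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= captured_end:                  # no length byte: bogus if the header
            out["notes"].append("[bad opt]" if i + 1 >= hlen else "[|tcp]")  # has no room, else cut off
            break
        length = segment[i + 1]
        if length < 2 or i + length > hlen:        # too small, or runs past the header:
            out["notes"].append("[bad opt]")       # later options cannot be located
            break
        if i + length > captured_end:              # option body cut off by the snaplen
            out["notes"].append("[|tcp]")
            break
        out["options"].append((kind, segment[i + 2:i + length]))
        i += length
    return out


class SeqTracker:
    """Turn absolute sequence/ack numbers into what tcpdump prints: the first
    packet in each direction shows the real number, later ones show the offset
    from that first number, so the first data byte is 1.  absolute=True is -S."""

    def __init__(self, absolute=False):
        self.absolute = absolute
        self.isn = {}                              # (src, dst) -> first seq seen

    def relative(self, src, dst, seq, ack):
        first = (src, dst) not in self.isn
        if first:
            self.isn[(src, dst)] = seq
        if first or self.absolute:
            return seq, ack
        rel_seq = (seq - self.isn[(src, dst)]) & 0xFFFFFFFF        # modulo 2**32
        rev_isn = self.isn.get((dst, src))         # acks count the other direction's bytes
        rel_ack = (ack - rev_isn) & 0xFFFFFFFF if rev_isn is not None else ack
        return rel_seq, rel_ack


def build_tcp(sport, dport, seq, ack, flags, options=b"", win=4096):
    """Constructed sample builder: pads options to 4 bytes, fills in the data
    offset and leaves the checksum zero (it is not verified here)."""
    options += b"\x00" * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (doff << 12) | flags, win, 0, 0) + options


# SYN carrying MSS 1460, two NOPs and SACK-permitted: a 28-byte header
SYN_OK = build_tcp(1023, 513, 768512, 0, 0x02, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
# Same SYN but the MSS option claims length 1, less than any option can be
SYN_BAD_OPT = build_tcp(1023, 513, 768512, 0, 0x02, b"\x02\x01\x05\xb4")

if __name__ == "__main__":
    print(parse_tcp(SYN_OK, 28)["notes"])          # []
    print(parse_tcp(SYN_BAD_OPT, 24)["notes"])     # ['[bad opt]']
    print(parse_tcp(SYN_OK, 24)["notes"])          # ['[bad hdr length]']: IP says 24, doff says 28
    print(parse_tcp(SYN_OK[:24], 28)["notes"])     # ['[|tcp]']: snaplen cut the options
```

The two properties worth copying into any parser that sees hostile input are visible in the notes: after `[bad opt]` the loop stops rather than guessing where the next option starts, and when the IP length cannot hold the advertised header the option bytes are not read at all.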
UDP Packets

UDP format is illustrated by this rwho packet:

    actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher level protocol information printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS are recognized.

UDP Name Server Requests

(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in greek.)

Name server requests are formatted as

    src > dst: id op? flags qtype qclass name (len)
    h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'.
Similarly, the qclass was the normal one, C_IN, and omitted. Any other qclass would have been printed immediately after the `A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: If a query contains an answer, name server or authority section (RFC-1035 calls these the answer, authority and additional sections), ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]' where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.

UDP Name Server Responses

Name server responses are formatted as

    src > dst: id op rcode flags a/n/au type class data (len)
    helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
    helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 authority records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain) with no answers, one name server and no authority records.
The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed. Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.

Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. `-s 128' has worked well for me.

NFS Requests and Replies

Sun NFS (Network File System) requests and replies are printed as:

    src.xid > dst.nfs: len op args
    src.nfs > dst.xid: reply stat len op results

    sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
    wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
    sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
    wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the src host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.73165.
(If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies `ok' with the contents of the link.

In the third line, sushi asks wrl to lookup the name `xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self explanatory if read in conjunction with an NFS protocol spec.

If the -v (verbose) flag is given, additional information is printed. For example:

    sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
    wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v also prints the IP header TTL, ID, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576. Wrl replies `ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v flag is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type (``REG'', for regular file), the file mode (in octal), the uid and gid, and the file size.

If the -v flag is given more than once, even more details are printed.

Note that NFS requests are very large and much of the detail won't be printed unless snaplen is increased. Try using `-s 192' to watch NFS traffic.

NFS reply packets do not explicitly identify the RPC operation.
Instead, tcpdump keeps track of ``recent'' requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable.

KIP Appletalk (DDP in UDP)

Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form

    number     name
    1.254      ether
    16.1       icsd-net
    1.254.110  ace

The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the 3rd octet in the number: a net number must have two octets and a host number must have three octets). The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a `#').
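Returning to the UDP Name Server Requests and Responses sections above: the summary format, the `+', `*', `-' and `|' flag characters and the bracketed anomaly markers, reproduced in Python as an added example for this page (not tcpdump's own code). The messages are constructed inside the block; the host names h2opolo and helios and the query for ucbvax.berkeley.edu come from the page's own examples, but the constructed response carries 1/0/0 records rather than the page's 3/3/7, and read_name, summarize_dns and build_dns are names chosen here.

```python
"""tcpdump-style summary lines for DNS queries and responses, with the anomaly
markers [na], [nn], [nau], [b2&3=x] and [nq].  Added example written for this
page, not tcpdump's own code; the messages below are constructed."""
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
# AA, RA, the three must-be-zero bits and rcode: none belongs in a query's bytes 2-3
QUERY_MBZ_MASK = AA | RA | 0x0070 | 0x000F
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
CLASSES = {1: "", 3: " CH", 4: " HS"}              # C_IN is the normal class and omitted
OPCODES = {0: "", 1: " inv", 2: " stat"}          # Query is the normal op and omitted
RCODES = {0: "", 1: " FormErr", 2: " ServFail", 3: " NXDomain", 4: " NotImp", 5: " Refused"}


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name; return (name, offset past it).
    Pointer chains are capped so a looping packet raises instead of hanging."""
    labels = []
    while True:
        if off >= len(msg) or depth > 16:
            raise ValueError("truncated or looping name")
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], depth + 1)
            head = ".".join(labels)
            return (head + "." + tail if head and tail != "." else head + tail), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def skip_question(msg, off):
    """Return (qname, qtype, qclass, offset past the question)."""
    qname, off = read_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype, qclass, off + 4


def summarize_dns(msg, src, dst):
    """Return the one-line summary tcpdump would print for one UDP DNS message."""
    prefix = f"{src} > {dst}: "
    if len(msg) < 12:
        return prefix + "[|domain]"
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    head = str(ident) + OPCODES.get(opcode, f" op{opcode}")
    parts = []
    try:
        if not flags & QR:                        # ---- query ----
            parts.append(head + ("+" if flags & RD else ""))      # '+' = recursion desired
            for count, tag in ((an, "a"), (ns, "n"), (ar, "au")):
                if count:                         # sections a query has no business carrying
                    parts.append(f"[{count}{tag}]")
            if flags & QUERY_MBZ_MASK:
                parts.append(f"[b2&3={flags:x}]")
            if qd != 1:
                parts.append(f"[{qd}q]")
            if qd:
                qname, qtype, qclass, _ = skip_question(msg, 12)
                parts += [TYPES.get(qtype, f"Type{qtype}") + "?" + CLASSES.get(qclass, f" Class{qclass}"), qname]
        else:                                     # ---- response ----
            head += RCODES.get(flags & 0xF, f" Rcode{flags & 0xF}")
            head += ("*" if flags & AA else "") + ("" if flags & RA else "-") + ("|" if flags & TC else "")
            parts += [head, f"{an}/{ns}/{ar}"]
            if qd != 1:
                parts.append(f"[{qd}q]")
            off = 12
            for _ in range(qd):                   # step over the echoed question(s)
                off = skip_question(msg, off)[3]
            if an:                                # first answer: type, class, data
                _, off = read_name(msg, off)
                rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                off += 10
                if off + rdlen > len(msg):
                    raise ValueError("truncated rdata")
                parts.append(TYPES.get(rtype, f"Type{rtype}") + CLASSES.get(rclass, f" Class{rclass}"))
                if rtype == 1 and rdlen == 4:
                    parts.append(".".join(str(b) for b in msg[off:off + 4]))
    except (ValueError, struct.error):            # message ends before its own counts say it should
        return prefix + " ".join(parts + ["[|domain]"])
    return prefix + " ".join(parts + [f"({len(msg)})"])


def build_dns(ident, flags, qname, answers=()):
    """Constructed sample builder: one A question plus optional A answers whose
    owner name is a pointer back to the question name at offset 12."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    msg = struct.pack("!HHHHHH", ident, flags, 1, len(answers), 0, 0) + labels + b"\x00"
    msg += struct.pack("!HH", 1, 1)
    for addr in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes(int(o) for o in addr.split("."))
    return msg


QUERY = build_dns(3, RD, "ucbvax.berkeley.edu")                       # 37 bytes, as on this page
REPLY = build_dns(3, QR | RD | RA, "ucbvax.berkeley.edu", ["128.32.137.3"])
NXDOMAIN = build_dns(2, QR | AA | RD | RA | 3, "ucbvax.berkeley.edu")  # rcode 3 with AA set
ODD_QUERY = build_dns(3, RD | 0x0070, "ucbvax.berkeley.edu")          # must-be-zero bits set

if __name__ == "__main__":
    print(summarize_dns(QUERY, "h2opolo.1538", "helios.domain"))      # 3+ A? ucbvax.berkeley.edu. (37)
    print(summarize_dns(REPLY, "helios.domain", "h2opolo.1538"))      # 3 1/0/0 A 128.32.137.3 (53)
    print(summarize_dns(NXDOMAIN, "helios.domain", "h2opolo.1537"))   # 2 NXDomain* 0/0/0 (37)
    print(summarize_dns(ODD_QUERY, "h2opolo.1538", "helios.domain"))  # 3+ [b2&3=170] A? ...
```

The first line comes out byte-for-byte as the page's own example, which is a useful check that the 37-byte length and the omitted op and class are being handled the way the text describes. A message cut short by the snaplen, or one whose name pointers loop back on themselves, ends in `[|domain]` rather than an exception or a hang; that is the failure mode the snaplen paragraph above is warning about.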