tcpdump.man.ps

3 网卡驱动相关实例 这是和网卡NT KMD驱动程序有关的一些资料和例子。

(xpression is quoted to pre)-.15 F -.15(ve)-.25 G .225(nt the shell).15
F(from \(mis-\)interpreting the parentheses\):)108 112.8 Q F1
(tcpdump 'gateway snup and \(port ftp or ftp-data\)')144 124.8 Q F0
2.003 -.8(To p)108 141.6 T .403(rint traf).8 F .403
(\214c neither sourced from nor destined for local hosts \(if you g)-.25
F(ate)-.05 E -.1(wa)-.25 G 2.903(yt).1 G 2.903(oo)-2.903 G .404
(ne other net, this stuf)-2.903 F(f)-.25 E(should ne)108 153.6 Q -.15
(ve)-.25 G 2.5(rm).15 G(ak)-2.5 E 2.5(ei)-.1 G 2.5(to)-2.5 G
(nto your local net\).)-2.5 E F1(tcpdump ip and not net)144 165.6 Q F2
(localnet)2.5 E F0 1.67 -.8(To p)108 182.4 T .07
(rint the start and end pack).8 F .07(ets \(the SYN and FIN pack)-.1 F
.069(ets\) of each TCP con)-.1 F -.15(ve)-.4 G .069(rsation that in).15
F -.2(vo)-.4 G(lv).2 E .069(es a non-)-.15 F(local host.)108 194.4 Q F1
(tcpdump 'tcp[13] & 3 != 0 and not sr)144 206.4 Q 2.5(ca)-.18 G
(nd dst net)-2.5 E F2(localnet)2.5 E F1(')A F0 1.6 -.8(To p)108 223.2 T
(rint IP pack).8 E(ets longer than 576 bytes sent through g)-.1 E(ate)
-.05 E -.1(wa)-.25 G(y).1 E F2(snup)2.5 E F0(:)A F1
(tcpdump 'gateway snup and ip[2:2] > 576')144 235.2 Q F0 1.6 -.8(To p)
108 252 T(rint IP broadcast or multicast pack).8 E(ets that were)-.1 E
F2(not)2.5 E F0(sent via ethernet broadcast or multicast:)2.5 E F1
(tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224')144 264 Q F0 1.6 -.8(To p)
108 280.8 T(rint all ICMP pack).8 E
(ets that are not echo requests/replies \(i.e., not ping pack)-.1 E
(ets\):)-.1 E F1(tcpdump 'icmp[0] != 8 and icmp[0] != 0")144 292.8 Q/F3
9/Times-Bold@0 SF(OUTPUT FORMA)72 309.6 Q(T)-.855 E F0 1.431
(The output of)108 321.6 R F2(tcpdump)3.931 E F0 1.431
(is protocol dependent.)3.931 F 1.431(The follo)6.431 F 1.431(wing gi)
-.25 F -.15(ve)-.25 G -6.43 3.931(sa b).15 H 1.432
(rief description and e)-3.931 F 1.432(xamples of)-.15 F
(most of the formats.)108 333.6 Q F1(Link Le)108 363.6 Q -.1(ve)-.15 G
2.5(lH).1 G(eaders)-2.5 E F0 1.301(If the '-e' option is gi)108 380.4 R
-.15(ve)-.25 G 1.301(n, the link le).15 F -.15(ve)-.25 G 3.801(lh).15 G
1.301(eader is printed out.)-3.801 F 1.301
(On ethernets, the source and destination)6.301 F
(addresses, protocol, and pack)108 392.4 Q(et length are printed.)-.1 E
.275(On FDDI netw)108 409.2 R .275(orks, the)-.1 F .275
('-e' option causes)5.275 F F2(tcpdump)2.775 E F0 .275
(to print the `frame control' \214eld,)2.775 F .276
(the source and desti-)5.276 F .486(nation addresses, and the pack)108
421.2 R .486(et length.)-.1 F .486(\(The `frame control' \214eld go)
5.486 F -.15(ve)-.15 G .485(rns the interpretation of the rest of).15 F
1.196(the pack)108 433.2 R 3.696(et. Normal)-.1 F(pack)3.696 E 1.197
(ets \(such as those containing IP datagrams\) are `async' pack)-.1 F
1.197(ets, with a priority)-.1 F -.25(va)108 445.2 S .234
(lue between 0 and 7; for e).25 F .234(xample, `)-.15 F F1(async4)A F0
2.734('. Such)B(pack)2.734 E .233
(ets are assumed to contain an 802.2 Logical Link)-.1 F
(Control \(LLC\) pack)108 457.2 Q
(et; the LLC header is printed if it is)-.1 E F2(not)2.5 E F0
(an ISO datagram or a so-called SN)2.5 E(AP pack)-.35 E(et.)-.1 E F2
1.539(\(N.B.: The following description assumes familiarity with the SL\
IP compr)108 474 R 1.54(ession algorithm described in)-.37 F
(RFC-1144.\))108 486 Q F0 .917(On SLIP links, a direction indicator \(`)
108 502.8 R(`I')-.74 E 3.417('f)-.74 G .917(or inbound, `)-3.417 F(`O')
-.74 E 3.417('f)-.74 G .916(or outbound\), pack)-3.417 F .916
(et type, and compression)-.1 F .14(information are printed out.)108
514.8 R .14(The pack)5.14 F .14(et type is printed \214rst.)-.1 F .14
(The three types are)5.14 F F2(ip)2.64 E F0(,)A F2(utcp)2.64 E F0 2.64
(,a)C(nd)-2.64 E F2(ctcp)2.64 E F0 5.14(.N)C 2.64(of)-5.14 G(ur)-2.64 E
(-)-.2 E .217(ther link information is printed for)108 526.8 R F2(ip)
2.717 E F0(pack)2.717 E 2.717(ets. F)-.1 F .217(or TCP pack)-.15 F .217
(ets, the connection identi\214er is printed follo)-.1 F(w-)-.25 E .631
(ing the type.)108 538.8 R .631(If the pack)5.631 F .631
(et is compressed, its encoded header is printed out.)-.1 F .631
(The special cases are printed)5.631 F .763(out as)108 550.8 R F1(*S+)
3.263 E F2(n)A F0(and)3.263 E F1(*SA+)3.263 E F2(n)A F0 3.263(,w)C(here)
-3.263 E F2(n)3.263 E F0 .763
(is the amount by which the sequence number \(or sequence number and)
3.263 F .339(ack\) has changed.)108 562.8 R .339
(If it is not a special case, zero or more changes are printed.)5.339 F
2.839(Ac)5.339 G .339(hange is indicated by U)-2.839 F(\(ur)108 574.8 Q
.358(gent pointer\), W \(windo)-.18 F .357
(w\), A \(ack\), S \(sequence number\), and I \(pack)-.25 F .357
(et ID\), follo)-.1 F .357(wed by a delta \(+n or)-.25 F 1.724
(-n\), or a ne)108 586.8 R 4.224(wv)-.25 G 1.724(alue \(=n\).)-4.474 F
(Finally)6.724 E 4.224(,t)-.65 G 1.724(he amount of data in the pack)
-4.224 F 1.725(et and compressed header length are)-.1 F(printed.)108
598.8 Q -.15(Fo)108 615.6 S 3.424(re).15 G .924(xample, the follo)-3.574
F .924(wing line sho)-.25 F .924(ws an outbound compressed TCP pack)-.25
F .923(et, with an implicit connection)-.1 F .435(identi\214er; the ack\
 has changed by 6, the sequence number by 49, and the pack)108 627.6 R
.436(et ID by 6; there are 3 bytes)-.1 F
(of data and 6 bytes of compressed header:)108 639.6 Q F1 2.5(Oc)144
651.6 S(tcp * A+6 S+49 I+6 3 \(6\))-2.5 E(ARP/RARP P)108 681.6 Q(ack)-.1
E(ets)-.1 E F0 .227(Arp/rarp output sho)108 698.4 R .227
(ws the type of request and its ar)-.25 F 2.726(guments. The)-.18 F .226
(format is intended to be self e)2.726 F(xplanatory)-.15 E(.)-.65 E
(Here is a short sample tak)108 710.4 Q
(en from the start of an `rlogin' from host)-.1 E F2(rtsg)2.5 E F0
(to host)2.5 E F2(csam)2.5 E F0(:)A/F4 10/Courier@0 SF
(arp who-has csam tell rtsg)144 728.4 Q F0(30 June 1997)279.335 768 Q(6)
202.335 E EP
%%Page: 7 7
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Courier@0 SF(arp reply csam is-at CSAM)144 84 Q F0 .567
(The \214rst line says that rtsg sent an arp pack)108 102 R .568
(et asking for the ethernet address of internet host csam.)-.1 F(Csam)
5.568 E .922(replies with its ethernet address \(in this e)108 114 R
.921(xample, ethernet addresses are in caps and internet addresses in)
-.15 F(lo)108 126 Q(wer case\).)-.25 E(This w)108 142.8 Q
(ould look less redundant if we had done)-.1 E/F2 10/Times-Bold@0 SF
(tcpdump \255n)2.5 E F0(:)A F1
(arp who-has 128.3.254.6 tell 128.3.254.68)144 160.8 Q
(arp reply 128.3.254.6 is-at 02:07:01:00:01:c4)144 172.8 Q F0 1.46
(If we had done)108 189.6 R F2 1.46(tcpdump \255e)3.96 F F0 3.96(,t)C
1.46(he f)-3.96 F 1.46(act that the \214rst pack)-.1 F 1.46
(et is broadcast and the second is point-to-point)-.1 F -.1(wo)108 201.6
S(uld be visible:).1 E F1(RTSG Broadcast 0806)144 219.6 Q
(64: arp who-has csam tell rtsg)12 E(CSAM RTSG 0806)144 231.6 Q
(64: arp reply csam is-at CSAM)12 E F0 -.15(Fo)108 249.6 S 3.096(rt).15
G .596(he \214rst pack)-3.096 F .596
(et this says the ethernet source address is R)-.1 F .596
(TSG, the destination is the ethernet broadcast)-.6 F
(address, the type \214eld contained he)108 261.6 Q 2.5(x0)-.15 G
(806 \(type ETHER_ARP\) and the total length w)-2.5 E(as 64 bytes.)-.1 E
F2(TCP P)108 291.6 Q(ack)-.1 E(ets)-.1 E/F3 10/Times-Italic@0 SF .85
(\(N.B.:The following description assumes familiarity with the TCP pr)
108 308.4 R .85(otocol described in RFC-793.)-.45 F .85(If you)5.85 F
(ar)108 320.4 Q 2.5(en)-.37 G(ot familiar with the pr)-2.5 E
(otocol, neither this description nor tcpdump will be of muc)-.45 E 2.5
(hu)-.15 G(se to you.\))-2.5 E F0
(The general format of a tcp protocol line is:)108 337.2 Q F3(sr)144
355.2 Q 2.5(c>d)-.37 G(st: \215a)-2.5 E(gs data-seqno ac)-.1 E 2.5(kw)
-.2 G(indow ur)-2.5 E -.1(ge)-.37 G(nt options).1 E(Sr)108 373.2 Q(c)
-.37 E F0(and)2.688 E F3(dst)2.688 E F0 .187
(are the source and destination IP addresses and ports.)2.688 F F3(Fla)
5.187 E(gs)-.1 E F0 .187(are some combination of S \(SYN\),)2.687 F
3.764(F\()108 385.2 S 1.264
(FIN\), P \(PUSH\) or R \(RST\) or a single `.)-3.764 F 3.765('\()-.7 G
1.265(no \215ags\).)-3.765 F F3(Data-seqno)6.265 E F0 1.265
(describes the portion of sequence)3.765 F 1.169(space co)108 397.2 R
-.15(ve)-.15 G 1.169(red by the data in this pack).15 F 1.169
(et \(see e)-.1 F 1.169(xample belo)-.15 F(w\).)-.25 E F3(Ac)6.169 E(k)
-.2 E F0 1.169(is sequence number of the ne)3.669 F 1.168(xt data)-.15 F
-.15(ex)108 409.2 S 1.303
(pected the other direction on this connection.).15 F F3 -.55(Wi)6.304 G
(ndow).55 E F0 1.304(is the number of bytes of recei)3.804 F 1.604 -.15
(ve b)-.25 H(uf)-.05 E 1.304(fer space)-.25 F -.2(av)108 421.2 S .337
(ailable the other direction on this connection.)-.05 F F3(Ur)5.337 E(g)
-.37 E F0 .337(indicates there is `ur)2.837 F .337
(gent' data in the pack)-.18 F(et.)-.1 E F3(Options)5.336 E F0
(are tcp options enclosed in angle brack)108 433.2 Q
(ets \(e.g., <mss 1024>\).)-.1 E F3(Sr)108 450 Q .667(c, dst)-.37 F F0
(and)3.167 E F3<8d61>3.167 E(gs)-.1 E F0 .667(are al)3.167 F -.1(wa)-.1
G .667(ys present.).1 F .667
(The other \214elds depend on the contents of the pack)5.667 F(et')-.1 E
3.168(st)-.55 G .668(cp protocol)-3.168 F
(header and are output only if appropriate.)108 462 Q
(Here is the opening portion of an rlogin from host)108 478.8 Q F3(rtsg)
2.5 E F0(to host)2.5 E F3(csam)2.5 E F0(.)A/F4 8/Courier@0 SF
(rtsg.1023 > csam.login: S 768512:768512\(0\) win 4096 <mss 1024>)144
496.8 Q(csam.login > rtsg.1023: S 947648:947648\(0\) ack 768513 win 409\
6 <mss 1024>)144 508.8 Q(rtsg.1023 > csam.login: . ack 1 win 4096)144
520.8 Q(rtsg.1023 > csam.login: P 1:2\(1\) ack 1 win 4096)144 532.8 Q
(csam.login > rtsg.1023: . ack 2 win 4096)144 544.8 Q
(rtsg.1023 > csam.login: P 2:21\(19\) ack 1 win 4096)144 556.8 Q
(csam.login > rtsg.1023: P 1:2\(1\) ack 21 win 4077)144 568.8 Q
(csam.login > rtsg.1023: P 2:3\(1\) ack 21 win 4077 urg 1)144 580.8 Q
(csam.login > rtsg.1023: P 3:4\(1\) ack 21 win 4077 urg 1)144 592.8 Q F0
.683(The \214rst line says that tcp port 1023 on rtsg sent a pack)108
610.8 R .682(et to port)-.1 F F3(lo)3.182 E(gin)-.1 E F0 .682(on csam.)
3.182 F(The)5.682 E F2(S)3.182 E F0 .682(indicates that the)3.182 F F3
(SYN)108 622.8 Q F0 1.331(\215ag w)3.831 F 1.331(as set.)-.1 F 1.332
(The pack)6.331 F 1.332(et sequence number w)-.1 F 1.332
(as 768512 and it contained no data.)-.1 F 1.332(\(The notation is)6.332
F .656(`\214rst:last\(nbytes\)' which means `sequence numbers)108 634.8
R F3<8c72>3.156 E(st)-.1 E F0 .655(up to b)3.155 F .655
(ut not including)-.2 F F3(last)3.155 E F0 .655(which is)3.155 F F3
(nbytes)3.155 E F0(bytes)3.155 E .115(of user data'.\))108 646.8 R .115
(There w)5.115 F .115(as no piggy-back)-.1 F .115(ed ack, the a)-.1 F
-.25(va)-.2 G .115(ilable recei).25 F .415 -.15(ve w)-.25 H(indo).15 E
2.615(ww)-.25 G .116(as 4096 bytes and there w)-2.715 F(as)-.1 E 2.5(am)
108 658.8 S(ax-se)-2.5 E
(gment-size option requesting an mss of 1024 bytes.)-.15 E .877
(Csam replies with a similar pack)108 675.6 R .877(et e)-.1 F .877
(xcept it includes a piggy-back)-.15 F .877(ed ack for rtsg')-.1 F 3.377
(sS)-.55 G 3.377(YN. Rtsg)-3.377 F .877(then acks)3.377 F(csam')108
687.6 Q 3.149(sS)-.55 G 3.149(YN. The)-3.149 F(`.)3.149 E 3.149('m)-.7 G
.649(eans no \215ags were set.)-3.149 F .649(The pack)5.649 F .65
(et contained no data so there is no data sequence)-.1 F(number)108
699.6 Q 5.161(.N)-.55 G .161
(ote that the ack sequence number is a small inte)-5.161 F .16
(ger \(1\).)-.15 F .16(The \214rst time)5.16 F F2(tcpdump)2.66 E F0 .16
(sees a tcp `con-)2.66 F -.15(ve)108 711.6 S .624
(rsation', it prints the sequence number from the pack).15 F 3.125
(et. On)-.1 F .625(subsequent pack)3.125 F .625(ets of the con)-.1 F
-.15(ve)-.4 G .625(rsation, the).15 F(dif)108 723.6 Q .413
(ference between the current pack)-.25 F(et')-.1 E 2.913(ss)-.55 G .413
(equence number and this initial sequence number is printed.)-2.913 F
(This)5.412 E(30 June 1997)279.335 768 Q(7)202.335 E EP
%%Page: 8 8
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R 1.127(\
means that sequence numbers after the \214rst can be interpreted as rel\
ati)108 84 R 1.428 -.15(ve b)-.25 H 1.128(yte positions in the con).15 F
-.15(ve)-.4 G(rsa-).15 E(tion')108 96 Q 2.836(sd)-.55 G .336
(ata stream \(with the \214rst data byte each direction being `1'\).)
-2.836 F .336(`-S' will o)5.336 F -.15(ve)-.15 G .335
(rride this feature, causing).15 F
(the original sequence numbers to be output.)108 108 Q .152(On the 6th \
line, rtsg sends csam 19 bytes of data \(bytes 2 through 20 in the rtsg)
108 124.8 R/F1 10/Symbol SF<ae>2.652 E F0 .152(csam side of the con)
2.652 F -.15(ve)-.4 G -.2(r-).15 G 2.78(sation\). The)108 136.8 R .28
(PUSH \215ag is set in the pack)2.78 F 2.78(et. On)-.1 F .279
(the 7th line, csam says it')2.78 F 2.779(sr)-.55 G(ecei)-2.779 E -.15
(ve)-.25 G 2.779(dd).15 G .279(ata sent by rtsg up to)-2.779 F -.2(bu)
108 148.8 S 3.171(tn).2 G .671(ot including byte 21.)-3.171 F .671
(Most of this data is apparently sitting in the sock)5.671 F .671(et b)
-.1 F(uf)-.2 E .671(fer since csam')-.25 F 3.172(sr)-.55 G(ecei)-3.172 E
-.15(ve)-.25 G(windo)108 160.8 Q 3.286(wh)-.25 G .786
(as gotten 19 bytes smaller)-3.286 F 5.786(.C)-.55 G .785
(sam also sends one byte of data to rtsg in this pack)-5.786 F 3.285
(et. On)-.1 F .785(the 8th)3.285 F(and 9th lines, csam sends tw)108
172.8 Q 2.5(ob)-.1 G(ytes of ur)-2.5 E(gent, pushed data to rtsg.)-.18 E
.259(If the snapshot w)108 189.6 R .259(as small enough that)-.1 F/F2 10
/Times-Bold@0 SF(tcpdump)2.759 E F0(didn')2.759 E 2.759(tc)-.18 G .26
(apture the full TCP header)-2.759 F 2.76(,i)-.4 G 2.76(ti)-2.76 G .26
(nterprets as much of)-2.76 F 1.354
(the header as it can and then reports `)108 201.6 R(`[|)-.74 E/F3 10
/Times-Italic@0 SF(tcp)A F0(]')A 3.854('t)-.74 G 3.854(oi)-3.854 G 1.354
(ndicate the remainder could not be interpreted.)-3.854 F 1.353(If the)
6.353 F .497(header contains a bogus option \(one with a length that')
108 213.6 R 2.997(se)-.55 G .497(ither too small or be)-2.997 F .497
(yond the end of the header\),)-.15 F .952(tcpdump reports it as `)108
225.6 R(`[)-.74 E F3 .951(bad opt)B F0(]')A 3.451('a)-.74 G .951
(nd does not interpret an)-3.451 F 3.451(yf)-.15 G .951
(urther options \(since it')-3.451 F 3.451(si)-.55 G .951
(mpossible to tell)-3.451 F .566(where the)108 237.6 R 3.066(ys)-.15 G