tcpdump.man.ps

3 网卡驱动相关实例 这是和网卡NT KMD驱动程序有关的一些资料和例子。

3.066(tart\). If)-3.066 F .567
(the header length indicates options are present b)3.066 F .567
(ut the IP datagram length is not long)-.2 F
(enough for the options to actually be there, tcpdump reports it as `)
108 249.6 Q(`[)-.74 E F3(bad hdr length)A F0(]')A('.)-.74 E F2(UDP P)108
279.6 Q(ack)-.1 E(ets)-.1 E F0
(UDP format is illustrated by this rwho pack)108 296.4 Q(et:)-.1 E/F4 10
/Courier@0 SF(actinide.who > broadcast.who: udp 84)144 314.4 Q F0 .92
(This says that port)108 332.4 R F3(who)3.42 E F0 .92(on host)3.42 F F3
(actinide)3.42 E F0 .919(sent a udp datagram to port)3.42 F F3(who)3.419
E F0 .919(on host)3.419 F F3(br)3.419 E(oadcast)-.45 E F0 3.419(,t)C
.919(he Internet)-3.419 F(broadcast address.)108 344.4 Q(The pack)5 E
(et contained 84 bytes of user data.)-.1 E .121(Some UDP services are r\
ecognized \(from the source or destination port number\) and the higher\
 le)108 361.2 R -.15(ve)-.25 G 2.622(lp).15 G(roto-)-2.622 E .146
(col information printed.)108 373.2 R .146(In particular)5.146 F 2.646
(,D)-.4 G .145
(omain Name service requests \(RFC-1034/1035\) and Sun RPC calls)-2.646
F(\(RFC-1050\) to NFS.)108 385.2 Q F2(UDP Name Ser)108 415.2 Q -.1(ve)
-.1 G 2.5(rR).1 G(equests)-2.5 E F3 3.228(\(N.B.:The following descript\
ion assumes familiarity with the Domain Service pr)108 432 R 3.229
(otocol described in)-.45 F 2.893(RFC-1035. If)108 444 R .393(you ar)
2.893 F 2.893(en)-.37 G .393(ot familiar with the pr)-2.893 F .393
(otocol, the following description will appear to be written in)-.45 F
(gr)108 456 Q(eek.\))-.37 E F0(Name serv)108 472.8 Q
(er requests are formatted as)-.15 E F3(sr)144 490.8 Q 2.5(c>d)-.37 G
(st: id op? \215a)-2.5 E(gs qtype qclass name \(len\))-.1 E F4
(h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. \(37\))144
508.8 Q F0(Host)108 526.8 Q F3(h2opolo)2.883 E F0(ask)2.883 E .383
(ed the domain serv)-.1 F .384(er on)-.15 F F3(helios)2.884 E F0 .384
(for an address record \(qtype=A\) associated with the name)2.884 F F3
(ucbvax.berk)108 538.8 Q(ele)-.1 E -.55(y.)-.3 G(edu.).55 E F0 .043
(The query id w)5.043 F .043(as `3'.)-.1 F .043(The `+' indicates the)
5.043 F F3 -.37(re)2.542 G(cur).37 E .042(sion desir)-.1 F(ed)-.37 E F0
.042(\215ag w)2.542 F .042(as set.)-.1 F .042(The query)5.042 F .492
(length w)108 550.8 R .492
(as 37 bytes, not including the UDP and IP protocol headers.)-.1 F .493
(The query operation w)5.493 F .493(as the normal)-.1 F(one,)108 562.8 Q
F3(Query)4.02 E F0 4.02(,s)C 4.02(ot)-4.02 G 1.52(he op \214eld w)-4.02
F 1.52(as omitted.)-.1 F 1.519(If the op had been an)6.52 F 1.519
(ything else, it w)-.15 F 1.519(ould ha)-.1 F 1.819 -.15(ve b)-.2 H
1.519(een printed).15 F .051(between the `3' and the `+'.)108 574.8 R
(Similarly)5.051 E 2.552(,t)-.65 G .052(he qclass w)-2.552 F .052
(as the normal one,)-.1 F F3(C_IN)2.552 E F0 2.552(,a)C .052
(nd omitted.)-2.552 F(An)5.052 E 2.552(yo)-.15 G .052(ther qclass)-2.552
F -.1(wo)108 586.8 S(uld ha).1 E .3 -.15(ve b)-.2 H
(een printed immediately after the `).15 E -1.11(A')-.8 G(.)1.11 E 2.605
(Af)108 603.6 S .605 -.25(ew a)-2.605 H .105(nomalies are check).25 F
.105(ed and may result in e)-.1 F .104
(xtra \214elds enclosed in square brack)-.15 F 2.604(ets: If)-.1 F 2.604
(aq)2.604 G .104(uery contains)-2.604 F 1.024(an answer)108 615.6 R
3.524(,n)-.4 G 1.024(ame serv)-3.524 F 1.024(er or authority section,)
-.15 F F3(ancount)3.524 E F0(,).68 E F3(nscount)3.524 E F0 3.524(,o).68
G(r)-3.524 E F3(ar)3.524 E(count)-.37 E F0 1.025(are printed as `[)3.525
F F3(n)A F0 1.025(a]', `[)B F3(n)A F0 1.025(n]' or)B(`[)108 627.6 Q F3
(n)A F0 .123(au]' where)B F3(n)2.623 E F0 .123
(is the appropriate count.)2.623 F .123(If an)5.123 F 2.623(yo)-.15 G
2.623(ft)-2.623 G .123
(he response bits are set \(AA, RA or rcode\) or an)-2.623 F 2.622(yo)
-.15 G 2.622(ft)-2.622 G(he)-2.622 E .292
(`must be zero' bits are set in bytes tw)108 639.6 R 2.792(oa)-.1 G .292
(nd three, `[b2&3=)-2.792 F F3(x)A F0 .292(]' is printed, where)B F3(x)
2.792 E F0 .292(is the he)2.792 F 2.792(xv)-.15 G .292(alue of header)
-3.042 F(bytes tw)108 651.6 Q 2.5(oa)-.1 G(nd three.)-2.5 E F2
(UDP Name Ser)108 681.6 Q -.1(ve)-.1 G 2.5(rR).1 G(esponses)-2.5 E F0
(Name serv)108 698.4 Q(er responses are formatted as)-.15 E F3(sr)144
716.4 Q 2.5(c>d)-.37 G 2.5(st: id)-2.5 F(op r)2.5 E(code \215a)-.37 E
(gs a/n/au type class data \(len\))-.1 E F0(30 June 1997)279.335 768 Q
(8)202.335 E EP
%%Page: 9 9
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R/F1 10
/Courier@0 SF
(helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 \(273\))144 84 Q
(helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 \(97\))144 96 Q F0
1.428(In the \214rst e)108 114 R(xample,)-.15 E/F2 10/Times-Italic@0 SF
(helios)3.928 E F0 1.428(responds to query id 3 from)3.928 F F2(h2opolo)
3.928 E F0 1.427(with 3 answer records, 3 name serv)3.928 F(er)-.15 E
.394(records and 7 authority records.)108 126 R .395(The \214rst answer\
 record is type A \(address\) and its data is internet address)5.394 F
4.52(128.32.137.3. The)108 138 R 2.02(total size of the response w)4.52
F 2.019(as 273 bytes, e)-.1 F 2.019(xcluding UDP and IP headers.)-.15 F
2.019(The op)7.019 F
(\(Query\) and response code \(NoError\) were omitted, as w)108 150 Q
(as the class \(C_IN\) of the A record.)-.1 E .964(In the second e)108
166.8 R(xample,)-.15 E F2(helios)3.464 E F0 .964
(responds to query 2 with a response code of non-e)3.464 F .965
(xistent domain \(NXDo-)-.15 F .573
(main\) with no answers, one name serv)108 178.8 R .573
(er and no authority records.)-.15 F .573(The `*' indicates that the)
5.573 F F2(authoritative)3.073 E(answer)108 190.8 Q F0(bit w)2.5 E
(as set.)-.1 E
(Since there were no answers, no type, class or data were printed.)5 E
.117(Other \215ag characters that might appear are `\255' \(recursion a)
108 207.6 R -.25(va)-.2 G .118(ilable, RA,).25 F F2(not)2.618 E F0 .118
(set\) and `|' \(truncated message,)2.618 F(TC, set\).)108 219.6 Q
(If the `question' section doesn')5 E 2.5(tc)-.18 G(ontain e)-2.5 E
(xactly one entry)-.15 E 2.5(,`)-.65 G([)-2.5 E F2(n)A F0
(q]' is printed.)A .469(Note that name serv)108 236.4 R .469
(er requests and responses tend to be lar)-.15 F .468(ge and the def)
-.18 F(ault)-.1 E F2(snaplen)2.968 E F0 .468(of 68 bytes may not)2.968 F
.073(capture enough of the pack)108 248.4 R .073(et to print.)-.1 F .073
(Use the)5.073 F/F3 10/Times-Bold@0 SF<ad73>2.573 E F0 .074
(\215ag to increase the snaplen if you need to seriously in)2.573 F -.15
(ve)-.4 G(s-).15 E(tig)108 260.4 Q(ate name serv)-.05 E(er traf)-.15 E
2.5(\214c. `)-.25 F F3(\255s 128)A F0 2.5('h)C(as w)-2.5 E(ork)-.1 E
(ed well for me.)-.1 E F3(NFS Requests and Replies)108 302.4 Q F0
(Sun NFS \(Netw)108 319.2 Q
(ork File System\) requests and replies are printed as:)-.1 E F2(sr)144
337.2 Q(c.xid > dst.nfs: len op ar)-.37 E(gs)-.37 E(sr)144 349.2 Q
(c.nfs > dst.xid: r)-.37 E(eply stat len op r)-.37 E(esults)-.37 E F1
(sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165)144 379.2 Q
(wrl.nfs > sushi.6709: reply ok 40 readlink "../var")144 391.2 Q
(sushi.201b > wrl.nfs:)144 403.2 Q
(144 lookup fh 9,74/4096.6878 "xcolors")180 415.2 Q
(wrl.nfs > sushi.201b:)144 427.2 Q
(reply ok 128 lookup fh 9,74/4134.3150)180 439.2 Q F0 .655
(In the \214rst line, host)108 469.2 R F2(sushi)3.155 E F0 .655
(sends a transaction with id)3.155 F F2(6709)3.155 E F0(to)3.155 E F2
(wrl)3.155 E F0 .655(\(note that the number follo)3.155 F .655
(wing the src)-.25 F .034(host is a transaction id,)108 481.2 R F2(not)
2.534 E F0 .034(the source port\).)2.534 F .034(The request w)5.034 F
.034(as 112 bytes, e)-.1 F .035(xcluding the UDP and IP headers.)-.15 F
.191(The operation w)108 493.2 R .191(as a)-.1 F F2 -.37(re)2.691 G
(adlink).37 E F0 .191(\(read symbolic link\) on \214le handle \()2.691 F
F2(fh)A F0 2.69(\)2)C 2.69(1,24/10.731657119. \(If)-2.69 F .19
(one is luck)2.69 F -.65(y,)-.15 G .002
(as in this case, the \214le handle can be interpreted as a major)108
505.2 R .003(,minor de)-.4 F .003(vice number pair)-.25 F 2.503(,f)-.4 G
(ollo)-2.503 E .003(wed by the inode)-.25 F
(number and generation number)108 517.2 Q(.\))-.55 E F2(Wrl)5 E F0
(replies `ok' with the contents of the link.)2.5 E .134
(In the third line,)108 534 R F2(sushi)2.634 E F0(asks)2.634 E F2(wrl)
2.634 E F0 .133(to lookup the name `)2.633 F F2(xcolor)A(s)-.1 E F0
2.633('i)C 2.633(nd)-2.633 G .133(irectory \214le 9,74/4096.6878.)-2.633
F .133(Note that the)5.133 F .895
(data printed depends on the operation type.)108 546 R .896
(The format is intended to be self e)5.895 F .896
(xplanatory if read in con-)-.15 F(junction with an NFS protocol spec.)
108 558 Q(If the \255v \(v)108 574.8 Q(erbose\) \215ag is gi)-.15 E -.15
(ve)-.25 G(n, additional information is printed.).15 E -.15(Fo)5 G 2.5
(re).15 G(xample:)-2.65 E F1(sushi.1372a > wrl.nfs:)144 604.8 Q
(148 read fh 21,11/12.195 8192 bytes @ 24576)180 616.8 Q
(wrl.nfs > sushi.1372a:)144 628.8 Q
(reply ok 1472 read REG 100664 ids 417/0 sz 29388)180 640.8 Q F0 .538(\
\(\255v also prints the IP header TTL, ID, and fragmentation \214elds, \
which ha)108 670.8 R .838 -.15(ve b)-.2 H .538(een omitted from this e)
.15 F(xam-)-.15 E 3.218(ple.\) In)108 682.8 R .719(the \214rst line,)
3.219 F F2(sushi)3.219 E F0(asks)3.219 E F2(wrl)3.219 E F0 .719
(to read 8192 bytes from \214le 21,11/12.195, at byte of)3.219 F .719
(fset 24576.)-.25 F F2(Wrl)5.719 E F0 .556(replies `ok'; the pack)108
694.8 R .556(et sho)-.1 F .556
(wn on the second line is the \214rst fragment of the reply)-.25 F 3.056
(,a)-.65 G .556(nd hence is only 1472)-3.056 F .951
(bytes long \(the other bytes will follo)108 706.8 R 3.451(wi)-.25 G
3.451(ns)-3.451 G .951(ubsequent fragments, b)-3.451 F .951
(ut these fragments do not ha)-.2 F 1.252 -.15(ve N)-.2 H .952(FS or).15
F -2.15 -.25(ev e)108 718.8 T 3.238(nU).25 G .737
(DP headers and so might not be printed, depending on the \214lter e)
-3.238 F .737(xpression used\).)-.15 F .737(Because the \255v)5.737 F
.48(\215ag is gi)108 730.8 R -.15(ve)-.25 G .48
(n, some of the \214le attrib).15 F .48(utes \(which are returned in ad\
dition to the \214le data\) are printed: the \214le)-.2 F(30 June 1997)
279.335 768 Q(9)202.335 E EP
%%Page: 10 10
%%BeginPageSetup
BP
%%EndPageSetup
/F0 10/Times-Roman@0 SF 347.72(TCPDUMP\(1\) TCPDUMP\(1\))72 48 R
(type \(`)108 84 Q(`REG')-.74 E(', for re)-.74 E(gular \214le\), the \
\214le mode \(in octal\), the uid and gid, and the \214le size.)-.15 E
(If the \255v \215ag is gi)108 100.8 Q -.15(ve)-.25 G 2.5(nm).15 G
(ore than once, e)-2.5 E -.15(ve)-.25 G 2.5(nm).15 G
(ore details are printed.)-2.5 E .474(Note that NFS requests are v)108
117.6 R .474(ery lar)-.15 F .473(ge and much of the detail w)-.18 F(on')
-.1 E 2.973(tb)-.18 G 2.973(ep)-2.973 G .473(rinted unless)-2.973 F/F1
10/Times-Italic@0 SF(snaplen)2.973 E F0 .473(is increased.)2.973 F -.35
(Tr)108 129.6 S 2.5(yu).35 G(sing `)-2.5 E/F2 10/Times-Bold@0 SF
(\255s 192)A F0 2.5('t)C 2.5(ow)-2.5 G(atch NFS traf)-2.6 E(\214c.)-.25
E .482(NFS reply pack)108 146.4 R .482(ets do not e)-.1 F .482
(xplicitly identify the RPC operation.)-.15 F(Instead,)5.482 E F1
(tcpdump)2.982 E F0 -.1(ke)2.982 G .482(eps track of `).1 F(`recent')
-.74 E(')-.74 E .854
(requests, and matches them to the replies using the transaction ID.)108
158.4 R .854(If a reply does not closely follo)5.854 F 3.353(wt)-.25 G
(he)-3.353 E(corresponding request, it might not be parsable.)108 170.4
Q F2(KIP A)108 200.4 Q(ppletalk \(DDP in UDP\))-.25 E F0 .625
(Appletalk DDP pack)108 217.2 R .625(ets encapsulated in UDP datagrams \
are de-encapsulated and dumped as DDP pack)-.1 F(ets)-.1 E .675
(\(i.e., all the UDP header information is discarded\).)108 229.2 R .675
(The \214le)5.675 F F1(/etc/atalk.names)3.175 E F0 .674
(is used to translate appletalk)3.174 F(net and node numbers to names.)
108 241.2 Q(Lines in this \214le ha)5 E .3 -.15(ve t)-.2 H(he form).15 E
F1 2.95(number name)144 259.2 R/F3 10/Courier@0 SF 36(1.254 ether)144
283.2 R 42(16.1 icsd-net)144 295.2 R 12(1.254.110 ace)144 307.2 R F0
.351(The \214rst tw)108 325.2 R 2.851(ol)-.1 G .351(ines gi)-2.851 F
.651 -.15(ve t)-.25 H .351(he names of appletalk netw).15 F 2.851
(orks. The)-.1 F .351(third line gi)2.851 F -.15(ve)-.25 G 2.851(st).15
G .351(he name of a particular host)-2.851 F .045(\(a host is distingui\
shed from a net by the 3rd octet in the number \255 a net number)108
337.2 R F1(must)2.545 E F0(ha)2.544 E .344 -.15(ve t)-.2 H .244 -.1
(wo o).15 H .044(ctets and a).1 F .465(host number)108 349.2 R F1(must)
2.965 E F0(ha)2.965 E .765 -.15(ve t)-.2 H .465(hree octets.\)).15 F
.465(The number and name should be separated by whitespace \(blanks or)
5.465 F 2.5(tabs\). The)108 361.2 R F1(/etc/atalk.names)2.5 E F0(\214le\
 may contain blank lines or comment lines \(lines starting with a `#'\)\
.)2.5 E(Appletalk addresses are printed in the form)108 378 Q F1
(net.host.port)144 396 Q F3(144.1.209.2 > icsd-net.112.220)144 420 Q
(office.2 > icsd-net.112.220)144 432 Q(jssmag.149.235 > icsd-net.2)144
444 Q F0 2.197(\(If the)108 462 R F1(/etc/atalk.names)4.697 E F0(doesn')
4.697 E 4.697(te)-.18 G 2.197(xist or doesn')-4.847 F 4.696(tc)-.18 G
2.196(ontain an entry for some appletalk host/net number)-4.696 F(,)-.4
E .628(addresses are printed in numeric form.\))108 474 R .628
(In the \214rst e)5.628 F .628
(xample, NBP \(DDP port 2\) on net 144.1 node 209 is)-.15 F .63
(sending to whate)108 486 R -.15(ve)-.25 G 3.13(ri).15 G 3.13(sl)-3.13 G
.63(istening on port 220 of net icsd node 112.)-3.13 F .63
(The second line is the same e)5.63 F .63(xcept the)-.15 F .214
(full name of the source node is kno)108 498 R .215(wn \(`of)-.25 F
2.715(\214ce'\). The)-.25 F .215
(third line is a send from port 235 on net jssmag node)2.715 F .241(149\
 to broadcast on the icsd-net NBP port \(note that the broadcast addres\
s \(255\) is indicated by a net name)108 510 R 1.741
(with no host number \255 for this reason it')108 522 R 4.241(sag)-.55 G
1.742(ood idea to k)-4.241 F 1.742
(eep node names and net names distinct in)-.1 F(/etc/atalk.names\).)108
534 Q .829(NBP \(name binding protoco