tcpip协议分析tcpdump

“学、做”一体化教材？“理、实”一体化教材TCP/IP协议分析V1董忠dz0212@foxmail.com2014tcpdumpTCPDUMP(8)OpenBSDSystemManager'sManualTCPDUMP(8)NAMEtcpdump-dumptrafficonanetworkSYNOPSIStcpdump[-AadefILlNnOopqStvXx][-ccount][-Ddirection][-E[espalg:]espkey][-Ffile][-iinterface][-rfile][-ssnaplen][-Ttype][-wfile][-ydatalinktype][expression]DESCRIPTIONtcpdumpprintsouttheheadersofpacketsonanetworkinterfacethatmatchthebooleanexpression.Youmusthavereadaccessto/dev/bpf*.Theoptionsareasfollows:-APrinteachpacketinASCII.Ifthe-eoptionisalsospecified,thelink-levelheaderwillbeincluded.Thesmalleroftheentirepacketorsnaplenbyteswillbeprinted.-aAttempttoconvertnetworkandbroadcastaddressestonames.-ccountExitafterreceivingcountpackets.-DdirectionSelectpacketsflowinginthespecifieddirection.Validdirectionsare:inandout.Thedefaultistoacceptpacketsflowinginanydirection.-dDumpthecompiledpacket-matchingcodeinahumanreadableformtostandardoutputandstop.-ddDumppacket-matchingcodeasaCprogramfragment.-dddDumppacket-matchingcodeasdecimalnumbersprecededwithacount.-E[espalg:]espkeyTrytodecryptRFC4835ESP(EncapsulatingSecurityPayload)trafficusingthespecifiedhexkeyespkey.Supportedalgorithmsforespalgare:aes128,aes128-hmac96,blowfish,blowfish-hmac96,cast,cast-hmac96,des3,des3-hmac96,desanddes-hmac96.Thealgorithmdefaultstoaes128-hmac96.Thisoptionshouldbeusedfordebuggingonly,sincethekeywillshowupinps(1)output.-ePrintthelink-levelheaderoneachdumpline.-FfileUsefileasinputforthefilterexpression.Anyadditionalexpressionsgivenonthecommandlineareignored.-fPrint``foreign''internetaddressesnumericallyratherthansymbolically.ThisoptionisintendedtogetaroundseriousbraindamageinSun'sypserver--usuallyithangsforevertranslatingnon-localinternetnumbers.-IPrinttheinterfaceoneachdumpline.-iinterfaceListenoninterface.Ifunspecified,tcpdumpsearchesthesysteminterfacelistforthelowestnumbered,configured``up''interface(excludingloopback).Tiesarebrokenbychoosingtheearliestmatch.-LListthesupporteddatalinktypesfortheinterfaceandexit.-lMakestdoutlinebuffered.Usefulifyouwanttoseethedatawhilecapturingit.Forexample:#tcpdump-l|teedator#tcpdump-ldat&tail-fdat-NDonotprintdomainnamequalificationofhostnames.Forexample,ifyouspecifythisflagthentcpdumpwillprint``nic''insteadof``nic.ddn.mil''.-nDonotconvertaddresses(hostaddresses,portnumbers,etc.)tonames.-ODonotrunthepacket-matchingcodeoptimizer.Thisisusefulonlyifyoususpectabugintheoptimizer.-oPrintaguessofthepossibleoperatingsystem(s)ofhoststhatsentTCPSYNpackets.Seepf.os(5)foradescriptionofthepassiveoperatingsystemfingerprints.-pDonotputtheinterfaceintopromiscuousmode.Theinterfacemightbeinpromiscuousmodeforsomeotherreason;hence,-pcannotbeusedasanabbreviationfor``etherhost{local-hw-addr}''or``etherbroadcast''.-qQuick(quiet?)output.Printlessprotocolinformationsooutputlinesareshorter.-rfileReadpacketsfromafilewhichwascreatedwiththe-woption.Standardinputisusediffileis`-'.-SPrintabsolute,ratherthanrelative,TCPsequencenumbers.-ssnaplenAnalyzeatmostthefirstsnaplenbytesofdatafromeachpacketratherthanthedefaultof116.116bytesisadequateforIPv6,ICMP,TCP,andUDP,butmaytruncateprotocolinformationfromnameserverandNFSpackets(seebelow).Packetstruncatedbecauseofalimitedsnaplenareindicatedintheoutputwith``[|proto]'',whereprotoisthenameoftheprotocollevelatwhichthetruncationhasoccurred.Takinglargersnapshotsbothincreasestheamountoftimeittakestoprocesspacketsand,effectively,decreasestheamountofpacketbuffering.Thismaycausepacketstobelost.Youshouldlimitsnaplentothesmallestnumberthatwillcapturetheprotocolinformationyou'reinterestedin.-TtypeForcepacketsselectedbyexpressiontobeinterpretedasthespecifiedtype.Currentlyknowntypesarevrrp(VirtualRouterRedundancyprotocol),cnfp(CiscoNetFlowprotocol),rpc(RemoteProcedureCall),rtp(Real-TimeApplicationsprotocol),rtcp(Real-TimeApplicationscontrolprotocol),sack(RFC2018TCPSelectiveAcknowledgementsOptions),tcp(TransmissionControlProtocol),vat(VisualAudioTool),andwb(distributedWhiteBoard).-tDonotprintatimestamponeachdumpline.-ttPrintanunformattedtimestamponeachdumpline.-tttPrintdayandmonthintimestamp.-ttttPrinttimestampdifferencebetweenpackets.-tttttPrinttimestampdifferencesincethefirstpacket.-v(Slightlymore)verboseoutput.Forexample,thetimetolive(TTL)andtypeofservice(ToS)informationinanIPpacketareprinted.-vvEvenmoreverboseoutput.Forexample,additionalfieldsareprintedfromNFSreplypackets.-wfileWritetherawpacketstofileratherthanparsingandprintingthemout.Theycanbeanalyzedlaterwiththe-roption.Standardoutputisusediffileis`-'.-XPrinteachpacketinhexandASCII.Ifthe-eoptionisalsospecified,thelink-levelheaderwillbeincluded.Thesmalleroftheentirepacketorsnaplenbyteswillbeprinted.-xPrinteachpacketinhex.Ifthe-eoptionisalsospecified,thelink-levelheaderwillbeincluded.Thesmalleroftheentirepacketorsnaplenbyteswillbeprinted.-ydatalinktypeSetthedatalinktypetousewhilecapturingtodatalinktype.CommonlyusedtypesincludeEN10MB,IEEE802_11,andIEEE802_11_RADIO.Thechoicesapplicabletoaparticulardevicecanbelistedusing-L.expressionselectswhichpacketswillbedumped.Ifnoexpressionisgiven,allpacketsonthenetw