Introduction to tcpdump

In traditional local network analysis and testing technology, sniffer is the most common and important technology. Sniffer is designed for network analysis by network administrators and network programmers. Network administrators can keep abreast of the actual network conditions by using sniffer. when network performance drops sharply, they can use sniff in traditional network analysis and testing technologies, sniffer is the most common and important technology. Sniffer is designed for network analysis by network administrators and network programmers.
For network administrators, network operators can keep abreast of the actual network conditions. when network performance drops sharply, you can use the sniffer tool to analyze the causes and find out the source of network congestion. For network programmers, the sniffer tool is used to debug programs.
If you have used the local sniffer tool (for example, netxray and snifferpro software) on the windows platform, you may know that using the sniffer tool in a shared Lan can provide a clear view of all traffic in the network! The Sniffer tool is actually a local packet capture tool on the network. you can also analyze the local packets accordingly. In a shared-bandwidth network, information packets are broadcast to all the network interfaces of hosts in the network, but the sniffer tool is not used, the local network device determines whether the information package should be received, so that it will discard the information package that should not be received. the sniffer tool allows the local network device to receive all the information packets of arrival, this achieves the network listening effect.
When Linux is a network server, especially a router or gateway, data collection and analysis are essential. So today, let's take a look at the Linux Zhongqiang Earth network data collection and analysis tool ?? TcpDump.
Define in simple words TcpdumpDump the traffice on anetwork is used to analyze the captured packets on the network according to the caller's definition.
As a necessary tool for system administrators in classic locations on the Internet, tcpdump uses its powerful functions to flexibly intercept policies and becomes one of the essential locations for every senior system administrator to analyze networks and troubleshoot problems.
As the name suggests, TcpDump can completely intercept the local data packet header in the network for analysis. It supports filtering at the network layer, protocol, host, network, or port, and provides logical statements such as and, or, and not to help you remove the land-free information.
Tcpdump provides source code and open interfaces, so it has strong scalability and is a useful tool for network maintenance and intruders. Tcpdump exists in the FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute it to obtain information on the network. Therefore, there are network analysis tools in the system, which do not focus on local security threats, but on the security of other computers on the network.
Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
-----------------------
Bash-2.02 # tcpdump
Tcpdump: listening on eth0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/Clen = 43
0000 0000 0080 0000 1007 cf08 0900 0000
0e80 0000 902b 4695 0980 8701 0014
000f 0000 902b 4695 0008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/Clen = 97
Ffff 0060 0004 ffff
0452 ffff 0000 e85b 6d85 4008 0002
0640 4d41 5354 4552 5f57 4542 0000 0000
00, 0000
^ C
------------------------
First of all, we should note that the output result above shows that basically the output format of tcpdump is: System time source host. Port> target host. Port data packet parameter.
Support for TcpDump geoparameterization
Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is quite useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify the number of data packets to be monitored to be written to the file for storage.
However, the tcpdump parameter is more complex to filter targets. this is because the traffic in the network is large. If no resolution is added, all data packets are intercepted, and the data volume is too large, instead, it is not easy to find the data packets that need to be sent. Using these parameter-defined filtering rules can intercept specific data packets to narrow down the target so as to better analyze the problems in the network. Tcpdump uses parameters to specify the data packet location type, address, port, and so on. based on specific network problems, making full use of these filtering rules can quickly locate the fault location. Use mantcpdump to view the specific usage of these filter rules.
Note: For the sake of security, network analysis software of this type should not be run on computers without network management purposes. to shield them, bpfilter pseudo devices in the kernel can be shielded. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. to receive these data packets, you must use the Nic hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling the support of bpfilter in the kernel.
When the NIC is set to the hybrid mode, the system will leave a record in the console and log files to remind the administrator to check whether the system is used as a springboard to attack other computers on the same network.
May 15 16:27:20 host1/kernel: fxp0: promiscuous mode enabled
Although the network analysis tool can record the data transmitted from the network, the data traffic in the network is quite large, how to analyze the data, classify statistics, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the format of data packets in different protocols is also different. Therefore, decoding the captured data and displaying the information in the package as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.
From the output of tcpdump above, we can see that tcpdump does not thoroughly decode the captured data. most of the content in the data packet's mainland is printed directly in hexadecimal format. This is not conducive to the analysis of network faults. The common solution is to use tcpdump with The-w parameter to capture data and save it to a file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to avoid capturing data packets to fill the entire hard disk.
TCP functions
Data Filtering
Without any parameters, TcpDump searches all the network interfaces in the system and displays all the data it intercepts. this data is not necessarily all required for us, and too much data is not conducive to analysis. Therefore, we should first think about the data we need. TcpDump provides the following parameters for us to choose the data:
-B selects the protocol on the data-link layer, including ip, arp, rarp, and ipx.
For example, tcpdump-B arp only displays arp in the network, that is, address translation protocol information.
-I select to filter the local network interface. if there are at least two network interfaces as a vro, you can use this option to filter only the data on the specified local interface. For example:
Tcpdump-I eth0 only displays all the headers on the eth0 interface.
The options src, dst, port, host, net, ether, and gateway include additional options such as src, dst, port, host, net, and ehost. They are used to identify the source and destination of data packets. src host192.168.0.1 specifies that the source host IP address is 192.168.0.1, and dst net192.168.0.0/24 specifies that the destination is 192.168.0.0. Similarly, the host is related to the specified host, whether it is the source or destination, net is related to the specified network, ether is followed by a physical address instead of an IP address, and gateway is used for the gateway host. It may be a bit complicated. let's see the following example:
Tcpdump src host 192.168.0.1 and dst net 192.168.0.0/24
The filter is the source host is 192.168.0.1 and the destination network is the 192.168.0.0 header.
Tcpdump ether src 00: 50: 04: BA: 9B and dst ......
Filter the physical address of the source host to the XXX header (why is there no host or net behind ether src? Of course, the physical address cannot have a network ).
Tcpdump src host 192.168.0.1 and dst port not telnet
Filter the source host 192.168.0.1 and destination ports not the telnet header.
Ip icmp arp rarp, tcp, udp, icmp, and other options must be placed in the first parameter location to filter the data source type.
For example:
Tcpdump ip src ......
Only filter data-the IP address header on the link layer.
Tcpdump udp and src host 192.168.0.1
Only filter all udp headers in the source host 192.168.0.1.
Data Display/input/output
TcpDump provides enough parameters for us to determine how to process the obtained data, as shown below:
-L can redirect data.
For example, tcpdump-l> tcpcap.txtwill be stored in the tcpcap.txt file.
-N does not convert the IP address to the host name.
If you do not use this option, if a host name exists in the system, TcpDump will convert the IP address to the host name, as shown in the following figure: eth0 <ntc9.1165> router.domain.net. telnet: eth0 <192.168.0.9.1165> 192.168.0.1.telnet.
-Nn does not perform port name conversion.
After applying-nn, the above information becomes: eth0 <ntc9.1165> router.domain.net. 23.
-N does not print the default domain name.
After N, it is eth0 <ntc9.1165> router. telnet.
-O does not optimize the matching code.
-T does not print the UNIX timestamp, that is, the time is not displayed.
-Tt prints the original and unformatted time.
-V is output in detail, which means that there is more TTL and service type than normal.
　
TCPDUMP installation
In linux, tcpdump is easy to install. Generally, there are two installation methods. One is to install it in the form of rpm package. In addition, it is installed as a source program.
1. rpm installation in the form of package
# Rpm-ivh tcpdump-3_4a5.rpm
In this way, tcpdump is successfully installed in your linux system. It's easy.
2. installation of source code
# Tar xvfz tcpdump-3_4a5.tar.Z
Run the following command to install the rpm local package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
In this way, extract the tcpdump source code to the/usr/src/redhat/SOURCES Directory.
Step 2 Prepare the source program for compilation
Before compiling the source program, it is best to determine that the library file libpcap has been installed. this library file is the library file required by tcpdump software. Similarly, you also need a standard C language compiler. In linux, the standard c language compiler is generally gcc. In the tcpdump source program directory. One file is Makefile. in. the configure command automatically generates the Makefile file from the Makefile. in file. In the Makefile. in file, you can modify the BINDEST and MANDEST macro definitions according to the system configuration. the default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
　
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro value indicates the path name of the tcpdump man help page. you can modify them to meet the requirements of the system.
Step 3 compile the source program
　
The configure script in the source program directory is used to read various required properties from the system. The Makefile file is automatically generated based on the Makefile. in file, so that the. make command can be used to compile the tcpdump local Source program according to the rules in the Makefile file. Use the makeinstall command to install and compile tcpdump binary files.
　
Summary:
　
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install
For more information about tcpdump, see Man tcpdump.
Introduction to Network data collection and analysis tool TcpDump
As the name suggests, TcpDump can completely intercept the local data packet header in the network for analysis. It supports filtering at the network layer, protocol, host, network, or port, and provides logical statements such as and, or, and not to help you remove the land-free information. Tcpdump is a free network analysis tool that provides source code and exposes interfaces. Therefore, tcpdump is highly scalable and useful for network maintenance and intruders. Tcpdump exists in the FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute it to obtain information on the network. Therefore, there are network analysis tools in the system, which do not focus on local security threats, but on the security of other computers on the network.
Tcpdump is defined as simple as possible, namely: dump the traffice on anetwork. this is an analysis tool used to analyze captured packets on the network according to the definition of the caller. As a necessary tool for system administrators in classic locations on the Internet, tcpdump uses its powerful functions to flexibly intercept policies and becomes one of the essential tasks for every senior system administrator to analyze networks and troubleshoot problems. Tcpdump provides source code and open interfaces, so it has strong scalability and is a useful tool for network maintenance and intruders. Tcpdump exists in the FreeBSD System. because it needs to set the network interface to the mixed mode, normal users cannot execute normally, however, users with root permissions can directly execute it to obtain information on the network. Therefore, there are network analysis tools in the system, which do not focus on local security threats, but on the security of other computers on the network.
Network data collection and analysis tool TcpDump installation
In linux, tcpdump is easy to install. Generally, there are two installation methods. One is to install it in the form of rpm package. In addition, it is installed as a source program.
Rpm installation in package mode: This mode is the simplest installation method. The rpm package is to compile the software and package it into a binary format. you can directly install it using the rpm command, you do not need to modify anything. Use the following command to log on as a super user:
# Rpm-ivh tcpdump-3_4a5.rpm
In this way, tcpdump is successfully installed in your linux system. It's easy.
SOURCE program installation: Since rpm Package installation is very simple, why should we adopt complicated source program installation? In fact, one of the most attractive aspects of linux is that there are a lot of software on it that provides the source program. people can modify the source program to meet their special needs. So I especially recommend that you use this method to install the source program.
Rpm distribution package (tcpdump-3_4a5.src.rpm ). The two types of content are similar. different types of content are compressed local files. you can use the following command to solve the problem:
# Tar xvfz tcpdump-3_4a5.tar.Z
Run the following command to install the rpm local package:
# Rpm-ivh tcpdump-3_4a5.src.rpm
In this way, extract the tcpdump source code to the/usr/src/redhat/SOURCES Directory.
Step 2 Prepare the source program for compilation
Before compiling the source program, it is best to determine that the library file libpcap has been installed. this library file is the library file required by tcpdump software. Similarly, you also need a standard C language compiler. In linux, the C language compiler is generally gcc. In the tcpdump source program directory. One file is Makefile. in. the configure command automatically generates the Makefile file from the Makefile. in file. In the Makefile. in file, you can modify the BINDEST and MANDEST macro definitions according to the system configuration. the default value is
BINDEST = @ sbindir @
MANDEST = @ mandir @
The first macro value indicates the path name of the binary file where tcpdump is installed, and the second macro value indicates the path name of the tcpdump man help page. you can modify them to meet the requirements of the system.
Step 3 compile the source program
The configure script in the source program directory is used to read various required properties from the system. The Makefile file is automatically generated based on the Makefile. in file, so that the. make command can be used to compile the tcpdump local Source program according to the rules in the Makefile file. Use the makeinstall command to install and compile tcpdump binary files.
Summary:
# Tar xvfz tcpdump-3_4a5.tar.Z
# Vi Makefile. in
#./Configure
# Make
# Make install
Use network data collection and analysis tools TcpDump
Under normal circumstances, directly starting tcpdump will monitor all the data packets flowing through the first network interface.
# Tcpdump
Tcpdump: listening on fxp0
11:58:47. 873028 202.102.245.40.netbios-ns> 202.102.245.127.netbios-ns: udp 50
11:58:47. 974331 0: 10: 7b: 8: 3a: 56> 1: 80: c2: 0: 0: 0 802.1d ui/Clen = 43
0000 0000 0080 00001007 cf08 0900 0000
0e80 0000 902b 46950980 8701 0014 0002
000f 0000 902b 46950008 00
11:58:48. 373134 0: 0: e8: 5b: 6d: 85> Broadcast sap e0 ui/Clen = 97
Ffff 0060 0004 ffffffff ffff
0452 ffff rje85b 6d85 4008 0002
0640 4d41 5354 45525f57 4542 0000 0000
00, 0000
^ C
Tcpdump supports many different parameters. for example, you can use the-I parameter to specify the network interface of the tcpdump listener, which is quite useful when the computer has multiple network interfaces, use the-c parameter to specify the number of data packets to be monitored, and use the-w parameter to specify the number of data packets to be monitored to be written to the file for storage.
However, the tcpdump parameter is more complex to filter targets. this is because the traffic in the network is large. If no resolution is added, all data packets are intercepted, and the data volume is too large, instead, it is not easy to find the data packets that need to be sent. Using these parameter-defined filtering rules can intercept specific data packets to narrow down the target so as to better analyze the problems in the network. Tcpdump uses parameters to specify the data packet location type, address, port, and so on. based on specific network problems, making full use of these filtering rules can quickly locate the fault location. Use mantcpdump to view the specific usage of these filter rules.
Note: For the sake of security, network analysis software of this type should not be run on computers without network management purposes. to shield them, bpfilter pseudo devices in the kernel can be shielded. Generally, network hardware and TCP/IP stacks do not support receiving or sending data packets unrelated to the computer. to receive these data packets, you must use the Nic hybrid mode, and bypass the standard TCP/IP stack. In FreeBSD, the kernel must support bpfilter, a pseudo-device. Therefore, network analysis tools such as tcpdump can be shielded by canceling the support of bpfilter in the kernel.
When the NIC is set to the hybrid mode, the system will leave a record in the console and log files to remind the administrator to check whether the system is used as a springboard to attack other computers on the same network.
May 15 16:27:20 host1/kernel: fxp0: promiscuous mode enabled
Although the network analysis tool can record the data transmitted from the network, the data traffic in the network is quite large, how to analyze the data, classify statistics, and discover and report errors is more critical. Data packets in the network belong to different protocols, and the format of data packets in different protocols is also different. Therefore, decoding the captured data and displaying the information in the package as much as possible is more important for protocol analysis tools. The advantage of expensive commercial analysis tools is that they support many types of application layer protocols, not only tcp, udp and other low-layer protocols.
From the output of tcpdump above, we can see that tcpdump does not thoroughly decode the captured data. most of the content in the data packet's mainland is printed directly in hexadecimal format. This is not conducive to the analysis of network faults. The common solution is to use tcpdump with The-w parameter to capture data and save it to a file, and then use other programs for decoding and analysis. Of course, filter rules should also be defined to avoid capturing data packets to fill the entire hard disk. FreeBSD provides a valid decoding program named tcpshow, which can be installed through PackagesCollection.
# Pkg_add/cdrom/packages/security/tcpshow *
# Tcpdump-c 3-w tcpdump. out
Tcpdump: listening on fxp0
# Tcpshow 01: 80: C2: 00: 00: 00 type = 0026
---------------------------------------------------------------------------
Packet 2
TIME: 12: 01: 01.074513 (1.089684)
LINK: 00: A0: C9: AB: 3CF-> FF: FF type = ARP
ARP: htype = Ethernet ptype = IP hlen = 6 plen = 4 op = request
Sender-MAC-addr = 00: A0: C9: AB: 3CF sender-IP-address = 202.102.245.3
Target-MAC-addr = 00: 00: 00: 00: 00target-IP-address = 202.102.245.3
---------------------------------------------------------------------------
Packet 3
TIME: 12: 01:01.98 5023 (0.910510)
LINK: 00: 10: 7B: 08: 3A: 56-> 01: 80: C2: 00: 00: 00 type = 0026
Tcpshow can decode data packets in different ways and display the decoded data in different ways. the caller can select the most appropriate parameter based on the manual to analyze the intercepted data packets. As shown in the above example, tcpshow does not support many local protocols and cannot be decoded if it does not support local protocols.
In addition to tcpdump, FreeBSD PackagesCollecion provides two network analysis tools: Ethereal and Sniffit, and a few other security tools based on network analysis. Here, Ethereal runs in X Window and has a good graphic interface. Sniffit uses the character Window form and is also easy to operate. However, since tcpdump provides more powerful support for filtering rules, system administrators still prefer to use it. For experienced network administrators, using these network analysis tools can not only be used to understand how the network runs, where the fault occurs, but also effectively collect statistics, for example, the protocol occupies a key position in traffic generation, where the host is the busiest, and where the network bottleneck is. Therefore, the network analysis tool is a valuable system tool for network management. To prevent interception of network analysis tools where data is abused, the key is to solve the problem in the physical structure of the network. The commonly used method is to use a switch or bridge to separate a trusted network from a untrusted network, which can prevent external network segments from eavesdropping on internal data transmission, however, data security issues still cannot be solved when the internal network and the external network communicate with each other. If you do not have sufficient funds to upgrade the internet shared hub to an Ethernet switch, you can use the FreeBSD system to execute the bridge task. This requires you to use the optionBRIDGE compilation option to re-customize the kernel, and then use the bridge command to start the bridge function.
Tcpdump adopts the command line method. the command format is:
Tcpdump [-adeflnNOpqStvx] [-c quantity] [-F file name]
[-I network interface] [-r file name] [-s snaplen]
[-T type] [-w file name] [expression]
(1) Introduction to tcpdump options
-A converts a network address and broadcast address into a name;
-D. package the matching information in a compilation format that people can understand;
-Dd provides the matching information package code in the format of C program segments;
-Ddd provides the matching information in decimal format;
-E prints the data link layer header information in the output line;
-F print the external Internet address in numbers;
-L changes the standard output to the buffer row format;
-N does not convert the network address into a name;
-T no timestamp is printed on each line in the output location;
-V outputs a slightly detailed information. for example, the IP package can contain ttl and service type information;
-Vv outputs detailed packet information;
-C. after receiving the specified number of packages, tcpdump stops;
-F read the expression from the specified location file and ignore other location expressions;
-I indicates the network interface of the listener;
-R reads packages from a specified object (these packages are generally generated using the-w option );
-W directly writes the package into the file and does not analyze or print it out;
-T directly interpret the monitored local packet as a specified local packet. Common types include rpc (remote process call) and snmp (Simple Network Management Protocol ;)
(2) Introduction to tcpdump local expressions
The expression is a regular expression. tcpdump uses it as the condition for filtering packets. if a packet meets the condition of expression location, the packet will be captured. If no conditions are provided, all the information packages on the network will be intercepted. The following types of keywords are generally used in expressions.
The first type is the type keyword, which focuses on host, net, port, for example host 210.27.48.2. it indicates that 210.27.48.2 is a host, and net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host.
The second type is the key words determining the transmission direction, including src, dst, dst or src, dst and src, which indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dstnet 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src ordst keyword is used by default.
The third type is the protocol keyword, which focuses on fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates the local network protocol on FDDI (distributed optical fiber data interface network). In fact, it is an alias for "ether". fddi and ether have similar ground source addresses and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether local package. The other keywords indicate the content of the local packet protocol. If no protocol is specified, tcpdump listens to all protocol location information packages.
In addition to the three types of keywords, other key keywords are as follows: gateway, broadcast, less, greater, and three logical operations, which are not considered as 'not ''! ', And operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination of conditions to meet people's needs. The following are several examples to illustrate
A wants to intercept all data packets received and sent from the 210.27.48.1 host:
# Tcpdump host 210.27.48.1
B wants to intercept the communication between the host 210.27.48.1 and the host 210.27.48.2 or 210.27.48.3, use the command: (when brackets are applied in the command line, be sure
# Tcpdump host 210.27.48.1 and \ (210.27.48.2 or 210.27.48.3 \)
C if you want to obtain the IP address package for all hosts except 210.27.48.1 and 210.27.48.2, run the following command:
# Tcpdump ip host 210.27.48.1 and! 210.27.48.2
D. to obtain the local telnet packet received or sent by the host 210.27.48.1, run the following command:
# Tcpdump tcp port 23 host 210.27.48.1
(3) tcpdump output results
The following describes the output information of some typical tcpdump commands.
A. data link layer header information
Use commands
# Tcpdump -- e host ice
Ice is a linux-based host. its MAC address is 0: 90: 27: 58: AF: 1A.
H219 is a SUN workstation with a SOLARIC. its MAC address is 8: 0: 20: 79: 5B: 46. the output result of the previous command is as follows:
21:50:12. 847509 eth0 ice. telne
T 0: 0 (0) ack 22535 win 8760 (DF)
Analysis: 21: 50: 12 indicates the display time, 847509 indicates the ID number, eth0 indicates to send data packets from the network interface device, 8: 0: 20: 79: 5b: 46 is the MAC address of the host H219, which indicates that the data packet is sent from the source address H219. 0: 90: 27: 58: af: 1a is the MAC address of the host's ICE location, indicating that the data packet location address is ICE. ip indicates that the data packet is an IP data packet, and 60 indicates the location length of the data packet, h219.33357> ice. telnet indicates that the packet is sent from Port 33357 of host H219 to Port TELNET (23) of host ICE. ack 22535 indicates that the serial number is 222535. win 8760 indicates that the size of the sending window is 8760.
B. output information of TCPDUMP in ARP packets
Use commands
# Tcpdump arp
The output result is as follows:
22:32:42. 802509 eth0> arp who-has route tell ice (0: 90: 27: 58: af: 1a)
22:32:42. 802902 eth0
Analysis: 22:32:42 is the timestamp, 802509 is the ID number, eth0> indicates that the packet is sent from the host, arp indicates that the packet is an ARP Request packet, who-has route tell ice indicates that the host ICE requests the host's route mac address. 0: 90: 27: 58: af: 1a is the MAC address of the host's ICE location.
C. TCP local output information
The common output information of TCP packet location captured with TCPDUMP is:
Src> dst: flags data-seqno ack window urgent options
Src> dst: indicates the address from the source address to the destination address. flags indicates the information in the TCP packet, S indicates the SYN mark, F (FIN), P (PUSH), R (RST )". "(not marked); data-seqno indicates the data sequence number in the data packet, ack indicates the expected sequence number next time, and window indicates the size of the received cache window. urgent indicates whether there is an emergency pointer in the data packet. options is an option.
D. UDP packet output information
The output of UDP packet location captured with TCPDUMP is:
Route. port1> ice. port2: udp lenth
UDP is very simple. the output line above indicates that a UDP packet is sent from the host ROUTE Port 1 to the host ICE port2 Port. the type is UDP, and the package length is lenth.