Linux Basic Tutorial 31-tcpdump command-3

Source: Internet
Author: User

After the previous articles you should already have a good grasp of how to run tcpdump; today we look at how to read and understand what it prints. Let's start with the following example:

IP Protocol Packet Analysis
    # tcpdump -i ens5f1 -nn -X 'port ' -c 1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:34:11.334916 IP 192.168.8.8.22 > 112.64.61.186.37035: Flags [P.], seq 3341229570:3341229782, ack 1999159071, win 31152, length 212
        0x0000:  4510 00fc 7e99 4000 4006 44a8 c0a8 0808  E...~.@.@.D.....
        0x0010:  7040 3dba 0016 90ab c727 1e02 7728 bf1f  p@=......'..w(..
        0x0020:  5018 79b0 7799 0000 0000 00b0 823d 4cf1  P.y.w........=L.
        0x0030:  1108 58fc 3686 2bd2 5220 fe37 85ab 74cc  ..X.6.+.R..7..t.
        0x0040:  bfb1 8831 7d1c 3b57 52ae aa91 28a2 67d8  ...1}.;WR...(.g.
        0x0050:  08fb a257 7fc8 7186 39dc d266 3d32 cce8  ...W..q.9..f=2..
        0x0060:  3eb7 130b a7d3 833b 59c9 bdf8 2141 6863  >......;Y...!Ahc
        0x0070:  7cae 25ff 459e c94a a635 7098 6925 db48  |.%.E..J.5p.i%.H
        0x0080:  a9b0 32ab 5393 737f cf8c f2ed b47a 7d8b  ..2.S.s......z}.
        0x0090:  346c 39df 3ecc d2b0 e0ad 5104 272d 6513  4l9.>.....Q.'-e.
        0x00a0:  4b8d 5ee6 6c7d 9477 e40b 8637 996a bb5a  K.^.l}.w...7.j.Z
        0x00b0:  471a 2ac4 3335 266d 0485 2e52 b2c2 f6e8  G.*.35&m...R....
        0x00c0:  0549 5ae0 9c7b ad45 da0a eef2 1ccb b2ac  .IZ..{.E........
        0x00d0:  a4a2 0a96 cc5f 238c 9570 0d15 984e 6f58  ....._#..p...NoX
        0x00e0:  d8ff 8034 1165 cf44 02e4 ed6b 631e 2548  ...4.e.D...kc.%H
        0x00f0:  56fd 4c8a 664c e5ee d845 2e50            V.L.fL...E.P
    1 packet captured
    1 packet received by filter
    0 packets dropped by kernel
First line
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

This is only a hint: if you want a more detailed protocol decode, add the -v or -vv option.

Second line
listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes

The network interface tcpdump is listening on, the link-layer type (Ethernet), and the maximum number of bytes captured per packet.

Third line
22:34:11.334916 IP 192.168.8.8.22 > 112.64.61.186.37035: Flags [P.], seq 3341229570:3341229782, ack 1999159071, win 31152, length 212
    • 22:34:11.334916: the time the packet was captured
    • IP: the captured packet is a network-layer packet, i.e. an IP packet
    • 192.168.8.8.22: source IP address and port of the captured packet
    • >: the direction of the data transfer
    • 112.64.61.186.37035: destination IP address and port of the captured packet
    • Flags and the fields after it: the TCP control information (flags, sequence and acknowledgement numbers, window, length), the same fields used in the three-way handshake
Line 4 onwards: the 16 hex-dump lines
        0x0000:  4510 00fc 7e99 4000 4006 44a8 c0a8 0808  E...~.@.@.D.....
        0x0010:  7040 3dba 0016 90ab c727 1e02 7728 bf1f  p@=......'..w(..
        0x0020:  5018 79b0 7799 0000 0000 00b0 823d 4cf1  P.y.w........=L.
        0x0030:  1108 58fc 3686 2bd2 5220 fe37 85ab 74cc  ..X.6.+.R..7..t.
        0x0040:  bfb1 8831 7d1c 3b57 52ae aa91 28a2 67d8  ...1}.;WR...(.g.
        0x0050:  08fb a257 7fc8 7186 39dc d266 3d32 cce8  ...W..q.9..f=2..
        0x0060:  3eb7 130b a7d3 833b 59c9 bdf8 2141 6863  >......;Y...!Ahc
        0x0070:  7cae 25ff 459e c94a a635 7098 6925 db48  |.%.E..J.5p.i%.H
        0x0080:  a9b0 32ab 5393 737f cf8c f2ed b47a 7d8b  ..2.S.s......z}.
        0x0090:  346c 39df 3ecc d2b0 e0ad 5104 272d 6513  4l9.>.....Q.'-e.
        0x00a0:  4b8d 5ee6 6c7d 9477 e40b 8637 996a bb5a  K.^.l}.w...7.j.Z
        0x00b0:  471a 2ac4 3335 266d 0485 2e52 b2c2 f6e8  G.*.35&m...R....
        0x00c0:  0549 5ae0 9c7b ad45 da0a eef2 1ccb b2ac  .IZ..{.E........
        0x00d0:  a4a2 0a96 cc5f 238c 9570 0d15 984e 6f58  ....._#..p...NoX
        0x00e0:  d8ff 8034 1165 cf44 02e4 ed6b 631e 2548  ...4.e.D...kc.%H
        0x00f0:  56fd 4c8a 664c e5ee d845 2e50            V.L.fL...E.P

This is the content of the IP packet: the left side is the hexadecimal dump and the right side is the ASCII rendering of the same bytes. To read these bytes field by field, you need the datagram format from the previous article.

    • 4510
      4: IP version, IPv4 here
      5: header length in 32-bit words, so 5 × 4 = 20 bytes here
      10: the type of service (TOS) field, 0x10 here
    • 00fc
      Total length of the IP datagram: 0x00fc = 252 bytes
    • 7e99
      Identification. If an IP packet is larger than the MTU of the data link layer it has to be fragmented, and this field marks which fragments belonged to the same original packet. Here it is 0x7e99.
    • 4
      Reading on, the next 3 bits are the flags, which control reassembly of fragmented IP packets: the lowest bit is MF (More Fragments) and the middle bit is DF (Don't Fragment).
    • MF=1: more fragments follow
    • MF=0: this is the last of the fragments
    • DF=0: fragmentation is allowed
    • 000: fragment offset; this packet was not fragmented, so it is all zero
    • 40: TTL (Time To Live), how long the packet may live in the network. Here 0x40, i.e. 64 in decimal: every router on the path decrements it, and once it reaches zero the intermediate router treats the destination as unreachable and discards the packet.
    • 06: the upper-layer protocol type. Here 0x06, protocol number 6, which is TCP.
    • 44a8: the IP header checksum, 0x44a8 here
    • c0a8 0808: source IP address, 192.168.8.8 here
    • 7040 3dba: destination IP address, 112.64.61.186 here
      That completes the IP header.
UDP Protocol Packet Analysis

Let's start by capturing a UDP packet:

    # tcpdump -i ens5f1 -nn -X 'udp' -c 1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ens5f1, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:18:12.499924 IP 192.168.8.101.137 > 192.168.8.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
        0x0000:  4500 004e 31ab 0000 8011 763f c0a8 0865  E..N1.....v?...e
        0x0010:  c0a8 08ff 0089 0089 003a 1277 ddc1 0110  .........:.w....
        0x0020:  0001 0000 0000 0000 2046 4b46 4545 4643  .........FKFEEFC
        0x0030:  4e44 4344 4144 4244 4744 4144 4944 4144  NDCDADBDGDADIDAD
        0x0040:  4245 4945 4645 4841 4100 0020 0001       BEIEFEHAA.....
    1 packet captured
    1 packet received by filter
    0 packets dropped by kernel

The UDP header is much simpler than the IP header: 8 bytes in total. Since UDP sits at the transport layer, the IP header naturally comes first in the dump, and the UDP header follows it.

    • 0089: source port 0x0089, i.e. 137
    • 0089: destination port 0x0089, i.e. 137
    • 003a: total length of the UDP datagram, 58 bytes; after removing the 8-byte header, only 50 bytes are actual payload
    • 1277: UDP checksum, 0x1277
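To check the hand decoding of the IP header above and of the UDP (or TCP) header after it mechanically, here is an added Python example that is not part of the article: it rebuilds the raw bytes from tcpdump -X lines copied from the two captures, decodes the IP header fields discussed, verifies the header checksum, and decodes the transport header that follows. The dump strings are the only input it assumes.

```python
import struct
from ipaddress import IPv4Address

# Hex-dump lines copied from the article's two captures (IP header plus the
# start of the transport header); the parser ignores the ASCII column.
TCP_DUMP = """\
0x0000:  4510 00fc 7e99 4000 4006 44a8 c0a8 0808  E...~.@.@.D.....
0x0010:  7040 3dba 0016 90ab c727 1e02 7728 bf1f  p@=......'..w(..
0x0020:  5018 79b0 7799 0000 0000 00b0 823d 4cf1  P.y.w........=L."""
UDP_DUMP = """\
0x0000:  4500 004e 31ab 0000 8011 763f c0a8 0865  E..N1.....v?...e
0x0010:  c0a8 08ff 0089 0089 003a 1277 ddc1 0110  .........:.w...."""

def dump_to_bytes(dump):
    """Rebuild raw packet bytes from 'tcpdump -X' output lines."""
    raw = bytearray()
    for line in dump.splitlines():
        hex_part = line.split(':', 1)[1].strip().split('  ')[0]  # drop ASCII column
        raw += bytes.fromhex(hex_part.replace(' ', ''))
    return bytes(raw)

def ip_header(pkt):
    """Decode the 20-byte IPv4 header field by field, as the article does by hand."""
    vihl, tos, total, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    return {'version': vihl >> 4, 'ihl_bytes': (vihl & 0xf) * 4, 'tos': tos,
            'total_length': total, 'id': ident, 'df': bool(frag & 0x4000),
            'mf': bool(frag & 0x2000), 'frag_offset': frag & 0x1fff, 'ttl': ttl,
            'protocol': proto, 'checksum': csum,
            'src': str(IPv4Address(src)), 'dst': str(IPv4Address(dst))}

def ip_checksum_ok(pkt):
    """Ones'-complement sum of all header words (checksum included) must be 0xffff."""
    ihl = (pkt[0] & 0xf) * 4
    total = sum(struct.unpack('!%dH' % (ihl // 2), pkt[:ihl]))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def transport_header(pkt):
    """Decode the UDP (protocol 17) or TCP (protocol 6) header after the IP header."""
    off = (pkt[0] & 0xf) * 4
    if pkt[9] == 17:
        sport, dport, length, csum = struct.unpack('!HHHH', pkt[off:off + 8])
        return {'proto': 'UDP', 'sport': sport, 'dport': dport, 'length': length,
                'payload_len': length - 8, 'checksum': csum}
    sport, dport, seq, ack, off_flags, win = struct.unpack('!HHIIHH', pkt[off:off + 16])
    return {'proto': 'TCP', 'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack,
            'flags': off_flags & 0x1ff, 'window': win}
```

The decoded values match the summary line tcpdump printed (ports 22 and 37035, seq 3341229570, ack 1999159071, win 31152), which is a quick way to confirm you have the byte offsets right.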
