Linux network packet capture

Packet Capture analysis is usually required when debugging network programs. Tcpdump in Linux is good.

By default, Ubuntu has been installed. The following is an example.

For example, I have a C ++ program listening to the local port 8889, and another newlisp program communicating with it through TCP.

First, check several network interfaces.

root@dean-GA-MA790XT-UD4P:~# tcpdump -D1.eth02.any (Pseudo-device that captures on all interfaces)3.lo

Because it is run on the local machine, it uses the lo interface. Therefore,-I 3 is used for subsequent parameters.

-I 3 indicates monitoring the network interface lo. Start tcpdump now

tcpdump -i 3 tcp port 8889 -v -XX

-XX indicates that the network package data is displayed in hexadecimal format and ASCII text.

21:19:40.151304 IP (tos 0x0, ttl 64, id 37956, offset 0, flags [DF], proto TCP (6), length 56)    localhost.8889 > localhost.55131: Flags [P.], cksum 0xfe2c (incorrect -> 0x8dc0), seq 41:45, ack 117, win 342, options [nop,nop,TS val 728981 ecr 723761], length 40x0000:  0000 0000 0000 0000 0000 0000 0800 4500  ..............E.0x0010:  0038 9444 4000 4006 a879 7f00 0001 7f00  .8.D@.@..y......0x0020:  0001 22b9 d75b 5a53 9f4c d8c4 bded 8018  .."..[ZS.L......0x0030:  0156 fe2c 0000 0101 080a 000b 1f95 000b  .V.,............0x0040:  0b31 0100 3355  

First, the time is displayed, and then the data transmission direction is displayed, from the C ++-> newlisp program. You can also see that the number of bytes transmitted at the application layer is 4.

At last, we can see that 0100 3355 is the four bytes.

Many other bytes must be the data required by the TCP protocol. Do not go into details.

The last article demonstrates many good uses. You may need to flip the wall.

Http://www.thegeekstuff.com/2010/08/tcpdump-command-examples/