TCPDUMP Chinese manual (1)

Title: TCPDUMP Chinese manual (1 ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Tcpdump-dump data streams on the network
Overview (SYNOPSIS)
Tcpdump [-adeflnNOpqStvx] [-c count] [-F file]
　　
[-I interface] [-r file] [-s snaplen]
　　
[-T type] [-w file] [expression]
　　
DESCRIPTION)
Tcpdump is printed on a network interface that matches the header of the Boolean expression.
　　
For the nit or bpf interface of SunOS: to run tcpdump, you must have read permission for/dev/nit or/dev/bpf.
　　
For Solaris dlpi, you must have the read permission for a network simulation device, such as/dev/le.
　　
For HP-UX dlpi: you must be the root, or install it as the root setting uid program. for IRIX snoop: you must be the root or install it as the root set uid program. for Linux: you must be the root user, or install it as the root user's uid setting program.
　　
For Ultrix and Digital UNIX: once the superuser opens the promiscuous operation mode (promiscuous-mode) using pfconfig (8), any user can run tcpdump.
　　
For BSD: you must have the read permission for/dev/bpf.
　　
　　
OPTIONS)
-
Try to convert the network and broadcast address into a name.
-C
Exit after receiving the count message.
-D
Translate the compiled packet matching template (packet-matching code) into readable form, pass it to the standard output, and exit.
-Dd
The packet-matching code is output in the form of a C program segment.
-Ddd
The packet-matching code is output in decimal format (the total number is added before ).
-E
Each line displays the link layer header.
-F
Display 'external 'Internet addresses in digital form, rather than the character format (this option is used to circumvent the SUN yellow page server with a bad brain shell-generally, it will be suspended for a long time when translating external network digital addresses ).
-F
Use the file content as a filter expression. ignore the expression on the command line.
-I
Listening interface. If no interface is specified, tcpdump is in the system interface list and finds the minimum number. the configured interface (except loopback) will interrupt the connection when selected.
-L
Row buffer standard output. it can be used to capture data and view data. for example,
''Tcpdump-l | tee dat ''or ''tcpdump-l> dat & tail-f dat ''.
-N
Do not convert the address to the name (that is, the host address, port number, and so on)
-N
The domain name section in the host name is not displayed. for example, if you use this option, tcpdump only displays ''nic ''instead of ''nic .ddn.mil ''.
-O
It is forbidden to run the optimizer of the message matching template. it is only useful when you suspect that the Optimizer has a bug.
-P
Do not set the interface to promiscuous mode. note that the interface may be in promiscuous mode for other reasons. Therefore, '-p' cannot be abbreviated as 'Ether host {local-hw-addr} or 'Ether broadcast.
-Q
Quick output: displays a small amount of protocol information, and the output line is a little shorter.
-R
Read the datagram from the file (the file was created using the-w option). If the file is ''-'', read the standard input.
-S
The snaplen data is intercepted from each packet, rather than the default value of 68 (for SunOS NIT, the minimum value is 96 ). the 68-byte protocol is applicable to IP, ICMP, TCP, and UDP, but the protocol information of the name server and NFS packet may be truncated (see the following ). if ''[| proto]'' is specified during output, tcpdump can indicate the datagram with a small volume of captured data. The proto here is the name of the protocol layer where the capture occurs. note that using a larger capture range not only increases the time for processing packets, but also reduces the number of packets buffered, which may lead to packet loss. you should set snaplen as small as possible, as long as it can accommodate the required protocol information.
　　
-T
The packets selected by expression are interpreted as the specified type. currently, known types include rpc (Remote Procedure Call), rtp (Real-Time Applications protocol ), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool), and wb (distributed whiteboard distributed White Board ).
-S
Display absolute, rather than relative TCP serial number.
-T
The timestamp flag cannot be displayed.
-Tt
Displays unformatted timestamp.
-V
(A little more) tedious output. for example, display the life cycle and service type in the IP datagram.
-Vv
More complex output. for example, display the additional domain of the NFS response message.
-W
Store the original packets in file instead of analysis and display. they can be displayed later using the-r option. if the file is ''-'', it is written to the standard output.
-X
Each packet is displayed in hexadecimal notation (after the link layer header is removed). a smaller complete packet is displayed. Otherwise, only snaplen bytes are displayed.
Expression
Select the datagram to be Dump. If no expression is specified, all packets of the network will be Dump. Otherwise, only the datagram with the relative expression 'true' will be dump.
Expression is composed of one or more primitive elements. A primitive is usually composed of an identifier (id, name, or number) and one or more modifiers before the identifier (qualifier. modifier has three different types:
　　
Type
The type modifier specifies the identifier name or number that represents the type. the available types include host, net, and port. for example, 'host Foo', 'net 128.3 ', 'Port 20 '. if the type modifier is not specified, the default host is used.
　　
Dir
The direction modifier specifies the transmission direction (whether the data is passed in or out) relative to the identifier ). the options are src, dst, src or dst, and src and dst. for example, 'src Foo', 'dst net 128.3 ', 'src or dst port ftp-data '. if you do not specify the direction modifier, use the default src or dst. for the 'null' link layer (that is, point-to-point protocols such as slip), use inbound and outbound to modify the child to specify the required transmission direction.
Proto
The protocol modifier must match the specified protocol. available protocols include ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp, and udp. for example, 'Ether src Foo', 'arp net 100', 'tcp port 21 '. if no protocol modifier is specified, all protocol types are used. for example, 'src Foo' refers to '(ip, arp, or rarp) src Foo' (note that the latter does not conform to the syntax), and 'Net bar' refers to' (ip, arp, or rarp) net bar ', 'Port 53' indicates' (tcp or udp) port 53 '.
['Fddi 'is actually the alias of 'Ether'. the analyzer regards them as the data link layer used on the specified network interface. the ''fddi header contains the source address similar to the Ethernet protocol and usually contains the packet type similar to the Ethernet protocol. Therefore, you can filter the FDDI domain, just like analyzing the Ethernet protocol. the FDDI header also contains other fields, but you cannot explicitly describe them in the filter expression.]
　　
　　
As a supplement, there are some special 'primitive 'keywords, which are different from the above pattern: gateway, broadcast, less, greater, and mathematical expressions. these are described later.
　　
More complex filter expressions can be formed through the and, or and not connection primitives. for example, 'host foo and not port ftp-data '. you can ignore the same modifier to minimize the number of mouse clicks. for example, 'tcp dst port ftp or ftp-data or domain 'is actually 'tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain '.
　　
Allowed primitives include:
　　
Dst host
If the IP address in the message is a host, the logic is true. host can be either an address or a host name.
Src host
If the source IP address of the packet is host, the logic is true.
Host
If the IP address source address domain or target address domain is host in the message, the logic is true. all the above host expressions can be prefixed with ip, arp, or rarp keywords, just like:
Ip host
　　
It is equivalent:
Ether proto \ ip and host
　　
If the host is a host name with multiple IP addresses, each of its addresses will be checked.
　　
Ether dst ehost
If the Ethernet destination address of the packet is ehost, the logic is true. the Ehost can be either a name (in/etc/ethers) or a number (for details about the number format, see ethers (3N )).
Ether src ehost
If the Ethernet source address of the packet is ehost, the logic is true.
Ether host ehost
If the Ethernet source address or destination address of the message is ehost, the logic is true.
Gateway host
If the message uses the host as the gateway, the logic is true. that is to say, the Ethernet source or destination address of the message is host, but the source and destination addresses of the IP are not host. the host must be a host name and must exist in/etc/hosts and/etc/ethers. (an equivalent expression is
Ether host ehost and not host
　　
For host/ehost, it can be either a name or a number .)
Dst net
If the IP address of the packet belongs to the network ID net, the logic is true. net can be a name (in/etc/networks) or a network number. (For details, see networks (4 )).
Src net
If the IP address of the packet belongs to the network ID net, the logic is true.
Net
If the source or destination IP address of the packet belongs to the network ID net, the logic is true.
Net mask
If the IP address matches the net of the specified netmask, the logic is true.