TCPDUMP Chinese manual (2)

True only if the packet is a TCP packet whose source port is port.
less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length

greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length
  
ip proto protocol
True if the packet is an IP datagram (see ip(4P)) whose protocol type is protocol. protocol can be a number or one of the names icmp, igrp, udp, nd or tcp. Note that the identifiers tcp, udp and icmp are also keywords, so they must be escaped with a backslash (\); under the C shell, with \\.
ether broadcast
True if the packet is an Ethernet broadcast packet. The keyword ether is optional.
ip broadcast
True if the packet is an IP broadcast packet. tcpdump checks for both the all-zeroes and the all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast
True if the packet is an Ethernet multicast packet. The keyword ether is optional. This is shorthand for 'ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of Ethernet type protocol. protocol can be a number or a name such as ip, arp or rarp. Note that these identifiers are also keywords, so they must be escaped with a backslash. [In the case of FDDI (for example, 'fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. When filtering on the protocol identifier, tcpdump assumes that all FDDI packets carry an LLC header and that the LLC header is in SNAP format.]
  
decnet src host
True if the DECNET source address is host, which may be an address of the form ''10.123'' or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host
True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
Abbreviations for:
ether proto p

where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p

where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p

where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, != and expr is an arithmetic expression composed of integer constants (written in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
proto [ expr : size ]

proto is one of ether, fddi, ip, arp, rarp, tcp, udp or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the start of the indicated protocol layer, is given by expr. size is optional and indicates the number of bytes in the field of interest; it can be 1, 2 or 4 and defaults to 1. The length operator, indicated by the keyword len, gives the length of the packet.
For example, 'ether[0] & 1 != 0' catches all multicast traffic. The expression 'ip[0] & 0xf != 5' catches all IP packets with options. The expression 'ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations: tcp[0] always means the first byte of the TCP header, and never the first byte of a later fragment.
  
Primitives may be combined using:

A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped).
Negation ('!' or 'not').
Concatenation ('&&' or 'and').
Alternation ('||' or 'or').
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are required for concatenation.
  
If an identifier is given without a keyword, the most recent keyword is assumed. For example,

not host vs and ace

is short for

not host vs and host ace

which should not be confused with

not (host vs or ace)

The expression argument can be passed to tcpdump either as a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
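The keyword-inheritance rule above is easy to misread, so here is an added example (not code from the tcpdump manual or from libpcap) that applies exactly that rule token by token: an identifier given without a keyword inherits the keywords of the most recent qualified identifier. The qualifier and operator lists are this example's own, the combined direction qualifiers 'src and dst' / 'src or dst' are recognised so they are not split, and the function only expands text; it does not resolve names or validate the result as a tcpdump filter. Identifiers that have no keyword at all are passed through unchanged.

```python
"""Expand tcpdump's keyword-inheritance shorthand into explicit primitives."""
import re

# Example's own lists; the real tcpdump grammar knows more qualifiers.
QUALIFIERS = {"src", "dst", "host", "net", "port", "portrange", "proto",
              "gateway", "ether", "ip", "ip6", "arp", "rarp", "tcp", "udp", "icmp"}
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}


def tokenize(expr: str) -> list:
    """Split on whitespace, keeping parentheses and symbolic operators separate."""
    return re.findall(r"\(|\)|&&|\|\||!|[^\s()]+", expr)


def expand(expr: str) -> str:
    """Return expr with every keyword-less identifier given its inherited keywords."""
    toks = tokenize(expr)
    out, pending, last = [], [], []
    for i, tok in enumerate(toks):
        joins_direction = (tok in ("and", "or") and pending
                           and pending[-1] in ("src", "dst")
                           and i + 1 < len(toks) and toks[i + 1] in ("src", "dst"))
        if joins_direction:
            pending.append(tok)            # 'src and dst' is a single qualifier
        elif tok in OPERATORS:
            out.append(tok)
        elif tok in QUALIFIERS:
            pending.append(tok)            # keywords that precede the next identifier
        else:                              # hostname, network, port name or number
            if pending:
                last, pending = pending, []
            out.extend(last)               # empty if no keyword has been seen yet
            out.append(tok)
    if pending:
        raise ValueError("keyword(s) without an identifier: " + " ".join(pending))
    return " ".join(out).replace("( ", "(").replace(" )", ")")


if __name__ == "__main__":
    for e in ("not host vs and ace", "not (host vs or ace)",
              "tcp dst port ftp or ftp-data or domain",
              "not src and dst net localnet"):
        print(f"{e!r:45} -> {expand(e)!r}")
```

Running it shows why the page warns about 'not host vs and ace': the inherited keyword attaches to 'ace' only, so the negation still applies to 'host vs' alone, whereas the parenthesised form negates the whole alternation.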
  
  
EXAMPLES
To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through the Internet gateway snup (note that the expression is quoted to prevent the shell from interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other network, this should never make it onto your local network):

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host (tcp[13] is the TCP flags byte; FIN is bit 0 and SYN is bit 1):

tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'

To print IP datagrams longer than 576 bytes sent through gateway snup (ip[2:2] is the total length field of the IP header):

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via Ethernet broadcast or multicast (ip[16] is the first byte of the destination address; 224 and above covers the class D multicast range and the all-ones broadcast address):

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets; icmp[0] is the ICMP type, 8 for echo request and 0 for echo reply):

tcpdump 'icmp[0] != 8 and icmp[0] != 0'
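The byte-offset expressions in the examples above, and the proto[expr:size] syntax described earlier, are exactly what the filter engine evaluates on the raw bytes of each frame. The following added example (not code from the tcpdump manual or the tcpdump project) reproduces that evaluation in Python: it builds a handful of Ethernet/IPv4 frames by hand (constructed bytes, not a capture), implements the ether/ip/tcp/udp/icmp index operation, including the "fragment zero only" check the page says is implicit in tcp[] and udp[] subscripts, and runs the page's filter expressions over the samples. Applying the fragment check to icmp[] as well is this example's choice, and the frame builder, sample names and helper functions are all assumptions of the example.

```python
"""tcpdump-style proto[expr:size] accessors evaluated on hand-built frames."""
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def field(frame: bytes, proto: str, offset: int, size: int = 1) -> int:
    """Value of the size-byte big-endian field at offset within layer proto.

    'ether' indexes from byte 0 of the frame and 'ip' from the IPv4 header.
    'tcp', 'udp' and 'icmp' index from the transport header, and only when the
    IP protocol matches and the fragment offset (ip[6:2] & 0x1fff) is zero, so
    tcp[0] can never land inside a later fragment's payload. ValueError means
    "no such field", which a filter treats as no match.
    """
    if size not in (1, 2, 4):
        raise ValueError("size must be 1, 2 or 4")
    base = 0
    if proto != "ether":
        if frame[12:14] != ETHERTYPE_IPV4:
            raise ValueError("not an IPv4 packet")
        base = 14
        if proto in IP_PROTO:
            if frame[base + 9] != IP_PROTO[proto]:
                raise ValueError("IP protocol is not " + proto)
            frag_off = struct.unpack("!H", frame[base + 6:base + 8])[0] & 0x1FFF
            if frag_off != 0:
                raise ValueError("non-first fragment carries no transport header")
            base += (frame[base] & 0x0F) * 4          # skip IP header incl. options
    chunk = frame[base + offset:base + offset + size]
    if len(chunk) != size:
        raise ValueError("field runs past the end of the packet")
    return int.from_bytes(chunk, "big")


def matches(frame: bytes, predicate) -> bool:
    """Apply a filter predicate; a missing field means the packet does not match."""
    try:
        return bool(predicate(frame))
    except ValueError:
        return False


# The page's expressions, transcribed one-to-one into predicates over field().
FILTERS = {
    "tcp[13] & 3 != 0":     lambda f: field(f, "tcp", 13) & 3 != 0,
    "ip[0] & 0xf != 5":     lambda f: field(f, "ip", 0) & 0xF != 5,
    "ip[6:2] & 0x1fff = 0": lambda f: field(f, "ip", 6, 2) & 0x1FFF == 0,
    "ether[0] & 1 != 0":    lambda f: field(f, "ether", 0) & 1 != 0,
    "ip[2:2] > 576":        lambda f: field(f, "ip", 2, 2) > 576,
    "ether[0] & 1 = 0 and ip[16] >= 224":
        lambda f: field(f, "ether", 0) & 1 == 0 and field(f, "ip", 16) >= 224,
    "icmp[0] != 8 and icmp[0] != 0":
        lambda f: field(f, "icmp", 0) != 8 and field(f, "icmp", 0) != 0,
}


def ipv4_frame(proto: int, l4: bytes, *, dst_mac=b"\x00\x11\x22\x33\x44\x55",
               dst_ip="10.0.0.2", frag_off=0, options=b"", total_len=None) -> bytes:
    """Construct Ethernet + IPv4 + transport bytes (checksums left zero: the
    filter engine never validates them, so they cannot affect matching)."""
    ihl = 5 + len(options) // 4                       # options must be 4-byte padded
    if total_len is None:
        total_len = ihl * 4 + len(l4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 0x1234,
                         frag_off & 0x1FFF, 64, proto, 0, bytes([10, 0, 0, 1]),
                         bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + b"\x00\xaa\xbb\xcc\xdd\xee" + ETHERTYPE_IPV4 + ip_hdr + options + l4


def tcp_hdr(flags: int) -> bytes:
    # sport, dport, seq, ack, data offset 5 (no options), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_hdr(icmp_type: int) -> bytes:
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # type, code, csum, id, seq


SAMPLES = {  # constructed frames, one per behaviour the filters distinguish
    "tcp syn":               ipv4_frame(6, tcp_hdr(0x02)),
    "tcp ack":               ipv4_frame(6, tcp_hdr(0x10)),
    "tcp 2nd fragment":      ipv4_frame(6, b"\x02" * 20, frag_off=185),  # payload, no header
    "ip with options":       ipv4_frame(6, tcp_hdr(0x10), options=b"\x01\x01\x01\x01"),  # 4 NOPs
    "1500-byte datagram":    ipv4_frame(17, b"", total_len=1500),  # header claim, like a snaplen-truncated capture
    "ether multicast":       ipv4_frame(17, b"", dst_mac=b"\x01\x00\x5e\x00\x00\x01", dst_ip="224.0.0.1"),
    "ip mcast, unicast mac": ipv4_frame(17, b"", dst_ip="239.1.1.1"),
    "icmp echo request":     ipv4_frame(1, icmp_hdr(8)),
    "icmp unreachable":      ipv4_frame(1, icmp_hdr(3)),
}


def evaluate() -> dict:
    """Return {filter expression: sorted names of the sample frames it matches}."""
    return {expr: sorted(n for n, f in SAMPLES.items() if matches(f, pred))
            for expr, pred in FILTERS.items()}


if __name__ == "__main__":
    for expr, hits in evaluate().items():
        print(f"{expr:36} -> {hits}")
```

Two things the run makes visible that the filter strings alone do not: the second-fragment sample never matches 'tcp[13] & 3 != 0' even though its payload byte at that offset has the SYN bit set, because the implicit fragment check refuses to index into it; and 'ip[2:2] > 576' reads the length the header claims, not the number of bytes captured, which is what the separate len operator measures.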
  
OUTPUT FORMAT
The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.

Link Level Headers

If the '-e' option is given, the link level header is printed out. On Ethernets, the source and destination addresses, protocol, and packet length are printed.

On FDDI networks, the '-e' option causes tcpdump to print the 'frame control' field, the source and destination addresses, and the packet length. (The 'frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are 'async' packets, with a priority value between 0 and 7; for example, 'async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.)

(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)
  
  