TCPDUMP Chinese manual (4)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was '3'. The '+' indicates that the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP headers. The query operation was the normal one, Query, so the op field was omitted. Had the op been anything else, it would have been printed between the '3' and the '+'. Similarly, the qclass was the normal one, C_IN, and was omitted. Any other qclass would have been printed immediately after the 'A'.
Tcpdump checks for a few anomalies and prints the results as extra fields enclosed in square brackets. If a query contains an answer, authority records or additional records section, ancount, nscount or arcount is printed as '[na]', '[nn]' or '[nau]', where n is the appropriate count. If any of the response bits (AA, RA or rcode) or any of the 'must be zero' bits are set in bytes two and three of the header, '[b2&3=x]' is printed, where x is the hex value of header bytes two and three.
  
UDP name server responses
  
Name server responses are formatted as
  
src > dst: id op rcode flags a/n/au type class data (len)
  
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
  
  
In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is type A (address) and its data is the internet address 128.32.137.3. The total size of the response was 273 bytes, excluding the UDP and IP headers. The op (Query) and rcode (NoError) were omitted, as was the class (C_IN) of the A record.
In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain), no answer records, one name server record and no additional records.
The '*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.
  
Other flag characters that may appear are '-' (recursion available, RA, not set) and '|' (truncated message, TC, set). If the question section does not contain valid content, '[nq]' is printed.
  
Note that name server requests and responses tend to be large, and the default snaplen of 68 bytes may not capture enough of the packet to print. Use the -s option to increase the snaplen if you want to study name server traffic; '-s 128' should work well.
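To make the response format above concrete, here is an added example (not part of the tcpdump manual or its source) that splits a 'src > dst: id op rcode flags a/n/au type class data (len)' line into its fields, decodes the 16-bit value reported in a '[b2&3=x]' field into the individual header bits, and tallies NXDomain responses per client, a common first step when watching for failing lookups. The two sample lines are the ones from the text; the op and rcode names beyond those on this page are an assumed, non-exhaustive list, and the helper names are my own.

```python
import re

# The two response lines from the text above, used as sample input.
SAMPLE_LINES = [
    "helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)",
    "helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)",
]

# src > dst: <body> (len)
_LINE_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<body>.+) \((?P<len>\d+)\)$")
_COUNTS_RE = re.compile(r"^(\d+)/(\d+)/(\d+)$")
_BRACKET_RE = re.compile(r"\[[^\]]*\]")   # anomaly fields such as [nq] or [b2&3=x]

# Tokens that may appear between the id and the a/n/au counts. Query and
# NoError are never printed, so they are the defaults. These name lists are
# assumed and not exhaustive.
OP_NAMES = {"inv_q", "stat", "notify", "update"}
RCODE_NAMES = {"FormErr", "ServFail", "NXDomain", "NotImp", "Refused",
               "YXDomain", "YXRRSet", "NXRRSet", "NotAuth", "NotZone"}
FLAG_CHARS = {"*": "AA", "-": "RA not set", "|": "TC"}


def parse_dns_response(line):
    """Split one tcpdump name-server response line into its fields."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a name-server response line: %r" % line)
    rec = {
        "src": m["src"], "dst": m["dst"], "len": int(m["len"]),
        "id": None, "op": "Query", "rcode": "NoError", "flags": [],
        "ancount": None, "nscount": None, "arcount": None,
        "type": None, "data": None,
        "anomalies": _BRACKET_RE.findall(m["body"]),
    }
    tokens = _BRACKET_RE.sub(" ", m["body"]).split()
    for pos, tok in enumerate(tokens):
        counts = _COUNTS_RE.match(tok)
        if counts:
            break
        # Flag characters are glued to the preceding token (e.g. "NXDomain*").
        word = tok.rstrip("*-|")
        rec["flags"].extend(FLAG_CHARS[c] for c in tok[len(word):])
        if pos == 0:
            rec["id"] = int(word)
        elif word in OP_NAMES or re.fullmatch(r"op\d+", word):
            rec["op"] = word
        elif word in RCODE_NAMES:
            rec["rcode"] = word
        else:
            raise ValueError("unexpected token %r in %r" % (tok, line))
    else:
        raise ValueError("no a/n/au counts in %r" % line)
    rec["ancount"], rec["nscount"], rec["arcount"] = map(int, counts.groups())
    rest = tokens[pos + 1:]
    if rest:
        # type, then (a non-IN class, if any) followed by the record data
        rec["type"] = rest[0]
        rec["data"] = " ".join(rest[1:]) or None
    return rec


def decode_header_bytes(x):
    """Decode the 16-bit value x from a '[b2&3=x]' field into the DNS header
    flag bits (RFC 1035 section 4.1.1 layout: QR, opcode, AA, TC, RD, RA, Z, rcode)."""
    return {
        "QR": (x >> 15) & 1, "opcode": (x >> 11) & 0xF, "AA": (x >> 10) & 1,
        "TC": (x >> 9) & 1, "RD": (x >> 8) & 1, "RA": (x >> 7) & 1,
        "Z": (x >> 4) & 0x7, "rcode": x & 0xF,
    }


def nxdomain_per_client(lines):
    """Count NXDomain responses per client host (dst with the port removed)."""
    counts = {}
    for line in lines:
        rec = parse_dns_response(line)
        if rec["rcode"] == "NXDomain":
            client = rec["dst"].rsplit(".", 1)[0]
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_dns_response(line))
    print(nxdomain_per_client(SAMPLE_LINES))
    print(decode_header_bytes(0x8583))  # constructed value: QR, AA, RD, RA set, rcode 3
```

Bracketed anomaly fields are pulled out before tokenizing so that a line carrying '[b2&3=x]' still parses, and the hex value can then be handed to decode_header_bytes to see which of AA, RA or the rcode bits triggered the field.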
  
  
NFS requests and replies
  
Sun NFS (Network File System) requests and replies are printed as:
  
src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results
  
  
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink ".../var"
sushi.201b > wrl.nfs:
144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b:
reply ok 128 lookup fh 9,74/4134.3150
  
  
  
In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the source host is the transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and the generation number.) Wrl replies 'ok' with the contents of the link.
In the third line, sushi asks wrl to look up the name 'xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type; the format is intended to be self-explanatory.
  
If the -v (verbose) option is given, additional information is printed. For example:
  
  
sushi.1372a > wrl.nfs:
148 read fh 12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a:
reply ok 1472 read REG 100664 ids 417/0 sz 29388
  
  
  
(-v also prints the IP header TTL, ID and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 12.195 at byte offset 24576. Wrl replies 'ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the remaining bytes follow in subsequent fragments, but those fragments carry no NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because -v is given, some of the file attributes (which are returned in addition to the file data) are also printed: the file type ('REG', for regular file), the file mode (in octal), the uid and gid, and the file size.
If the -v option is given more than once (-vv), even more details are printed.
  
Note that NFS requests are very large, and much of the detail will not be printed unless the snaplen is increased. Try '-s 192' to watch NFS traffic.
  
NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps a record of 'recent' requests and matches replies to them by transaction id. If a reply has no corresponding request in that record, it cannot be parsed.
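The request/reply matching just described is easy to reproduce on tcpdump's own text output, which is useful when you want per-operation statistics from a capture. The following is an added example, not code from tcpdump: it parses request lines of the form 'src.xid > dst.nfs: len op args' and reply lines of the form 'src.nfs > dst.xid: reply stat len ...', pairs each reply with the pending request for the same client, server and xid, takes the operation name from the request (since the reply does not carry it), and reports replies whose request was never seen. The sample lines are the exchanges from the text joined onto single lines plus one constructed orphan reply (xid 7777); the function names are my own.

```python
import re

# Constructed sample: the exchanges from the text, each on one line, plus
# one reply (xid 7777) whose request was never captured.
SAMPLE_LINES = [
    'sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165',
    'wrl.nfs > sushi.6709: reply ok 40 readlink ".../var"',
    'sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"',
    'wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150',
    'wrl.nfs > sushi.7777: reply ok 40',
]

# src.xid > dst.nfs: len op args
_REQ_RE = re.compile(
    r"^(?P<client>\S+)\.(?P<xid>[0-9a-f]+) > (?P<server>\S+)\.nfs: "
    r"(?P<len>\d+) (?P<op>\S+)(?: (?P<args>.*))?$")

# src.nfs > dst.xid: reply stat len [op results]
# The op is optional: it is not in the reply packet, tcpdump fills it in
# from the matching request, so a raw reply may lack it.
_REPLY_RE = re.compile(
    r"^(?P<server>\S+)\.nfs > (?P<client>\S+)\.(?P<xid>[0-9a-f]+): "
    r"reply (?P<stat>\S+) (?P<len>\d+)(?: (?P<op>\S+)(?: (?P<results>.*))?)?$")


def correlate(lines):
    """Pair NFS replies with requests by (client, server, xid).

    Returns (matched, orphans, pending): matched replies carry the op and
    args of their request; orphans are replies with no request on record;
    pending holds requests that never received a reply."""
    pending = {}
    matched, orphans = [], []
    for line in lines:
        m = _REQ_RE.match(line)
        if m:
            key = (m["client"], m["server"], m["xid"])
            pending[key] = {"op": m["op"], "args": m["args"],
                            "req_len": int(m["len"])}
            continue
        m = _REPLY_RE.match(line)
        if not m:
            continue  # not an NFS request or reply line
        key = (m["client"], m["server"], m["xid"])
        reply = {"client": m["client"], "server": m["server"], "xid": m["xid"],
                 "stat": m["stat"], "reply_len": int(m["len"]), "op": m["op"]}
        req = pending.pop(key, None)
        if req is None:
            orphans.append(reply)      # which operation this answers is unknown
            continue
        reply["op"] = req["op"]        # the operation comes from the request
        reply["args"] = req["args"]
        reply["req_len"] = req["req_len"]
        matched.append(reply)
    return matched, orphans, pending


def bytes_per_op(matched):
    """Sum request plus reply payload bytes for each operation type."""
    totals = {}
    for r in matched:
        totals[r["op"]] = totals.get(r["op"], 0) + r["req_len"] + r["reply_len"]
    return totals


if __name__ == "__main__":
    matched, orphans, pending = correlate(SAMPLE_LINES)
    for r in matched:
        print("%s xid %s: %s -> %s" % (r["client"], r["xid"], r["op"], r["stat"]))
    for o in orphans:
        print("orphan reply xid %s (operation unknown)" % o["xid"])
    print(bytes_per_op(matched))
```

The key includes the client and server as well as the xid because transaction ids are only unique per client; two hosts can legitimately reuse the same number.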
  
KIP Appletalk (DDP in UDP)
  
Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (that is, all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers into names. Lines in this file have the form
  
number name
  
1.254 ether
16.1 icsd-net
1.254.110 ace
  
  
The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the third octet in the number: a net number must have two octets and a host number must have three). The number and name are separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with '#').
Appletalk addresses are printed in the form
  
net.host.port
  
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2
  
  
(If /etc/atalk.names does not exist or lacks an entry for some net or node number, the address is printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to port 220 of net icsd node 112. The second line is the same except that the full name of the source node ('office') is known. The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address is indicated by a net name with no host number; for this reason it is a good idea to keep node names and net names distinct in /etc/atalk.names).
Tcpdump interprets the contents of NBP (name binding protocol) and ATP (Appletalk transaction protocol) packets. For other protocols, only the protocol name (or number, if no name is registered for the protocol) and the packet size are dumped.
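The /etc/atalk.names rules above (two octets name a net, three name a host, blank and comment lines are ignored, an unknown number is printed numerically, and the broadcast node shows as the bare net name) can be checked with the following added example. It is not tcpdump's code: load_atalk_names parses a constructed copy of the file built from the entries in the text plus one extra host line, and format_atalk_addr renders a numeric net.host.port address the way the examples above show. The value 255 for the DDP broadcast node is a protocol fact, not something taken from this page.

```python
# Constructed /etc/atalk.names contents: the three entries from the text
# plus one extra host line and a comment line (both constructed).
ATALK_NAMES = """\
# net and node names (constructed sample)
1.254 ether
16.1 icsd-net
1.254.110 ace
16.1.112\tfileserv
"""

BROADCAST_NODE = 255  # DDP node number addressing every node on the net


def load_atalk_names(text):
    """Parse atalk.names text into (nets, hosts) dictionaries.

    Two octets name a net, three name a host; blank lines and lines
    starting with '#' are skipped; number and name are whitespace separated."""
    nets, hosts = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("line %d: expected 'number name': %r" % (lineno, raw))
        number, name = fields
        octets = number.split(".")
        if len(octets) == 2:
            nets[number] = name
        elif len(octets) == 3:
            hosts[number] = name
        else:
            raise ValueError("line %d: %r is neither a net nor a host number"
                             % (lineno, number))
    return nets, hosts


def format_atalk_addr(addr, nets, hosts):
    """Render a numeric net.node.port address as tcpdump prints it.

    A known host shows as hostname.port; a known net shows as net.node.port,
    or as the bare net name plus port when the node is the broadcast node;
    anything else stays numeric."""
    net_hi, net_lo, node, port = addr.split(".")
    net = "%s.%s" % (net_hi, net_lo)
    host_key = "%s.%s" % (net, node)
    if host_key in hosts:
        return "%s.%s" % (hosts[host_key], port)
    if net in nets:
        if int(node) == BROADCAST_NODE:
            return "%s.%s" % (nets[net], port)
        return "%s.%s.%s" % (nets[net], node, port)
    return addr


def render_line(line, nets, hosts):
    """Translate both addresses of a numeric 'src > dst' line."""
    src, dst = [part.strip() for part in line.split(">")]
    return "%s > %s" % (format_atalk_addr(src, nets, hosts),
                        format_atalk_addr(dst, nets, hosts))


if __name__ == "__main__":
    nets, hosts = load_atalk_names(ATALK_NAMES)
    for addr in ("1.254.110.2", "1.254.209.2", "16.1.255.2", "144.1.209.2"):
        print(addr, "->", format_atalk_addr(addr, nets, hosts))
    print(render_line("16.1.112.220 > 16.1.255.2", nets, hosts))
```

Because the broadcast form drops the node number, a net named the same as some host would make "net.port" and "host.port" indistinguishable in the output, which is the reason the text recommends keeping net and node names distinct.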
  
NBP packets are formatted like the following examples:
  
icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
  
  
The first line is a name lookup request for LaserWriters sent by host 112 on net icsd and broadcast on net jssmag. The nbp id of the lookup is 190. The second line shows a reply to this request (note that it has the same id) from host jssmag.209, saying that it has a LaserWriter resource named "RM1140" registered on port 250. The third line is another reply to the same request, saying that host techpit has LaserWriter "techpit" registered on port 186.
ATP packet formatting is shown in the following example:
  
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.20. > helios.132: atp-req*12267<0-7> 0xae030002
  
  
Jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the '<0-7>'). The hex number at the end of the line is the value of the 'userdata' field in the request.
  
  