Tcpdump Grab Bag

Names (name)
tcpdump-data flow on a dump network
Overview (Synopsis)
Tcpdump[-adeflnnopqstvx][-ccount][-ffile]

[-iinterface] [-rfile] [-ssnaplen]

[-ttype] [-wfile] [Expression]

Description (DESCRIPTION)
The tcpdump prints out the header of the Boolean expression expression on a network interface.

For SunOS's nit or BPF interface: To run tcpdump, you must have read access to/dev/nit or/dev/bpf*.

For Solaris Dlpi: You must have read access to the network emulation device (Networkpseudodevice), such as/dev/le.

For HP-UX DLPI: You must be root, or install it as the root Setup UID program. For IRIX Snoop: You must be root, or install it as the root UID program. For Linux: You must be root, or install it to the root Setup UID program.

For Ultrix and Digitalunix: Once the Superuser uses Pfconfig (8) to open the promiscuous operation mode (Promiscuous-mode), any user can run tcpdump.

For BSD: You must have read access to/dev/bpf*.


Option (Options)
-A
Try to convert the network and broadcast address into a name.
-C
Exit when Count message is received.
-D
Translate the compiled message matching template (Packet-matchingcode) into a readable form, pass it to standard output, and then exit.
-dd
The message matching template (Packet-matchingcode) is output in the form of a C program fragment.
-ddd
Output the message matching template (Packet-matchingcode) as a decimal number (preceded by the total).
-E
Each row shows the link-layer header.
-F
Display the ' External ' Internet address in digital form instead of the character form (this option is used to bypass the Sun Yellow Page server of the skull's bad light---generally it hangs long when it translates an external network digital address).
-F
Use the contents of file as a filter expression. Ignores expressions on the command line.
-I.
Monitor interface. If you do not specify an interface, tcpdump in the system's interface list, looking for the smallest, already configured interface (except loopback). When selected, the connection is interrupted.
-L
Row buffer standard output. Can be used to capture data while viewing data. For example,
' Tcpdump-l|teedat ' or ' tcpdump-l>dat&tail-fdat '.
-N
Do not convert the address to a name (i.e., host address, port number, etc.)
-N
The domain name portion of the host name is not displayed. For example, if you use this option, tcpdump only displays ' Nic ' instead of ' nic.ddn.mil '.
-O
Suppresses the optimizer to run the message matching template. Only if you suspect that the optimizer has a bug.
-P
It is forbidden to put the interface into promiscuous mode. Note that the interface may be in promiscuous mode for other reasons, so '-P ' cannot be abbreviated as ' etherhost{local-hw-addr} or Etherbroadcast '.
-Q
Fast output. Displays less protocol information, and the output line is a little shorter.
-R
Read the datagram from file (the file was created with the-w option). If file is '-', go to standard input.
-S
Intercept Snaplen bytes of data from each message instead of the default of 68 (if SunOS is the NIT, the minimum is 96). 68 bytes are available for ip,icmp,tcp and UDP, but it is possible to truncate the protocol information for the name Server and NFS messages (see below). If you specify ' [|proto] ' at the output, tcpdump can point to a datagram that is too small to capture, where the proto is the protocol layer name where the truncation occurs. Note that a larger capture range increases the time to process the message and correspondingly reduces the amount of buffer for the message. may result in the loss of the message. You should set the Snaplen as small as possible, as long as you can accommodate the protocol information you need.

-T
The message selected through "expression" is interpreted as the specified type. Currently known types are: RPC (Remote procedure call Remoteprocedurecall), RTP ( Real-time Application protocol Real-timeapplicationsprotocol), RTCP (real-time application Control Protocol Real-timeapplicationscontrolprotocol), VAT ( Visual Audio Tools Visualaudiotool), and WB (distributed Whiteboard Distributedwhiteboard).
-S
Displays the absolute, not the relative TCP sequence number.
-T
Suppresses the display of timestamp flags.
-tt
Displays the unformatted timestamp flag.
-V
(A little more) tedious output. For example, displays the lifetime and service types in an IP datagram.
-vv
More verbose output. For example, displays an additional Domain for NFS response messages.
-W
The original message is stored in file instead of analyzed and displayed. They can be displayed later with the-r option. If file is '-', write to standard output.
-X
Displays each message in 16 decimal digits (after removing the link layer header). You can display a smaller complete message, otherwise only Snaplen bytes are displayed.
Expression
Used to select the datagram to dump. If expression is not specified, all messages for the network are dumped. Otherwise, only datagrams with expression ' true ' are dumped.
Expression one or more primitives (primitive). The primitive is usually composed of an identity (ID, name, or number), and one or more modifiers (qualifier) preceding the identity. There are three different types of modifiers:

Type
Type modifiers indicate what type of identity name or identity number represents. The types you can use are host,net and port. For example, ' Hostfoo ', ' net128.3 ', ' port20 '. If you do not specify a type modifier, the default host is used.

Dir
The orientation modifier indicates the transport direction relative to the identity (whether the data is incoming or outgoing). The directions you can use are SRC,DST,SRCORDST and SRCANDDST. For example, ' Srcfoo ', ' dstnet128.3 ', ' Srcordstportftp-data '. If you do not specify a direction modifier, the default srcordst is used. For the ' null ' link layer (that is, a point-to-side protocol like slip), specify the desired transmission direction with the inbound and outbound modifiers.
Proto
Protocol modifiers are required to match the specified protocol. The protocols that can be used are: Ether,fddi,ip,arp,rarp,decnet,lat,sca,moprc,mopdl,tcp and UDP. For example, ' Ethersrcfoo ', ' arpnet128.3 ', ' tcpport21 '. If you do not specify a protocol modifier, all protocols that conform to the type are used. For example, ' Srcfoo ' means ' (IP or ARP or rarp) Srcfoo ' (note that the latter does not conform to the syntax), ' Netbar ' refers to ' ( IP or ARP or rarp) Netbar ', ' port53 ' refers to ' (TCP or UDP) Port53 '.
[' FDDI ' is actually an alias of ' ether '; the parser treats them as ' the data link layer used on the specified network interface. ' The FDDI header contains a source address similar to the Ethernet protocol, and typically contains a message type similar to the Ethernet protocol, so you can filter the FDDI domain as if you were analyzing the Ethernet protocol. The FDDI header also contains other domains, but you cannot explicitly describe them in filter expressions.


As a complement to the above, there are special ' primitive ' keywords that are different from the above pattern: Gateway,broadcast,less,greater and mathematical expressions. These are described in the back.

More complex filter expressions can be formed through and,or and not connection primitives. For example, ' Hostfooandnotportftpandnotportftp-data '. The same modifier can be omitted in order to knock down the key less. For example, ' Tcpdstportftporftp-dataordomain ' is actually ' tcpdstportftportcpdstportftp-dataortcpdstportdomain '.

The Allowed primitives are:

Dsthosthost
If the destination address domain of the IP in the message is host, the logic is true. The host can be either an address or a host name.
Srchosthost
If the source address domain of the IP in the message is host, the logic is true.
Hosthost
If the source address domain or destination address domain of the IP in the message is host, the logic is true. All the host expressions above can be prefixed with ip,arp, or Rarp keywords, as follows:
Iphosthost

It is equivalent to:
Etherproto\ipandhosthost

If host is a hostname with more than one IP address, each of its addresses will be inspected.

Etherdstehost
The logic is true if the Ethernet destination address of the message is ehost. Ehost can be either a name (/etc/ethers) or a number (see also ethers (3N) for the number format).
Ethersrcehost
If the Ethernet source address of the message is Ehost, then the logic is true.
Etherhostehost
If the Ethernet source address or the Ethernet destination address of the message is Ehost, then the logic is true.
Gatewayhost
If the message hosts the host as a gateway, the logic is true. That is, the source or destination address of the message is host, but the IP address is not host.host must be a hostname, and must exist in/etc/hosts and/etc/ethers. (An equivalent expression is
Etherhostehostandnothosthost

For Host/ehost, it can be either a name or a number.)
Dstnetnet
If the IP destination address of the message belongs to network number NET, the logic is true. NET can be either a name (in/etc/networks) or a network number. (See Networks (4)).
Srcnetnet
If the IP source address of the message belongs to network number NET, the logic is true.
Netnet
If the IP source address or destination address of the message belongs to network number NET, the logic is true.
Netnetmaskmask
If the IP address matches the net of the specified netmask (netmask), the logic is true. Primitives can be modified with SRC or DST.
Netnet/len
If the IP address matches the net of the specified netmask, the logic is true and the effective bit width of the mask is Len. The primitive language can be modified with SRC or DST.
Dstportport
If the message is IP/TCP or IP/UDP, and the destination port is port, the logic is true. Port is a number, or it can be a name described in/etc/services (see TCP (4P) and UDP (4P)). If you use a name, Then check the port number and protocol. If you use a number, or if you have two righteous names, only the port number is checked (for example, dstport513 will display tcp/login data and udp/who data, and Portdomain will show Tcp/domain and udp/ Domain data).
Srcportport
If the source port number of the message is port, the logic is true.
Portport
If the source port or destination port of the message is port, then the logic is true. Any of these port expressions can be prefixed with the keyword TCP or UDP, as follows:
Tcpsrcportport

It only matches the TCP message that the source port is port.
Lesslength
If the message is less than or equal to length, the logic is true. It is equivalent to:
Len<=length.

Greaterlength
If the message is longer than or equal to length, the logic is true. It is equivalent to:
Len>=length.

Ipprotoprotocol
If the message is an IP datagram (see IP (4P)), the protocol type of the content is protocol, then the logic is true. Protocol can be either a number or one of the following names: Icmp,igrp,udp,nd, or TCP. Note These identifiers tcp,udp, and ICMP are also keywords, so you must escape with a backslash (\), which should be \ \ in C-shell.
Etherbroadcast
If the message is an Ethernet broadcast message, the logic is true. The keyword ether is optional.
Ipbroadcast
If the message is an IP broadcast message, the logic is true. Tcpdump checks the full 0 and all 1 broadcast conventions, and checks the local subnet mask.
Ethermulticast
If the message is an Ethernet multicast message (multicast), the logic is true. The keyword ether is optional. This is actually a shorthand for ' ether[0]&1!=0 '.
Ipmulticast
If the message is an IP multicast message, the logic is true.
Etherprotoprotocol
If the message protocol belongs to the Protocol of the ether type, the logic is true. Protocol can be a number, or it can be a name, such as Ip,arp, or rarp. Note These identifiers are also keywords, so you must escape with a backslash (\). [If it is FDDI (for example, ' Fddiprotocolarp '), the protocol identifier comes from the 802.2 logical Link Control (LLC) header, which is usually located at the top of the FDDI header. When the packet is filtered according to the protocol, Tcpdump assumes that all FDDI messages contain the LLC header, and the LLC header is in SNAP format.]

Decnetsrchost
If the source address of the DECnet is host, the logic is true and the host address may be in the form of ' 10.123 ', or the DECnet host name. [Only the ULTRIX system configured to run DECnet supports DECnet hostname.]
Decnetdsthost
If the destination address of the DECnet is host, the logic is true.
Decnethosthost
If the source address or destination address of the DECnet is host, the logic is true.
Ip,arp,rarp,decnet
Is:
Etherprotop

, where P is a form of the above-mentioned protocol.
Lat,moprc,mopdl
Is:
Etherprotop

, where P is one of the above protocols. Note Tcpdump currently does not know how to analyze these protocols.
tcp,udp,icmp
Is:
Ipprotop

, where P is a form of the above-mentioned protocol.
exprrelopexpr
If this relationship is true, then the logic is real, where RelOp is one of the >,<,>=,<=,=,!=, and expr is a mathematical expression, consisting of a constant integer (the standard C syntax form), a normal binary operator [+,-, *,/,&,|], A length operator, and a specified message data access operator. To access the data within the message, use the following syntax:
Proto[expr:size]

Proto is one of the ether,fddi,ip,arp,rarp,tcp,udp,oricmp, and also points out the protocol layer for subscript operations. Expr gives the offset of the byte unit, which is relative to the specified protocol layer. The size is optional and indicates the number of bytes of interest; it can be 1,2,4, which defaults to 1 bytes. The length operator given by the keyword Len indicates the length of the message.
For example, ' Ether[0]&1!=0 ' captures all the multicast messages. Expression ' ip[0]&0xf!=5 ' captures all IP packets with optional domains. Expression ' ip[6:2]&0x1fff=0 ' Only datagrams that are not fragmented and have a slice offset of 0 are captured. This check is implied in TCP and UDP subscript operations. For example, tcp[0] must be the first byte of the TCP header, not the first byte of one of the IP slices.

The primitives can be used in combination with the following methods:

The primitive and operator (the garden brackets in the shell are dedicated, so they must be escaped).
Take the reverse action ('! ') or ' not ').
Link operation (' && ' or ' and ').
Or operation (' | | ') or ' or ').
The reverse operation has the highest priority. Or the operation and the link operation have the same priority, the operation is combined from left to right. Note the JOIN operation requires an explicit and operator instead of a side-by-side placement.

If an identifier is given, but the keyword is not given, then the most recently used keyword is implied. For example,

Nothostvsandace

As
Nothostvsandhostace

The shorthand form should not and
Not (Hostvsorace)

Confuse.
Expression parameters can be passed as a single parameter to tcpdump or as a composite parameter, which is more convenient. Generally speaking, it is easier to pass a single enclosed parameter if the expression contains Shell metacharacters (metacharacter). Compound parameters are joined together with a space before being parsed.


Example (EXAMPLES)
Show all incoming and outgoing sundown messages:

Tcpdumphostsundown

Shows the message transfer between the Helios and the host Hot,ace:

Tcpdumphostheliosand\ (hotorace\)

Displays the ACE and IP messages for all hosts except Helios:

Tcpdumpiphostaceandnothelios

Displays network data between the local host and the host of the Berkeley:

Tcpdumpnetucb-ether

Display all FTP messages via Gateway Snup (Note that this expression is enclosed in quotation marks to prevent the shell from interpreting the brackets):

Tcpdump ' Gatewaysnupand (portftporftp-data) '

Displays network data that is neither from the local host nor to the local host (if you turn the gateway to a different network, this will not send the data to your local network).

Tcpdumpipandnotnetlocalnet

Displays the start and end messages for each TCP session (SYN and FIN messages), and a remote host in the conversation party.

Tcpdump ' Tcp[13]&3!=0andnotsrcanddstnetlocalnet '

Displays IP datagrams that are larger than 576 bytes in the Gateway Snup:

Tcpdump ' gatewaysnupandip[2:2]>576 '

Displays the datagram of IP broadcasts or multicast transmissions that are not transmitted via Ethernet broadcast or multi-purpose transmission:

Tcpdump ' ether[0]&1=0andip[16]>=224 '

Displays all ICMP messages that are not echo requests/responses (that is, not ping messages):

Tcpdump ' icmp[0]!=8andicmp[0]!=0 '

Output Format (OutputFormat)
The output format of the tcpdump depends on the protocol. The following description gives a brief description and example of most formats.

Link Layer Header (linklevelheaders)

The link layer header is displayed if the '-e ' option is given. On the Ethernet, the source address, protocol and message length of the message are displayed.

On FDDI networks, the '-e ' option causes Tcpdump to display the ' Frame Control (framecontrol) ' field, source address, and message length. (The ' Frame control ' field is responsible for interpreting the remaining messages.) a normal message (such as an IP datagram) is an ' asynchronous ' message with a priority of 0 to 7, for example, ' Async4 '. These are considered to contain 802.2 logical link control (LLC) messages; If they are not an ISO datagram or a so-called snap message, the LLC header is displayed.

(Note: The following description assumes that you are familiar with the slip compression algorithm described in RFC-1144.)

On the slip link, tcpdump shows direction indication (' I ' refers to inbound, ' O ' refers to outbound), message type, and compression information. The message type is displayed first. There are three types of IP, Utcp and ctcp. No more link information is displayed for IP messages. For TCP messages, the connection ID is displayed after the type. If the message is compressed, the encoded header is displayed. Special cases are shown in the form of *s+n and *sa+n, where n is the sequence number (or sequence number and its confirmation) The sum of the changes that occurred. If it is not a special case, 0 or more changes are shown. Changes are indicated by U (urgentpointer), W (window), a (ACK), S (SequenceNumber), and I (Packetid), followed by a change (+ Nor-n), or another value (=n). Finally, the sum of the data in the message is displayed, along with the length of the compressed header.

For example, the following line shows an outgoing compressed TCP message with an implied connection identifier, a confirmation (ACK) Change of 6, a sequence number of 49, a message ID of 6, a three-byte data, and a six-byte compression header:

OCTCP*A+6S+49I+63 (6)

Arp/rarp message

The output of the ARP/RARP message displays the request type and its parameters. The output format tends to be self-explanatory. Here is a simple example, from the host RTSG to the host Csam ' Rlogin ' Start part:

Arpwho-hascsamtellrtsg
Arpreplycsamis-atcsam


The first line indicates that RTSG sends an ARP message asking for the Ethernet address of the Internet host Csam. Csam uses its Ethernet address (in this case, the Ethernet address is uppercase and the Internet address is lowercase).
If you use Tcpdump-n to look clear:

arpwho-has128.3.254.6tell128.3.254.68
Arpreply128.3.254.6is-at02:07:01:00:01:c4

If you use TCPDUMP-E, you can see that the first message is actually broadcast, and the second message is point-to:

Rtsgbroadcast080664:arpwho-hascsamtellrtsg
Csamrtsg080664:arpreplycsamis-atcsam


Here the first message indicates that the Ethernet source address is RTSG, the destination address is the Ethernet broadcast address, the type domain is 16 binary number 0806 (type Ether_arp), the message length 64 bytes.
TCP Messages

(Note: The following description assumes you are familiar with the TCP protocol described in RFC-793, and if you do not understand this protocol, either this article or the tcpdump is not very useful to you)

Generally, the output format of the TCP protocol is:

Src>dst:flagsdata-seqnoackwindowurgentoptions


SRC and DST are source IP addresses and ports. Flags are S (SYN), F (FIN), P (PUSH) or R (RST) or separate '. ' (no flags), or a combination of them. Data-seqno describes the position of the data in this article in the flow sequence number (see the following example). The ACK is the stream sequence number (SequenceNumber) of the incoming byte that the source machine wants to receive on this connection. window is the byte size of the source receive buffer on this connection. Urg indicates that the message is ' Emergency (urgent) ' data. Options are TCP optional headers, enclosed in angle brackets (for example,).
SRC,DST and flags must be there. Other domains only output the necessary portions based on the TCP header content of the message.

The following is the beginning of the host Rtsgrlogin to the host Csam.

rtsg.1023>csam.login:s768512:768512 (0) win4096
csam.login>rtsg.1023:s947648:947648 (0) ack768513win4096
rtsg.1023>csam.login:.ack1win4096
Rtsg.1023>csam.login:p1:2 (1) ack1win4096
csam.login>rtsg.1023:.ack2win4096
Rtsg.1023>csam.login:p2:21 (ack1win4096)
Csam.login>rtsg.1023:p1:2 (1) ack21win4077
Csam.login>rtsg.1023:p2:3 (1) ack21win4077urg1
Csam.login>rtsg.1023:p3:4 (1) ack21win4077urg1


The first line is to send a message from the RTSG TCP port 1023 to the Csam login port. The S flag indicates that the SYN flag is set. The stream sequence number of the message is 768512, no data. (This is written as ' First:last (nbytes) ', which means ' from stream serial number first to last, not including last, nbytes bytes of user data '.) At this time there is no piggyback acknowledgement (piggy-backedack), the valid receive window is 4096 bytes, there is a maximum segment size (max-segment-size) option, the request setting MSS is 1024 bytes.
Csam responds in a similar form, but adds a piggyback acknowledgment to the Rtsgsyn. Then RTSG confirms the Csam syn. '. ' This means that no flags are set. This message does not contain data, so there is no stream sequence number for the data. Note that this confirmation stream sequence number is a small integer (1). When Tcpdump first discovers a TCP session, it displays the stream sequence number that the message carries. In the subsequent messages received, It shows the difference between the current message and the stream sequence number of the original message. This means that starting with the first message, the subsequent flow sequence numbers can be understood as relative displacements in the data stream asrelativebytepositionsintheconversation ' Sdatastream ( Withthefirstdatabyteeachdirectionbeing ' 1 '). The '-S ' option can change this feature to directly display the original stream sequence number.

On line sixth, RTSG is passed to csam19 bytes of data (bytes 2 to 20). The push flag is set in the message. Line seventh Csam indicates that it received the data rtsg, the byte sequence number is 21, but not the 21st byte. Obviously most of the data is in the buffer area of the socket, Because the Csam receive window receives less than 19 bytes of data. At the same time, Csam sends a byte of data to RTSG. The first and Nineth lines show that Csam sent two bytes of emergency data to RTSG.

If the snapping area is set too small to capture the full TCP header, Tcpdump will translate the captured parts as much as possible and then display "[|tcp]", which indicates that the remainder cannot be translated. If the header contains a forged option (tcpdump Onewithalengththat ' Seithertoosmallorbeyondtheendoftheheader), tcpdump show ' [badopt] ' and no longer translate the other options section (because it is impossible to determine where to start) If the header length indicates an option, but the IP datagram length is not sufficient, it is not possible to really save the option, Tcpdump will display "[Badhdrlength]".

UDP packets

The UDP format is shown as this rwho message:

Actinide.who>broadcast.who:udp84


This means sending a UDP datagram from the WHO port of the host actinide to the WHO port of the Broadcast,internet broadcast address. The message contains 84 bytes of user data.
Some UDP services can be identified (from the source port number), thus displaying higher level protocol information. In particular, Domain Name service requests (rfc-1034/1035) and NFS RPC calls (RFC-1050).

UDP Domain Name Service request (nameserverrequests)

(Note: The following description assumes that you are familiar with the RFC-1035 description of the Domain Name Service agreement.) If you are unfamiliar with this protocol, the following content is like a heavenly book.)

The format of the Domain Name Service request is

Src>dst:idop?flagsqtypeqclassname (len)

H2opolo.1538>helios.domain:3+a?ucbvax.berkeley.edu. (37)

Host H2opolo accesses the domain name service on Helios, asking for and ucbvax.berkeley.edu. Associated Address record (QTYPE=A). The query number is ' 3 '. ' + ' indicates that a recursive request flag is set. The query length is 37 bytes, The UDP and IP headers are not included. The query operation is a normal querying operation, so the OP domain can be ignored. If OP is set to something else, it should appear between ' 3 ' and ' + '. Similarly, Qclass is a common c_in type and is ignored. Other types of qclass should be in the ' A ' is shown later.
Tcpdump will check for irregularities, and the corresponding result is placed in square brackets as a supplemental field: If a query contains an answer, a name service, or a management body part, the Ancount,nscount, or Arcount, is displayed as ' [Na] ', ' [nn] ' or ' [Nau] ', The n here represents the corresponding quantity. If in the second and third bytes, any one of the answer bits (Aa,ra or rcode) or any one ' must be zero ' is set, the ' [B2&3=x] ' is displayed, where x is the 16 binary number of the second and third bytes of the header.

UDP Name Service Answer

The format of the name service answer is

Src>dst:idoprcodeflagsa/n/autypeclassdata (len)

helios.domain>h2opolo.1538:33/3/7a128.32.137.3 (273)
helios.domain>h2opolo.1537:2nxdomain*0/1/0 (97)


In the first example, Helios answered H2opolo's 3 query, which is a total of 3 answer records, 3 name Service records, and 7 management structure records. The first type of answer record is a (address), The data is an Internet address 128.32.137.3. The total length of the answer is 273 bytes, not including UDP and IP headers. The Class A record (c_in) can ignore OP (ask) and Rcode (NOERROR).
In the second example, Helios the answer to the domain name does not exist (NXDomain) for the query identified as 2, there is no answer record, a name service record, and no management structure.
' * ' indicates that the authoritative answer is set (Authoritativeanswer). Because there is no answer record, type,class and data are not displayed here.

Other flag characters can be displayed as '-' (No recursive Active (RA) set) and ' | ' (Set message truncation (TC)). If the ' Problem ' section does not have a valid content, it displays ' [NQ] '.

Note that the query and answer to the name service is generally large, and the 68-byte Snaplen may not capture enough of the message content. If you do study the name service, you can use the-s option to increase the capture buffer. '-s128 ' should have worked well.


NFS Requests and responses

The request and Response display format for the SUNNFS (Network File system) is:

Src.xid>dst.nfs:lenopargs
Src.nfs>dst.xid:replystatlenopresults


sushi.6709>wrl.nfs:112readlinkfh21,24/10.73165
Wrl.nfs>sushi.6709:replyok40readlink ". /var "
Sushi.201b>wrl.nfs:
144lookupfh9,74/4096.6878 "Xcolors"
WRL.NFS&GT;SUSHI.201B:
replyok128lookupfh9,74/4134.3150

On the first line, the host sushi sends a trade session number 6709 to the WRL (note that the number behind the source host is the transaction number, not the port). This request is 112 bytes long and does not include UDP and IP headers. in file handle (FH) 21,24/ The Readlink (read symbolic Connection) operation is performed on 10.731657119. (If you're lucky, as in this case, the file handle can be translated into primary and secondary device number, I node number, and event number (Generationnumber).) The WRL answers ' OK ' and connected content.
On the third line, sushi requests that the WRL find ' xcolors ' in the catalog file 9,74/4096.6878. Note The format of the data depends on the type of operation. The format should be self-explanatory.

The-V (verbose) option is given to display additional information. For example:


Sushi.1372a>wrl.nfs:
148readfh21,11/[email protected]
WRL.NFS&GT;SUSHI.1372A:
replyok1472readreg100664ids417/0sz29388

(-V also causes it to display the IP header's Ttl,id, and the Shard fields, which are omitted in this example.) In the first line, sushi requests the wrl to read 8192 bytes from the offset position of file 21,11/12.195 24576. The WRL answers ' OK '; the second line shows the first shard of the answer, so only 1472 bytes (the rest of the data is passed in the subsequent shards, but because there is no NFS or even UDP header in these shards, it may not be displayed depending on the filter expression used).- The V option also displays some file attributes (which are passed back as part of the file data): File type (normal file ' REG '), access mode (octal number), UID and GID, and file size.
If you give another-v option (-VV), you can also show more details.

Note the amount of data that is requested by NFS is very large, and many details cannot be displayed unless you increase snaplen. Try the '-s192 ' option.

The NFS response message is not explicitly marked with an RPC operation. Therefore, Tcpdump reserves the "recent" request record, matching the response message according to the transaction number. If the response message does not have a corresponding request message, it cannot be parsed.

Kipappletalk (DDP on UDP)

The APPLETALKDDP message is encapsulated in a UDP datagram and then dumped by the DDP message after unpacking (that is, ignoring all UDP header information). The file/etc/atalk.names is used to translate the AppleTalk network and the node number into a name. The line format for this file is

Numbername

1.254ether
16.1icsd-net
1.254.110ace


The first two lines give the network name of the AppleTalk. The third line gives the name of a host (host and network based on the third set of numbers-the network number must be two sets of numbers, the host number must be three groups of numbers.) The number and name are separated by a blank character (space or tab)./etc/atalk.names files can contain blank lines or comment lines (lines starting with ' # ').
AppleTalk address is displayed in this format

Net.host.port

144.1.209.2>icsd-net.112.220
office.2>icsd-net.112.220
Jssmag.149.235>icsd-net.2


(If there is no/etc/atalk.names, or if a valid item is missing, the address is displayed numerically.) In the first example, a 209-node NBP (DDP Port 2) of network 144.1 sends data to 220 ports on the network ICSD's 112 node. The second line is the same as above, just knowing the full name of the source node (' Office '). The third line is broadcast from the 235 port of the network Jssmag 149 node to the NBP port of Icsd-net (note that the broadcast address (255) is implied in the network name without the host number-so it is a good idea to differentiate node names and network names in/etc/atalk.names).
Tcpdump can translate the message contents of the NBP (name Junction Protocol) and the ATP (AppleTalk Interaction Protocol). Other protocols only dump the protocol name (or number if it has not yet registered the name) and the message size.

The output format of the NBP message is like the following example:

icsd-net.112.220>jssmag.2:nbp-lkup190: "=:[email protected]*"
jssmag.209.2>icsd-net.112.220:nbp-reply190: "Rm1140:[email protected]*" 250
techpit.2>icsd-net.112.220:nbp-reply190: "Techpit:[email protected]*" 186


The first line is the network ICSD 112 host on the network Jssmag broadcast, the name LaserWriter make the name query request. The NBP identification number for the name Query request is 190. The second line shows the answer to the request (note that they have the same identification number), Host jssmag.209 indicates that a LaserWriter resource is registered on its port 250, and the name is "RM1140". The third line is the other answer to this request, the host Techpit 186 ports have LaserWriter registered "Techpit".
The ATP message format is shown in the following example:

jssmag.209.165>helios.132:atp-req12266<0-7>0xae030001
helios.132>jssmag.209.165:atp-resp12266:0 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:1 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:2 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:3 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:4 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:5 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:6 (0xae040000)
Helios.132>jssmag.209.165:atp-resp*12266:7 (0xae040000)
jssmag.209.165>helios.132:atp-req12266<3,5>0xae030001
Helios.132>jssmag.209.165:atp-resp12266:3 (0xae040000)
Helios.132>jssmag.209.165:atp-resp12266:5 (0xae040000)
jssmag.209.165>helios.132:atp-rel12266<0-7>0xae030001
jssmag.209.133>helios.132:atp-req*12267<0-7>0xae030002


jssmag.209 initiated transaction No. 12,266th to host Helios, requesting 8 messages (' <0-7> '). The hexadecimal number of the end of the line is the value of the ' UserData ' field in the request.

Wireshark Analysis of the clutch

./tcpdump-i eth0-s 0-w successc2server.pcap host 192.168.1.20 grab all the packages on the host, let Wireshark filter

Tcpdump Grab Bag