NAME
tcpdump - dump traffic on a network

SYNOPSIS
tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ]
[ -i interface ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -w file ] [ expression ]

DESCRIPTION
Tcpdump prints out the headers of packets on a network interface that match the boolean expression.

Under SunOS with NIT or BPF: to run tcpdump you must have read access to /dev/nit or /dev/bpf*.
Under Solaris with DLPI: you must have read access to the network pseudo device, e.g. /dev/le.
Under HP-UX with DLPI: you must be root or tcpdump must be installed setuid to root.
Under IRIX with snoop: you must be root or tcpdump must be installed setuid to root.
Under Linux: you must be root or tcpdump must be installed setuid to root.
Under Ultrix and Digital UNIX: once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run tcpdump.
Under BSD: you must have read access to /dev/bpf*.

Note that a setuid-root install runs tcpdump's protocol parsers as root on behalf of any local user and on attacker-supplied packets; where the platform allows it, granting read access to the capture device to a restricted group is the safer route.
OPTIONS
-a
Attempt to convert network and broadcast addresses to names.
-c count
Exit after receiving count packets.
-d
Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd
Dump packet-matching code as a C program fragment.
-ddd
Dump packet-matching code as decimal numbers (preceded by a count).
-e
Print the link-level header on each dump line.
-f
Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server, which usually hangs forever translating non-local internet numbers).
-F file
Use file as input for the filter expression. An additional expression given on the command line is ignored.
-i interface
Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.
-l
Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.
-n
Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
-N
Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.
-O
Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p
Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.
-q
Quick (quiet) output. Print less protocol information so output lines are shorter.
-r file
Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.
-s snaplen
Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in.
-T type
Force packets selected by expression to be interpreted as the specified type. Currently known types are rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), vat (Visual Audio Tool), and wb (distributed White Board).
-S
Print absolute, rather than relative, TCP sequence numbers.
-t
Don't print a timestamp on each dump line.
-tt
Print an unformatted timestamp on each dump line.
-v
(Slightly more) verbose output. For example, the time to live and type of service information in an IP packet is printed.
-vv
Even more verbose output. For example, additional fields are printed from NFS reply packets.
-w file
Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.
-x
Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed.
EXPRESSION
expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. A primitive usually consists of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type
qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir
qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto
qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, ip, arp, rarp, decnet, lat, sca, moprc, mopdl, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface''. FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:
dst host host
True if the IP destination field of the packet is host, which may be either an address or a name.
src host host
True if the IP source field of the packet is host.
host host
True if either the IP source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, or rarp as in:
ip host host
which is equivalent to:
ether proto \ip and host host
If host is a name with multiple IP addresses, each address will be checked for a match.
ether dst ehost
True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for the numeric format).
ether src ehost
True if the ethernet source address is ehost.
ether host ehost
True if either the ethernet source or destination address is ehost.
gateway host
True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
ether host ehost and not host host
which can be used with either names or numbers for host / ehost.)
dst net net
True if the IP destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).
src net net
True if the IP source address of the packet has a network number of net.
net net
True if either the IP source or destination address of the packet has a network number of net.
net net mask mask
True if the IP address matches net with the specified netmask. May be qualified with src or dst.
net net/len
True if the IP address matches net with a netmask len bits wide. May be qualified with src or dst.
dst port port
True if the packet is ip/tcp or ip/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
True if the packet has a source port value of port.
port port
True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
tcp src port port
which matches only tcp packets whose source port is port.
less length
True if the packet has a length less than or equal to length. This is equivalent to:
len <= length.
greater length
True if the packet has a length greater than or equal to length. This is equivalent to:
len >= length.
ip proto protocol
True if the packet is an ip packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell.
ether broadcast
True if the packet is an ethernet broadcast packet. The ether keyword is optional.
ip broadcast
True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.
ether multicast
True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.
ip multicast
True if the packet is an IP multicast packet.
ether proto protocol
True if the packet is of ether type protocol. Protocol can be a number or a name like ip, arp, or rarp. Note that these identifiers are also keywords and must be escaped via backslash (\). [In the case of FDDI (e.g., `fddi protocol arp'), the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI header. Tcpdump assumes, when filtering on the protocol identifier, that all FDDI packets include an LLC header, and that the LLC header is in so-called SNAP format.]
decnet src host
True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]
decnet dst host
True if the DECNET destination address is host.
decnet host host
True if either the DECNET source or destination address is host.
ip, arp, rarp, decnet
Abbreviations for:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Abbreviations for:
ether proto p
where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.
tcp, udp, icmp
Abbreviations for:
ip proto p
where p is one of the above protocols.
expr relop expr
True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:
proto [ expr : size ]
Proto is one of ether, fddi, ip, arp, rarp, tcp, udp, or icmp, and indicates the protocol layer for the index operation. The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and fragment zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.
Primitives may be combined using:
A parenthesized group of primitives and operators (parentheses are special to the shell and must be escaped).
Negation (`!' or `not').
Concatenation (`&&' or `and').
Alternation (`||' or `or').
Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,
not host vs and ace
is short for
not host vs and host ace
which should not be confused with
not ( host vs or ace )

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.
EXAMPLES
To print all packets arriving at or departing from sundown:
tcpdump host sundown
To print traffic between helios and either hot or ace:
tcpdump host helios and \( hot or ace \)
To print all IP packets between ace and any host except helios:
tcpdump ip host ace and not helios
To print all traffic between local hosts and hosts at Berkeley:
tcpdump net ucb-ether
To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):
tcpdump 'gateway snup and (port ftp or ftp-data)'
To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):
tcpdump ip and not net localnet
To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:
tcpdump 'tcp[13] & 3 != 0 and not src and dst net localnet'
To print IP packets longer than 576 bytes sent through gateway snup:
tcpdump 'gateway snup and ip[2:2] > 576'
To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast (the first octet of the destination address, ip[16], is 224 or higher for every multicast address):
tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'
To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):
tcpdump 'icmp[0] != 8 and icmp[0] != 0'
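The byte-index primitives used in the last few examples are easy to get subtly wrong, in particular the rule that tcp[...] offsets are relative to the transport header and silently never match on non-first fragments. The following is an added example, not part of tcpdump or this manual page: a small evaluator that applies the layer-relative rule to constructed Ethernet/IPv4/TCP frames (untagged Ethernet II framing is assumed) and implements `ether[0] & 1 != 0', `ip[0] & 0xf != 5', `ip[6:2] & 0x1fff = 0', `tcp[13] & 3 != 0' and `ip[2:2] > n' as predicates.

```python
# Added example, not part of tcpdump or its man page: a small evaluator for
# the proto[expr:size] byte-index primitives.  The packets are constructed
# here (untagged Ethernet II framing is assumed); nothing is captured.
import struct

ETH_HDR_LEN = 14          # assumption: untagged Ethernet II frames
ETHERTYPE_IP = 0x0800


def eth_hdr(dst, src, ethertype=ETHERTYPE_IP):
    return dst + src + struct.pack("!H", ethertype)


def ipv4_hdr(src, dst, proto, payload_len, options=b"", frag_off=0, more=False):
    """IPv4 header with the fields the filters below look at.  options must
    be a multiple of 4 bytes; frag_off is in 8-byte units as on the wire."""
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      0x1234, flags_frag, 64, proto, 0, src, dst)
    return hdr + options


def tcp_hdr(sport, dport, flags):
    """Minimal 20-byte TCP header; flags is the raw byte that tcp[13] reads."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


class Packet:
    """proto[off:size] access with tcpdump's layer-relative offsets."""

    def __init__(self, frame):
        self.frame = frame

    def _layer_start(self, proto):
        """Frame offset of the named layer, or None if the index does not
        apply to this packet (wrong ethertype, or a non-first fragment)."""
        if proto == "ether":
            return 0
        ethertype = struct.unpack("!H", self.frame[12:14])[0]
        if ethertype != ETHERTYPE_IP:
            return None                   # ip[...] implies ether proto \ip
        ip = ETH_HDR_LEN
        if proto == "ip":
            return ip
        # tcp/udp/icmp offsets are relative to the transport header and, as
        # the man page says, only valid when ip[6:2] & 0x1fff is zero.
        frag = struct.unpack("!H", self.frame[ip + 6:ip + 8])[0] & 0x1FFF
        if frag != 0:
            return None
        return ip + (self.frame[ip] & 0x0F) * 4

    def index(self, proto, off, size=1):
        base = self._layer_start(proto)
        if base is None:
            return None
        field = self.frame[base + off:base + off + size]
        if len(field) < size:
            return None                   # beyond the captured bytes
        return int.from_bytes(field, "big")


# The expressions from the text as predicates.  A None index never matches,
# just as tcpdump's compiled code rejects such a packet.
def is_multicast(p):           # ether[0] & 1 != 0
    v = p.index("ether", 0)
    return v is not None and v & 1 != 0


def has_ip_options(p):         # ip[0] & 0xf != 5
    v = p.index("ip", 0)
    return v is not None and v & 0xF != 5


def is_first_fragment(p):      # ip[6:2] & 0x1fff = 0
    v = p.index("ip", 6, 2)
    return v is not None and v & 0x1FFF == 0


def is_syn_or_fin(p):          # tcp[13] & 3 != 0
    v = p.index("tcp", 13)
    return v is not None and v & 3 != 0


def longer_than(p, n):         # ip[2:2] > n
    v = p.index("ip", 2, 2)
    return v is not None and v > n


def sample_packets():
    """Constructed frames covering the cases discussed in the text."""
    mac_a, mac_b = bytes.fromhex("020701000101"), bytes.fromhex("020701000102")
    mcast = bytes.fromhex("01005e000001")
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    syn, ack = tcp_hdr(1023, 513, 0x02), tcp_hdr(1023, 513, 0x10)

    def frame(dst_mac, tcp, **ip_kw):
        return Packet(eth_hdr(dst_mac, mac_a) + ipv4_hdr(host_a, host_b, 6, len(tcp), **ip_kw) + tcp)

    return {
        "syn": frame(mac_b, syn),
        "ack": frame(mac_b, ack),
        "syn_in_frag2": frame(mac_b, syn, frag_off=185),    # not fragment zero
        "with_options": frame(mac_b, ack, options=b"\x01\x01\x01\x01"),
        "multicast": frame(mcast, ack),
        "arp": Packet(eth_hdr(mac_b, mac_a, 0x0806) + b"\x00" * 28),
    }
```

The "syn_in_frag2" case is the one to remember when writing a SYN/FIN detector: a filter on tcp[13] sees nothing in trailing fragments, so a deliberately fragmented handshake is only visible to the ip[...] primitives or to a tool that reassembles.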
OUTPUT FORMAT
The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.

Link Level Headers
If the '-e' option is given, the link level header is printed out. On ethernets, the source and destination addresses, protocol, and packet length are printed.

On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.)

(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)

On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type, and compression information are printed out. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed out. The special cases are printed out as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed. A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:
O ctcp * A+6 S+49 I+6 3 (6)

ARP/RARP Packets
Arp/rarp output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case).

This would look less redundant if we had done tcpdump -n:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4
If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
For the first packet this says the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.
TCP Packets
(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)

The general format of a tcp protocol line is:
src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST), or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.

Here is the opening portion of an rlogin from host rtsg to host csam.
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)', which means `sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet contained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being `1'). `-S' will override this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it has received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer, since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as ``[bad hdr length]''.
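To make the relative-sequence-number bookkeeping and the three damage markers concrete, here is an added example, not tcpdump's own code: a printer that renders constructed TCP segments in the format above. It assumes -n style numeric ports, that the first packet seen in each direction is printed with absolute numbers and becomes that direction's base (acks are relative to the opposite direction's base once it is known), and it reproduces the rlogin opening from the text before feeding it a header cut by snaplen, a zero-length option, and a data offset larger than the IP payload.

```python
# Added example, not part of tcpdump: print TCP segments in the
# `src > dst: flags data-seqno ack window urgent options' form, including
# relative sequence numbers and the [|tcp], [bad opt] and [bad hdr length]
# markers.  Segments are constructed below; ports print numerically.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_CHARS = ((SYN, "S"), (FIN, "F"), (PSH, "P"), (RST, "R"))


def parse_options(opts):
    """Decode the option area.  Returns (text, ok); ok is False when an
    option's length byte is < 2 or runs past the end of the header, in
    which case decoding stops there (the rest cannot be located)."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of options
            break
        if kind == 1:                                   # nop
            out.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return ("<" + ",".join(out) + ">" if out else ""), False
        length = opts[i + 1]
        if kind == 2 and length == 4:
            out.append("mss %d" % struct.unpack("!H", opts[i + 2:i + 4])[0])
        else:
            out.append("opt-%d:%d" % (kind, length - 2))
        i += length
    return ("<" + ",".join(out) + ">" if out else ""), True


class TcpPrinter:
    def __init__(self):
        self.base = {}   # (src endpoint, dst endpoint) -> first seq seen

    def format(self, src, dst, segment, ip_payload_len):
        """segment: the TCP bytes actually captured (possibly cut short by
        snaplen); ip_payload_len: the segment length the IP header claims."""
        if len(segment) < 20:
            return "%s > %s: [|tcp]" % (src, dst)
        sport, dport, seq, ack, off, flags, win, _, urg = struct.unpack("!HHIIBBHHH", segment[:20])
        s, d = "%s.%d" % (src, sport), "%s.%d" % (dst, dport)
        parts = ["%s > %s: %s" % (s, d, "".join(c for bit, c in FLAG_CHARS if flags & bit) or ".")]
        hlen = (off >> 4) * 4
        if hlen > ip_payload_len:
            parts.append("[bad hdr length]")
            return " ".join(parts)
        # First packet seen in a direction prints absolute numbers and becomes
        # the base for that direction; later packets print the difference
        # (mod 2^32), so byte 1 is the first data byte in that direction.
        first = (s, d) not in self.base
        if first:
            self.base[(s, d)] = seq
        rel_seq = seq if first else (seq - self.base[(s, d)]) & 0xFFFFFFFF
        rev = self.base.get((d, s))
        rel_ack = ack if first or rev is None else (ack - rev) & 0xFFFFFFFF
        datalen = ip_payload_len - hlen
        if datalen or flags & (SYN | FIN):
            parts.append("%d:%d(%d)" % (rel_seq, rel_seq + datalen, datalen))
        if flags & ACK:
            parts.append("ack %d" % rel_ack)
        parts.append("win %d" % win)
        if flags & URG:
            parts.append("urg %d" % urg)
        if hlen > 20:
            if len(segment) < hlen:
                parts.append("[|tcp]")                  # options cut by snaplen
            else:
                text, ok = parse_options(segment[20:hlen])
                if text:
                    parts.append(text)
                if not ok:
                    parts.append("[bad opt]")
        return " ".join(parts)


def segment(sport, dport, seq, ack, flags, win, urg=0, opts=b"", data=b""):
    """Constructed TCP segment; opts must pad to a multiple of 4 bytes."""
    hlen = 20 + len(opts)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, (hlen // 4) << 4, flags, win, 0, urg) + opts + data


def demo():
    """Replays the rlogin opening from the text, then three damaged headers."""
    p, mss = TcpPrinter(), b"\x02\x04\x04\x00"
    return [
        p.format("rtsg", "csam", segment(1023, 513, 768512, 0, SYN, 4096, opts=mss), 24),
        p.format("csam", "rtsg", segment(513, 1023, 947648, 768513, SYN | ACK, 4096, opts=mss), 24),
        p.format("rtsg", "csam", segment(1023, 513, 768513, 947649, ACK, 4096), 20),
        p.format("rtsg", "csam", segment(1023, 513, 768513, 947649, PSH | ACK, 4096, data=b"x"), 21),
        p.format("csam", "rtsg", segment(513, 1023, 947649, 768514, PSH | ACK | URG, 4077, urg=1, data=b"x"), 21),
        # snaplen left only 20 of the 24 header bytes
        p.format("rtsg", "csam", segment(1023, 513, 768514, 947650, ACK, 4096, opts=mss)[:20], 24),
        # option length byte of 0 inside the header
        p.format("rtsg", "csam", segment(1023, 513, 768514, 947650, ACK, 4096, opts=b"\x02\x00\x00\x00"), 24),
        # data offset claims 40 bytes, IP says only 20 arrived
        p.format("rtsg", "csam", segment(1023, 513, 768514, 947650, ACK, 4096, opts=b"\x01" * 20), 20),
    ]
```

The last three cases are the ones a parser running as root must not mishandle: each is decided from lengths already in hand before any option byte is read, which is what keeps the option walk inside the captured buffer.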
UDP Packets
UDP format is illustrated by this rwho packet:
actinide.who > broadcast.who: udp 84
This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher level protocol information printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.

UDP Name Server Requests
(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in greek.)

Name server requests are formatted as
src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)
Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'. Similarly, the qclass was the normal one, C_IN, and omitted. Any other qclass would have been printed immediately after the `A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: if a query contains an answer, name server or authority section, ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]', where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.

UDP Name Server Responses
Name server responses are formatted as
src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)
In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain), with no answers, one name server record and no additional records. The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.

Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print the full contents. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. `-s 128' has worked well.
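As an added example, not tcpdump's own code, the following formatter produces the request and response lines described in the two subsections above from constructed DNS messages: it prints the id, op, rcode, `+', `*', `-' and `|' flags, the a/n/au counts, the first answer record, and the `[b2&3=x]' and `[nq]' anomaly markers. It also shows the check a name decoder needs that the text does not mention: compression pointers are followed with a depth limit, so a message whose name points at itself yields `[|domain]' (the tcpdump convention for an undecodable record, applied here to malformed names too) instead of an infinite loop.

```python
# Added example, not part of tcpdump: summarize DNS messages in the
# `id op? flags qtype qclass name (len)' and `id op rcode flags a/n/au type
# class data (len)' forms.  The messages are constructed below; [|domain] is
# printed for any message whose names cannot be decoded safely.
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
OPCODES = {0: "", 1: "inv_q", 2: "stat"}
RESPONSE_OR_MBZ_BITS = 0x04FF     # AA, RA, the Z bits and rcode must be 0 in a query


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name at off; returns (name, next offset).
    Raises ValueError on truncation, bad label lengths or pointer loops,
    which a parser fed from the network must treat as hostile input."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if depth >= 8 or off + 1 >= len(msg):
                raise ValueError("bad or looping compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            return ((".".join(labels) + "." + tail) if labels else tail), off + 2
        if ln > 63 or off + 1 + ln > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln


def format_dns(msg):
    if len(msg) < 12:
        return "[|domain]"
    ident, b23, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qr, opcode, rcode = b23 >> 15, (b23 >> 11) & 0xF, b23 & 0xF
    aa, tc, rd, ra = (b23 >> 10) & 1, (b23 >> 9) & 1, (b23 >> 8) & 1, (b23 >> 7) & 1
    out = str(ident)
    if opcode:
        out += " " + OPCODES.get(opcode, "op%d" % opcode)
    try:
        if qr:                                          # response
            rc = RCODES.get(rcode, "Rcode%d" % rcode)
            out += (" " + rc if rc else "") + ("*" if aa else "") + ("" if ra else "-") + ("|" if tc else "")
            out += " %d/%d/%d" % (an, ns, ar)
            off = 12
            for _ in range(qd):                         # skip the question section
                _, off = read_name(msg, off)
                off += 4
            if an:                                      # first answer record only
                _, off = read_name(msg, off)
                rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                off += 10
                if off + rdlen > len(msg):
                    raise ValueError("rdata truncated")
                out += " " + QTYPES.get(rtype, str(rtype)) + ("" if rclass == 1 else " class%d" % rclass)
                if rtype == 1 and rdlen == 4:
                    out += " " + ".".join(str(b) for b in msg[off:off + 4])
                elif rtype in (2, 5, 12):
                    out += " " + read_name(msg, off)[0]
        else:                                           # query
            out += "+" if rd else ""
            if b23 & RESPONSE_OR_MBZ_BITS:
                out += " [b2&3=%x]" % b23
            for n, tag in ((an, "a"), (ns, "n"), (ar, "au")):
                if n:
                    out += " [%d%s]" % (n, tag)
            if qd != 1:
                out += " [%dq]" % qd
            if qd:
                name, off = read_name(msg, 12)
                qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
                out += " " + QTYPES.get(qtype, str(qtype)) + "?" + ("" if qclass == 1 else " class%d" % qclass)
                out += " " + name
    except (ValueError, struct.error):
        out += " [|domain]"
    return out + " (%d)" % len(msg)


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_query(ident, name, qtype=1, flags=0x0100):
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_reply(query, addr, flags=0x8180):
    """Reply echoing the question, answering with one A record whose owner
    name is a compression pointer to the question name at offset 12."""
    ident = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    return hdr + query[12:] + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(addr)


def samples():
    """Constructed messages: the query from the text, a reply, an NXDomain,
    a query with must-be-zero bits set, and a self-referencing pointer."""
    q = build_query(3, "ucbvax.berkeley.edu")
    return {
        "query": q,
        "answer": build_a_reply(q, [128, 32, 137, 3]),
        "nxdomain": struct.pack("!HHHHHH", 2, 0x8583, 1, 0, 0, 0) + build_query(2, "nosuch.berkeley.edu")[12:],
        "bogus_query": build_query(4, "ucbvax.berkeley.edu", flags=0x0170),
        "pointer_loop": struct.pack("!HHHHHH", 5, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1),
    }
```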
NFS Requests and Replies
Sun NFS (Network File System) requests and replies are printed as:
src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs:
144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b:
reply ok 128 lookup fh 9,74/4134.3150
In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the src host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies `ok' with the contents of the link.

In the third line, sushi asks wrl to look up the name `xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self explanatory if read in conjunction with an NFS protocol spec.

If the -v (verbose) flag is given, additional information is printed. For example:
sushi.1372a > wrl.nfs:
148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a:
reply ok 1472 read REG 100664 ids 417/0 sz 29388
(-v also prints the IP header TTL, ID, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576. Wrl replies `ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v flag is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type (``REG'', for regular file), the file mode (in octal), the uid and gid, and the file size.

If the -v flag is given more than once (-vv), even more details are printed.

Note that NFS requests are very large and much of the detail won't be printed unless snaplen is increased. Try using `-s 192' to watch NFS traffic.

NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of ``recent'' requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable.
KIP Appletalk (DDP in UDP)
Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form
number name
1.254 ether
16.1 icsd-net
1.254.110 ace
The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the 3rd octet in the number: a net number must have two octets and a host number must have three octets). The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a `#').

Appletalk addresses are printed in the form
net.host.port
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2
(If /etc/atalk.names doesn't exist or doesn't contain an entry for some appletalk host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to whatever is listening on port 220 of net icsd node 112. The second line is the same except the full name of the source node is known (`office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with no host number; for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names).

NBP (name binding protocol) and ATP (Appletalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the protocol) and packet size.

NBP packets are formatted like the following examples:
icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186
The first line is a name lookup request for laserwriters sent by net icsd host 112 and broadcast on net jssmag. The nbp id for the lookup is 190. The second line shows a reply for this request (note that it has the same id) from host jssmag.209 saying that it has a laserwriter resource named "RM1140" registered on port 250. The third line is another reply to the same request saying host techpit has laserwriter "techpit" registered on port 186.

ATP packet formatting is demonstrated by the following example:
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002
Jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the `<0-7>'). The hex number at the end of the line is the value of the `userdata' field in the request.