Common usage (sudo is used here because the current account is not permitted to run tcpdump; a TCP capture is used as the example): sudo /usr/sbin/tcpdump tcp port 80 and host 172.23.1.69 -i eth1 -n
Each line shows the flags carried by that packet:
S = SYN, connection initiation flag
P = PUSH, data transfer flag
F = FIN, connection close flag
ack = acknowledgement packet
R = RST (reset), the connection is torn down because of an error
. = no flag set
Common parameters:
tcp/udp/arp: select the protocol type.
(src/dst) host: the source or destination IP address.
(src/dst) port: the source or destination port.
-i: select the network interface.
-n: show IP addresses instead of host names.
-c: capture the given number of packets and then exit.
-A: print packet contents in ASCII; useful for text-based protocols.
-s: the snapshot length (bytes captured per packet); -s0 captures the whole packet and is often used together with -.
-x/-xx/-X/-XX: print packet contents in hexadecimal; the variants differ only slightly, see the man page for details.
Detailed walk-through of the example:
Line 1: at 17:40:10 the client 172.17.66.27, from ephemeral port 49376, sends a SYN to the listening port 9500 on the server 172.23.1.66. The client's initial sequence number is 1350828479, the sliding window is 5840 bytes (the size of the TCP receive buffer, used for TCP congestion control), and the MSS is 1460 (the largest segment that can be received; it is usually the MTU minus 40 bytes, since the IP header and the TCP header are 20 bytes each).
Line 2: the server answers the connection and acknowledges the first packet: its ack number is the client's initial sequence number plus one, i.e. the sequence number the server expects to receive next, which is how TCP keeps the byte stream in order. The server's initial sequence number is 258050143 and its MSS is also 1460.
Line 3: the client acknowledges in turn, completing the three-way handshake.
Line 4: the client sends a 91-byte request packet.
Line 5: the server acknowledges it.
Line 6: the server returns a 21-byte response packet.
Line 7: the client acknowledges it.
Line 8: the client sends a FIN to request closing the connection.
Line 9: the server acknowledges the FIN and sends its own FIN to close its side.
Line 10: the client acknowledges and the connection is closed.
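The ten-line exchange above, as an added example that is not part of the original page: a small Python parser for classic tcpdump flag notation (S, P, F, ., ack) run over constructed sample lines that follow the numbers the walk-through quotes. Addresses, ports, initial sequence numbers and byte counts come from the text; timestamps and the window values after the SYN exchange are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the ten-line exchange described in the walk-through,
# in classic tcpdump flag notation. Not real captured output.
SAMPLE = """\
17:40:10.100 IP 172.17.66.27.49376 > 172.23.1.66.9500: S 1350828479:1350828479(0) win 5840 <mss 1460>
17:40:10.101 IP 172.23.1.66.9500 > 172.17.66.27.49376: S 258050143:258050143(0) ack 1350828480 win 5792 <mss 1460>
17:40:10.102 IP 172.17.66.27.49376 > 172.23.1.66.9500: . ack 1 win 46
17:40:10.103 IP 172.17.66.27.49376 > 172.23.1.66.9500: P 1:92(91) ack 1 win 46
17:40:10.104 IP 172.23.1.66.9500 > 172.17.66.27.49376: . ack 92 win 46
17:40:10.105 IP 172.23.1.66.9500 > 172.17.66.27.49376: P 1:22(21) ack 92 win 46
17:40:10.106 IP 172.17.66.27.49376 > 172.23.1.66.9500: . ack 22 win 46
17:40:10.107 IP 172.17.66.27.49376 > 172.23.1.66.9500: F 92:92(0) ack 22 win 46
17:40:10.108 IP 172.23.1.66.9500 > 172.17.66.27.49376: F 22:22(0) ack 93 win 46
17:40:10.109 IP 172.17.66.27.49376 > 172.23.1.66.9500: . ack 23 win 46
"""

# time, src, dst, flag letters, optional "seq:end(len)", optional "ack N", window
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

def parse_line(line):
    """Split one tcpdump line into its fields; flags keep the one-letter meaning above."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["len"] = int(d["len"] or 0)
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["ack"] = int(d["ack"]) if d["ack"] else None
    return d

def summarize(text):
    """Walk the lines as the text does: handshake, payload bytes per side, who sent FIN."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    client = pkts[0]["src"]
    s = {"client": client, "handshake": False, "bytes": Counter(), "fin_from": [], "closed": False}
    # Three-way handshake: SYN from client, SYN with ack = client ISN + 1, then ack from client.
    if (len(pkts) >= 3 and pkts[0]["flags"] == "S" and pkts[1]["flags"] == "S"
            and pkts[1]["ack"] == pkts[0]["seq"] + 1
            and "." in pkts[2]["flags"] and pkts[2]["src"] == client):
        s["handshake"] = True
    for p in pkts:
        s["bytes"][p["src"]] += p["len"]          # P lines carry payload, e.g. 1:92(91)
        if "F" in p["flags"] and p["src"] not in s["fin_from"]:
            s["fin_from"].append(p["src"])        # each side closes with its own FIN
    s["closed"] = len(s["fin_from"]) == 2 and "." in pkts[-1]["flags"]
    return s
```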
From this exchange the TCP protocol can be understood quite well. The connection teardown, byte-stream sequence control, congestion control and TCP state transitions are also worth studying, but they are not covered in detail here.