当前位置:网站首页>This article takes you to master the use of tcpdump command

This article takes you to master the use of tcpdump command

2022-06-22 17:25:00 Non famous operation and maintenance

1.tcpdump Introduce

  • In the debugging of network problems ,tcpdump It should be said that it is an indispensable tool , And most of them linux It's like a good tool , It's simple and powerful . It is based on Unix Packet sniffer system command line tools , It can capture the data packets flowing on the network card .
  • By default ,tcpdump Will not capture the internal communication message of this machine . According to the network protocol stack , For message , Even if the destination is local , Also need to go through the local network protocol layer , So the local communication must be through API Into the kernel , And complete the routing .【 For example, this machine's TCP signal communication , It has to be socket The basic elements of communication :src ip port dst ip port】
  • If you want to use tcpdump Grab other hosts MAC Address packets , Network card hybrid mode must be turned on , The so-called hybrid model , Using the simplest language is to let the network card grab any packet passing through it , Whether the packet is sent to it or not or it is sent . generally speaking ,Unix Don't let ordinary users set hybrid mode , Because you can see other people's information , such as telnet Username and password , This will cause some security problems , So only root Users can turn on hybrid mode , The command to turn on hybrid mode is :ifconfig en0 promisc, en0 It's the mixed mode you want to turn on .

Linux Principle of bag grabbing :

  • Linux Packet capture is to register a virtual underlying network protocol to complete the analysis of network packets ( Network devices, to be exact ) The right to process messages . When the network card receives a network message , It will traverse all registered network protocols in the system , For example, Ethernet protocol 、x25 Protocol processing module to try to parse the message , This is similar to mounting some file systems , That is to try to mount all the registered file systems in the system , If which one thinks he can handle it , Then complete the mount .
  • When the packet capture module disguises itself as a network protocol , The system will give the pseudo protocol a chance when it receives the message , Let it process the message received by the network card once , At this time, the module will take the opportunity to spy on the message , That is to make a complete copy of the message , Pretend to be the message you received , Report to the packet capture module .

2.tcpdump Use

2.1 grammar 

tcpdump [ -AdDefIKlLnNOpqRStuUvxX ] [ -B buffer_size ] [ -c count ]
        [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
        [ -i interface ] [ -m module ] [ -M secret ]
        [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
        [ -W filecount ]
        [ -E [email protected] algo:secret,...  ]
        [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
        [ expression ]

1. Keywords of type 

host( The default type ):  Indicate a host , Such as :host 159.48.22.2

net:  Specify a network address , Such as :net 205.0.0.0

port:  Indicate the port number , Such as :port 22

2. Key words to determine direction 

src: src 159.48.22.2, IP The packet source address is 159.48.22.2

dst: dst net 205.0.0.0,  The target network address is 205.0.0.0

dst or src( The default value )

dst and src

3. Key words of the agreement : The default is to listen to packets for all protocols 

fddi

ip

arp

rarp

tcp

udp

4. Other keywords 

gateway

broadcast

less

greater

5. Common expression : When there are multiple conditions, you can use brackets , But use \ escape 

 Not  : ! or "not" ( Remove the double quotation marks )

 And  : && or "and"

 or  : || or "or"

2.2 Options 

-A: With ASCII Encode and print each message ( Not including the link layer header ), This is very convenient for analyzing web pages ;
-a: Change network address and broadcast address into name ; 
-c< Number of packets >: After receiving the specified number of packets ,tcpdump Will stop ;
-C: Used to judge  -w  Option to check whether the size of the file to which the message is written exceeds this value , If it exceeds, create a new file ( The file name suffix is 1、2、3 In turn increase );
-d: The code matching the information package is given in an assembly format that people can understand ; 
-dd: Will match the package's code to c The format of language program segment is given ; 
-ddd: The code that matches the packet is given in decimal form ;
-D: List all network card numbers and names of the current host , Can be used for options  -i;
-e: Print out the header information of the data link layer in the output line ; 
-f: Put the external Internet The address is printed out as a number ; 
-F< Expression files >: Read the expression from the specified file , Ignore other expressions ; 
-i< Network interface >: Monitor the data flow on the network card of the host , If not specified , Will use the network card with the smallest network card number ( In the options -D May know , But not including the loop interface ),linux 2.2  Kernel and later versions support  any  network card , Used to refer to any network card ; 
-l: If not used  -w  Options , You can print the message to   Standard output terminals ( At this point, this is the default ); 
-n: Show ip, Not the host name ; 
-N: Don't list domain names ; 
-O: Don't optimize packet encoding ; 
-p: Don't let the web interface go into hybrid mode ; 
-q: Fast output , Only a few transport protocol information are listed ; 
-r< Package file >: Read package from specified file ( These bags usually go through -w Option generation ); 
-s< Packet size >: Specify the width of the line to be displayed in the snapshot ,-s0 Indicates that the complete package can be displayed according to the package length , Often with -A Together with , The default intercept length is 60 Bytes , But not so ethernet MTU All are 1500 byte . therefore , To grab more than 60 Bytes of packets , Using default parameters will result in packet data loss ; 
-S: List... In absolute rather than relative numbers TCP Correlation number ; 
-t: Do not print time stamp on each line of output ; 
-tt: Displays an unformatted timestamp on each line of the output ; 
-T< Packet type >: Interpret the monitored packet as a message of the specified type , Common types are rpc ( Remote procedure call ) and snmp( Simple network management protocol ); 
-v: Output a little more detail , For example, in ip The package can include ttl And service type information ; 
-vv: Output detailed message information ; 
-x/-xx/-X/-XX: Show package contents in hexadecimal , A few options are only slightly different , See man manual ; 
-w< Package file >: Write the package directly to the file , Don't analyze and print it out ;
expression: Logical expressions for filtering ;

2.3 Command practice

1. Direct start tcpdump, Will grab all packets passing through the first network interface 

[[email protected] ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:28:18.573605 IP 192.168.2.195.23282 > 192.168.2.252.24118: UDP, length 172
07:28:18.574144 IP 192.168.2.252.36558 > 192.168.2.195.17168: UDP, length 172

2. Capture all packets passing through the specified network interface 

[[email protected] ~]# tcpdump -i ens37
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:20:31.431060 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904493269:1904493457, ack 1808492261, win 257, length 188
21:20:31.431604 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4098, length 0

3. Grab all the way through ens37, The destination or source address is 192.168.2.195 Network data 

[[email protected] ~]# tcpdump -i ens37 host 192.168.2.195
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
21:24:05.041207 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1904781305:1904781493, ack 1808494885, win 257, length 188
21:24:05.041799 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 188, win 4095, length 0
21:24:05.042899 IP localhost.localdomain.37266 > gateway.domain: 26682+ PTR? 252.2.168.192.in-addr.arpa. (44)

4. Grab the host 192.168.2.195 In addition to and host 192.168.2.161 All host communication packets except 

[[email protected] ~]# tcpdump -n host 192.168.2.195 and ! 192.168.2.161

5. Grab the host 192.168.2.195 And host 192.168.2.161 or 192.168.1.192 Communication for 

[[email protected] ~]# tcpdump host 192.168.2.195 and \(192.168.2.161 or 192.168.2.192 \)

6. Grab the host 192.168.2.195 In addition to and host 192.168.2.161 All other hosts communicate ip package 

[[email protected] ~]# tcpdump ip -n host 192.168.2.195 and ! 192.168.2.161

7. Grab the host 192.168.2.195 All the data sent 

[[email protected] ~]# tcpdump -i ens37 src host 192.168.2.195 ( Pay attention to the data flow )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:03:26.464844 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 1905084757:1905084945, ack 1808509393, win 257, length 188
22:03:26.469440 IP localhost.localdomain.39264 > gateway.domain: 27217+ PTR? 252.2.168.192.in-addr.arpa. (44)
22:03:26.481412 IP localhost.localdomain.53247 > gateway.domain: 6371+ PTR? 195.2.168.192.in-addr.arpa. (44)
22:03:26.487318 IP localhost.localdomain.58260 > gateway.domain: 52148+ PTR? 1.2.168.192.in-addr.arpa. (42)
22:03:26.487878 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 188:368, ack 1, win 257, length 180
22:03:26.492947 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 368:860, ack 1, win 257, length 492
22:03:26.496669 IP localhost.localdomain.ssh > 192.168.2.252.64705: Flags [P.], seq 860:1016, ack 1, win 257, length 156

8. Grab the host 192.168.2.195 All data received 

[[email protected] ~]# tcpdump -i ens37 dst host 192.168.2.195 ( Pay attention to the data flow )
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:05:38.212869 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 1905088285, win 4095, length 0
22:05:38.218244 IP gateway.domain > localhost.localdomain.53967: 14803 NXDomain* 0/0/0 (44)
22:05:38.229078 IP gateway.domain > localhost.localdomain.46026: 48360 NXDomain* 0/0/0 (44)
22:05:38.232544 IP gateway.domain > localhost.localdomain.49773: 29420 NXDomain* 0/0/0 (42)
22:05:38.233906 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 473, win 4100, length 0
22:05:38.278512 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 621, win 4099, length 0
22:05:38.323606 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 769, win 4099, length 0
22:05:38.367239 IP 192.168.2.252.64705 > localhost.localdomain.ssh: Flags [.], ack 917, win 4098, length 0

9. Grab the host 192.168.2.195 All in TCP 80 The packets on the port 

[[email protected] ~]# tcpdump -i ens37 host 192.168.2.195 and tcp port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:41.001031 IP 192.168.2.252.56896 > localhost.localdomain.http: Flags [S], seq 4142713941, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001115 IP localhost.localdomain.http > 192.168.2.252.56896: Flags [S.], seq 2314038867, ack 4142713942, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
22:09:41.001867 IP 192.168.2.252.56897 > localhost.localdomain.http: Flags [S], seq 1124231281, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:09:41.001951 IP localhost.localdomain.http > 192.168.2.252.56897: Flags [S.], seq 3765993047, ack 1124231282, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

10. Grab HTTP host 192.168.2.195 stay 80 Packets received by the port 

[[email protected] ~]# tcpdump -i ens37 host 192.168.2.195 and dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:14:53.001984 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [S], seq 522768429, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.003398 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [S], seq 638329607, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.004030 IP 192.168.2.252.57017 > localhost.localdomain.http: Flags [.], ack 3320819599, win 513, length 0
22:14:53.004096 IP 192.168.2.252.57018 > localhost.localdomain.http: Flags [.], ack 285611684, win 513, length 0
22:14:53.162771 IP 192.168.2.252.56947 > localhost.localdomain.http: Flags [F.], seq 2938864200, ack 2243393952, win 1020, length 0
22:14:53.163069 IP 192.168.2.252.56946 > localhost.localdomain.http: Flags [F.], seq 2820151409, ack 882247900, win 1024, length 0
22:14:53.163179 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [S], seq 3156484712, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163531 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [S], seq 21775267, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:14:53.163890 IP 192.168.2.252.57023 > localhost.localdomain.http: Flags [.], ack 990188203, win 1024, length 0
22:14:53.163943 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 19856703, win 1024, length 0
22:14:53.164541 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 0:403, ack 1, win 1024, length 403: HTTP: GET / HTTP/1.1
22:14:53.180512 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [.], ack 181, win 1023, length 0
22:14:53.189681 IP 192.168.2.252.57024 > localhost.localdomain.http: Flags [P.], seq 403:780, ack 181, win 1023, length 377: HTTP: GET /root/1.jpg HTTP/1.1

2.4 Try a website

Want to capture the network data when visiting a website , Such as website http://www.baidu.com/ How to do it? ?

1. adopt tcpdump Intercept the host http://www.baidu.com/ Send and receive all packets 

[[email protected] ~]# tcpdump -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes

2. Open another terminal to visit Baidu 

[[email protected] ~]# curl www.baidu.com
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title> use Baidu Search , You will know

terminal 1 Console display :

...
22:34:15.927132 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [S], seq 943770983, win 29200, options [mss 1460,sackOK,TS val 449936864 ecr 0,nop,wscale 7], length 0
22:34:15.964430 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [S.], seq 922061785, ack 943770984, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:34:15.964500 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
22:34:15.964788 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
22:34:16.001627 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 78, win 908, length 0
22:34:16.005731 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1:2782, ack 78, win 908, length 2781: HTTP: HTTP/1.1 200 OK
22:34:16.005786 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, length 0
22:34:16.006299 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [F.], seq 78, ack 2782, win 272, length 0
22:34:16.019073 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [P.], seq 1421:2782, ack 78, win 908, length 1361: HTTP
22:34:16.019127 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2782, win 272, options [nop,nop,sack 1 {1421:2782}], length 0
22:34:16.058086 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [.], ack 79, win 908, length 0
22:34:16.058144 IP 14.215.177.39.http > localhost.localdomain.58156: Flags [F.], seq 2782, ack 79, win 908, length 0
22:34:16.058170 IP localhost.localdomain.58156 > 14.215.177.39.http: Flags [.], ack 2783, win 272, length 0

3. Confirm serial number ack Why? 1. This is the relative value , How to display absolute values 

[[email protected] ~]# tcpdump -S -i ens37 host www.baidu.com ( Visit Baidu on the other end )

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:37:03.007599 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [S], seq 2579767550, win 29200, options [mss 1460,sackOK,TS val 450103944 ecr 0,nop,wscale 7], length 0
22:37:03.046689 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [S.], seq 159367515, ack 2579767551, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:37:03.046759 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159367516, win 229, length 0
22:37:03.047002 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [P.], seq 2579767551:2579767628, ack 159367516, win 229, length 77: HTTP: GET / HTTP/1.1
22:37:03.085555 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [.], ack 2579767628, win 908, length 0
22:37:03.087793 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159367516:159368956, ack 2579767628, win 908, length 1440: HTTP: HTTP/1.1 200 OK
22:37:03.087850 IP localhost.localdomain.43828 > 14.215.177.38.http: Flags [.], ack 159368956, win 251, length 0
22:37:03.088470 IP 14.215.177.38.http > localhost.localdomain.43828: Flags [P.], seq 159368956:159370297, ack 2579767628, win 908, length 1341: HTTP

4. Want to see the details http message . How do you do it? ?

[[email protected] ~]# tcpdump -A -i ens37 host www.baidu.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:39:41.707406 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [S], seq 3662513049, win 29200, options [mss 1460,sackOK,TS val 450262644 ecr 0,nop,wscale 7], length 0
E..<[email protected]@..e.......&.6.P.M........r............
..vt........
22:39:41.751033 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [S.], seq 3205237971, ack 3662513050, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<[email protected]&.....P.6.....M.... ..g......................
22:39:41.751103 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [.], ack 1, win 229, length 0
E..([email protected]@..x.......&.6.P.M......P.......
22:39:41.751403 IP localhost.localdomain.43830 > 14.215.177.38.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
[email protected]@..*.......&.6.P.M......P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*
22:39:41.795966 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [.], ack 78, win 908, length 0
E`.([email protected]&.....P.6.....M..P...SC....    
22:39:41.928944 IP 14.215.177.38.http > localhost.localdomain.43830: Flags [P.], seq 1:1441, ack 78, win 908, length 1440: HTTP: HTTP/1.1 200 OK
E`[email protected]&.....P.6.....M..P....#..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Mon, 09 Mar 2020 08:39:55 GMT
Etag: "588604dc-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:56 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

5. Save the result of the grab to a file test1

[[email protected] ~]# tcpdump -A -i ens37 -w test1 host www.baidu.com

6. How to read the basic information of this file 

[[email protected] ~]# tcpdump -r test1 
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0

7. Want to know more , Like the one above http message 

[[email protected] ~]# tcpdump -A -r test1 
reading from file test1, link-type EN10MB (Ethernet)
22:42:01.321830 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [S], seq 2706590061, win 29200, options [mss 1460,sackOK,TS val 450402259 ecr 0,nop,wscale 7], length 0
E..<[email protected]@..........'.2.P.SIm......r............
............
22:42:01.361527 IP 14.215.177.39.http > localhost.localdomain.58162: Flags [S.], seq 2388635062, ack 2706590062, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E`.<[email protected]'.....P.2._...SIn.. ..Z......................
22:42:01.361596 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [.], ack 1, win 229, length 0
E..([email protected]@..........'.2.P.SIn._..P.......
22:42:01.361876 IP localhost.localdomain.58162 > 14.215.177.39.http: Flags [P.], seq 1:78, ack 1, win 229, length 77: HTTP: GET / HTTP/1.1
[email protected]@..X.......'.2.P.SIn._..P.......GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: www.baidu.com
Accept: */*

8. Also want to confirm the serial number ack Print to absolute value 

[[email protected] ~]# tcpdump -AS -r test1 

 notes :

 Parameterless options like  -A, -S, -e,  etc. . Can share a minus sign

'src host www.baidu.cn' Belong to expression , If it is too long , It can be enclosed in single quotes :

[[email protected] ~]# tcpdump -i ens37 'src host www.baidu.com'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens37, link-type EN10MB (Ethernet), capture size 262144 bytes
22:47:52.389567 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [S.], seq 1091142458, ack 3695757409, win 8192, options [mss 1420,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
22:47:52.430102 IP 14.215.177.38.http > localhost.localdomain.43834: Flags [.], ack 78, win 908, length 0

 The first column is the timestamp : when 、 branch 、 second 、 Microsecond 

 The second column is the name of the Internet Protocol 

 The third column is the decimal IP address of the sender , And the port number immediately after it ( Occasionally it's a protocol name like  http , If the port number is still displayed here plus  -n  Options )

 The fourth column is the greater than sign 

 The fifth column is the decimal IP address of the message receiver , And the port number immediately after it ( Occasionally it's a protocol name like  http , If the port number is still displayed here plus  -n  Options )

 The sixth column is a colon 

 The seventh column is  Flags  identification , The possible values are  [S.] [.] [P.] [F.]

 The eighth 、 Nine 、 Ten …… Column   yes tcp Some variable values of protocol header :

seq  yes   Request synchronization   Serial number 

ack  yes   Synchronized   Serial number 

win  yes   Currently available window size 

length  yes  tcp The length of the protocol paper 

 If you do -S Options , You'll see it  seq, ack  yes   Two colon separated values , Before the change 、 After the value of .
原网站

版权声明
本文为[Non famous operation and maintenance]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/173/202206221540102169.html

边栏推荐

猜你喜欢

随机推荐