Tcpdump Tutorial
The frequently used options:
- -n: print IP addresses instead of resolving host names (-nn also leaves port numbers unresolved).
- -S: print absolute TCP sequence numbers instead of the relative ones tcpdump shows by default.
- -vv: more verbose output, including the IP header fields (tos, ttl, id, flags, length) and checksum verification.
- -x: also print the packet in hex, for decoding headers by hand as done below.
- Filter expressions: primitives can be combined with the logical operators and, or, not, for example host 192.168.1.2 and port 80.
  - host: match packets whose source or destination is the given host.
The format of a tcpdump output line (this one captured with -vv and -S):
09:44:54.549293 IP (tos 0x0, ttl 64, id 38374, offset 0, flags [DF], length: 60) 192.168.1.2.43986 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 698054336:698054336(0) win 5840
- 09:44:54.549293: timestamp.
- IP: protocol.
- IP header fields (in parentheses):
  - tos: type of service.
  - ttl: time to live.
  - id: identification field, used to reassemble fragments.
  - offset: fragment offset; 0 for an unfragmented datagram.
  - flags: IP flags; [DF] means "don't fragment", [+] means "more fragments", [none] means neither is set.
  - length: total length of the IP datagram in bytes, IP header included.
- 192.168.1.2.43986: source address and port.
- XXX.XXX.XXX.XXX.80: destination address and port.
- S: TCP flags
  - S: SYN, synchronize sequence numbers to initiate a connection.
  - F: FIN, the sender has finished sending data.
  - P: PUSH, the receiver should hand this data to the application as soon as possible.
  - R: RST, reset the connection.
  - .: none of S, F, R, P or U is set, i.e. a pure acknowledgment (the ack number is printed separately).
- [tcp sum ok]: the TCP checksum verified (printed with -vv).
- 698054336:698054336(0): the first sequence number of the segment, the sequence number following it, and the number of data bytes in parentheses; a SYN carries no data. With -S these are absolute values; without it tcpdump prints them relative to the first packet of the flow.
- win 5840: the receiver window size.
- TCP options (printed when present):
  - mss: maximum segment size.
  - sackOK: Selective Acknowledgment Permitted. sackOK must be included in the TCP options of both the SYN and the SYN/ACK during the three-way handshake, otherwise SACK cannot be used; it should not appear in any other segment.
  - timestamp: the TCP timestamps option (RFC 1323), two 32-bit values (TSval and TSecr) used for round-trip time measurement and to protect against wrapped sequence numbers.
  - nop: No Operation, a one-byte option used to pad and align the following option.
  - wscale: Window Scale, defined in RFC 1323; the advertised window is shifted left by this many bits on every segment after the handshake.
Commonly used TCP/IP header formats, for reading alongside tcpdump output
The IP header (field widths in bits; one row is 32 bits):
 0       4       8               16                            31
+-------+-------+---------------+-------------------------------+
| Ver.  |  IHL  |Type of service|         Total length          |
+-------+-------+---------------+-----+-------------------------+
|        Identification         |Flags|     Fragment offset     |
+---------------+---------------+-----+-------------------------+
|  Time to live |    Protocol   |        Header checksum        |
+---------------+---------------+-------------------------------+
|                        Source address                         |
+---------------------------------------------------------------+
|                      Destination address                      |
+---------------------------------------------------------------+
|                       Options + Padding                       |
+---------------------------------------------------------------+
|                              Data                             |
+---------------------------------------------------------------+
IHL is the header length in 32-bit words (5 when there are no options, i.e. 20 bytes); Flags is 3 bits and Fragment offset 13 bits; Total length is in bytes and covers header and data.
The TCP header:
 0       4       8               16                            31
+-------------------------------+-------------------------------+
|          Source port          |       Destination port        |
+-------------------------------+-------------------------------+
|                        Sequence number                        |
+---------------------------------------------------------------+
|                     Acknowledgment number                     |
+-------+-----------+-----------+-------------------------------+
| HLEN  | Reserved  |   Flags   |          Window size          |
+-------+-----------+-----------+-------------------------------+
|           Checksum            |        Urgent pointer         |
+-------------------------------+-------------------------------+
|                      Options and padding                      |
+---------------------------------------------------------------+
HLEN (the data offset) is the header length in 32-bit words; Reserved is 6 bits and Flags is 6 bits (URG, ACK, PSH, RST, SYN, FIN).
ICMP
The ICMP header (the rest of the message depends on the type):
 0               8               16                            31
+---------------+---------------+-------------------------------+
|      Type     |      Code     |           Checksum            |
+---------------+---------------+-------------------------------+
The commonly used types and codes:

| Name | Type | Code | Comment |
|---|---|---|---|
| ICMP_ECHO | 8 | 0 | Ping (echo request). |
| ICMP_ECHOREPLY | 0 | 0 | Ping response. |
| ICMP_UNREACH | 3 | 4 | ICMP_UNREACH_NEEDFRAG: fragmentation needed but DF set. Used by Path MTU discovery to determine the optimal MTU setting. |
| ICMP_TIMXCEED | 11 | 0 | TTL expired in transit. Used by UNIX traceroute and Windows tracert. Note that UNIX traceroute sends UDP to a high port, whereas tracert sends ICMP echo requests. This message is also important when routing loops occur. |
The tracert output as captured by tcpdump (the indented lines are the original datagram quoted inside the ICMP error):
16:53:23.579839 IP (tos 0x0, ttl 1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50432, length 72
16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50688, length 72
16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50944, length 72
16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51968, length 72
The above is the packet output of a Windows XP tracert run. tracert sends an ICMP echo request three times with a TTL of 1, then increases the TTL by 1 for each following round. The router at which the TTL runs out discards the probe and returns an ICMP Time Exceeded message (type 11, code 0) to the client. The message quotes the IP header and the beginning of the expired probe (the indented lines), which is how the client matches each reply to the probe it sent: the quoted IP id (41719, 41720, 41721) and ICMP id/seq are those of the outgoing requests. In this capture the TTL 1 probes received no reply, so tracert shows the first hop as timeouts; the TTL 2 probes are answered by 61.148.36.17, the second hop. Note that tcpdump flags the checksum of the quoted IP header as bad. This is common for quoted headers and is not by itself a sign of corruption: the copy has been modified since the host sent it (its TTL has already been decremented to 1, and a NAT device rewriting the address back to the private 192.168.1.2 may not fix up the embedded checksum), so the check against the original header fails.
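As an added example (not part of the original post), the following Python script rebuilds the hop table that tracert prints from tcpdump lines in the format shown above. The capture embedded in it is constructed from the lines above with 203.0.113.10 substituted for the masked destination. It pairs each echo request with the time exceeded message that quotes it, matching on the IP id and the ICMP id/seq of the quoted header rather than trusting the quoted header's checksum, which tcpdump flags as bad.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: the tracert capture above, with 203.0.113.10 standing in for the
# masked destination. Continuation lines (the quoted datagram) have no timestamp.
SAMPLE_CAPTURE = """\
16:53:23.579839 IP (tos 0x0, ttl 1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 50432, length 72
16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 50688, length 72
16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 50944, length 72
16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51712, length 72
16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51712, length 72
16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.10: ICMP echo request, id 512, seq 51968, length 72
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# Lazy '.*?' lets the header group absorb the ')' in 'ICMP (1)' and '(->8183)!'.
IP_RE = re.compile(r"IP \((?P<hdr>.*?)\) (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): (?P<rest>.*)$")
TTL_ID_RE = re.compile(r"\bttl (?P<ttl>\d+), id (?P<id>\d+)")
ECHO_RE = re.compile(r"ICMP echo request, id (?P<icmp_id>\d+), seq (?P<seq>\d+)")


class TracerouteReconstructor:
    """Pairs outgoing ICMP echo probes with the 'time exceeded' errors that quote them."""

    def __init__(self) -> None:
        self.probes: Dict[tuple, dict] = {}          # (icmp id, icmp seq) -> probe record
        self._pending_router: Optional[str] = None   # source of the last time-exceeded line

    def feed(self, line: str) -> None:
        line = line.strip()
        m = IP_RE.search(line)
        if not m:
            return
        hdr = TTL_ID_RE.search(m["hdr"])
        if not hdr:
            return
        ttl, ip_id = int(hdr["ttl"]), int(hdr["id"])
        echo = ECHO_RE.match(m["rest"])
        if not TS_RE.match(line):
            # Continuation line: the probe as quoted by the router. Its TTL is already
            # decremented, so match on IP id plus ICMP id/seq, not on TTL or checksum.
            probe = self.probes.get((int(echo["icmp_id"]), int(echo["seq"]))) if echo else None
            if probe is not None and probe["ip_id"] == ip_id and self._pending_router:
                probe["router"] = self._pending_router
            self._pending_router = None
        elif m["rest"].startswith("ICMP time exceeded"):
            self._pending_router = m["src"]
        elif echo:
            self.probes[(int(echo["icmp_id"]), int(echo["seq"]))] = {"ttl": ttl, "ip_id": ip_id, "router": None}

    def hops(self) -> Dict[int, List[Optional[str]]]:
        """TTL -> responding router for each probe (None where no reply was seen)."""
        table: Dict[int, List[Optional[str]]] = defaultdict(list)
        for probe in self.probes.values():           # dict preserves capture order
            table[probe["ttl"]].append(probe["router"])
        return dict(sorted(table.items()))

    def render(self) -> List[str]:
        """tracert-style lines, '*' for an unanswered probe."""
        return ["%2d  %s" % (ttl, " ".join(r or "*" for r in routers)) for ttl, routers in self.hops().items()]


def reconstruct(capture: str) -> TracerouteReconstructor:
    tracer = TracerouteReconstructor()
    for line in capture.splitlines():
        tracer.feed(line)
    return tracer


if __name__ == "__main__":
    print("\n".join(reconstruct(SAMPLE_CAPTURE).render()))
```

On the sample this yields hop 1 as `* * *` (no replies captured), hop 2 as 61.148.36.17 three times, and hop 3 as a single unanswered probe, which is exactly what tracert would have been printing while this capture was taken.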
The raw output of a TCP packet from tcpdump (-x); this is the SYN segment of the handshake shown below (IP id 0x2c84 = 11396, sequence number 0x9107d404 = 2433209348):
0x0000: 4500 003c 2c84 4000 4006 7911 c0a8 0102
0x0010: ca6c 0910 a0c6 0050 9107 d404 0000 0000
0x0020: a002 16d0 9cf7 0000 0204 05b4 0402 080a
0x0030: 0073 f880 0000 0000 0103 0302
The low nibble of the first octet (0x45) is the IHL, 5, so the IP header is 5 x 4 = 20 bytes and the IP header part of this packet is
4500 003c 2c84 4000 4006 7911 c0a8 0102 ca6c 0910
The remaining part is the TCP header and user data:
a0c6 0050 9107 d404 0000 0000 a002 16d0 9cf7 0000 0204 05b4 0402 080a 0073 f880 0000 0000 0103 0302
The high nibble of the 13th octet of the TCP header (0xa0) is the data offset, so the TCP header is 0xa x 4 = 40 bytes: the 20-byte fixed header followed by 20 bytes of options (0204 05b4: mss 1460; 0402: sackOK; 080a ...: timestamp; 01: nop; 0303 02: wscale 2). 20 + 40 = 60 equals the IP total length 0x003c, so this segment carries no user data.
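As an added example (not part of the original post), the following Python decoder performs the hand analysis above programmatically on the hex dump printed above, which is retyped as a constant without the ASCII column. It extracts the IP and TCP header fields and options, and also verifies both checksums, which is how tcpdump decides whether to print "[tcp sum ok]" or "bad cksum".

```python
import re
import socket
import struct
from typing import Any, Dict

# Constructed input: the tcpdump -x dump of the SYN segment shown above (no ASCII column).
SYN_DUMP = """
0x0000: 4500 003c 2c84 4000 4006 7911 c0a8 0102
0x0010: ca6c 0910 a0c6 0050 9107 d404 0000 0000
0x0020: a002 16d0 9cf7 0000 0204 05b4 0402 080a
0x0030: 0073 f880 0000 0000 0103 0302
"""

# Offset, colon, then up to eight hex groups separated by single spaces (tcpdump -x layout).
DUMP_LINE_RE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:((?:\s[0-9a-fA-F]{2,4}){1,8})(?:\s|$)")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def dump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -x lines ('0x0010: ca6c 0910 ...') back into raw packet bytes."""
    groups = [m.group(1) for m in (DUMP_LINE_RE.match(l) for l in dump.splitlines()) if m]
    return bytes.fromhex("".join("".join(groups).split()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; over a header that includes its checksum field it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ip(pkt: bytes) -> Dict[str, Any]:
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, total_len, ident, ff, ttl, proto, _cksum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        raise ValueError("inconsistent IP header lengths")
    return {
        "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "flags": {"DF": bool(ff & 0x4000), "MF": bool(ff & 0x2000)},
        "frag_offset": (ff & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        "checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def parse_tcp_options(opts: bytes) -> Dict[str, Any]:
    """Walk the TLV option list; kinds 0 (EOL) and 1 (NOP) have no length byte."""
    out: Dict[str, Any] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out["nop"] = out.get("nop", 0) + 1
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = opts[i + 1], opts[i + 2 : i + opts[i + 1]]
        if kind == 2 and len(body) == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            out["wscale"] = body[0]
        elif kind == 4 and len(body) == 0:
            out["sackOK"] = True
        elif kind == 8 and len(body) == 8:
            out["timestamp"] = struct.unpack("!II", body)   # (TSval, TSecr)
        else:
            out.setdefault("other", []).append(kind)
        i += length
    return out


def decode_tcp(seg: bytes, src: str, dst: str) -> Dict[str, Any]:
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _cksum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    # The TCP checksum covers a pseudo-header (addresses, zero, protocol 6, TCP length) plus the segment.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "doff": doff,
        "flags": [name for bit, name in TCP_FLAGS.items() if off_flags & bit],
        "win": win, "urg": urg,
        "checksum_ok": inet_checksum(pseudo + seg) == 0,
        "options": parse_tcp_options(seg[20:doff]),
        "payload_len": len(seg) - doff,
    }


def decode_packet(dump: str) -> Dict[str, Any]:
    pkt = dump_to_bytes(dump)
    ip = decode_ip(pkt)
    if ip["proto"] != 6:
        raise ValueError("not a TCP segment")
    return {"ip": ip, "tcp": decode_tcp(pkt[ip["ihl"] : ip["total_length"]], ip["src"], ip["dst"])}


if __name__ == "__main__":
    import json
    print(json.dumps(decode_packet(SYN_DUMP), indent=2))
```

Both checksums verify on this dump. When you capture on the sending host itself with checksum offloading enabled, outgoing packets often show bad checksums in tcpdump because the NIC fills the field in after the capture point; a checksum failure is therefore only meaningful for packets received from the wire.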
The TCP three-way handshake
The TCP three-way handshake is the process for establishing a TCP connection, as shown in the capture below, in which a client contacts a server on port 80 to send it some data.
- The client sends a segment with the SYN bit set and an initial sequence number N (here N = 2433209348):
11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840
- The server replies with the SYN bit set, its own initial sequence number X (906011348) and an ACK number of N+1:
11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792
- The client acknowledges with an ACK number of X+1 and the connection is established:
11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460
- The client sends its data, 537 bytes starting at sequence number N+1:
11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460
The first three steps are the three-way handshake; only once it has completed is data exchanged. Note that tcpdump prints the raw 16-bit window field: with the window scale of 2 that the client announced in its SYN (see the raw dump above), the "win 1460" of the last two segments is an effective window of 1460 << 2 = 5840 bytes, the same value the SYN advertised before scaling took effect.
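As an added example (not part of the original post), the following Python script tracks handshakes in tcpdump text output of the format used on this page (-n -S -vv) and checks the N+1 / X+1 relationships described above. The sample lines are constructed from the capture above, with 203.0.113.10 standing in for the masked server address, plus a second connection attempt that the server refuses with a RST; connections that never reach ESTABLISHED are reported, which is the basic signal behind port-scan and SYN-flood detection.

```python
import re
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (client, client port, server, server port)
SEQ_MOD = 1 << 32                   # sequence numbers wrap modulo 2^32

# One tcpdump line: timestamp, IP header in parentheses, src.port > dst.port, flags,
# optional "[tcp sum ok]", seq:end(len), optional "ack N", "win W".
TCP_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+) (?:\[[^\]]*\] )?(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Constructed sample: the handshake and first data segment from the page (server masked
# as 203.0.113.10), followed by a SYN to port 23 that is answered with a RST.
SAMPLE_LINES = [
    "11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > 203.0.113.10.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840",
    "11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) 203.0.113.10.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792",
    "11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > 203.0.113.10.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460",
    "11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > 203.0.113.10.80: P 2433209349:2433209886(537) ack 906011349 win 1460",
    "11:20:01.100000 IP (tos 0x0, ttl 64, id 11401, offset 0, flags [DF], length: 60) 192.168.1.2.41160 > 203.0.113.10.23: S [tcp sum ok] 1000000000:1000000000(0) win 5840",
    "11:20:01.115000 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 40) 203.0.113.10.23 > 192.168.1.2.41160: R [tcp sum ok] 0:0(0) ack 1000000001 win 0",
]


class HandshakeTracker:
    def __init__(self) -> None:
        self.flows: Dict[Flow, dict] = {}

    def feed(self, line: str) -> Optional[Flow]:
        m = TCP_LINE_RE.match(line)
        if not m:
            return None
        flags, seq = m["flags"], int(m["seq"])
        ack = int(m["ack"]) if m["ack"] is not None else None
        fwd: Flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev: Flow = (fwd[2], fwd[3], fwd[0], fwd[1])

        if "S" in flags and ack is None:
            # Step 1: SYN from the client; a retransmitted SYN simply restarts the record.
            self.flows[fwd] = {"state": "SYN_SENT", "isn_c": seq, "isn_s": None, "anomalies": []}
            return fwd
        if rev in self.flows and self.flows[rev]["state"] == "SYN_SENT":
            flow = self.flows[rev]
            if "R" in flags:
                flow["state"] = "REFUSED"              # closed port: RST instead of SYN/ACK
            elif "S" in flags and ack == (flow["isn_c"] + 1) % SEQ_MOD:
                flow["state"], flow["isn_s"] = "SYN_RECEIVED", seq   # step 2: SYN/ACK acks N+1
            else:
                flow["anomalies"].append("unexpected reply to SYN: flags %s ack %s" % (flags, ack))
            return rev
        if fwd in self.flows and self.flows[fwd]["state"] == "SYN_RECEIVED":
            flow = self.flows[fwd]
            if ack == (flow["isn_s"] + 1) % SEQ_MOD and seq == (flow["isn_c"] + 1) % SEQ_MOD:
                flow["state"] = "ESTABLISHED"          # step 3: ACK of X+1, sent from N+1
            else:
                flow["anomalies"].append("third segment does not acknowledge X+1 from N+1")
            return fwd
        return fwd if fwd in self.flows else (rev if rev in self.flows else None)

    def incomplete(self) -> List[Flow]:
        """SYNs that never completed: refused or filtered ports, scans, SYN floods."""
        return [k for k, v in self.flows.items() if v["state"] != "ESTABLISHED"]


def track(lines: List[str]) -> HandshakeTracker:
    tracker = HandshakeTracker()
    for line in lines:
        tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = track(SAMPLE_LINES)
    for flow, rec in t.flows.items():
        print(flow, rec["state"], rec["anomalies"])
```

The tracker only understands the flag letters and layout of the tcpdump version used on this page; newer releases print flags as `Flags [S.]` and the regular expression would need adjusting. Feeding it a live capture would be done with `tcpdump -n -S -vv -l tcp | python3 script.py` reading lines from stdin, which is left out here so the block runs offline.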
This article is from the ChinaUnix blog; for the original, see: http://blog.chinaunix.net/u/6566/showart_112686.html