Tcpdump Tutorial
(ChinaUnix forum post, 2006-05-14 22:03)
  • The frequently used options:
    • -n: print IP addresses instead of resolving them to host names (this also avoids the DNS lookups that name resolution would generate while you capture).
    • -S: print absolute TCP sequence numbers. By default tcpdump prints the absolute initial sequence number on the SYN and relative numbers, counted from that ISN, on the later segments of a connection.
    • -vv: more verbose output. At -v and above tcpdump also verifies the IP header and TCP checksums of fully captured packets and annotates them, e.g. "[tcp sum ok]" or "bad cksum".
    • Some useful filter expressions: expressions can be combined with the logical operators and, or and not.
      • host: matches packets whose source or destination is the given host.
  • The data format of tcpdump output, using this SYN as the example:
    09:44:54.549293 IP (tos 0x0, ttl 64, id 38374, offset 0, flags [DF], length: 60) 192.168.1.2.43986 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 698054336:698054336(0) win 5840
    • 09:44:54.549293: timestamp.
    • IP: protocol.
    • IP header:
      • tos: type of service.
      • ttl: time to live.
      • id: identification.
      • offset: fragment offset.
      • flags: IP flags; [DF] means don't fragment.
      • length: total length of the datagram, including the IP header.
    • 192.168.1.2.43986: source address and its port.
    • XXX.XXX.XXX.XXX.80: destination address and its port.
    • [tcp sum ok]: tcpdump verified the TCP checksum (shown at -v and above).
    • S: TCP flags
      • S: SYN, synchronize sequence numbers to initiate a connection.
      • F: FIN, the sender has finished sending data.
      • P: PUSH, the receiver should hand this data to the application as soon as possible.
      • R: RST, reset the connection.
      • .: none of SYN, FIN, PUSH or RST is set (typically a pure ACK; the ACK flag itself is shown as the separate "ack N" field).
    • 698054336:698054336(0): first sequence number, last sequence number and number of bytes of user data in this segment. The last number is the first plus the byte count, so a SYN with no data shows the same number twice and (0).
    • win: TCP window size, the raw 16-bit field as it appears in the header.
    • TCP options
      • mss: maximum segment size.
      • sackOK: Selective Acknowledgment Permitted. SackOK must be present in the TCP options of both the SYN and the SYN/ACK of the three-way handshake, or SACK cannot be used; it should not appear in any other packet.
      • timestamp: TCP timestamps (RFC 1323), a TSval/TSecr pair used for round-trip time measurement and PAWS.
      • nop: No Operation, used to pad options to a 32-bit boundary.
      • wscale: window scale, defined in RFC 1323; the real window is the printed win value shifted left by the negotiated scale.




    Analyzing the commonly used TCP/IP header formats with tcpdump output
  • The TCP/IP header structures.
    • The IPv4 header (each row is one 32-bit word; field widths in bits):
        Word  Fields
        0     Version (4) | IHL (4) | Type of service (8) | Total length (16)
        1     Identification (16) | Flags (3) | Fragment offset (13)
        2     Time to live (8) | Protocol (8) | Header checksum (16)
        3     Source address (32)
        4     Destination address (32)
        5+    Options + padding (only present when IHL > 5)
              Data
      IHL is the header length in 32-bit words, so the IP header is IHL x 4 bytes (20 bytes without options).
    • The TCP header (each row is one 32-bit word; field widths in bits):
        Word  Fields
        0     Source port (16) | Destination port (16)
        1     Sequence number (32)
        2     Acknowledgment number (32)
        3     HLEN (4) | Reserved (6) | Flags (6) | Window size (16)
        4     Checksum (16) | Urgent pointer (16)
        5+    Options and padding (only present when HLEN > 5)
      HLEN (the data offset) is the header length in 32-bit words, so the TCP header is HLEN x 4 bytes (20 bytes without options).
    • ICMP
      The ICMP header (first 32-bit word; field widths in bits):
        Type (8) | Code (8) | Checksum (16)
      The commonly used types and codes:
        NAME             TYPE  CODE  COMMENT
        ICMP_ECHO        8     0     Ping request.
        ICMP_ECHOREPLY   0     0     Ping response.
        ICMP_UNREACH     3     4     ICMP_UNREACH_NEEDFRAG: fragmentation needed but DF is set. Used by Path MTU discovery to determine the optimal MTU.
        ICMP_TIMXCEED    11    0     TTL expired in transit. Used by UNIX traceroute and Windows tracert (note that UNIX traceroute sends its probes to a high UDP port, while tracert sends ICMP echo requests). This message is also important when routing loops occur.
      • The tracert output
          16:53:23.579839 IP (tos 0x0, ttl   1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50432, length 72
          16:53:27.640386 IP (tos 0x0, ttl   1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50688, length 72
          16:53:31.645176 IP (tos 0x0, ttl   1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50944, length 72
          16:53:35.650113 IP (tos 0x0, ttl   2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
          16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
                  IP (tos 0x0, ttl   1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
          16:53:35.664766 IP (tos 0x0, ttl   2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
          16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
                  IP (tos 0x0, ttl   1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
          16:53:35.680755 IP (tos 0x0, ttl   2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
          16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
                  IP (tos 0x0, ttl   1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
          16:53:36.682241 IP (tos 0x0, ttl   3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51968, length 72
        The above is the packet output of a Windows XP tracert. It sends three ICMP echo requests with a TTL of 1, then raises the TTL by one for the next three probes, and so on. The router at which the TTL reaches zero discards the probe and sends an ICMP Time Exceeded in transit (type 11, code 0) back to the client, quoting the IP header and the first bytes of the expired probe; tcpdump prints that quoted header indented under the reply. Here the three TTL 1 probes drew no reply within the roughly four-second timeout, and the TTL 2 probes were answered by 61.148.36.17. Two things in this output are easy to misread. The id of 512 (0x0200) and sequence numbers that climb by 256 are most likely the Windows ICMP id and sequence fields written in little-endian byte order, not 256 probes per step. And the "bad cksum" that tcpdump flags on the quoted inner header does not mean the packet was corrupted: the quoted copy was modified in transit (its TTL was decremented, and a NAT in front of 192.168.1.2 would rewrite the source address in both the outer and the quoted header) without the quoted checksum being recomputed, so a checksum mismatch on a quoted header is expected here rather than a sign of tampering.
  • The raw bytes of a TCP packet as printed by tcpdump -x. This is the SYN of the three-way handshake shown below (id 11396, source port 41158, sequence number 2433209348); note that the hex dump still contains the destination address that the text output masks, so redacting one view of a capture does not redact the capture.
            0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102
            0x0010:  ca6c 0910 a0c6 0050 9107 d404 0000 0000
            0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a
            0x0030:  0073 f880 0000 0000 0103 0302
    The low nibble of the first byte (0x45) is the IHL, 5 words, so the IP header is 5 x 4 = 20 bytes and the IP header part of this packet is
            0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102
            0x0010:  ca6c 0910
    (version 4, total length 0x003c = 60, id 0x2c84 = 11396, flags 0x4000 = DF, TTL 0x40 = 64, protocol 6 = TCP, header checksum 0x7911, source c0a8 0102 = 192.168.1.2). The remaining part is the TCP segment:
            0x0010:            a0c6 0050 9107 d404 0000 0000
            0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a
            0x0030:  0073 f880 0000 0000 0103 0302
    The high nibble of the 13th octet of the TCP segment (0xa0) is the TCP header length in 32-bit words, so the TCP header is 0xa x 4 = 40 bytes: the 20-byte fixed header (source port 0xa0c6 = 41158, destination port 0x0050 = 80, sequence number 0x9107d404 = 2433209348, flags 0x02 = SYN, window 0x16d0 = 5840, checksum 0x9cf7) followed by 20 bytes of options (02 04 05b4 = mss 1460, 04 02 = sackOK, 08 0a 0073f880 00000000 = timestamp, 01 = nop, 03 03 02 = wscale 2). 20 + 40 = 60 bytes accounts for the whole packet, so this SYN carries no user data, which matches the (0) in the text output.
  • The TCP three-way handshake
    The three-way handshake is the process for establishing a TCP connection. A connection is established as shown in the example below, captured with -S so that the sequence numbers are absolute. In this example a client is contacting a web server to send it some data.
    • The client sends a packet with the SYN bit set and a sequence number of N (here N = 2433209348):
      11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840
    • The server replies with the SYN bit set, its own sequence number X (here 906011348) and an acknowledgment number of N+1:
      11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792
    • The client sends a packet with an acknowledgment number of X+1, and the connection is established. Its own sequence number is now N+1, because the SYN consumed one sequence number:
      11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460
    • The client sends its data, 537 bytes starting at sequence number N+1:
      11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460
    The first three steps of the above process are the three-way handshake that establishes the connection. Two details worth checking in a capture: the server's acknowledgment must be exactly N+1 and the client's exactly X+1 (anything else points to a broken stack or a forged segment), and the win values are the raw 16-bit window field, so when window scaling was negotiated in the SYN and SYN/ACK the effective window is that value shifted left by the wscale factor.
    This article comes from the ChinaUnix blog; for the original see: http://blog.chinaunix.net/u/6566/showart_112686.html
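The hex dump in the tutorial can be decoded by hand as the text does, but the arithmetic (IHL x 4, data offset x 4, option lengths, the two checksums) is exactly where hand decoding and real decoders go wrong. The following is an added example written for this page, not tcpdump's code or the original author's. It takes the tutorial's own hex dump (the constant TUTORIAL_HEXDUMP is copied from the page; the parser also tolerates the ASCII column that -X adds), decodes the IPv4 and TCP headers field by field, verifies the IP header checksum and the TCP checksum over the pseudo-header, walks the option list with bounds checks, and re-renders the packet in the one-line style the tutorial explains. Everything else is standard-library code with no further assumptions.

```python
# Added example for this page (not tcpdump's decoder): parse a tcpdump -x/-X hex
# dump, decode the IPv4 and TCP headers, verify both checksums, and re-render.
import re
import struct

# The 60-byte SYN from the tutorial's hex dump, copied from the page.
TUTORIAL_HEXDUMP = """
0x0000:  4500 003c 2c84 4000 4006 7911 c0a8 0102
0x0010:  ca6c 0910 a0c6 0050 9107 d404 0000 0000
0x0020:  a002 16d0 9cf7 0000 0204 05b4 0402 080a
0x0030:  0073 f880 0000 0000 0103 0302
"""


def hexdump_to_bytes(dump):
    """tcpdump -x/-X lines ("0x0010:  ca6c 0910 ...  [ascii]") back to raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)", line)
        if m:
            hexwords = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            out += bytes.fromhex(hexwords.replace(" ", ""))
    return bytes(out)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 means a header that includes its own checksum field verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp_options(raw):
    """Walk the option list with bounds checks: a length that runs past the header is malformed."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:                 # kind 0 = EOL, the rest is padding
        kind = raw[i]
        if kind == 1:                                   # NOP, the only 1-byte option
            opts.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and length == 4:
            opts.append("mss %d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            opts.append("wscale %d" % body[0])
        elif kind == 4 and length == 2:
            opts.append("sackOK")
        elif kind == 8 and length == 10:
            opts.append("timestamp %d %d" % struct.unpack("!II", body))
        else:
            opts.append("opt-%d" % kind)
        i += length
    return opts


def parse_packet(pkt):
    """Decode an IPv4 datagram (no link-layer header) and, for protocol 6, its TCP segment."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    (_, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (pkt[0] & 0x0F) * 4                           # IHL is in 32-bit words
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    ip = {"tos": tos, "ttl": ttl, "id": ident, "length": total_len, "proto": proto,
          "DF": bool(flags_frag & 0x4000), "MF": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
          "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
          "ip_sum_ok": inet_checksum(pkt[:ihl]) == 0}
    seg = pkt[ihl:total_len]
    if proto != 6:
        return ip, None
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off >> 4) * 4                               # data offset, in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad TCP data offset")
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))   # the TCP checksum also covers this pseudo-header
    tcp = {"sport": sport, "dport": dport, "seq": seq, "win": win, "hlen": hlen,
           "ack": ack if flags & 0x10 else None, "data_len": len(seg) - hlen,
           "flags": "".join(c for b, c in ((2, "S"), (1, "F"), (4, "R"), (8, "P")) if flags & b) or ".",
           "options": parse_tcp_options(seg[20:hlen]),
           "tcp_sum_ok": inet_checksum(pseudo + seg) == 0}
    return ip, tcp


def summary(pkt):
    """Render the packet the way the tutorial's tcpdump -S -vv lines read."""
    ip, tcp = parse_packet(pkt)
    line = "IP (tos 0x%x, ttl %d, id %d, offset %d, flags [%s], length: %d) %s" % (
        ip["tos"], ip["ttl"], ip["id"], ip["offset"], "DF" if ip["DF"] else "none", ip["length"], ip["src"])
    if tcp is None:
        return line + " > %s: proto %d" % (ip["dst"], ip["proto"])
    line += ".%d > %s.%d: %s [tcp sum %s] %d:%d(%d)" % (
        tcp["sport"], ip["dst"], tcp["dport"], tcp["flags"], "ok" if tcp["tcp_sum_ok"] else "bad",
        tcp["seq"], tcp["seq"] + tcp["data_len"], tcp["data_len"])
    line += (" ack %d" % tcp["ack"] if tcp["ack"] is not None else "") + " win %d" % tcp["win"]
    return line + (" <%s>" % ",".join(tcp["options"]) if tcp["options"] else "")
```

Running summary(hexdump_to_bytes(TUTORIAL_HEXDUMP)) reproduces the tutorial's SYN line, with the options that the page's text output lost and with both checksums reported as good. The option walker raises on a length that runs past the header instead of reading beyond it, which is the check a decoder fed hostile packets needs.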
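To check the handshake arithmetic the tutorial describes against a capture, here is a second added example (not from the page or from tcpdump). It parses tcpdump -S lines in the old one-line format shown above into fields, follows the SYN, SYN/ACK and ACK of one connection, and verifies that each acknowledgment is the peer's sequence number plus one and that the client's data starts at N+1. The four TUTORIAL_HANDSHAKE lines are copied from the page (the masked XXX.XXX.XXX.XXX host is kept as a literal token); BAD_HANDSHAKE is a constructed variant in which the SYN/ACK acknowledges the wrong number, to show what a mismatch reports. It assumes -S (absolute) sequence numbers; with tcpdump's default relative numbering the same check reads as 0 and 1.

```python
# Added example for this page (not from the page or tcpdump): parse tcpdump -S
# one-line TCP output and verify the three-way handshake arithmetic.
import re

# The four lines of the tutorial's handshake capture, copied from the page
# (the masked destination XXX.XXX.XXX.XXX is kept as a literal token).
TUTORIAL_HANDSHAKE = """
11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840
11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792
11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460
11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460
""".strip().splitlines()

# Constructed variant: the SYN/ACK acknowledges N+2 instead of N+1, which a
# broken stack or an injected segment would produce.
BAD_HANDSHAKE = [TUTORIAL_HANDSHAKE[0],
                 TUTORIAL_HANDSHAKE[1].replace("ack 2433209349", "ack 2433209350"),
                 TUTORIAL_HANDSHAKE[2]]

# Old tcpdump one-line TCP format: ts IP (...) src.port > dst.port: FLAGS [tcp sum ok] a:b(n) [ack k] win w
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP \((?P<iphdr>[^)]*)\) "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: \[tcp sum (?P<sum>\w+)\])? "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)")


def parse_line(line):
    """One tcpdump TCP line -> dict of fields, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    for k in ("sport", "dport", "seq", "end", "len", "win"):
        p[k] = int(p[k])
    p["ack"] = int(p["ack"]) if p["ack"] is not None else None
    return p


def check_handshake(lines):
    """Follow the first connection in the lines: bare SYN, SYN/ACK, ACK, then client data.
    Records both ISNs and every place where the sequence/ack arithmetic is wrong."""
    r = {"client": None, "server": None, "client_isn": None, "server_isn": None,
         "established": False, "client_bytes": 0, "problems": []}
    next_seq = None                          # next sequence number the client should use
    for p in filter(None, map(parse_line, lines)):
        here, there = (p["src"], p["sport"]), (p["dst"], p["dport"])
        if "R" in p["flags"]:
            r["problems"].append("reset from %s" % p["src"])
        elif r["client"] is None:
            if p["flags"] == "S" and p["ack"] is None:      # a bare SYN opens the connection
                r["client"], r["server"], r["client_isn"] = here, there, p["seq"]
                next_seq = p["seq"] + 1                     # the SYN consumes one sequence number
        elif r["server_isn"] is None:
            if (here, there, p["flags"]) != (r["server"], r["client"], "S"):
                r["problems"].append("expected SYN/ACK from server, got %s from %s" % (p["flags"], p["src"]))
            elif p["ack"] != r["client_isn"] + 1:
                r["problems"].append("SYN/ACK acks %d, expected %d" % (p["ack"], r["client_isn"] + 1))
            else:
                r["server_isn"] = p["seq"]
        elif not r["established"]:
            if (here, p["flags"], p["seq"], p["ack"]) != (r["client"], ".", next_seq, r["server_isn"] + 1):
                r["problems"].append("third packet does not complete the handshake: %s" % p["flags"])
            else:
                r["established"] = True
        elif here == r["client"]:
            if p["seq"] != next_seq:
                r["problems"].append("client seq %d, expected %d" % (p["seq"], next_seq))
            next_seq = p["seq"] + p["len"]
            r["client_bytes"] += p["len"]
    return r
```

check_handshake(TUTORIAL_HANDSHAKE) reports the connection as established with no problems, both ISNs recorded and 537 client bytes; check_handshake(BAD_HANDSHAKE) reports that the SYN/ACK acknowledges 2433209350 where 2433209349 was expected and never reaches the established state. In the old format the host and port are only separated by a dot, so the parser relies on the " > " and ": " delimiters to split them; a line that is not a TCP one-liner (an ICMP line, for instance) is rejected rather than misread.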