<在线等>tcpdump输出信息看不懂啊。

cskyrain

运行环境描述：
使用unp1中tcpserv01和tcpcli01这两个程序，就是最简单的echo功能。

tcpserv01运行在demo版上，a8平台。
tcpcli01运行在pc端，fedora 7。

demo版上运行tcpdump，抓包。信息如下：那位能给解释下过程。谢谢！



# tcpserv01 &
# tcpdump host 172.8.11.27
[  192.660000] device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
00:03:18.439620 ARP, Request who-has 172.8.11.25 tell 172.8.11.27, length 1582
00:03:18.439823 ARP, Reply 172.8.11.25 is-at 00:22:44:23:32:23 (oui Unknown), length 28
00:03:18.443293 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [S], seq 3387259866, win 5840, options [mss 1460,[|tcp]>
00:03:18.443539 IP 172.8.11.25.9877 > 172.8.11.27.56787: Flags [S.], seq 3111265960, ack 3387259867, win 14480, options [mss 1460,[>
00:03:18.443780 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [.], ack 1, win 730, options [nop,nop,TS[|tcp]>
00:03:23.450191 ARP, Request who-has 172.8.11.27 tell 172.8.11.25, length 28
00:03:23.450460 ARP, Reply 172.8.11.27 is-at 00:0c:29:d5:93:08 (oui Unknown), length 1582
00:04:22.198900 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:04:30.032391 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [P.], ack 1, win 730, options [nop,nop,TS[|tcp]>
00:04:30.032667 IP 172.8.11.25.9877 > 172.8.11.27.56787: Flags [.], ack 5, win 1810, options [nop,nop,TS[|tcp]>
00:04:30.032943 IP 172.8.11.25.9877 > 172.8.11.27.56787: Flags [P.], ack 5, win 1810, options [nop,nop,TS[|tcp]>
00:04:30.033152 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [.], ack 5, win 730, options [nop,nop,TS[|tcp]>
00:04:35.040157 ARP, Request who-has 172.8.11.27 tell 172.8.11.25, length 28
00:04:35.040393 ARP, Reply 172.8.11.27 is-at 00:0c:29:d5:93:08 (oui Unknown), length 1582
00:06:00.434648 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:07:38.208850 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:09:16.031488 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:10:52.756047 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:12:31.052493 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:13:37.037146 ARP, Request who-has 172.8.11.27 tell 172.8.11.23, length 1582
00:14:07.233758 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:15:43.704674 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:17:21.715495 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:18:58.459971 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:20:35.144549 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:22:11.825914 IP 172.8.11.27.5353 > 224.0.0.251.5353: 0*- [0q] 3/0/0[|domain]
00:22:25.218112 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [P.], ack 5, win 730, options [nop,nop,TS[|tcp]>
00:22:25.218528 IP 172.8.11.25.9877 > 172.8.11.27.56787: Flags [P.], ack 8, win 1810, options [nop,nop,TS[|tcp]>
00:22:25.218820 IP 172.8.11.27.56787 > 172.8.11.25.9877: Flags [.], ack 8, win 730, options [nop,nop,TS[|tcp]>
00:22:30.220127 ARP, Request who-has 172.8.11.27 tell 172.8.11.25, length 28
00:22:30.220460 ARP, Reply 172.8.11.27 is-at 00:0c:29:d5:93:08 (oui Unknown), length 1582

walleeee

http://bbs.chinaunix.net/thread-3727715-1-1.html

cskyrain

00:03:18.439620 ARP, Request who-has 172.8.11.25 tell 172.8.11.27, length 1582


这句最后的length指的是什么？？？包的长度吗，arp的包邮1582这么大吗？？？

walleeee

回复 3# cskyrain


    猜就是这样。你可以看看手册有没有写

cskyrain

回复 4# walleeee


    arp的包不可能有这么大，但length的确是传上来的包的长度，目前猜测是mac芯片传上了的包的length不对。

walleeee

回复 5# cskyrain

arp包为什么不能这么大？你凭什么说

cskyrain

回复 6# walleeee


    实际测试：我在同一网段用另一台机器抓的同一个包，只有60bytes。
   

cskyrain

回复 6# walleeee
对协议不熟，不过arp就是广播个who  has XXXXXX什么的，用得着1500bytes以上吗

   

walleeee

爆运行参数

cskyrain

回复 9# walleeee

????tcpdump host 172.8.11.27就这样啊