Category: LINUX
2006-05-14 22:03:28
Frequently used options:
-n: print IP addresses instead of host names (no DNS lookups).
-S: print absolute TCP sequence numbers instead of numbers relative to the first packet of the connection.
-vv: more verbose output; at this level tcpdump also prints the IP header fields and checks the TCP checksum ([tcp sum ok]).
Some useful filter expressions: expressions can be combined with the logic operators and, or, and not.
host: match packets whose source or destination address is the given host.
The data format of tcpdump output, using this line as the example:
09:44:54.549293 IP (tos 0x0, ttl 64, id 38374, offset 0, flags [DF], length: 60) 192.168.1.2.43986 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 698054336:698054336(0) win 5840
09:44:54.549293: timestamp.
IP: protocol.
IP header:
tos: type of service.
ttl: time to live.
id: identification, shared by all fragments of one datagram.
offset: fragment offset.
flags: IP flags; [DF] means don't fragment, [none] means no flag is set.
length: total length of the datagram in bytes, including the IP header.
192.168.1.2.43986: source address and its port.
XXX.XXX.XXX.XXX.80: destination address and its port.
S: TCP flags
S: SYN, synchronize sequence numbers to initiate a connection.
F: FIN, the sender has finished sending data.
P: PUSH, the receiver should hand this data to the application as soon as possible.
R: RST, reset the connection.
.: none of the above flags is set; ACK is not printed as a flag letter but separately as "ack N".
698054336:698054336(0): sequence number of the first byte, sequence number after the last byte, and the number of bytes of user data (0 for this SYN).
win: TCP window size.
TCP options
mss: maximum segment size.
sackOK: Selective Acknowledgment Permitted. SackOK must be included in the TCP options of both the SYN and the SYN/ACK during the three-way handshake, or SACK cannot be used; it should not appear in any other packet.
timestamp: TCP timestamps option (TSval and TSecr), used for round-trip time measurement and for protection against wrapped sequence numbers.
nop: No Operation (NOP) TCP option, used as padding to align the following option.
wscale: Window Scale, defined in
The TCP/IP header structures.
The IP header structure (each row is 32 bits)
0       4       8               16                              32 bits
+-------+-------+---------------+-------------------------------+
|  Ver. |  IHL  |Type of service|         Total length          |
+-------+-------+---------------+-----+-------------------------+
|        Identification         |Flags|     Fragment offset     |
|                               |3bits|                         |
+---------------+---------------+-----+-------------------------+
| Time to live  |   Protocol    |        Header checksum        |
+---------------+---------------+-------------------------------+
|                        Source address                         |
+---------------------------------------------------------------+
|                      Destination address                      |
+---------------------------------------------------------------+
|                       Options + Padding                       |
+---------------------------------------------------------------+
|                             Data                              |
+---------------------------------------------------------------+
The TCP header structure (each row is 32 bits)
0               8               16              24              32 bits
+-------------------------------+-------------------------------+
|          Source port          |       Destination port        |
+-------------------------------+-------------------------------+
|                        Sequence number                        |
+---------------------------------------------------------------+
|                     Acknowledgment number                     |
+-------+-----------+-----------+-------------------------------+
|  HLEN |  Reserved |   Flags   |          Window size          |
| 4bits |  (6 bits) |  (6 bits) |                               |
+-------+-----------+-----------+-------------------------------+
|           Checksum            |        Urgent pointer         |
+-------------------------------+-------------------------------+
|                      Options and padding                      |
+---------------------------------------------------------------+
ICMP
The ICMP header
0               8               16                              32 bits
+---------------+---------------+-------------------------------+
|     Type      |     Code      |           Checksum            |
+---------------+---------------+-------------------------------+
The commonly used types and codes
NAME             TYPE  CODE  COMMENT
ICMP_ECHO           8     0  Ping.
ICMP_ECHOREPLY      0     0  Ping response.
ICMP_UNREACH        3     4  ICMP_UNREACH_NEEDFRAG: fragmentation needed but the DF bit was set. Used by Path MTU discovery to find the largest MTU the path can carry.
ICMP_TIMXCEED      11     0  TTL expired in transit. Used by UNIX traceroute and Windows tracert (note that UNIX traceroute sends its probes to a high UDP port rather than as echo requests). This message is also important when routing loops occur.
The tracert output as captured by tcpdump:
16:53:23.579839 IP (tos 0x0, ttl 1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50432, length 72
16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50688, length 72
16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 50944, length 72
16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51712, length 72
16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > XXX.XXX.XXX.XXX: ICMP echo request, id 512, seq 51968, length 72
The above is the Windows XP tracert packet output. tracert sends an ICMP echo request three times with TTL 1, then raises the TTL by 1 for each further group of three. The router at which the TTL reaches zero discards the probe and sends an ICMP Time Exceeded in-transit message (type 11, code 0) back to the client. That message quotes the IP header of the discarded probe, which tcpdump prints on the indented line under each reply; the quoted id (41719, 41720, 41721) is what ties each reply to its probe, and tcpdump checks the quoted header's checksum as well, printing bad cksum when it does not match. No reply to the TTL 1 probes appears in this capture, which is why they are about four seconds apart (tracert's per-probe timeout), while the TTL 2 probes were answered within about 15 ms by 61.148.36.17.
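The matching that tracert itself performs, as an added example that is not part of the original post: the script parses tcpdump lines in the format above, ties each time-exceeded reply to the probe whose header it quotes (by the quoted IP id), and builds the hop table with round-trip times plus the TTLs that got no reply. The sample lines are constructed from the capture above, with 203.0.113.9 standing in for the masked destination and the quoted headers indented the way tcpdump prints them.

```python
"""Rebuild a traceroute hop table from the tcpdump lines of a tracert run."""
import re

# Constructed sample in the page's format; 203.0.113.9 (TEST-NET-3) stands in for the
# masked XXX.XXX.XXX.XXX, and the quoted headers are indented as tcpdump prints them.
SAMPLE = """\
16:53:23.579839 IP (tos 0x0, ttl 1, id 41569, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 50432, length 72
16:53:27.640386 IP (tos 0x0, ttl 1, id 41619, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 50688, length 72
16:53:31.645176 IP (tos 0x0, ttl 1, id 41670, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 50944, length 72
16:53:35.650113 IP (tos 0x0, ttl 2, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664651 IP (tos 0x0, ttl 254, id 16045, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41719, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ece (->8183)!) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51200, length 72
16:53:35.664766 IP (tos 0x0, ttl 2, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680677 IP (tos 0x0, ttl 254, id 16061, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41720, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecd (->8182)!) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51456, length 72
16:53:35.680755 IP (tos 0x0, ttl 2, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51712, length 72
16:53:35.696444 IP (tos 0x0, ttl 254, id 16068, offset 0, flags [none], proto: ICMP (1), length: 56) 61.148.36.17 > 192.168.1.2: ICMP time exceeded in-transit, length 36
    IP (tos 0x0, ttl 1, id 41721, offset 0, flags [none], proto: ICMP (1), length: 92, bad cksum 7ecc (->8181)!) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51712, length 72
16:53:36.682241 IP (tos 0x0, ttl 3, id 41734, offset 0, flags [none], proto: ICMP (1), length: 92) 192.168.1.2 > 203.0.113.9: ICMP echo request, id 512, seq 51968, length 72
"""

# An outgoing echo request (has a timestamp) or the copy quoted inside an ICMP error (no timestamp).
ECHO_RE = re.compile(
    r"^(?:(?P<ts>\d\d:\d\d:\d\d\.\d+) )?\s*IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<id>\d+),.*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request, id (?P<icmp_id>\d+), seq (?P<seq>\d+)")
EXCEEDED_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?\) (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP time exceeded in-transit")


def to_us(ts):
    """hh:mm:ss.ffffff -> microseconds since midnight; integers avoid float drift in the RTTs."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1000000 + int(frac.ljust(6, "0")[:6])


def reconstruct_hops(text):
    """Return ({ttl: [(router, rtt_ms), ...]}, [ttls that got no reply])."""
    probes = {}          # IP id of each probe we sent -> (send time, ttl)
    hops = {}
    pending = None       # (reply time, router) of a time-exceeded line awaiting its quoted header
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m and m.group("ts"):
            probes[int(m.group("id"))] = (to_us(m.group("ts")), int(m.group("ttl")))
        elif m:
            if pending is None:
                raise ValueError("quoted header without a preceding ICMP error: " + line.strip())
            probe = probes.get(int(m.group("id")))   # the quoted id ties the reply to its probe
            if probe is not None:
                sent_us, ttl = probe
                hops.setdefault(ttl, []).append((pending[1], (pending[0] - sent_us) / 1000.0))
            pending = None
        else:
            m = EXCEEDED_RE.match(line)
            if m:
                pending = (to_us(m.group("ts")), m.group("src"))
    unanswered = sorted({ttl for _, ttl in probes.values()} - set(hops))
    return hops, unanswered


def hop_table(text):
    """One line per TTL, e.g. 'TTL 2: 61.148.36.17 14.538 ms, 15.911 ms' or 'TTL 1: no reply'."""
    hops, unanswered = reconstruct_hops(text)
    rows = []
    for ttl in sorted(set(hops) | set(unanswered)):
        if ttl in hops:
            routers = "/".join(sorted({r for r, _ in hops[ttl]}))
            rows.append("TTL %d: %s %s" % (ttl, routers, ", ".join("%.3f ms" % rtt for _, rtt in hops[ttl])))
        else:
            rows.append("TTL %d: no reply" % ttl)
    return rows


if __name__ == "__main__":
    for row in hop_table(SAMPLE):
        print(row)
```

Replies are matched by the IP id of the quoted header rather than by order of arrival, so a late or missing reply cannot be credited to the wrong probe; TTLs whose probes were never answered are reported separately instead of being silently dropped.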
The raw output of a TCP packet from tcpdump (hex dump):
0x0000: 4500 003c 2c84 4000 4006 7911 c0a8 0102 E..<,.@.@.y.....
0x0010: ca6c 0910 a0c6 0050 9107 d404 0000 0000 .l.....P........
0x0020: a002 16d0 9cf7 0000 0204 05b4 0402 080a ................
0x0030: 0073 f880 0000 0000 0103 0302
The first octet, 0x45, is version 4 with IHL 5, so the IP header is 5 x 4 = 20 bytes: the first 20 bytes of the packet.
0x0000: 4500 003c 2c84 4000 4006 7911 c0a8 0102 E..<,.@.@.y.....
0x0010: ca6c 0910
The total length field is 0x003c = 60 bytes, so the remaining 60 - 20 = 40 bytes are the TCP segment.
                  a0c6 0050 9107 d404 0000 0000 .l.....P........
0x0020: a002 16d0 9cf7 0000 0204 05b4 0402 080a ................
0x0030: 0073 f880 0000 0000 0103 0302
The high nibble of the 13th octet of the TCP segment (0xa0) is the TCP header length in 32-bit words, so the TCP header is 0xa x 4 = 40 bytes: the 20-byte fixed header (source port 0xa0c6 = 41158, destination port 0x0050 = 80, sequence number 0x9107d404 = 2433209348, flags 0x02 = SYN, window 0x16d0 = 5840) followed by 20 bytes of options (mss 1460, sackOK, timestamp, nop, wscale 2). 20 + 40 equals the IP total length, so this SYN carries no user data. Its IP id (0x2c84 = 11396), source port and sequence number show it is the first packet of the handshake below.
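The same decoding done by hand above, as an added example that is not part of the original post: it parses the page's hex dump, walks the IP and TCP header layouts from the diagrams above, verifies the IP header checksum (the check behind tcpdump's bad cksum warning), decodes the options, and rebuilds the one-line summary tcpdump prints for this packet. The destination address it reports is whatever the bytes ca6c 0910 decode to; nothing beyond the bytes on the page is assumed.

```python
"""Decode the IP and TCP headers of a tcpdump hex dump, field by field."""
import struct

# The four hex rows quoted on the page, offset and ASCII columns included.
PAGE_DUMP = """\
0x0000: 4500 003c 2c84 4000 4006 7911 c0a8 0102 E..<,.@.@.y.....
0x0010: ca6c 0910 a0c6 0050 9107 d404 0000 0000 .l.....P........
0x0020: a002 16d0 9cf7 0000 0204 05b4 0402 080a ................
0x0030: 0073 f880 0000 0000 0103 0302
"""

HEXCHARS = set("0123456789abcdefABCDEF")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
OPTION_DECODERS = {                      # option kind -> decoder of the option's data bytes
    2: lambda d: ("mss", struct.unpack("!H", d)[0]),
    3: lambda d: ("wscale", d[0]),
    4: lambda d: ("sackOK",),
    8: lambda d: ("timestamp",) + struct.unpack("!II", d),   # TSval, TSecr
}

def hexdump_to_bytes(dump):
    """Take the hex words of each '0xNNNN: w w w ... ascii' row (at most 8 words per row);
    the first token that is not 2 or 4 hex digits is the ASCII column and ends the row."""
    words = []
    for line in dump.splitlines():
        for tok in line.split()[1:9]:
            if len(tok) not in (2, 4) or not set(tok) <= HEXCHARS:
                break
            words.append(tok)
    return bytes.fromhex("".join(words))

def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 means the checksum field inside data is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ip_header(pkt):
    """Fixed 20-byte IPv4 header, in the order of the IP header diagram."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4              # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("not a complete IPv4 datagram")
    return {"version": ver_ihl >> 4, "ihl_bytes": ihl, "tos": tos, "total_length": total_len,
            "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
            "checksum_ok": inet_checksum(pkt[:ihl]) == 0,   # the test behind tcpdump's "bad cksum"
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20]))}

def parse_tcp_options(raw):
    """Walk the option list: kind 0 ends it, kind 1 (nop) has no length byte, the rest are kind,len,data."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:
        kind = raw[i]
        if kind == 1:
            opts.append(("nop",))
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        decode = OPTION_DECODERS.get(kind, lambda d: ("opt%d" % kind, d.hex()))
        opts.append(decode(raw[i + 2:i + length]))
        i += length
    return opts

def parse_tcp_header(seg):
    """Fixed 20-byte TCP header; the data offset is the high nibble of octet 13, in 32-bit words."""
    sport, dport, seq, ack, off_flags, window, cksum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad TCP data offset %d" % hlen)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_bytes": hlen,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
            "window": window, "checksum": cksum, "urgent": urg,
            "options": parse_tcp_options(seg[20:hlen]), "payload_len": len(seg) - hlen}

def decode_packet(dump):
    """Hex dump -> (IP header dict, TCP header dict or None for non-TCP payloads)."""
    pkt = hexdump_to_bytes(dump)
    ip = parse_ip_header(pkt)
    seg = pkt[ip["ihl_bytes"]:ip["total_length"]]
    return ip, (parse_tcp_header(seg) if ip["protocol"] == 6 else None)

def summary(ip, tcp):
    """One-line description in the style of the page's tcpdump text output."""
    letters = "".join(c for c, n in (("S", "SYN"), ("F", "FIN"), ("R", "RST"), ("P", "PSH"))
                      if n in tcp["flags"]) or "."
    text = "%s.%d > %s.%d: %s %d:%d(%d)" % (ip["src"], tcp["sport"], ip["dst"], tcp["dport"], letters,
                                             tcp["seq"], tcp["seq"] + tcp["payload_len"], tcp["payload_len"])
    if "ACK" in tcp["flags"]:
        text += " ack %d" % tcp["ack"]
    text += " win %d" % tcp["window"]
    if tcp["options"]:
        text += " <" + ",".join(" ".join(str(x) for x in o) for o in tcp["options"]) + ">"
    return text
```

Running decode_packet(PAGE_DUMP) reports a 20-byte IP header of a 60-byte datagram with a correct checksum, a 40-byte TCP header with no user data, and summary() prints the SYN with its five options; flipping any header byte (the TTL, say) turns checksum_ok false, which is exactly the condition tcpdump reports as bad cksum.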
The TCP three-way handshake is the process for establishing a TCP connection. It is shown in the example below, in which a client contacts a server to send it some data (captured with -S, so the sequence numbers are absolute).
The client sends a packet with the SYN bit set and a sequence number of N (here N = 2433209348):
11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840
The server replies with the SYN bit set, its own sequence number X (here X = 906011348) and an ACK number of N+1:
11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) XXX.XXX.XXX.XXX.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792
The client sends a packet with an ACK number of X+1 and the connection is established. Only the ACK bit is set, so the flags column shows ".":
11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460
The client sends the data: 537 bytes with PUSH set, starting at sequence number N+1 because the SYN itself consumed one sequence number. Without -S tcpdump would print this segment relative to the initial sequence numbers, as 1:538(537) ack 1:
11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > XXX.XXX.XXX.XXX.80: P 2433209349:2433209886(537) ack 906011349 win 1460
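The checks above written as code, an added example that is not part of the original post: it parses tcpdump -n -S lines in the format shown, confirms that the SYN, SYN/ACK and ACK carry N, X, N+1 and X+1 as described, and converts later segments to the relative numbering tcpdump prints without -S. The sample lines are constructed from the four packets above, with 203.0.113.80 standing in for the masked server address.

```python
"""Verify a TCP three-way handshake in tcpdump -n -S text output."""
import re

# Constructed sample in the page's format; 203.0.113.80 (TEST-NET-3) stands in
# for the masked server address XXX.XXX.XXX.XXX.
SAMPLE = """\
11:20:00.779825 IP (tos 0x0, ttl 64, id 11396, offset 0, flags [DF], length: 60) 192.168.1.2.41158 > 203.0.113.80.80: S [tcp sum ok] 2433209348:2433209348(0) win 5840
11:20:00.795387 IP (tos 0x0, ttl 59, id 0, offset 0, flags [DF], length: 60) 203.0.113.80.80 > 192.168.1.2.41158: S [tcp sum ok] 906011348:906011348(0) ack 2433209349 win 5792
11:20:00.795505 IP (tos 0x0, ttl 64, id 11398, offset 0, flags [DF], length: 52) 192.168.1.2.41158 > 203.0.113.80.80: . [tcp sum ok] 2433209349:2433209349(0) ack 906011349 win 1460
11:20:00.801691 IP (tos 0x0, ttl 64, id 11400, offset 0, flags [DF], length: 589) 192.168.1.2.41158 > 203.0.113.80.80: P 2433209349:2433209886(537) ack 906011349 win 1460
"""

# timestamp, IP header in parentheses, src.port > dst.port, flag letters, first:last(bytes), optional ack, win
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \((?P<iphdr>.*?)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPU.]+)(?: \[tcp sum ok\])? (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)")


def parse_line(line):
    """One tcpdump TCP line -> dict; rejects lines whose first:last(bytes) triple is inconsistent."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP line: " + line)
    seg = {"ts": m.group("ts"), "flags": m.group("flags"),
           "src": (m.group("src"), int(m.group("sport"))), "dst": (m.group("dst"), int(m.group("dport"))),
           "seq": int(m.group("seq")), "end": int(m.group("end")), "len": int(m.group("len")),
           "ack": int(m.group("ack")) if m.group("ack") else None, "win": int(m.group("win"))}
    if seg["end"] - seg["seq"] != seg["len"]:
        raise ValueError("sequence range does not match byte count: " + line)
    return seg


def check_handshake(text):
    """Find SYN (seq N), SYN/ACK (seq X, ack N+1) and ACK (seq N+1, ack X+1) among the lines."""
    segs = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    syn = next((s for s in segs if "S" in s["flags"] and s["ack"] is None), None)
    if syn is None:
        return {"complete": False, "reason": "no SYN"}
    client, server = syn["src"], syn["dst"]
    synack = next((s for s in segs if "S" in s["flags"] and s["src"] == server and s["dst"] == client
                   and s["ack"] == syn["seq"] + 1), None)
    if synack is None:
        return {"complete": False, "reason": "no SYN/ACK acknowledging N+1"}
    ack = next((s for s in segs if "S" not in s["flags"] and s["src"] == client and s["dst"] == server
                and s["seq"] == syn["seq"] + 1 and s["ack"] == synack["seq"] + 1), None)
    if ack is None:
        return {"complete": False, "reason": "no final ACK"}
    return {"complete": True, "client": client, "server": server,
            "client_isn": syn["seq"], "server_isn": synack["seq"], "segments": segs}


def relative_seq(seg, handshake):
    """(seq, end, ack) relative to the initial sequence numbers: what tcpdump prints without -S."""
    if seg["src"] == handshake["client"]:
        own, peer = handshake["client_isn"], handshake["server_isn"]
    else:
        own, peer = handshake["server_isn"], handshake["client_isn"]
    rel_ack = seg["ack"] - peer if seg["ack"] is not None else None
    return seg["seq"] - own, seg["end"] - own, rel_ack


if __name__ == "__main__":
    hs = check_handshake(SAMPLE)
    print(hs["complete"], hs.get("reason", ""))
    for seg in hs.get("segments", []):
        print(seg["flags"], relative_seq(seg, hs))
```

Feeding it only the first two lines of the sample reports the handshake as incomplete with the reason "no final ACK", which is the pattern a half-open connection (or a SYN scan that never completes) leaves in a capture; the data segment converts to (1, 538, 1), the 1:538(537) ack 1 that tcpdump would print without -S.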