tcpdump - Linux Command - Unix Command

NAME

tcpdump - dump traffic on a network

SYNOPSIS

tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]

[ -C file_size ] [ -F file ]

[ -i interface ] [ -m module ] [ -r file ]

[ -s snaplen ] [ -T type ] [ -U user ] [ -w file ]

[ -E algo:secret ] [ expression ]

DESCRIPTION

Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When tcpdump finishes capturing packets, it will report counts of:

packets ``received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

On platforms that support the SIGINFO signal, such as most BSDs, it will report those counts when it receives a SIGINFO signal (generated, for example, by typing your ``status'' character, typically control-T) and will continue capturing packets.

Reading packets from a network interface may require that you have special privileges:

Under SunOS 3.x or 4.x with NIT or BPF:

You must have read access to /dev/nit or /dev/bpf*.

Under Solaris with DLPI:

You must have read/write access to the network pseudo device, e.g. /dev/le. On at least some versions of Solaris, however, this is not sufficient to allow tcpdump to capture in promiscuous mode; on those versions of Solaris, you must be root, or tcpdump must be installed setuid to root, in order to capture in promiscuous mode. Note that, on many (perhaps all) interfaces, if you don't capture in promiscuous mode, you will not see any outgoing packets, so a capture not done in promiscuous mode may not be very useful.

Under HP-UX with DLPI:

You must be root or tcpdump must be installed setuid to root.

Under IRIX with snoop:

You must be root or tcpdump must be installed setuid to root.

Under Linux:

You must be root or tcpdump must be installed setuid to root.

Under Ultrix and Digital UNIX/Tru64 UNIX:

Any user may capture network traffic with tcpdump. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using pfconfig(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using pfconfig, so useful packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface.

Under BSD:

You must have read access to /dev/bpf*.

Reading a saved packet file doesn't require special privileges.

OPTIONS

-a

Attempt to convert network and broadcast addresses to names.

-c

Exit after receiving count packets.

-C

Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 2 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d

Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd

Dump packet-matching code as a C program fragment.

-ddd

Dump packet-matching code as decimal numbers (preceded with a count).

-e

Print the link-level header on each dump line.

-E

Use algo:secret for decrypting IPsec ESP packets. Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled. secret is the ascii text for the ESP secret key. Arbitrary binary values cannot be given at this moment. The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a truly `secret' key is discouraged. By presenting an IPsec secret key on the command line you make it visible to others, via ps(1) and other means.

-f

Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server - usually it hangs forever translating non-local internet numbers).

-F

Use file as input for the filter expression. An additional expression given on the command line is ignored.

-i

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.

-l

Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.

-m

Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-n

Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn

Don't convert protocol and port numbers etc. to names either.

-N

Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.

-O

Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p

Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-q

Quick (quiet?) output. Print less protocol information so output lines are shorter.

-R

Assume ESP/AH packets to be based on the old specification (RFC1825 to RFC1829). If specified, tcpdump will not print the replay prevention field. Since there is no protocol version field in the ESP/AH specification, tcpdump cannot deduce the version of the ESP/AH protocol.

-r

Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.

-S

Print absolute, rather than relative, TCP sequence numbers.

-s

Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.

-T

Force packets selected by "expression" to be interpreted as the specified type. Currently known types are cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), vat (Visual Audio Tool), and wb (distributed White Board).

-t

Don't print a timestamp on each dump line.

-tt

Print an unformatted timestamp on each dump line.

-ttt

Print a delta (in micro-seconds) between the current and previous line on each dump line.

-tttt

Print a timestamp in default format preceded by the date on each dump line.

-U

Drop root privileges and change the user ID to user and the group ID to the primary group of user.

Note! Red Hat Linux automatically drops the privileges to user ``pcap'' if nothing else is specified.

-u

Print undecoded NFS handles.

-v

(Slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X, telnet options are printed in hex as well.

-w

Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

-x

Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-X

When printing hex, print ascii too. Thus if -x is also set, the packet is printed in hex/ascii. This is very handy for analysing new protocols. Even if -x is not also set, some parts of some packets may be printed in hex/ascii.
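The savefile behaviour described under -w, -r, -s and -C above can be seen end to end without a capture interface. The following is an added example, not tcpdump's or libpcap's own code: it writes packets in the classic libpcap file layout (a 24-byte global header with magic 0xa1b2c3d4, version 2.4, the snaplen and link type 1 for Ethernet, then one record per packet carrying ts_sec, ts_usec, caplen and len), honouring the snaplen cut and the -C rotation rule, and reads the result back the way -r would. The packets and timestamps are constructed values; the file list returned by write_savefiles stands in for the file, file2, file3, ... names tcpdump would use.

```python
"""Write and read back a tcpdump/libpcap savefile (-w / -r), with -s truncation and -C rotation.

Added example, not tcpdump's own code.  Layout: 24-byte global header
(magic 0xa1b2c3d4 written little-endian, version 2.4, snaplen, link type
1 = Ethernet) followed by records of ts_sec, ts_usec, caplen (bytes saved)
and len (bytes on the wire).  All packets below are constructed.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, caplen, len
MAX_SNAPLEN = 65535                     # what "-s 0" (whole packets) expands to here


def global_header(snaplen: int) -> bytes:
    return GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def record(ts_sec: int, packet: bytes, snaplen: int) -> bytes:
    """One record: at most snaplen bytes are stored (the -s limit), but the
    on-the-wire length is kept, so a reader can tell the packet was cut."""
    saved = packet[:snaplen]
    return RECORD_HDR.pack(ts_sec, 0, len(saved), len(packet)) + saved


def write_savefiles(packets, snaplen=68, file_size=None):
    """Return a list of savefile blobs.  With file_size set, mimic -C: before
    each packet, if the current file is larger than file_size million bytes
    (1,000,000, not 1,048,576), start a new one.  tcpdump would name these
    file, file2, file3, ... after the -w argument."""
    if snaplen == 0:
        snaplen = MAX_SNAPLEN
    limit = None if file_size is None else file_size * 1_000_000
    files = [bytearray(global_header(snaplen))]
    for i, pkt in enumerate(packets):
        if limit is not None and len(files[-1]) > limit:
            files.append(bytearray(global_header(snaplen)))
        files[-1] += record(1_000_000_000 + i, pkt, snaplen)   # synthetic timestamps
    return [bytes(f) for f in files]


def read_savefile(blob: bytes):
    """Parse a savefile the way -r would consume it.  Returns a list of
    (ts_sec, data, truncated); truncated is True when caplen < len, the
    case tcpdump marks in its output as [|proto]."""
    magic, _major, _minor, _tz, _sig, _snaplen, network = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or network != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap savefile")
    off, records = GLOBAL_HDR.size, []
    while off < len(blob):
        sec, _usec, caplen, wirelen = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        data = blob[off:off + caplen]
        if len(data) != caplen:              # file cut short in the middle of a record
            raise ValueError("truncated record at offset %d" % off)
        off += caplen
        records.append((sec, data, caplen < wirelen))
    return records


def demo():
    """Constructed input: a 60-byte minimum-size frame and a 1514-byte full
    Ethernet frame, saved with the default 68-byte snaplen.  Returns the
    (saved length, truncated?) pair for each, as read back from the blob."""
    blob = write_savefiles([b"\x00" * 60, b"\x00" * 1514], snaplen=68)[0]
    return [(len(data), truncated) for _sec, data, truncated in read_savefile(blob)]


if __name__ == "__main__":
    print(demo())                       # [(60, False), (68, True)]
```

The second packet is what tcpdump would print with a `[|proto]` marker: the record says 1514 bytes were on the wire but only 68 were kept, so anything past the first few headers is gone from the file and no later `-r` run can recover it. That is the practical cost of a small snaplen, and the reason to raise it (or use `-s 0`) before capturing DNS or NFS traffic you will want to decode later.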

expression

selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type

qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir

qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto

qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.

Similarly, `tr' is an alias for `ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring headers.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host

True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.

src host host

True if the IPv4/v6 source field of the packet is host.

host host

True if either the IPv4/v6 source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, rarp, or ip6 as in:

ip host host

which is equivalent to:

ether proto \ip and host host

If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost

True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost

True if the ethernet source address is ehost.

ether host ehost

True if either the ethernet source or destination address is ehost.

gateway host

True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). (An equivalent expression is

ether host ehost and not host host

which can be used with either names or numbers for host / ehost.) This syntax does not work in an IPv6-enabled configuration at this moment.

dst net net

True if the IPv4/v6 destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net

True if the IPv4/v6 source address of the packet has a network number of net.

net net

True if either the IPv4/v6 source or destination address of the packet has a network number of net.

net net mask netmask

True if the IP address matches net with the specific netmask. May be qualified with src or dst. Note that this syntax is not valid for an IPv6 net.

net net/len

True if the IPv4/v6 address matches net with a netmask len bits wide. May be qualified with src or dst.

dst port port

True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port

True if the packet has a source port value of port.

port port

True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:

tcp src port port

which matches only tcp packets whose source port is port.

less length

True if the packet has a length less than or equal to length. This is equivalent to:

len <= length.

greater length

True if the packet has a length greater than or equal to length. This is equivalent to:

len >= length.

ip proto protocol

True if the packet is an IP packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell. Note that this primitive does not chase the protocol header chain.

ip6 proto protocol

True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does not chase the protocol header chain.

ip6 protochain protocol

True if the packet is an IPv6 packet, and contains a protocol header with type protocol in its protocol header chain. For example,

ip6 protochain 6

matches any IPv6 packet with a TCP protocol header in the protocol header chain. The packet may contain, for example, an authentication header, a routing header, or a hop-by-hop option header, between the IPv6 header and the TCP header. The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code in tcpdump, so this can be somewhat slow.

ip protochain protocol

Equivalent to ip6 protochain protocol, but this is for IPv4.

ether broadcast

True if the packet is an ethernet broadcast packet. The ether keyword is optional.

ip broadcast

True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast

True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

ip multicast

True if the packet is an IP multicast packet.

ip6 multicast

True if the packet is an IPv6 multicast packet.

ether proto protocol

True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note that these identifiers are also keywords and must be escaped via backslash (\).

[In the case of FDDI (e.g., `fddi protocol arp') and Token Ring (e.g., `tr protocol arp'), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI or Token Ring header.

When filtering for most protocol identifiers on FDDI or Token Ring, tcpdump checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000.

The exceptions are iso, for which it checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header, stp and netbeui, where it checks the DSAP of the LLC header, and atalk, where it checks for a SNAP-format packet with an OUI of 0x080007 and the Appletalk etype.

In the case of Ethernet, tcpdump checks the Ethernet type field for most of those protocols; the exceptions are iso, sap, and netbeui, for which it checks for an 802.3 frame and then checks the LLC header as it does for FDDI and Token Ring, atalk, where it checks both for the Appletalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI and Token Ring, aarp, where it checks for the Appletalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000, and ipx, where it checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3 with no LLC header encapsulation of IPX, and the IPX etype in a SNAP frame.]

decnet src host

True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]

decnet dst host

True if the DECNET destination address is host.

decnet host host

True if either the DECNET source or destination address is host.

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

Abbreviations for:

ether proto p

where p is one of the above protocols.

lat, moprc, mopdl

Abbreviations for:

ether proto p

where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.

vlan [vlan_id]

True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet.

tcp, udp, icmp

Abbreviations for:

ip proto p or ip6 proto p

where p is one of the above protocols.

iso proto protocol

True if the packet is an OSI packet of protocol type protocol. Protocol can be a number or one of the names clnp, esis, or isis.

clnp, esis, isis

Abbreviations for:

iso proto p

where p is one of the above protocols. Note that tcpdump does an incomplete job of parsing these protocols.

expr relop expr

True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

proto [ expr : size ]

Proto is one of ether, fddi, tr, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for the index operation. (ether, fddi, tr, ppp, slip and link all refer to the link layer.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

Primitives may be combined using:

A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).

Negation (`!' or `not').

Concatenation (`&&' or `and').

Alternation (`||' or `or').

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,

not host vs and ace

is short for

not host vs and host ace

which should not be confused with

not ( host vs or ace )

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
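The byte-offset filters in the EXAMPLES above, and the proto[expr:size] accessor rules they rely on (ether[] counted from the frame start, ip[] from the IP header, tcp[] and icmp[] only ever indexing the first fragment), are easiest to understand by evaluating them by hand on known packets. The following is an added example, not code from tcpdump or libpcap: it builds a handful of Ethernet/IPv4 frames inline, implements the accessors and the named values tcp-syn, tcp-fin, icmp-echo and icmp-echoreply, and reports which of the constructed packets each filter from the page selects. The MAC and IP addresses, the port numbers and the "localnet" of 10.0.0.0/24 are assumptions chosen for the demonstration.

```python
"""Evaluate tcpdump-style packet-data filters over constructed frames.

Added example, not tcpdump or libpcap code.  The addresses, ports and the
"localnet" 10.0.0.0/24 below are assumptions for the demonstration.
"""
import ipaddress
import struct

HOST_MAC = bytes.fromhex("0207010001c4")        # unicast: first byte is even
PEER_MAC = bytes.fromhex("0a0b0c0d0e0f")        # unicast, constructed
LOCALNET = ipaddress.ip_network("10.0.0.0/24")  # assumed "localnet"

# Named values the page lists for icmp[icmptype] and tcp[tcpflags]
ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_ECHO = 0, 3, 8
TCP_FIN, TCP_SYN, TCP_RST, TCP_PUSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def frame(dst_mac, src_ip, dst_ip, proto, payload, frag=0, options=b""):
    """Ethernet II header + IPv4 header (plus options, if any) + payload."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0x1234,
                      frag, 64, proto, 0, ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + HOST_MAC + b"\x08\x00" + hdr + payload


def tcp_hdr(sport, dport, flags, seq=0, ack=0, win=4096):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)


def icmp_hdr(itype, code=0):
    return struct.pack("!BBHI", itype, code, 0, 0)


class Packet:
    """proto[off:size] with tcpdump's semantics.  tcp[]/icmp[] index only the
    first fragment of the right protocol; otherwise they give None and any
    primitive built on them is false."""

    def __init__(self, raw: bytes):
        self.raw = raw

    def _field(self, base, off, size):
        return int.from_bytes(self.raw[base + off:base + off + size], "big")

    def ether(self, off, size=1): return self._field(0, off, size)
    def ip(self, off, size=1): return self._field(14, off, size)

    def _transport(self, proto):
        if self.ip(9) != proto or self.ip(6, 2) & 0x1FFF != 0:
            return None
        return 14 + (self.ip(0) & 0xF) * 4

    def tcp(self, off, size=1):
        base = self._transport(6)
        return None if base is None else self._field(base, off, size)

    def icmp(self, off, size=1):
        base = self._transport(1)
        return None if base is None else self._field(base, off, size)

    def src_net(self, net): return ipaddress.ip_address(self.raw[26:30]) in net
    def dst_net(self, net): return ipaddress.ip_address(self.raw[30:34]) in net


# Each key is a filter string from the page; the value evaluates it.
FILTERS = {
    "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet":
        lambda p: (p.tcp(13) or 0) & (TCP_SYN | TCP_FIN) != 0
        and not (p.src_net(LOCALNET) and p.dst_net(LOCALNET)),
    "ip[2:2] > 576": lambda p: p.ip(2, 2) > 576,
    "ether[0] & 1 = 0 and ip[16] >= 224": lambda p: p.ether(0) & 1 == 0 and p.ip(16) >= 224,
    "icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply":
        lambda p: p.icmp(0) not in (None, ICMP_ECHO, ICMP_ECHOREPLY),
    "ip[0] & 0xf != 5": lambda p: p.ip(0) & 0xF != 5,
    "ip[6:2] & 0x1fff = 0": lambda p: p.ip(6, 2) & 0x1FFF == 0,
}

# Constructed sample "capture"; the names are only labels for the output.
SAMPLE = {
    "syn to non-local host": frame(PEER_MAC, "10.0.0.5", "192.0.2.10", 6, tcp_hdr(1023, 513, TCP_SYN)),
    "data inside localnet": frame(PEER_MAC, "10.0.0.5", "10.0.0.9", 6,
                                  tcp_hdr(1023, 513, TCP_PUSH | TCP_ACK) + b"x" * 19),
    "ping request": frame(PEER_MAC, "10.0.0.5", "192.0.2.10", 1, icmp_hdr(ICMP_ECHO)),
    "port unreachable": frame(PEER_MAC, "192.0.2.10", "10.0.0.5", 1, icmp_hdr(ICMP_UNREACH, 3)),
    "ip multicast to unicast mac": frame(HOST_MAC, "10.0.0.5", "224.0.0.1", 17, b"\x00" * 8),
    # a later fragment whose payload happens to look exactly like a TCP SYN header
    "non-first fragment": frame(PEER_MAC, "10.0.0.5", "192.0.2.10", 6, tcp_hdr(1023, 513, TCP_SYN), frag=5),
    "big datagram with options": frame(PEER_MAC, "10.0.0.5", "192.0.2.10", 17, b"\x00" * 600, options=b"\x01" * 4),
}


def matches(filter_text: str, raw: bytes) -> bool:
    return bool(FILTERS[filter_text](Packet(raw)))


def run_examples():
    """Map each filter to the names of the sample packets it selects, in capture order."""
    return {f: [name for name, raw in SAMPLE.items() if matches(f, raw)] for f in FILTERS}


if __name__ == "__main__":
    for text, names in run_examples().items():
        print("%s\n    -> %s" % (text, names))
```

The "non-first fragment" packet is the case the page warns about: its payload starts with bytes identical to a SYN header, yet the SYN/FIN filter does not select it, because tcp[tcpflags] is only defined on fragment zero. A filter written as `ip[33] & 2 != 0` (indexing the transport flags byte through the IP layer, which carries no fragment check) would match it, which is how attackers have historically slipped segments past naive offset-based filters.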

I-FORMAT YE-OUTPUT

Okukhipha kwe- tcpdump kuncike kuncike ekulandeleni. Okulandelayo kunikeza incazelo emfushane nezibonelo eziningi zefomethi.

Izihloko zezinga lokuxhumanisa

Uma inketho ye-'e' 'inikezwa, isihloko sezinga lokuxhumanisa sinyatheliswa. Ku-ethernets, amakheli asemithonjeni nasendaweni, amaprotholothi, kanye nobude bepakethe zinyatheliswa.

Kumanethiwekhi e-FDDI, inketho ye- 'e 'idala i- tcpdump ukuphrinta insimu' yokulawula uhlaka ', amakheli asemithonjeni nasendaweni, kanye nobude bepakethe. (Ipulazi 'lokulawula uhlaka' lilawula ukuhunyushwa kwepakethe lonke. Amaphakethe evamile (afana nalawo aqukethe i-datagrams ye-IP) yi-'yync 'amaphakethe, enexabiso lokuqala phakathi kuka-0 no-7; isibonelo,' async4 '. amaphakethe acatshangwa ukuthi aqukethe iphakethe le-802.2 Logical Link Control (LLC); ikhanda le-LLC liphrintiwe uma kungeyona i-ISO datagram noma iphakethe okuthiwa i-SNAP.

On amanethiwekhi we-Token Ring, inketho ye- 'e 'ibangela i- tcpdump ukuphrinta' ukulawula kokufinyelela 'nezindawo' zokulawula uhlaka, 'amakheli okuvela kumthombo nendawo yokuhlala, kanye nobude bepakethe. Njengamanethiwekhi e-FDDI, amaphakethe acatshangwa ukuthi aqukethe iphakethe le-LLC. Kungakhathaliseki ukuthi inketho ye-'e 'iyacacisiwe noma cha, ulwazi lomzila womsuka luyanyatheliswa kumaphakethe aqhutshwa ngumthombo.

(NB: Incazelo elandelayo ijwayele ukujwayelana ne-SLIP compression algorithm echazwe ku-RFC-1144.)

Ezingxenyeni ze-SLIP, inkomba yokuqondisa (`` I '' yokungena, `O '' ephumayo), uhlobo lwepakethe, nolwazi lokucindezela lushicilelwe. Uhlobo lwepakethe luphrinta kuqala. Lezi zinhlobo ezintathu ziyi- ip , i- utcp , ne- ctcp . Alukho olunye ulwazi lokuxhumanisa olwanyatheliswa amaphakethe we- ip . Kumaphakethe we-TCP, isihlonzi sokuxhumana sinyatheliswa kulandela uhlobo. Uma iphakethe licindezelekile, ikhanda layo elifakiwe liphrintiwe. Amacala akhethekile ashicilelwa njenge * S + n kanye * SA + n , lapho n isamba lapho inombolo yokulandelana (noma inombolo yokulandelana ne-ack) ishintshile. Uma kungesiwo okhethekile, izinguquko zero noma ngaphezulu zinyatheliswa. Ushintsho luboniswa ngu-U (iphoyinti eliphuthumayo), W (iwindi), A (ack), S (inombolo yokulandelana), nami (i-ID yepakethe), ilandelwa i-delta (+ n noma -n), noma inani elisha (= n). Okokugcina, inani lemininingwane ephaketheni kanye nobude bekhanda elicindezelweyo linyatheliswa.

Isibonelo, umugqa olandelayo ubonisa iphakethe le-TCP eliphelelwe yisikhathi, elinesihlonzi sokuxhuma okuphelele; i-ack ishintshe ngo-6, inombolo yokulandelana ngo-49, kanye ne-ID yephakheji ngo-6; kukhona ama-bytes amathathu wedatha kanye nama-bytes angu-6 we-header ocindezelwe:

O ctcp * A + 6 S + 49 I + 6 3 (6)

ARP/RARP Packets

Arp/rarp output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:

arp who-has csam tell rtsg
arp reply csam is-at CSAM

The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case).

This would look less redundant if we had done tcpdump -n:

arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:

RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM

For the first packet this says the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.

TCP Packets

(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)

The general format of a tcp protocol line is:

src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST), or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see the example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is `urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.

Here is the opening portion of an rlogin from host rtsg to host csam.

rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is `first:last(nbytes)', which means `sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

Csam replies with a similar packet except that it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The `.' means no flags were set. The packet contained no data, so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a tcp `conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being `1'). `-S' will override this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it has received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer, since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as ``[bad hdr length]''.

Ukuthatha amaphakethe we-TCP ngehlanganisela ethile yefulege (SYN-ACK, URG-ACK, njll)

Kunezinkinobho ezingu-8 kusigaba sokulawula izingxenye ze-header TCP:

CWR | ECE | URG | I-ACK | I-PSH | RST | SYN | FIN

Ake sicabange ukuthi sifuna ukubukela amaphakethe asetshenziselwa ukusetha uxhumano lwe-TCP. Khumbula ukuthi i-TCP isebenzisa indlela yokubambisana ngezindlela ezintathu lapho iqalisa uxhumano olusha; ukulandelana kokuxhumeka ngokuphathelene nezinkinobho zokulawula i-TCP

1) Umshayeli uthumela i-SYN

2) Umamukeli uphendula nge-SYN, i-ACK

3) Umshayeli uthumela i-ACK

Manje sinesithakazelo ekutholeni amapakethe anesethi kuphela se-SYN esethiwe (Isinyathelo 1). Qaphela ukuthi asifuni amapakethe asuka kwisinyathelo sesi-2 (SYN-ACK), nje i-SYN yokuqala. Lokho esikudingayo kuyinkulumo yokuhlunga efanele ye- tcpdump .

Khumbula isakhiwo senhloko ye-TCP ngaphandle kokukhetha:

0 15 31 ----------------------------------------------- ------------------ | port port | indawo yokufika | | -------------------------------------------------- --------------- | inombolo yokulandelana | -------------------------------------------------- --------------- | inombolo yokuvuma | -------------------------------------------------- --------------- | HL | rs | i | C | E | U | A | P | R | S | F | usayizi wewindi | | -------------------------------------------------- --------------- | I-TCP checksum | i-pointer esiphuthumayo | -------------------------------------------------- ---------------

Umhloli we-TCP uvame ukuphatha ama-octet angama-20 wedatha, ngaphandle kokuthi izinketho zikhona. Umugqa wokuqala wegrafu uqukethe ama-octet 0 - 3, umugqa wesibili ubonisa ama-octet 4 - 7 njll.

Ukuqala ukubala nge-0, izingcingo ezilawulayo ze-TCP ziqukethwe ku-octet 13:

0 7 | 15 | 23 | 31 ---------------- | --------------- | --------------- | ---------------- | HL | rs | i | C | E | U | A | P | R | S | F | usayizi wewindi | | ---------------- | --------------- | --------------- | - --------------- | | | I-octet yesi-13 | | | | |

Ake sihlolisise i-octet no. 13:

| | | | | --------------- | | C | E | U | A | P | R | S | F | | --------------- | | 7 5 3 0 |

Lezi yizinkinobho zokulawula ze-TCP esizifunayo. Sifake ama-bits kule octet ukusuka ku-0 kuya ku-7, kwesokudla kwesobunxele, ngakho-ke i-PSH yinombolo encane ye-3, kanti i-URG bit yinombolo 5.

Khumbula ukuthi sifuna ukufaka amapakethe nge-SYN kuphela. Ake sibone ukuthi kwenzekani ku-octet 13 uma i-datagram ye-TCP ifika ne-SYN bit esethwe kusihlokweni sayo:

| C | E | U | A | P | R | S | F | | --------------- | | 0 0 0 0 0 0 1 0 0 | | --------------- | | 7 6 5 4 3 2 1 0 |

Ukubuka isigaba sokulawula izingxenye sibona ukuthi inombolo yocingo kuphela (i-SYN) isethwe.

Ucabanga ukuthi inombolo ye-octet iyinombolo engu-8-bit engabhalisiwe kwinhlawulo ye-inte yenethiwekhi, inani lebhanti le-octet

00000010

futhi ukumelwa kwayo kwesimangadi

7 6 5 4 3 2 1 0 0 * 2 + 0 * 2 + 0 * 2 + 0 * 2 + 0 * 2 + 0 * 2 + 1 * 2 + 0 * 2 = 2

Sesivele siphelile, ngoba manje siyazi ukuthi uma i-SYN kuphela isethwe, inani le-octet le-13 ku-header TCP, uma lihunyushwa njengenombolo engu-8-bit engabhalwanga kwinamba yenethiwekhi ye-byte, kumele ibe yi-2 ngokuqondile.

Lobudlelwane bungabonakaliswa njengo

tcp [13] == 2

Singasebenzisa le nkulumo njengesihlungi se- tcpdump ukuze ubuke amaphakethe anesethi kuphela ye-SYN:

tcpdump -i xl0 tcp [13] == 2

Le nkulumo ithi "vumela i-octet yesi-13 ye-TCP datagram ibe nenani lamashumi amabili", yilokho esikufunayo.

Manje, ake sicabange ukuthi sidinga ukuthatha amaphakethe we-SYN, kodwa asikhathaleli uma i-ACK noma enye into yokulawula ye-TCP isethwe ngesikhathi esifanayo. Ake sibone ukuthi kwenzekani ku-octet 13 uma i-TCP datagram ne-SYN-ACK isethi ifika:

| C | E | U | A | P | R | S | F | | --------------- | | 0 0 0 1 0 0 1 0 | | --------------- | | 7 6 5 4 3 2 1 0 |

Manje izingqimba 1 no-4 zibekwe ku-octet 13. Inani lebhanana le-octet 13 liyi


00010010

okuhunyushwa kudesimali

7 6 5 4 3 2 1 0 0 * 2 + 0 * 2 + 0 * 2 + 1 * 2 + 0 * 2 + 0 * 2 + 1 * 2 + 0 * 2 = 18

Manje asikwazi ukusebenzisa nje i- 'tcp [13] == 18' enkulumweni yokuhlunga ye- tcpdump , ngoba lokho kungakhetha kuphela amaphakethe anesethi ye-SYN-ACK, kodwa hhayi lawo asetshenziswa kuphela i-SYN. Khumbula ukuthi asikhathaleli uma i-ACK noma enye into yokulawula isethwe uma i-SYN isethiwe.

Ukuze sifinyelele umgomo wethu, sidinga ngokulinganayo Nenani elibambisene le-octet 13 elinamanye amanani ukulondoloza i-SYN bit. Siyazi ukuthi sifuna i-SYN ukuba isethwe kunoma yikuphi, ngakho-ke sizobe senzekile futhi kube nenani ku-octet le-13 elinenani elibambisene le-SYN:

00010010 SYN-ACK 00000010 SYN NO 00000010 (sifuna SYN) NO 00000010 (sifuna SYN) -------- -------- = 00000010 = 00000010

Sibona ukuthi lokhu nokusebenza kuhlinzeka umphumela ofanayo kungakhathaliseki ukuthi i-ACK noma enye into yokulawula ye-TCP isethiwe. Isiphakamiso sesimangadi se-AND AND value kanye nomphumela walo msebenzi ngu-2 (kanambambili 00000010), ngakho-ke siyazi ukuthi ngamaphakethe nge-SYN abeka ubuhlobo obulandelayo kufanele abambe iqiniso:

((inani le-octet 13) NO (2)) == (2)

Lokhu kusitshela ekukhulumeni kwesihlungi se- tcpdump

tcpdump -i xl0 'tcp [13] & 2 == 2'

Qaphela ukuthi kufanele usebenzise izingcaphuno ezilodwa noma ukuhlehliswa emuva kwegama ukufihla uhlamvu lwe-AND ('&') olukhethekile kusuka kugobolondo.
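As an added example (not part of the tcpdump manual), the following Python reproduces the octet-13 arithmetic above on constructed TCP headers and evaluates both filters; it also generalises the derivation to any required bit combination, such as the URG-ACK case named in the heading. The constants, the header builder and the mask_filter helper are this example's own, not tcpdump's.

```python
import struct

# TCP control bits as they sit in octet 13 of the header, bit 7 down to bit 0.
# (Constants and helpers here are this example's own, not tcpdump's.)
CWR, ECE, URG, ACK, PSH, RST, SYN, FIN = (
    1 << 7, 1 << 6, 1 << 5, 1 << 4, 1 << 3, 1 << 2, 1 << 1, 1 << 0)


def build_tcp_header(sport, dport, seq, ack, flags, window=4096):
    """Construct a 20-octet, option-less TCP header in network byte order.
    Octet 12 carries the header length (5 words) in its high nibble and the
    reserved bits; octet 13 carries the eight control bits."""
    data_offset = 5 << 4
    return struct.pack('!HHIIBBHHH', sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp13(header):
    """What the filter language calls tcp[13]: octet 13 as an unsigned 8-bit
    integer. Returns None when the capture is too short to hold it, which is
    the case tcpdump reports as [|tcp]."""
    return header[13] if len(header) > 13 else None


def only_syn(header):
    """Equivalent of the filter 'tcp[13] == 2': SYN set and nothing else."""
    return tcp13(header) == 2


def syn_set(header):
    """Equivalent of the filter 'tcp[13] & 2 == 2'. pcap parses that as
    (tcp[13] & 2) == 2; in Python '&' binds looser than '==', so the
    parentheses are mandatory here."""
    value = tcp13(header)
    return value is not None and (value & 2) == 2


def mask_filter(required):
    """Generalise the derivation: a predicate that is true when every bit of
    `required` is set in octet 13, plus the equivalent tcpdump expression.
    mask_filter(URG | ACK) gives 'tcp[13] & 48 == 48' for URG-ACK packets."""
    expr = 'tcp[13] & %d == %d' % (required, required)

    def predicate(header):
        value = tcp13(header)
        return value is not None and (value & required) == required
    return predicate, expr


# Constructed three-way handshake, using the ports and sequence numbers from
# the rlogin example in this manual (the data segments are not needed here).
HANDSHAKE = {
    'syn':     build_tcp_header(1023, 513, 768512, 0, SYN),
    'syn-ack': build_tcp_header(513, 1023, 947648, 768513, SYN | ACK),
    'ack':     build_tcp_header(1023, 513, 768513, 947649, ACK),
}

if __name__ == '__main__':
    for name, hdr in HANDSHAKE.items():
        print('%-7s tcp[13]=%3d  tcp[13]==2: %-5s  tcp[13]&2==2: %s'
              % (name, tcp13(hdr), only_syn(hdr), syn_set(hdr)))
```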

UDP Packets

UDP format is illustrated by this rwho packet:

actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher level protocol information is printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.

UDP Name Server Requests

(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in Greek.)

Name server requests are formatted as

src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was `3'. The `+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the `3' and the `+'. Similarly, the qclass was the normal one, C_IN, and was omitted. Any other qclass would have been printed immediately after the `A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: If a query contains an answer, authority records or additional records section, ancount, nscount, or arcount are printed as `[na]', `[nn]' or `[nau]', where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the `must be zero' bits are set in bytes two and three, `[b2&3=x]' is printed, where x is the hex value of header bytes two and three.

UDP Name Server Responses

Name server responses are formatted as

src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is type A (address) and its data is the internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain) with no answers, one name server and no authority records. The `*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that might appear are `-' (recursion available, RA, not set) and `|' (truncated message, TC, set). If the `question' section doesn't contain exactly one entry, `[nq]' is printed.

Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. `-s 128' has worked well for me.
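The request and response notation described above, as an added example that is not part of the tcpdump manual: a Python renderer that builds constructed DNS messages modelled on the h2opolo/helios exchange and prints them in that notation. It is a simplified re-implementation rather than tcpdump's own printer: only the question and the first answer record are decoded, and the ordering of the bracketed anomaly fields is this example's own.

```python
import struct

# Added example: a simplified renderer for the notation the manual describes.
# Not tcpdump's printer; sample messages are constructed, modelled on the
# h2opolo <-> helios exchange shown above.
QTYPE_NAMES = {1: 'A', 2: 'NS', 5: 'CNAME', 12: 'PTR', 15: 'MX', 28: 'AAAA'}
RCODE_NAMES = {0: 'NoError', 1: 'FormErr', 2: 'ServFail', 3: 'NXDomain',
               4: 'NotImp', 5: 'Refused'}
# Header bits that must be clear in a well-formed query: AA, RA, Z and rcode.
QUERY_MUST_BE_ZERO = 0x0400 | 0x0080 | 0x0070 | 0x000F


def read_name(msg, off):
    """Return (dotted name, offset just past it), following RFC 1035
    compression pointers so that answer records can be walked."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode('ascii'))
        off += n
    return '.'.join(labels) + '.', (end if end is not None else off)


def encode_name(name):
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in name.rstrip('.').split('.')) + b'\x00'


def build_query(ident, name, qtype=1, flags=0x0100):
    """One-question query; the default flags set only RD (the '+' flag)."""
    return (struct.pack('!HHHHHH', ident, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack('!HH', qtype, 1))


def build_a_response(query, addr, ttl=3600):
    """Authoritative, recursion-available answer with one A record whose
    owner name is a compression pointer back to the question (offset 12)."""
    ident = struct.unpack('!H', query[:2])[0]
    header = struct.pack('!HHHHHH', ident, 0x8580, 1, 1, 0, 0)
    rr = (b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4)
          + bytes(int(o) for o in addr.split('.')))
    return header + query[12:] + rr


def format_dns(src, dst, msg):
    """Render 'src > dst: id op flags qtype name (len)' for a request or
    'src > dst: id rcode flags a/n/au type class data (len)' for a response.
    Only the first answer record is decoded, and only A rdata is shown."""
    ident, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    qr, opcode, rcode = flags >> 15, (flags >> 11) & 0xF, flags & 0xF
    aa, tc, rd, ra = ((flags >> 10) & 1, (flags >> 9) & 1,
                      (flags >> 8) & 1, (flags >> 7) & 1)
    out = '%s > %s: %d' % (src, dst, ident)
    if opcode != 0:                                # Query (0) is omitted
        out += ' op%d' % opcode
    if qr == 0:                                    # ---- request ----
        if rd:
            out += '+'
        for count, tag in ((an, 'a'), (ns, 'n'), (ar, 'au')):
            if count:                              # sections a query should not carry
                out += '[%d%s]' % (count, tag)
        if flags & QUERY_MUST_BE_ZERO:             # response bits set in a query
            out += '[b2&3=0x%x]' % flags
        name, off = read_name(msg, 12)
        qtype, qclass = struct.unpack('!HH', msg[off:off + 4])
        out += ' %s%s? %s' % (QTYPE_NAMES.get(qtype, str(qtype)),
                              '' if qclass == 1 else ' %d' % qclass, name)
    else:                                          # ---- response ----
        if rcode:                                  # NoError is omitted
            out += ' ' + RCODE_NAMES.get(rcode, str(rcode))
        out += ('*' if aa else '') + ('' if ra else '-') + ('|' if tc else '')
        if qd != 1:
            out += '[%dq]' % qd
        out += ' %d/%d/%d' % (an, ns, ar)
        off = 12
        for _ in range(qd):                        # step over the question section
            off = read_name(msg, off)[1] + 4
        if an:
            off = read_name(msg, off)[1]
            rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            out += ' ' + QTYPE_NAMES.get(rtype, str(rtype))
            if rclass != 1:                        # C_IN is omitted
                out += ' %d' % rclass
            if rtype == 1 and rdlen == 4:
                out += ' ' + '.'.join(str(b) for b in rdata)
    return out + ' (%d)' % len(msg)
```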

SMB/CIFS decoding

tcpdump now includes fairly extensive SMB/CIFS/NBT decoding for data on UDP/137, UDP/138 and TCP/139. Some primitive decoding of IPX and NetBEUI SMB data is also done.

By default a fairly minimal decode is done, with a much more detailed decode done if -v is used. Be warned that with -v a single SMB packet may take up a page or more, so only use -v if you really want all the gory details.

If you are decoding SMB sessions containing unicode strings then you may wish to set the environment variable USE_UNICODE to 1. A patch to auto-detect unicode strings would be welcome.

For information on SMB packet formats and what all the fields mean see www.cifs.org or the pub/samba/specs/ directory on your favourite samba.org mirror site. The SMB patches were written by Andrew Tridgell (tridge@samba.org).

NFS Requests and Replies

Sun NFS (Network File System) requests and replies are printed as:

src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the src host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies `ok' with the contents of the link.

In the third line, sushi asks wrl to look up the name `xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self explanatory if read in conjunction with an NFS protocol spec.

If the -v (verbose) flag is given, additional information is printed. For example:

sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v also prints the IP header TTL, ID, length, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576. Wrl replies `ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v flag is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type (``REG'', for regular file), the file mode (in octal), the uid and gid, and the file size.

If the -v flag is given more than once, even more details are printed.

Note that NFS requests are very large and much of the detail won't be printed unless snaplen is increased. Try using `-s 192' to watch NFS traffic.

NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of ``recent'' requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable.

AFS Requests and Replies

Transarc AFS (Andrew File System) requests and replies are printed as:

src.sport > dst.dport: rx packet-type
src.sport > dst.dport: rx packet-type service call call-name args
src.sport > dst.dport: rx packet-type service reply call-name args
elvis.7001 > pike.afsfs: rx data fs call rename old fid 536876964/1/1 ".newsrc.new" new fid 536876964/1/1 ".newsrc"
pike.afsfs > elvis.7001: rx data fs reply rename

In the first line, host elvis sends an RX packet to pike. This was an RX data packet to the fs (fileserver) service, and is the start of an RPC call. The RPC call was a rename, with the old directory file id of 536876964/1/1 and an old filename of `.newsrc.new', and a new directory file id of 536876964/1/1 and a new filename of `.newsrc'. The host pike responds with an RPC reply to the rename call (which was successful, because it was a data packet and not an abort packet).

In general, all AFS RPCs are decoded at least by RPC call name. Most AFS RPCs have at least some of the arguments decoded (generally only the `interesting' arguments, for some definition of interesting).

The format is intended to be self-describing, but it will probably not be useful to people who are not familiar with the workings of AFS and RX.

If the -v (verbose) flag is given twice, acknowledgement packets and additional header information are printed, such as the RX call ID, call number, sequence number, serial number, and the RX packet flags.

If the -v flag is given twice, additional information is printed, such as the RX call ID, serial number, and the RX packet flags. MTU negotiation information is also printed from RX ack packets.

If the -v flag is given three times, the security index and service id are printed.

Error codes are printed for abort packets, with the exception of Ubik beacon packets (because abort packets are used to signify a yes vote for the Ubik protocol).

Note that AFS requests are very large and many of the arguments won't be printed unless snaplen is increased. Try using `-s 256' to watch AFS traffic.

AFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of ``recent'' requests, and matches them to the replies using the call number and service ID. If a reply does not closely follow the corresponding request, it might not be parsable.

KIP Appletalk (DDP in UDP)

Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form

number    name
1.254     ether
16.1      icsd-net
1.254.110 ace

The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the 3rd octet in the number: a net number must have two octets and a host number must have three octets.) The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a `#').

Appletalk addresses are printed in the form:

net.host.port
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2

(If /etc/atalk.names doesn't exist or doesn't contain an entry for some appletalk host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to whatever is listening on port 220 of net icsd node 112. The second line is the same except the full name of the source node is known (`office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with no host number; for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names).

NBP (name binding protocol) and ATP (Appletalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the protocol) and the packet size.

NBP packets are formatted like the following examples:

icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

The first line is a name lookup request for laserwriters sent by net icsd host 112 and broadcast on net jssmag. The nbp id for the lookup is 190. The second line shows a reply for this request (note that it has the same id) from host jssmag.209 saying that it has a laserwriter resource named "RM1140" registered on port 250. The third line is another reply to the same request saying host techpit has laserwriter "techpit" registered on port 186.

ATP packet formatting is demonstrated by the following example:

jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

Jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the `<0-7>'). The hex number at the end of the line is the value of the `userdata' field in the request.

Helios responds with 8 512-byte packets. The `:digit' following the transaction id gives the packet sequence number in the transaction and the number in parens is the amount of data in the packet, excluding the atp header. The `*' on packet 7 indicates that the EOM bit was set.

Jssmag.209 then requests that packets 3 & 5 be retransmitted. Helios resends them, then jssmag.209 releases the transaction. Finally, jssmag.209 initiates the next request. The `*' on the request indicates that XO (`exactly once') was not set.

IP Fragmentation

Fragmented Internet datagrams are printed as

(frag id:size@offset+)
(frag id:size@offset)

(The first form indicates there are more fragments. The second indicates this is the last fragment.)

Id is the fragment id. Size is the fragment size (in bytes) excluding the IP header. Offset is this fragment's offset (in bytes) in the original datagram.

The fragment information is output for each fragment. The first fragment contains the higher level protocol header and the frag info is printed after the protocol info. Fragments after the first contain no higher level protocol header and the frag info is printed after the source and destination addresses. For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa over a CSNET connection that doesn't appear to handle 576 byte datagrams:

arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

There are a couple of things to note here: First, addresses in the 2nd line don't include port numbers. This is because the TCP protocol information is all in the first fragment and we have no idea what the port or sequence numbers are when we print the later fragments. Second, the tcp sequence information in the first line is printed as if there were 308 bytes of user data when, in fact, there are 512 bytes (308 in the first frag and 204 in the second). If you are looking for holes in the sequence space or trying to match up acks with packets, this can fool you.

A packet with the IP don't fragment flag is marked with a trailing (DF).
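An added example, not part of the tcpdump manual: Python that reads tcpdump lines like the ones above, groups the (frag id:size@offset+) fields by fragment id, checks that the fragment set is complete, and corrects the first fragment's data-seqno range so that it covers the user data of all fragments, which is the discrepancy the text describes. The line layout assumed is exactly the one shown above; the sample lines are copied from that example.

```python
import re

# Added example, not part of the tcpdump manual. The field layouts assumed
# here are the ones shown in the text: 'first:last(nbytes)' on the TCP line
# and '(frag id:size@offset+)' on every fragment line.
FRAG_RE = re.compile(r'\(frag ([0-9a-f]+):(\d+)@(\d+)(\+?)\)')
SEQ_RE = re.compile(r'(\d+):(\d+)\((\d+)\)')
ACK_RE = re.compile(r'\back (\d+)\b')

# Constructed input: the arizona -> rtsg ftp lines from the example above.
LINES = [
    'arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)',
    'arizona > rtsg: (frag 595a:204@328)',
    'rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560',
]


def collect_fragments(lines):
    """Group every fragment as (offset, size, more_follows, line) by id.
    Lines without a frag field (unfragmented packets, DF packets) are skipped."""
    groups = {}
    for line in lines:
        m = FRAG_RE.search(line)
        if m:
            groups.setdefault(m.group(1), []).append(
                (int(m.group(3)), int(m.group(2)), m.group(4) == '+', line))
    return groups


def reassembly_status(pieces):
    """Return (bytes seen, complete). Complete means the offsets are
    contiguous from 0 and the last piece carries no '+'. A missing fragment
    shows up as a hole and the set is reported incomplete."""
    expected = total = 0
    last_more = True
    for offset, size, more, _ in sorted(pieces):
        if offset != expected:
            return total, False
        expected += size
        total += size
        last_more = more
    return total, bool(pieces) and not last_more


def corrected_seqno(pieces):
    """Rewrite the first fragment's 'first:last(n)' so that n covers the user
    data of all fragments: the advertised n (first fragment only) plus the
    sizes of the later fragments, which carry no TCP header of their own."""
    line = min(pieces)[3]                      # the offset-0 fragment's line
    m = SEQ_RE.search(line)
    if m is None:
        return line
    first, advertised = int(m.group(1)), int(m.group(3))
    later = sum(size for offset, size, _, _ in pieces if offset != 0)
    n = advertised + later
    return line[:m.start()] + '%d:%d(%d)' % (first, first + n, n) + line[m.end():]


def acked_end(line):
    """The ack number on a tcp line, or None; the peer's ack should line up
    with the corrected 'last' once all fragments are accounted for."""
    m = ACK_RE.search(line)
    return int(m.group(1)) if m else None


if __name__ == '__main__':
    for fid, pieces in collect_fragments(LINES).items():
        print(fid, reassembly_status(pieces))
        print(corrected_seqno(pieces))
```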

Timestamps

By default, all output lines are preceded by a timestamp. The timestamp is the current clock time in the form

hh:mm:ss.frac

and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet. No attempt is made to account for the time lag between when the ethernet interface removed the packet from the wire and when the kernel serviced the `new packet' interrupt.

SEE ALSO

traffic(1C), nit(4P), bpf(4), pcap(3)

Important: Use the man command (% man) to see how a command is used on your particular computer.