Brief introduction

tcpdump, literally "dump the traffic on a network", is a packet-analysis tool that captures the packets flowing over a network interface according to a filter you supply. It can capture packet headers in full and hand them over for analysis. Filters can select traffic by network layer, protocol, host, network or port, and the logical operators and, or and not let you discard the traffic you do not care about. Note that tcpdump only copies packets off the wire, it never blocks them, and it needs root (or equivalent capabilities) to put an interface into promiscuous mode.

Examples of practical commands

Default startup

tcpdump

Started with no arguments, tcpdump listens on the lowest-numbered configured, non-loopback interface it finds and prints every packet that passes through it.

Monitor a specific network interface

tcpdump -i eth1

If you do not name an interface, tcpdump uses the first one it finds, traditionally eth0; on Linux, -i any captures on all interfaces at once, and tcpdump -D lists the interfaces it can see. Most of the examples below omit the interface.

Monitor packets for a specific host

Print every packet arriving at or leaving the host sundown:

tcpdump host sundown

You can also give an IP address; the following captures every packet sent or received by 210.27.48.1:

tcpdump host 210.27.48.1

Print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

Capture traffic between 210.27.48.1 and either 210.27.48.2 or 210.27.48.3 (the parentheses are escaped with backslashes so that the shell passes them through to tcpdump):

tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print IP packets between ace and any host other than helios:

tcpdump ip host ace and not helios

To capture IP packets between 210.27.48.1 and every host except 210.27.48.2 (the expression is quoted because ! is special to most shells; not is equivalent):

tcpdump 'ip host 210.27.48.1 and ! 210.27.48.2'

Capture everything sent by host hostname:

tcpdump -i eth0 src host hostname

Capture everything destined for host hostname:

tcpdump -i eth0 dst host hostname

Monitor packets for a specific host and port

To capture the telnet traffic that 210.27.48.1 sends or receives:

tcpdump tcp port 23 and host 210.27.48.1

Watch UDP port 123 on the local machine (123 is the NTP service port):

tcpdump udp port 123

Monitor packets for a specific network

Print all traffic between local hosts and hosts at Berkeley (ucb-ether is the name of the Berkeley network; any network name resolvable through /etc/networks, or a CIDR prefix such as 128.32.0.0/16, works here):

tcpdump net ucb-ether

Print all FTP traffic through the Internet gateway snup (the expression is quoted to stop the shell from interpreting the parentheses; the gateway primitive requires snup to resolve to both an IP address and an Ethernet address, e.g. via /etc/ethers):

tcpdump 'gateway snup and (port ftp or ftp-data)'

Print all IP packets that are neither from nor to a local host (if your local network reaches the rest of the world through a single gateway, such packets should never appear on it; replace localnet with the name or CIDR prefix of your own network):

tcpdump ip and not net localnet

Monitor packets for a specific protocol

Print the start and end packets (the SYN and FIN segments) of every TCP conversation that involves a host outside the local network (again, replace localnet with your own network):

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

Print all IPv4 HTTP packets to or from port 80 that actually carry data, i.e. not the SYN and FIN segments and not ACK-only segments (the IPv6 version is left as an exercise):

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

How this works: ip[2:2] is the 16-bit Total Length field of the IPv4 header, the length of the whole datagram. ip[0]&0xf is the IHL field, the header length in 32-bit words; shifting it left by 2 multiplies by 4 and yields the header length in bytes. tcp[12]&0xf0 is the TCP Data Offset field, also in 32-bit words but stored in the high nibble of byte 12; ((tcp[12]&0xf0)>>4)<<2 converts it to bytes, which simplifies to (tcp[12]&0xf0)>>2. Total length minus IP header length minus TCP header length is therefore the number of TCP payload bytes, and the filter keeps packets for which that number is non-zero. Note that tcp[n] is indexed from the start of the TCP header (libpcap locates it through the IHL field), so these offsets stay correct when the IP header carries options. For IPv6 there is no IHL, since the base header is a fixed 40 bytes; instead ip6[4:2] is the Payload Length, so the payload size is ip6[4:2] minus the TCP header length, assuming no extension headers sit between the IPv6 header and TCP.

Print IP packets longer than 576 bytes that pass through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

Print IP broadcast or multicast packets that were not sent as Ethernet broadcast or multicast (ether[0] & 1 is the group bit of the destination MAC address; ip[16] is the first byte of the destination IP address, and values of 224 and above are multicast or broadcast):

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

Print all ICMP packets that are not echo requests or echo replies, i.e. everything that is not generated by ping:

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

tcpdump and Wireshark

Wireshark (formerly Ethereal) is a very convenient graphical packet analyzer. The Linux server you are troubleshooting usually has no desktop, so a common and effective workflow is to capture with tcpdump on the server and then analyze the saved file in Wireshark on a workstation, whether that runs Windows, macOS or Linux.

tcpdump -i eth1 -t -s 0 -c 100 -w ./target.cap 'tcp and not dst port 22 and src net 192.168.1.0/24'

(1) tcp, and likewise ip, icmp, arp, rarp and udp, are protocol qualifiers that belong in the filter expression, which must come after all of the options; putting the whole expression in single quotes keeps the shell from touching it.
(2) -i eth1: capture only on interface eth1.
(3) -t: do not print timestamps.
(4) -s 0: set the snapshot length so that whole packets are captured. Old versions of tcpdump captured only the first 68 bytes of each packet by default (96 on some builds), which truncates most payloads; since tcpdump 4.0 the default is 262144 bytes, so -s 0 is usually redundant but harmless. Note the lowercase s: -S means something else (print absolute TCP sequence numbers).
(5) -c 100: stop after 100 packets.
(6) not dst port 22: ignore packets whose destination port is 22, which keeps your own SSH session out of the capture. The original command wrote this as dst port ! 22; the form above is the one documented in pcap-filter(7).
(7) src net 192.168.1.0/24: only packets whose source address is in 192.168.1.0/24.
(8) -w ./target.cap: write the raw packets to a pcap file instead of printing them. Wireshark opens it directly (the .pcap extension is the conventional one), and tcpdump -r ./target.cap reads it back.

Use tcpdump to capture HTTP packets

tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854'

0x4745 is "GE", the first two letters of "GET", and 0x4854 is "HT", the first two letters of "HTTP", so the filter matches client requests that begin with GET and server responses that begin with HTTP. The options are -X (dump each packet in hex and ASCII), -vv (very verbose decoding), -e (print the link-layer header), -nn (do not resolve host or port names), -S (print absolute TCP sequence numbers) and -s 0 (capture whole packets). One caveat: the payload starts 20 bytes into the TCP header only when the segment carries no TCP options, so tcp[20:2] silently misses requests on connections that negotiated timestamps or SACK. The robust form indexes from the true end of the header: tcp[((tcp[12]&0xf0)>>2):2].

tcpdump decodes protocol headers but prints most application data raw, as hex, which is not a convenient way to diagnose a network fault. The usual approach is to capture with -w to a file and then decode the file with another program such as Wireshark. Always pair -w with a filter expression so that the capture cannot fill the disk, and for long-running captures rotate the output with -C (file size) or -G (seconds) together with -W (number of files to keep).
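To make the offset arithmetic concrete, here is an added example of my own (it is not part of the original page or of tcpdump) that builds a few IPv4/TCP packets with and without TCP options, evaluates the payload-length filter and both HTTP filters on them in Python, and can write them to a LINKTYPE_RAW pcap file so you can replay the same expressions with tcpdump -r. The addresses, ports and payloads are constructed placeholders, and checksums are left as zero because none of these filters inspects them.

```python
"""Added example: the byte-offset arithmetic behind the tcpdump filters
'ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2) != 0' and
'tcp[20:2] = 0x4745', evaluated in Python on constructed IPv4/TCP packets.
Not part of tcpdump; addresses, ports and payloads are placeholders."""
import struct

LINKTYPE_RAW = 101  # pcap link type for packets that start at the IP header

def build_ipv4_tcp(payload: bytes, tcp_options: bytes = b"", flags: int = 0x18) -> bytes:
    """Construct IPv4 header + TCP header (+options) + payload. Checksums are
    left as zero: the filters shown on the page never inspect them."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    tcp_hdr_len = 20 + len(tcp_options)
    # Data Offset (in 32-bit words) lives in the top 4 bits of the 16-bit
    # word at TCP offset 12; the low 9 bits are the control flags.
    doff_flags = ((tcp_hdr_len // 4) << 12) | (flags & 0x1FF)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, doff_flags, 4096, 0, 0) + tcp_options
    total_len = 20 + tcp_hdr_len + len(payload)
    # 0x45 = version 4, IHL 5 (20-byte header, no IP options); protocol 6 = TCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload

# The accessors below mirror the pcap-filter index expressions literally.
def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) << 2                        # (ip[0]&0xf)<<2

def ip_total_len(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0]            # ip[2:2]

def tcp_byte(pkt: bytes, offset: int, size: int = 1) -> int:
    """tcp[offset:size]: tcp[] is indexed from the start of the TCP header,
    which libpcap locates via the IHL field, so IP options do not break it."""
    start = ip_header_len(pkt) + offset
    return int.from_bytes(pkt[start:start + size], "big")

def tcp_header_len(pkt: bytes) -> int:
    return (tcp_byte(pkt, 12) & 0xF0) >> 2              # (tcp[12]&0xf0)>>2

def tcp_payload_len(pkt: bytes) -> int:
    return ip_total_len(pkt) - ip_header_len(pkt) - tcp_header_len(pkt)

def has_tcp_payload(pkt: bytes) -> bool:
    """The page's 'port 80 with data' filter: payload length != 0."""
    return tcp_payload_len(pkt) != 0

HTTP_PREFIXES = (0x4745, 0x4854)  # "GE" of GET, "HT" of HTTP

def http_fixed_offset(pkt: bytes) -> bool:
    """tcp[20:2] = 0x4745 or tcp[20:2] = 0x4854 (assumes a 20-byte TCP header)."""
    return tcp_byte(pkt, 20, 2) in HTTP_PREFIXES

def http_offset_aware(pkt: bytes) -> bool:
    """tcp[((tcp[12]&0xf0)>>2):2]: the first two payload bytes wherever the
    header actually ends."""
    return tcp_byte(pkt, tcp_header_len(pkt), 2) in HTTP_PREFIXES

def write_pcap(path: str, packets: list) -> None:
    """Write a classic pcap file so the same filters can be replayed with
    'tcpdump -r path <expression>'."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        for i, pkt in enumerate(packets):
            # per-packet header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", i, 0, len(pkt), len(pkt)))
            f.write(pkt)

# Constructed sample traffic (placeholders, not captured data).
MSS_OPTION = b"\x02\x04\x05\xb4"                        # kind 2, len 4, MSS 1460
TIMESTAMP_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8    # NOP, NOP, kind 8, len 10, two zero timestamps
SAMPLES = {
    "syn":       build_ipv4_tcp(b"", MSS_OPTION, flags=0x02),
    "ack_only":  build_ipv4_tcp(b"", flags=0x10),
    "get_plain": build_ipv4_tcp(b"GET / HTTP/1.1\r\n"),
    "get_ts":    build_ipv4_tcp(b"GET / HTTP/1.1\r\n", TIMESTAMP_OPTION),
    "response":  build_ipv4_tcp(b"HTTP/1.1 200 OK\r\n", TIMESTAMP_OPTION),
}

def evaluate(samples: dict) -> dict:
    """Run every filter over every sample: {name: (payload_len, has_data, fixed, aware)}."""
    return {name: (tcp_payload_len(p), has_tcp_payload(p), http_fixed_offset(p), http_offset_aware(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:10s} payload={result[0]:3d} data={result[1]!s:5s} "
              f"tcp[20:2]={result[2]!s:5s} offset-aware={result[3]!s}")
    write_pcap("filter-demo.pcap", list(SAMPLES.values()))
```

Running the script shows that the GET carried on a connection with timestamp options is missed by tcp[20:2] but matched by the offset-aware form; running tcpdump -r filter-demo.pcap with each expression reproduces the same split.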

Meaning of the output

First, note the general shape of a tcpdump line: a timestamp, then source host.port > destination host.port, then fields that depend on the protocol being decoded.

The rest of the output format is protocol-specific. The following describes the most common formats, with examples.

Link-layer headers

On FDDI networks, the -e option makes tcpdump print the 'frame control' field, the source and destination addresses, and the packet length. (The frame control field governs how the rest of the packet is interpreted.) Normal packets, such as those carrying IP datagrams, are 'async' packets with a priority value between 0 and 7; for example, 'async4' means an asynchronous packet with priority 4. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet, and the LLC header is printed if the packet is not an ISO datagram or a so-called SNAP packet.

On Token Ring networks, -e makes tcpdump print the 'access control' and 'frame control' fields, the source and destination addresses, and the packet length. As on FDDI, packets are assumed to contain an LLC packet. Whether or not -e is given, the source-routing information is printed for source-routed packets (packets whose path across bridged rings was chosen by the sender and recorded in the header).

On 802.11 networks (wireless LANs), -e makes tcpdump print the 'frame control' fields, all of the addresses in the 802.11 header, and the packet length. As on FDDI, packets are assumed to contain an LLC packet.

(Note: the following description assumes familiarity with the SLIP compression algorithm described in RFC 1144; SLIP is the Serial Line Internet Protocol.)

On SLIP links (point-to-point connections over a serial line), a direction indicator ("I" for inbound, "O" for outbound), the packet type and compression information are printed. The packet type is printed first. The three types are ip, utcp (uncompressed TCP) and ctcp (compressed TCP). No further link information is printed for ip packets. For TCP packets, the connection identifier is printed after the type. If the packet is compressed, its encoded header is printed: the special cases are printed as *S+n and *SA+n, where n is the amount by which the sequence number (or the sequence number and the ack) has changed. If it is not a special case, zero or more changes are printed. Each change is written as a flag letter followed by a delta (+n or -n) or a new value (=n), the flag letters being U (urgent pointer), W (window), A (ack), S (sequence number) and I (packet ID). Finally, the amount of data in the packet and the compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet with an implicit connection identifier; the ack has changed by 6, the sequence number by 49 and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:
O ctcp * A+6 S+49 I+6 3 (6)

ARP/RARP packets

tcpdump's output for ARP/RARP packets shows the type of request and its arguments; the format is simple and clear. Here is the start of an rlogin from host rtsg to host csam:
arp who-has csam tell rtsg
arp reply csam is-at CSAM
The first line says that rtsg sent an ARP packet (broadcast to the whole segment) asking for the Ethernet address of Internet host csam. Csam replies with its own Ethernet address (in this example Ethernet addresses are shown in capitals and Internet addresses, i.e. IP addresses, in lower case).

With tcpdump -n you see the Ethernet and IP addresses instead of names:
arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

With tcpdump -e you can see clearly that the first packet is broadcast and the second is point-to-point:
RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM
For the first packet this says that the Ethernet source address is RTSG, the destination is the Ethernet broadcast address, the type field contained hex 0806 (ETHER_ARP, the EtherType of ARP) and the total length was 64 bytes.

TCP packets

(Note: the following assumes familiarity with TCP as described in RFC 793. If you lack it, neither this description nor tcpdump's output will make much sense; read on anyway and come back to the unfamiliar parts later.)

tcpdump prints TCP segments in the general form:
src > dst: flags data-seqno ack window urgent options

src and dst are the source and destination IP addresses and ports. flags is some combination of S (SYN), F (FIN), P (PUSH), R (RST), W (ECN CWR, the congestion-window-reduced flag) and E (ECN-Echo), or a single '.' if none of those flags is set (ACK gets no letter; it is implied by the presence of an ack field). data-seqno describes the portion of sequence space covered by the data in this segment (see the example below). ack is the sequence number of the next byte expected in the other direction of this connection. window is the number of bytes of receive buffer space available on this side, which bounds how much the peer may send. urg indicates that there is urgent data in the segment. options are TCP options, enclosed in angle brackets (such as <mss 1024>).

src, dst and flags are always present; the remaining fields appear only when the header carries them.

Here is the opening portion of an rlogin from host rtsg to host csam:
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
The first line says that TCP port 1023 on rtsg sent a segment to port login on csam (note that the UDP and TCP port spaces are separate even though they cover the same numeric range). The S indicates that the SYN flag was set. The sequence number of the segment was 768512 and it contained no data. (The notation is 'first:last(nbytes)', meaning 'sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the advertised receive window was 4096 bytes, and there was a max-segment-size option requesting an MSS of 1024 bytes.

Csam replies with a similar segment, except that it includes a piggy-backed ack for rtsg's SYN.

Rtsg then acks csam's SYN. The '.' means that no flags other than ACK were set. The segment carries no data, so there is no data sequence number. Note that the ack number is the small integer 1. The explanation: the first time tcpdump sees a TCP conversation it prints the sequence number from the packet, and on subsequent packets of that conversation it prints the difference between the current sequence number and that initial one. Sequence numbers after the first can therefore be read as relative byte positions in the conversation's data stream, with the first data byte in each direction being 1. -S disables this and prints the original sequence numbers.

On the sixth line, rtsg sends csam 19 bytes of data (bytes 2 through 20 of the rtsg-to-csam direction) with the PUSH flag set. On the seventh line, csam says it has received the data sent by rtsg up to but not including byte 21. Most of that data is evidently still sitting in csam's socket receive buffer, because csam's receive window has shrunk by 19 bytes (compare the win values on lines 5 and 7). In the same segment csam also sends one byte of data to rtsg. On the eighth and ninth lines, csam sends two bytes of urgent, pushed data to rtsg, one byte per segment.
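As an added example (mine, not part of the page or of tcpdump), here is a small Python parser for the legacy 'src.port > dst.port: flags first:last(nbytes) ack n win n urg n <options>' lines shown above. It converts the relative sequence and ack numbers back to absolute ones using the SYN and SYN-ACK lines, which is what you would otherwise need -S for, and it shows the 19-byte window shrink and the 20 bytes csam has acknowledged. The session lines are the ones printed above; current tcpdump prints 'Flags [S]' and 'seq'/'ack' keywords instead, so the regular expression would need adapting for modern output.

```python
"""Added example: parse the legacy tcpdump TCP line format shown on this page and
turn its relative sequence/ack numbers back into absolute ones. Not part of
tcpdump; the session below is the rlogin excerpt printed above."""
import re

# src.port > dst.port: flags [first:last(nbytes)] [ack n] [win n] [urg n] [<options>]
LINE_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s]+): "
    r"(?P<flags>[SFPRWE.]+)"
    r"(?: (?P<first>\d+):(?P<last>\d+)\((?P<nbytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
    r"(?: urg (?P<urg>\d+))?"
    r"(?: <(?P<opts>[^>]*)>)?$"
)

SESSION = """\
rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1
"""

def parse_line(line: str) -> dict:
    """Split one line into its fields; numeric fields become int or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rec = m.groupdict()
    for key in ("first", "last", "nbytes", "ack", "win", "urg"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def parse_session(text: str) -> list:
    """Parse a conversation and add abs_first/abs_last/abs_ack fields.

    tcpdump prints absolute numbers only on the segments that carry SYN; after
    that it prints offsets from the initial sequence number (ISN) of each
    direction, with the first data byte being 1. We record the ISN per direction
    from the SYN segments and add it back to every later relative number.
    """
    isn = {}        # (src, dst) -> ISN of that direction
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        fwd = (rec["src"], rec["dst"])
        rev = (rec["dst"], rec["src"])
        if "S" in rec["flags"]:
            # SYN / SYN-ACK: the printed numbers are absolute
            isn[fwd] = rec["first"]
            rec["abs_first"], rec["abs_last"] = rec["first"], rec["last"]
            rec["abs_ack"] = rec["ack"]
        else:
            # relative numbers; the ack refers to the peer's sequence space
            rec["abs_first"] = isn[fwd] + rec["first"] if rec["first"] is not None else None
            rec["abs_last"] = isn[fwd] + rec["last"] if rec["last"] is not None else None
            rec["abs_ack"] = isn[rev] + rec["ack"] if rec["ack"] is not None else None
        if rec["nbytes"] is not None and rec["last"] - rec["first"] != rec["nbytes"]:
            raise ValueError(f"inconsistent first:last(nbytes) in {line!r}")
        records.append(rec)
    return records

def bytes_acked(records: list, src: str, dst: str) -> int:
    """How many data bytes dst has acknowledged from src: the highest relative
    ack seen in the dst->src direction minus 1 (byte numbering starts at 1)."""
    acks = [r["ack"] for r in records
            if r["src"] == dst and r["dst"] == src
            and r["ack"] is not None and "S" not in r["flags"]]
    return max(acks) - 1 if acks else 0

if __name__ == "__main__":
    recs = parse_session(SESSION)
    for r in recs:
        print(f"{r['src']}->{r['dst']} {r['flags']:2s} seq={r['abs_first']} "
              f"ack={r['abs_ack']} win={r['win']} data={r['nbytes'] or 0}")
    print("csam has acked", bytes_acked(recs, "rtsg", "csam"), "bytes from rtsg")
```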

If the snapshot length was too small for tcpdump to capture the whole TCP header, it interprets as much of the header as it can and prints '[|tcp]' to show that the remainder could not be decoded. If the header contains a bogus option (one whose length is either too small or runs past the end of the header), tcpdump prints '[bad opt]' and does not interpret any further options, since it cannot tell where they start. If the header length says that options are present but the IP datagram is not long enough for those options to actually be there, tcpdump prints '[bad hdr length]'.

Capturing TCP segments with particular flags set (SYN-ACK, URG-ACK and so on)

The TCP header contains eight bits that are used as control flags:
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
(several of these may be set at once in a single segment)

Suppose we want to watch the segments exchanged while a TCP connection is set up. Recall that TCP uses a three-way handshake to open a connection; the three steps, and the control flags carried by the segment at each step, are:
1) the initiator (caller) sends a segment with SYN set;
2) the recipient responds with a segment that has both SYN and ACK set;
3) the initiator acknowledges that with a segment that has ACK set.

0 15 31
-----------------------------------------------------------------
| source port | destination port |
-----------------------------------------------------------------
| sequence number |
-----------------------------------------------------------------
| acknowledgment number |
-----------------------------------------------------------------
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
-----------------------------------------------------------------
| TCP checksum | urgent pointer |
-----------------------------------------------------------------

A TCP header without options is 20 bytes long (options, when present, follow these 20 bytes). The first row of the diagram holds bytes 0 to 3, the second row bytes 4 to 7, and so on.

Counting from 0, the control flags are in byte 13 (the left half of the fourth row, after the 4-bit header length and the reserved bits).

0 7| 15| 23| 31
----------------|---------------|---------------|----------------
| HL | rsvd |C|E|U|A|P|R|S|F| window size |
----------------|---------------|---------------|----------------
| | 13th octet | | |

Let us look more closely at byte 13:

| |
|---------------|
|C|E|U|A|P|R|S|F|
|---------------|
|7 5 3 0|

These are the control flags we are interested in. Numbering the bits 0 to 7 from right to left, PSH is bit 3 and URG is bit 5.

Remember that we only want segments with SYN set. Here is what byte 13 looks like when SYN, and only SYN, is set:

|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|

Only bit 1 is set in the control byte.

Treat byte 13 as an 8-bit unsigned integer in network byte order (for a single byte, network and host byte order are the same). Its binary value is:
00000010

In decimal that is:

0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2
(here 1*2^1 means 1 times 2 to the power 1; the exponents 7 6 ... 0 simply label the bit positions from the diagram)

We are getting close: we now know that when only the SYN flag is set, byte 13 of the TCP header has the value 2. (In network, or big-endian, byte order the most significant byte is stored first, just as the 3 in 356 is written first; for a single byte this makes no difference.)

Expressed as a relation tcpdump understands:
tcp[13] == 2

So we can use that relation as a tcpdump filter, to watch only segments with exactly the SYN flag set:
tcpdump -i xl0 'tcp[13] == 2'
(xl0 is a BSD-style interface name; use eth0 or whatever tcpdump -D lists on your system. The expression is quoted because [ and ] are glob characters in most shells.)

This expression says "show me every TCP segment whose byte 13 has the value 2", which is exactly what we want.

Now suppose we want every segment that has SYN set, regardless of which other flags are set alongside it. Look at byte 13 of a SYN-ACK segment (SYN and ACK both set):
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 1 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|

Bits 1 and 4 of byte 13 are set, so its binary value is:
00010010

In decimal:

0*2^7 + 0*2^6 + 0*2^5 + 1*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 18

But we cannot simply use 'tcp[13] == 18' as the filter, because that selects only SYN-ACK segments and drops everything else. Remember the goal: match any segment with SYN set, whatever the other flags are.

To get there we AND the value of byte 13 with a mask that has only the SYN bit set (00000010). The result isolates the SYN bit, whatever else is set:

    00010010   SYN-ACK              00000010   SYN
AND 00000010   (we want SYN)    AND 00000010   (we want SYN)
    --------                        --------
  = 00000010                      = 00000010

Whether or not ACK or any other flag is set, the AND yields the same value, decimal 2 (binary 00000010). So for every segment with SYN set the following relation is true:

( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )

That gives us the tcpdump filter:
tcpdump -i xl0 'tcp[13] & 2 == 2'

The same idea matches any combination: 'tcp[13] & 18 == 18' selects SYN-ACK segments and 'tcp[13] & 32 == 32' selects segments with URG set. Current tcpdump also accepts the symbolic names tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg, tcp-ece and tcp-cwr together with the tcpflags index, so the SYN filter can be written as 'tcp[tcpflags] & tcp-syn != 0' and the SYN-ACK one as 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'.

Do not omit the single quotes (or backslash-escape the special characters instead): they stop the shell from interpreting &, [ and ].
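To tie the arithmetic above to code, here is an added example of my own (not from the page or from tcpdump) that evaluates these byte-13 filters on the flag bytes of a three-way handshake and of a few other segments, and renders each flag byte the way the legacy tcpdump output on this page does. The flag values are constructed from the bit diagram; nothing is captured.

```python
"""Added example: tcpdump's byte-13 control-flag filters evaluated in Python,
plus rendering of the flag byte in the legacy 'S', 'P', '.' notation used on
this page. Not part of tcpdump; the sample segments are constructed."""

# Bit positions in tcp[13], numbered 0..7 from the right, as in the diagram.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))

# Letters used by the old output format (ACK is implied by the 'ack' field and
# URG by the 'urg' field, so neither gets a letter).
FLAG_LETTERS = ((TCP_SYN, "S"), (TCP_FIN, "F"), (TCP_PSH, "P"), (TCP_RST, "R"),
                (TCP_CWR, "W"), (TCP_ECE, "E"))

def flag_string(octet13: int) -> str:
    """Render byte 13 the way legacy tcpdump does: letters, or '.' if none apply."""
    letters = "".join(ch for bit, ch in FLAG_LETTERS if octet13 & bit)
    return letters or "."

# Each filter below is the Python form of a pcap-filter expression.
def syn_only(octet13: int) -> bool:
    return octet13 == 2                                  # tcp[13] == 2

def syn_set(octet13: int) -> bool:
    return octet13 & 2 == 2                              # tcp[13] & 2 == 2

def syn_ack(octet13: int) -> bool:
    return octet13 & 18 == 18                            # tcp[13] & 18 == 18

def syn_or_fin(octet13: int) -> bool:
    return octet13 & (TCP_SYN | TCP_FIN) != 0            # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0

def pure_ack(octet13: int) -> bool:
    return octet13 & 0x3F == TCP_ACK                     # ACK set, none of FIN/SYN/RST/PSH/URG

# Constructed sample: the rlogin handshake from the page, then data and teardown.
SEGMENTS = [
    ("rtsg -> csam", TCP_SYN),                          # 1) SYN
    ("csam -> rtsg", TCP_SYN | TCP_ACK),                # 2) SYN-ACK
    ("rtsg -> csam", TCP_ACK),                          # 3) ACK
    ("rtsg -> csam", TCP_PSH | TCP_ACK),                # data
    ("csam -> rtsg", TCP_PSH | TCP_ACK | TCP_URG),      # urgent data
    ("rtsg -> csam", TCP_FIN | TCP_ACK),                # teardown
    ("csam -> rtsg", TCP_RST),                          # abort
]

def apply_filter(predicate, segments=SEGMENTS) -> list:
    """Return the 0-based indices of the segments a filter would keep."""
    return [i for i, (_, flags) in enumerate(segments) if predicate(flags)]

if __name__ == "__main__":
    for i, (direction, flags) in enumerate(SEGMENTS):
        print(f"{i}: {direction:13s} tcp[13]={flags:3d} {flags:08b} flags={flag_string(flags)}")
    for name, pred in [("tcp[13] == 2", syn_only), ("tcp[13] & 2 == 2", syn_set),
                       ("tcp[13] & 18 == 18", syn_ack),
                       ("tcp[tcpflags] & (tcp-syn|tcp-fin) != 0", syn_or_fin)]:
        print(f"{name:40s} keeps segments {apply_filter(pred)}")
```

The output makes the difference visible: 'tcp[13] == 2' keeps only the first segment, while 'tcp[13] & 2 == 2' keeps both the SYN and the SYN-ACK.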

UDP packets

The UDP display format is illustrated by a packet from rwho, a specific application:
actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a UDP datagram to port who on host broadcast (actinide and broadcast are both Internet addresses, i.e. host names). The datagram carried 84 bytes of user data.

Some UDP services are recognised from the source or destination port number, and the higher-level protocol information is then printed. In particular, Domain Name Service requests (RFC 1034/1035) and Sun RPC calls to NFS (RFC 1050) are decoded.

UDP name server requests

(Note: the following assumes familiarity with the Domain Service protocol described in RFC 1035; otherwise it will read like gibberish, but don't let that scare you, just read on.)

Name server requests are printed as:
src > dst: id op? flags qtype qclass name (len)
For example:
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype A) for the name ucbvax.berkeley.edu. The query id was 3. The '+' indicates that the recursion-desired flag was set (the server is asked to chase the answer through other name servers if it does not hold it itself). The query was 37 bytes long, not including the UDP and IP headers. The query operation was the normal one, Query, so the op field was omitted; had it been anything else it would have been printed between the '3' and the '+'. Likewise the qclass was the normal one, C_IN, and was omitted; any other class would have been printed immediately after the 'A'.

Anomalies are checked for and may produce extra fields enclosed in square brackets: if a query contains an answer, authority or additional records section, ancount, nscount or arcount are printed as '[na]', '[nn]' or '[nau]', where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the 'must be zero' bits are set in header bytes two and three, '[b2&3=x]' is printed, where x is the hex value of those two header bytes.

UDP name server responses

Name server responses are printed as:
src > dst: id op rcode flags a/n/au type class data (len)
For example:
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first line, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is of type A (address) and its data is the Internet address 128.32.137.3. The total size of the response was 273 bytes, excluding the UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second line, helios responds to query id 2 with a response code of non-existent domain (NXDomain), no answer records, one name server record and no additional records. The '*' indicates that the authoritative-answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that may appear are '-' (recursion available, RA, not set) and '|' (truncated message, TC, set). If the 'question' section does not contain exactly one entry, '[nq]' is printed.

Note that name server requests and responses tend to be large, and the 68-byte default snaplen of older tcpdump versions may not capture enough of the packet to print the details. Use the -s option to raise the snaplen if you really need to inspect name server traffic (current versions default to a much larger snaplen).

SMB/CIFS decoding

tcpdump includes fairly extensive SMB/CIFS/NBT decoding (Server Message Block, Common Internet File System and NetBIOS over TCP/IP) for data on UDP port 137, UDP port 138 and TCP port 139; note that modern hosts also carry SMB directly over TCP port 445. Some primitive decoding of IPX and NetBEUI SMB data is also done (NetBEUI is the NetBIOS Extended User Interface).

By default a fairly minimal decode is done; a much more detailed decode is produced with -v. Be warned that with -v a single SMB packet may take up a page or more, so only use it when you really want all the details.

For information on SMB packet formats and the meaning of each field see www.cifs.org or the pub/samba/specs/ directory on a samba.org mirror site. The SMB decoding patches were written by Andrew Tridgell (tridge@samba.org).

NFS requests and responses

tcpdump prints Sun NFS (Network File System) requests and replies carried over UDP as:
src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results

Here is a concrete set of output lines:
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs:
144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b:
reply ok 128 lookup fh 9,74/4134.3150

The first line shows that host sushi sent a transaction request (nt: transaction) to host wrl with transaction id 6709 (note that the number after the host name is the transaction id, not the source port number). The request carries 112 bytes, excluding the UDP and IP headers. The operation is readlink (nt: that is, read a symbolic link), and its argument is fh 21,24/10.73165 (nt: judging from the actual environment, this can be read as follows: fh denotes a file handle, 21,24 is the major/minor device number of the device the handle belongs to, 10 is the corresponding inode number (nt: in unix-like systems every file corresponds to an inode), and 73165 is a number (nt: it can be understood as a random number identifying the request; the exact meaning needs to be supplemented)).

In the second line, wrl replies 'ok' and returns in the results field the actual target of the symbolic link sushi wanted to read (nt: that is, the symbolic link sushi asked to read actually points to a directory).

The third line shows sushi asking wrl to look up the file 'xcolors' in the directory described by 'fh 9,74/4096.6878'. Note that the meaning of the data printed in each line depends on the op field (nt: different ops have different args); the format follows the NFS protocol and aims at brevity.

If tcpdump's -v (verbose) option is set, additional information is displayed. For example:
sushi.1372a > wrl.nfs:
148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a:
reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v normally also prints the TTL, ID, length and fragmentation fields of the IP header, but they have been omitted here (nt: for brevity).)
In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195 (nt: format described above), starting at byte offset 24576. Wrl replies that the read succeeded; because the second line is only the first fragment of the reply, it carries just 1472 bytes (the remaining data follows in later fragments, but those fragments carry no NFS header, and even the UDP header information is empty (nt: source and destination should still be present), so they do not match the filter and are not printed). Besides the file data, -v also displays file attributes: the file type (''REG'' means a regular file), the file mode (access permissions, in octal), the uid and gid (nt: the owning user and owning group of the file), and the file size.

If -v is repeated (nt: e.g. -vv), tcpdump prints still more detail.

Note that NFS requests carry a lot of data, and if tcpdump's snaplen (nt: capture length) is too short their details will not be shown. '-s 192' can be used to increase snaplen when monitoring NFS traffic (nt: traffic).

NFS reply packets do not explicitly identify the RPC operation they answer (nt: RPC operation). Instead, tcpdump keeps track of recently received request packets and matches replies to them by transaction id (nt: transaction ID). This can cause a problem: if a reply arrives too late, after the corresponding request has fallen out of tcpdump's tracking window, the reply will not be parsed.
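The request/reply matching just described, as an added example written for this page rather than tcpdump's own code: it parses lines in the two NFS formats shown above, keeps a bounded window of pending requests and matches replies by (client, server, transaction id), so a reply whose request has already been evicted goes unmatched. The sample lines are the page's own output joined onto single lines; the window size is an assumed stand-in for tcpdump's internal limit.

```python
"""Match NFS replies to requests by transaction id (xid), as tcpdump does."""
import re
from collections import OrderedDict

# "src.xid > dst.nfs: len op args"
REQ_RE = re.compile(r"^(\S+)\.([0-9a-f]+) > (\S+)\.nfs: (\d+) (\S+)(.*)$")
# "src.nfs > dst.xid: reply stat len op results"
REPLY_RE = re.compile(r"^(\S+)\.nfs > (\S+)\.([0-9a-f]+): reply (\S+) (\d+)(.*)$")

# Constructed from the page's sample, with the wrapped lines joined.
SAMPLE = [
    'sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165',
    'wrl.nfs > sushi.6709: reply ok 40 readlink "../var"',
    'sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"',
    'wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150',
]

# Constructed ordering where the first reply arrives after a second request.
LATE_SAMPLE = [SAMPLE[0], SAMPLE[2], SAMPLE[1], SAMPLE[3]]


def match_nfs(lines, max_tracked=64):
    """Return (matched, unmatched).

    matched maps xid -> (request op, reply status, reply length).
    unmatched lists reply lines whose request was never seen or had
    already been evicted from the tracking window (assumed size max_tracked).
    """
    pending = OrderedDict()  # (client, server, xid) -> op, oldest first
    matched, unmatched = {}, []
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            client, xid, server, _length, op = m.group(1, 2, 3, 4, 5)
            pending[(client, server, xid)] = op
            # Drop the oldest requests once the window is full.
            while len(pending) > max_tracked:
                pending.popitem(last=False)
            continue
        m = REPLY_RE.match(line)
        if m:
            server, client, xid, stat, length = m.group(1, 2, 3, 4, 5)
            key = (client, server, xid)
            if key in pending:
                matched[xid] = (pending.pop(key), stat, int(length))
            else:
                unmatched.append(line)  # reply too late: request unknown
    return matched, unmatched


if __name__ == "__main__":
    print(match_nfs(SAMPLE))
    print(match_nfs(LATE_SAMPLE, max_tracked=1))
```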

AFS requests and responses

AFS (nt: Andrew File System, from Transarc; details unknown, to be supplemented) requests and responses are printed as follows:

src.sport > dst.dport: rx packet-type
src.sport > dst.dport: rx packet-type service call call-name args
src.sport > dst.dport: rx packet-type service reply call-name args

elvis.7001 > pike.afsfs:
rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
new fid 536876964/1/1 ".newsrc"
pike.afsfs > elvis.7001: rx data fs reply rename

In the first line, host elvis sends an RX data packet to pike. This is a request to the file service (nt: RX data packet, a packet sent out to ask the other side for service), and it is also the start of an RPC call (nt: RPC, remote procedure call). The RPC asks pike to perform a rename (nt: rename) operation with the given arguments: the old directory fid is 536876964/1/1, the old file name is '.newsrc.new', the new directory fid is 536876964/1/1, and the new file name is '.newsrc'.
In the second line, host pike answers the RPC request for this rename (the rename succeeded, because the reply is a packet carrying data rather than an abort packet).

Generally, every 'AFS RPC' request is given a name when displayed (nt: decoded), usually the name of the requested RPC operation. Some of the RPC arguments are displayed as well, and they too are given a name (nt | rt: decoded; the names are usually equally direct, for example an argument called interesting is simply displayed as 'interesting'; the meaning is not clear and needs to be checked again).

This display format is meant to be self-explanatory, but it may not be very useful to people who are not familiar with AFS and RX (nt: don't worry, just keep reading).

If the -v (verbose) flag is repeated (nt: -vv), tcpdump prints acknowledgement packets (nt: packets distinct from reply packets) and additional header information (nt: for all packets, not just the additional header fields of acknowledgement packets), such as the RX call ID (the ID of the call in the request packet), the call number, the sequence number (nt: packet sequence number), the serial number (nt | rt: another number associated with the packet data; the exact meaning needs to be supplemented), and the flags of the request packet. (nt: the next paragraph repeats this description, so it has been omitted.) In addition, the MTU negotiation information in acknowledgement packets is printed (nt: the acknowledgement packet is the one answering the request packet; MTU, Maximum Transmission Unit).

If -v is repeated three times (nt: -vvv), the 'security index' and 'service id' of AFS packets are printed as well.

For abort packets (nt: abort packet, a packet informing the receiver that an exception has occurred), tcpdump prints the error codes. For Ubik beacon packets (nt: Ubik can be understood as a special communication protocol, and beacon packets as packets carrying key information in the communication), however, no error number is printed, because in the Ubik protocol an abort packet does not represent an error but a positive response (nt: a yes vote).

AFS requests carry a lot of data and many arguments, so tcpdump needs a larger snaplen; it can generally be increased with the '-s 256' option when starting tcpdump to monitor AFS traffic.

AFS reply packets do not identify which RPC call they belong to. tcpdump therefore keeps track of recent request packets and matches incoming replies to them by call number and service ID. If a reply does not correspond to a request seen recently, tcpdump does not parse it.

KIP AppleTalk protocol

(nt | rt: "DDP in UDP" can be understood as follows: DDP, the AppleTalk Datagram Delivery Protocol, is the network layer protocol of the KIP AppleTalk protocol stack, and here DDP is carried over UDP, that is, a network layer for another network implemented on top of UDP. KIP AppleTalk is a complete network protocol stack developed by Apple.)

AppleTalk DDP packets are encapsulated in UDP packets; they are de-encapsulated (nt: like decoding) and dumped according to the DDP packet rules.
(nt: encapsulate, encapsulation, equivalent to encoding; de-encapsulate, decapsulation, like decoding; dump, dump, usually means printing the information.)

The /etc/atalk.names file maps AppleTalk network and node numbers to names. Its format is:
number name

1.254 ether
16.1 icsd-net
1.254.110 ace

The first two lines define two AppleTalk networks. The third line names a host on a particular network (a host is identified with 3 bytes, whereas a network is identified with only two; this is the main difference between the two kinds of identifier) (nt: 1.254.110 is host ace on network ether). The identifier must be separated from its name by white space. Besides these entries, /etc/atalk.names may also contain blank lines and comment lines (lines beginning with '#').

Full AppleTalk network addresses are displayed in the following format:
net.host.port

Here is a specific display:
144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2

(If the /etc/atalk.names file does not exist, or contains no entry for the AppleTalk host or network, the network address of the packet is displayed in numeric form.)

In the first line, node 209 on network 144.1 sends an NBP packet from port 2 to port 220 of node 112 on network icsd-net (nt | rt: NBP, name binding protocol; from the data, the NBP server provides its service on port 2. 'DDP port 2' can be understood as 'the transport-layer port 2 corresponding to DDP'; DDP itself has no concept of a port, but this is not certain and needs to be supplemented).

The second line is like the first, except that the full name of the source, 'office', is known.
The third line shows node 149 on network jssmag sending, from port 235, a packet to port 2 (the NBP port) of all nodes on network icsd-net. (Note that in AppleTalk an address without a node number indicates the broadcast address, so it is better to keep node names and network names distinct in /etc/atalk.names.
nt: otherwise an address of the form x.port would be ambiguous: x could mean all hosts on network x at port port, or the single host x at port port.)
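The name resolution described in the preceding paragraphs, as an added example that is not tcpdump's code: it parses /etc/atalk.names entries (two-part network identifiers, three-part host identifiers, comments and blank lines) and renders net.node.port the way the output above shows it. The names file content is constructed from the page's three sample entries; treating node 255 as the broadcast node that is printed as net.port is an assumption, since the page only says the broadcast form omits the node.

```python
"""Resolve numeric AppleTalk addresses with /etc/atalk.names entries."""

# Constructed from the page's example of the file format.
NAMES_FILE = """\
# network and host identifiers, constructed sample
1.254 ether
16.1 icsd-net

1.254.110 ace
"""

BROADCAST_NODE = 255  # assumption: broadcast node, shown as net.port


def parse_atalk_names(text):
    """Return ({net: name}, {(net, node): name}).

    net is the two-byte identifier "a.b"; a host identifier has a third
    component, the node number. Blank lines and '#' comments are skipped.
    """
    nets, hosts = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        number, name = line.split()  # identifier and name separated by white space
        parts = number.split(".")
        if len(parts) == 2:
            nets[number] = name
        elif len(parts) == 3:
            hosts[(".".join(parts[:2]), int(parts[2]))] = name
        else:
            raise ValueError(f"bad AppleTalk identifier {number!r}")
    return nets, hosts


def format_addr(net, node, port, nets, hosts):
    """Render an address the way tcpdump prints it.

    A named host collapses to name.port, a named network to netname.node.port,
    a broadcast address omits the node, and unknown values stay numeric.
    """
    if node == BROADCAST_NODE:
        prefix = nets.get(net, net)
    elif (net, node) in hosts:
        prefix = hosts[(net, node)]
    else:
        prefix = f"{nets.get(net, net)}.{node}"
    return f"{prefix}.{port}"


def resolve(numeric, nets, hosts):
    """Resolve a numeric 'a.b.node.port' address string."""
    a, b, node, port = numeric.split(".")
    return format_addr(f"{a}.{b}", int(node), int(port), nets, hosts)


if __name__ == "__main__":
    nets, hosts = parse_atalk_names(NAMES_FILE)
    for addr in ("144.1.209.2", "16.1.112.220", "1.254.110.2", "16.1.255.2"):
        print(addr, "->", resolve(addr, nets, hosts))
```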

tcpdump can decode NBP (Name Binding Protocol) and ATP (AppleTalk Transaction Protocol) packets. For other application layer protocols only the protocol name (or, if the protocol has no registered name, the protocol number) and the packet size are printed.

NBP packets are displayed in the following format:
icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

The first line means: node 112 on network icsd-net sends, from port 220, a name lookup request for 'LaserWriter' to port 2 of all nodes on network jssmag (nt: here the name can be understood as the name of a resource, such as a printer). The id of this lookup request is 190.

The second line says: node 209 on network jssmag replies from port 2 to port 220 of node 112 on icsd-net: I have a 'LaserWriter' resource, its name is 'RM1140', and it is served on port 250. The id of this reply is 190, matching the id of the preceding lookup.

The third line is another reply to the request in the first line: node techpit replies from port 2 to port 220 of node 112 on icsd-net: I have a 'LaserWriter' resource, its name is 'techpit', and it is served on port 186. The id of this reply is 190, matching the id of the preceding lookup.

ATP packets are displayed in the following format:
jssmag.209.165 > helios.132: atp-req 12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req 12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel 12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

The first line shows node jssmag.209 sending a request with transaction id 12266 to node helios, asking helios to respond with 8 packets (these 8 packets have sequence numbers 0-7 (nt: the sequence number is different from the transaction id; the latter numbers a complete transaction, the former numbers each packet within the transaction; transaction is also rendered as session or transfer)). The hexadecimal number at the end of the line is the value of the 'userdata' field in the request (nt: judging from what follows, this does not print all of the user data).

Helios responds with 8 512-byte packets. The number following the transaction id (nt: 12266) is the packet's sequence number within the transaction, and the number in parentheses is the amount of data in the packet, excluding the ATP header. The packet with sequence number 7 (line 8) carries a '*', indicating that the EOM flag is set (nt: EOM, End Of Message, can be understood as marking the end of the transaction's data response).

The next line (line 9) shows jssmag.209 asking helios to retransmit the packets with sequence numbers 3 and 5. Helios resends both, and after receiving them again jssmag.209 releases the transaction.

In the last line, jssmag.209 sends helios a request to start the next transaction. The '*' on the request indicates that the XO flag is not set.
(nt: XO, exactly once: within the transaction each packet is processed exactly once at the receiver, even if the sender repeats it; this requires a specially designed receive and processing mechanism.)

IP packet fragmentation

(nt: this refers to one IP packet being split into multiple IP packets)

Fragmented IP packets (nt: the small IP packets produced by fragmenting a large one) are displayed in two formats:
(frag id:size@offset+)
(frag id:size@offset)
(The first format indicates that more fragments follow this one. The second indicates that this is the last fragment.)

id is the fragment id (nt: judging from what follows, every large IP packet that is fragmented is assigned a fragment id, so that one can tell whether individual fragments come from the same packet). size is the size of this fragment, excluding the fragment's header. offset is the offset of this fragment's data within the original IP packet (nt: judging from what follows, the IP packet is fragmented as a whole, header and data; it is not just the data that is split).

Each fragment makes tcpdump produce a line of output. The first fragment contains the higher-level protocol header (nt: judging from what follows, the TCP header of the fragmented IP packet is in the first fragment together with the IP header), so for the first fragment tcpdump prints that information followed by the fragment information. Subsequent fragments do not contain the higher-level protocol header, so after the source and destination only the fragment information is printed. Here is an example, part of an ftp session from arizona.edu to lbl-rtsg.arpa over a CSNET connection (nt: CSNET connection, a connection over the CSNET network):
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

Several points are worth noting.
First, in the second line no port numbers follow the addresses.
This is because the TCP protocol information is entirely in the first fragment; when the second fragment is displayed, we do not know which TCP packet (sequence number) it belongs to.

Second, from the first line one can see that arizona wants to send 308 bytes of user data to rtsg, whereas the fragmented IP packet actually carries 512 bytes of data (the first fragment contains 308 bytes of data and the second 204 bytes, which is more than 308). If you are looking for holes in the packet's sequence number space (nt: hole, a gap where packet sequence numbers do not join up), the 512 can confuse you for a while (nt: in fact, just focus on the 308; you need not pay attention to the amount of fragmented data).

If a packet (nt | rt: an IP packet) has the IP don't-fragment flag set, '(DF)' is displayed at the end of the line. (nt: it means this IP packet has not been fragmented.)
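A parser for the two fragment markers described above, added here as an example that is not part of the page or of tcpdump: it groups fragments by id, checks that their offsets and sizes fit together without holes, notes whether the final fragment (no '+') was seen, and reproduces the 308 versus 512 arithmetic from the arizona lines. The sample lines are the page's own; a second, constructed sample with a missing middle fragment shows the hole check; the 20-byte TCP header used for the user-data calculation assumes a segment without TCP options.

```python
"""Parse tcpdump '(frag id:size@offset[+])' markers and check reassembly."""
import re

FRAG_RE = re.compile(r"\(frag ([0-9a-f]+):(\d+)@(\d+)(\+?)\)")

# Lines quoted on the page (arizona -> rtsg ftp-data over CSNET).
SAMPLE = [
    "arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)",
    "arizona > rtsg: (frag 595a:204@328)",
    "rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560",
]

# Constructed sample: the fragment covering bytes 100-199 was never seen.
HOLE_SAMPLE = [
    "a > b: (frag 1a2b:100@0+)",
    "a > b: (frag 1a2b:100@200)",
]


def parse_frag(line):
    """Return (id, size, offset, more_fragments) or None for a non-fragment line."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    frag_id, size, offset, more = m.groups()
    return frag_id, int(size), int(offset), more == "+"


def reassemble(lines):
    """Group fragments by id and report, per id, the total payload length,
    whether the fragments are contiguous (no holes or overlaps) and whether
    the last fragment (marker without '+') was seen."""
    groups = {}
    for line in lines:
        frag = parse_frag(line)
        if frag:
            groups.setdefault(frag[0], []).append(frag)
    result = {}
    for frag_id, frags in groups.items():
        frags.sort(key=lambda f: f[2])  # order by offset
        expected, contiguous, complete = 0, True, False
        for _, size, offset, more in frags:
            if offset != expected:
                contiguous = False  # hole (offset too high) or overlap (too low)
            expected = offset + size
            if not more:
                complete = True
        result[frag_id] = {"total": expected, "contiguous": contiguous, "complete": complete}
    return result


def tcp_user_data(total_ip_payload, tcp_header_len=20):
    """User data in a reassembled TCP segment; the first fragment's size
    includes the TCP header (328 = 20 + 308 on the page), later ones do not."""
    return total_ip_payload - tcp_header_len


if __name__ == "__main__":
    info = reassemble(SAMPLE)["595a"]
    print(info, "user data:", tcp_user_data(info["total"]))
    print(reassemble(HOLE_SAMPLE))
```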

Timestamps

By default tcpdump includes a timestamp in every output line.
The timestamp has the following format:
hh:mm:ss.frac (nt: hours:minutes:seconds.frac (nt: frac unknown, needs to be supplemented))
The timestamp has the precision of the kernel clock and reflects the time at which the kernel first saw the packet (nt: saw, i.e. was able to operate on the packet). The time the packet takes to travel from the physical wire to the kernel, and the interrupt processing time the kernel spends on the packet, are not included.

Command usage

tcpdump is run from the command line; its syntax is:

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
[ expression ]

tcpdump options

-A Print each packet in ASCII (the link layer header of the packet is not shown). Handy when capturing packets carrying web page data (nt: 'Handy for capturing web pages').

-c count
Exit after receiving count packets.

-C file-size (nt: used together with the -w file option)
Before writing a raw packet to the save file, check whether the file is currently larger than file-size. If it is, close the current file and open a new one to continue recording raw packets. The new file has the same name as given by -w, with a number appended; the number starts at 1 and increases with each newly created file. file-size is in millions of bytes (nt: 1,000,000 bytes here, not 1,048,576 bytes; the latter results from counting 1k as 1024 bytes and 1M as 1024k bytes, i.e. 1M = 1024 * 1024 = 1,048,576).

-d Dump the compiled packet-matching code in a human readable form to standard output, then stop. (nt | rt: human readable, easy to read, usually meaning printed as ASCII text; compiled, compiled; packet-matching code, the code that matches packets; the exact meaning is unknown and needs to be supplemented.)

-dd Dump the packet-matching code as a C program fragment.

-ddd Dump the packet-matching code as decimal numbers (preceded by a 'count').

-D Print the list of network interfaces on the system on which tcpdump can capture packets. For each interface a number and an interface name are printed, possibly followed by a description of the interface. The interface name or number can be given to tcpdump's -i flag option (nt: flag stands for the name or number) to specify the interface on which to capture.

This option is useful on systems that lack a command to list interfaces (nt: e.g. Windows systems, or UNIX systems lacking ifconfig -a); the interface number is useful on Windows 2000 and later systems, where interface names are complicated and not easy to use.

The -D option is not supported if tcpdump was built against a libpcap library too old to have the pcap_findalldevs() function.

-e Print the data link layer header of the packet on each output line.

-E spi@ipaddr algo:secret,...

Use spi@ipaddr algo:secret to decrypt IPsec ESP packets (nt | rt: IPsec Encapsulating Security Payload; IPsec can be understood as a whole suite of protocols for encrypting IP packets, and ESP as encrypting either an entire IP packet or only its upper-layer payload; the former mode of operation is called tunnel mode, the latter transport mode; the working principle is described elsewhere).

Note that when tcpdump is started from the terminal, the key (secret) can be set for IPv4 ESP packets.

The available algorithms are des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc (nt: des, Data Encryption Standard; the encryption algorithm itself is described elsewhere). secret is the ESP key, given as an ASCII string. If it starts with 0x, the key is read as a hexadecimal value.

The ESP definition used by this option follows RFC2406, not RFC1827. Also, this option is intended only for debugging; using it with a real key (secret) is not recommended because it is insecure: a secret given on the command line can be seen by other users with ps and similar commands.

In addition to the syntax above (nt: spi@ipaddr algo:secret), a file name can be given, and tcpdump reads the same syntax from that file (nt: i.e. the ... in spi@ipaddr algo:secret,... is replaced by a syntax file name). The file is opened when the first ESP packet is received, so any special privileges tcpdump was given should already have been dropped by then (nt: with this precaution, if the file has been maliciously modified, the damage is limited).

-f Print 'foreign' IPv4 addresses (nt: foreign IPv4 addresses, i.e. addresses not on the local network) numerically rather than as names. (This option works around a defect in Sun's NIS server (nt: NIS, network information service; tcpdump uses the name service it provides to display names for foreign addresses): that NIS server often gets trapped in an endless query loop when asked to translate non-local addresses.)

Because the test for foreign IPv4 addresses requires the local network interface (nt: the interface tcpdump captures on) to have an IPv4 address and netmask, this option does not work if the address or netmask is unavailable, or if the interface has no network address and netmask configured at all (nt: on Linux the 'any' interface needs no address or mask, yet it receives packets from all interfaces on the system).

-F file
Use file as input for the filter expression; any expression given on the command line is ignored.

-i interface

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured interface (excluding the loopback interface) and stops at the first match.

On Linux systems with 2.2 or later kernels, the virtual interface 'any' can be used to capture packets from all network interfaces (nt: this includes both packets destined for the interface and packets that are not). Note that captures on 'any' are not done in promiscuous mode (nt: 'hybrid' mode): if a real interface is not itself in promiscuous mode, the packets it would only see promiscuously cannot be captured through 'any'.

If the -D flag is supported, tcpdump prints the interface numbers of the system, and such a number can be used here as the interface argument.

-l Make standard output line buffered (nt: each line is flushed to the standard output as soon as a newline character is written). Useful when you want to watch the capture output and save it at the same time, for example with one of the following command combinations:
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''. (nt: the former uses tee to send tcpdump's output both to the file dat and to standard output; the latter redirects tcpdump's output into dat with '>' and uses tail to copy the contents of dat to standard output.)

-L List the data link layer types supported by the specified network interface and exit. (nt: the interface is specified with -i)

-m module
Load the SMI MIB module definitions from the file module (nt: SMI, Structure of Management Information; MIB, Management Information Base; both are used when decoding SNMP (Simple Network Management Protocol) packets; how SNMP works is described elsewhere).

This option can be given several times to load several different MIB modules into tcpdump.

-M secret Use secret as the shared key for validating the digests in TCP segments that carry the TCP-MD5 option (described in RFC 2385).

-n Do not convert addresses (e.g. host addresses, port numbers) from numeric to name form.

-N Do not print the domain name part of host names. For example, with this option set, tcpdump prints 'nic' instead of 'nic.ddn.mil'.

-O Do not run the packet-matching code optimizer. This is useful when you suspect a bug is caused by the optimized code.

-p Do not put the network interface into promiscuous mode (nt: 'hybrid' mode). Note that the interface may be in promiscuous mode for some other reason anyway; hence, setting or not setting '-p' cannot be used as an abbreviation for 'ether host {local-hw-addr}' or 'ether broadcast' (nt: the former means only packets whose Ethernet address is the host's own, the latter packets whose Ethernet address is the broadcast address).

-q Quick (perhaps 'quiet' would be better?) output. Print very little protocol information, so the output lines are shorter.

-R Make tcpdump parse ESP/AH packets according to the old specification (RFC1825 to RFC1829) (nt: AH, Authentication Header; ESP, Encapsulating Security Payload; both are used in the IP packet security mechanism). If this option is set, tcpdump does not print the 'replay prevention' field (nt: replay prevention field). Also, because the ESP/AH specification does not require ESP/AH packets to carry a protocol version field, tcpdump cannot deduce the ESP/AH protocol version from the packet.

-r file
Read packet data from file. If file is '-', tcpdump reads packet data from standard input.

-S Print absolute, rather than relative, TCP sequence numbers. (nt: a relative sequence number is the difference from the sequence number of the first TCP packet. For example, if the absolute sequence number of the first packet received is 232323, tcpdump prints the sequence numbers of the 2nd and 3rd packets as 1 and 2, their differences from the first packet. With -S set, the 2nd and 3rd packets are printed with their absolute sequence numbers 232324 and 232325.)

-s snaplen
Set tcpdump's capture length to snaplen bytes per packet; the default is 68 bytes (on SunOS systems with the network interface tap (nt: NIT, described above; search for 'network interface tap'), the default and minimum is 96). 68 bytes is adequate for IP, ICMP (nt: Internet Control Message Protocol), TCP and UDP protocol messages, but packets of name services (nt: e.g. dns, nis) and NFS will be truncated. Truncated packets are marked in the corresponding output line with ''[|proto]'', where proto is the protocol level at which the truncation occurred. Note that a longer capture length (nt: larger snaplen) increases the time needed to process each packet and reduces the number of packets tcpdump can buffer, which can lead to packet loss. Therefore, as long as the packets you want are captured whole, the smaller the capture length the better. Setting snaplen to 0 tells tcpdump to choose the length needed to capture whole packets automatically.

-T type
Force tcpdump to interpret captured packets according to the packet structure of the protocol given by type. The currently known types are:
aodv (Ad-hoc On-demand Distance Vector protocol, an on-demand distance vector routing protocol used in Ad hoc (peer-to-peer) networks),
cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol),
rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol),
tftp (Trivial File Transfer Protocol), vat (Visual Audio Tool, an application layer protocol for videoconferencing over the internet), and wb (distributed White Board, an application layer protocol for network conferencing).

-t Do not print a timestamp on each line of output.

-tt Print an unformatted timestamp on each line (nt: the meaning of this raw form is not obvious at a glance; the timestamp is printed as a number such as 1261798315).

-ttt Print the delay (in milliseconds) between the current line and the previous one.

-tttt Print a date in front of the timestamp on each line.

-u Print undecoded NFS handles (nt: a handle here is the file handle used by NFS, which covers both directories and the files in them).

-U When used together with -w, make the file output packet-buffered: each packet is written to the file as soon as it is saved, instead of waiting until the file's output buffer is full (nt: that is, every captured packet reaches the file promptly).

The -U flag has no effect on older versions of the libpcap library (nt: the packet capture library tcpdump depends on), which lack the pcap_dump_flush() function.

-v Produce verbose output when parsing and printing. For example, the time to live, identification, total length and options of an IP packet are printed. This also enables additional packet integrity checks, such as verifying the IP and ICMP header checksums.

-vv Even more verbose output than -v. For example, additional fields of NFS reply packets are printed, and SMB packets are fully decoded.

-vvv Even more verbose output than -vv. For example, the telnet SB and SE options are printed; if telnet is used with a graphical interface,
the corresponding graphic options are printed in hexadecimal as well (nt: the meaning of the telnet SB and SE options is not known; to be supplemented).

-w Write the raw packets to the given file instead of parsing and printing them. The saved packets can later be read back with the -r option and parsed and printed then.

-W filecount
Used together with the -C option, this limits the number of files created. Once the limit is reached, tcpdump overwrites the files in turn starting from the first, which is equivalent to a rotating buffer of filecount files. It also prefixes each file name with enough leading zeros for the files to sort correctly.

-x When parsing and printing, print the header of each packet and also the packet data in hex (but not the link-layer header). At most the smaller of the whole packet and snaplen bytes is printed. Note that if the higher-level protocol data is shorter than snaplen and the link layer (for example Ethernet) pads the frame, the padding bytes are printed as well (nt: the original phrase "so for link layers that pad" could not be translated with confidence; to be supplemented).

-xx Print the header of each packet and also the packet data in hex, including the link-layer header.

-X When parsing and printing, print the header of each packet and also the packet data in both hex and ASCII (but not the link-layer header). This is very convenient for analyzing packets of new protocols.

-XX When parsing and printing, print the header of each packet and also the packet data in both hex and ASCII, including the link-layer header. This is very convenient for analyzing packets of new protocols.

-y datalinktype
Make tcpdump capture only packets whose data link layer protocol type is datalinktype.

-Z user
Make tcpdump drop its superuser privileges (when started by root, tcpdump runs with superuser rights): the user ID of the tcpdump process is changed to user and the group ID to the primary group of user (nt: "tcpdump" here means the process running after tcpdump is started).

This behaviour can also be enabled by default at compile time (nt: what value user takes in that case is unknown; to be supplemented).

tcpdump conditional expressions

The expression selects which packets will be printed. If no expression is given, all packets captured on the network are printed; otherwise only the packets that match the expression are printed (nt: "all packets" means all packets captured on the specified interface).

An expression consists of one or more primitives (nt: primitive, the basic element of an expression). A primitive usually consists of one or more qualifiers followed by a name or number called id (nt: i.e. 'qualifiers id'). There are three different kinds of qualifiers: type, dir and proto.

type qualifiers say what kind of thing the id refers to; id can be a name or a number. Possible types are host, net, port and portrange (nt: host means id is a host, net means id is a network, port means id is a port, and portrange means id is a range of ports). Examples: 'host foo', 'net 128.3', 'port 20', 'portrange 6000-6008' (nt: host foo, network 128.3, port 20 and port range 6000-6008 respectively). If no type qualifier is given, host is assumed.

dir qualifiers specify the direction of transfer to and/or from id (nt: what id denotes depends on the preceding type qualifier). Possible directions are src, dst, src or dst, and src and dst (nt: respectively, id is the source, id is the destination, id is either the source or the destination, id is both the source and the destination). For example, 'src foo', 'dst net 128.3', 'src or dst port ftp-data' (nt: the matching packets have source host foo, destination network 128.3, and source or destination port ftp-data respectively). If no dir qualifier is given, src or dst is assumed. For link layers such as SLIP (nt: Serial Line Internet Protocol), the Linux 'any' device, 'cooked' capture (nt | rt: the meaning of cooked is unknown; to be supplemented) and some other device types, the 'inbound' and 'outbound' qualifiers can be used to specify the desired direction.

proto qualifiers restrict the match to a particular protocol. Possible protocols are: ether, fddi, tr, wlan, ip, ip6, arp, rarp, decnet, tcp and udp (nt | rt: the exact meaning of ether, fddi and tr is to be supplemented; they can be understood as Ethernet, the Fiber Distributed Data Interface optical network, and Token Ring, as described further below. wlan is the wireless LAN protocol; ip and ip6 are the IPv4 and IPv6 network-layer protocols of the usual TCP/IP stack; arp and rarp are the Address Resolution Protocol and Reverse Address Resolution Protocol; decnet was developed by Digital Equipment Corporation and first used to interconnect PDP-11 machines; tcp and udp are the two transport-layer protocols of the TCP/IP stack).

For example, `ether src foo', `arp net 128.3', `tcp port 21', `udp portrange 7000-7009' mean respectively: 'packets from Ethernet address foo', 'arp packets to or from network 128.3', 'tcp packets whose source or destination port is 21', and 'udp packets whose source or destination port lies in the range 7000-7009'.

If no proto qualifier is given, all protocols consistent with the type are assumed. For example, 'src foo' means '(ip or arp or rarp) src foo' (nt: ip/arp/rarp packets from host foo, the default type being host), `net bar' means `(ip or arp or rarp) net bar' (nt: ip/arp/rarp packets from or to network bar), and `port 53' means `(tcp or udp) port 53' (nt: tcp/udp packets whose source or destination port is 53). (nt: because tcpdump obtains packets directly at the data link layer through the BSD Packet Filter or DLPI (Data Link Provider Interface), it can capture every upper-layer protocol, including arp, rarp, icmp (Internet Control Message Protocol), ip, ip6, tcp, udp and sctp (Stream Control Transmission Protocol).

In the 'qualifiers id' form, type id is the most basic filter condition on a packet, i.e. a restriction on the hosts, networks or ports involved; dir restricts the direction in which the packet travels; proto restricts the protocol of the packet.)

'fddi' (nt: Fiber Distributed Data Interface) is actually an alias for 'ether': tcpdump treats both as meaning ''the data link level used on the specified network interface''. Like Ethernet, FDDI headers contain source and destination addresses and a packet type, so these fields can be filtered on in the same way as in Ethernet packets. FDDI headers also contain other fields, but these cannot be used in a filter expression.

Similarly, 'tr' and 'wlan' are aliases for 'ether'; what the previous paragraph says about fddi applies equally to Token Ring (tr) and 802.11 wireless LAN (wlan) headers. In 802.11 headers the destination field is called DA and the source field SA; the BSSID, RA and TA fields (nt | rt: their exact meaning is to be supplemented) are not tested (nt: they cannot be used in a filter expression).

Besides the primitives described above, there are other kinds of primitives whose form differs from the 'qualifiers id' pattern: gateway, broadcast, less, greater and arithmetic expressions (nt: each is a new kind of primitive). These primitives are explained below.

Primitives can also be combined with the keywords and, or and not to form more complex conditional expressions. For example, `host foo and not port ftp and not port ftp-data' (nt: this matches packets whose host is foo and whose port is neither ftp (port 21) nor ftp-data (port 20); the usual port-to-name mapping can be found in the /etc/services file on Linux).

To save typing, identical qualifier lists can be omitted: 'tcp dst port ftp or ftp-data or domain' has the same meaning as 'tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain' (nt: the filter matches tcp packets whose destination port is ftp, ftp-data or domain (port 53)).

With parentheses and the operators below, primitives can be grouped and combined (because parentheses are special characters to the shell, they must be escaped when used in a shell script or at a terminal: '(' and ')' are written as '\(' and '\)').

The valid operators are:

Negation (`!' or `not')
Concatenation, i.e. logical and (`&&' or `and')
Alternation, i.e. logical or (`||' or `or')

Negation has the highest precedence. Concatenation and alternation have equal precedence and associate left to right. Note that for concatenation

an explicit 'and' must be written; simply placing two primitives side by side is not enough (nt: the 'and' operator between two primitives cannot be omitted).

If an identifier is given without a keyword, the most recently used keyword (the keyword closest to the identifier on its left) is assumed. For example,
    not host vs and ace
  is short for
    not host vs and host ace
  and must not be confused with not (host vs or ace). (nt: the first two mean packets that are not from or to host vs but are from or to ace; the latter means any packet that is not from or to vs or ace qualifies.)

The whole expression can be passed to tcpdump either as a single string argument or as multiple arguments separated by spaces, whichever is more convenient. Generally, if the expression contains shell metacharacters (nt: such as '*' and '.' as used in regular expressions, or '(' in the shell), it is easier to pass it as a single quoted argument; in that case the whole expression is enclosed in single quotes. When passed as multiple arguments, all arguments are concatenated with spaces and parsed as one string.
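The qualifier-inheritance rule above (a bare identifier reuses the closest qualifiers to its left, and host is the default type) can be made explicit by expanding a filter into fully qualified primitives. The following is an added example written for this page, not tcpdump's own parser; expand and tokenize are hypothetical helper names and only 'qualifiers id' primitives and the logical operators are handled.

```python
import re

# Qualifier keywords from the three classes described above.
TYPE_QUALIFIERS = {"host", "net", "port", "portrange"}
DIR_QUALIFIERS = {"src", "dst", "src or dst", "src and dst", "inbound", "outbound"}
PROTO_QUALIFIERS = {"ether", "fddi", "tr", "wlan", "ip", "ip6", "arp",
                    "rarp", "decnet", "tcp", "udp"}
OPERATORS = {"and", "or", "not", "&&", "||", "!", "(", ")"}
# Primitives with a different shape (explained further down the page) are
# deliberately rejected rather than mis-expanded.
UNSUPPORTED = {"gateway", "broadcast", "multicast", "less", "greater",
               "proto", "protochain", "mask", "vlan"}


def tokenize(expr):
    """Split a filter into tokens; parentheses become their own tokens and
    the compound directions 'src or dst' / 'src and dst' become one token."""
    raw = re.findall(r"[()]|[^\s()]+", expr)
    tokens = []
    i = 0
    while i < len(raw):
        if (raw[i] in ("src", "dst") and i + 2 < len(raw)
                and raw[i + 1] in ("or", "and")
                and raw[i + 2] in ("src", "dst") and raw[i + 2] != raw[i]):
            tokens.append(" ".join(raw[i:i + 3]))
            i += 3
        else:
            tokens.append(raw[i])
            i += 1
    return tokens


def expand(expr):
    """Rewrite expr so every identifier carries its full qualifier list."""
    pending = []       # qualifiers seen since the last identifier
    last = ["host"]    # qualifiers a bare identifier inherits; host is the default type
    out = []
    for tok in tokenize(expr):
        if tok in UNSUPPORTED:
            raise ValueError("primitive not handled by this example: " + tok)
        if tok in OPERATORS:
            out.append(tok)
        elif tok in TYPE_QUALIFIERS or tok in DIR_QUALIFIERS or tok in PROTO_QUALIFIERS:
            pending.append(tok)
        else:
            # An identifier: explicit qualifiers replace the inherited ones,
            # a bare identifier reuses whatever was used most recently.
            if pending:
                last = pending
                pending = []
            out.append(" ".join(last + [tok]))
    if pending:
        raise ValueError("expression ends with a qualifier but no identifier")
    return " ".join(out)


if __name__ == "__main__":
    # The two examples from the text above, plus a grouped one from the
    # command examples at the top of the page (parentheses unescaped, as
    # tcpdump itself sees them).
    for f in ("not host vs and ace",
              "tcp dst port ftp or ftp-data or domain",
              "host helios and ( hot or ace )"):
        print(f, "=>", expand(f))
```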

Appendix: tcpdump primitives

(nt: in the descriptions below, "true" means that if the conditional expression consists only of the primitive in question, the expression matches, i.e. the condition is satisfied)

dst host host
True if the IPv4/v6 destination field of the packet is host. host can be either an IP address or a host name.
src host host
True if the IPv4/v6 source field of the packet is host.
host can be either an IP address or a host name.
host host
True if either the IPv4/v6 source or destination address of the packet is host. Any of the above host expressions can be prefixed with the keywords ip, arp, rarp or ip6, as in:
ip host host
which can also be written as:
ether proto \ip and host host (nt: this form is explained below; ip must be escaped with \ because it is already a tcpdump keyword.)
If host is a name with multiple IP addresses, each address is checked for a match (nt: a packet sent to host may have any of these IPs as destination, and a packet received from host may have any of them as source).
ether dst ehost
True if the Ethernet destination address of the packet (nt: any packet captured by tcpdump, whether ip, tcp or otherwise) is ehost. Ehost may be either a name from /etc/ethers or a numeric address (nt: see man ethers for a description of the /etc/ethers file; the examples use numeric addresses).
ether src ehost
True if the Ethernet source address of the packet is ehost.
ether host ehost
True if either the Ethernet source or destination address of the packet is ehost.
gateway host
True if the gateway address of the packet is host. Note that the gateway address here is an Ethernet address, not an IP address (nt | rt: the original wording "the Ethernet source or destination address" can be understood as referring to the 'default gateway' mentioned above). host must be a name, not a number, and it must have entries in both of the machine's mappings: 'host name to IP address' (available from /etc/hosts, DNS or NIS) and 'host name to Ethernet address' (available from /etc/ethers; nt: /etc/ethers need not exist; its format is described by man ethers, but how the file is created is unknown and to be supplemented). In other words, host here means ether host ehost rather than host host, and ehost must be a name, not a number.
This primitive does not currently work in IPv6-enabled configurations (nt: configuration here can be understood as the network configuration of both communicating parties).
dst net net
True if the destination address of the packet (IPv4 or IPv6) has a network number of net.
net may be a name from the networks database file /etc/networks or a numeric network number.
A numeric IPv4 network number can be written as a dotted quad (e.g. 192.168.1.0), a dotted triple (e.g. 192.168.1), a dotted pair (e.g. 172.16) or a single number (e.g. 10);
the corresponding netmasks are: dotted quad, 255.255.255.255 (which makes the net match equivalent to a host match, since all four parts of the address are used); dotted triple, 255.255.255.0; dotted pair, 255.255.0.0; single number, 255.0.0.0.
For IPv6, the network number must be written out in full (all 8 parts); the corresponding netmask is
ff:ff:ff:ff:ff:ff:ff:ff, so an IPv6 net match is really a host match (nt | rt | rc: all 8 parts of the address are used; whether the bytes that do not belong to the network number are filled with 0 is to be supplemented). To match a real IPv6 network, a netmask length must be given as well (nt: this is done with net net/len).
src net net
True if the source address of the packet (IPv4 or IPv6) has a network number of net.
net net
True if either the source or destination address of the packet (IPv4 or IPv6) has a network number of net.
net net mask netmask
True if either the source or destination address of the packet matches net with the netmask netmask. May be qualified with src or dst to match only the source or destination network (nt: e.g. src net net mask 255.255.255.0). This syntax is not valid for IPv6 networks.
net net/len
True if either the source or destination address of the packet (IPv4 or IPv6) matches net with a netmask len bits wide. May be qualified with src or dst to match only the source or destination network (nt | rt | tt: src net net/24 matches packets whose source address has the same 24-bit network number as net).
dst port port
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port of port. port can be a number or a name (names are listed in /etc/services; see also man tcp and man udp). If a name is used, both the port number and the protocol belonging to that name are checked. If a number is used, only the port number is checked (e.g. dst port 513 makes tcpdump capture both tcp/login and udp/who packets, and port domain captures both tcp/domain and udp/domain packets) (nt | rt: the original phrase "ambiguous name is used" was not understood; to be supplemented).
src port port
True if the source port of the packet is port.
port port
True if either the source or destination port of the packet is port.
dst portrange port1-port2
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and its destination port lies in the range port1 to port2 (port1 and port2 included). port1 and port2 are interpreted in the same way as port (nt: as described under dst port port).
src portrange port1-port2
True if the source port of the packet lies in the range port1 to port2 (port1 and port2 included).
portrange port1-port2
True if either the source or destination port of the packet lies in the range port1 to port2 (port1 and port2 included).
Any of the above port expressions can be prefixed with the keyword tcp or udp, as in:
tcp src port port
which makes tcpdump capture only tcp packets whose source port is port.
less length
True if the packet length is less than or equal to length. This is equivalent to 'len <= length'.
greater length
True if the packet length is greater than or equal to length. This is equivalent to 'len >= length'.
ip proto protocol
True if the packet is an IPv4 packet of protocol type protocol.
protocol can be a number or one of the names icmp6, igmp, igrp (nt: Interior Gateway Routing Protocol), pim (Protocol Independent Multicast, used by multicast routers), ah, esp (nt: ah is the Authentication Header and esp the Encapsulating Security Payload; both belong to the secure transmission mechanism for IP packets), vrrp (Virtual Router Redundancy Protocol), udp, or tcp. Because tcp, udp and icmp are also tcpdump keywords, these names must be escaped with \ (in the C shell, \\ is needed). Note that this primitive does not examine the whole protocol header chain of the packet (nt: only the header of the specified protocol is examined; for example, tcpdump -i eth0 'ip proto \tcp and host 192.168.3.144' prints only the tcp header information of packets sent or received by host 192.168.3.144).
ip6 proto protocol
True if the packet is an IPv6 packet of protocol type protocol.
Note that this primitive does not examine the whole protocol header chain of the packet.
ip6 protochain protocol
True if the packet is an IPv6 packet and its protocol header chain contains a header of type protocol. For example,
ip6 protochain 6
matches any IPv6 packet whose protocol header chain contains a TCP header. There may be authentication headers, routing headers or hop-by-hop option headers between the IPv6 header and the TCP header of such a packet.
The BPF (Berkeley Packet Filter, nt: a packet filtering mechanism provided at the data link layer) code generated for this primitive is complex,
and the BPF optimizer cannot handle it, so matching with this primitive may be slow.
ip protochain protocol
Equivalent to ip6 protochain protocol, but for IPv4 packets.
ether broadcast
True if the packet is an Ethernet broadcast packet. The keyword ether is optional.
ip broadcast
True if the packet is an IPv4 broadcast packet. This makes tcpdump check for both the all-zeroes and the all-ones broadcast conventions, and look up the subnet mask of the interface on which the capture is being done.
If the subnet mask of the capture interface is not available, or the interface has no network address configured at all, or the capture is done on the Linux 'any' interface (which receives packets from more than one interface in the system (nt: effectively from all available interfaces)), the netmask check cannot work correctly.
ether multicast
True if the packet is an Ethernet multicast packet (nt: multicast delivers a message to a set of destination addresses at once, rather than to every address in the network, which is broadcasting). The keyword ether is optional. This is shorthand for the conditional expression `ether[0] & 1 != 0' (nt: i.e. the lowest bit of byte 0 of the Ethernet packet is 1, which marks a multicast packet).
ip multicast
True if the packet is an IPv4 multicast packet.
ip6 multicast
True if the packet is an IPv6 multicast packet.
ether proto protocol
True if the packet is of Ethernet type protocol.
The protocol field can be a number or one of the following names: ip, ip6, arp, rarp, atalk (the AppleTalk network protocol),
aarp (nt: AppleTalk Address Resolution Protocol),
decnet (nt: a network protocol stack provided by DEC), sca (nt: unknown; to be supplemented),
lat (Local Area Transport, a protocol developed by DEC for interconnecting Ethernet hosts),
mopdl, moprc, iso (nt: unknown; to be supplemented), stp (Spanning Tree Protocol, used to prevent link loops in a network),
ipx (nt: Internetwork Packet Exchange, the network-layer protocol used in Novell networks), or
netbeui (nt: NetBIOS Extended User Interface, an extension of the network basic I/O system interface).
Note that these identifiers are also keywords and must therefore be escaped with '\'.
(SNAP: SubNetwork Access Protocol)
In the case of FDDI (e.g. 'fddi protocol arp'), Token Ring (e.g. 'tr protocol arp')
and IEEE 802.11 wireless LAN (e.g. 'wlan protocol arp'), the protocol
identifier comes from the 802.2 Logical Link Control (LLC) header,
which is usually layered on top of the FDDI, Token Ring or 802.11 header.
When filtering on protocol identifiers on these networks, tcpdump checks only the protocol ID field of a SNAP-format structure whose Organizational Unit Identifier (OUI) is 0x000000 (0x000000
identifies encapsulated Ethernet) in the LLC header; it does not check whether the packet actually carries a SNAP-format structure
with an OUI of 0x000000 (nt: SNAP, SubNetwork Access Protocol). The exceptions are:
iso: tcpdump checks the DSAP (Destination Service Access Point) and
SSAP (Source Service Access Point) fields of the LLC header (nt: the iso protocol is unknown; to be supplemented);
stp and netbeui:
tcpdump checks the Destination Service Access Point of the LLC header;
atalk:
tcpdump checks for a SNAP-format structure with an OUI of 0x080007 in the LLC header and checks the AppleTalk etype field
(nt: whether the AppleTalk etype sits inside the SNAP-format structure is unknown; to be supplemented).
On Ethernet, for ether proto protocol, tcpdump checks the
Ethernet type field for the specified protocol, with the following exceptions:
iso, stp, and netbeui:
tcpdump checks the 802.3 frame and the LLC header, as it does for FDDI, Token Ring and 802.11
(nt: 802.3 means IEEE 802.3, a collection of IEEE standards defining the physical layer and the media access control sublayer of the
data link layer of wired Ethernet. stp is described above);
atalk:
tcpdump checks the Ethernet frame for the AppleTalk etype and also checks the LLC header for a SNAP-format structure,
as it does for FDDI, Token Ring and 802.11;
aarp: tcpdump checks for the AppleTalk ARP etype, which may be in the Ethernet frame or in the
SNAP-format structure of the LLC header (defined by 802.2); in the latter case the OUI of the SNAP-format structure is 0x000000
(nt: 802.2 means IEEE 802.2, which defines the logical link control layer (LLC), corresponding to the upper part of the data link layer in the OSI model.
LLC provides a uniform interface to users of the data link layer (usually the network layer). Below LLC is the MAC layer (nt: the MAC layer
corresponds to the lower part of the data link layer), whose implementation and operation differ by physical medium: Ethernet, Token Ring,
Fiber Distributed Data Interface (nt: essentially a kind of optical fiber network), WLAN (802.11), and so on);
ipx: tcpdump checks for the IPX etype in the Ethernet frame, the IPX DSAP in the LLC header, the 802.3-with-no-LLC-header encapsulation of IPX,
and the IPX etype in a SNAP-format structure of the LLC header (nt | rt: "SNAP frame" can be understood as the SNAP-format structure in the LLC header;
this is a preliminary understanding and is to be supplemented).
decnet src host
True if the DECNET source address of the packet is host.
(nt: decnet was developed by Digital Equipment Corporation and first used to interconnect PDP-11 machines)
decnet dst host
True if the DECNET destination address of the packet is host.
(nt: decnet as explained above)
decnet host host
True if either the DECNET source or destination address of the packet is host.
(nt: decnet as explained above)
ifname interface
True if the packet was logged as coming from the specified interface.
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
on interface
Same as ifname interface.
rnr num
True if the packet was logged as matching the PF rule numbered num.
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
rulenum num
Same as rnr num.
reason code
True if the packet was logged with the specified PF reason code. Valid codes are: match, bad-offset,
fragment, short, normalize and memory.
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
rset name
True if the packet was logged as matching the specified PF ruleset.
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
ruleset name
Same as rset name.
srnr num
True if the packet was logged as matching the specified rule number within the specified ruleset (nt: "specified PF rule number", i.e. one particular rule),
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
subrulenum num
Same as srnr num.
action act
True if PF took the specified action when the packet was logged. Valid actions are: pass, block.
(Applies only to packets logged by pf on OpenBSD (nt: pf, packet filter, the OpenBSD firewall).)
ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
Equivalent to the expression:
ether proto p
where p is one of the above protocols.
lat, moprc, mopdl
Equivalent to the expression:
ether proto p
where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.
vlan [vlan_id]
True if the packet is an IEEE 802.1Q VLAN packet.
(nt: IEEE 802.1Q VLAN, i.e. the IEEE 802.1Q virtual LAN protocol, which is used for interconnection between different networks.)
If [vlan_id] is specified, the expression is true only if the packet carries the specified VLAN id (vlan_id).
Note that for VLAN packets, the first vlan keyword encountered in the expression changes the decoding offset used by the keywords that follow it (that is, the position in the packet at which they start reading). When filtering in a VLAN network, the vlan [vlan_id] expression may be used more than once; every occurrence of the vlan keyword increases the filter offset by 4 bytes (nt: the filter offset can be understood as the decoding offset mentioned above).
For example:
vlan 100 && vlan 200
matches packets on VLAN 200 that are encapsulated within VLAN 100.
Another example:
vlan && vlan 300 && ip
matches IPv4 packets on VLAN 300 that are themselves encapsulated within a further VLAN.
mpls [label_num]
True if the packet is an MPLS packet.
(nt: MPLS, Multi-Protocol Label Switching, a technique that uses labels to direct data across open communication networks.)
If [label_num] is specified, the expression is true only if the packet carries the specified label (label_num).
Note that for IP packets carrying MPLS information (that is, MPLS packets), the first mpls keyword encountered in the expression changes the decoding offset used by the keywords that follow it (that is, the position in the packet at which they start reading). When filtering in an MPLS network, the mpls [label_num] expression may be used more than once; every occurrence of the mpls keyword increases the filter offset by 4 bytes (nt: the filter offset can be understood as the decoding offset mentioned above).
For example:
mpls 100000 && mpls 1024
matches packets whose outer label is 100000 and whose inner label is 1024.
Another example:
mpls && mpls 1024 && host 192.9.200.1
matches packets to or from 192.9.200.1 whose inner label is 1024 and which also carry an outer label.
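The offset shift described above, worked through as an added example (not code from tcpdump, libpcap or this translation): a small model evaluates the four expressions just quoted against constructed frames, advancing the read position by 4 bytes for every vlan or mpls keyword that matches, which is why the tags and labels must appear in the order the expression names them. The ip test behind an MPLS stack follows libpcap's bottom-of-stack and version-nibble check; the helper names (Filter, matches, frame, be) are this example's own.

```python
"""Model of the decoding-offset shift made by the vlan and mpls keywords.
Added example, not code from tcpdump or libpcap: it evaluates the expressions
quoted in the text against constructed frames, moving the offset 4 bytes for
every vlan/mpls keyword that matches (the text's 'filter/decoding offset')."""
import struct
from ipaddress import IPv4Address
ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800


def be(buf, off, n):
    """Unsigned big-endian integer of n bytes at byte offset off."""
    return int.from_bytes(buf[off:off + n], "big")


class Filter:
    """Keywords apply left to right; shift counts the bytes that matching
    vlan/mpls keywords inserted in front of the EtherType/payload."""

    def __init__(self, frame):
        self.frame, self.shift, self.in_mpls = frame, 0, False

    def vlan(self, vlan_id=None):
        # 802.1Q tag in the EtherType slot: TPID 0x8100, then a 16-bit TCI whose
        # low 12 bits are the VLAN ID; the real EtherType follows the tag.
        if be(self.frame, 12 + self.shift, 2) != ETH_VLAN:
            return False
        if vlan_id is not None and be(self.frame, 14 + self.shift, 2) & 0xFFF != vlan_id:
            return False
        self.shift += 4
        return True

    def mpls(self, label=None):
        # First mpls keyword needs EtherType 0x8847; later ones read the next
        # 32-bit label stack entry, whose top 20 bits are the label.
        if not self.in_mpls and be(self.frame, 12 + self.shift, 2) != ETH_MPLS:
            return False
        if label is not None and be(self.frame, 14 + self.shift, 4) >> 12 != label:
            return False
        self.shift, self.in_mpls = self.shift + 4, True
        return True

    def ip(self):
        # Behind an MPLS stack there is no EtherType: like libpcap, test the
        # bottom-of-stack bit of the last label plus the IPv4 version nibble.
        if self.in_mpls:
            return be(self.frame, 10 + self.shift, 4) & 1 == 1 and self.frame[14 + self.shift] >> 4 == 4
        return be(self.frame, 12 + self.shift, 2) == ETH_IPV4

    def host(self, addr):
        # IPv4 src/dst are bytes 12 and 16 of the IP header, which starts right
        # after the (shifted) link-layer header.
        ip_off, want = 14 + self.shift, int(IPv4Address(addr))
        return want in (be(self.frame, ip_off + 12, 4), be(self.frame, ip_off + 16, 4))


def matches(frame, *keywords):
    """Evaluate keywords joined by &&: matches(f, ("vlan", 100), ("vlan", 200))
    stands for 'vlan 100 && vlan 200'; all() stops at the first false keyword."""
    flt = Filter(frame)
    return all(getattr(flt, name)(*args) for name, *args in keywords)


def frame(tags=(), labels=(), src="192.9.200.1", dst="10.0.0.2"):
    """Constructed sample frame (not a capture): zeroed MACs, optional 802.1Q
    tags, optional MPLS stack (bottom-of-stack on the last entry), minimal IPv4."""
    hdr = bytes(12) + b"".join(struct.pack("!HH", ETH_VLAN, t) for t in tags)
    if labels:
        hdr += struct.pack("!H", ETH_MPLS) + b"".join(
            struct.pack("!I", (lbl << 12) | (i == len(labels) - 1))
            for i, lbl in enumerate(labels))
    else:
        hdr += struct.pack("!H", ETH_IPV4)
    return hdr + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             IPv4Address(src).packed, IPv4Address(dst).packed)
```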
pppoed
True if the packet is a PPP-over-Ethernet Discovery packet (nt: Discovery packet, Ethernet type 0x8863).
(nt: PPP-over-Ethernet, the Point-to-Point Protocol carried over Ethernet. Establishing a point-to-point connection has two stages, the Discovery stage (address discovery) and the PPPoE session stage; a discovery packet is one sent during the first stage. The Ethernet type is a field of the Ethernet frame that indicates the protocol carried in the frame's data field.)
pppoes
True if the packet is a PPP-over-Ethernet Session packet (nt: Ethernet type 0x8864; PPP-over-Ethernet is explained above, search for the keyword 'PPP-over-Ethernet' to find the note).
Note that for PPP-over-Ethernet Session packets, the first pppoes keyword encountered in the expression changes the decoding offset used by the keywords that follow it (that is, the position in the packet at which they start reading).
For example:
pppoes && ip
matches IPv4 packets carried inside PPPoE.
tcp, udp, icmp
Equivalent to the expression:
ip proto p or ip6 proto p
where p is one of the above protocols (that is, the expression is true if the packet is IPv4 or IPv6 and its protocol type is tcp, udp or icmp respectively).
iso proto protocol
True if the packet is an ISO-OSI packet of protocol type protocol. (nt: [preliminary understanding] each layer of the ISO-OSI network model uses protocols that differ from those of the corresponding TCP/IP layer; the specific protocols of each ISO-OSI layer need to be supplemented.)
protocol can be a number or one of the following names:
clnp, esis, or isis.
(nt: CLNP, Connectionless Network Protocol, is a network-layer protocol of the OSI model; esis and isis are unknown and need to be supplemented.)
clnp, esis, isis
Abbreviations for
iso proto p
where p is one of the above protocols.
l1, l2, iih, lsp, snp, csnp, psnp
Abbreviations for IS-IS PDU types.
(nt: IS-IS PDU, Intermediate System to Intermediate System Protocol Data Unit. An OSI (Open Systems Interconnection) network consists of end systems and intermediate systems: an intermediate system is a router, and an end system is user equipment. A local group of routers forms an 'area' (Area), and several areas form a 'domain' (Domain). IS-IS provides routing within a domain or area. l1, l2, iih, lsp, snp, csnp, psnp denote PDU types; their exact meanings need to be supplemented.)
vpi n
True if the packet is an ATM packet (for SunATM devices on Solaris) with a virtual path identifier of n.
(nt: ATM, Asynchronous Transfer Mode, can be understood as a set of protocols proposed by ITU-T (the Telecommunication Standardization Sector of the International Telecommunication Union) that perform the same function as the IP layer in TCP/IP; the exact protocol layering needs to be supplemented.)
vci n
True if the packet is an ATM packet (for SunATM devices on Solaris) with a virtual channel identifier of n.
(nt: ATM as described above.)
lane
True if the packet is an ATM LANE packet. Note that the first lane keyword in the expression changes the tests performed by the later conditions in the expression, on the assumption that the packet is either a LANE emulated Ethernet packet or a LANE LLC control packet. If lane is not specified, the tests are performed on the assumption that the packet is an LLC-encapsulated ATM packet (nt: LLC, logical link control).
llc
True if the packet is an ATM packet (for SunATM devices on Solaris) that is LLC-encapsulated.
oamf4s
True if the packet is an ATM packet (for SunATM devices on Solaris) that is a segment OAM F4 flow cell (VPI=0 and VCI=3).
(nt: OAM, Operation Administration and Maintenance, can be understood as the class of ATM cells that the network generates for its own management.
The transmission unit of an ATM network is the cell; data to be transmitted is ultimately split into fixed-length (53-byte) cells.
(My understanding: a physical circuit is multiplexed into virtual paths, and a virtual path is multiplexed again into virtual channels.)
Both ends of a communication are addressed by virtual path identifier (VPI) / virtual channel identifier (VCI).
OAM F4 flow cells are divided into a segment class and an end-to-end class; the difference between them is unknown and needs to be supplemented.)
oamf4e
True if the packet is an ATM packet (for SunATM devices on Solaris) that is an end-to-end OAM F4 flow cell (VPI=0 and VCI=4).
(nt: OAM and end-to-end OAM F4 as described above; search for 'oamf4s' to find the note.)
oamf4
True if the packet is an ATM packet (for SunATM devices on Solaris) that is a segment or end-to-end OAM F4 flow cell (VPI=0 and VCI=3 or VCI=4).
(nt: OAM and end-to-end OAM F4 as described above; search for 'oamf4s' to find the note.)
oam
True if the packet is an ATM packet (for SunATM devices on Solaris) that is a segment or end-to-end OAM F4 flow cell (VPI=0 and VCI=3 or VCI=4).
(nt: this entry duplicates oamf4 and needs to be confirmed.)
metac
True if the packet is an ATM packet (for SunATM devices on Solaris) on the meta signaling circuit (nt: VPI=0 and VCI=1; the exact meaning of 'meta signaling circuit' is unknown and needs to be supplemented).
bcc
True if the packet is an ATM packet (for SunATM devices on Solaris) on the broadcast signaling circuit (nt: VPI=0 and VCI=2; the exact meaning of 'broadcast signaling circuit' is unknown and needs to be supplemented).
sc
True if the packet is an ATM packet (for SunATM devices on Solaris) on the signaling circuit (nt: VPI=0 and VCI=5; the exact meaning of 'signaling circuit' is unknown and needs to be supplemented).
ilmic
True if the packet is an ATM packet (for SunATM devices on Solaris) on the ILMI circuit (nt: VPI=0 and VCI=16; ILMI, Interim Local Management Interface, can be understood as an SNMP-based (Simple Network Management Protocol) interface for network management).
connectmsg
True if the packet is an ATM packet (for SunATM devices on Solaris) on the signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
(nt: Q.2931 is a signaling protocol developed by the ITU (International Telecommunication Union). It specifies the procedures for establishing, maintaining and releasing network connections at the user-network interface of the broadband integrated services digital network.)
metaconnect
True if the packet is an ATM packet (for SunATM devices on Solaris) on the meta signaling circuit and is a Q.2931 Setup, Call Proceeding, Connect, Connect Ack, Release, or Release Done message.
expr relop expr
True if the relation relop holds between the two operands (expr) on either side of it.
relop is one of the relational operators >, <, <=, =, !=.
expr is an arithmetic expression. It may contain integer constants (written in standard C syntax), the binary operators +, -, *, /, &, |, << and >>, the length operator, and references to data inside the packet. Note that all comparisons are unsigned, so, for example, 0x80000000 and 0xffffffff are both greater than 0 (nt: under a signed two's-complement comparison 0xffffffff would be less than 0). Data inside the packet is referenced with the following expression:
proto [expr : size]
proto is one of ether, fddi, tr, wlan, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp, ip6 or radio, and indicates the protocol layer to which the reference applies (ether, fddi, wlan, tr, ppp, slip and link all refer to the data link layer; radio refers to the "radio" header that some 802.11 (wlan, WLAN) captures carry (nt: it describes the data rate, encryption and similar information)).
Note that tcp, udp and the other upper-layer protocol types currently apply only to networks whose network layer is IPv4 or IPv6 (this limitation will be changed in a future version of tcpdump). The byte offset of the data of interest, relative to the start of the indicated protocol, is given by expr.
In the above expression size is optional and indicates the length of the data of interest (nt: usually a field of the packet header); it may be 1, 2 or 4 bytes, and defaults to 1 byte if omitted. The length operator is written with the keyword len and gives the length of the whole packet.
For example, 'ether[0] & 1 != 0' makes tcpdump capture all multicast traffic (nt: the lowest bit of ether[0] being 1 means the destination address is a multicast address). 'ip[0] & 0xf != 5' captures all IPv4 packets that carry options. 'ip[6:2] & 0x1fff = 0' captures unfragmented IPv4 datagrams together with the fragments whose fragment number is 0. The same check is applied implicitly to tcp and udp data references: tcp[0] always refers to the first byte of the TCP header and never to an arbitrary byte in the middle of the data.
Some offsets and field values may be given by name rather than by number. The following protocol header field offsets are available: icmptype (the type field of the ICMP header), icmpcode (the code field of the ICMP header), and tcpflags (the flags field of the TCP header).
The following values are available for the ICMP type field:
icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert,
icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply,
icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.
The following values are available for the TCP flags field: tcp-fin, tcp-syn, tcp-rst, tcp-push,
tcp-ack, tcp-urg.
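How proto[expr:size] references resolve to bytes, as an added example that is not part of the original man page or this translation: a small Python evaluator over a constructed Ethernet/IPv4 frame applies the three filters quoted above together with the named tcpflags and icmptype fields, and shows that tcp[0] still lands on the TCP header when IP options are present. The helper names (ref, frame, tcp_header, icmp_header) are this example's own.

```python
"""Evaluating proto[expr:size] data references as the text describes them.
Added example, not code from tcpdump or libpcap: it resolves the byte ranges
that ether[...], ip[...], tcp[...] and icmp[...] denote in a constructed
Ethernet/IPv4 frame and applies the filters quoted in the text."""
import struct

NAMED_OFFSETS = {"icmptype": 0, "icmpcode": 1, "tcpflags": 13}   # names from the text
TCP_FLAGS = {"tcp-fin": 0x01, "tcp-syn": 0x02, "tcp-rst": 0x04,
             "tcp-push": 0x08, "tcp-ack": 0x10, "tcp-urg": 0x20}
ICMP_TYPES = {"icmp-echoreply": 0, "icmp-unreach": 3, "icmp-echo": 8}
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}


def ref(frame, proto, off, size=1):
    """Value of proto[off:size] in an untagged Ethernet frame carrying IPv4.
    Reads are big-endian and unsigned, so 0xffffffff compares greater than 0."""
    off = NAMED_OFFSETS.get(off, off)
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length incl. options
    if proto == "ether":
        base = 0
    elif proto == "ip":
        base = 14
    else:
        # Transport references start at the transport header itself (so tcp[0]
        # is the first TCP byte even with IP options) and require that protocol.
        if frame[14 + 9] != IP_PROTO[proto]:
            raise ValueError(f"not a {proto} packet")
        base = 14 + ihl
    return int.from_bytes(frame[base + off:base + off + size], "big")


def is_multicast(frame):            # ether[0] & 1 != 0
    return ref(frame, "ether", 0) & 1 != 0


def ip_has_options(frame):          # ip[0] & 0xf != 5
    return ref(frame, "ip", 0) & 0xF != 5


def first_or_unfragmented(frame):   # ip[6:2] & 0x1fff = 0
    return ref(frame, "ip", 6, 2) & 0x1FFF == 0


def tcp_syn_only(frame):            # tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
    mask = TCP_FLAGS["tcp-syn"] | TCP_FLAGS["tcp-ack"]
    return ref(frame, "tcp", "tcpflags") & mask == TCP_FLAGS["tcp-syn"]


def icmp_echo_request(frame):       # icmp[icmptype] = icmp-echo
    return ref(frame, "icmp", "icmptype") == ICMP_TYPES["icmp-echo"]


def tcp_header(flags):
    """Constructed 20-byte TCP header (data offset 5) with the given flag bits."""
    return struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_header(icmp_type, code=0):
    """Constructed 8-byte ICMP header: type, code, zero checksum, zero rest."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


def frame(mcast=False, ip_options=b"", frag_off=0, more_frags=False,
          proto="tcp", payload=None):
    """Constructed sample frame (not a capture): Ethernet + IPv4 (+ options)
    + payload, which defaults to a SYN-only TCP header."""
    if payload is None:
        payload = tcp_header(TCP_FLAGS["tcp-syn"])
    ihl = 5 + len(ip_options) // 4
    frag = (0x2000 if more_frags else 0) | frag_off   # MF flag + fragment offset
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(ip_options) + len(payload),
                         1, frag, 64, IP_PROTO[proto], 0, bytes(4), bytes(4))
    eth = bytes([0x01 if mcast else 0x00]) + bytes(11) + struct.pack("!H", 0x0800)
    return eth + ip_hdr + ip_options + payload
```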
