Tcpdump Introduction

12/21/2015
Tcpdump:Introduction
LessonObjectives
Inthislesson,youwill:
captureandanalyzepacketinformationwithTCPDump.
Welookedatapacketcapturefile(orpcap)earlierthatallowedustoseetheactualdataasittraveledacrossthe
network.Nowyou'lllearnthebasicsofusingtheTCPdumputilitytocaptureandexaminenetworkpackets.
PacketCaptures
Sometimesyou'llwanttodivedeepintotheinformationflowingintoandoutofasystem.Thisinformation
canhelpyoutounderstandanapplicationbetter,troubleshootaperformanceissue,orallowasecurity
analystinsightintoaneworunknownprotocol.We'lluseapacketanalyzerorsniffertocapture,andhelp
usquicklyanalyze,thenetworktransmissionsofasystem.
ThemostpopularprotocolanalyzerforcommandlineusersisTCPdump(http://www.tcpdump.org).This
toolisavailableforallcommonLinuxdistributions,aswellasotherUNIXvariants.It'susuallyinstalledby
default,thoughyou'lltypicallyneedrootaccessinordertoreadrawnetworktraffic.
AnalyzingYourFirstPacket
Inthislesson,weprovideabinarydatafilecalledsample.pcap.pcapfilesarethemostpopularfileformat
forstoringpacketcaptures(pcapbeingshortforpacketcapture)thelibpcaplibraryisauthoredby,andis
thebasisfor,theTCPdumptool.
Usingthemostbasictcpdumpsyntax,wecantakeaquicksurveyofsample.pcap.Weusether
sample.pcapflagtoindicatethatwewanttoreadfromafileinsteadofalivenetworkadapter,andc10
tellstcpdumptodisplayonlythefirst10packetsinthecapturefile.We'llalsoadd"nn"topreventtcpdump
fromtryingtoconvertIPaddressesandportnumbersintonames.Thisisusefulforclarityandcanalso
speeduptcpdumpwhendoingalivecapture.Let'sexperimentwithapacketcapture:
http://courses.oreillyschool.com/sysadmin5/Tcpdump_Intro.html
1/11
12/21/2015
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpr/usr/share/sysadmin5/sample.pcapc10nn|cat
n
readingfromfilesample.pcap,linktypeEN10MB(Ethernet)
111:09:12.953506IP192.168.0.1>192.168.0.2:ICMPechorequest,id56323
,seq1,length64
211:09:12.953739IP192.168.0.2>192.168.0.1:ICMPechoreply,id56323,
seq1,length64
,seq2,length64
seq2,length64
511:09:16.549665IP192.168.0.1.41588>192.168.0.2.80:Flags[S],seq296
7676207,win5840,options[mss1460,sackOK,TSval75658ecr0,nop,wscale6],len
gth0
611:09:16.550140IP192.168.0.2.80>192.168.0.1.41588:Flags[S.],seq29
56775637,ack2967676208,win5792,options[mss1460,sackOK,TSval74877ecr756
58,nop,wscale6],length0
711:09:16.550183IP192.168.0.1.41588>192.168.0.2.80:Flags[.],ack1,
win92,options[nop,nop,TSval75658ecr74877],length0
811:09:16.550647IP192.168.0.1.41588>192.168.0.2.80:Flags[P.],seq1:
110,ack1,win92,options[nop,nop,TSval75658ecr74877],length109
911:09:16.551046IP192.168.0.2.80>192.168.0.1.41588:Flags[.],ack110
,win91,options[nop,nop,TSval74877ecr75658],length0
1011:09:16.562191IP192.168.0.2.80>192.168.0.1.41588:Flags[P.],seq1:
339,ack110,win91,options[nop,nop,TSval74877ecr75658],length338
[root@usernamem0~]#
WealsousedtheUNIXcatutilitytoaddnumberstoeachline.Let'stakeacloserlookatjustthefirsttwo
packets:
OBSERVE:
,seq1,length64
seq1,length64
ThesetwopacketsaretheresultoftheUNIXcommandpingc1192.168.0.2.Pingisapopulartoolused
totestconnectivitytoaremotehosthereitwasusedtosendasingleICMPRequestPackettothetarget
host.ThesecondpacketcontainstheICMPResponsePacketindicatingthattheserverisup.
PingreliesontheICMPechorequestandechoreplymessagetypesasdefinedinRFC792.ICMPecho
requests(whicharealsoidentifiedasICMPType8packets)followabasicformat:
Tcpdumptranslatesthebinarydatausingthespecifiedformattoprovidesomeoverviewdataofthepacket.
Inourexample,thedataprovidedbythe"highlevel"defaultsummarycontainsloadsofinformation.
Let'stakeacloserlookattheinformationthatTCPDumpprovidesasasummaryinline1:
20:22:11.245560isatimestampthisisnotpartoftheactualpacketcapturedata,butadditional
informationthatwasinsertedintothePCAPfilecontainingthetimestampoftheeventas
witnessedbytheinitialpacketcapture.
2/11
12/21/2015
IPindicatesthatthisisanIPpacket.
192.168.0.1istheIPaddressofthesourceofthepacket.Ifwehadnotusedthe"n"optionswith
tcpdump,itwouldhavetriedtoresolvethistothehostnameofthesource.
>:indicatesthedirectionofthepacket.It'smostlyfordisplaypurposesTCPdumpalways
displaystheoriginofthepacketfirst.
192.168.0.2isthedestinationaddresstowhichthepacketwastransmitted.
ICMPechorequestisadescriptionofthepacketandmessagetype.
id56323isanumericidentifier(typicallyarandomnumber)wheremultipleechorequestsare
sent,theclientneedsthisidtodeterminetherequestpackettowhichtheserverisresponding.
seq1isasequencenumber,thatassociatesclientrequeststoserverreponses,butthisnumber
istypicallyincrementedratherthangeneratedrandomly.
Length64indicatesthattheICMPpacketlengthwas64bytes,whichisthedefaultsizeforLinux
ping.(Theminimumlengthwouldbe8bytesiftherequestusedthepingflagss0toindicate
thatnopayloadinthepingrequestshouldbesent).
CreatingNewCaptures
Sofar,we'vebeenreadingexistingpcapfilesnow,let'slearnhowtocreatesomenewonesourselves.
We'llstartbydisplayinglivetraffic,asithappens.Startcapturinginthissession:
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpieth1nn
tcpdump:verboseoutputsuppressed,usevorvvforfullprotocoldecode
listeningoneth1,linktypeEN10MB(Ethernet),capturesize65535bytes
Theieth1optionspecifieswhichnetworkdevicewewanttousetocapture.Bydefault,TCPdumpwill
usuallygoforeth0,butinourlabenvironmentwewanttolookatpacketsbetweenm0andm1weknow
thosewillbeontheeth1interface.Thenetworkusedforthelabenvironmentisprettyquiet.Letthis
sessionrunfornowandopenanotherconsoleonm0(PressCtrl+aandthenpressnandloginagain)to
generatetrafficthat'smoreinteresting:
INTERACTIVESESSION:
[root@usernamem0~]#pingc2192.168.0.2
PING192.168.0.2(192.168.0.2)56(84)bytesofdata.
From192.168.0.1icmp_seq=1DestinationHostUnreachable
From192.168.0.1icmp_seq=2DestinationHostUnreachable
192.168.0.2pingstatistics
2packetstransmitted,0received,+2errors,100%packetloss,time3009ms
pipe2
Now,switchbacktothefirstconsoletoseewhatwascaptured.StoptheTCPdumpsessionwithCtrl+C:
INTERACTIVESESSION:
...
15:34:01.730092ARP,Requestwhohas192.168.0.2tell192.168.0.1,length28
Ctrl+C
3packetscaptured
3packetsreceivedbyfilter
0packetsdroppedbykernel
3/11
12/21/2015
Note
You'llseeatleastthreepacketshere.
Thisisn'tatallwhatweexpectedtosee.WeshouldbeseeingICMPpacketsfromthepingright?(Ifyoudo,
you'remoreontopofthisthanIam!)Therearetwocluesinourcodethattelluswhat'shappening.First,
thepingcommandresultedin"DestinationUnreachable."Second,sincem0andm1aredirectly
connected(thereisn'tanotherrouterbetweenthem),m0can'tjustsendoutnetworkpacketswithout
determiningthenetworkaddressofthehostthathas192.168.0.2.That'swhattheARPpacketsdo.
Thisexampleisaresultoftheauthornotstartinguphism1systembeforetryingtopingit.Weshowit
becauseitdemonstrateshowTCPdumpisalsoagreattoolfordebuggingnetworks.Goaheadandstartup
m1andtryTCPdumpagain:
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpieth1nn
tcpdump:verboseoutputsuppressed,usevorvvforfullprotocoldecode
listeningoneth1,linktypeEN10MB(Ethernet),capturesize65535bytes
...
Dothepingagainonm0'ssecondconsole:
INTERACTIVESESSION:
[root@usernamem0~]#pingc2192.168.0.2
PING192.168.0.2(192.168.0.2)56(84)bytesofdata.
64bytesfrom192.168.0.2:icmp_seq=1ttl=64time=11.1ms
64bytesfrom192.168.0.2:icmp_seq=2ttl=64time=0.372ms
192.168.0.2pingstatistics
2packetstransmitted,2received,0%packetloss,time1003ms
rttmin/avg/max/mdev=0.372/5.736/11.101/5.365ms
GobacktotheTCPDumpsessionandpressCtrl+C:
INTERACTIVESESSION:
...
15:51:58.844664ARP,Reply192.168.0.2isatfe:ff:00:00:1b:4c,length28
15:51:58.844673IP192.168.0.1>192.168.0.2:ICMPechorequest,id27396,seq1,
length64
15:51:58.844881IP192.168.0.2>192.168.0.1:ICMPechoreply,id27396,seq1,l
ength64
length64
15:51:59.837022IP192.168.0.2>192.168.0.1:ICMPechoreply,id27396,seq2,l
ength64
Ctrl+C
Muchbetter!
Note
Becarefuldisplayingalltrafficonbusysystemscanoverwhelmyourterminalfast.
Let'strythispingexampleonemoretime,butinsteadofviewingthetrafficlive,we'llasktcpdumptowriteit
4/11
12/21/2015
toafilewiththewoption:
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpieth1nnwoutput.pcap
tcpdump:listeningoneth1,linktypeEN10MB(Ethernet),capturesize65535bytes
Gointotheotherm0consoleandrunthepingcommandagain.Afterpingingm1,stoptcpdumpwith
Ctrl+C:
INTERACTIVESESSION:
Ctrl+C
8packetscaptured
Uponexiting,TCPdumpgivesasummaryofhowmanypacketsitsawandhowmanywerecapturedinto
thenewfile.Ofcourse,it'snotallaboutpingpackets.Beforethisnextcommand,makesurethewebserver
(httpd)isrunningonm1:
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpieth1nnwwebtest.pcap
tcpdump:listeningoneth1,linktypeEN10MB(Ethernet),capturesize65535bytes
Fromyoursecondm0console,usewgettogenerateasimplerequest:
INTERACTIVESESSION:
[root@usernamem0~]#wget192.168.0.2
2013051220:05:50http://192.168.0.2/
Connectingto192.168.0.2:80...connected.
HTTPrequestsent,awaitingresponse...200OK
Length:115[text/html]
Savingto:`index.html'
100%[======================================>]115.K/sin0s
2013051220:05:50(24.3MB/s)`index.html'saved[115/115]
Finally,stopthecaptureprocess:
INTERACTIVESESSION:
Ctrl+C
12packetscaptured
ReviewYourCapturedPackets
5/11
12/21/2015
Withsomewebtrafficcapturedinwebtest.pcap,wecanreviewitmultipletimeswithouthavingto
regeneratethetraffic.Readwebtest.pcap:
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpnnrwebtest.pcap
readingfromfilewebtest.pcap,linktypeEN10MB(Ethernet)
22:00:13.236502IP192.168.0.1.54863>192.168.0.2.80:Flags[S],seq758125040,
win14600,options[mss1460,sackOK,TSval3977169059ecr0,nop,wscale7],length
0
22:00:13.236566IP192.168.0.2.80>192.168.0.1.54863:Flags[S.],seq3829998121
,ack758125041,win14480,options[mss1460,sackOK,TSval3977169059ecr397716
22:00:13.236965IP192.168.0.1.54863>192.168.0.2.80:Flags[.],ack1,win115,
options[nop,nop,TSval3977169059ecr3977169059],length0
22:00:13.237002IP192.168.0.1.54863>192.168.0.2.80:Flags[P.],seq1:110,ack
1,win115,options[nop,nop,TSval3977169059ecr3977169059],length109
22:00:13.237049IP192.168.0.2.80>192.168.0.1.54863:Flags[.],ack110,win11
4,options[nop,nop,TSval3977169059ecr3977169059],length0
22:00:13.237380IP192.168.0.2.80>192.168.0.1.54863:Flags[P.],seq1:382,ack
22:00:13.237418IP192.168.0.2.80>192.168.0.1.54863:Flags[F.],seq382,ack1
22:00:13.237455IP192.168.0.1.54863>192.168.0.2.80:Flags[.],ack382,win12
22:00:13.237631IP192.168.0.1.54863>192.168.0.2.80:Flags[F.],seq110,ack3
22:00:13.237656IP192.168.0.2.80>192.168.0.1.54863:Flags[.],ack111,win11
22:00:19.689218IP0.0.0.0>224.0.0.1:igmpqueryv2
22:00:19.689221IP6574:6f6e:6963:56c:6f63:616c:a75:7365>ff02::1:HBHICMP6,mu
lticastlistenerquerymaxrespdelay:1000addr:::,length24
Herewecanseeallthepacketsinvolvedinthatonesimplewebrequest.Now,whilethisshowsthetraffic,
itdoesn'tactuallyshowthecontentsofthepackets.Nottoworry!Wecanasktcpdumptodisplaythe
contentsofthepacketsinASCIIformattingwiththeAflag:
6/11
12/21/2015
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpAnnrwebtest.pcap
readingfromfilewebtest.pcap,linktypeEN10MB(Ethernet)
22:00:13.236502IP192.168.0.1.54863>192.168.0.2.80:Flags[S],seq758125040,
win14600,options[mss1460,sackOK,TSval3977169059ecr0,nop,wscale7],length
0
E..<.S@.@............O.P0........9..1.........
............
22:00:13.236566IP192.168.0.2.80>192.168.0.1.54863:Flags[S.],seq3829998121
,ack758125041,win14480,options[mss1460,sackOK,TSval3977169059ecr397716
E..<..@.@..h.........P.O.I")0....8..s.........
............
22:00:13.236965IP192.168.0.1.54863>192.168.0.2.80:Flags[.],ack1,win115,
options[nop,nop,TSval3977169059ecr3977169059],length0
E..4.T@.@............O.P0...I"*...sm\.....
........
22:00:13.237002IP192.168.0.1.54863>192.168.0.2.80:Flags[P.],seq1:110,ack
E....U@.@............O.P0...I"*...s.......
........GET/HTTP/1.0
UserAgent:Wget/1.12(linuxgnu)
Accept:*/*
Host:192.168.0.2
Connection:KeepAlive
22:00:13.237049IP192.168.0.2.80>192.168.0.1.54863:Flags[.],ack110,win11
E..4..@.@............P.O.I"*0.^...rl......
........
22:00:13.237380IP192.168.0.2.80>192.168.0.1.54863:Flags[P.],seq1:382,ack
E.....@.@..h.........P.O.I"*0.^...r.......
........HTTP/1.1200OK
Date:Mon,19Aug201302:00:13GMT
Server:Apache/2.2.15(CentOS)
LastModified:Wed,05Jun201319:35:49GMT
ETag:"173734de6d4e0b2f40"
AcceptRanges:bytes
ContentLength:115
Connection:close
ContentType:text/html;charset=UTF8
<head>
<title>DeveloperWebsite</title>
</head>
CheckoutourWiki!
<br>
<ahref="twiki/bin/view">TWiki</a>
<br>
22:00:13.237418IP192.168.0.2.80>192.168.0.1.54863:Flags[F.],seq382,ack1
E..4..@.@............P.O.I#.0.^...rkq.....
........
22:00:13.237455IP192.168.0.1.54863>192.168.0.2.80:Flags[.],ack382,win12
E..4.V@.@............O.P0.^.I#....{kh.....
........
22:00:13.237631IP192.168.0.1.54863>192.168.0.2.80:Flags[F.],seq110,ack3
7/11
12/21/2015
E..4.W@.@............O.P0.^.I#....{kf.....
........
22:00:13.237656IP192.168.0.2.80>192.168.0.1.54863:Flags[.],ack111,win11
E..4..@.@............P.O.I#.0._...rko.....
........
22:00:19.689218IP0.0.0.0>224.0.0.1:igmpqueryv2
F....@..................d......
22:00:19.689221IP6574:6f6e:6963:56c:6f63:616c:a75:7365>ff02::1:HBHICMP6,mu
lticastlistenerquerymaxrespdelay:1000addr:::,length24
`.......tonic.local
use................:.........He....................
WithoutgettingintothespecificsoftheHTTPprotocol,theoutputwilltellyouwherethewebrequest
happenedandtheresponsefromtheserver.Ifyou'refamiliarwithwebdevelopmentyou'llevenrecognize
HTMLinthepackets.Ofcourse,notallprotocolscanberepresentedinASCII,butwhenyouneedtolook
attheindividualbitsandbytes,tcpdumpispowerful.
BehindtheScenes
Inthefirstsection,weletTCPdumpdowhatitdoesbest:helpus,theusers,makesenseoutoftheraw
datatransmissions.Next,we'llleveragesomeofthepowerfuloptionsoftcpdumptolookattherawdata,
anddosomehighlevelanalysisourselves.WeusedTCPdump'sdefaultbehaviortogetasummaryofour
firstpacket.TCPdumpcanalsoprovideuswithacompletedumpofthepacket,includingthepayloadof
thepacket.Beforewedothis,though,let'suseTCPdumptotellusalittlemoreaboutpacket1byadding
the"e"flag.ThisflagtellsTCPdumptoprintinformationabouttheentireEthernetframecaptured(link
levelinformation):
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpnnc1r/usr/share/sysadmin5/sample.pcape
readingfromfilesample.pcap,linktypeEN10MB(Ethernet)
11:09:12.953506fe:fe:00:00:1b:4c>fe:ff:00:00:1b:4c,ethertypeIPv4(0x0800),
length98:192.168.0.1>192.168.0.2:ICMPechorequest,id56323,seq1,length
64
Welookatthisinformationtodemonstratetheideaofencapsulation.Inourfirstexample,TCPdump
assumedweonlywantedtoknowabouttherelevantICMPinformationhowever,anICMPechorequestis
aLayer4protocolintheOSIModel,thetransportlayer.Inorderforthisprotocoltowork,itrequireslower
layerprotocolstoexist,whichitleveragestogettheinformationfromorigintodestination.Inthiscase,the
TCPechorequestwaspartofaLowerLayer(NetworkLayerorLayer3)IPpacket,aswellasanEthernet
Frame(Layer2,knownastheDataLinkLayer).
NetworkprotocolsarebuiltonthisconceptofLayering,whichisoftenknownasencapsulation.Forthe
purposesofthislesson,wewilllookattheIPpacketinitsentirety,butwewon'tdiveintothelowerlevel
Ethernetframedetail.
ToprintanIPpacketusingTCPdump,weusetheadditional"X"argument,whichprovidesbotha
hexadecimalandASCIIrepresentationofthepacket:
8/11
12/21/2015
INTERACTIVESESSION:
[root@usernamem0~]#tcpdumpnnc1r/usr/share/sysadmin5/sample.pcapX
readingfromfile/usr/share/sysadmin5/sample.pcap,linktypeEN10MB(Ethernet)
length64
0x0000:45000054000040004001b955c0a80001E..T..@.@..U....
0x0010:c0a8000208000451dc030001a8fa7250.......Q......rP
0x0020:000000002f8c0e000000000010111213..../...........
0x0030:1415161718191a1b1c1d1e1f20212223.............!"#
0x0040:2425262728292a2b2c2d2e2f30313233$%&'()*+,./0123
0x0050:343536374567
We'lllearninfuturelessonsaboutthepowerofASCIIformattingofprotocols,butforthisexamplewe'lljust
usethehexadecimaldump.Remember,hexadecimalisaBase16numbersystem,meaningthatin
additiontodigits09,weuse09andAFtoallowasingledigittorepresent16uniquevalues.
Inordertomakesenseofanyprotocol,weneedinformationontheprotocolspecification.TheInternet
EngineeringTaskForce(IETF)establishesformaldocumentscalled"RequestsforComments"orRFCs
thatprovidethatspecification.Forthepurposesofthislesson,we'llrelyprimarilyonthedescriptionofthe
IPpacket(whichisanIPv4orInternetProtocolversion4packet)headerthatisdescribedindetailinRFC
791.Section3.1providestherelevantinformationforourlesson,anddescribestheIPv4header.
Thesediagramsarecommonindepictingnetworkprotocoldataunitformatting.Thewidthofeachline
represents4bytes,whichisagoodsizeforviewing.
So,let'susethepacketformatfromRFC791section3.1todecodeourICMPechorequestmanually.We'll
usetheformatdiagramtohelpguideusalong.
Byte1:VersionandIHL0x45Tcpdumphasdecodedourpacketdataintohexadecimal.Eachpairof
charactersinthehexadecimaldumprepresentsonebyte.Inordertodecomposeourfirstformatfields,we
needtodecomposeourfirstbytefurther,intotwo4bitnibbles.Todothat,usethebcprogramatthe
commandline:
INTERACTIVESESSION:
[root@usernamem0~]#bc
bc1.06.95
Copyright19911994,1997,1998,2000,2004,2006FreeSoftwareFoundation,Inc.
ThisisfreesoftwarewithABSOLUTELYNOWARRANTY.
Fordetailstype'warranty'.
ibase=16;obase=2;45
1000101
Ctrl+C
9/11
12/21/2015
Nowwecanpadthisnumbertogettwonibbles:01000101
Usebcagaintoconvertthesenumberstotheirdecimalequivalent.Besuretorestartbc,becauseifyou
changethebaseatthispoint,you'llbespecifyingthebaseusingtheinputbaseofbinary(soyouhaveto
say,ibase=10(2)obase=1010(10).Tokeepitsimple,alwaysrestartbcbeforesettingbases.
INTERACTIVESESSION:
bc1.06.95
Fordetailstype`warranty'.
obase=10
ibase=2
0100
4
0101
5
Ctrl+C
Note
Thisexamplemaybealittleconfusingbecause"45"inhexendsupbeing4and5indecimal
aswell.
Sobacktoourdiagram.TheIPversionfieldis4(ofcourse,wealreadyknewthiswasanIPv4packet!)and
theIHL(internetheaderlength)is5.Thisfieldismeasuredin32bitwords,so5*32bits=160bits.At
8bits/byte,thereare20bytes,sotheIPheaderlengthis20byteslong.Lookingatourdiagramwecansee
thatthereare6possiblelines,whichmeansthatthereare24possiblebytes(remember4bytesisthe
widthofthediagram),andthelastlinecontainsoptions,noneofwhichwereusedinthisparticularpacket.
Byte2:TypeofService0x00Thisonedoesn'trequireacalculator.TypeofServicecanbeusedtoseta
priorityorqualityofserviceonthepacket.Thisbyteiszero(inanybase),whichindicatesnoTypeof
Service(orastandardtypeofservice)isset.
Bytes3and4:TotalLength0x000x54Thesetwofieldsmustbeconcatenated.Typicallythemost
efficientwaytofindthetotallengthwouldbetoconvertbothbytestotheir8bitbinaryvalues,concatenate
theminorder,andconvertthatnumbertoadecimal.Inthiscase,theoperationislesscomplicated
becausethefirstbyteis0x00,sowecanobtainthetotallengthofthepacketusingonlytheseconddigit:
INTERACTIVESESSION:
bc1.06.95
Fordetailstype`warranty'.
obase=10
ibase=16
54
84
Ctrl+C
Great,thetotallengthofthepacketis84bytes.Butwait,didn'tweseethattheICMPmessagelength
abovewas64bytes?Nowwe'relookingattheICMPmessageandtheadditionalIPheaderlengthasthe
fulllengthofthepacket.64(ourICMPmessagelength)+20(ourIPheaderlengthwefoundfrombytes3
and4)is84bytes!
Sonowwe'regettingthehangofhowTCPdumpdoesitsmagic.Itunderstandstheheaderformatsand
protocoldefinitionsrequiredtotranslatethebinarydatainthepacketintomeaningfulvalues.It's
10/11
12/21/2015
convenientnottohavetodothiscomputationandRFCreferencingbyhand,butknowinghowtoanalyze
protocolslikethiscanbeextremelyvaluableforprotocolsthatTCPdumpdoesn'tunderstand.Usingthe
RFCorstandardsdefinitionsforthoseformats,andtherawdataavailablefromTCPdumpX,youcan
deciphertheseprotocolsbyhandaswell!
Copyright19982014O'ReillyMedia,Inc.
ThisworkislicensedunderaCreativeCommonsAttributionShareAlike3.0UnportedLicense.
Seehttp://creativecommons.org/licenses/bysa/3.0/legalcodeformoreinformation.
11/11

Tcpdump Introduction

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Tcpdump Introduction

Загружено:

Авторское право:

Доступные форматы

12/21/2015

Вам также может понравиться