
NAME

tcpdump - dump traffic on a network

SYNOPSIS

tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ]

[ -C file_size ] [ -F file ]

[ -i interface ] [ -m module ] [ -r file ]

[ -s snaplen ] [ -T type ] [ -U user ] [ -w file ]

[ -E algo:secret ] [ expression ]

DESCRIPTION

Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill(1) command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When tcpdump finishes capturing packets, it will report counts of:

packets ``received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured; if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

On platforms that support the SIGINFO signal, such as most BSDs, it will report those counts when it receives a SIGINFO signal (generated, for example, by typing your ``status'' character, typically control-T) and will continue capturing packets.

Reading packets from a network interface may require that you have special privileges:

Under SunOS 3.x or 4.x with NIT or BPF:

You must have read access to /dev/nit or /dev/bpf*.

Under Solaris with DLPI:

You must have read/write access to the network pseudo device, e.g. /dev/le. On at least some versions of Solaris, however, this is not sufficient to allow tcpdump to capture in promiscuous mode; on those versions of Solaris, you must be root, or tcpdump must be installed setuid to root, in order to capture in promiscuous mode. Note that, on many (perhaps all) interfaces, if you don't capture in promiscuous mode, you will not see any outgoing packets, so a capture not done in promiscuous mode may not be very useful.

Under HP-UX with DLPI:

You must be root or tcpdump must be installed setuid to root.

Under IRIX with snoop:

You must be root or tcpdump must be installed setuid to root.

Under Linux:

You must be root or tcpdump must be installed setuid to root.

Under Ultrix and Digital UNIX/Tru64 UNIX:

Any user may capture network traffic with tcpdump. However, no user (not even the super-user) can capture in promiscuous mode on an interface unless the super-user has enabled promiscuous-mode operation on that interface using pfconfig(8), and no user (not even the super-user) can capture unicast traffic received by or sent by the machine on an interface unless the super-user has enabled copy-all-mode operation on that interface using pfconfig, so useful packet capture on an interface probably requires that either promiscuous-mode or copy-all-mode operation, or both modes of operation, be enabled on that interface.

Under BSD:

You must have read access to /dev/bpf*.

Reading a saved packet file doesn't require special privileges.

OPTIONS

-a

Attempt to convert network and broadcast addresses to names.

-c

Exit after receiving count packets.

-C

Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 2 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).

-d

Dump the compiled packet-matching code in a human readable form to standard output and stop.

-dd

Dump packet-matching code as a C program fragment.

-ddd

Dump packet-matching code as decimal numbers (preceded with a count).

-e

Print the link-level header on each dump line.

-E

Use algo:secret for decrypting IPsec ESP packets. Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled. secret is the ascii text for the ESP secret key. Arbitrary binary values cannot be given at this moment. The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging purposes, and the use of this option with a truly `secret' key is discouraged. By presenting an IPsec secret key on the command line you make it visible to others, via ps(1) and on other occasions.

-f

Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server; usually it hangs forever translating non-local internet numbers).

-F

Use file as input for the filter expression. An additional expression given on the command line is ignored.

-i

Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. Note that captures on the ``any'' device will not be done in promiscuous mode.

-l

Make stdout line buffered. Useful if you want to see the data while capturing it. E.g.,
``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.

-m

Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.

-n

Don't convert host addresses to names. This can be used to avoid DNS lookups.

-nn

Don't convert protocol and port numbers etc. to names either.

-N

Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.

-O

Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.

-p

Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.

-q

Quick (quiet?) output. Print less protocol information so output lines are shorter.

-R

Assume ESP/AH packets to be based on the old specification (RFC1825 to RFC1829). If specified, tcpdump will not print the replay prevention field. Since there is no protocol version field in the ESP/AH specification, tcpdump cannot deduce the version of the ESP/AH protocol.

-r

Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.

-S

Print absolute, rather than relative, TCP sequence numbers.

-s

Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.

-T

Force packets selected by "expression" to be interpreted as the specified type. Currently known types are cnfp (Cisco NetFlow protocol), rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Applications control protocol), snmp (Simple Network Management Protocol), vat (Visual Audio Tool), and wb (distributed White Board).

-t

Don't print a timestamp on each dump line.

-tt

Print an unformatted timestamp on each dump line.

-U

Drop root privileges and change the user ID to user and the group ID to the primary group of user.

NOTE! Red Hat Linux automatically drops the privilege to the user ``pcap'' if nothing else is specified.

-ttt

Print a delta (in micro-seconds) between the current and the previous line on each dump line.

-tttt

Print a timestamp in default format preceded by the date on each dump line.

-u

Print undecoded NFS handles.

-v

(Slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.

-vv

Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.

-vvv

Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X telnet options are printed in hex as well.

-w

Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''.

-x

Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet), the padding bytes will also be printed when the higher layer packet is shorter than the required padding.

-X

When printing hex, print ascii too. Thus if -x is also set, the packet is printed in hex/ascii. This is very handy for analysing new protocols. Even if -x is not also set, some parts of some packets may be printed in hex/ascii.

expression

selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expression is `true' will be dumped.

The expression consists of one or more primitives. Primitives usually consist of an id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier:

type

qualifiers say what kind of thing the id name or number refers to. Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir

qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto

qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression.

Similarly, `tr' is an alias for `ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring headers.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host

True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.

src host host

True if the IPv4/v6 source field of the packet is host.

host host

True if either the IPv4/v6 source or destination of the packet is host. Any of the above host expressions can be prepended with the keywords ip, arp, rarp, or ip6 as in:

ip host host

which is equivalent to:

ether proto \ip and host host

If host is a name with multiple IP addresses, each address will be checked for a match.

ether dst ehost

True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).

ether src ehost

True if the ethernet source address is ehost.

ether host ehost

True if either the ethernet source or destination address is ehost.

gateway host

True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). (An equivalent expression is

ether host ehost and not host host

which can be used with either names or numbers for host / ehost.) This syntax does not work in an IPv6-enabled configuration at this moment.

dst net net

True if the IPv4/v6 destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).

src net net

True if the IPv4/v6 source address of the packet has a network number of net.

net net

True if either the IPv4/v6 source or destination address of the packet has a network number of net.

net net mask netmask

True if the IP address matches net with the specific netmask. May be qualified with src or dst. Note that this syntax is not valid for an IPv6 net.

net net/len

True if the IPv4/v6 address matches net with a netmask len bits wide. May be qualified with src or dst.

dst port port

True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port

True if the packet has a source port value of port.

port port

True if either the source or destination port of the packet is port. Any of the above port expressions can be prepended with the keywords tcp or udp, as in:

tcp src port port

which matches only tcp packets whose source port is port.

less length

True if the packet has a length less than or equal to length. This is equivalent to:

len <= length.

greater length

True if the packet has a length greater than or equal to length. This is equivalent to:

len >= length.

ip proto protocol

True if the packet is an IP packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp, udp, or tcp. Note that the identifiers tcp, udp, and icmp are also keywords and must be escaped via backslash (\), which is \\ in the C-shell. Note that this primitive does not chase the protocol header chain.

ip6 proto protocol

True if the packet is an IPv6 packet of protocol type protocol. Note that this primitive does not chase the protocol header chain.

ip6 protochain protocol

True if the packet is an IPv6 packet, and contains a protocol header with type protocol in its protocol header chain. For example,

ip6 protochain 6

matches any IPv6 packet with a TCP protocol header in the protocol header chain. The packet may contain, for example, an authentication header, a routing header, or a hop-by-hop option header, between the IPv6 header and the TCP header. The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code in tcpdump, so this can be somewhat slow.

ip protochain protocol

Equivalent to ip6 protochain protocol, but this is for IPv4.

ether broadcast

True if the packet is an ethernet broadcast packet. The ether keyword is optional.

ip broadcast

True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask.

ether multicast

True if the packet is an ethernet multicast packet. The ether keyword is optional. This is shorthand for `ether[0] & 1 != 0'.

ip multicast

True if the packet is an IP multicast packet.

ip6 multicast

True if the packet is an IPv6 multicast packet.

ether proto protocol

True if the packet is of ether type protocol. Protocol can be a number or one of the names ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. Note these identifiers are also keywords and must be escaped via backslash (\).

[In the case of FDDI (e.g., `fddi protocol arp') and Token Ring (e.g., `tr protocol arp'), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI or Token Ring header.

When filtering for most protocol identifiers on FDDI or Token Ring, tcpdump checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000.

The exceptions are iso, for which it checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header, stp and netbeui, where it checks the DSAP of the LLC header, and atalk, where it checks for a SNAP-format packet with an OUI of 0x080007 and the Appletalk etype.

In the case of Ethernet, tcpdump checks the Ethernet type field for most of those protocols; the exceptions are iso, sap, and netbeui, for which it checks for an 802.3 frame and then checks the LLC header as it does for FDDI and Token Ring, atalk, where it checks both for the Appletalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI and Token Ring, aarp, where it checks for the Appletalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000, and ipx, where it checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3 with no LLC header encapsulation of IPX, and the IPX etype in a SNAP frame.]

decnet src host

True if the DECNET source address is host, which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.]

decnet dst host

True if the DECNET destination address is host.

decnet host host

True if either the DECNET source or destination address is host.

ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui

Abbreviations for:

ether proto p

where p is one of the above protocols.

lat, moprc, mopdl

Abbreviations for:

ether proto p

where p is one of the above protocols. Note that tcpdump does not currently know how to parse these protocols.

vlan [vlan_id]

True if the packet is an IEEE 802.1Q VLAN packet. If [vlan_id] is specified, only true if the packet has the specified vlan_id. Note that the first vlan keyword encountered in expression changes the decoding offsets for the remainder of expression on the assumption that the packet is a VLAN packet.

tcp, udp, icmp

Abbreviations for:

ip proto p or ip6 proto p

where p is one of the above protocols.

iso proto protocol

True if the packet is an OSI packet of protocol type protocol. Protocol can be a number or one of the names clnp, esis, or isis.

clnp, esis, isis

Abbreviations for:

iso proto p

where p is one of the above protocols. Note that tcpdump does an incomplete job of parsing these protocols.

expr relop expr

True if the relation holds, where relop is one of >, <, >=, <=, =, !=, and expr is an arithmetic expression composed of integer constants (expressed in standard C syntax), the normal binary operators [+, -, *, /, &, |], a length operator, and special packet data accessors. To access data inside the packet, use the following syntax:

proto [ expr : size ]

Proto is one of ether, fddi, tr, ppp, slip, link, ip, arp, rarp, tcp, udp, icmp or ip6, and indicates the protocol layer for the index operation. (ether, fddi, tr, ppp, slip and link all refer to the link layer.) Note that tcp, udp and other upper-layer protocol types only apply to IPv4, not IPv6 (this will be fixed in the future). The byte offset, relative to the indicated protocol layer, is given by expr. Size is optional and indicates the number of bytes in the field of interest; it can be either one, two, or four, and defaults to one. The length operator, indicated by the keyword len, gives the length of the packet.

For example, `ether[0] & 1 != 0' catches all multicast traffic. The expression `ip[0] & 0xf != 5' catches all IP packets with options. The expression `ip[6:2] & 0x1fff = 0' catches only unfragmented datagrams and frag zero of fragmented datagrams. This check is implicitly applied to the tcp and udp index operations. For instance, tcp[0] always means the first byte of the TCP header, and never means the first byte of an intervening fragment.

Some offsets and field values may be expressed as names rather than as numeric values. The following protocol header field offsets are available: icmptype (ICMP type field), icmpcode (ICMP code field), and tcpflags (TCP flags field).

The following ICMP type field values are available: icmp-echoreply, icmp-unreach, icmp-sourcequench, icmp-redirect, icmp-echo, icmp-routeradvert, icmp-routersolicit, icmp-timxceed, icmp-paramprob, icmp-tstamp, icmp-tstampreply, icmp-ireq, icmp-ireqreply, icmp-maskreq, icmp-maskreply.

The following TCP flags field values are available: tcp-fin, tcp-syn, tcp-rst, tcp-push, tcp-ack, tcp-urg.

Primitives may be combined using:

A parenthesized group of primitives and operators (parentheses are special to the Shell and must be escaped).

Negation (`!' or `not').

Concatenation (`&&' or `and').

Alternation (`||' or `or').

Negation has highest precedence. Alternation and concatenation have equal precedence and associate left to right. Note that explicit and tokens, not juxtaposition, are now required for concatenation.

If an identifier is given without a keyword, the most recent keyword is assumed. For example,

not host vs and ace

is short for

not host vs and host ace

which should not be confused with

not ( host vs or ace )

Expression arguments can be passed to tcpdump as either a single argument or as multiple arguments, whichever is more convenient. Generally, if the expression contains Shell metacharacters, it is easier to pass it as a single, quoted argument. Multiple arguments are concatenated with spaces before being parsed.

EXAMPLES

To print all packets arriving at or departing from sundown:

tcpdump host sundown

To print traffic between helios and either hot or ace:

tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net):

tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host:

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'

To print IP packets longer than 576 bytes sent through gateway snup:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
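The proto[expr:size] accessors and the example filters above, re-implemented as an added example (Python, not tcpdump or libpcap code) so their semantics can be checked offline: each accessor reads a big-endian field at an offset relative to its layer, tcp[] and icmp[] apply the implicit frag-zero check the text describes, and the predicates mirror the example expressions. The frames are constructed inline, not captured traffic.

```python
"""tcpdump-style proto[off:size] accessors, evaluated on constructed frames.

Added example, not tcpdump or libpcap code. It re-implements the index
operation semantics the man page describes (a 1-, 2- or 4-byte big-endian
field at a byte offset relative to the named layer; tcp[]/icmp[] only on
frag zero) and expresses the man page's example filters as predicates.
"""
import struct

ETHER_HDR_LEN = 14              # Ethernet II header; ip[] offsets start after it
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6

# named offsets and values from the man page (tcpflags, icmptype, tcp-*, icmp-*)
TCPFLAGS, ICMPTYPE = 13, 0
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
ICMP_ECHOREPLY, ICMP_ECHO = 0, 8


def _field(buf, off, size):
    """Big-endian integer of `size` bytes at `off`, or None if out of range."""
    if size not in (1, 2, 4) or off < 0 or off + size > len(buf):
        return None
    return int.from_bytes(buf[off:off + size], "big")


def ether(pkt, off, size=1):
    return _field(pkt, off, size)


def ip(pkt, off, size=1):
    """ip[off:size]; None unless the frame carries IPv4."""
    if ether(pkt, 12, 2) != ETHERTYPE_IP:
        return None
    return _field(pkt, ETHER_HDR_LEN + off, size)


def _l4(pkt, proto, off, size):
    """Transport accessor with the implicit `ip[6:2] & 0x1fff = 0` check, so
    tcp[0] is the first byte of the TCP header, never of a later fragment."""
    if ip(pkt, 9) != proto or ip(pkt, 6, 2) & 0x1FFF != 0:
        return None
    ihl = (ip(pkt, 0) & 0x0F) * 4       # IP header length, options included
    return _field(pkt, ETHER_HDR_LEN + ihl + off, size)


def tcp(pkt, off, size=1):
    return _l4(pkt, IPPROTO_TCP, off, size)


def icmp(pkt, off, size=1):
    return _l4(pkt, IPPROTO_ICMP, off, size)


# The man page's example expressions as predicates. A None field (wrong
# protocol, later fragment, truncated packet) never matches, as in BPF.

def is_multicast_frame(pkt):              # ether[0] & 1 != 0
    return ether(pkt, 0) & 1 != 0

def ip_has_options(pkt):                  # ip[0] & 0xf != 5
    v = ip(pkt, 0)
    return v is not None and v & 0xF != 5

def is_frag_zero(pkt):                    # ip[6:2] & 0x1fff = 0
    v = ip(pkt, 6, 2)
    return v is not None and v & 0x1FFF == 0

def tcp_syn_or_fin(pkt):                  # tcp[tcpflags] & (tcp-syn|tcp-fin) != 0
    v = tcp(pkt, TCPFLAGS)
    return v is not None and v & (TCP_SYN | TCP_FIN) != 0

def ip_mcast_not_ether_mcast(pkt):        # ether[0] & 1 = 0 and ip[16] >= 224
    v = ip(pkt, 16)
    return ether(pkt, 0) & 1 == 0 and v is not None and v >= 224

def icmp_not_ping(pkt):   # icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply
    v = icmp(pkt, ICMPTYPE)
    return v is not None and v not in (ICMP_ECHO, ICMP_ECHOREPLY)


# Constructed sample frames (not captured traffic): Ethernet II + IPv4 + payload.

def build_frame(proto, payload, frag=0, dst_ip=b"\x0a\x00\x00\x02"):
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                        frag, 64, proto, 0, b"\x0a\x00\x00\x01", dst_ip)
    return (b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x00\x11\x22\x33\x44\x55"
            + struct.pack("!H", ETHERTYPE_IP) + iphdr + payload)

def tcp_segment(flags):
    return struct.pack("!HHIIBBHHH", 1023, 513, 768512, 0, 5 << 4, flags, 4096, 0, 0)

SYN = build_frame(IPPROTO_TCP, tcp_segment(TCP_SYN))
ACK = build_frame(IPPROTO_TCP, tcp_segment(TCP_ACK))
FRAG2 = build_frame(IPPROTO_TCP, b"\x00" * 8, frag=0x2000 | 185)   # MF set, offset 185
ECHO = build_frame(IPPROTO_ICMP, struct.pack("!BBHHH", ICMP_ECHO, 0, 0, 1, 1))
UNREACH = build_frame(IPPROTO_ICMP, struct.pack("!BBHHH", 3, 1, 0, 0, 0))
MCAST = build_frame(IPPROTO_TCP, tcp_segment(TCP_ACK), dst_ip=b"\xe0\x00\x00\x01")
```

FRAG2 shows why the implicit check matters: its IP protocol field says TCP, but tcp[tcpflags] yields nothing because the datagram is not frag zero, so the SYN/FIN filter does not fire on a fragment's payload bytes.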

OUTPUT FORMAT

The output of tcpdump is protocol dependent. The following gives a brief description and examples of most of the formats.

Link Level Headers

If the '-e' option is given, the link level header is printed out. On ethernets, the source and destination addresses, protocol, and packet length are printed.

On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.

On Token Ring networks, the '-e' option causes tcpdump to print the `access control' and `frame control' fields, the source and destination addresses, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet. Regardless of whether the '-e' option is specified or not, the source routing information is printed for source-routed packets.

(N.B.: The following description assumes familiarity with the SLIP compression algorithm described in RFC-1144.)

On SLIP links, a direction indicator (``I'' for inbound, ``O'' for outbound), packet type, and compression information are printed out. The packet type is printed first. The three types are ip, utcp, and ctcp. No further link information is printed for ip packets. For TCP packets, the connection identifier is printed following the type. If the packet is compressed, its encoded header is printed out. The special cases are printed out as *S+n and *SA+n, where n is the amount by which the sequence number (or sequence number and ack) has changed. If it is not a special case, zero or more changes are printed. A change is indicated by U (urgent pointer), W (window), A (ack), S (sequence number), and I (packet ID), followed by a delta (+n or -n), or a new value (=n). Finally, the amount of data in the packet and the compressed header length are printed.

For example, the following line shows an outbound compressed TCP packet, with an implicit connection identifier; the ack has changed by 6, the sequence number by 49, and the packet ID by 6; there are 3 bytes of data and 6 bytes of compressed header:

O ctcp * A+6 S+49 I+6 3 (6)

ARP/RARP Packets

Arp/rarp output shows the type of request and its arguments. The format is intended to be self explanatory. Here is a short sample taken from the start of an `rlogin' from host rtsg to host csam:

arp who-has csam tell rtsg
arp reply csam is-at CSAM

The first line says that rtsg sent an arp packet asking for the ethernet address of internet host csam. Csam replies with its ethernet address (in this example, ethernet addresses are in caps and internet addresses in lower case).

This would look less redundant if we had done tcpdump -n:

arp who-has 128.3.254.6 tell 128.3.254.68
arp reply 128.3.254.6 is-at 02:07:01:00:01:c4

If we had done tcpdump -e, the fact that the first packet is broadcast and the second is point-to-point would be visible:

RTSG Broadcast 0806 64: arp who-has csam tell rtsg
CSAM RTSG 0806 64: arp reply csam is-at CSAM

For the first packet this says the ethernet source address is RTSG, the destination is the ethernet broadcast address, the type field contained hex 0806 (type ETHER_ARP) and the total length was 64 bytes.

TCP Packets

(N.B.: The following description assumes familiarity with the TCP protocol described in RFC-793. If you are not familiar with the protocol, neither this description nor tcpdump will be of much use to you.)

The general format of a tcp protocol line is:

src > dst: flags data-seqno ack window urgent options

Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single '.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is 'urgent' data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Src, dst and flags are always present. The other fields depend on the contents of the packet's tcp protocol header and are output only if appropriate.

Here is the opening portion of an rlogin from host rtsg to host csam.

rtsg.1023 > csam.login: S 768512:768512(0) win 4096 <mss 1024>
csam.login > rtsg.1023: S 947648:947648(0) ack 768513 win 4096 <mss 1024>
rtsg.1023 > csam.login: . ack 1 win 4096
rtsg.1023 > csam.login: P 1:2(1) ack 1 win 4096
csam.login > rtsg.1023: . ack 2 win 4096
rtsg.1023 > csam.login: P 2:21(19) ack 1 win 4096
csam.login > rtsg.1023: P 1:2(1) ack 21 win 4077
csam.login > rtsg.1023: P 2:3(1) ack 21 win 4077 urg 1
csam.login > rtsg.1023: P 3:4(1) ack 21 win 4077 urg 1

The first line says that tcp port 1023 on rtsg sent a packet to port login on csam. The S indicates that the SYN flag was set. The packet sequence number was 768512 and it contained no data. (The notation is 'first:last(nbytes)', which means 'sequence numbers first up to but not including last, which is nbytes bytes of user data'.) There was no piggy-backed ack, the available receive window was 4096 bytes and there was a max-segment-size option requesting an mss of 1024 bytes.

Csam replies with a similar packet except it includes a piggy-backed ack for rtsg's SYN. Rtsg then acks csam's SYN. The '.' means no flags were set. The packet contained no data so there is no data sequence number. Note that the ack sequence number is a small integer (1). The first time tcpdump sees a tcp 'conversation', it prints the sequence number from the packet. On subsequent packets of the conversation, the difference between the current packet's sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation's data stream (with the first data byte in each direction being '1'). '-S' will override this feature, causing the original sequence numbers to be output.

On the 6th line, rtsg sends csam 19 bytes of data (bytes 2 through 20 in the rtsg -> csam side of the conversation). The PUSH flag is set in the packet. On the 7th line, csam says it has received data sent by rtsg up to but not including byte 21. Most of this data is apparently sitting in the socket buffer since csam's receive window has gotten 19 bytes smaller. Csam also sends one byte of data to rtsg in this packet. On the 8th and 9th lines, csam sends two bytes of urgent, pushed data to rtsg.

If the snapshot was small enough that tcpdump didn't capture the full TCP header, it interprets as much of the header as it can and then reports ``[|tcp]'' to indicate the remainder could not be interpreted. If the header contains a bogus option (one with a length that's either too small or beyond the end of the header), tcpdump reports it as ``[bad opt]'' and does not interpret any further options (since it's impossible to tell where they start). If the header length indicates options are present but the IP datagram length is not long enough for the options to actually be there, tcpdump reports it as ``[bad hdr length]''.
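
As an added illustration (not part of this manual or of tcpdump's source), the following formatter reproduces the line layout and the relative sequence numbering described above. It works on already-parsed segments and replays the nine lines of the rlogin sample from their numbers. Options such as <mss 1024> are not modelled. The rule it implements is the one the text describes: a SYN is printed with absolute numbers and records the initial sequence number for its direction (and, via its ack, for the other direction); later segments are printed as offsets from those, unless absolute mode (the -S behaviour) is requested.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = ((SYN, "S"), (FIN, "F"), (PSH, "P"), (RST, "R"))


@dataclass
class Segment:
    """One parsed TCP segment; ports may be numbers or service names."""
    src: str
    sport: object
    dst: str
    dport: object
    seq: int
    ack: int
    flags: int
    win: int
    length: int = 0   # bytes of user data carried
    urg: int = 0      # urgent pointer, printed only when URG is set


class TcpLinePrinter:
    """Format segments as 'src > dst: flags data-seqno ack window urgent'.

    The SYN that opens a conversation is printed with absolute sequence numbers
    and remembered; later segments are printed relative to it unless
    absolute=True (what -S does).
    """

    def __init__(self, absolute: bool = False):
        self.absolute = absolute
        self.base = {}   # (src, sport, dst, dport) -> initial sequence number for that direction

    def line(self, s: Segment) -> str:
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        seq, ack = s.seq, s.ack
        if s.flags & SYN:
            # A SYN (re)starts the conversation: this direction's ISN is the
            # segment's seq; if it also acks, the other side's ISN is ack - 1.
            self.base[fwd] = s.seq
            self.base[rev] = (s.ack - 1) & 0xFFFFFFFF
        elif not self.absolute and fwd in self.base:
            seq = (s.seq - self.base[fwd]) & 0xFFFFFFFF
            ack = (s.ack - self.base[rev]) & 0xFFFFFFFF
        flags = "".join(ch for bit, ch in FLAG_LETTERS if s.flags & bit) or "."
        parts = [f"{s.src}.{s.sport} > {s.dst}.{s.dport}:", flags]
        if s.length or s.flags & (SYN | FIN | RST):   # data-seqno only when it says something
            parts.append(f"{seq}:{seq + s.length}({s.length})")
        if s.flags & ACK:
            parts.append(f"ack {ack}")
        parts.append(f"win {s.win}")
        if s.flags & URG:
            parts.append(f"urg {s.urg}")
        return " ".join(parts)


def rlogin_opening(absolute: bool = False):
    """Replay the manual's rlogin sample (segments constructed from its numbers)."""
    R, C = ("rtsg", 1023), ("csam", "login")
    segs = [
        Segment(*R, *C, 768512, 0, SYN, 4096),
        Segment(*C, *R, 947648, 768513, SYN | ACK, 4096),
        Segment(*R, *C, 768513, 947649, ACK, 4096),
        Segment(*R, *C, 768513, 947649, PSH | ACK, 4096, length=1),
        Segment(*C, *R, 947649, 768514, ACK, 4096),
        Segment(*R, *C, 768514, 947649, PSH | ACK, 4096, length=19),
        Segment(*C, *R, 947649, 768533, PSH | ACK, 4077, length=1),
        Segment(*C, *R, 947650, 768533, PSH | ACK | URG, 4077, length=1, urg=1),
        Segment(*C, *R, 947651, 768533, PSH | ACK | URG, 4077, length=1, urg=1),
    ]
    printer = TcpLinePrinter(absolute)
    return [printer.line(s) for s in segs]


if __name__ == "__main__":
    print("\n".join(rlogin_opening()))
    print("--- with absolute sequence numbers (-S):")
    print("\n".join(rlogin_opening(absolute=True)))
```

Note that the ack on the SYN-ACK line stays absolute (768513), exactly as in the sample: relative numbering only begins once both directions' initial sequence numbers are known.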

Capturing TCP packets with particular flag combinations (SYN-ACK, URG-ACK, etc.)

There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let's assume that we want to watch packets used in establishing a TCP connection. Recall that TCP uses a 3-way handshake protocol when it initializes a new connection; the connection sequence with regard to the TCP control bits is

1) Caller sends SYN

2) Recipient responds with SYN, ACK

3) Caller sends ACK

Now we're interested in capturing packets that have only the SYN bit set (Step 1). Note that we don't want packets from step 2 (SYN-ACK), just a plain initial SYN. What we need is a correct filter expression for tcpdump.

Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let's have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

00000010

and its decimal representation is

   7     6     5     4     3     2     1     0
0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2  =  2

We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as

tcp[13] == 2

We can use this expression as the filter for tcpdump in order to watch packets which have only SYN set:

tcpdump -i xl0 tcp[13] == 2

The expression says "let the 13th octet of a TCP datagram have the decimal value 2", which is exactly what we want.

Now, let's assume that we need to capture SYN packets, but we don't care if ACK or any other TCP control bit is set at the same time. Let's see what happens to octet 13 when a TCP datagram with SYN-ACK set arrives:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 1 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Now bits 1 and 4 are set in the 13th octet. The binary value of octet 13 is

00010010

which translates to decimal

   7     6     5     4     3     2     1     0
0*2 + 0*2 + 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2  =  18

Now we can't just use 'tcp[13] == 18' in the tcpdump filter expression, because that would select only those packets that have SYN-ACK set, but not those with only SYN set. Remember that we don't care if ACK or any other control bit is set as long as SYN is set.

In order to achieve our goal, we need to logically AND the binary value of octet 13 with some other value to preserve the SYN bit. We know that we want SYN to be set in any case, so we'll logically AND the value in the 13th octet with the binary value of a SYN:

          00010010 SYN-ACK              00000010 SYN
     AND  00000010 (we want SYN)   AND  00000010 (we want SYN)
          --------                      --------
     =    00000010                 =    00000010

We see that this AND operation delivers the same result regardless of whether ACK or another TCP control bit is set. The decimal representation of the AND value as well as the result of this operation is 2 (binary 00000010), so we know that for packets with SYN set the following relation must hold true:

( ( value of octet 13 ) AND ( 2 ) ) == ( 2 )

This points us to the tcpdump filter expression

tcpdump -i xl0 'tcp[13] & 2 == 2'

Note that you should use single quotes or a backslash in the expression to hide the AND ('&') special character from the shell.
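
The two filters above, re-implemented in Python as an added example (not tcpdump's own code) so the arithmetic can be checked offline: the functions read tcp[13] from a raw IPv4 packet the way the filter language does (skipping the IP header first, whatever its length) and apply 'tcp[13] == 2', 'tcp[13] & 2 == 2' and the general 'tcp[13] & mask == value' form. The packets are constructed in the script. It goes one step beyond the text by including a SYN from an ECN-capable host, which also sets the ECE and CWR bits: the exact comparison misses it, the masked one catches it.

```python
import struct

# Bit positions in TCP octet 13, numbered 0-7 right to left as in the diagrams above.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
BIT_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
             ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def tcp_octet(packet: bytes, index: int) -> int:
    """tcp[index] for a raw IPv4 packet without link-layer header.

    The filter language indexes from the start of the TCP header, so the IPv4
    header (IHL * 4 bytes, longer when IP options are present) is skipped first.
    """
    if packet[9] != 6:                       # IPv4 protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + index]


def syn_only(packet: bytes) -> bool:
    """The filter  tcp[13] == 2 : a bare SYN, nothing else set."""
    return tcp_octet(packet, 13) == 2


def syn_set(packet: bytes) -> bool:
    """The filter  tcp[13] & 2 == 2 : SYN set, other bits ignored."""
    return tcp_octet(packet, 13) & 2 == 2


def flags_match(packet: bytes, mask: int, want: int) -> bool:
    """General form  tcp[13] & mask == want : examine only the bits in mask and
    require them to equal want (mask=SYN|ACK, want=SYN selects handshake step 1
    even when ECN bits are also set)."""
    return tcp_octet(packet, 13) & mask == want


def set_bits(packet: bytes):
    """Names of the control bits set in octet 13, highest bit first."""
    bits = tcp_octet(packet, 13)
    return [BIT_NAMES[b] for b in sorted(BIT_NAMES, reverse=True) if bits & b]


def build_ipv4_tcp(flags: int, sport: int = 1023, dport: int = 513) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header + 20-byte TCP header, no options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 768512, 0, 5 << 4, flags, 4096, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = {"SYN": SYN, "SYN-ACK": SYN | ACK, "ACK": ACK, "ECN SYN": SYN | ECE | CWR}
    for label, flags in samples.items():
        pkt = build_ipv4_tcp(flags)
        print(f"{label:8} tcp[13]={tcp_octet(pkt, 13):3}  tcp[13]==2: {syn_only(pkt)!s:5}  "
              f"tcp[13]&2==2: {syn_set(pkt)!s:5}  {'/'.join(set_bits(pkt))}")
```

Because an ECN-capable host's initial SYN carries ECE and CWR as well, its octet 13 is 194 rather than 2 and 'tcp[13] == 2' never sees it; a filter that is meant to isolate handshake step 1 should mask the bits it cares about, as flags_match does, rather than compare the whole octet. Current pcap-filter syntax also accepts the named form 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn', which is the same test written without magic numbers.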

UDP Packets

UDP format is illustrated by this rwho packet:

actinide.who > broadcast.who: udp 84

This says that port who on host actinide sent a udp datagram to port who on host broadcast, the Internet broadcast address. The packet contained 84 bytes of user data.

Some UDP services are recognized (from the source or destination port number) and the higher level protocol information printed. In particular, Domain Name service requests (RFC-1034/1035) and Sun RPC calls (RFC-1050) to NFS.

UDP Name Server Requests

(N.B.: The following description assumes familiarity with the Domain Service protocol described in RFC-1035. If you are not familiar with the protocol, the following description will appear to be written in Greek.)

Name server requests are formatted as

src > dst: id op? flags qtype qclass name (len)
h2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)

Host h2opolo asked the domain server on helios for an address record (qtype=A) associated with the name ucbvax.berkeley.edu. The query id was '3'. The '+' indicates the recursion desired flag was set. The query length was 37 bytes, not including the UDP and IP protocol headers. The query operation was the normal one, Query, so the op field was omitted. If the op had been anything else, it would have been printed between the '3' and the '+'. Similarly, the qclass was the normal one, C_IN, and omitted. Any other qclass would have been printed immediately after the 'A'.

A few anomalies are checked and may result in extra fields enclosed in square brackets: If a query contains an answer, authority records or additional records section, ancount, nscount, or arcount are printed as '[na]', '[nn]' or '[nau]' where n is the appropriate count. If any of the response bits are set (AA, RA or rcode) or any of the 'must be zero' bits are set in bytes two and three, '[b2&3=x]' is printed, where x is the hex value of header bytes two and three.

UDP Name Server Responses

Name server responses are formatted as

src > dst: id op rcode flags a/n/au type class data (len)
helios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)

In the first example, helios responds to query id 3 from h2opolo with 3 answer records, 3 name server records and 7 additional records. The first answer record is type A (address) and its data is internet address 128.32.137.3. The total size of the response was 273 bytes, excluding UDP and IP headers. The op (Query) and response code (NoError) were omitted, as was the class (C_IN) of the A record.

In the second example, helios responds to query 2 with a response code of non-existent domain (NXDomain) with no answers, one name server record and no additional records. The '*' indicates that the authoritative answer bit was set. Since there were no answers, no type, class or data were printed.

Other flag characters that might appear are '-' (recursion available, RA, not set) and '|' (truncated message, TC, set). If the 'question' section doesn't contain exactly one entry, '[nq]' is printed.

Note that name server requests and responses tend to be large and the default snaplen of 68 bytes may not capture enough of the packet to print the full details. Use the -s flag to increase the snaplen if you need to seriously investigate name server traffic. '-s 128' has worked well for me.
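
As an added example for the two sections above (not code from tcpdump or from this manual), here is a parser that reduces a DNS message to the one-line request and response summaries they describe: id, non-default op and rcode, the '+', '*', '-' and '|' flag characters, the answer/nameserver/additional counts, the first answer's type and data, and the '[na]' style anomaly markers on requests. The exchange it summarizes is constructed to resemble the manual's (h2opolo asking helios for ucbvax.berkeley.edu); the record contents and the NXDomain name are made up. The name decoder bounds its pointer chase so a crafted message whose compression pointer loops back on itself cannot hang it.

```python
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
OPCODES = {1: "IQuery", 2: "Status", 4: "Notify", 5: "Update"}                 # 0 (Query) is not printed
RCODES = {1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}  # 0 (NoError) is not printed


def read_name(msg: bytes, off: int):
    """Decode a domain name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at off)."""
    labels, end, jumped = [], None, False
    for _ in range(128):          # hard bound: a pointer cycle must not hang the decoder
        ln = msg[off]
        if ln & 0xC0 == 0xC0:     # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def summarize(msg: bytes) -> str:
    """Request: 'id op flags qtype? name (len)'. Response: 'id op rcode flags a/n/au type data (len)'."""
    id_, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    off, question = 12, None
    if qd:
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question = f"{QTYPES.get(qtype, str(qtype))}? {qname}"
    out = str(id_) + (" " + OPCODES.get(opcode, f"op{opcode}") if opcode else "")
    if not flags & QR:                                    # request
        out += ("+" if flags & RD else "") + ("|" if flags & TC else "")
        out += "".join(f"[{n}{tag}]" for n, tag in ((an, "a"), (ns, "n"), (ar, "au")) if n)
        if qd != 1:
            out += f"[{qd}q]"
    else:                                                 # response
        if rcode:
            out += " " + RCODES.get(rcode, f"rcode{rcode}")
        out += ("*" if flags & AA else "") + ("-" if not flags & RA else "") + ("|" if flags & TC else "")
        out += f" {an}/{ns}/{ar}"
        if an:                                            # first answer record's type and data
            _, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            data = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
            out += f" {QTYPES.get(rtype, str(rtype))} {data}"
        question = None                                   # responses show the answer, not the question
    return " ".join([out] + ([question] if question else []) + [f"({len(msg)})"])


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_message(id_: int, flags: int, qname: str, qtype: int, answers=(), authority=()) -> bytes:
    """Constructed message: one question plus records given as (type, ttl, rdata);
    each record's owner name is a pointer (0xc00c) back to the question name."""
    def rr(rtype, ttl, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", id_, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + body + b"".join(rr(*r) for r in answers) + b"".join(rr(*r) for r in authority)


# Constructed exchange modelled on the manual's sample.
QUERY = build_message(3, RD, "ucbvax.berkeley.edu", 1)
ANSWER = build_message(3, QR | RD | RA, "ucbvax.berkeley.edu", 1,
                       answers=[(1, 3600, bytes([128, 32, 137, 3]))])
NXDOMAIN = build_message(2, QR | AA | RD | RA | 3, "nosuch.berkeley.edu", 1,
                         authority=[(2, 3600, encode_name("ns.berkeley.edu"))])

if __name__ == "__main__":
    for label, msg in (("h2opolo.1538 > helios.domain", QUERY),
                       ("helios.domain > h2opolo.1538", ANSWER),
                       ("helios.domain > h2opolo.1537", NXDOMAIN)):
        print(f"{label}: {summarize(msg)}")
```

The 37-byte query matches the length in the sample above; the constructed responses are small enough to fit in a 68-byte snapshot, which the 273-byte response in the sample would not, hence the advice to raise the snaplen.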

SMB/CIFS decoding

tcpdump now includes fairly extensive SMB/CIFS/NBT decoding for data on UDP/137, UDP/138 and TCP/139. Some primitive decoding of IPX and NetBEUI SMB data is also done.

By default a fairly minimal decode is done, with a much more detailed decode done if -v is used. Be warned that with -v a single SMB packet may take up a page or more, so only use -v if you really want all the gory details.

If you are decoding SMB sessions containing unicode strings then you may wish to set the environment variable USE_UNICODE to 1. A patch to auto-detect unicode strings would be welcome.

For information on SMB packet formats and what all the fields mean see www.cifs.org or the pub/samba/specs/ directory on your favourite samba.org mirror site. The SMB patches were written by Andrew Tridgell (tridge@samba.org).

NFS Requests and Replies

Sun NFS (Network File System) requests and replies are printed as:

src.xid > dst.nfs: len op args
src.nfs > dst.xid: reply stat len op results
sushi.6709 > wrl.nfs: 112 readlink fh 21,24/10.73165
wrl.nfs > sushi.6709: reply ok 40 readlink "../var"
sushi.201b > wrl.nfs: 144 lookup fh 9,74/4096.6878 "xcolors"
wrl.nfs > sushi.201b: reply ok 128 lookup fh 9,74/4134.3150

In the first line, host sushi sends a transaction with id 6709 to wrl (note that the number following the src host is a transaction id, not the source port). The request was 112 bytes, excluding the UDP and IP headers. The operation was a readlink (read symbolic link) on file handle (fh) 21,24/10.731657119. (If one is lucky, as in this case, the file handle can be interpreted as a major,minor device number pair, followed by the inode number and generation number.) Wrl replies 'ok' with the contents of the link.

In the third line, sushi asks wrl to lookup the name 'xcolors' in directory file 9,74/4096.6878. Note that the data printed depends on the operation type. The format is intended to be self explanatory if read in conjunction with an NFS protocol spec.

If the -v (verbose) flag is given, additional information is printed. For example:

sushi.1372a > wrl.nfs: 148 read fh 21,11/12.195 8192 bytes @ 24576
wrl.nfs > sushi.1372a: reply ok 1472 read REG 100664 ids 417/0 sz 29388

(-v also prints the IP header TTL, ID, length, and fragmentation fields, which have been omitted from this example.) In the first line, sushi asks wrl to read 8192 bytes from file 21,11/12.195, at byte offset 24576. Wrl replies 'ok'; the packet shown on the second line is the first fragment of the reply, and hence is only 1472 bytes long (the other bytes will follow in subsequent fragments, but these fragments do not have NFS or even UDP headers and so might not be printed, depending on the filter expression used). Because the -v flag is given, some of the file attributes (which are returned in addition to the file data) are printed: the file type ("REG", for regular file), the file mode (in octal), the uid and gid, and the file size.

If the -v flag is given more than once, even more details are printed.

Note that NFS requests are very large and much of the detail won't be printed unless snaplen is increased. Try using '-s 192' to watch NFS traffic.

NFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of "recent" requests, and matches them to the replies using the transaction ID. If a reply does not closely follow the corresponding request, it might not be parsable.

AFS Requests and Replies

Transarc AFS (Andrew File System) requests and replies are printed as:

src.sport > dst.dport: rx packet-type
src.sport > dst.dport: rx packet-type service call call-name args
src.sport > dst.dport: rx packet-type service reply call-name args
elvis.7001 > pike.afsfs:
        rx data fs call rename old fid 536876964/1/1 ".newsrc.new"
        new fid 536876964/1/1 ".newsrc"
pike.afsfs > elvis.7001: rx data fs reply rename

In the first line, host elvis sends an RX packet to pike. This was an RX data packet to the fs (fileserver) service, and is the start of an RPC call. The RPC call was a rename, with the old directory file id of 536876964/1/1 and an old filename of '.newsrc.new', and a new directory file id of 536876964/1/1 and a new filename of '.newsrc'. The host pike responds with an RPC reply to the rename call (which was successful, because it was a data packet and not an abort packet).

In general, all AFS RPCs are decoded at least by RPC call name. Most AFS RPCs have at least some of the arguments decoded (generally only the 'interesting' arguments, for some definition of interesting).

The format is intended to be self-describing, but it will probably not be useful to people who are not familiar with the workings of AFS and RX.

If the -v (verbose) flag is given twice, acknowledgement packets and additional header information are printed, such as the RX call ID, call number, sequence number, serial number, and the RX packet flags. The MTU negotiation information is also printed from RX ack packets.

If the -v flag is given three times, the security index and service id are printed.

Error codes are printed for abort packets, with the exception of Ubik beacon packets (because abort packets are used to signify a yes vote for the Ubik protocol).

Note that AFS requests are very large and many of the arguments won't be printed unless snaplen is increased. Try using '-s 256' to watch AFS traffic.

AFS reply packets do not explicitly identify the RPC operation. Instead, tcpdump keeps track of "recent" requests, and matches them to the replies using the call number and service ID. If a reply does not closely follow the corresponding request, it might not be parsable.

KIP Appletalk (DDP in UDP)

Appletalk DDP packets encapsulated in UDP datagrams are de-encapsulated and dumped as DDP packets (i.e., all the UDP header information is discarded). The file /etc/atalk.names is used to translate appletalk net and node numbers to names. Lines in this file have the form

number      name
1.254       ether
16.1        icsd-net
1.254.110   ace

The first two lines give the names of appletalk networks. The third line gives the name of a particular host (a host is distinguished from a net by the 3rd octet in the number: a net number must have two octets and a host number must have three octets.) The number and name should be separated by whitespace (blanks or tabs). The /etc/atalk.names file may contain blank lines or comment lines (lines starting with a '#').

Appletalk addresses are printed in the form

net.host.port

144.1.209.2 > icsd-net.112.220
office.2 > icsd-net.112.220
jssmag.149.235 > icsd-net.2

(If /etc/atalk.names doesn't exist or doesn't contain an entry for some appletalk host/net number, addresses are printed in numeric form.) In the first example, NBP (DDP port 2) on net 144.1 node 209 is sending to whatever is listening on port 220 of net icsd node 112. The second line is the same except the full name of the source node is known ('office'). The third line is a send from port 235 on net jssmag node 149 to broadcast on the icsd-net NBP port (note that the broadcast address (255) is indicated by a net name with no host number; for this reason it's a good idea to keep node names and net names distinct in /etc/atalk.names).
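
The name-file format and the address rendering just described, as an added example that is not tcpdump's own code: a parser for /etc/atalk.names (two octets name a net, three name a node, comments and blank lines skipped, anything else rejected) and a formatter that applies the three cases above, including the broadcast node printing as a bare net name. The file contents are the manual's three lines plus two constructed entries ('office' and 'jssmag') so that all three sample addresses can be reproduced.

```python
ATALK_BROADCAST_NODE = 255


def parse_atalk_names(text: str):
    """Parse /etc/atalk.names lines of the form 'number name'.

    Two octets name a network, three name a node; blank lines and '#' comments
    are skipped. Returns (nets, nodes) keyed by integer tuples.
    """
    nets, nodes = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'number name', got {raw!r}")
        number, name = fields
        octets = tuple(int(o) for o in number.split("."))
        if len(octets) == 2:
            nets[octets] = name
        elif len(octets) == 3:
            nodes[octets] = name
        else:
            raise ValueError(f"line {lineno}: {number!r} is neither a net (2 octets) nor a node (3 octets)")
    return nets, nodes


def format_atalk_addr(net_hi: int, net_lo: int, node: int, port: int, nets, nodes) -> str:
    """Render net.host.port the way tcpdump does with a names file.

    A node with its own entry prints as 'name.port'; otherwise a known net name
    replaces the two net octets, and the broadcast node 255 prints as the net
    name alone, which is why node and net names should not collide.
    """
    if (net_hi, net_lo, node) in nodes:
        return f"{nodes[(net_hi, net_lo, node)]}.{port}"
    net = nets.get((net_hi, net_lo))
    if net is None:
        return f"{net_hi}.{net_lo}.{node}.{port}"
    if node == ATALK_BROADCAST_NODE:
        return f"{net}.{port}"
    return f"{net}.{node}.{port}"


# The manual's three lines plus two constructed entries.
SAMPLE_NAMES = """
# appletalk nets and nodes
1.254       ether
16.1        icsd-net
1.254.110   ace
144.1.209   office      # constructed
144.2       jssmag      # constructed
"""

if __name__ == "__main__":
    nets, nodes = parse_atalk_names(SAMPLE_NAMES)
    for addr in ((144, 1, 209, 2), (16, 1, 112, 220), (144, 2, 149, 235), (16, 1, 255, 2)):
        print(format_atalk_addr(*addr, nets, nodes))
```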

NBP (name binding protocol) and ATP (Appletalk transaction protocol) packets have their contents interpreted. Other protocols just dump the protocol name (or number if no name is registered for the protocol) and packet size.

NBP packets are formatted like the following examples:

icsd-net.112.220 > jssmag.2: nbp-lkup 190: "=:LaserWriter@*"
jssmag.209.2 > icsd-net.112.220: nbp-reply 190: "RM1140:LaserWriter@*" 250
techpit.2 > icsd-net.112.220: nbp-reply 190: "techpit:LaserWriter@*" 186

The first line is a name lookup request for laserwriters sent by net icsd host 112 and broadcast on net jssmag. The nbp id for the lookup is 190. The second line shows a reply for this request (note that it has the same id) from host jssmag.209 saying that it has a laserwriter res resource named "RM1140" registered on port 250. The third line is another reply to the same request saying host techpit has laserwriter "techpit" registered on port 186.

ATP packet formatting is demonstrated by the following example:

jssmag.209.165 > helios.132: atp-req  12266<0-7> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:0 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:1 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:2 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:4 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:6 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp*12266:7 (512) 0xae040000
jssmag.209.165 > helios.132: atp-req  12266<3,5> 0xae030001
helios.132 > jssmag.209.165: atp-resp 12266:3 (512) 0xae040000
helios.132 > jssmag.209.165: atp-resp 12266:5 (512) 0xae040000
jssmag.209.165 > helios.132: atp-rel  12266<0-7> 0xae030001
jssmag.209.133 > helios.132: atp-req* 12267<0-7> 0xae030002

Jssmag.209 initiates transaction id 12266 with host helios by requesting up to 8 packets (the '<0-7>'). The hex number at the end of the line is the value of the 'userdata' field in the request.

Helios responds with 8 512-byte packets. The ':digit' following the transaction id gives the packet sequence number in the transaction and the number in parens is the amount of data in the packet, excluding the atp header. The '*' on packet 7 indicates that the EOM bit was set.

Jssmag.209 then requests that packets 3 & 5 be retransmitted. Helios resends them, then jssmag.209 releases the transaction. Finally, jssmag.209 initiates the next request. The '*' on the request indicates that XO ('exactly once') was not set.

IP Fragmentation

Fragmented Internet datagrams are printed as

(frag id:size@offset+)
(frag id:size@offset)

(The first form indicates there are more fragments. The second indicates this is the last fragment.)

Id is the fragment id. Size is the fragment size (in bytes) excluding the IP header. Offset is this fragment's offset (in bytes) in the original datagram.

The fragment information is output for each fragment. The first fragment contains the higher level protocol header and the frag info is printed after the protocol info. Fragments after the first contain no higher level protocol header and the frag info is printed after the source and destination addresses. For example, here is part of an ftp from arizona.edu to lbl-rtsg.arpa over a CSNET connection that doesn't appear to handle 576 byte datagrams:

arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

There are a couple of things to note here: First, addresses in the 2nd line don't include port numbers. This is because the TCP protocol information is all in the first fragment and we simply don't know what the port or sequence numbers are when we print the later fragments. Second, the tcp sequence information in the first line is printed as if there were 308 bytes of user data when, in fact, there are 512 bytes (308 in the first frag and 204 in the second). If you are looking for holes in the sequence space or trying to match up acks with packets, this can fool you.

A packet with the IP don't fragment flag is marked with a trailing (DF).
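
The following is an added example (not tcpdump's own code) that works through the fragment notation and the caveat above: it decodes the fragment fields of a raw IPv4 packet into the '(frag id:size@offset+)', '(frag id:size@offset)' or '(DF)' suffix, then reassembles a datagram from its fragments, reporting the byte ranges that never arrived and refusing overlapping fragments rather than guessing which copy wins. The two fragments are constructed to match the arizona -> rtsg numbers (id 0x595a, 328 bytes then 204 bytes at offset 328); the addresses and the TCP header inside the first fragment are made up. It also computes the 308-versus-512 discrepancy the text warns about.

```python
import struct

IP_DF, IP_MF, IP_OFFMASK = 0x4000, 0x2000, 0x1FFF


def frag_info(packet: bytes):
    """(id, size, offset, more_fragments, dont_fragment) for a raw IPv4 packet;
    size excludes the IP header and offset is converted from 8-byte units to bytes."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return (ident, total_len - ihl, (flags_off & IP_OFFMASK) * 8,
            bool(flags_off & IP_MF), bool(flags_off & IP_DF))


def frag_suffix(packet: bytes) -> str:
    """The trailing '(frag id:size@offset+)', '(frag id:size@offset)' or '(DF)'."""
    ident, size, offset, mf, df = frag_info(packet)
    if mf or offset:
        return f"(frag {ident:x}:{size}@{offset}{'+' if mf else ''})"
    return "(DF)" if df else ""


def reassemble(fragments):
    """Join the fragments of one datagram (any arrival order) into its payload.

    Returns (payload, holes). holes lists (start, end) byte ranges never seen;
    an end of None means the tail is missing because the last fragment held
    still had MF set. Overlapping fragments are refused: different stacks keep
    different copies, so the reassembled bytes would be ambiguous.
    """
    ordered = sorted(((frag_info(p), p) for p in fragments), key=lambda x: x[0][2])
    if len({info[0] for info, _ in ordered}) != 1:
        raise ValueError("fragments belong to different datagrams")
    payload, holes, expected = b"", [], 0
    for (_, size, offset, _, _), p in ordered:
        if offset < expected:
            raise ValueError(f"fragment at offset {offset} overlaps data already received")
        if offset > expected:
            holes.append((expected, offset))
        ihl = (p[0] & 0x0F) * 4
        payload += p[ihl:ihl + size]
        expected = offset + size
    if ordered[-1][0][3]:           # last fragment we hold still says 'more fragments'
        holes.append((expected, None))
    return payload, holes


def build_fragment(ident: int, payload: bytes, offset: int, more: bool, df: bool = False) -> bytes:
    """Constructed IPv4 packet: minimal 20-byte header carrying one fragment (documentation addresses)."""
    flags_off = (IP_MF if more else 0) | (IP_DF if df else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload


def user_data_in_first_fragment(packet: bytes) -> int:
    """What the first fragment's TCP line can report: its own bytes minus the TCP header."""
    ihl = (packet[0] & 0x0F) * 4
    tcp_hdr_len = (packet[ihl + 12] >> 4) * 4
    return frag_info(packet)[1] - tcp_hdr_len


# Constructed copy of the sample: the first fragment's 328 bytes are a 20-byte TCP
# header (ftp-data -> 1170, ACK set) followed by 308 bytes of user data.
TCP_HEADER = struct.pack("!HHIIBBHHH", 20, 1170, 1024, 1, 5 << 4, 0x10, 4096, 0, 0)
FIRST = build_fragment(0x595a, TCP_HEADER + b"A" * 308, 0, more=True)
SECOND = build_fragment(0x595a, b"B" * 204, 328, more=False)
UNFRAGMENTED_DF = build_fragment(0x595a, TCP_HEADER, 0, more=False, df=True)

if __name__ == "__main__":
    print(frag_suffix(FIRST), frag_suffix(SECOND), frag_suffix(UNFRAGMENTED_DF))
    payload, holes = reassemble([SECOND, FIRST])
    print(user_data_in_first_fragment(FIRST), "bytes shown on the first fragment's line,",
          len(payload) - 20, "bytes of user data in the whole datagram; holes:", holes)
```

Reassembling before interpreting the transport header is what removes the 308-versus-512 confusion; tcpdump prints per fragment because it does not hold state across them, so any sequence-space accounting done from its output has to add the later fragments' sizes back in by hand.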

Timestamps

By default, all output lines are preceded by a timestamp. The timestamp is the current clock time in the form

hh:mm:ss.frac

and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet. No attempt is made to account for the time lag between when the ethernet interface removed the packet from the wire and when the kernel serviced the 'new packet' interrupt.

SEE ALSO

traffic(1C), nit(4P), bpf(4), pcap(3)

Important: use the man command (% man) to see how the command is used on your particular computer.