Experimental analysis of tcpdump

Keywords: yum network

Experimental preparation

  1. Install the nc tool: yum install nc
  2. Capture traffic on the loopback interface: tcpdump -i lo -n -nn tcp port 8888
  3. Establish a TCP connection (or, with -u, a UDP one) from local port 1234: nc -p 1234 10.96.78.213 8888

Packet analysis

  • 14:07:53.220954 is the timestamp, accurate to the microsecond; adding -t suppresses it;
  • 10.96.78.213.1234 means IP 10.96.78.213, port 1234; -n / -nn print numeric addresses and ports, whereas the default resolves them to host and service names;
  • 10.96.78.213.1234 > 10.96.78.213.8888 is the direction of the data flow (source > destination);
  • Flag meanings: S (SYN, connection request), . (ACK, acknowledgement), P (PSH, data being pushed to the receiver), F (FIN, normal connection close, no data loss), R (RST, forced connection close, possible data loss);
  • win 342 is the advertised TCP receive window (when a wscale option was negotiated in the handshake, as here with wscale 7, the real window is this value shifted left by the scale factor);
  • length 0 is the size of the TCP payload carried by the packet;
//Three-way handshake: establishing the TCP connection
14:07:53.220954 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [S], seq 1057661546, win 43690, options [mss 65495,sackOK,TS val 1879360564 ecr 0,nop,wscale 7], length 0
14:01:06.103599 IP 10.96.78.213.8888 > 10.96.78.213.1234: Flags [S.], seq 2496367938, ack 1057661547, win 43690, options [mss 65495,sackOK,TS val 1879360564 ecr 1879360564,nop,wscale 7], length 0
14:07:53.221003 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [.], ack 1, win 342, options [nop,nop,TS val 1879360564 ecr 1879360564], length 0

//Client sends a request
14:08:18.802016 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [P.], seq 1:7, ack 1, win 342, options [nop,nop,TS val 1879386145 ecr 1879360564], length 6
14:08:18.802041 IP 10.96.78.213.8888 > 10.96.78.213.1234: Flags [.], ack 7, win 342, options [nop,nop,TS val 1879386145 ecr 1879386145], length 0
//Server sends response
14:08:18.802683 IP 10.96.78.213.8888 > 10.96.78.213.1234: Flags [P.], seq 1:107, ack 7, win 342, options [nop,nop,TS val 1879386146 ecr 1879386145], length 106
14:08:18.802695 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [.], ack 107, win 342, options [nop,nop,TS val 1879386146 ecr 1879386146], length 0

//The server actively closes the connection
14:08:18.802800 IP 10.96.78.213.8888 > 10.96.78.213.1234: Flags [F.], seq 107, ack 7, win 342, options [nop,nop,TS val 1879386146 ecr 1879386146], length 0
14:08:18.842051 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [.], ack 108, win 342, options [nop,nop,TS val 1879386186 ecr 1879386146], length 0
//Client actively closes the connection
14:20:49.874086 IP 10.96.78.213.1234 > 10.96.78.213.8888: Flags [F.], seq 7, ack 108, win 342, options [nop,nop,TS val 1880137218 ecr 1879386146], length 0
//The late client FIN is answered with an RST from the server side: forced close
14:20:49.874107 IP 10.96.78.213.8888 > 10.96.78.213.1234: Flags [R], seq 2496368046, win 0, length 0
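To turn lines like the ones above into something checkable rather than read by eye, here is an added example (not part of the original post) that parses tcpdump -nn TCP records and reconstructs the connection: who initiated it, whether the SYN-ACK acknowledges the client's ISN + 1, bytes carried in each direction, which side sent the first FIN or the RST, and the client's real window once the wscale from its SYN is applied. The field names and the summary dict are this example's own choices; feed it the eleven capture lines printed above.

```python
import re

# One TCP record as printed by "tcpdump -nn" (numeric hosts and ports; seq, ack and options may be absent).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?, win (?P<win>\d+)"
    r"(?:, options \[(?P<opts>[^\]]*)\])?, length (?P<length>\d+)$")

def parse_line(line):
    """Field dict for one tcpdump TCP line, or None if the line is not such a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = {k: (int(v) if k in ("sport", "dport", "seq", "ack", "win", "length") and v else v)
         for k, v in m.groupdict().items()}
    ws = re.search(r"wscale (\d+)", p["opts"] or "")      # only SYN / SYN-ACK carry the scale option
    p["wscale"] = int(ws.group(1)) if ws else None
    return p

def effective_window(win, wscale):
    """Bytes the receiver really accepts: the advertised 'win' shifted by the wscale that host sent in its SYN."""
    return win << (wscale or 0)

def summarize(lines):
    """Reconstruct one connection from its tcpdump lines: initiator, handshake check, bytes per direction, close."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts or pkts[0]["flags"] != "S":
        raise ValueError("capture must start with the client's SYN")
    client = (pkts[0]["src"], pkts[0]["sport"])

    def side(p):
        return "client" if (p["src"], p["sport"]) == client else "server"

    flags = [p["flags"] for p in pkts]
    # Handshake: SYN, SYN-ACK whose ack is the client ISN + 1 (absolute numbers), then the bare ACK.
    handshake_ok = flags[:3] == ["S", "S.", "."] and pkts[1]["ack"] == pkts[0]["seq"] + 1
    wscale = {(p["src"], p["sport"]): p["wscale"] for p in pkts if "S" in p["flags"]}
    client_after_hs = [p for p in pkts if "S" not in p["flags"] and side(p) == "client"]
    return {
        "client": "%s:%d" % client,
        "handshake_ok": handshake_ok,
        "bytes_client_to_server": sum(p["length"] for p in pkts if side(p) == "client"),
        "bytes_server_to_client": sum(p["length"] for p in pkts if side(p) == "server"),
        "first_fin_from": next((side(p) for p in pkts if "F" in p["flags"]), None),
        "rst_from": next((side(p) for p in pkts if "R" in p["flags"]), None),
        # e.g. win 342 from the client with wscale 7 means a real window of 342 * 128 bytes
        "client_window_bytes": (effective_window(client_after_hs[0]["win"], wscale.get(client))
                                if client_after_hs else None),
    }
```

On the capture above the summary reports a completed handshake, 6 bytes client to server, 106 bytes back, the first FIN and the RST both from the server side, and a client window of 43776 bytes.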

Reference resources:

  1. nc usage: https://www.ifmicro.com/records/2017/12/12/netcat-usage/

Posted by jacinthe on Mon, 11 Nov 2019 09:10:22 -0800