tcpdump: a powerful network packet capture tool (tutorial)

Keywords: Programming network sudo

tcpdump

tcpdump is an essential tool when debugging network communication programs. It is very powerful: you can see every detail of the communication. For TCP, for example, you can see the three-way handshake, the PUSH/ACK data pushes and the four-way close, including the number of bytes and the time of every packet received.

Usage

The simplest example is:

sudo tcpdump -i any tcp port 9501

The -i parameter specifies the network interface; any means all interfaces
tcp restricts the capture to the TCP protocol
port specifies the port to capture
tcpdump requires root permission. If you want to see the data content of the communication, add the -Xnlps0 parameters (-X prints hex and ASCII, -n disables name resolution, -l line-buffers the output, -p disables promiscuous mode, -s0 captures whole packets). For more parameters, see the tcpdump man page or other articles online

Output

13:29:07.788802 IP localhost.42333 > localhost.9501: Flags [S], seq 828582357, win 43690, options [mss 65495,sackOK,TS val 2207513 ecr 0,nop,wscale 7], length 0
13:29:07.788815 IP localhost.9501 > localhost.42333: Flags [S.], seq 1242884615, ack 828582358, win 43690, options [mss 65495,sackOK,TS val 2207513 ecr 2207513,nop,wscale 7], length 0
13:29:07.788830 IP localhost.42333 > localhost.9501: Flags [.], ack 1, win 342, options [nop,nop,TS val 2207513 ecr 2207513], length 0
13:29:10.298686 IP localhost.42333 > localhost.9501: Flags [P.], seq 1:5, ack 1, win 342, options [nop,nop,TS val 2208141 ecr 2207513], length 4
13:29:10.298708 IP localhost.9501 > localhost.42333: Flags [.], ack 5, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 0
13:29:10.298795 IP localhost.9501 > localhost.42333: Flags [P.], seq 1:13, ack 5, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 12
13:29:10.298803 IP localhost.42333 > localhost.9501: Flags [.], ack 13, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 0
13:29:11.563361 IP localhost.42333 > localhost.9501: Flags [F.], seq 5, ack 13, win 342, options [nop,nop,TS val 2208457 ecr 2208141], length 0
13:29:11.563450 IP localhost.9501 > localhost.42333: Flags [F.], seq 13, ack 6, win 342, options [nop,nop,TS val 2208457 ecr 2208457], length 0
13:29:11.563473 IP localhost.42333 > localhost.9501: Flags [.], ack 14, win 342, options [nop,nop,TS val 2208457 ecr 2208457], length 0

13:29:11.563473 is the timestamp, with microsecond precision
localhost.42333 > localhost.9501 indicates the direction of the traffic: 42333 is the client and 9501 is the server
[S] indicates that this is a SYN request
[.] indicates that this is an ACK packet (a trailing . after another flag, as in [S.], means ACK is set as well); (client) SYN -> (server) SYN-ACK -> (client) ACK is the three-way handshake
[P] indicates that this is a data push (PSH), which can go from the server to the client or from the client to the server
[F] indicates that this is a FIN packet, i.e. a close-connection operation, which can be initiated by either the client or the server
[R] indicates that this is an RST packet, which ends the connection like F does. However, RST means the connection was closed while there was still unprocessed data; it can be understood as a forced disconnection
win 342 is the sliding window size
length 12 is the size of the data carried by the packet, in bytes
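As an added example (not code from the original post or from the Swoole wiki), here is a small Python parser for the capture lines above that reconstructs what the text describes: whether the three-way handshake completed, how many payload bytes flowed in each direction, and whether the connection ended with FIN or RST. The regular expression and the helper names are my own, written against the default tcpdump output format shown above; the capture is the one printed on this page.

```python
import re
from datetime import datetime
# One tcpdump TCP line in the default format shown above: timestamp, src.port > dst.port, flags, seq/ack, win, options, length
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\],"
    r"(?: seq (\d+)(?::\d+)?,)?(?: ack (\d+),)? win (\d+)(?:, options \[[^\]]*\])?, length (\d+)$")
# The capture printed on this page: client port 42333 talking to a server on port 9501.
CAPTURE = """\
13:29:07.788802 IP localhost.42333 > localhost.9501: Flags [S], seq 828582357, win 43690, options [mss 65495,sackOK,TS val 2207513 ecr 0,nop,wscale 7], length 0
13:29:07.788815 IP localhost.9501 > localhost.42333: Flags [S.], seq 1242884615, ack 828582358, win 43690, options [mss 65495,sackOK,TS val 2207513 ecr 2207513,nop,wscale 7], length 0
13:29:07.788830 IP localhost.42333 > localhost.9501: Flags [.], ack 1, win 342, options [nop,nop,TS val 2207513 ecr 2207513], length 0
13:29:10.298686 IP localhost.42333 > localhost.9501: Flags [P.], seq 1:5, ack 1, win 342, options [nop,nop,TS val 2208141 ecr 2207513], length 4
13:29:10.298708 IP localhost.9501 > localhost.42333: Flags [.], ack 5, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 0
13:29:10.298795 IP localhost.9501 > localhost.42333: Flags [P.], seq 1:13, ack 5, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 12
13:29:10.298803 IP localhost.42333 > localhost.9501: Flags [.], ack 13, win 342, options [nop,nop,TS val 2208141 ecr 2208141], length 0
13:29:11.563361 IP localhost.42333 > localhost.9501: Flags [F.], seq 5, ack 13, win 342, options [nop,nop,TS val 2208457 ecr 2208141], length 0
13:29:11.563450 IP localhost.9501 > localhost.42333: Flags [F.], seq 13, ack 6, win 342, options [nop,nop,TS val 2208457 ecr 2208457], length 0
13:29:11.563473 IP localhost.42333 > localhost.9501: Flags [.], ack 14, win 342, options [nop,nop,TS val 2208457 ecr 2208457], length 0
"""

def parse_line(line):
    """Parse one tcpdump line into a dict; returns None when the format does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sh, sp, dh, dp, flags, seq, ack, win, length = m.groups()
    return {"time": datetime.strptime(ts, "%H:%M:%S.%f"), "src": (sh, int(sp)), "dst": (dh, int(dp)),
            "flags": flags, "seq": seq and int(seq), "ack": ack and int(ack), "win": int(win),
            "length": int(length)}  # bytes of payload carried by this segment

def summarize(text, server_port):
    """Handshake (SYN, SYN-ACK, bare ACK), payload bytes per direction, close type and duration."""
    pkts = [p for p in map(parse_line, text.splitlines()) if p]
    if not pkts:
        return {}
    to_srv = [p for p in pkts if p["dst"][1] == server_port]
    from_srv = [p for p in pkts if p["src"][1] == server_port]
    fl_c, fl_s = [p["flags"] for p in to_srv], [p["flags"] for p in from_srv]
    fin_c, fin_s = any("F" in f for f in fl_c), any("F" in f for f in fl_s)
    if any("R" in f for f in fl_c + fl_s):
        close = "RST"          # forced disconnect; unread data may have been discarded
    elif fin_c and fin_s:
        close = "FIN"          # orderly four-way close, both sides sent FIN
    else:
        close = "half-closed" if fin_c or fin_s else "open"
    return {"packets": len(pkts),
            "handshake_complete": "S" in fl_c and "S." in fl_s and "." in fl_c,
            "bytes_client_to_server": sum(p["length"] for p in to_srv),
            "bytes_server_to_client": sum(p["length"] for p in from_srv),
            "close": close, "duration_s": (pkts[-1]["time"] - pkts[0]["time"]).total_seconds()}
```

Run summarize(CAPTURE, 9501) to get the figures for the capture above; feeding it a capture that ends in an [R] segment instead reports close as "RST", the forced-disconnect case the text describes.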

Reprinted from https://wiki.swoole.com/#/other/tools?id=tcpdump

Posted by johnrcornell on Sat, 14 Mar 2020 01:03:59 -0700