设为首页收藏本站

LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
LinuxSir.cn,穿越时空的Linuxsir!»论坛 运维技术 —— LinuxSir.cn 网络技术\网络安全讨论 请教tcpdump的输出说明
返回列表 发新帖
查看: 1644|回复: 1

请教tcpdump的输出说明

[复制链接]
orphen
发表于 2007-5-23 15:49:02 | 显示全部楼层 |阅读模式
tcpdump抓包的输出说明有些不理解
[root@db ~]# tcpdump -n -v -s 0 -w bbb
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
54 packets captured                  捕获的
3 packets received by filter        收到的
0 packets dropped by kernel     丢弃的

后面这3行不理解,为什么收到的不等于捕获的?而且收到的小于捕获的。
  1. [root@db ~]# tcpdump -r bbb
  2. reading from file bbb, link-type EN10MB (Ethernet)
  3. 16:00:21.676513 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 145734099:145734147(48) ack 1858799498 win 1818
  4. 16:00:21.676916 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 48 win 8232
  5. 16:00:21.676930 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 48:160(112) ack 1 win 1818
  6. 16:00:21.850414 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 160 win 8120
  7. 16:00:22.341380 arp who-has 59.73.152.242 tell 59.73.152.239
  8. 16:00:22.677543 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 160:208(48) ack 1 win 1818
  9. 16:00:22.698650 arp who-has 59.73.152.167 tell 59.73.152.129
  10. 16:00:22.856405 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 208 win 8072
  11. 16:00:23.677541 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 208:256(48) ack 1 win 1818
  12. 16:00:23.862418 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 256 win 8024
  13. 16:00:24.678652 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 256:304(48) ack 1 win 1818
  14. 16:00:24.868391 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 304 win 7976
  15. 16:00:25.679575 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 304:352(48) ack 1 win 1818
  16. 16:00:25.874375 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 352 win 7928
  17. 16:00:26.680585 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 352:400(48) ack 1 win 1818
  18. 16:00:26.880368 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 400 win 7880
  19. 16:00:27.681626 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 400:448(48) ack 1 win 1818
  20. 16:00:27.785770 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 448 win 7832
  21. 16:00:28.682612 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 448:496(48) ack 1 win 1818
  22. 16:00:28.791755 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 496 win 7784
  23. 16:00:29.682635 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 496:544(48) ack 1 win 1818
  24. 16:00:29.797745 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 544 win 7736
  25. 16:00:30.683647 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 544:592(48) ack 1 win 1818
  26. 16:00:30.803739 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 592 win 7688
  27. 16:00:31.684663 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 592:640(48) ack 1 win 1818
  28. 16:00:31.809721 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 640 win 7640
  29. 16:00:32.685691 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 640:688(48) ack 1 win 1818
  30. 16:00:32.815710 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 688 win 7592
  31. 16:00:33.686697 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 688:736(48) ack 1 win 1818
  32. 16:00:33.821701 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 736 win 7544
  33. 16:00:34.687704 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 736:784(48) ack 1 win 1818
  34. 16:00:34.827686 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 784 win 7496
  35. 16:00:35.687726 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 784:832(48) ack 1 win 1818
  36. 16:00:35.833677 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 832 win 7448
  37. 16:00:36.688739 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 832:880(48) ack 1 win 1818
  38. 16:00:36.839667 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 880 win 7400
  39. 16:00:36.870013 00:d0:f8:8b:ce:9f > 01:80:c2:00:00:02, ethertype Unknown (0x8809), length 109:
  40.         0x0000:  1001 1100 00b4 0107 0700 d0f8 8bce 9e02  ................
  41.         0x0010:  0706 4661 302f 3600 100d 0100 d0f8 8bce  ..Fa0/6.........
  42.         0x0020:  9e01 0000 0000 0011 0200 0017 0500 d0f8  ................
  43.         0x0030:  0100 1705 00d0 f805 0117 0500 d0f8 0203  ................
  44.         0x0040:  170a 00d0 f804 0000 0000 0000 170b 00d0  ................
  45.         0x0050:  f803 5377 6974 6368 0017 0400 d0f8 ff    ..Switch.......
  46. 16:00:37.689780 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 880:928(48) ack 1 win 1818
  47. 16:00:37.845656 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 928 win 7352
  48. 16:00:38.690772 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 928:976(48) ack 1 win 1818
  49. 16:00:38.851647 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 976 win 7304
  50. 16:00:39.691791 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 976:1024(48) ack 1 win 1818
  51. 16:00:39.857627 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1024 win 8760
  52. 16:00:40.692803 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 1024:1072(48) ack 1 win 1818
  53. 16:00:40.863635 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1072 win 8712
  54. 16:00:41.692906 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 1072:1120(48) ack 1 win 1818
  55. 16:00:41.869621 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1120 win 8664
  56. 16:00:42.693846 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 1120:1168(48) ack 1 win 1818
  57. 16:00:42.875608 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1168 win 8616
  58. 16:00:43.694974 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 1168:1216(48) ack 1 win 1818
  59. 16:00:43.881613 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1216 win 8568
  60. 16:00:44.695873 IP db.syiae.edu.cn.56789 > 59.73.158.253.2526: P 1216:1264(48) ack 1 win 1818
  61. 16:00:44.887605 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: . ack 1264 win 8520
  62. 16:00:45.075724 IP 59.73.158.253.2526 > db.syiae.edu.cn.56789: P 1:81(80) ack 1264 win 8520
复制代码
回复

使用道具 举报

晨想
发表于 2007-5-23 22:45:25 | 显示全部楼层
man tcpdump:

       When tcpdump finishes capturing packets, it will report counts of:

              packets ``captured'' (this is the number of packets that tcpdump has received and processed);

              packets ``received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS
              was configured - if a filter was specified on the command line, on some OSes it  counts  packets  regardless  of  whether  they  were
              matched  by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and
              processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has
              read  and  processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed
              by tcpdump);

              packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet  capture
              mechanism  in  the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as
              0).
回复 支持 反对

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表