Translated:20140915 Linux FAQs with Answers--How to capture TCP SYN, ACK or FIN packets with tcpdump.md

GOLinux 2014-09-19 09:10:41 +08:00
parent 72fa2c8148
commit d256a3d70f
2 changed files with 41 additions and 42 deletions

View File

@ -1,42 +0,0 @@
Translating by GOLinux ...
Linux FAQs with Answers--How to capture TCP SYN, ACK and FIN packets with tcpdump
================================================================================
> **Question**: I want to monitor TCP connection dynamics (e.g., three-way handshake for connection establishment, and four-way handshake for connection tear-down). For that, I need to capture only TCP control packets such as those with SYN, ACK or FIN flag set. How can I use tcpdump to capture TCP SYN, ACK, and/or FYN packets only?
As a de-facto packet capture tool, tcpdump provides powerful and flexible packet filtering capabilities. The libpcap packet capture engine which tcpdump is based upon supports standard packet filtering rules such as 5-tuple packet header based filtering (i.e., based on source/destination IP addresses/ports and IP protocol type).
The packet filtering rules of tcpdump/libpcap also supports more general packet expressions, where arbitrary byte ranges in a packet are checked with relation or binary operators. For byte range representation, you can use the following format:
proto [ expr : size ]
"proto" can be one of well-known protocols (e.g., ip, arp, tcp, udp, icmp, ipv6). "expr" represents byte offset relative to the beginning of a specified protocol header. There exist well-known byte offsets such as tcpflags, or value constants such as tcp-syn, tcp-ack or tcp-fin. "size" is optional, indicating the number of bytes to check starting from the byte offset.
Using this format, you can filter TCP SYN, ACK or FIN packets as follows.
To capture only TCP SYN packets:
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"
To capture only TCP ACK packets:
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"
To capture only TCP FIN packets:
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"
To capture only TCP SYN or ACK packets:
# tcpdump -r <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
![](https://farm4.staticflickr.com/3923/15050566798_db14aea9a9_z.jpg)
--------------------------------------------------------------------------------
via: http://ask.xmodulo.com/capture-tcp-syn-ack-fin-packets-tcpdump.html
作者:[作者名][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
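Review bot: the English source being removed here carries two defects that a translation should not inherit, so they are worth checking in the new file. In the last command, `# tcpdump -r <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"`, the `-r` flag makes tcpdump read a saved capture file, not listen on an interface; the three commands above it correctly use `-i`. In the question block, "FYN" is a typo for "FIN".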

View File

@ -0,0 +1,41 @@
Linux有问必答——如何使用tcpdump来捕获TCP SYNACK和FIN包
================================================================================
> **问题**我想要监控TCP连接活动建立连接的三次握手以及断开连接的四次握手。要完成此事我只需要捕获TCP控制包如SYNACK或FIN标记相关的包。我怎样使用tcpdump来仅仅捕获TCP SYNACK和/或FYN包
作为事实上的捕获工具tcpdump提供了强大而又灵活的包过滤功能。作为tcpdump基础的libpcap包捕获引擎支持标准的包过滤规则如基于5重包头的过滤如基于源/目的IP地址/端口和IP协议类型
tcpdump/libpcap的包过滤规则也支持更多通用分组表达式在这些表达式中包中的任意字节范围都可以使用关系或二进制操作符进行检查。对于字节范围表达你可以使用以下格式
proto [ expr : size ]
“proto”可以是熟知的协议之一如iparptcpudpicmpipv6“expr”表示与指定的协议头开头相关的字节偏移量。有我们熟知的直接偏移量如tcpflags也有取值常量如tcp-syntcp-ack或者tcp-fin。“size”是可选的表示从字节偏移量开始检查的字节数量。
使用这种格式你可以像下面这样过滤TCP SYNACK或FIN包。
只捕获TCP SYN包
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-syn) != 0"
只捕获TCP ACK包
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-ack) != 0"
只捕获TCP FIN包
# tcpdump -i <interface> "tcp[tcpflags] & (tcp-fin) != 0"
之捕获TCP SYN或ACK包
# tcpdump -r <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"
![](https://farm4.staticflickr.com/3923/15050566798_db14aea9a9_z.jpg)
--------------------------------------------------------------------------------
via: http://ask.xmodulo.com/capture-tcp-syn-ack-fin-packets-tcpdump.html
作者:[作者名][a]
译者:[GOLinux](https://github.com/GOLinux)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
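Review bot: the heading `之捕获TCP SYN或ACK包` has a typo: `之` should be `只`, matching the three headings above it. The command under it still reads `# tcpdump -r <interface> "tcp[tcpflags] & (tcp-syn|tcp-ack) != 0"`; `-r` takes a pcap file as its argument, so this should be `-i <interface>` like the other three commands. The question block also keeps "FYN" from the source, which should be "FIN".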