如何使用 tcpdump 查看完整的 snaplen 捕获？

发布于 2024-11-25 21:27:34 字数 1651 浏览 1 评论 0原文

使用 tcpdump 时，我似乎无法看到捕获的所有数据。具体来说，我似乎从帧头丢失了 6 个字节，我想知道是否有人可以解释原因。

为了说明这一点，我在 VMWare 上以仅主机网络配置设置了一个 Ubuntu 实例。为了生成流量，我 ping VMWare 网关...在我的例子中：

$ ping 192.168.153.1

现在捕获并打印数据：

$ tcpdump -i eth0 -x -s 64
...
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
    0x0000:  4500 0054 2313 4000 4001 63bf c0a8 9901
    0x0010:  c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
    0x0020:  1d64 0600 0809 0a0b 0c0d 0e0f
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
    0x0000:  4500 0054 0000 4000 4001 86d2 c0a8 9984
    0x0010:  c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
    0x0020:  e463 0600 0809 0a0b 0c0d 0e0f

正如预期的那样，此时显示的总字节数不是 64；数据链路标头被隐藏，IP 字节是第一个出现的，即“4500”。为了显示数据链路头字节，我添加了另一个 x。

$ tcpdump -i eth0 -xx -s 64
...
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
10:29:30.522884 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 502, length 64
    0x0000:  0050 56c0 0001 000c 292a 4f6c 0800 4500
    0x0010:  0054 0000 4000 4001 86d2 c0a8 9984 c0a8
    0x0020:  9901 0800 f77b 0b8f 01f6 7ab3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f

现在显示更多字节。我认为它们是以太网帧头的 14 个字节（dest，源 MAC + ethertype = 14 个字节）。相应地，IP 标头现在从 14 个字节开始。

但为什么还少了6个字节呢？请注意，仅显示 58 个字节 - 我预计 64 个字节可见。

原文

I can't seem to see all the data of a capture when using tcpdump. Specifically I seem to be missing 6 bytes off of the head of the frame and I'm wondering if anyone can explain why.

To illustrate, I setup a Ubuntu instance on VMWare in a host-only network configuration. To generate traffic I ping the VMWare gateway... in my case:

$ ping 192.168.153.1

Now to capture and print the data:

$ tcpdump -i eth0 -x -s 64
...
10:23:24.419067 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 137, length 64
    0x0000:  4500 0054 2313 4000 4001 63bf c0a8 9901
    0x0010:  c0a8 9984 0000 af80 0b8f 0089 0cb2 294e
    0x0020:  1d64 0600 0809 0a0b 0c0d 0e0f
10:23:25.418807 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 138, length 64
    0x0000:  4500 0054 0000 4000 4001 86d2 c0a8 9984
    0x0010:  c0a8 9901 0800 df7f 0b8f 008a 0db2 294e
    0x0020:  e463 0600 0809 0a0b 0c0d 0e0f

As expected at this point the total number of bytes show is not 64; the data-link headers are hidden and the IP bytes are the first ones to appear, ie '4500'. To display the data-link header bytes I add another x.

$ tcpdump -i eth0 -xx -s 64
...
10:29:29.523043 IP 192.168.153.1 > ubuntu.local: ICMP echo reply, id 2959, seq 501, length 64
    0x0000:  000c 292a 4f6c 0050 56c0 0001 0800 4500
    0x0010:  0054 b305 4000 4001 d3cc c0a8 9901 c0a8
    0x0020:  9984 0000 007d 0b8f 01f5 79b3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f
10:29:30.522884 IP ubuntu.local > 192.168.153.1: ICMP echo request, id 2959, seq 502, length 64
    0x0000:  0050 56c0 0001 000c 292a 4f6c 0800 4500
    0x0010:  0054 0000 4000 4001 86d2 c0a8 9984 c0a8
    0x0020:  9901 0800 f77b 0b8f 01f6 7ab3 294e 5cfa
    0x0030:  0700 0809 0a0b 0c0d 0e0f

Now more bytes are shown. I think they are the 14 bytes of the ethernet frame header (dest,source MAC + ethertype = 14 bytes). Correspondingly the IP header now starts 14 bytes down the line.

But why are there still 6 bytes missing? Notice that only 58 bytes are shown - I was expecting to 64 bytes to be visible.

分享到QQ

分享到微博