http://www.chinalinuxpub.com/doc/www.siliconvalleyccie.com/linux-hn/network-trouble.htm
Tcpdump is one of the most popular packages for viewing the flow of packets through your Linux box's NIC. It is installed by default on RedHat Linux and has very simple syntax, especially if you are doing simpler types of troubleshooting.
One of the most common uses of tcpdump is to determine whether you are getting basic two way communication. Lack of communication could be due to:
Analyzing tcpdump in much greater detail is beyond the scope of this section.
Like most Linux commands, tcpdump uses command line switches to modify the output. Some of the more useful command line switches would include:
Possible TCPdump Messages
tcpdump command switch   Description
-c count                 Stop after viewing count packets.
-i interface             Listen on interface. If this is not specified, then tcpdump will use the lowest numbered interface that is UP.
-t                       Don't print a timestamp at the beginning of each line.
You can also add expressions after all the command line switches. These act as filters to limit the volume of data presented on the screen. You can also use keywords such as "and" or "or" between expressions to further fine-tune your selection criteria. Some useful expressions include:
Useful TCPdump Expressions
tcpdump command expression   Description
host host-address            View packets to or from the IP address host-address
icmp                         View ICMP packets
tcp port port-number         View TCP packets with either a source or destination TCP port of port-number
udp port port-number         View UDP packets with either a source or destination UDP port of port-number
Example: tcpdump used to view ICMP "ping" packets going through interface wlan0
[root@bigboy tmp]# tcpdump -i wlan0 icmp
tcpdump: listening on wlan0
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply

9 packets received by filter
0 packets dropped by kernel
[root@bigboy tmp]#
Example: tcpdump used to view packets on interface wlan0 to/from host 192.168.1.102 on TCP port 22 with no timestamps in the output
[root@bigboy root]# tcpdump -i wlan0 -t host 192.168.1.102 and tcp port 22
tcpdump: listening on wlan0
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]

9 packets received by filter
0 packets dropped by kernel
[root@bigboy root]#
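The two sessions above are the kind of output you read by eye when checking for basic two-way communication: echo requests should be matched by echo replies, and a SYN to a port should be answered by a SYN/ACK rather than a RST. The following Python script is an added example, not part of the original page: it parses the packet lines shown in both captures (embedded here as constructed sample input copied from the sessions above), pairs ICMP requests with replies, and classifies how the server answered the TCP connection attempts. It also accepts the bracketed "Flags [S.]" style printed by newer tcpdump versions, which the page does not show; the function and variable names are this example's own.

```python
import re

# Constructed sample input: the packet lines from the two tcpdump sessions on this
# page, one packet per line. The ICMP session was run without -t (timestamps present),
# the TCP session with -t (no timestamps).
ICMP_CAPTURE = """\
21:48:58.927091 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.927510 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.928257 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.928365 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.943926 smallfry > bigboy.my-site.com: icmp: echo request (DF)
21:48:58.944034 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.962244 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.963966 bigboy.my-site.com > smallfry: icmp: echo reply
21:48:58.968556 bigboy.my-site.com > smallfry: icmp: echo reply
"""

TCP_CAPTURE = """\
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 2013297021 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
smallfry.32938 > bigboy.my-site.com.ssh: S 2013297020:2013297020(0) win 5840 <mss 1460,sackOK,timestamp 75227931 0,nop,wscale 0> (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
bigboy.my-site.com.ssh > smallfry.32938: R 0:0(0) ack 1 win 0 (DF) [tos 0x10]
"""

# Optional timestamp, optional "IP " prefix (newer tcpdump), then "src > dst: rest".
_HEAD = re.compile(r"^(?:\d\d:\d\d:\d\d\.\d+ )?(?:IP6? )?(?P<src>\S+) > (?P<dst>[^\s:]+): (?P<rest>.*)$")
# Old format: "icmp: echo request"; newer format: "ICMP echo request, id ...".
_ICMP = re.compile(r"^(?:icmp: |ICMP )echo (?P<kind>request|reply)")
# Old format prints TCP flags bare ("S", "R", "."); newer versions print "Flags [S.],".
_TCP = re.compile(r"^(?:Flags )?\[?(?P<flags>[SFRPUWE.]+)\]?[\s,]")


def parse_line(line):
    """Parse one tcpdump packet line into a dict, or return None for non-packet lines."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    icmp = _ICMP.match(rest)
    if icmp:
        return {"src": src, "dst": dst, "proto": "icmp", "kind": icmp.group("kind")}
    tcp = _TCP.match(rest)
    if tcp:
        flags = tcp.group("flags")
        # Old format shows ACK as a separate "ack N" field; new format as '.' in the flags.
        has_ack = "." in flags or " ack " in rest
        return {"src": src, "dst": dst, "proto": "tcp", "flags": flags, "ack": has_ack}
    return None


def icmp_summary(capture):
    """Count echo requests and replies; two-way reachability needs at least one of each."""
    packets = [p for p in map(parse_line, capture.splitlines()) if p and p["proto"] == "icmp"]
    requests = sum(1 for p in packets if p["kind"] == "request")
    replies = sum(1 for p in packets if p["kind"] == "reply")
    return {"requests": requests, "replies": replies, "two_way": requests > 0 and replies > 0}


def tcp_connect_summary(capture, server):
    """Classify how `server` (host.port as printed by tcpdump) answered connection attempts.

    SYN answered by SYN/ACK -> a listener accepted the handshake ("open")
    SYN answered by RST     -> nothing listens on that port, or a firewall rejects with tcp-reset ("refused")
    SYN with no answer      -> packets silently dropped or host unreachable ("no response")
    """
    syns = synacks = rsts = 0
    for p in map(parse_line, capture.splitlines()):
        if not p or p["proto"] != "tcp":
            continue
        if p["dst"] == server and "S" in p["flags"] and not p["ack"]:
            syns += 1
        elif p["src"] == server and "R" in p["flags"]:
            rsts += 1
        elif p["src"] == server and "S" in p["flags"] and p["ack"]:
            synacks += 1
    if synacks:
        verdict = "open"
    elif syns and rsts:
        verdict = "refused"
    elif syns:
        verdict = "no response"
    else:
        verdict = "no attempt seen"
    return {"syn": syns, "syn_ack": synacks, "rst": rsts, "verdict": verdict}


if __name__ == "__main__":
    print(icmp_summary(ICMP_CAPTURE))
    print(tcp_connect_summary(TCP_CAPTURE, "bigboy.my-site.com.ssh"))
```

Run against the page's own output, the ICMP capture reports three requests and six replies (two-way communication is there), while the SSH capture reports three SYNs met only by RSTs and no SYN/ACK, i.e. the connection was refused: the packets reached bigboy, but nothing on port 22 accepted them. That distinction matters when troubleshooting, because a silent DROP rule would instead show SYNs with no answer at all.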