linux – tcpdump从哪个级别的网络堆栈获取信息?

2022-10-09 12:50:40

当我试图修复一个有故障的以太网控制器here时,我试过的一件事就是在机器上运行tcpdump.

我发现有趣的是tcpdump能够检测到ping应用程序认为它发送的某些ICMP数据包实际上并没有通过网络传输,即使它在同一台机器上运行.我在这里复制了那些tcpdump结果:

14:25:01.162331 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 1, length 64
14:25:02.168630 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 2, length 64
14:25:02.228192 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 2, length 64
14:25:07.236359 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 3, length 64
14:25:07.259431 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 3, length 64
14:25:31.307707 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 9, length 64
14:25:32.316628 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 10, length 64
14:25:33.324623 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 11, length 64
14:25:33.349896 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 11, length 64
14:25:43.368625 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 17, length 64
14:25:43.394590 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 17, length 64
14:26:18.518391 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 30, length 64
14:26:18.537866 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 30, length 64
14:26:19.519554 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 31, length 64
14:26:20.518588 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 32, length 64
14:26:21.518559 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 33, length 64
14:26:21.538623 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 33, length 64
14:26:37.573641 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 35, length 64
14:26:38.580648 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 36, length 64
14:26:38.602195 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 36, length 64

注意seq编号如何跳转多次…表示ping应用程序生成的实际上没有离开框的数据包.

这让我想到了一个问题:tcpdump如何能够检测到ICMP数据包实际上没有出现?是否能够以某种方式直接监控电线上的内容?

如果它确实实现了这一点,我认为它是通过连接到内核的某些部分,而内核又连接到某些硬件,这些硬件是网络控制器的标准部分.

即便如此,这很酷!如果这实际上不是tcpdump的功能,有人可以向我解释它是如何在软件中检测到丢失的数据包的吗?

解决方法:

是.通过将网络接口置于混杂模式,tcpdump能够准确地看到网络接口的内容.

tcpdump在layer2上运行.它可以用来看以太网,FDDI,PPP& SLIP,Token Ring和libpcap支持的任何其他协议,它完成了所有tcpdump的繁重工作.

查看pcap man page的pcap_datalink()部分,了解tcpdump(通过libpcap)可以分析的第2层协议的完整列表.

阅读tcpdump man page将使您很好地理解tcpdump和libpcap与内核和网络接口的接口如何能够读取原始数据链路层帧.

上一篇:Android 使用DexClassLoader要执行其他apk方法


下一篇:linux – tcpdump在shell脚本中捕获任何内容