tcpdump从哪个网络堆栈级别获取其信息?


12

当我徒劳地尝试在此处修复故障的以太网控制器时,我尝试的一件事是在计算机上运行tcpdump。

我发现tcpdump能够检测到ping应用程序认为正在发送的某些ICMP数据包实际上不在线路上,即使它在同一台计算机上运行,​​也很有趣。我在这里复制了这些tcpdump结果:

14:25:01.162331 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 1, length 64
14:25:02.168630 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 2, length 64
14:25:02.228192 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 2, length 64
14:25:07.236359 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 3, length 64
14:25:07.259431 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 3, length 64
14:25:31.307707 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 9, length 64
14:25:32.316628 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 10, length 64
14:25:33.324623 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 11, length 64
14:25:33.349896 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 11, length 64
14:25:43.368625 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 17, length 64
14:25:43.394590 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 17, length 64
14:26:18.518391 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 30, length 64
14:26:18.537866 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 30, length 64
14:26:19.519554 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 31, length 64
14:26:20.518588 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 32, length 64
14:26:21.518559 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 33, length 64
14:26:21.538623 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 33, length 64
14:26:37.573641 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 35, length 64
14:26:38.580648 IP debian.local > 74.125.224.80: ICMP echo request, id 2334, seq 36, length 64
14:26:38.602195 IP 74.125.224.80 > debian.local: ICMP echo reply, id 2334, seq 36, length 64

请注意,seq编号是如何跳跃数次...表示ping应用程序生成的数据包实际上并没有离开盒子。

这使我想到了一个问题:tcpdump如何能够检测到ICMP数据包实际上没有出去?是否能够以某种方式直接监视电线上的内容?

如果确实做到了这一点,我认为是通过与内核的某些部分接口,而内核又与某些硬件相连,这些硬件是网络控制器的标准部分。

即使这样,这还是很酷的!如果那实际上不是tcpdump的功能,有人可以向我解释它如何在软件中检测到丢失的数据包吗?

Answers:


13

是。通过将网络接口设置为混杂模式,tcpdump能够准确查看出(出入)网络接口的内容。

tcpdump在layer2 +上运行。它可用于查看以太网,FDDI,PPP和SLIP,令牌环以及libpcap支持的任何其他协议,这些协议完成了tcpdump的所有繁重工作。

请查看pcap手册页的pcap_datalink()部分,以获得tcpdump(通过libpcap)可以分析的第2层协议的完整列表。

阅读tcpdump手册页将使您很好地了解tcpdump和libpcap与内核和网络接口的接口如何能够读取原始数据链路层帧。


1
谢谢蒂姆。一件事,我看了一下tcpdump手册页,却没有看到关于内核/网络接口的任何信息。如果您还有其他建议,我很想了解更多有关此的信息。
埃里克(Eric)

我上面链接的pcap手册页详细介绍了网络接口。tcpdump仅显示数据。它是libpcap来捕获数据并连接到网络设备。
蒂姆·肯尼迪
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.