Strange tcpdump behaviour

Zdenek SUTR Kaminski sutr at valachian-labs.com
Thursday June 30 22:03:30 CEST 2005


Hello,

 I am puzzled by the behaviour of tcpdump on machine A (82.142.70.161). When I ping
(ping -n <IP address>) from machine B (212.67.70.79) to the address 82.142.70.165 and
on machine A I run

tcpdump -i eth0 -n host 82.142.70.165 -v, I see:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:56:29.865644 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 1
21:56:30.069741 IP (tos 0x0, ttl 112, id 5124, offset 0, flags [none], proto 17, length: 33) 83.253.20.119.2285 > 82.142.70.165.27015: UDP, length 5
21:56:30.872650 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 2
21:56:31.878097 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 3
21:56:32.870031 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 4
21:56:32.960981 IP (tos 0x0, ttl 112, id 5801, offset 0, flags [none], proto 17, length: 33) 83.253.20.119.2286 > 82.142.70.165.27015: UDP, length 5
21:56:33.883309 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 5

which is fine.

However, when I run

 tcpdump -i eth0 -n -p icmp -v, I see:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

which is wrong.

But when I ping the address 82.142.70.163, then with the first tcpdump command
(modified accordingly) I see:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:00:48.663584 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 1
22:00:48.664166 IP (tos 0x0, ttl  63, id 11718, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 1
22:00:49.677104 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 2
22:00:49.677657 IP (tos 0x0, ttl  63, id 11719, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 2
22:00:50.687498 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 3
22:00:50.688066 IP (tos 0x0, ttl  63, id 11720, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 3

and with the second tcpdump I see:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:00:22.739971 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 1
22:00:22.740568 IP (tos 0x0, ttl  63, id 11715, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 1
22:00:23.747386 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 2
22:00:23.747952 IP (tos 0x0, ttl  63, id 11716, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 2
22:00:24.757260 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1, length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 3
22:00:24.757807 IP (tos 0x0, ttl  63, id 11717, offset 0, flags [none], proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq 3

which is correct in both cases.

Could you please explain to me what is wrong?

Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
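The difference between the two commands above is the `-p` switch: it tells tcpdump not to put the interface into promiscuous mode, so the capture is limited to frames the NIC would accept anyway (its own unicast MAC address, broadcast, and subscribed multicast), whereas without `-p` tcpdump also sees frames addressed to other stations on the same segment. Anyone who relies on a capture host for monitoring needs to know which of the two views they are looking at. The following added example (not part of the post or of tcpdump itself) parses `tcpdump -n -v` output in the format shown above, re-joins lines that the mail client wrapped, and compares captures: which destination addresses show up only with promiscuous mode on, and for each pinged address how many echo requests versus echo replies were observed. The embedded traces are excerpts copied from the post; `unwrap`, `parse`, `promisc_only` and `echo_summary` are my own names. The example does not diagnose the poster's network; it only makes the comparison mechanical.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Excerpts copied from the post's tcpdump output, wrapped exactly as mailed.
PROMISC_165 = """tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
21:56:29.865644 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1,
length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 1
21:56:30.069741 IP (tos 0x0, ttl 112, id 5124, offset 0, flags [none],
proto 17, length: 33) 83.253.20.119.2285 > 82.142.70.165.27015: UDP,
length 5
21:56:30.872650 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1,
length: 84) 212.67.79.70 > 82.142.70.165: icmp 64: echo request seq 2
"""
# With -p (no promiscuous mode) the post shows only the banner.
NOPROMISC_165 = """tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
"""
PROMISC_163 = """tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
22:00:48.663584 IP (tos 0x0, ttl  58, id 0, offset 0, flags [DF], proto 1,
length: 84) 212.67.79.70 > 82.142.70.163: icmp 64: echo request seq 1
22:00:48.664166 IP (tos 0x0, ttl  63, id 11718, offset 0, flags [none],
proto 1, length: 84) 82.142.70.163 > 212.67.79.70: icmp 64: echo reply seq
1
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# Field layout of one IPv4 record as tcpdump -v -n prints it (IPv4 only).
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl\s+(?P<ttl>\d+), id (?P<id>\d+), "
    r"offset \d+, flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\d+), length: (?P<length>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<payload>.*)$"
)


def unwrap(text: str) -> List[str]:
    """Re-join packet lines the mail client wrapped; drop the banner and its tail."""
    records: List[str] = []
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or line.startswith("tcpdump:"):
            if current:
                records.append(" ".join(current))
            current = [line] if TS_RE.match(line) else None
        elif current is not None:
            current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """With -n tcpdump prints 'a.b.c.d.port' for UDP/TCP; separate the port."""
    parts = addr.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return addr, None


def parse(text: str) -> List[Dict]:
    """One dict per IPv4 packet; lines that do not match the -v layout are ignored."""
    packets: List[Dict] = []
    for rec in unwrap(text):
        m = PKT_RE.match(rec)
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        packets.append({"ts": m["ts"], "ttl": int(m["ttl"]), "ip_id": int(m["id"]),
                        "df": "DF" in m["flags"], "proto": int(m["proto"]),
                        "length": int(m["length"]), "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "payload": m["payload"]})
    return packets


def promisc_only(promisc: List[Dict], non_promisc: List[Dict]) -> Set[str]:
    """Destination IPs seen with promiscuous mode on but absent from the -p capture."""
    return {p["dst"] for p in promisc} - {p["dst"] for p in non_promisc}


def echo_summary(packets: List[Dict]) -> Dict[str, Tuple[int, int]]:
    """Per pinged address: (echo requests towards it, echo replies from it)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for p in packets:
        if p["proto"] != 1:          # ICMP only
            continue
        if "echo request" in p["payload"]:
            key, req, rep = p["dst"], 1, 0
        elif "echo reply" in p["payload"]:
            key, req, rep = p["src"], 0, 1
        else:
            continue
        old = summary.get(key, (0, 0))
        summary[key] = (old[0] + req, old[1] + rep)
    return summary


if __name__ == "__main__":
    print("seen only in promiscuous mode:", promisc_only(parse(PROMISC_165), parse(NOPROMISC_165)))
    print("echo summary, .165 capture:", echo_summary(parse(PROMISC_165)))
    print("echo summary, .163 capture:", echo_summary(parse(PROMISC_163)))
```

Run against the excerpts, the .165 address is reported as visible only in promiscuous mode and receives requests without any reply in the capture, while .163 shows a matching request and reply; the same two functions can be pointed at full captures saved from both invocations to get the same comparison for a real interface.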


