linux message timestamp linux message

How does Linux's tcpdump display the message content? What parameters to use? Give me an example, thank you?

The packet capture command tcpdumptcp-Aport22-wa.cap stores the packet content in a.cap. The a.cap file is binary and needs to be read specifically with the ethreal tool.

What is the principle of industrial firewall?

The firewall principle of industrial routers has a series of components that combine software and hardware between the security domains of different networks. Through monitoring, restrictions, etc., try to shield the internal information, structure and operating status of the network from the outside as much as possible, and selectively accept external access.

The term "firewall" comes from the field of architectural design and refers to a wall that acts as a partition, slowing down or protecting other parts from the effects of fire when one part catches fire. In computer networking, a firewall is a combination of one or more systems used to set security policy between two or more networks. The firewall plays the role of isolating abnormal access and only allows reliable traffic to pass through, thus protecting the security of internal network information at home and enterprise.

Linux firewall usually consists of two parts, namely iptables and netfilter. iptables is a command line tool for managing firewall rules in Linux and is located in user space. netfilter performs packet filtering and is located in the Linux kernel space. Sometimes iptables is also used to collectively refer to Linux firewalls.

iptables is used to set, maintain and check the firewall IP packet filtering rules and network address translation rules of the Linux kernel.

iptables is a packet status monitoring firewall, which means that the firewall stores information about each connection internally and can associate each packet with the connection to which it belongs. This information is very useful. It is used to automatically open the transmission path of the response message. Therefore, when creating a firewall rule, it is usually not necessary to create a firewall rule in the opposite direction. The firewall will automatically calculate this rule.

Use socket programming under dpdk, please explain in detail?

DPDK does not have a protocol stack. There are two ways. One is to use a third-party open source TCP/IP protocol stack developed based on DPDK, and the other is to transfer the sent and received messages to linux through the linuxTUN/TAP device. Processing in the kernel protocol stack

Why can’t my tcpdump run under Linux?

tcpdump captures messages through libpcap. libpcap has different implementations on different platforms. The following only uses the Linux platform for explanation. First of all, it is not a special thing for the Linux platform to obtain the link layer information such as the Mac address of the message in the user mode. It can be achieved through the AF_PACK socket, and tcpdump or libpcap also use this method to capture the message ( This can be verified using the strasetcpdump system call). For details about AF_PACK, see man7packet. Secondly, as mentioned above, tcpdumap uses AF_PACK sockets, not Netfilter. There are at least two unreasonable points in using Netfilter:

1. When the data packet enters Netfilter, some processing has already been done in the protocol stack, and the data packet may have undergone some changes. An obvious example is that fragmentation needs to be reorganized before entering Netfilter, so Netfilter cannot capture the original message fragments. In the sending direction, the processing of the protocol stack is not completely completed when the packet leaves Netfilter, so the captured packet may also be incomplete.

2. The packets captured by Netfilter will also be more complicated when delivered to the user mode. Netfilter's code is in two operating environments: interrupt context and process context. Traditional system calls cannot be used. The simple way is to use Netlink. And this is not as simple as directly using AF_PACKET to capture the message (this is true for both kernel and user-mode programs).