
Linux view tcp

Why can't my tcpdump run under Linux?

tcpdump captures packets through libpcap, which has different implementations on different platforms; the following describes only the Linux platform. First, there is nothing special about obtaining link-layer information such as a packet's MAC address from user space on Linux: it can be done with an AF_PACKET socket, and that is also how tcpdump (libpcap) captures packets (you can verify this by looking at the system calls with strace tcpdump). See man 7 packet for more about AF_PACKET. Second, as mentioned above, tcpdump uses an AF_PACKET socket rather than Netfilter. Capturing through Netfilter would be unreasonable on at least two points:

1. By the time a packet enters Netfilter it has already been processed by the protocol stack, and it may have changed. An obvious example is that fragments are reassembled before entering Netfilter, so the original fragments cannot be captured there. In the sending direction, when a packet leaves Netfilter the protocol stack has not finished processing it, so the captured packet may be incomplete.

2. Passing packets captured in Netfilter to user space is more complicated. Netfilter code runs in interrupt context and in process context, so ordinary system calls cannot be used; the simple way is Netlink. That is not as simple as grabbing packets directly with AF_PACKET (for both the kernel side and the user-space program).
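As an added example (not code from the original answer), here is the AF_PACKET approach the answer refers to, in C: open_capture_socket() opens the kind of raw socket libpcap uses on Linux, and parse_tcp_frame() decodes the Ethernet, IPv4 and TCP headers of one frame the way a capture tool must, because AF_PACKET hands it the raw link-layer bytes, fragments included. The frame bytes are a constructed sample (a TCP SYN from 192.168.1.10:40000 to 10.0.0.5:443) so the parser runs offline; opening the socket needs CAP_NET_RAW and a real interface, so main() only attempts it and reports the failure. The function names, the sample addresses and the eth0 default are this example's own assumptions.

```c
/* Added example, not code from the original answer. Shows (1) the AF_PACKET raw
 * socket a Linux capture tool opens, and (2) decoding the raw Ethernet/IPv4/TCP
 * headers such a socket delivers. The sample frame and all names are constructed. */
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct tcp_summary {
    uint8_t src_mac[6], dst_mac[6];
    char src_ip[INET_ADDRSTRLEN], dst_ip[INET_ADDRSTRLEN];
    uint16_t src_port, dst_port;
    uint8_t flags;   /* raw TCP flag byte: FIN=0x01 SYN=0x02 RST=0x04 PSH=0x08 ACK=0x10 */
};

/* Same kind of socket libpcap uses on Linux: SOCK_RAW delivers the whole frame,
 * Ethernet header included; ETH_P_ALL means every protocol, both directions.
 * Requires CAP_NET_RAW. Returns the descriptor or -1. */
int open_capture_socket(const char *ifname) {
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Decodes Ethernet -> IPv4 -> TCP from raw frame bytes. Returns 0 on success,
 * -1 if the frame is truncated, not IPv4, not TCP, or a non-first fragment
 * (which carries no TCP header: this is what a raw capture sees before the
 * stack reassembles the datagram). Checksums are not verified. */
int parse_tcp_frame(const uint8_t *buf, size_t len, struct tcp_summary *out) {
    if (len < 14) return -1;
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    if (((buf[12] << 8) | buf[13]) != ETH_P_IP) return -1;
    const uint8_t *ip = buf + 14;
    if (len < 14 + 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl + 20) return -1;
    if (ip[9] != 6) return -1;                          /* IPPROTO_TCP */
    if (((ip[6] << 8) | ip[7]) & 0x1fff) return -1;    /* fragment offset != 0 */
    inet_ntop(AF_INET, ip + 12, out->src_ip, sizeof out->src_ip);
    inet_ntop(AF_INET, ip + 16, out->dst_ip, sizeof out->dst_ip);
    const uint8_t *tcp = ip + ihl;
    out->src_port = (uint16_t)((tcp[0] << 8) | tcp[1]);
    out->dst_port = (uint16_t)((tcp[2] << 8) | tcp[3]);
    out->flags = tcp[13];
    return 0;
}

/* Constructed sample: 54-byte frame with a TCP SYN from 192.168.1.10:40000 to
 * 10.0.0.5:443 (IP and TCP checksums left zero). */
const uint8_t sample_syn_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet: dst, src, type */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,          /* IPv4: ihl/tos/len, id/DF, ttl/proto/csum */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,                               /* IPv4: src, dst */
    0x9c,0x40, 0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,         /* TCP: ports, seq, ack */
    0x50,0x02, 0x72,0x10, 0x00,0x00, 0x00,0x00                              /* TCP: offset/flags=SYN, window, csum, urg */
};

int main(int argc, char **argv) {
    struct tcp_summary s;
    if (parse_tcp_frame(sample_syn_frame, sizeof sample_syn_frame, &s) == 0)
        printf("%s:%u -> %s:%u flags=0x%02x\n", s.src_ip, s.src_port, s.dst_ip, s.dst_port, s.flags);

    /* Live capture of one frame; fails without CAP_NET_RAW or a valid interface. */
    int fd = open_capture_socket(argc > 1 ? argv[1] : "eth0");
    if (fd < 0) { perror("open_capture_socket"); return 1; }
    uint8_t buf[65536];
    ssize_t n = recvfrom(fd, buf, sizeof buf, 0, NULL, NULL);
    if (n > 0 && parse_tcp_frame(buf, (size_t)n, &s) == 0)
        printf("%s:%u -> %s:%u flags=0x%02x\n", s.src_ip, s.src_port, s.dst_ip, s.dst_port, s.flags);
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) and pass an interface name to see live frames; strace on the same binary shows the socket(AF_PACKET, SOCK_RAW, ...) and bind() calls that tcpdump also makes.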

What are the connection states of Linux TCP?

LISTEN: waiting for a connection request from any remote TCP and port.
SYN-SENT: waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED: waiting for a confirming acknowledgment after having both received and sent a connection request.
ESTABLISHED: an open connection; data can be exchanged.
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for the acknowledgment of the termination request previously sent.
FIN-WAIT-2: waiting for a connection termination request from the remote TCP.
CLOSE-WAIT: waiting for a connection termination request from the local user.
CLOSING: waiting for the remote TCP to acknowledge the connection termination request.
LAST-ACK: waiting for the acknowledgment of the connection termination request previously sent to the remote TCP.
TIME-WAIT: waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
CLOSED: no connection state at all.
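The list above is the state machine of RFC 793. As an added example (not part of the original answer), the C code below encodes its transitions as a table and walks both ends of a connection through open and close, so it is visible why the side that receives FIN first passes through CLOSE-WAIT and LAST-ACK while the side that closes first ends in TIME-WAIT. The event set and all function names are this example's own assumptions.

```c
/* Added example, not code from the original answer: RFC 793 TCP state
 * transitions as a table. tcp_next_state() returns the state reached from s when
 * event e happens, or TCP_INVALID when RFC 793 defines no transition for that
 * pair. The event vocabulary and names below are this example's own. */
#include <stdio.h>

enum tcp_state {
    TCP_CLOSED, TCP_LISTEN, TCP_SYN_SENT, TCP_SYN_RECEIVED, TCP_ESTABLISHED,
    TCP_FIN_WAIT_1, TCP_FIN_WAIT_2, TCP_CLOSE_WAIT, TCP_CLOSING, TCP_LAST_ACK,
    TCP_TIME_WAIT, TCP_INVALID
};

enum tcp_event {
    EV_PASSIVE_OPEN,   /* local application listens                        */
    EV_ACTIVE_OPEN,    /* local application connects: we send SYN           */
    EV_RCV_SYN,        /* peer's SYN arrives: we send SYN,ACK               */
    EV_RCV_SYN_ACK,    /* peer's SYN,ACK arrives: we send ACK               */
    EV_RCV_ACK,        /* ACK of our SYN or of our FIN arrives              */
    EV_CLOSE,          /* local application closes: we send FIN             */
    EV_RCV_FIN,        /* peer's FIN arrives: we send ACK                   */
    EV_RCV_FIN_ACK,    /* peer's FIN that also ACKs our FIN, in one segment */
    EV_TIMEOUT_2MSL    /* TIME-WAIT timer expires                           */
};

static const char *const state_names[] = {
    "CLOSED", "LISTEN", "SYN-SENT", "SYN-RECEIVED", "ESTABLISHED",
    "FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT", "CLOSING", "LAST-ACK",
    "TIME-WAIT", "INVALID"
};

const char *tcp_state_name(enum tcp_state s) {
    return (unsigned)s <= TCP_INVALID ? state_names[s] : "?";
}

enum tcp_state tcp_next_state(enum tcp_state s, enum tcp_event e) {
    switch (s) {
    case TCP_CLOSED:
        if (e == EV_PASSIVE_OPEN) return TCP_LISTEN;
        if (e == EV_ACTIVE_OPEN)  return TCP_SYN_SENT;
        break;
    case TCP_LISTEN:
        if (e == EV_RCV_SYN) return TCP_SYN_RECEIVED;
        if (e == EV_CLOSE)   return TCP_CLOSED;
        break;
    case TCP_SYN_SENT:
        if (e == EV_RCV_SYN_ACK) return TCP_ESTABLISHED;
        if (e == EV_RCV_SYN)     return TCP_SYN_RECEIVED;   /* simultaneous open */
        if (e == EV_CLOSE)       return TCP_CLOSED;
        break;
    case TCP_SYN_RECEIVED:
        if (e == EV_RCV_ACK) return TCP_ESTABLISHED;
        if (e == EV_CLOSE)   return TCP_FIN_WAIT_1;
        break;
    case TCP_ESTABLISHED:
        if (e == EV_CLOSE)   return TCP_FIN_WAIT_1;          /* we close first */
        if (e == EV_RCV_FIN) return TCP_CLOSE_WAIT;          /* peer closes first */
        break;
    case TCP_FIN_WAIT_1:
        if (e == EV_RCV_ACK)     return TCP_FIN_WAIT_2;
        if (e == EV_RCV_FIN)     return TCP_CLOSING;        /* simultaneous close */
        if (e == EV_RCV_FIN_ACK) return TCP_TIME_WAIT;
        break;
    case TCP_FIN_WAIT_2:
        if (e == EV_RCV_FIN) return TCP_TIME_WAIT;
        break;
    case TCP_CLOSE_WAIT:
        if (e == EV_CLOSE) return TCP_LAST_ACK;
        break;
    case TCP_CLOSING:
        if (e == EV_RCV_ACK) return TCP_TIME_WAIT;
        break;
    case TCP_LAST_ACK:
        if (e == EV_RCV_ACK) return TCP_CLOSED;
        break;
    case TCP_TIME_WAIT:
        if (e == EV_TIMEOUT_2MSL) return TCP_CLOSED;
        break;
    default:
        break;
    }
    return TCP_INVALID;
}

/* Drives one endpoint through a sequence of events, printing each step.
 * Returns the final state, or TCP_INVALID at the first undefined transition. */
enum tcp_state tcp_run(enum tcp_state s, const enum tcp_event *evs, int n) {
    for (int i = 0; i < n; i++) {
        enum tcp_state next = tcp_next_state(s, evs[i]);
        printf("%-12s --(event %d)--> %s\n", tcp_state_name(s), (int)evs[i], tcp_state_name(next));
        if (next == TCP_INVALID) return TCP_INVALID;
        s = next;
    }
    return s;
}

int main(void) {
    /* Active side: connects, then closes first, so it is the one that sits in TIME-WAIT. */
    enum tcp_event client[] = { EV_ACTIVE_OPEN, EV_RCV_SYN_ACK, EV_CLOSE, EV_RCV_ACK,
                                EV_RCV_FIN, EV_TIMEOUT_2MSL };
    tcp_run(TCP_CLOSED, client, 6);
    /* Passive side: listens, accepts, receives the peer's FIN, then closes: CLOSE-WAIT, LAST-ACK. */
    enum tcp_event server[] = { EV_PASSIVE_OPEN, EV_RCV_SYN, EV_RCV_ACK, EV_RCV_FIN,
                                EV_CLOSE, EV_RCV_ACK };
    tcp_run(TCP_CLOSED, server, 6);
    return 0;
}
```

On Linux the same state names appear in the State column of ss -tan (ss abbreviates a few, such as ESTAB and SYN-RECV), and ss -tan state time-wait restricts the output to one state; a host with many sockets stuck in CLOSE-WAIT is one whose applications received the peer's FIN but never called close().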