How to capture TCP/IP fragmentation in tcpdump?


Question

As we all know, the MTU is 1500 and the MSS for TCP is 1460. So when the buf used in the recv function is larger than 1460 bytes, the TCP data will be split into many parts.

I wrote a simple echo program and want to use tcpdump to check the fragmentation. However, it does not show the fragmentation when the buf is small, but shows it when the buf is about 20K.

Here is the code:

Server:

import socket

addr = ('10.0.0.2', 10086)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(addr)
server.listen(5)

while True:
    connfd, peer = server.accept()
    print('connection ip:', peer)
    # recv() may return fewer bytes than requested, so read until the client closes
    data = b''
    while True:
        chunk = connfd.recv(8192)
        if not chunk:
            break
        data += chunk
    print('received', len(data), 'bytes')
    connfd.close()

Client:

import socket

addr = ('10.0.0.2', 10086)
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect(addr)

# 8192 bytes of payload; sendall() hands it to the kernel, which decides how to segment it
data = b'1' * 8192
client.sendall(data)
client.close()

Here is the tcpdump cmd I used:

sudo tcpdump -i lo port 10086 -s 1514 -v

As seen from the code, the buf is 8192 and the MSS is 1460. So, in my opinion, the packet will be split into 1460, 1460, 1460, 1460, 1460, 892. But in the screenshots it is not.

Also, I am not sure if this is caused by the [DF] flag. The program uses python, so the built-in sockopt [DF] is set by default? Heaven knows.

Recommended answer

"As we all know, the MTU is 1500 and the MSS for TCP is 1460"

This is not true.

The MTU depends on the transport medium, and an MTU of 1500 is specific to ethernet. But based on your tcpdump you are not using the ethernet interface (i.e. a wired LAN connection between two machines) but have client and server on the same machine and thus use the lo interface (tcpdump -i lo ...). The MTU for the localhost interface is usually much higher:

  $ ifconfig lo
  lo: ...  mtu 65536

  $ ifconfig eth0
  eth0: ...  mtu 1500

Apart from that you will probably not see any fragmentation at all. If the packets are larger than the MTU you will see TCP segmentation (not fragmentation), i.e. the OS will split the TCP stream into different segments where each is not larger than the MSS. Fragmentation instead occurs on the lower layers, for example if an IP packet needs to be split further because somewhere in the path to the target there is a device with a smaller MTU.

The [DF] (don't fragment) you see is there to make sure that no IP level fragmentation occurs; instead the packet gets discarded and the sender is notified, so that the Path MTU (the minimal MTU of the path) can be discovered and the TCP segmentation optimized for it in order to reduce the overhead of delivery. See Path MTU discovery for more information.
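The following is an added example and not code from the question or the answer. It models the two mechanisms the answer separates: TCP segmentation, which the sending host does based on the MSS it derives from the interface MTU, and IP fragmentation, which only happens on a link whose MTU is smaller than the datagram and which DF turns into a drop plus an ICMP "fragmentation needed" notification. The header sizes assume minimal IPv4 and TCP headers without options, the sysfs path is Linux-specific, and the 576-byte link in the demo is a constructed value; the interface names eth0 and lo and the MTUs 1500 and 65536 come from the answer.

```python
"""Where TCP segmentation and IP fragmentation happen (added, constructed example).

Reproduces the arithmetic behind the answer so the number of segments tcpdump
should show for a given interface MTU can be predicted before capturing.
"""

IPV4_HDR = 20   # minimal IPv4 header, no options (assumption)
TCP_HDR = 20    # minimal TCP header, no options (assumption; a SYN carries options)


class NeedsFragmentation(Exception):
    """A DF-marked datagram does not fit the next link: the router drops it and
    sends ICMP 'fragmentation needed' (type 3, code 4) carrying the link MTU."""

    def __init__(self, link_mtu):
        super().__init__(f"DF set, datagram exceeds link MTU {link_mtu}")
        self.link_mtu = link_mtu


def mss_for_mtu(mtu, ip_hdr=IPV4_HDR, tcp_hdr=TCP_HDR):
    """MSS the sender derives from an interface MTU: 1500 -> 1460, 65536 -> 65496."""
    return mtu - ip_hdr - tcp_hdr


def tcp_segments(payload_len, mss):
    """Payload sizes of the TCP segments the sending host emits for one sendall()
    of payload_len bytes. Transport-layer segmentation, done by the sender."""
    if mss <= 0:
        raise ValueError("MSS must be positive")
    sizes = []
    remaining = payload_len
    while remaining > 0:
        n = min(mss, remaining)
        sizes.append(n)
        remaining -= n
    return sizes


def ip_fragments(ip_payload_len, link_mtu, df, ip_hdr=IPV4_HDR):
    """Fragments of one IPv4 datagram crossing a link with a smaller MTU.
    Returns (offset_bytes, fragment_payload_len, more_fragments) tuples.
    Network-layer fragmentation, done by whoever forwards the packet."""
    if ip_hdr + ip_payload_len <= link_mtu:
        return [(0, ip_payload_len, False)]
    if df:
        raise NeedsFragmentation(link_mtu)
    # Fragment offsets are stored in 8-byte units, so every fragment except
    # the last carries a multiple of 8 payload bytes.
    per_fragment = (link_mtu - ip_hdr) // 8 * 8
    frags = []
    offset = 0
    while offset < ip_payload_len:
        n = min(per_fragment, ip_payload_len - offset)
        more = offset + n < ip_payload_len
        frags.append((offset, n, more))
        offset += n
    return frags


def would_be_dropped(ip_payload_len, link_mtu):
    """True if a DF-marked datagram of this size is discarded on this link."""
    try:
        ip_fragments(ip_payload_len, link_mtu, df=True)
        return False
    except NeedsFragmentation:
        return True


def interface_mtu(ifname):
    """MTU of a local Linux interface read from sysfs, or None if unavailable."""
    try:
        with open(f"/sys/class/net/{ifname}/mtu") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    payload = 8192                       # the asker's buffer size
    for name, mtu in (("eth0", 1500), ("lo", 65536)):
        mss = mss_for_mtu(mtu)
        print(name, "MTU", mtu, "MSS", mss, "segments:", tcp_segments(payload, mss))
    # One 1460-byte segment (1480 bytes of IP payload) later crossing a 576-byte link
    print("DF clear:", ip_fragments(1460 + TCP_HDR, 576, df=False))
    print("DF set, dropped:", would_be_dropped(1460 + TCP_HDR, 576))
    live = interface_mtu("lo")
    if live is not None:
        print("local lo MTU:", live)
```

Run it and compare with a capture: over lo the 8192-byte send fits one segment, so tcpdump shows no split at all, while an ethernet MTU yields the five 1460-byte segments plus 892 the asker expected. The fragment list is what tcpdump would print as IP fragments (offset and MF flag) on a path with a smaller link, and with DF set that path instead produces an ICMP notification and a smaller MSS.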
