Packet capture analysis

tcpdump -i docker0 -lXe

[root@iz2zecj7a5r32f2axsctb9z net]# tcpdump  -i docker0 -lXe
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:46:58.316119 02:42:42:33:a1:76 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 172.18.0.2 tell 172.18.0.1, length 46
    0x0000:  0001 0800 0604 0001 0242 4233 a176 ac12  .........BB3.v..
    0x0010:  0001 0000 0000 0000 ac12 0002 0000 0000  ................
    0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:46:58.316135 02:42:ac:12:00:02 (oui Unknown) > 02:42:42:33:a1:76 (oui Unknown), ethertype ARP (0x0806), length 42: Reply 172.18.0.2 is-at 02:42:ac:12:00:02 (oui Unknown), length 28
    0x0000:  0001 0800 0604 0002 0242 ac12 0002 ac12  .........B......
    0x0010:  0002 0242 4233 a176 ac12 0001            ...BB3.v....
  1. The request is sent as a broadcast frame

    Broadcast, ethertype ARP (0x0806), length 60: Request who-has 172.18.0.2 tell 172.18.0.1, length 46

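  • The whole frame is 60 bytes long, which satisfies the minimum frame length for transmission.
  • The data length is 46: Ethernet requires the data portion to be at least 46 bytes, and anything shorter is automatically zero-padded, which is why the content is followed by a run of zeros.
  2. Receiving the reply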

    ethertype ARP (0x0806), length 42: Reply 172.18.0.2 is-at 02:42:ac:12:00:02 (oui Unknown), length 28

  • The received frame is 42 bytes long.
  • The data length is 28, i.e. the 28 bytes of ARP content.

    28 (ARP content length) + 14 (ether_header) = 42
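
The two hex dumps above decoded field by field, as an added example that is not part of the original page. It separates the 28-byte ARP message from the zero padding and recomputes the frame lengths; the function name `parse_arp` and the dictionary keys are chosen for this illustration.

```python
import struct
import ipaddress

ETH_HEADER_LEN = 14   # dst MAC (6) + src MAC (6) + ethertype (2)
ARP_LEN = 28          # size of an IPv4-over-Ethernet ARP message
MIN_PAYLOAD = 46      # minimum Ethernet data length, as stated in the text

# Hex copied from the tcpdump -X output on this page (-X omits the link-layer header).
REQUEST_HEX = ("0001 0800 0604 0001 0242 4233 a176 ac12"
               "0001 0000 0000 0000 ac12 0002 0000 0000"
               "0000 0000 0000 0000 0000 0000 0000")
REPLY_HEX = ("0001 0800 0604 0002 0242 ac12 0002 ac12"
             "0002 0242 4233 a176 ac12 0001")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(hex_dump):
    """Decode an ARP payload (hypothetical helper for this example)."""
    data = bytes.fromhex(hex_dump)          # whitespace in the dump is ignored
    if len(data) < ARP_LEN:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP message")
    padding = data[ARP_LEN:]                # bytes added to reach MIN_PAYLOAD
    return {
        "op": {1: "request", 2: "reply"}.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
        "data_len": len(data),
        "padding_len": len(padding),
        "padding_is_zero": not any(padding),
        "frame_len": ETH_HEADER_LEN + len(data),
    }

if __name__ == "__main__":
    for name, dump in (("request", REQUEST_HEX), ("reply", REPLY_HEX)):
        print(name, parse_arp(dump))
```
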

Document last updated: 2021-02-05 02:58   Author: 周国强