Comparing the two views shows what the letters inside the square brackets after "Flags" in tcpdump output mean:
S stands for SYN
. (dot) stands for ACK
P stands for the HTTP protocol
F stands for FIN
tcpdump format:
root@vyos:/home/vyos# tcpdump -i eth0 tcp and host 172.20.15.118
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:41:56.566276 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [S], seq 1293998715, win 29200, options [mss 1460,sackOK,TS val 650516051 ecr 0,nop,wscale 7], length 0
15:41:56.566399 IP 172.24.244.140.systat > 172.20.15.118.48890: Flags [S.], seq 1299858403, ack 1293998716, win 65160, options [mss 1460,sackOK,TS val 1650524506 ecr 650516051,nop,wscale 6], length 0
15:41:56.566956 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [.], ack 1, win 229, options [nop,nop,TS val 650516052 ecr 1650524506], length 0
15:41:56.566956 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [P.], seq 1:82, ack 1, win 229, options [nop,nop,TS val 650516052 ecr 1650524506], length 81
15:41:56.567014 IP 172.24.244.140.systat > 172.20.15.118.48890: Flags [.], ack 82, win 1017, options [nop,nop,TS val 1650524507 ecr 650516052], length 0
15:41:56.569055 IP 172.24.244.140.systat > 172.20.15.118.48890: Flags [P.], seq 1:253, ack 82, win 1017, options [nop,nop,TS val 1650524509 ecr 650516052], length 252
15:41:56.569661 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [.], ack 253, win 237, options [nop,nop,TS val 650516055 ecr 1650524509], length 0
15:41:56.569661 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [F.], seq 82, ack 253, win 237, options [nop,nop,TS val 650516055 ecr 1650524509], length 0
15:41:56.570213 IP 172.24.244.140.systat > 172.20.15.118.48890: Flags [F.], seq 253, ack 83, win 1017, options [nop,nop,TS val 1650524510 ecr 650516055], length 0
15:41:56.570801 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [.], ack 254, win 237, options [nop,nop,TS val 650516056 ecr 1650524510], length 0
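As an added example (not part of the original note), a small Python parser for the tcpdump summary lines above: it decodes the Flags field (mapping P to the TCP PSH flag, which in this capture is what carries the HTTP request and response bytes), classifies each segment as handshake, data, pure ACK or teardown, and checks that the SYN-ACK really answers the client's SYN by acknowledging its sequence number plus one. Addresses and the "systat" port name are copied from the capture; nothing else is assumed.

```python
import re
from collections import namedtuple

# What each character inside tcpdump's "Flags [...]" field stands for.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}
# One tcpdump TCP summary line in the default (non -v) format shown above.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$")
# seq is the first sequence number: absolute in SYN/SYN-ACK, relative afterwards.
Segment = namedtuple("Segment", "src dst flags seq ack length")

def parse_line(line: str) -> Segment:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a tcpdump TCP line: " + line)
    return Segment(m["src"], m["dst"], [FLAG_NAMES.get(c, c) for c in m["flags"]],
                   int(m["seq"]) if m["seq"] else None,
                   int(m["ack"]) if m["ack"] else None, int(m["length"]))

def describe(seg: Segment) -> str:
    """Classify a segment by its flags and payload length."""
    if "SYN" in seg.flags:
        return "handshake: SYN-ACK" if "ACK" in seg.flags else "handshake: SYN"
    if "FIN" in seg.flags:
        return "teardown: FIN"
    return f"data: {seg.length} bytes" if seg.length else "pure ACK"

def handshake_ok(segs: list) -> bool:
    """True if a SYN-ACK from the right peer acknowledges exactly SYN seq + 1."""
    syn = next((s for s in segs if s.flags == ["SYN"]), None)
    synack = next((s for s in segs if s.flags == ["SYN", "ACK"]), None)
    return (syn is not None and synack is not None and synack.src == syn.dst
            and synack.dst == syn.src and synack.ack == syn.seq + 1)

def summarize(capture: str):
    segs = [parse_line(l) for l in capture.strip().splitlines()]
    return [(s.src, s.dst, describe(s)) for s in segs], handshake_ok(segs)

# Five lines taken from the capture above: handshake, HTTP request, client FIN.
CAPTURE = """\
15:41:56.566276 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [S], seq 1293998715, win 29200, options [mss 1460,sackOK,TS val 650516051 ecr 0,nop,wscale 7], length 0
15:41:56.566399 IP 172.24.244.140.systat > 172.20.15.118.48890: Flags [S.], seq 1299858403, ack 1293998716, win 65160, options [mss 1460,sackOK,TS val 1650524506 ecr 650516051,nop,wscale 6], length 0
15:41:56.566956 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [.], ack 1, win 229, options [nop,nop,TS val 650516052 ecr 1650524506], length 0
15:41:56.566956 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [P.], seq 1:82, ack 1, win 229, options [nop,nop,TS val 650516052 ecr 1650524506], length 81
15:41:56.569661 IP 172.20.15.118.48890 > 172.24.244.140.systat: Flags [F.], seq 82, ack 253, win 237, options [nop,nop,TS val 650516055 ecr 1650524509], length 0
"""
```

Call `summarize(CAPTURE)` to get one (src, dst, description) row per segment plus the handshake check result.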
Wireshark format display: (image.png, not reproduced here)