tcpdump

  

打印数据包，方便调试 

sudo tcpdump -i en1 port $PORT  -X

 

 ip header

 

tcp header

man tcpdump

       To  print  all  IPv4  HTTP packets to and from port 80, i.e. print only

       packets that contain data, not, for example, SYN and  FIN  packets  and

       ACK-only packets.  (IPv6 is left as an exercise for the reader.)

       tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf))) - ((tcp[12]&0xf0)>>4)) != 0)'

 

ip[2:2] 为 total length

ip[0]&0xf 为 ip header 的 header length

(tcp[12]&0xf0)>>4 为 tcp header length，一般为 20

如果 ip total length - ip header length - tcp header length = 0，即 tcp 部分只有 header，不含 data

 

so

sudo tcpdump -i en1 tcp 'port $PORT and (ip[2:2] - (ip[0]&0xf) - (tcp[12]&0xf0)>>4 != 0)' -X

 

参考链接

http://www.cnblogs.com/ggjucheng/archive/2012/01/14/2322659.html