歡迎光臨
每天分享高質量文章

在 Linux 命令列中使用 tcpdump 抓包 | Linux 中國

tcpdump 是一款靈活、功能強大的抓包工具,能有效地幫助排查網絡故障問題。
— Ricardo Gerardi


致謝
編譯自 | 
https://opensource.com/article/18/10/introduction-tcpdump
 
 作者 | Ricardo Gerardi
 譯者 | jrg (jrglinux) ??共計翻譯:8.0 篇 貢獻時間:340 天

tcpdump 是一款靈活、功能強大的抓包工具,能有效地幫助排查網絡故障問題。

以我作為管理員的經驗,在網絡連接中經常遇到十分難以排查的故障問題。對於這類情況,tcpdump 便能派上用場。

tcpdump 是一個命令列實用工具,允許你抓取和分析經過系統的流量資料包。它通常被用作於網絡故障分析工具以及安全工具。

tcpdump 是一款強大的工具,支持多種選項和過濾規則,適用場景十分廣泛。由於它是命令列工具,因此適用於在遠程服務器或者沒有圖形界面的設備中收集資料包以便於事後分析。它可以在後臺啟動,也可以用 cron 等定時工具創建定時任務啟用它。

本文中,我們將討論 tcpdump 最常用的一些功能。

1、在 Linux 中安裝 tcpdump

tcpdump 支持多種 Linux 發行版,所以你的系統中很有可能已經安裝了它。用下麵的命令檢查一下是否已經安裝了 tcpdump

  1. $ which tcpdump

  2. /usr/sbin/tcpdump

如果還沒有安裝 tcpdump,你可以用軟體包管理器安裝它。 例如,在 CentOS 或者 Red Hat Enterprise 系統中,用如下命令安裝 tcpdump

  1. $ sudo yum install -y tcpdump

tcpdump 依賴於 libpcap,該庫檔案用於捕獲網絡資料包。如果該庫檔案也沒有安裝,系統會根據依賴關係自動安裝它。

現在你可以開始抓包了。

2、用 tcpdump 抓包

使用 tcpdump 抓包,需要管理員權限,因此下麵的示例中絕大多數命令都是以 sudo 開頭。

首先,先用 tcpdump -D 命令列出可以抓包的網絡接口:

  1. $ sudo tcpdump -D

  2. 1.eth0

  3. 2.virbr0

  4. 3.eth1

  5. 4.any (Pseudo-device that captures on all interfaces)

  6. 5.lo [Loopback]

如上所示,可以看到我的機器中所有可以抓包的網絡接口。其中特殊接口 any 可用於抓取所有活動的網絡接口的資料包。

我們就用如下命令先對 any 接口進行抓包:

  1. $ sudo tcpdump -i any

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196

  5. 09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0

  6. 09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)

  7. 09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)

  8. 09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)

  9. 09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)

  10. 09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)

  11. 09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388

  12. 09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0

  13. 09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)

  14. 09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)

  15. 09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)

  16. 09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060

  17. ---- SKIPPING LONG OUTPUT -----

  18. 09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0

  19. ^C

  20. 9003 packets captured

  21. 9010 packets received by filter

  22. 7 packets dropped by kernel

  23. $

tcpdump 會持續抓包直到收到中斷信號。你可以按 Ctrl+C 來停止抓包。正如上面示例所示,tcpdump 抓取了超過 9000 個資料包。在這個示例中,由於我是通過 ssh 連接到服務器,所以 tcpdump 也捕獲了所有這類資料包。-c 選項可以用於限制 tcpdump 抓包的數量:

  1. $ sudo tcpdump -i any -c 5

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196

  5. 11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0

  6. 11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)

  7. 11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)

  8. 11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)

  9. 5 packets captured

  10. 12 packets received by filter

  11. 0 packets dropped by kernel

  12. $

如上所示,tcpdump 在抓取 5 個資料包後自動停止了抓包。這在有些場景中十分有用 —— 比如你只需要抓取少量的資料包用於分析。當我們需要使用過濾規則抓取特定的資料包(如下所示)時,-c 的作用就十分突出了。

在上面示例中,tcpdump 預設是將 IP 地址和端口號解析為對應的接口名以及服務協議名稱。而通常在網絡故障排查中,使用 IP 地址和端口號更便於分析問題;用 -n 選項顯示 IP 地址,-nn 選項顯示端口號:

  1. $ sudo tcpdump -i any -c5 -nn

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196

  5. 23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0

  6. 23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372

  7. 23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0

  8. 23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340

  9. 5 packets captured

  10. 6 packets received by filter

  11. 0 packets dropped by kernel

如上所示,抓取的資料包中顯示 IP 地址和端口號。這樣還可以阻止 tcpdump 發出 DNS 查找,有助於在網絡故障排查中減少資料流量。

現在你已經會抓包了,讓我們來分析一下這些抓包輸出的含義吧。

3、理解抓取的報文

tcpdump 能夠抓取並解碼多種協議型別的資料報文,如 TCP、UDP、ICMP 等等。雖然這裡我們不可能介紹所有的資料報文型別,但可以分析下 TCP 型別的資料報文,來幫助你入門。更多有關 tcpdump 的詳細介紹可以參考其 幫助手冊[1]tcpdump 抓取的 TCP 報文看起來如下:

  1. 08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372

具體的欄位根據不同的報文型別會有不同,但上面這個例子是一般的格式形式。

第一個欄位 08:41:13.729687 是該資料報文被抓取的系統本地時間戳。

然後,IP 是網絡層協議型別,這裡是 IPv4,如果是 IPv6 協議,該欄位值是 IP6

192.168.64.28.22 是源 ip 地址和端口號,緊跟其後的是目的 ip 地址和其端口號,這裡是 192.168.64.1.41916

在源 IP 和目的 IP 之後,可以看到是 TCP 報文標記段 Flags [P.]。該欄位通常取值如下:

< 如顯示不全,請左右滑動 >
標誌型別 描述
S SYN Connection Start
F FIN Connection Finish
P PUSH Data push
R RST Connection reset
. ACK Acknowledgment

該欄位也可以是這些值的組合,例如 [S.] 代表 SYN-ACK 資料包。

接下來是該資料包中資料的序列號。對於抓取的第一個資料包,該欄位值是一個絕對數字,後續包使用相對數值,以便更容易查詢跟蹤。例如此處 seq 196:568 代表該資料包包含該資料流的第 196 到 568 位元組。

接下來是 ack 值:ack 1。該資料包是資料發送方,ack 值為 1。在資料接收方,該欄位代表資料流上的下一個預期位元組資料,例如,該資料流中下一個資料包的 ack 值應該是 568。

接下來欄位是接收視窗大小 win 309,它表示接收緩衝區中可用的位元組數,後跟 TCP 選項如 MSS(最大段大小)或者視窗比例值。更詳盡的 TCP 協議內容請參考 Transmission Control Protocol(TCP) Parameters[2]

最後,length 372 代表資料包有效載荷位元組長度。這個長度和 seq 序列號中位元組數值長度是不一樣的。

現在讓我們學習如何過濾資料報文以便更容易的分析定位問題。

4、過濾資料包

正如上面所提,tcpdump 可以抓取很多種型別的資料報文,其中很多可能和我們需要查找的問題並沒有關係。舉個例子,假設你正在定位一個與 web 服務器連接的網絡問題,就不必關係 SSH 資料報文,因此在抓包結果中過濾掉 SSH 報文可能更便於你分析問題。

tcpdump 有很多引數選項可以設置資料包過濾規則,例如根據源 IP 以及目的 IP 地址,端口號,協議等等規則來過濾資料包。下麵就介紹一些最常用的過濾方法。

協議

在命令中指定協議便可以按照協議型別來篩選資料包。比方說用如下命令只要抓取 ICMP 報文:

  1. $ sudo tcpdump -i any -c5 icmp

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

然後再打開一個終端,去 ping 另一臺機器:

  1. $ ping opensource.com

  2. PING opensource.com (54.204.39.132) 56(84) bytes of data.

  3. 64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms

回到運行 tcpdump 命令的終端中,可以看到它篩選出了 ICMP 報文。這裡 tcpdump 並沒有顯示有關 opensource.com 的域名解析資料包:

  1. 09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64

  2. 09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64

  3. 09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64

  4. 09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64

  5. 09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64

  6. 5 packets captured

  7. 5 packets received by filter

  8. 0 packets dropped by kernel

主機

用 host 引數只抓取和特定主機相關的資料包:

  1. $ sudo tcpdump -i any -c5 -nn host 54.204.39.132

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0

  5. 09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0

  6. 09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0

  7. 09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1

  8. 09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

如上所示,只抓取和顯示與 54.204.39.132 有關的資料包。

端口號

tcpdump 可以根據服務型別或者端口號來篩選資料包。例如,抓取和 HTTP 服務相關的資料包:

  1. $ sudo tcpdump -i any -c5 -nn port 80

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0

  5. 09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0

  6. 09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0

  7. 09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1

  8. 09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

IP 地址/主機名

同樣,你也可以根據源 IP 地址或者目的 IP 地址或者主機名來篩選資料包。例如抓取源 IP 地址為 192.168.122.98 的資料包:

  1. $ sudo tcpdump -i any -c5 -nn src 192.168.122.98

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)

  5. 10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)

  6. 10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0

  7. 10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0

  8. 10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

註意此處示例中抓取了來自源 IP 地址 192.168.122.98 的 53 端口以及 80 端口的資料包,它們的應答包沒有顯示出來因為那些包的源 IP 地址已經變了。

相對的,使用 dst 就是按目的 IP/主機名來篩選資料包。

  1. $ sudo tcpdump -i any -c5 -nn dst 192.168.122.98

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)

  5. 10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)

  6. 10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0

  7. 10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0

  8. 10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

多條件篩選

當然,可以使用多條件組合來篩選資料包,使用 and 以及 or 邏輯運算子來創建過濾規則。例如,篩選來自源 IP 地址 192.168.122.98 的 HTTP 資料包:

  1. $ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0

  5. 10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0

  6. 10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1

  7. 10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0

  8. 10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

你也可以使用括號來創建更為複雜的過濾規則,但在 shell 中請用引號包含你的過濾規則以防止被識別為 shell 運算式:

  1. $ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0

  5. 10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0

  6. 10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0

  7. 10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1

  8. 10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0

  9. 5 packets captured

  10. 5 packets received by filter

  11. 0 packets dropped by kernel

該例子中我們只抓取了來自源 IP 為 192.168.122.98 或者 54.204.39.132 的 HTTP (端口號80)的資料包。使用該方法就很容易抓取到資料流中交互雙方的資料包了。

5、檢查資料包內容

在以上的示例中,我們只按資料包頭部的信息來建立規則篩選資料包,例如源地址、目的地址、端口號等等。有時我們需要分析網絡連接問題,可能需要分析資料包中的內容來判斷什麼內容需要被髮送、什麼內容需要被接收等。tcpdump 提供了兩個選項可以查看資料包內容,-X 以十六進制打印出資料報文內容,-A 打印資料報文的 ASCII 值。

例如,HTTP 請求報文內容如下:

  1. $ sudo tcpdump -i any -c10 -nn -A port 80

  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

  3. listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

  4. 13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0

  5. E..<..>zb6.'[email protected]

  6. ............................

  7. 13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0

  8. E..<..>...zb.P..o..&...A..q a..........

  9. .R.W.......     ................

  10. 13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0

  11. E..4.[email protected]@.....zb6.'....P...Ao..'...........

  12. .....R.W................

  13. 13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1

  14. E[email protected]@..1..zb6.'....P...Ao..'...........

  15. .....R.WGET / HTTP/1.1

  16. User-Agent: Wget/1.14 (linux-gnu)

  17. Accept: */*

  18. Host: opensource.com

  19. Connection: Keep-Alive

  20. ................

  21. 13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0

  22. [email protected]/.."6.'...zb.P..o..'.......9.2.....

  23. .R.a....................

  24. 13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found

  25. [email protected]/...6.'...zb.P..o..'.......9.......

  26. .R.b....HTTP/1.1 302 Found

  27. Server: nginx

  28. Date: Sun, 23 Sep 2018 17:02:14 GMT

  29. Content-Type: text/html; charset=iso-8859-1

  30. Content-Length: 207

  31. X-Content-Type-Options: nosniff

  32. Location: https://opensource.com/

  33. Cache-Control: max-age=1209600

  34. Expires: Sun, 07 Oct 2018 17:02:14 GMT

  35. X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d

  36. X-Varnish: 632951979

  37. Age: 0

  38. Via: 1.1 varnish (Varnish/5.2)

  39. X-Cache: MISS

  40. Connection: keep-alive

  41. 302 Found

  • Found

  • The document has moved here.

  • ................

  • 13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0

  • [email protected]@.....zb6.'....P....o..............

  • .....R.b................

  • 13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0

  • [email protected]@.....zb6.'....P....o..............

  • .....R.b................

  • 13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0

  • [email protected]/.. 6.'...zb.P..o..........9.I.....

  • .R......................

  • 13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0

  • [email protected]@.....zb6.'....P....o..............

  • .....R..................

  • 10 packets captured

  • 10 packets received by filter

  • 0 packets dropped by kernel

  • 這對定位一些普通 HTTP 呼叫 API 接口的問題很有用。當然如果是加密報文,這個輸出也就沒多大用了。

    6、儲存抓包資料

    tcpdump 提供了儲存抓包資料的功能以便後續分析資料包。例如,你可以夜裡讓它在那裡抓包,然後早上起來再去分析它。同樣當有很多資料包時,顯示過快也不利於分析,將資料包儲存下來,更有利於分析問題。

    使用 -w 選項來儲存資料包而不是在屏幕上顯示出抓取的資料包:

    1. $ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

    2. [sudo] password for ricardo:

    3. tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

    4. 10 packets captured

    5. 10 packets received by filter

    6. 0 packets dropped by kernel

    該命令將抓取的資料包儲存到檔案 webserver.pcap。後綴名 pcap 表示檔案是抓取的資料包格式。

    正如示例中所示,儲存資料包到檔案中時屏幕上就沒有任何有關資料報文的輸出,其中 -c10 表示抓取到 10 個資料包後就停止抓包。如果想有一些反饋來提示確實抓取到了資料包,可以使用 -v 選項。

    tcpdump 將資料包儲存在二進制檔案中,所以不能簡單的用文本編輯器去打開它。使用 -r選項引數來閱讀該檔案中的報文內容:

    1. $ tcpdump -nn -r webserver.pcap

    2. reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

    3. 13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0

    4. 13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

    5. 13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0

    6. 13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1

    7. 13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

    8. 13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

    9. 13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0

    10. 13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0

    11. 13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

    12. 13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0

    13. $

    這裡不需要管理員權限 sudo 了,因為此刻並不是在網絡接口處抓包。

    你還可以使用我們討論過的任何過濾規則來過濾檔案中的內容,就像使用實時資料一樣。 例如,通過執行以下命令從源 IP 地址 54.204.39.132 檢查檔案中的資料包:

    1. $ tcpdump -nn -r webserver.pcap src 54.204.39.132

    2. reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

    3. 13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

    4. 13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

    5. 13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

    6. 13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

    下一步做什麼?

    以上的基本功能已經可以幫助你使用強大的 tcpdump 抓包工具了。更多的內容請參考 tcpdump 網站[3] 以及它的 幫助檔案[4]

    tcpdump 命令列工具為分析網絡流量資料包提供了強大的靈活性。如果需要使用圖形工具來抓包請參考 Wireshark[5]

    Wireshark 還可以用來讀取 tcpdump 儲存的 pcap 檔案。你可以使用 tcpdump 命令列在沒有 GUI 界面的遠程機器上抓包然後在 Wireshark 中分析資料包。


    via: https://opensource.com/article/18/10/introduction-tcpdump

    作者:Ricardo Gerardi[7] 選題:lujun9972 譯者:jrg 校對:wxy

    本文由 LCTT 原創編譯,Linux中國 榮譽推出

    赞(0)

    分享創造快樂

    © 2021 知識星球   网站地图