龙空技术网

在Linux命令行中使用tcpdump「超详细」

云技术 800

前言:

而今看官们对“centosnginxtcp”大概比较关切,看官们都需要知道一些“centosnginxtcp”的相关文章。那么小编同时在网络上网罗了一些有关“centosnginxtcp””的相关资讯,希望咱们能喜欢,大家一起来学习一下吧!

灵活,强大的命令行工具有助于减轻网络问题排查的痛苦。

根据我作为系统管理员的经验,我经常发现网络连接问题难以排除故障。 对于那些情况,tcpdump是一个伟大的朋友。

Tcpdump是一个命令行实用程序,允许捕获和分析通过系统的网络流量。它通常用于帮助解决网络问题,以及安全工具。

tcpdump是一个功能强大且功能多样的工具,包含许多选项和过滤器,可用于各种情况。 由于它是一个命令行工具,因此最好在远程服务器或GUI不可用的设备上运行,以收集以后可以分析的数据。 它也可以在后台启动,也可以使用cron等工具作为预定作业启动。

在本文中,我们将介绍一些tcpdump最常见的功能。

1.在Linux上安装

Tcpdump包含在几个Linux发行版中,所以很可能已经安装了它。使用以下命令检查系统上是否安装了tcpdump:

$ which tcpdump

/usr/sbin/tcpdump

如果未安装tcpdump,则可以使用分发包管理器安装它。例如,在CentOS或Red Hat Enterprise Linux上,如下所示:

$ sudo yum install -y tcpdump

Tcpdump需要libpcap,这是一个用于网络数据包捕获的库。如果未安装,它将自动添加为依赖项。

现在准备开始抓取数据包。

2.使用tcpdump抓取数据包

要抓取数据包以进行故障排除或分析,tcpdump需要提升权限,因此在以下示例中,大多数命令都以sudo为前缀。

首先,使用命令tcpdump -D查看哪些接口可用于捕获:

$ sudo tcpdump -D

1.eth0

2.virbr0

3.eth1

4.any (Pseudo-device that captures on all interfaces)

5.lo [Loopback]

在上面的示例中,可以看到计算机中可用的所有接口。特殊接口any允许在任何活动界面中捕获。

让我们来开始捕获一些数据包。通过运行此命令捕获任何接口中的所有数据包:

$ sudo tcpdump -i any

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196

09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0

09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)

09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)

09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)

09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)

09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)

09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388

09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0

09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)

09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)

09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)

09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060

---- SKIPPING LONG OUTPUT -----

09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0

^C

9003 packets captured

9010 packets received by filter

7 packets dropped by kernel

$

Tcpdump继续捕获数据包,直到收到中断信号。可以按Ctrl + C中断捕获。正如在此示例中所看到的,tcpdump捕获了超过9,000个数据包。在这种情况下,由于我使用ssh连接到此服务器,tcpdump捕获了所有这些包。要限制捕获的数据包数并停止tcpdump,请使用-c选项:

$ sudo tcpdump -i any -c 5

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196

11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0

11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)

11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)

11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)

5 packets captured

12 packets received by filter

0 packets dropped by kernel

$

在这种情况下,tcpdump在捕获五个数据包后自动停止捕获。这在不同的场景中很有用,例如,如果正在排除连接并捕获一些初始包就足够了。当我们应用过滤器捕获特定数据包时,这甚至更有用(如下所示)。

默认情况下,tcpdump将IP地址和端口解析为名称,如上例所示。在排除网络问题时,通常更容易使用IP地址和端口号;使用选项-n和端口解析与-nn禁用名称解析:

$ sudo tcpdump -i any -c5 -nn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196

23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0

23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372

23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0

23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340

5 packets captured

6 packets received by filter

0 packets dropped by kernel

如上所示,捕获输出现在显示IP地址和端口号。这还可以防止tcpdump发出DNS查找,这有助于在排除网络问题时降低网络流量。

现在已经能够捕获网络数据包了,让我们来探索一下这些输出意味着什么。

3.了解输出格式

Tcpdump能够捕获和解码许多不同的协议,例如TCP,UDP,ICMP等等。虽然我们不能在这里介绍所有这些,但为了帮助入门,让我们探索TCP数据包。可以在tcpdump的手册页中找到有关不同协议格式的更多详细信息。tcpdump捕获的典型TCP数据包如下所示:

08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372

字段可能会根据发送的数据包类型而有所不同,但这是一般格式。

第一个字段08:41:13.729687表示根据本地时钟接收的数据包的时间戳。

接下来,IP表示网络层协议 - 在这种情况下是IPv4。对于IPv6数据包,值为IP6。

下一个字段192.168.64.28.22是源IP地址和端口。接下来是目标IP地址和端口,由192.168.64.1.41916表示。

在源和目标之后,可以找到TCP 标记 [P.]。 该字段的典型值包括:

值标记类型描述SSYN连接开始FFIN连接结束PPUSH数据 pushRRST连接重置.ACK确认

该字段也可以是这些值的组合,例如用于SYN-ACK分组的[S.]。

接下来是数据包中包含的数据的序列号。对于捕获的第一个数据包,这是一个绝对数字。后续数据包使用相对数字,以便更容易遵循。在该示例中,序列是seq 196:568,这意味着该分组包含该流的字节196到568。

接下来是Ack编号:ack 1.在这种情况下,它是1,因为这是发送数据的一方。对于接收数据的一方,该字段表示该流上的下一个预期字节(数据)。例如,此流程中下一个数据包的Ack编号为568。

下一个字段是窗口大小win 309,它表示接收缓冲区中可用的字节数,后跟TCP选项,例如MSS(最大段大小)或窗口比例。有关TCP协议选项的详细信息,请参阅传输控制协议(TCP)参数。

最后,我们有数据包长度,长度372,它表示有效载荷数据的长度(以字节为单位)。长度是序列号中最后一个字节和第一个字节之间的差值。

现在让我们学习如何过滤包以缩小结果范围,并更轻松地解决特定问题。

4.过滤数据包

如上所述,tcpdump可以捕获太多的软件包,其中一些甚至与正在排除故障的问题无关。 例如,如果正在解决与Web服务器的连接问题,那么对SSH流量不感兴趣,因此从输出中删除SSH数据包可以更轻松地处理真正的问题。

tcpdump最强大的功能之一是它能够使用各种参数过滤捕获的数据包,例如源和目标IP地址,端口,协议等。让我们看看一些最常见的参数。

协议

要根据协议过滤数据包,请在命令行中指定协议。例如,仅使用以下命令捕获ICMP数据包:

$ sudo tcpdump -i any -c5 icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

在另一个终端中,尝试ping另一台机器:

$ ping opensource.com

PING opensource.com (54.204.39.132) 56(84) bytes of data.

64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms

回到tcpdump捕获,请注意tcpdump仅捕获并显示与ICMP相关的数据包。在这种情况下,tcpdump不显示解析名称opensource.com时生成的名称解析数据包:

09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64

09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64

09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64

09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64

09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64

5 packets captured

5 packets received by filter

0 packets dropped by kernel

主机

使用主机过滤器将捕获限制为仅限与特定主机相关的数据包:

$ sudo tcpdump -i any -c5 -nn host 54.204.39.132

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0

09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0

09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0

09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1

09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

在此示例中,tcpdump仅捕获并显示与主机54.204.39.132之间的数据包。

端口

要根据所需的服务或端口过滤数据包,请使用端口过滤器。例如,使用以下命令捕获与Web(HTTP)服务相关的数据包:

$ sudo tcpdump -i any -c5 -nn port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0

09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0

09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0

09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1

09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

追踪IP/主机名

还可以根据源或目标IP地址或主机名过滤数据包。例如,要从主机192.168.122.98捕获数据包:

$ sudo tcpdump -i any -c5 -nn src 192.168.122.98

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)

10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)

10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0

10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0

10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1

5 packets captured

5 packets received by filter

0 packets dropped by kernel

请注意,tcpdumps捕获了源IP地址为192.168.122.98的数据包,用于多种服务,例如名称解析(端口53)和HTTP(端口80)。由于源IP不同,因此不显示响应数据包。

相反,可以使用dst过滤器按目标IP /主机名进行过滤:

$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)

10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)

10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0

10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0

10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found

5 packets captured

5 packets received by filter

0 packets dropped by kernel

复杂过滤

还可以使用逻辑运算符组合过滤器,或者创建更复杂的表达式。例如,要从源IP地址192.168.122.98和仅HTTP服务过滤数据包,请使用以下命令:

$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0

10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0

10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1

10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0

10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

可以通过使用括号对过滤器进行分组来创建更复杂的表达式。在这种情况下,请用引号括起整个过滤器表达式,以防止shell将它们与shell表达式混淆:

$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0

10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0

10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0

10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1

10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0

5 packets captured

5 packets received by filter

0 packets dropped by kernel

在此示例中,我们仅过滤HTTP服务(端口80)和源IP地址192.168.122.98或54.204.39.132的数据包。这是检查同一流程两侧的快速方法。

5.检查包内容

在前面的示例中,我们仅检查数据包的标头,以获取源,目标,端口等信息。有时,这就是解决网络连接问题所需的全部内容。但是,有时我们需要检查数据包的内容,以确保我们发送的消息包含我们需要的消息或我们收到的预期响应。 要查看数据包内容,tcpdump提供了两个附加标志:-X以十六进制打印内容,ASCII或-A以ASCII格式打印内容。

例如,检查Web请求的HTTP内容,如下所示:

$ sudo tcpdump -i any -c10 -nn -A port 80

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0

E..<..@.@.....zb6.'....P...@......r............

............................

13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0

E..<..@./..a6.'...zb.P..o..&...A..q a..........

.R.W....... ................

13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0

E..4..@.@.....zb6.'....P...Ao..'...........

.....R.W................

13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1

E.....@.@..1..zb6.'....P...Ao..'...........

.....R.WGET / HTTP/1.1

User-Agent: Wget/1.14 (linux-gnu)

Accept: */*

Host: opensource.com

Connection: Keep-Alive

................

13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0

E..4.F@./.."6.'...zb.P..o..'.......9.2.....

.R.a....................

13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found

E....G@./...6.'...zb.P..o..'.......9.......

.R.b....HTTP/1.1 302 Found

Server: nginx

Date: Sun, 23 Sep 2018 17:02:14 GMT

Content-Type: text/html; charset=iso-8859-1

Content-Length: 207

X-Content-Type-Options: nosniff

Location:

Cache-Control: max-age=1209600

Expires: Sun, 07 Oct 2018 17:02:14 GMT

X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d

X-Varnish: 632951979

Age: 0

Via: 1.1 varnish (Varnish/5.2)

X-Cache: MISS

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>302 Found</title>

</head><body>

<h1>Found</h1>

<p>The document has moved <a href="">here</a>.</p>

</body></html>

................

13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0

E..4..@.@.....zb6.'....P....o..............

.....R.b................

13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0

E..4..@.@.....zb6.'....P....o..............

.....R.b................

13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0

E..4.H@./.. 6.'...zb.P..o..........9.I.....

.R......................

13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0

E..4..@.@.....zb6.'....P....o..............

.....R..................

10 packets captured

10 packets received by filter

0 packets dropped by kernel

这有助于解决API调用问题,假设调用使用普通HTTP。对于加密连接,此输出不太有用。

6.将捕获保存到文件

tcpdump提供的另一个有用功能是能够将捕获保存到文件中,以便稍后分析结果。例如,这允许你在批处理模式下捕获数据包,并在早上验证结果。当有太多数据包需要分析时,它也会有所帮助,因为实时捕获可能发生得太快。

要将数据包保存到文件而不是在屏幕上显示,请使用选项-w:

$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80

[sudo] password for ricardo:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

10 packets captured

10 packets received by filter

0 packets dropped by kernel

此命令将输出保存在名为webserver.pcap的文件中。.pcap扩展名代表“数据包捕获”,是此文件格式的约定。

如此示例所示,屏幕上不会显示任何内容,并且根据选项-c10捕获10个数据包后捕获完成。 如果需要一些反馈以确保捕获数据包,请使用选项-v。

Tcpdump以二进制格式创建文件,因此不能简单地使用文本编辑器打开它。要读取文件的内容,请使用-r选项执行tcpdump:

$ tcpdump -nn -r webserver.pcap

reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0

13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0

13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1

13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0

13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0

13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0

$

由于不再直接从网络接口捕获数据包,因此不需要sudo来读取该文件。

还可以使用我们讨论过的任何过滤器来过滤文件中的内容,就像使用实时数据一样。 例如,通过执行以下命令从源IP地址54.204.39.132检查捕获文件中的数据包:

$ tcpdump -nn -r webserver.pcap src 54.204.39.132

reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)

13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0

13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0

13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found

13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0

下一步是什么?

tcpdump的这些基本功能将帮助你开始使用这个功能强大的多功能工具。要了解更多信息,请参阅tcpdump网站和手册页。

tcpdump命令行界面为捕获和分析网络流量提供了极大的灵活性。如果你需要图形工具来了解更复杂的流程,请查看Wireshark。

Wireshark的一个好处是它可以读取tcpdump捕获的.pcap文件。 可以使用tcpdump在没有GUI的远程计算机中捕获数据包,并使用Wireshark分析结果文件,但这是另一个主题。

原文链接:

标签: #centosnginxtcp