tcpdump 是一款靈活、功能強(qiáng)大的抓包工具�,能有效地幫助排查網(wǎng)絡(luò)故障問(wèn)題��。
以我作為管理員的經(jīng)驗(yàn)��,在網(wǎng)絡(luò)連接中經(jīng)常遇到十分難以排查的故障問(wèn)題�。對(duì)于這類(lèi)情況����, tcpdump 便能派上用場(chǎng)�����。
tcpdump 是一個(gè)命令行實(shí)用工具���,允許你抓取和分析經(jīng)過(guò)系統(tǒng)的流量數(shù)據(jù)包�����。它通常被用作于網(wǎng)絡(luò)故障分析工具以及安全工具���。
tcpdump 是一款強(qiáng)大的工具���,支持多種選項(xiàng)和過(guò)濾規(guī)則��,適用場(chǎng)景十分廣泛。由于它是命令行工具�,因此適用于在遠(yuǎn)程服務(wù)器或者沒(méi)有圖形界面的設(shè)備中收集數(shù)據(jù)包以便于事后分析。它可以在后臺(tái)啟動(dòng)���,也可以用 cron 等定時(shí)工具創(chuàng)建定時(shí)任務(wù)啟用它。
本文中�����,我們將討論 tcpdump 最常用的一些功能����。
1�、在 Linux 中安裝 tcpdump
tcpdump 支持多種 Linux 發(fā)行版,所以你的系統(tǒng)中很有可能已經(jīng)安裝了它。用下面的命令檢查一下是否已經(jīng)安裝了 tcpdump :
$ which tcpdump
/usr/sbin/tcpdump
如果還沒(méi)有安裝 tcpdump ���,你可以用軟件包管理器安裝它��。 例如��,在 CentOS 或者 Red Hat Enterprise 系統(tǒng)中����,用如下命令安裝 tcpdump :
$ sudo yum install -y tcpdump
tcpdump 依賴(lài)于 libpcap ���,該庫(kù)文件用于捕獲網(wǎng)絡(luò)數(shù)據(jù)包。如果該庫(kù)文件也沒(méi)有安裝�,系統(tǒng)會(huì)根據(jù)依賴(lài)關(guān)系自動(dòng)安裝它���。
現(xiàn)在你可以開(kāi)始抓包了�。
2、用 tcpdump 抓包
使用 tcpdump 抓包���,需要管理員權(quán)限��,因此下面的示例中絕大多數(shù)命令都是以 sudo 開(kāi)頭�����。
首先�,先用 tcpdump -D 命令列出可以抓包的網(wǎng)絡(luò)接口:
$ sudo tcpdump -D
eth0
virbr0
eth1
any (Pseudo-device that captures on all interfaces)
lo [Loopback]
如上所示����,可以看到我的機(jī)器中所有可以抓包的網(wǎng)絡(luò)接口��。其中特殊接口 any 可用于抓取所有活動(dòng)的網(wǎng)絡(luò)接口的數(shù)據(jù)包����。
我們就用如下命令先對(duì) any 接口進(jìn)行抓包:
$ sudo tcpdump -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 196
09:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 0
09:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)
09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)
09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)
09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)
09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)
09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 388
09:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 0
09:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)
09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)
09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)
09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060
---- SKIPPING LONG OUTPUT -----
09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0
^C
9003 packets captured
9010 packets received by filter
7 packets dropped by kernel
$
tcpdump 會(huì)持續(xù)抓包直到收到中斷信號(hào)��。你可以按 Ctrl+C 來(lái)停止抓包�。正如上面示例所示�����, tcpdump 抓取了超過(guò) 9000 個(gè)數(shù)據(jù)包���。在這個(gè)示例中,由于我是通過(guò) ssh 連接到服務(wù)器�,所以 tcpdump 也捕獲了所有這類(lèi)數(shù)據(jù)包�。 -c 選項(xiàng)可以用于限制 tcpdump 抓包的數(shù)量:
$ sudo tcpdump -i any -c 5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 196
11:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 0
11:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)
11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)
11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)
5 packets captured
12 packets received by filter
0 packets dropped by kernel
$
如上所示, tcpdump 在抓取 5 個(gè)數(shù)據(jù)包后自動(dòng)停止了抓包。這在有些場(chǎng)景中十分有用 —— 比如你只需要抓取少量的數(shù)據(jù)包用于分析�����。當(dāng)我們需要使用過(guò)濾規(guī)則抓取特定的數(shù)據(jù)包(如下所示)時(shí), -c 的作用就十分突出了��。
在上面示例中, tcpdump 默認(rèn)是將 IP 地址和端口號(hào)解析為對(duì)應(yīng)的接口名以及服務(wù)協(xié)議名稱(chēng)����。而通常在網(wǎng)絡(luò)故障排查中,使用 IP 地址和端口號(hào)更便于分析問(wèn)題���;用 -n 選項(xiàng)顯示 IP 地址�����, -nn 選項(xiàng)顯示端口號(hào):
$ sudo tcpdump -i any -c5 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 196
23:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 372
23:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 0
23:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 340
5 packets captured
6 packets received by filter
0 packets dropped by kernel
如上所示�,抓取的數(shù)據(jù)包中顯示 IP 地址和端口號(hào)�。這樣還可以阻止 tcpdump 發(fā)出 DNS 查找��,有助于在網(wǎng)絡(luò)故障排查中減少數(shù)據(jù)流量���。
現(xiàn)在你已經(jīng)會(huì)抓包了���,讓我們來(lái)分析一下這些抓包輸出的含義吧。
3�、理解抓取的報(bào)文
tcpdump 能夠抓取并解碼多種協(xié)議類(lèi)型的數(shù)據(jù)報(bào)文��,如 TCP�����、UDP�、ICMP 等等��。雖然這里我們不可能介紹所有的數(shù)據(jù)報(bào)文類(lèi)型��,但可以分析下 TCP 類(lèi)型的數(shù)據(jù)報(bào)文�����,來(lái)幫助你入門(mén)。更多有關(guān) tcpdump 的詳細(xì)介紹可以參考其 幫助手冊(cè) ���。 tcpdump 抓取的 TCP 報(bào)文看起來(lái)如下:
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
具體的字段根據(jù)不同的報(bào)文類(lèi)型會(huì)有不同,但上面這個(gè)例子是一般的格式形式���。
第一個(gè)字段 08:41:13.729687 是該數(shù)據(jù)報(bào)文被抓取的系統(tǒng)本地時(shí)間戳。
然后�����, IP 是網(wǎng)絡(luò)層協(xié)議類(lèi)型�,這里是 IPv4 ��,如果是 IPv6 協(xié)議�,該字段值是 IP6 ��。
192.168.64.28.22 是源 ip 地址和端口號(hào)���,緊跟其后的是目的 ip 地址和其端口號(hào),這里是 192.168.64.1.41916 。
在源 IP 和目的 IP 之后����,可以看到是 TCP 報(bào)文標(biāo)記段 Flags [P.] ���。該字段通常取值如下:
該字段也可以是這些值的組合,例如 [S.] 代表 SYN-ACK 數(shù)據(jù)包�。
接下來(lái)是該數(shù)據(jù)包中數(shù)據(jù)的序列號(hào)���。對(duì)于抓取的第一個(gè)數(shù)據(jù)包�����,該字段值是一個(gè)絕對(duì)數(shù)字���,后續(xù)包使用相對(duì)數(shù)值,以便更容易查詢(xún)跟蹤��。例如此處 seq 196:568 代表該數(shù)據(jù)包包含該數(shù)據(jù)流的第 196 到 568 字節(jié)��。
接下來(lái)是 ack 值: ack 1 。該數(shù)據(jù)包是數(shù)據(jù)發(fā)送方����,ack 值為 1。在數(shù)據(jù)接收方�����,該字段代表數(shù)據(jù)流上的下一個(gè)預(yù)期字節(jié)數(shù)據(jù)�����,例如��,該數(shù)據(jù)流中下一個(gè)數(shù)據(jù)包的 ack 值應(yīng)該是 568。
接下來(lái)字段是接收窗口大小 win 309 �,它表示接收緩沖區(qū)中可用的字節(jié)數(shù)����,后跟 TCP 選項(xiàng)如 MSS(最大段大小)或者窗口比例值����。更詳盡的 TCP 協(xié)議內(nèi)容請(qǐng)參考 Transmission Control Protocol(TCP) Parameters �。
最后, length 372 代表數(shù)據(jù)包有效載荷字節(jié)長(zhǎng)度���。這個(gè)長(zhǎng)度和 seq 序列號(hào)中字節(jié)數(shù)值長(zhǎng)度是不一樣的。
現(xiàn)在讓我們學(xué)習(xí)如何過(guò)濾數(shù)據(jù)報(bào)文以便更容易的分析定位問(wèn)題���。
4、過(guò)濾數(shù)據(jù)包
正如上面所提���, tcpdump 可以抓取很多種類(lèi)型的數(shù)據(jù)報(bào)文,其中很多可能和我們需要查找的問(wèn)題并沒(méi)有關(guān)系����。舉個(gè)例子����,假設(shè)你正在定位一個(gè)與 web 服務(wù)器連接的網(wǎng)絡(luò)問(wèn)題�,就不必關(guān)系 SSH 數(shù)據(jù)報(bào)文�����,因此在抓包結(jié)果中過(guò)濾掉 SSH 報(bào)文可能更便于你分析問(wèn)題�。
tcpdump 有很多參數(shù)選項(xiàng)可以設(shè)置數(shù)據(jù)包過(guò)濾規(guī)則���,例如根據(jù)源 IP 以及目的 IP 地址����,端口號(hào)���,協(xié)議等等規(guī)則來(lái)過(guò)濾數(shù)據(jù)包�����。
下面就介紹一些最常用的過(guò)濾方法�。
協(xié)議
在命令中指定協(xié)議便可以按照協(xié)議類(lèi)型來(lái)篩選數(shù)據(jù)包����。比方說(shuō)用如下命令只要抓取 ICMP 報(bào)文:
$ sudo tcpdump -i any -c5 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
然后再打開(kāi)一個(gè)終端,去 ping 另一臺(tái)機(jī)器:
$ ping opensource.com
PING opensource.com (54.204.39.132) 56(84) bytes of data.
64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
回到運(yùn)行 tcpdump 命令的終端中���,可以看到它篩選出了 ICMP 報(bào)文����。這里 tcpdump 并沒(méi)有顯示有關(guān) opensource.com 的域名解析數(shù)據(jù)包:
09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 64
09:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 64
09:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 64
09:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 64
09:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 64
5 packets captured
5 packets received by filter
0 packets dropped by kernel
主機(jī)
用 host 參數(shù)只抓取和特定主機(jī)相關(guān)的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn host 54.204.39.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 0
09:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 0
09:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 0
09:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.1
09:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
如上所示,只抓取和顯示與 54.204.39.132 有關(guān)的數(shù)據(jù)包��。
端口號(hào)
tcpdump 可以根據(jù)服務(wù)類(lèi)型或者端口號(hào)來(lái)篩選數(shù)據(jù)包����。例如�����,抓取和 HTTP 服務(wù)相關(guān)的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 0
09:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 0
09:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 0
09:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.1
09:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
IP 地址/主機(jī)名
同樣��,你也可以根據(jù)源 IP 地址或者目的 IP 地址或者主機(jī)名來(lái)篩選數(shù)據(jù)包���。例如抓取源 IP 地址為 192.168.122.98 的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)
10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)
10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 0
10:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 0
10:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.1
5 packets captured
5 packets received by filter
0 packets dropped by kernel
注意此處示例中抓取了來(lái)自源 IP 地址 192.168.122.98 的 53 端口以及 80 端口的數(shù)據(jù)包,它們的應(yīng)答包沒(méi)有顯示出來(lái)因?yàn)槟切┌脑?IP 地址已經(jīng)變了���。
相對(duì)的��,使用 dst 就是按目的 IP/主機(jī)名來(lái)篩選數(shù)據(jù)包�。
$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)
10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)
10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 0
10:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 0
10:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found
5 packets captured
5 packets received by filter
0 packets dropped by kernel
多條件篩選
當(dāng)然�,可以使用多條件組合來(lái)篩選數(shù)據(jù)包����,使用 and 以及 or 邏輯操作符來(lái)創(chuàng)建過(guò)濾規(guī)則��。例如�,篩選來(lái)自源 IP 地址 192.168.122.98 的 HTTP 數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 0
10:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 0
10:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.1
10:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 0
10:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
你也可以使用括號(hào)來(lái)創(chuàng)建更為復(fù)雜的過(guò)濾規(guī)則��,但在 shell 中請(qǐng)用引號(hào)包含你的過(guò)濾規(guī)則以防止被識(shí)別為 shell 表達(dá)式:
$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 0
10:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 0
10:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 0
10:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.1
10:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 0
5 packets captured
5 packets received by filter
0 packets dropped by kernel
該例子中我們只抓取了來(lái)自源 IP 為 192.168.122.98 或者 54.204.39.132 的 HTTP (端口號(hào)80)的數(shù)據(jù)包。使用該方法就很容易抓取到數(shù)據(jù)流中交互雙方的數(shù)據(jù)包了�����。
5�����、檢查數(shù)據(jù)包內(nèi)容
在以上的示例中���,我們只按數(shù)據(jù)包頭部的信息來(lái)建立規(guī)則篩選數(shù)據(jù)包����,例如源地址�����、目的地址���、端口號(hào)等等��。有時(shí)我們需要分析網(wǎng)絡(luò)連接問(wèn)題�,可能需要分析數(shù)據(jù)包中的內(nèi)容來(lái)判斷什么內(nèi)容需要被發(fā)送、什么內(nèi)容需要被接收等����。 tcpdump 提供了兩個(gè)選項(xiàng)可以查看數(shù)據(jù)包內(nèi)容, -X 以十六進(jìn)制打印出數(shù)據(jù)報(bào)文內(nèi)容���, -A 打印數(shù)據(jù)報(bào)文的 ASCII 值�����。
例如����,HTTP 請(qǐng)求報(bào)文內(nèi)容如下:
$ sudo tcpdump -i any -c10 -nn -A port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0
E..<..@.@.....zb6.'....P...@......r............
............................
13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0
E..<..@./..a6.'...zb.P..o..&...A..q a..........
.R.W....... ................
13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0
E..4..@.@.....zb6.'....P...Ao..'...........
.....R.W................
13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1
E.....@.@..1..zb6.'....P...Ao..'...........
.....R.WGET / HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: */*
Host: opensource.com
Connection: Keep-Alive
................
13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0
E..4.F@./.."6.'...zb.P..o..'.......9.2.....
.R.a....................
13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 Found
E....G@./...6.'...zb.P..o..'.......9.......
.R.b....HTTP/1.1 302 Found
Server: nginx
Date: Sun, 23 Sep 2018 17:02:14 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 207
X-Content-Type-Options: nosniff
Location: https://opensource.com/
Cache-Control: max-age=1209600
Expires: Sun, 07 Oct 2018 17:02:14 GMT
X-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2d
X-Varnish: 632951979
Age: 0
Via: 1.1 varnish (Varnish/5.2)
X-Cache: MISS
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a >here</a>.</p>
</body></html>
................
13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o..............
.....R.b................
13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0
E..4..@.@.....zb6.'....P....o..............
.....R.b................
13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0
E..4.H@./.. 6.'...zb.P..o..........9.I.....
.R......................
13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0
E..4..@.@.....zb6.'....P....o..............
.....R..................
10 packets captured
10 packets received by filter
0 packets dropped by kernel
這對(duì)定位一些普通 HTTP 調(diào)用 API 接口的問(wèn)題很有用��。當(dāng)然如果是加密報(bào)文���,這個(gè)輸出也就沒(méi)多大用了�。
6���、保存抓包數(shù)據(jù)
tcpdump 提供了保存抓包數(shù)據(jù)的功能以便后續(xù)分析數(shù)據(jù)包�。例如�����,你可以夜里讓它在那里抓包�,然后早上起來(lái)再去分析它。同樣當(dāng)有很多數(shù)據(jù)包時(shí)���,顯示過(guò)快也不利于分析����,將數(shù)據(jù)包保存下來(lái)��,更有利于分析問(wèn)題�。
使用 -w 選項(xiàng)來(lái)保存數(shù)據(jù)包而不是在屏幕上顯示出抓取的數(shù)據(jù)包:
$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80
[sudo] password for ricardo:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10 packets captured
10 packets received by filter
0 packets dropped by kernel
該命令將抓取的數(shù)據(jù)包保存到文件 webserver.pcap 。后綴名 pcap 表示文件是抓取的數(shù)據(jù)包格式��。
正如示例中所示�����,保存數(shù)據(jù)包到文件中時(shí)屏幕上就沒(méi)有任何有關(guān)數(shù)據(jù)報(bào)文的輸出�����,其中 -c10 表示抓取到 10 個(gè)數(shù)據(jù)包后就停止抓包。如果想有一些反饋來(lái)提示確實(shí)抓取到了數(shù)據(jù)包��,可以使用 -v 選項(xiàng)���。
tcpdump 將數(shù)據(jù)包保存在二進(jìn)制文件中�,所以不能簡(jiǎn)單的用文本編輯器去打開(kāi)它�。使用 -r 選項(xiàng)參數(shù)來(lái)閱讀該文件中的報(bào)文內(nèi)容:
$ tcpdump -nn -r webserver.pcap
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 0
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 0
13:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.1
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 0
13:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 0
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
13:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0
$
這里不需要管理員權(quán)限 sudo 了,因?yàn)榇丝滩⒉皇窃诰W(wǎng)絡(luò)接口處抓包���。
你還可以使用我們討論過(guò)的任何過(guò)濾規(guī)則來(lái)過(guò)濾文件中的內(nèi)容��,就像使用實(shí)時(shí)數(shù)據(jù)一樣�����。 例如��,通過(guò)執(zhí)行以下命令從源 IP 地址 54.204.39.132 檢查文件中的數(shù)據(jù)包:
$ tcpdump -nn -r webserver.pcap src 54.204.39.132
reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)
13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 0
13:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 0
13:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found
13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
下一步做什么��?
以上的基本功能已經(jīng)可以幫助你使用強(qiáng)大的 tcpdump 抓包工具了����。更多的內(nèi)容請(qǐng)參考 tcpdump 網(wǎng)站 以及它的 幫助文件 。
tcpdump 命令行工具為分析網(wǎng)絡(luò)流量數(shù)據(jù)包提供了強(qiáng)大的靈活性�。如果需要使用圖形工具來(lái)抓包請(qǐng)參考 Wireshark 。
Wireshark 還可以用來(lái)讀取 tcpdump 保存的 pcap 文件�。你可以使用 tcpdump 命令行在沒(méi)有 GUI 界面的遠(yuǎn)程機(jī)器上抓包然后在 Wireshark 中分析數(shù)據(jù)包���。
via: https://opensource.com/article/18/10/introduction-tcpdump
總結(jié)
以上所述是小編給大家介紹的在 Linux 命令行中使用 tcpdump 抓包的一些功能����,希望對(duì)大家有所幫助�,如果大家有任何疑問(wèn)請(qǐng)給我留言,小編會(huì)及時(shí)回復(fù)大家的��。在此也非常感謝大家對(duì)腳本之家網(wǎng)站的支持�����!
