
tcpdump: observing the 3-way handshake and 4-way teardown, and analyzing HTTP packets

lukachen
Published 2023-10-22 15:53:01
Column: LukaChen Blog

tcpdump documentation

https://www.tcpdump.org/manpages/tcpdump.1.html

tcpdump Flags:

TCP Flag   tcpdump Flag   Meaning
SYN        S              Syn packet, a session establishment request.
ACK        A              Ack packet, acknowledges the sender's data.
FIN        F              Finish flag, indication of termination.
RESET      R              Reset, indication of immediate abort of conn.
PUSH       P              Push, immediate push of data from sender.
URGENT     U              Urgent, takes precedence over other data.
NONE       A dot .        Placeholder, usually used for ACK.

Machine A

192.168.75.119

Scenario 1: capture port 80 traffic on the NIC and observe the 3-way handshake and 4-way teardown

Command

tcpdump -nn -i venet0:0 port 80

Command explanation

-nn   two n's: do not resolve hostnames or port names, so IPs and port numbers are shown as-is
-i    the interface to capture on; the command above captures on the venet0:0 NIC
port  port filter

Run the capture command on machine A, open another terminal and curl Baidu; the following is machine A's capture output

xxx@root:/tmp$ tcpdump -nn -s0 -i venet0:0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0:0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

19:38:15.662702 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [S], seq 380372445, win 14600, options [mss 1460,sackOK,TS val 3112001446 ecr 0,nop,wscale 7], length 0
19:38:15.674763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [S.], seq 3139174922, ack 380372446, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
19:38:15.674795 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0
19:38:15.674984 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
19:38:15.682270 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 165, win 944, length 0
19:38:15.683738 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], seq 1:1453, ack 165, win 944, length 1452
19:38:15.683755 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1453, win 137, length 0
19:38:15.683763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [P.], seq 1453:2782, ack 165, win 944, length 1329
19:38:15.683770 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2782, win 160, length 0
19:38:15.684667 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
19:38:15.691683 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 166, win 944, length 0
19:38:15.691786 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [F.], seq 2782, ack 166, win 944, length 0
19:38:15.691801 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0
19:38:18.699755 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [R], seq 3139177705, win 0, length 0

3-way handshake

19:38:15.662702 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [S], seq 380372445, win 14600, options [mss 1460,sackOK,TS val 3112001446 ecr 0,nop,wscale 7], length 0
19:38:15.674763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [S.], seq 3139174922, ack 380372446, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
19:38:15.674795 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0

4-way teardown

19:38:15.684667 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
19:38:15.691683 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 166, win 944, length 0
19:38:15.691786 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [F.], seq 2782, ack 166, win 944, length 0
19:38:15.691801 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0
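As an added example (not part of the original post), the following Python script parses the one-line summaries that `tcpdump -nn` prints, as in the capture above, and reconstructs per-connection state: which side sent the SYN, whether the three-step handshake completed, whether a FIN was seen from both sides, and whether an RST appeared. The sample lines are constructed from the capture above plus one extra SYN on port 43671 that never gets a reply, which is how a half-open connection or a filtered port shows up in a capture.

```python
"""Reconstruct TCP handshake / teardown state from "tcpdump -nn" summary lines."""
import re
from collections import defaultdict

# <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ... length <n>
LINE_RE = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)$")

def parse_line(line):
    """Fields of one tcpdump TCP summary line, or None for any other line (banner, hex dump)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, src, sport, dst, dport, flags, _ = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}

def flow_key(p):
    """Sort the two endpoints so both directions land on the same connection."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def classify(lines):
    """Per connection: SYN sender, 3-way handshake completed, FIN from both sides, RST seen."""
    flows = defaultdict(lambda: {"client": None, "synack": False, "handshake": False,
                                  "fin_from": set(), "teardown": False, "reset": False})
    for p in filter(None, map(parse_line, lines)):
        f, flags = flows[flow_key(p)], p["flags"]
        if flags == "S":                               # step 1: SYN from the client
            f["client"] = p["src"]
        elif flags == "S.":                            # step 2: SYN-ACK from the server
            f["synack"] = True
        elif flags == "." and f["synack"] and p["src"] == f["client"]:
            f["handshake"] = True                      # step 3: the client's ACK
        if "F" in flags:                               # FIN: record which side sent it
            f["fin_from"].add(p["src"])
            f["teardown"] = len(f["fin_from"]) == 2    # both sides closed (4-way teardown)
        if "R" in flags:
            f["reset"] = True                          # abort, e.g. the late RST in the capture
    return dict(flows)

# Constructed sample: the handshake, teardown and late RST from the capture above, plus one unanswered SYN (port 43671).
SAMPLE = """\
19:38:15.662702 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [S], seq 380372445, win 14600, options [mss 1460,sackOK,TS val 3112001446 ecr 0,nop,wscale 7], length 0
19:38:15.674763 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [S.], seq 3139174922, ack 380372446, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
19:38:15.674795 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0
19:38:15.684667 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [F.], seq 165, ack 2782, win 160, length 0
19:38:15.691683 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [.], ack 166, win 944, length 0
19:38:15.691786 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [F.], seq 2782, ack 166, win 944, length 0
19:38:15.691801 IP 192.168.75.119.43670 > 180.101.49.12.80: Flags [.], ack 2783, win 160, length 0
19:38:18.699755 IP 180.101.49.12.80 > 192.168.75.119.43670: Flags [R], seq 3139177705, win 0, length 0
19:38:20.000001 IP 192.168.75.119.43671 > 180.101.49.12.80: Flags [S], seq 1, win 14600, options [mss 1460], length 0
""".splitlines()
```

Feeding `classify` the full output of `tcpdump -nn port 80` (one line per packet) gives one entry per connection; entries whose `client` is set but `handshake` is still False are the SYNs that were never answered.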

Scenario 2: analyzing HTTP packets

Command

tcpdump -nn -s0 -A -i venet0:0 port 80

Command explanation

-nn   two n's: do not resolve hostnames or port names, so IPs and port numbers are shown as-is
-s0   capture the full content of each packet
-A    print each packet in ASCII, which makes the packet contents easy to read
-i    the interface to capture on; the command above captures on the venet0:0 NIC
port  port filter

Run the capture command on machine A, open another terminal and curl Baidu; the following is machine A's capture output

xxx@root:/tmp$ tcpdump -nn -s0 -A -i venet0:0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0:0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

20:02:49.878097 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [S], seq 4212612831, win 14600, options [mss 1460,sackOK,TS val 3113475661 ecr 0,nop,wscale 7], length 0
E..<..@.@.....Kw.e1....P..^.......9.z).........
...M........
20:02:49.886133 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [S.], seq 3330186074, ack 4212612832, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
E .<..@.0..x.e1...Kw.P...~.Z..^... ..7......................
20:02:49.886168 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [.], ack 1, win 115, length 0
E..(..@.@.....Kw.e1....P..^..~.[P..sP...
20:02:49.886390 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
E.....@.@.....Kw.e1....P..^..~.[P..s....GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: www.baidu.com
Accept: */*


20:02:49.894725 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [.], ack 165, win 944, length 0
E .(..@.'..q.e1...Kw.P...~.[.._.P...L...
20:02:49.896030 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [P.], seq 1:1441, ack 165, win 944, length 1440
E ....@.'....e1...Kw.P...~.[.._.P...J~..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Wed, 27 Jan 2021 12:02:49 GMT
Etag: "588604c8-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content="text/html; charset=gbk"

Core step 1: leaving the 3-way handshake aside and reading on, machine A sends the HTTP request headers to Baidu
20:02:49.886390 IP 192.168.75.119.45332 > 180.101.49.12.80: Flags [P.], seq 1:165, ack 1, win 115, length 164
E.....@.@.....Kw.e1....P..^..~.[P..s....GET / HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: www.baidu.com
Accept: */*

Core step 2: Baidu replies with a packet acknowledging 165 (ack 165), then sends machine A the HTTP response headers, a blank line and the response body

20:02:49.894725 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [.], ack 165, win 944, length 0
E .(..@.'..q.e1...Kw.P...~.[.._.P...L...
20:02:49.896030 IP 180.101.49.12.80 > 192.168.75.119.45332: Flags [P.], seq 1:1441, ack 165, win 944, length 1440
E ....@.'....e1...Kw.P...~.[.._.P...J~..HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Connection: keep-alive
Content-Length: 2381
Content-Type: text/html
Date: Wed, 27 Jan 2021 12:02:49 GMT
Etag: "588604c8-94d"
Last-Modified: Mon, 23 Jan 2017 13:27:36 GMT
Pragma: no-cache
Server: bfe/1.0.8.18
Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/

<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content="text/html; charset=gbk"

Conclusion

tcpdump is a very powerful packet capture tool with a great many options; the above lists only two usage scenarios, and you can extend them to your own needs. If you have questions or spot errors, feel free to discuss in the comments.

Originally published 2021-01-27 on the author's personal site/blog; shared via the Tencent Cloud self-media sharing program.
