tcpdump 是一款靈活�����、功能強(qiáng)大的抓包工具,能有效地幫助排查網(wǎng)絡(luò)故障問題����。
以我作為管理員的經(jīng)驗(yàn),在網(wǎng)絡(luò)連接中經(jīng)常遇到十分難以排查的故障問題�。對于這類情況���, tcpdump 便能派上用場。
tcpdump 是一個命令行實(shí)用工具���,允許你抓取和分析經(jīng)過系統(tǒng)的流量數(shù)據(jù)包。它通常被用作于網(wǎng)絡(luò)故障分析工具以及安全工具����。
tcpdump 是一款強(qiáng)大的工具�����,支持多種選項(xiàng)和過濾規(guī)則,適用場景十分廣泛���。由于它是命令行工具���,因此適用于在遠(yuǎn)程服務(wù)器或者沒有圖形界面的設(shè)備中收集數(shù)據(jù)包以便于事后分析���。它可以在后臺啟動����,也可以用 cron 等定時工具創(chuàng)建定時任務(wù)啟用它。
本文中����,我們將討論 tcpdump 最常用的一些功能。
1���、在 Linux 中安裝 tcpdump
tcpdump 支持多種 Linux 發(fā)行版,所以你的系統(tǒng)中很有可能已經(jīng)安裝了它��。用下面的命令檢查一下是否已經(jīng)安裝了 tcpdump :
$ which tcpdump/usr/sbin/tcpdump
如果還沒有安裝 tcpdump �����,你可以用軟件包管理器安裝它�����。 例如,在 CentOS 或者 Red Hat Enterprise 系統(tǒng)中�����,用如下命令安裝 tcpdump :
$ sudo yum install -y tcpdump
tcpdump 依賴于 libpcap ��,該庫文件用于捕獲網(wǎng)絡(luò)數(shù)據(jù)包�。如果該庫文件也沒有安裝,系統(tǒng)會根據(jù)依賴關(guān)系自動安裝它�����。
現(xiàn)在你可以開始抓包了���。
2��、用 tcpdump 抓包
使用 tcpdump 抓包�����,需要管理員權(quán)限����,因此下面的示例中絕大多數(shù)命令都是以 sudo 開頭����。
首先����,先用 tcpdump -D 命令列出可以抓包的網(wǎng)絡(luò)接口:
$ sudo tcpdump -Deth0virbr0eth1any (Pseudo-device that captures on all interfaces)lo [Loopback]
如上所示�,可以看到我的機(jī)器中所有可以抓包的網(wǎng)絡(luò)接口。其中特殊接口 any 可用于抓取所有活動的網(wǎng)絡(luò)接口的數(shù)據(jù)包��。
我們就用如下命令先對 any 接口進(jìn)行抓包:
$ sudo tcpdump -i anytcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes09:56:18.293641 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3770820720:3770820916, ack 3503648727, win 309, options [nop,nop,TS val 76577898 ecr 510770929], length 19609:56:18.293794 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 391, options [nop,nop,TS val 510771017 ecr 76577898], length 009:56:18.295058 IP rhel75.59883 > gateway.domain: 2486+ PTR? 1.64.168.192.in-addr.arpa. (43)09:56:18.310225 IP gateway.domain > rhel75.59883: 2486 NXDomain* 0/1/0 (102)09:56:18.312482 IP rhel75.49685 > gateway.domain: 34242+ PTR? 28.64.168.192.in-addr.arpa. (44)09:56:18.322425 IP gateway.domain > rhel75.49685: 34242 NXDomain* 0/1/0 (103)09:56:18.323164 IP rhel75.56631 > gateway.domain: 29904+ PTR? 1.122.168.192.in-addr.arpa. (44)09:56:18.323342 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 196:584, ack 1, win 309, options [nop,nop,TS val 76577928 ecr 510771017], length 38809:56:18.323563 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 584, win 411, options [nop,nop,TS val 510771047 ecr 76577928], length 009:56:18.335569 IP gateway.domain > rhel75.56631: 29904 NXDomain* 0/1/0 (103)09:56:18.336429 IP rhel75.44007 > gateway.domain: 61677+ PTR? 98.122.168.192.in-addr.arpa. (45)09:56:18.336655 IP gateway.domain > rhel75.44007: 61677* 1/0/0 PTR rhel75. (65)09:56:18.337177 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 584:1644, ack 1, win 309, options [nop,nop,TS val 76577942 ecr 510771047], length 1060---- SKIPPING LONG OUTPUT -----09:56:19.342939 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 1752016, win 1444, options [nop,nop,TS val 510772067 ecr 76578948], length 0^C9003 packets captured9010 packets received by filter7 packets dropped by kernel$
tcpdump 會持續(xù)抓包直到收到中斷信號���。你可以按 Ctrl+C 來停止抓包。正如上面示例所示�, tcpdump 抓取了超過 9000 個數(shù)據(jù)包。在這個示例中���,由于我是通過 ssh 連接到服務(wù)器�����,所以 tcpdump 也捕獲了所有這類數(shù)據(jù)包。 -c 選項(xiàng)可以用于限制 tcpdump 抓包的數(shù)量:
$ sudo tcpdump -i any -c 5tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes11:21:30.242740 IP rhel75.localdomain.ssh > 192.168.64.1.56322: Flags [P.], seq 3772575680:3772575876, ack 3503651743, win 309, options [nop,nop,TS val 81689848 ecr 515883153], length 19611:21:30.242906 IP 192.168.64.1.56322 > rhel75.localdomain.ssh: Flags [.], ack 196, win 1443, options [nop,nop,TS val 515883235 ecr 81689848], length 011:21:30.244442 IP rhel75.43634 > gateway.domain: 57680+ PTR? 1.64.168.192.in-addr.arpa. (43)11:21:30.244829 IP gateway.domain > rhel75.43634: 57680 NXDomain 0/0/0 (43)11:21:30.247048 IP rhel75.33696 > gateway.domain: 37429+ PTR? 28.64.168.192.in-addr.arpa. (44)5 packets captured12 packets received by filter0 packets dropped by kernel$
如上所示���, tcpdump 在抓取 5 個數(shù)據(jù)包后自動停止了抓包。這在有些場景中十分有用 —— 比如你只需要抓取少量的數(shù)據(jù)包用于分析�����。當(dāng)我們需要使用過濾規(guī)則抓取特定的數(shù)據(jù)包(如下所示)時���, -c 的作用就十分突出了。
在上面示例中�����, tcpdump 默認(rèn)是將 IP 地址和端口號解析為對應(yīng)的接口名以及服務(wù)協(xié)議名稱��。而通常在網(wǎng)絡(luò)故障排查中�,使用 IP 地址和端口號更便于分析問題���;用 -n 選項(xiàng)顯示 IP 地址���, -nn 選項(xiàng)顯示端口號:
$ sudo tcpdump -i any -c5 -nntcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes23:56:24.292206 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 166198580:166198776, ack 2414541257, win 309, options [nop,nop,TS val 615664 ecr 540031155], length 19623:56:24.292357 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 196, win 1377, options [nop,nop,TS val 540031229 ecr 615664], length 023:56:24.292570 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 37223:56:24.292655 IP 192.168.64.1.35110 > 192.168.64.28.22: Flags [.], ack 568, win 1400, options [nop,nop,TS val 540031229 ecr 615664], length 023:56:24.292752 IP 192.168.64.28.22 > 192.168.64.1.35110: Flags [P.], seq 568:908, ack 1, win 309, options [nop,nop,TS val 615664 ecr 540031229], length 3405 packets captured6 packets received by filter0 packets dropped by kernel
如上所示,抓取的數(shù)據(jù)包中顯示 IP 地址和端口號����。這樣還可以阻止 tcpdump 發(fā)出 DNS 查找,有助于在網(wǎng)絡(luò)故障排查中減少數(shù)據(jù)流量�。
現(xiàn)在你已經(jīng)會抓包了��,讓我們來分析一下這些抓包輸出的含義吧����。
3、理解抓取的報(bào)文
tcpdump 能夠抓取并解碼多種協(xié)議類型的數(shù)據(jù)報(bào)文�����,如 TCP、UDP���、ICMP 等等。雖然這里我們不可能介紹所有的數(shù)據(jù)報(bào)文類型���,但可以分析下 TCP 類型的數(shù)據(jù)報(bào)文�����,來幫助你入門。更多有關(guān) tcpdump 的詳細(xì)介紹可以參考其 幫助手冊 �。 tcpdump 抓取的 TCP 報(bào)文看起來如下:
08:41:13.729687 IP 192.168.64.28.22 > 192.168.64.1.41916: Flags [P.], seq 196:568, ack 1, win 309, options [nop,nop,TS val 117964079 ecr 816509256], length 372
具體的字段根據(jù)不同的報(bào)文類型會有不同,但上面這個例子是一般的格式形式����。
第一個字段 08:41:13.729687 是該數(shù)據(jù)報(bào)文被抓取的系統(tǒng)本地時間戳�����。
然后���, IP 是網(wǎng)絡(luò)層協(xié)議類型���,這里是 IPv4 ��,如果是 IPv6 協(xié)議���,該字段值是 IP6 。
192.168.64.28.22 是源 ip 地址和端口號����,緊跟其后的是目的 ip 地址和其端口號����,這里是 192.168.64.1.41916 ��。
在源 IP 和目的 IP 之后,可以看到是 TCP 報(bào)文標(biāo)記段 Flags [P.] ����。該字段通常取值如下:
該字段也可以是這些值的組合�����,例如 [S.] 代表 SYN-ACK 數(shù)據(jù)包����。
接下來是該數(shù)據(jù)包中數(shù)據(jù)的序列號。對于抓取的第一個數(shù)據(jù)包��,該字段值是一個絕對數(shù)字���,后續(xù)包使用相對數(shù)值��,以便更容易查詢跟蹤���。例如此處 seq 196:568 代表該數(shù)據(jù)包包含該數(shù)據(jù)流的第 196 到 568 字節(jié)。
接下來是 ack 值: ack 1 �。該數(shù)據(jù)包是數(shù)據(jù)發(fā)送方�,ack 值為 1���。在數(shù)據(jù)接收方,該字段代表數(shù)據(jù)流上的下一個預(yù)期字節(jié)數(shù)據(jù)����,例如�,該數(shù)據(jù)流中下一個數(shù)據(jù)包的 ack 值應(yīng)該是 568。
接下來字段是接收窗口大小 win 309 ���,它表示接收緩沖區(qū)中可用的字節(jié)數(shù)����,后跟 TCP 選項(xiàng)如 MSS(最大段大?�。┗蛘叽翱诒壤?���。更詳盡的 TCP 協(xié)議內(nèi)容請參考 Transmission Control Protocol(TCP) Parameters ���。
最后, length 372 代表數(shù)據(jù)包有效載荷字節(jié)長度�。這個長度和 seq 序列號中字節(jié)數(shù)值長度是不一樣的���。
現(xiàn)在讓我們學(xué)習(xí)如何過濾數(shù)據(jù)報(bào)文以便更容易的分析定位問題�。
4、過濾數(shù)據(jù)包
正如上面所提���, tcpdump 可以抓取很多種類型的數(shù)據(jù)報(bào)文����,其中很多可能和我們需要查找的問題并沒有關(guān)系�����。舉個例子�����,假設(shè)你正在定位一個與 web 服務(wù)器連接的網(wǎng)絡(luò)問題���,就不必關(guān)系 SSH 數(shù)據(jù)報(bào)文���,因此在抓包結(jié)果中過濾掉 SSH 報(bào)文可能更便于你分析問題。
tcpdump 有很多參數(shù)選項(xiàng)可以設(shè)置數(shù)據(jù)包過濾規(guī)則,例如根據(jù)源 IP 以及目的 IP 地址���,端口號���,協(xié)議等等規(guī)則來過濾數(shù)據(jù)包。
下面就介紹一些最常用的過濾方法。
協(xié)議
在命令中指定協(xié)議便可以按照協(xié)議類型來篩選數(shù)據(jù)包���。比方說用如下命令只要抓取 ICMP 報(bào)文:
$ sudo tcpdump -i any -c5 icmptcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
然后再打開一個終端��,去 ping 另一臺機(jī)器:
$ ping opensource.comPING opensource.com (54.204.39.132) 56(84) bytes of data.64 bytes from ec2-54-204-39-132.compute-1.amazonaws.com (54.204.39.132): icmp_seq=1 ttl=47 time=39.6 ms
回到運(yùn)行 tcpdump 命令的終端中�����,可以看到它篩選出了 ICMP 報(bào)文�����。這里 tcpdump 并沒有顯示有關(guān) opensource.com 的域名解析數(shù)據(jù)包:
09:34:20.136766 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 1, length 6409:34:20.176402 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 1, length 6409:34:21.140230 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 2, length 6409:34:21.180020 IP ec2-54-204-39-132.compute-1.amazonaws.com > rhel75: ICMP echo reply, id 20361, seq 2, length 6409:34:22.141777 IP rhel75 > ec2-54-204-39-132.compute-1.amazonaws.com: ICMP echo request, id 20361, seq 3, length 645 packets captured5 packets received by filter0 packets dropped by kernel
主機(jī)
用 host 參數(shù)只抓取和特定主機(jī)相關(guān)的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn host 54.204.39.132tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes09:54:20.042023 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [S], seq 1375157070, win 29200, options [mss 1460,sackOK,TS val 122350391 ecr 0,nop,wscale 7], length 009:54:20.088127 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [S.], seq 1935542841, ack 1375157071, win 28960, options [mss 1460,sackOK,TS val 522713542 ecr 122350391,nop,wscale 9], length 009:54:20.088204 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122350437 ecr 522713542], length 009:54:20.088734 IP 192.168.122.98.39326 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122350438 ecr 522713542], length 112: HTTP: GET / HTTP/1.109:54:20.129733 IP 54.204.39.132.80 > 192.168.122.98.39326: Flags [.], ack 113, win 57, options [nop,nop,TS val 522713552 ecr 122350438], length 05 packets captured5 packets received by filter0 packets dropped by kernel
如上所示,只抓取和顯示與 54.204.39.132 有關(guān)的數(shù)據(jù)包����。
端口號
tcpdump 可以根據(jù)服務(wù)類型或者端口號來篩選數(shù)據(jù)包。例如�,抓取和 HTTP 服務(wù)相關(guān)的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn port 80tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes09:58:28.790548 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [S], seq 1745665159, win 29200, options [mss 1460,sackOK,TS val 122599140 ecr 0,nop,wscale 7], length 009:58:28.834026 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [S.], seq 4063583040, ack 1745665160, win 28960, options [mss 1460,sackOK,TS val 522775728 ecr 122599140,nop,wscale 9], length 009:58:28.834093 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 122599183 ecr 522775728], length 009:58:28.834588 IP 192.168.122.98.39330 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 122599184 ecr 522775728], length 112: HTTP: GET / HTTP/1.109:58:28.878445 IP 54.204.39.132.80 > 192.168.122.98.39330: Flags [.], ack 113, win 57, options [nop,nop,TS val 522775739 ecr 122599184], length 05 packets captured5 packets received by filter0 packets dropped by kernel
IP 地址/主機(jī)名
同樣����,你也可以根據(jù)源 IP 地址或者目的 IP 地址或者主機(jī)名來篩選數(shù)據(jù)包�����。例如抓取源 IP 地址為 192.168.122.98 的數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes10:02:15.220824 IP 192.168.122.98.39436 > 192.168.122.1.53: 59332+ A? opensource.com. (32)10:02:15.220862 IP 192.168.122.98.39436 > 192.168.122.1.53: 20749+ AAAA? opensource.com. (32)10:02:15.364062 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [S], seq 1108640533, win 29200, options [mss 1460,sackOK,TS val 122825713 ecr 0,nop,wscale 7], length 010:02:15.409229 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [.], ack 669337581, win 229, options [nop,nop,TS val 122825758 ecr 522832372], length 010:02:15.409667 IP 192.168.122.98.39334 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 122825759 ecr 522832372], length 112: HTTP: GET / HTTP/1.15 packets captured5 packets received by filter0 packets dropped by kernel
注意此處示例中抓取了來自源 IP 地址 192.168.122.98 的 53 端口以及 80 端口的數(shù)據(jù)包���,它們的應(yīng)答包沒有顯示出來因?yàn)槟切┌脑?IP 地址已經(jīng)變了�����。
相對的�,使用 dst 就是按目的 IP/主機(jī)名來篩選數(shù)據(jù)包�。
$ sudo tcpdump -i any -c5 -nn dst 192.168.122.98tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes10:05:03.572931 IP 192.168.122.1.53 > 192.168.122.98.47049: 2248 1/0/0 A 54.204.39.132 (48)10:05:03.572944 IP 192.168.122.1.53 > 192.168.122.98.47049: 33770 0/0/0 (32)10:05:03.621833 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [S.], seq 3474204576, ack 3256851264, win 28960, options [mss 1460,sackOK,TS val 522874425 ecr 122993922,nop,wscale 9], length 010:05:03.667767 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [.], ack 113, win 57, options [nop,nop,TS val 522874436 ecr 122993972], length 010:05:03.672221 IP 54.204.39.132.80 > 192.168.122.98.39338: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 522874437 ecr 122993972], length 642: HTTP: HTTP/1.1 302 Found5 packets captured5 packets received by filter0 packets dropped by kernel
多條件篩選
當(dāng)然,可以使用多條件組合來篩選數(shù)據(jù)包���,使用 and 以及 or 邏輯操作符來創(chuàng)建過濾規(guī)則�。例如����,篩選來自源 IP 地址 192.168.122.98 的 HTTP 數(shù)據(jù)包:
$ sudo tcpdump -i any -c5 -nn src 192.168.122.98 and port 80tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes10:08:00.472696 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [S], seq 2712685325, win 29200, options [mss 1460,sackOK,TS val 123170822 ecr 0,nop,wscale 7], length 010:08:00.516118 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 268723504, win 229, options [nop,nop,TS val 123170865 ecr 522918648], length 010:08:00.516583 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [P.], seq 0:112, ack 1, win 229, options [nop,nop,TS val 123170866 ecr 522918648], length 112: HTTP: GET / HTTP/1.110:08:00.567044 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 123170916 ecr 522918661], length 010:08:00.788153 IP 192.168.122.98.39342 > 54.204.39.132.80: Flags [F.], seq 112, ack 643, win 239, options [nop,nop,TS val 123171137 ecr 522918661], length 05 packets captured5 packets received by filter0 packets dropped by kernel
你也可以使用括號來創(chuàng)建更為復(fù)雜的過濾規(guī)則��,但在 shell 中請用引號包含你的過濾規(guī)則以防止被識別為 shell 表達(dá)式:
$ sudo tcpdump -i any -c5 -nn "port 80 and (src 192.168.122.98 or src 54.204.39.132)"tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes10:10:37.602214 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [S], seq 871108679, win 29200, options [mss 1460,sackOK,TS val 123327951 ecr 0,nop,wscale 7], length 010:10:37.650651 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [S.], seq 854753193, ack 871108680, win 28960, options [mss 1460,sackOK,TS val 522957932 ecr 123327951,nop,wscale 9], length 010:10:37.650708 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 010:10:37.651097 IP 192.168.122.98.39346 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 123328000 ecr 522957932], length 112: HTTP: GET / HTTP/1.110:10:37.692900 IP 54.204.39.132.80 > 192.168.122.98.39346: Flags [.], ack 113, win 57, options [nop,nop,TS val 522957942 ecr 123328000], length 05 packets captured5 packets received by filter0 packets dropped by kernel
該例子中我們只抓取了來自源 IP 為 192.168.122.98 或者 54.204.39.132 的 HTTP (端口號80)的數(shù)據(jù)包����。使用該方法就很容易抓取到數(shù)據(jù)流中交互雙方的數(shù)據(jù)包了。
5��、檢查數(shù)據(jù)包內(nèi)容
在以上的示例中�����,我們只按數(shù)據(jù)包頭部的信息來建立規(guī)則篩選數(shù)據(jù)包��,例如源地址����、目的地址����、端口號等等�����。有時我們需要分析網(wǎng)絡(luò)連接問題�,可能需要分析數(shù)據(jù)包中的內(nèi)容來判斷什么內(nèi)容需要被發(fā)送�、什么內(nèi)容需要被接收等�。 tcpdump 提供了兩個選項(xiàng)可以查看數(shù)據(jù)包內(nèi)容, -X 以十六進(jìn)制打印出數(shù)據(jù)報(bào)文內(nèi)容�, -A 打印數(shù)據(jù)報(bào)文的 ASCII 值。
例如�����,HTTP 請求報(bào)文內(nèi)容如下:
$ sudo tcpdump -i any -c10 -nn -A port 80tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes13:02:14.871803 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [S], seq 2546602048, win 29200, options [mss 1460,sackOK,TS val 133625221 ecr 0,nop,wscale 7], length 0E..<..@.@.....zb6.'....P...@......r........................................13:02:14.910734 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [S.], seq 1877348646, ack 2546602049, win 28960, options [mss 1460,sackOK,TS val 525532247 ecr 133625221,nop,wscale 9], length 0E..<..@./..a6.'...zb.P..o..&...A..q a...........R.W....... ................13:02:14.910832 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 133625260 ecr 525532247], length 0E..4..@.@.....zb6.'....P...Ao..'................R.W................13:02:14.911808 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 133625261 ecr 525532247], length 112: HTTP: GET / HTTP/1.1E.....@.@..1..zb6.'....P...Ao..'................R.WGET / HTTP/1.1User-Agent: Wget/1.14 (linux-gnu)Accept: */*Host: opensource.comConnection: Keep-Alive................13:02:14.951199 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [.], ack 113, win 57, options [nop,nop,TS val 525532257 ecr 133625261], length 0E..4.F@./.."6.'...zb.P..o..'.......9.2......R.a....................13:02:14.955030 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 525532258 ecr 133625261], length 642: HTTP: HTTP/1.1 302 FoundE....G@./...6.'...zb.P..o..'.......9........R.b....HTTP/1.1 302 FoundServer: nginxDate: Sun, 23 Sep 2018 17:02:14 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 207X-Content-Type-Options: nosniffLocation: https://opensource.com/Cache-Control: max-age=1209600Expires: Sun, 07 Oct 2018 17:02:14 GMTX-Request-ID: v-6baa3acc-bf52-11e8-9195-22000ab8cf2dX-Varnish: 632951979Age: 0Via: 1.1 varnish (Varnish/5.2)X-Cache: MISSConnection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://opensource.com/">here</a>.</p></body></html>................13:02:14.955083 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 133625304 ecr 525532258], length 0E..4..@.@.....zb6.'....P....o...................R.b................13:02:15.195524 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 133625545 ecr 525532258], length 0E..4..@.@.....zb6.'....P....o...................R.b................13:02:15.236592 IP 54.204.39.132.80 > 192.168.122.98.39366: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 525532329 ecr 133625545], length 0E..4.H@./.. 6.'...zb.P..o..........9.I......R......................13:02:15.236656 IP 192.168.122.98.39366 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 133625586 ecr 525532329], length 0E..4..@.@.....zb6.'....P....o...................R..................10 packets captured10 packets received by filter0 packets dropped by kernel
這對定位一些普通 HTTP 調(diào)用 API 接口的問題很有用����。當(dāng)然如果是加密報(bào)文,這個輸出也就沒多大用了�����。
6�、保存抓包數(shù)據(jù)
tcpdump 提供了保存抓包數(shù)據(jù)的功能以便后續(xù)分析數(shù)據(jù)包。例如,你可以夜里讓它在那里抓包�,然后早上起來再去分析它���。同樣當(dāng)有很多數(shù)據(jù)包時�,顯示過快也不利于分析�,將數(shù)據(jù)包保存下來��,更有利于分析問題���。
使用 -w 選項(xiàng)來保存數(shù)據(jù)包而不是在屏幕上顯示出抓取的數(shù)據(jù)包:
$ sudo tcpdump -i any -c10 -nn -w webserver.pcap port 80[sudo] password for ricardo:tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes10 packets captured10 packets received by filter0 packets dropped by kernel
該命令將抓取的數(shù)據(jù)包保存到文件 webserver.pcap 。后綴名 pcap 表示文件是抓取的數(shù)據(jù)包格式��。
正如示例中所示���,保存數(shù)據(jù)包到文件中時屏幕上就沒有任何有關(guān)數(shù)據(jù)報(bào)文的輸出�,其中 -c10 表示抓取到 10 個數(shù)據(jù)包后就停止抓包。如果想有一些反饋來提示確實(shí)抓取到了數(shù)據(jù)包���,可以使用 -v 選項(xiàng)。
tcpdump 將數(shù)據(jù)包保存在二進(jìn)制文件中�,所以不能簡單的用文本編輯器去打開它。使用 -r 選項(xiàng)參數(shù)來閱讀該文件中的報(bào)文內(nèi)容:
$ tcpdump -nn -r webserver.pcapreading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)13:36:57.679494 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [S], seq 3709732619, win 29200, options [mss 1460,sackOK,TS val 135708029 ecr 0,nop,wscale 7], length 013:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 013:36:57.719005 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 013:36:57.719186 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [P.], seq 1:113, ack 1, win 229, options [nop,nop,TS val 135708068 ecr 526052949], length 112: HTTP: GET / HTTP/1.113:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 013:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found13:36:57.760182 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 643, win 239, options [nop,nop,TS val 135708109 ecr 526052959], length 013:36:57.977602 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [F.], seq 113, ack 643, win 239, options [nop,nop,TS val 135708327 ecr 526052959], length 013:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 013:36:58.022132 IP 192.168.122.98.39378 > 54.204.39.132.80: Flags [.], ack 644, win 239, options [nop,nop,TS val 135708371 ecr 526053025], length 0$
這里不需要管理員權(quán)限 sudo 了,因?yàn)榇丝滩⒉皇窃诰W(wǎng)絡(luò)接口處抓包�����。
你還可以使用我們討論過的任何過濾規(guī)則來過濾文件中的內(nèi)容�����,就像使用實(shí)時數(shù)據(jù)一樣���。 例如,通過執(zhí)行以下命令從源 IP 地址 54.204.39.132 檢查文件中的數(shù)據(jù)包:
$ tcpdump -nn -r webserver.pcap src 54.204.39.132reading from file webserver.pcap, link-type LINUX_SLL (Linux cooked)13:36:57.718932 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [S.], seq 1999298316, ack 3709732620, win 28960, options [mss 1460,sackOK,TS val 526052949 ecr 135708029,nop,wscale 9], length 013:36:57.756979 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [.], ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 013:36:57.760122 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [P.], seq 1:643, ack 113, win 57, options [nop,nop,TS val 526052959 ecr 135708068], length 642: HTTP: HTTP/1.1 302 Found13:36:58.022089 IP 54.204.39.132.80 > 192.168.122.98.39378: Flags [F.], seq 643, ack 114, win 57, options [nop,nop,TS val 526053025 ecr 135708327], length 0
下一步做什么����?
以上的基本功能已經(jīng)可以幫助你使用強(qiáng)大的 tcpdump 抓包工具了。更多的內(nèi)容請參考 tcpdump 網(wǎng)站 以及它的 幫助文件 ��。
tcpdump 命令行工具為分析網(wǎng)絡(luò)流量數(shù)據(jù)包提供了強(qiáng)大的靈活性�。如果需要使用圖形工具來抓包請參考 Wireshark 。
Wireshark 還可以用來讀取 tcpdump 保存的 pcap 文件����。你可以使用 tcpdump 命令行在沒有 GUI 界面的遠(yuǎn)程機(jī)器上抓包然后在 Wireshark 中分析數(shù)據(jù)包。
via: https://opensource.com/article/18/10/introduction-tcpdump
總結(jié)
以上所述是小編給大家介紹的在 Linux 命令行中使用 tcpdump 抓包的一些功能��,希望對大家有所幫助,如果大家有任何疑問請給我留言�,小編會及時回復(fù)大家的。在此也非常感謝大家對VEVB武林網(wǎng)網(wǎng)站的支持��!
注:相關(guān)教程知識閱讀請移步到服務(wù)器教程頻道���。
