tshark linux
大多数情况下,当我们连接到Internet时,我们不会想到底层的网络协议可以使一切变为可能。 现在,当您阅读本文时,计算机正在交换大量数据包并通过Internet进行传输。
要了解这些协议,您需要一个可以捕获并帮助您分析这些数据包的工具。 Wireshark是一种流行的开源图形用户界面(GUI)工具,用于分析数据包。 但是,它也为喜欢在Linux命令行上工作的人们提供了一个称为TShark的强大命令行实用程序。
要尝试本文中的示例,您需要连接到Internet。 有关TShark命令行选项或标志的任何更改,请参考相应的手册页和在线文档 。 另外,我在这些示例中使用Fedora。
[gaurav@testbox ~]$ cat /etc/fedora-release
Fedora release 30 (Thirty)
[gaurav@testbox ~]$
检查您的安装
首先,确保已安装必需的软件包:
[gaurav@testbox ~]$ rpm -qa | grep -i wireshark
wireshark-cli-3.0.1-1.fc30.x86_64
[gaurav@testbox ~]$
如果安装了Wireshark软件包,请检查是否安装了TShark实用程序,如果已安装,则检查哪个版本:
[gaurav@testbox ~]$ tshark -v
TShark (Wireshark) 3.0.1 (23f278e2)
Built using gcc 9.0.1 20190312 (Red Hat 9.0.1-0.10).
[gaurav@testbox ~]$
如果您以普通的非root用户身份登录,则需要sudo权限才能使用TShark实用程序。 超级用户可以跳过sudo并直接运行tshark命令。
查找可用于TShark的网络设备
在TShark可以分析数据包之前,它需要捕获这些数据包。 网络数据包通过服务器,工作站或台式机上的网络接口卡(NIC)或笔记本电脑上的WiFi卡进行处理。 首先确定用于连接互联网的NIC或WiFi卡。
要确定哪些网络设备可用于TShark,请运行以下命令。 我的笔记本电脑(用于这些示例)显示:
[gaurav@testbox ~]$ sudo tshark -D
Running as user "root" and group "root". This could be dangerous.
1. wlp61s0
2. lo (Loopback)
3. any
4. virbr0
5. enp0s31f6
6. bluetooth-monitor
7. nflog
8. nfqueue
[gaurav@testbox ~]$
我正在使用WiFi卡连接到家庭路由器以访问Internet。 您可以使用ifconfig -a命令查看系统上的所有网络接口。 如果未安装ifconfig命令,则可以改用较新的ip addr show命令。 接口之一应分配有一个IP地址。 对于特定的接口,可以使用ifconfig <interface-name> ,例如:
ifconfig wlp61s0
捕获一些数据包
既然您知道正在使用哪个接口连接到Internet,就可以开始使用它捕获一些数据包。 -i选项可用于捕获此特定接口上的数据包。 您将看到一堆输出,显示通过接口传输的网络数据包,但是可以使用Ctrl + C命令停止它:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xa02b AAAA fedoraproject.org
2 0.000128115 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xcc47 A fedoraproject.org
3 0.000316195 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xe29d A fedoraproject.org
4 0.000616019 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xac7c AAAA fedoraproject.org
5 0.007963200 192.168.1.1 → 192.168.1.9 DNS 93 Standard query response 0xcc47 A fedoraproject.org A 185.141.165.254
6 0.009171815 192.168.1.1 → 192.168.1.9 DNS 93 Standard query response 0xe29d A fedoraproject.org A 185.141.165.254
7 0.011075350 192.168.1.1 → 192.168.1.9 DNS 322 Standard query response 0xa02b AAAA fedoraproject.org AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns04.fedoraproject.org NS ns05.fedoraproject.org NS ns02.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
8 0.012458151 192.168.1.1 → 192.168.1.9 DNS 322 Standard query response 0xac7c AAAA fedoraproject.org AAAA 2605:bc80:3010:600:dead:beef:cafe:fed9 AAAA 2610:28:3090:3001:dead:beef:cafe:fed3 AAAA 2604:1580:fe00:0:dead:beef:cafe:fed1 NS ns05.fedoraproject.org NS ns02.fedoraproject.org NS ns04.fedoraproject.org A 152.19.134.139 AAAA 2610:28:3090:3001:dead:beef:cafe:fed5 A 209.132.181.17 A 85.236.55.10 AAAA 2001:4178:2:1269:dead:beef:cafe:fed5
^C8 packets captured
[gaurav@testbox ~]$
查看上面的前两个数据包; 它们在行的开头用数字表示:
1 0.000000000 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xa02b AAAA fedoraproject.org
2 0.000128115 192.168.1.9 → 192.168.1.1 DNS 77 Standard query 0xcc47 A fedoraproject.org
这些行在箭头的两侧包括两个IP地址-这些是交换数据包的主机。 箭头的方向指示数据包的前进方向。 因此, 192.168.1.9→192.168.1.1表示该数据包起源于主机192.168.1.9 ,这是我的笔记本电脑,并且到达目的地192.168.1.1 ,这是我的家庭路由器。 在目标IP地址之后,您会看到DNS ,它只是域名系统协议,后面是DNS查询。 以后再说。
您可以使用-c (计数)选项限制捕获并显示在屏幕上的数据包数量。 以下示例显示了捕获的10个数据包。 注意协议,您已经在上面看到了DNS,这里还有其他协议,例如NTP和TCP:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 10
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 10.5.26.10 NTP 90 NTP Version 4, client
2 0.803303963 192.168.1.9 → 10.5.27.10 NTP 90 NTP Version 4, client
3 3.524867645 192.168.1.9 → 192.168.1.1 DNS 69 Standard query 0x3837 A testbox
4 6.227373094 192.168.1.9 → 192.168.1.1 DNS 89 Standard query 0x0814 A location.services.mozilla.com
5 6.227395145 192.168.1.9 → 192.168.1.1 DNS 89 Standard query 0x5e1c AAAA location.services.mozilla.com
6 6.234878912 192.168.1.1 → 192.168.1.9 DNS 105 Standard query response 0x0814 A location.services.mozilla.com A 34.253.23.107
7 6.238110416 192.168.1.1 → 192.168.1.9 DNS 223 Standard query response 0x5e1c AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
8 6.238446999 192.168.1.9 → 34.253.23.107 TCP 74 35326 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2832002333 TSecr=0 WS=128
9 6.438833991 34.253.23.107 → 192.168.1.9 TCP 74 443 → 35326 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=2056252981 TSecr=2832002333 WS=256
10 6.438947001 192.168.1.9 → 34.253.23.107 TCP 66 35326 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=2832002533 TSecr=2056252981
10 packets captured
[gaurav@testbox ~]$
DNS协议将主机名转换为IP地址,并将IP地址转换为主机名。 有专用的DNS(或名称)服务器,您可以使用主机名或IP地址进行查询。 下面的示例使用nslookup命令来查询名称服务器,以将主机名解析为IP地址。 在继续之前,请确保已安装bind-utils软件包:
[gaurav@testbox ~]$ rpm -qa | grep -i bind-utils
bind-utils-9.11.5-13.P4.fc30.x86_64
[gaurav@testbox ~]$
为了查询您的名称服务器,您需要找出您的计算机正在与哪台服务器进行通信。 您可以在/etc/resolv.conf文件中找到该信息。 在我的情况下,名称服务器指向1.1.1.1 ,这是Cloudflare提供的公共DNS服务:
[gaurav@testbox ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 1.1.1.1
[gaurav@testbox ~]$
诸如Opensource.com这样的主机名对于人类来说很容易理解,但是机器使用IP地址通过网络或Internet连接到其他机器。 为了使您的计算机连接到opensource.com,需要找到该站点的IP地址。 您可以使用以下命令找到它:
nslookup opensource.com
如果您的计算机上没有nslookup,则可以使用dig命令:
dig opensource.com
但是, 在您按下Enter键之前,请打开另一个终端并键入以下命令,以告知TShark捕获去往名称服务器的所有流量(例如1.1.1.1):
sudo tshark -i wlp61s0 host 1.1.1.1
保持该终端运行并返回到另一个终端,然后运行nslookup (或dig )。 命令完成后,它将提供Opensource.com的IP地址,即54.204.39.132。 这是nslookup的输出:
[gaurav@testbox ~]$ nslookup opensource.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: opensource.com
Address: 54.204.39.132
[gaurav@testbox ~]$
和dig的输出:
[gaurav@testbox ~]$ dig opensource.com
; <<>> DiG 9.11.5-P4-RedHat-9.11.5-13.P4.fc30 <<>> opensource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33030
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;opensource.com. IN A
;; ANSWER SECTION:
opensource.com. 206 IN A 54.204.39.132
;; Query time: 30 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 02 21:05:54 IST 2019
;; MSG SIZE rcvd: 59
[gaurav@testbox ~]$
到目前为止,一切都很好,但是在数据包级别发生了什么? 移至您输入tshark命令的终端。 它捕获了一些数据包:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
2 1.798275687 192.168.1.9 → 1.1.1.1 DNS 74 Standard query 0xcda0 A opensource.com
3 1.827143443 1.1.1.1 → 192.168.1.9 DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132
^C packets captured
[gaurav@testbox ~]$
下面的数据包来自我的笔记本电脑192.168.1.9 ,到达目的地1.1.1.1 。 该数据包用于DNS协议,它正在查询(标准查询)Opensource.com的名称服务器:
2 1.798275687 192.168.1.9 → 1.1.1.1 DNS 74 Standard query 0xcda0 A opensource.com
下面的数据包是从我的名称服务器1.1.1.1发送到我的机器192.168.1.9的答复。 同样,它是DNS,但现在它是对Opensource.com IP地址查询的响应(标准查询响应):
3 1.827143443 1.1.1.1 → 192.168.1.9 DNS 90 Standard query response 0xcda0 A opensource.com A 54.204.39.132
如果事先知道要查找的协议,则可以将其添加到tshark命令中。 以下示例仅查找UDP数据包,但捕获了DNS数据包。 这是因为DNS数据包使用下面的UDP协议:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 udp
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 1.1.1.1 DNS 89 Standard query 0xcc6d A location.services.mozilla.com
2 0.000068640 192.168.1.9 → 1.1.1.1 DNS 89 Standard query 0x6484 AAAA location.services.mozilla.com
3 0.032616053 1.1.1.1 → 192.168.1.9 DNS 189 Standard query response 0xcc6d A location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net A 52.215.71.87 A 54.72.168.141 A 34.253.23.107
4 0.108203529 1.1.1.1 → 192.168.1.9 DNS 241 Standard query response 0x6484 AAAA location.services.mozilla.com CNAME locprod1-elb-eu-west-1.prod.mozaws.net SOA ns-1260.awsdns-29.org
5 1.268489014 192.168.1.9 → 1.1.1.1 DNS 69 Standard query 0x74be A testbox
6 1.302652455 1.1.1.1 → 192.168.1.9 DNS 144 Standard query response 0x74be No such name A testbox SOA a.root-servers.net
7 6.268558254 192.168.1.9 → 1.1.1.1 DNS 79 Standard query 0xc47a A cups.pnq.redhat.com
8 6.268618039 192.168.1.9 → 1.1.1.1 DNS 79 Standard query 0xb08b AAAA cups.pnq.redhat.com
9 6.664992312 1.1.1.1 → 192.168.1.9 DNS 143 Standard query response 0xb08b AAAA cups.pnq.redhat.com SOA a1-68.akam.net
10 6.665088305 1.1.1.1 → 192.168.1.9 DNS 143 Standard query response 0xc47a A cups.pnq.redhat.com SOA a1-68.akam.net
^C10 packets captured
[gaurav@testbox ~]$
ping命令通常用于检查计算机是否已启动或可通过网络访问。 您可以对Opensource.com的IP地址运行ping命令,以查看服务器是否已启动并正在运行。
在执行此操作之前,请开始捕获数据包,以便以后可以分析数据包。 打开一个终端并运行以下命令,该命令将继续运行并查找源自IP地址54.204.39.132的数据包:
sudo tshark -i wlp61s0 host 54.204.39.132
在另一个终端中,运行以下ping命令。 -c用于计数,因此-c 2表示应仅向给定主机发送两个数据包:
ping -c 2 54.204.39.132
在运行ping命令的终端上,您可以看到发送了两个数据包,并且收到了两个数据包。 它还说有0%的数据包丢失,这表明目的地54.204.39.132响应了 ping 要求:
[gaurav@testbox ~]$ ping -c 2 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms
64 bytes from 54.204.39.132: icmp_seq=2 ttl=43 time=278 ms
--- 54.204.39.132 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 278.045/317.410/356.776/39.369 ms
[gaurav@testbox ~]$
返回到运行TShark的终端。 它显示了四个数据包: ping命令中的请求( -c 2 )和两个答复,因此共有四个数据包:
Packet 1 - request (1st request)
Packet 2 - reply (to Packet 1)
Packet 3 - request (2nd request)
Packet 4 - reply (to Packet 3)
输出显示它正在使用ICMP协议。 Ping通过ICMP来完成其任务:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1749, seq=1/256, ttl=64
2 0.356750411 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1749, seq=1/256, ttl=43 (request in 1)
3 1.000295229 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1749, seq=2/512, ttl=64
4 1.278267790 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1749, seq=2/512, ttl=43 (request in 3)
^C4 packets captured
[gaurav@testbox ~]$
网络数据包以二进制格式发送,因此,如果要查看它们在网络上的外观,可以通过在tshark命令中简单地添加-x来转储数据包的十六进制格式,然后您将看到十六进制输出。 以下输出显示通过运行命令ping -c 1 54.204.39.132发送的ping请求:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -x -c 2 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
0000 28 c6 8e 3e 39 3a 48 89 e7 a0 33 db 08 00 45 00 (..>9:H...3...E.
0010 00 54 e6 29 40 00 40 01 34 7e c0 a8 01 09 36 cc .T.)@.@.4~....6.
0020 27 84 08 00 25 5f 27 d1 00 01 7e aa bd 5d 00 00 '...%_'...~..]..
0030 00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67
0000 48 89 e7 a0 33 db 28 c6 8e 3e 39 3a 08 00 45 00 H...3.(..>9:..E.
0010 00 54 31 06 00 00 2b 01 3e a2 36 cc 27 84 c0 a8 .T1...+.>.6.'...
0020 01 09 00 00 2d 5f 27 d1 00 01 7e aa bd 5d 00 00 ....-_'...~..]..
0030 00 00 a2 f3 0d 00 00 00 00 00 10 11 12 13 14 15 ................
0040 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 .......... !"#$%
0050 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 &'()*+,-./012345
0060 36 37 67
2 packets captured
[gaurav@testbox ~]$
保存输出
在屏幕上看到输出是可以的,但是通常您需要将数据保存到文件中以便以后使用。 使用ping命令,但添加-w告诉TShark将输出转储到文件中。 例如,以下将输出保存到/ tmp目录中名为nlog.pcap的文件中:
sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132
现在,从另一个终端再次运行ping命令,但是这次计数为五个数据包:
ping -c 5 54.204.39.132
TShark终端显示已捕获10个数据包。 为什么是10? 因为您要求ping发送五个请求,所以您得到了五个答复,因此有10个数据包。 使用Ctrl + C停止数据包捕获:
[gaurav@testbox ~]$ sudo tshark -w /tmp/nlog.pcap -i wlp61s0 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
10 ^C
[gaurav@testbox ~]$
TShark将输出保存到文件/tmp/nlog.pcap中 :
[gaurav@testbox ~]$ ls -l /tmp/nlog.pcap
-rw-------. 1 root root 1692 Nov 2 21:10 /tmp/nlog.pcap
[gaurav@testbox ~]$
file命令显示文件类型是pcapng捕获文件,因此您不能只使用Vim这样的编辑器打开文件并开始阅读; 您将看到的只是一堆垃圾字符:
[gaurav@testbox ~]$ sudo file /tmp/nlog.pcap
/tmp/nlog.pcap: pcapng capture file - version 1.0
[gaurav@testbox ~]$
由于TShark将数据写入文件,因此它也可以使用-r选项和文件名从文件中读取回数据。 下面显示了所有10个数据包(五个请求和五个答复):
[gaurav@testbox ~]$ sudo tshark -r /tmp/nlog.pcap
Running as user "root" and group "root". This could be dangerous.
1 0.000000000 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1875, seq=1/256, ttl=64
2 0.270098703 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1875, seq=1/256, ttl=43 (request in 1)
3 1.000485186 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1875, seq=2/512, ttl=64
4 1.323571769 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1875, seq=2/512, ttl=43 (request in 3)
5 2.000955585 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1875, seq=3/768, ttl=64
6 2.347737132 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1875, seq=3/768, ttl=43 (request in 5)
7 3.000912998 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1875, seq=4/1024, ttl=64
8 3.269412434 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1875, seq=4/1024, ttl=43 (request in 7)
9 4.001573635 192.168.1.9 → 54.204.39.132 ICMP 98 Echo (ping) request id=0x1875, seq=5/1280, ttl=64
10 4.293431592 54.204.39.132 → 192.168.1.9 ICMP 98 Echo (ping) reply id=0x1875, seq=5/1280, ttl=43 (request in 9)
[gaurav@testbox ~]$
#TCP handshake
在通过网络建立连接之前,已完成TCP握手 。 上面的示例只是查询了名称服务器,还是试图通过ping命令确定计算机是否可访问,而这两个命令都不需要与主机建立连接。 尝试通过wget命令获取www.opensource.com 。
在运行wget之前,请在另一个终端上运行以下命令以捕获数据包。 由于握手涉及初始数据包,因此我故意将计数保持为三:
sudo tshark -i wlp61s0 -c 3 host 54.204.39.132
接下来,运行wget命令以下载索引文件:
[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:13:54-- https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://opensource.com/ [following]
--2019-11-02 21:13:56-- http://opensource.com/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://opensource.com/ [following]
--2019-11-02 21:13:57-- https://opensource.com/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: ‘index.html’
index.html 100%[=============================================================>] 69.88K 105KB/s in 0.7s
2019-11-02 21:13:59 (105 KB/s) - ‘index.html’ saved [71561/71561]
[gaurav@testbox ~]$ ^C
您可以查看下面的三个数据包。 第一个数据包将SYN请求从我的笔记本电脑发送到Opensource.com服务器。 第二个数据包是OpenSource.com服务器,其中设置了SYN,ACK标志。 最后,第三个数据包是我的便携式计算机发送的ACK请求,以确认收到了第二个数据包。 这称为TCP握手。 握手之后,两个节点(即我的笔记本电脑和Opensource.com服务器)都可以交换数据。
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 3 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 54.204.39.132 TCP 74 58784 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790376430 TSecr=0 WS=128
2 0.306538226 54.204.39.132 → 192.168.1.9 TCP 74 443 → 58784 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306268046 TSecr=790376430 WS=512
3 0.306671608 192.168.1.9 → 54.204.39.132 TCP 66 58784 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790376737 TSecr=1306268046
3 packets captured
[gaurav@testbox ~]$
如果排除-c 3 ,它将捕获所有数据包,并且您将看到类似的关闭连接的仪式。 只是这一次,我的笔记本电脑将FIN,ACK数据包发送到Opensource.com(在下面的数据包1中),然后是FIN,ACK从Opensource.com发送到我的笔记本电脑(在下面的数据包2中),最后发送了一个ACK数据包。我的笔记本电脑连接到Opensource.com服务器。 这样就结束了先前建立的网络连接,以后的任何连接都必须再次建立TCP握手。
73 4.505715716 192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [FIN, ACK] Seq=814 Ack=76239 Win=69888 Len=0 TSval=792384514 TSecr=1306769989
74 4.737227282 54.204.39.132 → 192.168.1.9 TCP 66 443 → 59574 [FIN, ACK] Seq=76239 Ack=815 Win=29184 Len=0 TSval=1306770066 TSecr=792384514
75 4.737389399 192.168.1.9 → 54.204.39.132 TCP 66 59574 → 443 [ACK] Seq=815 Ack=76240 Win=69888 Len=0 TSval=792384745 TSecr=1306770066
加密握手数据
如今,大多数网站都是通过HTTPS而非HTTP访问的。 这样可以确保在两个节点之间传递的数据在通过Internet时都经过在线加密。 为了确保数据被加密,发生了类似于TCP握手的TLS握手方法。
触发另一个wget命令,但这一次它从头开始捕获了11个数据包:
[gaurav@testbox ~]$ wget https://www.opensource.com
--2019-11-02 21:15:21-- https://www.opensource.com/
Resolving www.opensource.com (www.opensource.com)... 54.204.39.132
Connecting to www.opensource.com (www.opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://opensource.com/ [following]
--2019-11-02 21:15:23-- http://opensource.com/
Resolving opensource.com (opensource.com)... 54.204.39.132
Connecting to opensource.com (opensource.com)|54.204.39.132|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://opensource.com/ [following]
--2019-11-02 21:15:28-- https://opensource.com/
Connecting to opensource.com (opensource.com)|54.204.39.132|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71561 (70K) [text/html]
Saving to: ‘index.html’
index.html 100%[=============================================================>] 69.88K 114KB/s in 0.6s
2019-11-02 21:15:31 (114 KB/s) - ‘index.html’ saved [71561/71561]
[gaurav@testbox ~]$
TCP握手在前三个数据包中结束,而第四个到第九个数据包中的每个数据包都有TLS字符串,这些数据包遵循类似的握手规则在两个主机之间建立安全的加密连接:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 11 host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 0.000000000 192.168.1.9 → 54.204.39.132 TCP 74 58800 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=790462858 TSecr=0 WS=128
2 0.305006506 54.204.39.132 → 192.168.1.9 TCP 74 443 → 58800 [SYN, ACK] Seq=0 Ack=1 Win=26847 Len=0 MSS=1440 SACK_PERM=1 TSval=1306289652 TSecr=790462858 WS=512
3 0.305135180 192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=790463163 TSecr=1306289652
4 0.308282152 192.168.1.9 → 54.204.39.132 TLSv1 583 Client Hello
5 0.613210220 54.204.39.132 → 192.168.1.9 TCP 66 443 → 58800 [ACK] Seq=1 Ack=518 Win=28160 Len=0 TSval=1306289729 TSecr=790463166
6 0.613298883 54.204.39.132 → 192.168.1.9 TLSv1.2 3139 Server Hello, Certificate, Server Key Exchange, Server Hello Done
7 0.613356054 192.168.1.9 → 54.204.39.132 TCP 66 58800 → 443 [ACK] Seq=518 Ack=3074 Win=61184 Len=0 TSval=790463472 TSecr=1306289729
8 0.617318607 192.168.1.9 → 54.204.39.132 TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
9 0.919718195 54.204.39.132 → 192.168.1.9 TLSv1.2 324 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
10 0.940858609 192.168.1.9 → 54.204.39.132 TLSv1.2 240 Application Data
11 1.228530079 54.204.39.132 → 192.168.1.9 TLSv1.2 754 Application Data
11 packets captured
[gaurav@testbox ~]$
由于默认情况下HTTPS在端口443上工作,因此您可以将其用作TShark中的筛选器,以捕获流向该特定端口的流量:
sudo tshark -i wlp61s0 host 54.204.39.132 and port 443
当您需要离线分析数据包以重建过去的事件(例如,调试)时,时间戳是必不可少的。 在TShark中添加-t ad标志会将时间戳添加到每个数据包捕获的开始:
[gaurav@testbox ~]$ sudo tshark -n -i wlp61s0 -t ad
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
1 2019-11-02 21:43:58.344158174 25:c9:8e:3f:38:3a → 48:89:e7:a0:33:db ARP 42 Who has 192.168.1.9? Tell 192.168.1.1
2 2019-11-02 21:43:58.344194844 48:89:e7:a0:33:db → 25:c9:8e:3f:38:3a ARP 42 192.168.1.9 is at 48:89:e7:a0:33:db
3 2019-11-02 21:44:00.223393961 192.168.1.9 → 1.1.1.1 DNS 79 Standard query 0x00fb A cups.pnq.redhat.com
4 2019-11-02 21:44:00.223460961 192.168.1.9 → 1.1.1.1 DNS 79 Standard query 0x1814 AAAA cups.pnq.redhat.com
5 2019-11-02 21:44:00.266325914 1.1.1.1 → 192.168.1.9 DNS 143 Standard query response 0x00fb A cups.pnq.redhat.com SOA a1-68.akam.net
6 2019-11-02 21:44:00.269102767 1.1.1.1 → 192.168.1.9 DNS 143 Standard query response 0x1814 AAAA cups.pnq.redhat.com SOA a1-68.akam.net
^C6 packets captured
[gaurav@testbox ~]$
查看整个数据包
到目前为止,您已经看到了数据包的几个示例以及解释它们的方法,但没有看到整个数据包。 以下是使用ping和nslookup实用程序转储整个数据包的方法:
[gaurav@testbox ~]$ ping -c 1 54.204.39.132
PING 54.204.39.132 (54.204.39.132) 56(84) bytes of data.
64 bytes from 54.204.39.132: icmp_seq=1 ttl=43 time=357 ms
--- 54.204.39.132 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 356.961/356.961/356.961/0.000 ms
[gaurav@testbox ~]$
在另一个窗口中,运行以下命令,然后运行上面的ping命令。 请注意附加的-V标志-它用于在屏幕上转储整个数据包信息。 输出分为多个部分,从帧开始,然后移至以太网,然后移至Internet协议,依此类推。
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 54.204.39.132
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits) on interface 0
Interface id: 0 (wlp61s0)
Interface name: wlp61s0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 2, 2019 21:17:55.556150846 IST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572709675.556150846 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 98 bytes (784 bits)
Capture Length: 98 bytes (784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:data]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 54.204.39.132
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 84
Identification: 0x8f68 (36712)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: ICMP (1)
Header checksum: 0x8b3f [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.9
Destination: 54.204.39.132
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xcfc5 [correct]
[Checksum Status: Good]
Identifier (BE): 7399 (0x1ce7)
Identifier (LE): 59164 (0xe71c)
Sequence number (BE): 1 (0x0001)
Sequence number (LE): 256 (0x0100)
Timestamp from icmp data: Nov 2, 2019 21:17:55.000000000 IST
[Timestamp from icmp data (relative): 0.556150846 seconds]
Data (48 bytes)
0000 5b 7c 08 00 00 00 00 00 10 11 12 13 14 15 16 17 [|..............
0010 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 ........ !"#$%&'
0020 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35 36 37 ()*+,-./01234567
Data: 5b7c080000000000101112131415161718191a1b1c1d1e1f…
[Length: 48]
1 packet captured
[gaurav@testbox ~]
同样,运行以下nslookup命令,并在一侧通过TShark转储整个数据包:
[gaurav@testbox ~]$ nslookup opensource.com
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: opensource.com
Address: 54.204.39.132
[gaurav@testbox ~]$
这是执行DNS查找时数据包的外观-请注意,正在使用UDP协议:
[gaurav@testbox ~]$ sudo tshark -i wlp61s0 -c 1 -V host 1.1.1.1
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp61s0'
Frame 1: 88 bytes on wire (704 bits), 88 bytes captured (704 bits) on interface 0
Interface id: 0 (wlp61s0)
Interface name: wlp61s0
Encapsulation type: Ethernet (1)
Arrival Time: Nov 2, 2019 21:19:32.161216715 IST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1572709772.161216715 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 88 bytes (704 bits)
Capture Length: 88 bytes (704 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:udp:dns]
Ethernet II, Src: IntelCor_a0:33:db (48:89:e7:a0:33:db), Dst: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
Destination: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
Address: Netgear_3f:38:3a (25:c9:8e:3f:38:3a)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: IntelCor_a0:33:db (48:89:e7:a0:33:db)
Address: IntelCor_a0:33:db (48:89:e7:a0:33:db)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.1.9, Dst: 1.1.1.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 74
Identification: 0x907d (36989)
Flags: 0x4000, Don't fragment
0... .... .... .... = Reserved bit: Not set
.1.. .... .... .... = Don't fragment: Set
..0. .... .... .... = More fragments: Not set
...0 0000 0000 0000 = Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0xe672 [validation disabled]
[Header checksum status: Unverified]
Source: 192.168.1.9
Destination: 1.1.1.1
User Datagram Protocol, Src Port: 60656, Dst Port: 53
Source Port: 60656
Destination Port: 53
Length: 54
Checksum: 0x2fd2 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
[Time since first frame: 0.000000000 seconds]
[Time since previous frame: 0.000000000 seconds]
Domain Name System (query)
Transaction ID: 0x303c
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
clock01.util.phx2.redhat.com: type A, class IN
Name: clock01.util.phx2.redhat.com
[Name Length: 28]
[Label Count: 5]
Type: A (Host Address) (1)
Class: IN (0x0001)
1 packet captured
[gaurav@testbox ~]$
下一步
一旦熟悉了数据包捕获和分析的这些基础知识,便可以在更高级的用例上使用TShark的各种捕获和显示过滤器。 有关这些过滤器的更多信息,请参考在线文档。
翻译自: https://opensource.com/article/20/1/wireshark-linux-tshark
tshark linux
497
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
