When debugging a problem you often need a packet capture to pin it down, but there is far too much redundant information about packet capturing online. To keep this practical, the following goes straight to the point and explains only one commonly used command; for more detailed options you will need to look in other articles~
Suppose there are two hosts, A and B. A runs some service, and B accesses that service on A.
Assume B's IP is 221.221.221.221, A's IP is 140.140.140.140, and the service listens on port 8099.
1. Capture on host A: tcpdump -s0 -A host 221.221.221.221 and port 8099
B accesses the service on A: http://140.140.140.140:8099/zlmlt/address/queryAddress
2. Below is the capture output printed on host A
[root@VM_0_11_centos ~]# tcpdump -s0 -A host 221.221.221.221 and port 8099
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:40:32.539184 IP 221.221.221.221.50434 > VM_0_11_centos.8099: Flags [S], seq 948093661, win 8192, options [mss 1412,nop,wscale 2,nop,nop,sackOK], length 0
Eh.4..@.5...............8......... .................
18:40:32.539254 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [S.], seq 3282024058, ack 948093662, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@..!...............z8.....r.c...............
18:40:32.550566 IP 221.221.221.221.50434 > VM_0_11_centos.8099: Flags [.], ack 1, win 16591, length 0
Eh.(..@.5...............8......{P.@..@..
18:40:32.550567 IP 221.221.221.221.50434 > VM_0_11_centos.8099: Flags [P.], seq 1:488, ack 1, win 16591, length 487
Eh....@.5...............8......{P.@.{=..GET /zlmlt/address/queryAddress HTTP/1.1
Host: 140.140.140.140:8099
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=C15D9E9749C94761F9FCFCB499F9FF11
18:40:32.550583 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [.], ack 488, win 237, length 0
E..(lo@.@.j................{8...P...c...
18:40:32.555054 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [P.], seq 1:221, ack 488, win 237, length 220
E...lp@.@.i................{8...P...d...HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 23 Feb 2019 10:40:32 GMT
56
{"result":"success","responseCode":"200","data":[],"errorMsg":null,"errorDetail":null}
18:40:32.555221 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [P.], seq 221:226, ack 488, win 237, length 5
E..-lq@.@.j................W8...P...c...0
18:40:32.566713 IP 221.221.221.221.50434 > VM_0_11_centos.8099: Flags [.], ack 226, win 16534, length 0
Eh.(..@.5...............8......\P.@.....
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
3. In the output above, the parts highlighted in orange are the request and the response respectively.
> indicates the direction of the traffic, from which host to which.
In 221.221.221.221.50434, 50434 is the port used on B's side for this HTTP connection (I am not certain this understanding is correct); this port can be used to match the request with its response.
Captured this way, you can see the related request and response together. In the command below, host and port are both filters; they can be dropped, in which case everything is printed, but without a filter a great deal of output is produced.
tcpdump -s0 -A host 221.221.221.221 and port 8099
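As an added example (not from the original post), here is a small Python parser for this kind of tcpdump -s0 -A text output that pairs each HTTP request with its response using the client's ip.port endpoint, the matching described above. The first exchange in the sample is taken from the capture above; the second (port 50501, POST /zlmlt/login, status 401) is constructed.

```python
import re

# Sample input: the first exchange is adapted from the capture above, the second
# (port 50501, POST /zlmlt/login, 401) is constructed to show pairing across connections.
SAMPLE = """\
18:40:32.550567 IP 221.221.221.221.50434 > VM_0_11_centos.8099: Flags [P.], seq 1:488, ack 1, win 16591, length 487
Eh....@.5...............8......{P.@.{=..GET /zlmlt/address/queryAddress HTTP/1.1
18:40:32.550583 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [.], ack 488, win 237, length 0
E..(lo@.@.j................{8...P...c...
18:40:32.555054 IP VM_0_11_centos.8099 > 221.221.221.221.50434: Flags [P.], seq 1:221, ack 488, win 237, length 220
E...lp@.@.i................{8...P...d...HTTP/1.1 200
18:40:33.000000 IP 221.221.221.221.50501 > VM_0_11_centos.8099: Flags [P.], seq 1:60, ack 1, win 16591, length 59
Eh....@.5...............8......{P.@.{=..POST /zlmlt/login HTTP/1.1
18:40:33.002000 IP VM_0_11_centos.8099 > 221.221.221.221.50501: Flags [P.], seq 1:30, ack 60, win 237, length 29
E...lp@.@.i................{8...P...d...HTTP/1.1 401
"""

# One packet header line as tcpdump prints it: time, src > dst, flags, ..., length N
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\S+) > (\S+): Flags \[([^\]]*)\],.* length (\d+)$")
REQUEST = re.compile(r"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]")
RESPONSE = re.compile(r"HTTP/1\.[01] (\d{3})")

def packets(text):
    """Yield (src, dst, flags, length, payload_text) for each packet in -A output."""
    current, lines = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield (*current, "\n".join(lines))
            current, lines = (m.group(1), m.group(2), m.group(3), int(m.group(4))), []
        elif current:
            lines.append(line)  # -A dump lines belong to the preceding header line
    if current:
        yield (*current, "\n".join(lines))

def pair_http(text):
    """Match each HTTP request to its response by the client endpoint (ip.port)."""
    flows = {}
    for src, dst, flags, length, payload in packets(text):
        if length == 0:
            continue  # pure ACKs (Flags [.]) carry no HTTP data
        req = REQUEST.search(payload)
        if req:  # request: the client endpoint is the source
            flows[src] = {"request": f"{req.group(1)} {req.group(2)}", "status": None}
            continue
        resp = RESPONSE.search(payload)
        if resp and dst in flows:  # response: the client endpoint is the destination
            flows[dst]["status"] = int(resp.group(1))
    return flows
```

If a keep-alive connection reuses the same client port for several requests, the port alone is not enough and the TCP seq/ack numbers shown on the header line must be used as well.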
Wireshark capture and analysis
There are two ways to filter: one is to set a capture filter under Capture -> Options; the other is to capture all packets and then filter in the field marked in red in the figure above (a display filter). Note that the two filters use different syntaxes.
Usually each request produces two records, one for the request and one for the response.
Filter syntax reference: https://www.cnblogs.com/icez/p/3973873.html
If anything here is wrong, please point it out so we can learn together~