Key points:
sudo tcpdump -i eth1 host www.baidu.com -S -xx -n
Capture on interface eth1, only traffic whose host name or IP is www.baidu.com; -xx prints each packet in hex including the link-layer (Ethernet) header, -n leaves addresses as numbers instead of resolving them to names, -S prints absolute TCP sequence numbers instead of the relative ones that start at 1.
Link-layer protocol (Ethernet): http://blog.csdn.net/shenxin870409/article/details/40209967
23:26:45.665615 IP 172.18.192.125.42574 > 115.239.211.112.80: Flags [S], seq 871372055, win 29200, options [mss 1460,sackOK,TS val 45725240 ecr 0,nop,wscale 7], length 0
0x0000: eeff ffff ffff 0016 3e08 b134 0800 4500
0x0010: 003c a32f 4000 4006 e39c ac12 c07d 73ef
0x0020: d370 a64e 0050 33f0 1517 0000 0000 a002
0x0030: 7210 b41e 0000 0204 05b4 0402 080a 02b9
0x0040: b638 0000 0000 0103 0307
Ethernet header:
ee:ff:ff:ff:ff:ff is the destination MAC address; it can be checked against the route and gateway with route -n:
arp -n:
The destination MAC is the next hop: the outbound gateway is 172.18.207.253, and its MAC is ee:ff:ff:ff:ff:ff
00:16:3e:08:b1:34 is the source MAC address, which ifconfig shows:
0800: EtherType, IPv4
IP header:
4: IPv4
5: header length in 32-bit words, i.e. 5*32/8 = 20 bytes
00: DSCP and ECN
003c: total length, 60 bytes
ac12c07d: source IP address, 172.18.192.125; hex-to-IP conversion: http://www.ab126.com/system/2859.html
73efd370: destination IP address, 115.239.211.112
TCP header:
a64e: source port, 42574
0050: destination port, 80
33f01517: seq num, 871372055
00000000: ack num, 0
a002: 1010 0000 0000 0010, the low byte 0x02 is the SYN flag
7210: window size, 29200
Points to note:
23:26:45.719233 IP 115.239.211.112.80 > 172.18.192.125.42574: Flags [P.], seq 1741454648:1741455048, ack 871372133, win 772, length 400: HTTP: HTTP/1.1 200 OK
0x0000: 0016 3e08 b134 eeff ffff ffff 0800 4514
0x0010: 01b8 4dd7 4000 3406 4365 73ef d370 ac12
0x0020: c07d 0050 a64e 67cc 7d38 33f0 1565 5018
0x0030: 0304 ab0e 0000 4854 5450 2f31 2e31 2032
0x0040: 3030 204f 4b0d 0a53 6572 7665 723a 2062
0x0050: 6665 2f31 2e30 2e38 2e31 380d 0a44 6174
0x0060: 653a 204d 6f6e 2c20 3038 204a 616e 2032
0x0070: 3031 3820 3135 3a32 363a 3435 2047 4d54
0x0080: 0d0a 436f 6e74 656e 742d 5479 7065 3a20
0x0090: 7465 7874 2f68 746d 6c0d 0a43 6f6e 7465
Here seq is shown as 1741454648:1741455048 with length 400.
When the ACK for this segment is sent it acknowledges 1741455048; how is that number obtained?
IP total length: 0x01b8 = 440 bytes
IP header length: 5, 5 * 32 / 8 = 20 bytes
TCP header length: 5, 5 * 32 / 8 = 20 bytes
TCP seq num: 0x67cc7d38 = 1741454648
So the ending seq num: 1741454648 + 440 - 20 - 20 = 1741455048
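The decoding done by hand above, as an added example that is not part of the original note: a small Python decoder that takes a `tcpdump -xx` hex dump, walks the Ethernet, IPv4 and TCP headers, and derives the payload length and end-of-segment seq the same way (total length minus both headers). It is applied to the HTTP 200 OK response dump from the page; feeding it the SYN dump above yields the values decoded by hand there. The dump is truncated, but the three headers are complete, which is all the decoder reads.

```python
import struct

# First 0xa0 bytes of the HTTP 200 OK response frame, copied from the `tcpdump -xx` output above.
RESPONSE_DUMP = """
0x0000: 0016 3e08 b134 eeff ffff ffff 0800 4514
0x0010: 01b8 4dd7 4000 3406 4365 73ef d370 ac12
0x0020: c07d 0050 a64e 67cc 7d38 33f0 1565 5018
0x0030: 0304 ab0e 0000 4854 5450 2f31 2e31 2032
"""

FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the 0xNNNN: offsets and join the hex words into raw frame bytes."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(words))

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> dict:
    """Decode the Ethernet, IPv4 and TCP headers and derive the end-of-segment seq."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4   # IHL is counted in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    if version != 4 or ip[9] != 6:                   # protocol 6 = TCP
        raise ValueError("not IPv4/TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    tcp_hlen = (tcp[12] >> 4) * 4                    # data offset, also in 32-bit words
    flags = [name for name, bit in FLAG_BITS if tcp[13] & bit]
    window = struct.unpack("!H", tcp[14:16])[0]
    payload_len = total_len - ihl - tcp_hlen         # the page's 440 - 20 - 20
    return {
        "dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "payload_len": payload_len,
        "seq_end": (seq + payload_len) & 0xFFFFFFFF,  # second number in tcpdump's seq a:b
    }

if __name__ == "__main__":
    for key, value in parse_frame(hexdump_to_bytes(RESPONSE_DUMP)).items():
        print(f"{key:12} {value}")
```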