TCP实战抓包分析

两大网络分析利器：tcpdump和Wireshark。
tcpdump常用在Linux服务器中抓取和分析网络包，
Wireshark可以抓包，还提供可视化分析网络包的图形界面。

tcpdump

# -i eth0表示抓取eth0网口的数据包
# icmp 表示抓取icmp协议的数据包
# host 表示主机过滤，抓取对应IP的数据包
# -nn 表示不解析IP地址和端口号的名称
# tcpdump -i eth0 icmp and host 106.75.117.13 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:02:09.260779 IP 10.9.134.72 > 106.75.117.13: ICMP echo request, id 64345, seq 1, length 64
14:02:09.261861 IP 106.75.117.13 > 10.9.134.72: ICMP echo request, id 64345, seq 1, length 64
14:02:09.261907 IP 10.9.134.72 > 106.75.117.13: ICMP echo reply, id 64345, seq 1, length 64
14:02:09.262186 IP 106.75.117.13 > 10.9.134.72: ICMP echo reply, id 64345, seq 1, length 64
14:02:10.262348 IP 10.9.134.72 > 106.75.117.13: ICMP echo request, id 64345, seq 2, length 64
14:02:10.263134 IP 106.75.117.13 > 10.9.134.72: ICMP echo request, id 64345, seq 2, length 64
14:02:10.263163 IP 10.9.134.72 > 106.75.117.13: ICMP echo reply, id 64345, seq 2, length 64
14:02:10.263352 IP 106.75.117.13 > 10.9.134.72: ICMP echo reply, id 64345, seq 2, length 64
14:02:11.263453 IP 10.9.134.72 > 106.75.117.13: ICMP echo request, id 64345, seq 3, length 64
14:02:11.263713 IP 106.75.117.13 > 10.9.134.72: ICMP echo request, id 64345, seq 3, length 64
14:02:11.263737 IP 10.9.134.72 > 106.75.117.13: ICMP echo reply, id 64345, seq 3, length 64
#查看网卡 可用 route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.9.0.1        0.0.0.0         UG    100    0        0 eth0
10.9.0.0        0.0.0.0         255.255.0.0     U     100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

Wireshark

[root@10-9-134-72 ~]# tcpdump -i eth0 icmp and host 106.75.117.13 -w ping.pcap
dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C36 packets captured
37 packets received by filter
0 packets dropped by kernel

三次握手四次挥手抓包

# 此次访问http://106.75.117.13:8080/ 服务端 
# 终端1 用tcpdump 抓取数据包
# 客户端执行 tcpdump抓包 
[root@iZwz94uzg6i8z0mp324ewlZ ~]# tcpdump -i any tcp and host 106.75.117.13 and port 80 -w http.pcap
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

# 客户端执行curl 
[root@iZwz94uzg6i8z0mp324ewlZ ~]# curl http://106.75.117.13:8080/
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F'/><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
-->

</body></html>                                                                                                                                                                                                                                                                                                           

未完待续。