tcpdump options
-a convert network and broadcast addresses to names;
-d dump the compiled packet-matching code in a human-readable, assembler-like form;
-dd dump the packet-matching code as a C program fragment;
-ddd dump the packet-matching code as decimal numbers;
-e print the link-layer header on each output line, including the source and destination MAC addresses and the network-layer protocol;
-f print foreign Internet addresses numerically;
-l make standard output line-buffered;
-n display the addresses in each captured packet as IP addresses; do not convert network addresses to names;
-nn do not convert addresses to names, and do not convert port numbers to service names either;
-t do not print a timestamp on each output line;
-v slightly more verbose output, e.g. the TTL and type-of-service fields of IP packets;
-vv print detailed packet information;
-c stop after receiving the given number of packets;
-F read the filter expression from the given file and ignore any other expression;
-i specify the network interface to listen on;
-p do not put the interface into promiscuous mode; cannot be used together with host or broadcast;
-r read packets from the given file (usually one produced with -w);
-w write raw packets to a file instead of parsing and printing them;
-s snaplen. snaplen is the number of bytes captured from each packet; 0 means no truncation, i.e. capture the whole packet. By default tcpdump shows only part of each packet, 68 bytes.
-S print absolute TCP sequence numbers; without it, tcpdump prints relative offsets.
-T interpret captured packets as messages of the given type; common types are rpc (remote procedure call) and snmp (simple network management protocol);
-X tell tcpdump to print both the protocol headers and the packet contents in full (in hex and ASCII); an indispensable tool for protocol analysis.
I. Capturing DNS packets
On a Linux system the DNS server address is stored in /etc/resolv.conf.
[*************]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 101.215.217.16
1. First open two Linux terminals and start tcpdump listening in one of them. tcpdump must be run as root to work.
[*************]$ sudo tcpdump -i eth3 -nt -s 500 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 500 bytes
2. In the other terminal, query the IP address of www.baidu.com through DNS.
[*************]$ host -t A www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 110.242.68.3
www.a.shifen.com has address 110.242.68.4
3. tcpdump captures the following:
IP 101.214.130.183.33167 > 101.215.217.16.domain: 52360+ A? www.baidu.com. (31)
IP 101.215.217.16.domain > 101.214.130.183.33167: 52360 3/4/4 CNAME www.a.shifen.com., A 110.242.68.3, A 110.242.68.4 (226)
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Two packets are seen. The local host (101.214.130.183) first sends a DNS request to the DNS server address found in the file above: + means recursion desired (a recursive query), A is the query type (name -> IP), and 31 is the message length. The DNS server then replies to the local host with the query result.
4. With the -X option tcpdump shows the full packet contents.
[*************]$ sudo tcpdump -X -i eth3 -nt -s 500 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 500 bytes
IP 101.214.130.183.53630 > 101.215.217.16.domain: 42689+ A? www.baidu.com. (31)
0x0000: 4500 003b b4fe 0000 4011 55a7 0a22 82b7 E..;....@.U.."..
0x0010: 0a23 d910 d17e 0035 0027 7045 a6c1 0100 .#...~.5.'pE....
0x0020: 0001 0000 0000 0000 0377 7777 0562 6169 .........www.bai
0x0030: 6475 0363 6f6d 0000 0100 01 du.com.....
IP 101.215.217.16.domain > 101.214.130.183.53630: 42689 3/4/4 CNAME www.a.shifen.com., A 110.242.68.4, A 110.242.68.3 (226)
0x0000: 4500 00fe a1f3 0000 3911 6eef 0a23 d910 E.......9.n..#..
0x0010: 0a22 82b7 0035 d17e 00ea 3424 a6c1 8180 ."...5.~..4$....
0x0020: 0001 0003 0004 0004 0377 7777 0562 6169 .........www.bai
0x0030: 6475 0363 6f6d 0000 0100 01c0 0c00 0500 du.com..........
0x0040: 0100 0001 5d00 0f03 7777 7701 6106 7368 ....]...www.a.sh
0x0050: 6966 656e c016 c02b 0001 0001 0000 006f ifen...+.......o
0x0060: 0004 6ef2 4404 c02b 0001 0001 0000 006f ..n.D..+.......o
0x0070: 0004 6ef2 4403 c031 0002 0001 0002 9490 ..n.D..1........
0x0080: 0006 036e 7334 c010 c031 0002 0001 0002 ...ns4...1......
0x0090: 9490 0006 0364 6e73 c010 c031 0002 0001 .....dns...1....
0x00a0: 0002 9490 0006 036e 7333 c010 c031 0002 .......ns3...1..
0x00b0: 0001 0002 9490 0006 036e 7332 c010 c078 .........ns2...x
0x00c0: 0001 0001 0002 9490 0004 6ef2 4486 c09c ..........n.D...
0x00d0: 0001 0001 0000 e7ce 0004 dcb5 211f c08a ............!...
0x00e0: 0001 0001 0000 77ce 0004 7050 f840 c066 ......w...pP.@.f
0x00f0: 0001 0001 0000 f297 0004 0ed7 b250 .............P
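To connect the hex dump above with the one-line summary tcpdump printed (id 42689, 3/4/4, the CNAME and the two A records), here is an added Python example, not part of the original article: it takes the response bytes transcribed from the dump, strips the IPv4 and UDP headers, and decodes the DNS header, question and every resource record, following the c0xx name-compression pointers.

```python
import struct
from ipaddress import IPv4Address
# Constructed input: the DNS response from the tcpdump -X dump above (IPv4 + UDP + DNS,
# offset and ASCII columns dropped). Compression pointers count from the DNS header.
RESPONSE_HEX = """
4500 00fe a1f3 0000 3911 6eef 0a23 d910 0a22 82b7 0035 d17e 00ea 3424 a6c1 8180
0001 0003 0004 0004 0377 7777 0562 6169 6475 0363 6f6d 0000 0100 01c0 0c00 0500
0100 0001 5d00 0f03 7777 7701 6106 7368 6966 656e c016 c02b 0001 0001 0000 006f
0004 6ef2 4404 c02b 0001 0001 0000 006f 0004 6ef2 4403 c031 0002 0001 0002 9490
0006 036e 7334 c010 c031 0002 0001 0002 9490 0006 0364 6e73 c010 c031 0002 0001
0002 9490 0006 036e 7333 c010 c031 0002 0001 0002 9490 0006 036e 7332 c010 c078
0001 0001 0002 9490 0004 6ef2 4486 c09c 0001 0001 0000 e7ce 0004 dcb5 211f c08a
0001 0001 0000 77ce 0004 7050 f840 c066 0001 0001 0000 f297 0004 0ed7 b250"""
TYPES = {1: "A", 2: "NS", 5: "CNAME"}

def read_name(msg, off, hops=0):  # -> (name, offset just past the name in the stream)
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # c0xx: 14-bit pointer to an earlier copy of the rest of the name
            if hops > 8:      # a hostile message could point in a loop; refuse to follow it
                raise ValueError("compression pointer loop")
            target = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, target, hops + 1)[0]]), off + 2
        if n == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_dns(msg):
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        questions.append((name, TYPES.get(qtype, qtype)))
        off += 4                                     # qtype + qclass
    for _ in range(an + ns + ar):                    # the 3/4/4 that tcpdump prints
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = str(IPv4Address(msg[off:off + 4])) if rtype == 1 else read_name(msg, off)[0]
        records.append((name, TYPES.get(rtype, rtype), ttl, rdata))
        off += rdlen
    return {"id": ident, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "counts": (an, ns, ar), "questions": questions, "records": records}

def parse_capture(hexdump):
    pkt = bytes.fromhex(hexdump)                     # whitespace in the dump is ignored
    return parse_dns(pkt[(pkt[0] & 0x0F) * 4 + 8:])  # skip the IPv4 header (IHL) and 8 UDP bytes
```

Running parse_capture(RESPONSE_HEX) yields the CNAME www.baidu.com -> www.a.shifen.com, the two A records, the four NS records for shifen.com and their glue addresses, exactly the 3/4/4 shown in the capture.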
II. Observing TCP connection setup and teardown
From 101.214.130.183 (the local host), telnet to 101.214.130.53. At the login prompt press Ctrl+] to enter the telnet command line, then type quit to exit.
[*************]$ telnet 101.214.130.53
Trying 101.214.130.53...
Connected to 101.214.130.53.
Escape character is '^]'.
Kernel 3.10.0-123.el7.x86_64 on an x86_64
nccddev130053 login:
telnet> quit
Connection closed.
tcpdump captures the following.
Before pressing Ctrl+]:
[*************]$ sudo tcpdump -i eth3 -nt -S '(src 101.214.130.53 and dst 101.214.130.183) or (src 101.214.130.183 and dst 101.214.130.53)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
// three-way handshake
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [S], seq 3824451662, win 14600, options [mss 1460,sackOK,TS val 3125353344 ecr 0,nop,wscale 7], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [S.], seq 3919585988, ack 3824451663, win 14480, options [mss 1460,sackOK,TS val 3125551789 ecr 3125353344,nop,wscale 7], length 0
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [.], ack 3919585989, win 115, options [nop,nop,TS val 3125353344 ecr 3125551789], length 0
// data transfer of the login banner:
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [P.], seq 3824451663:3824451690, ack 3919585989, win 115, options [nop,nop,TS val 3125353344 ecr 3125551789], length 27
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [.], ack 3824451690, win 114, options [nop,nop,TS val 3125551789 ecr 3125353344], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [P.], seq 3919585989:3919586001, ack 3824451690, win 114, options [nop,nop,TS val 3125551885 ecr 3125353344], length 12
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [.], ack 3919586001, win 115, options [nop,nop,TS val 3125353440 ecr 3125551885], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [P.], seq 3919586001:3919586040, ack 3824451690, win 114, options [nop,nop,TS val 3125551885 ecr 3125353440], length 39
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [.], ack 3919586040, win 115, options [nop,nop,TS val 3125353440 ecr 3125551885], length 0
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [P.], seq 3824451690:3824451776, ack 3919586040, win 115, options [nop,nop,TS val 3125353441 ecr 3125551885], length 86
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [.], ack 3824451776, win 114, options [nop,nop,TS val 3125551886 ecr 3125353441], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [P.], seq 3919586040:3919586043, ack 3824451776, win 114, options [nop,nop,TS val 3125551889 ecr 3125353441], length 3
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [P.], seq 3824451776:3824451779, ack 3919586043, win 115, options [nop,nop,TS val 3125353444 ecr 3125551889], length 3
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [P.], seq 3919586043:3919586091, ack 3824451779, win 114, options [nop,nop,TS val 3125551889 ecr 3125353444], length 48
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [P.], seq 3824451779:3824451782, ack 3919586091, win 115, options [nop,nop,TS val 3125353444 ecr 3125551889], length 3
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [.], ack 3824451782, win 114, options [nop,nop,TS val 3125551929 ecr 3125353444], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [P.], seq 3919586091:3919586112, ack 3824451782, win 114, options [nop,nop,TS val 3125551952 ecr 3125353444], length 21
IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [.], ack 3919586112, win 115, options [nop,nop,TS val 3125353547 ecr 3125551952], length 0
Meaning of * in the TCP Flags [*] field:
S SYN Connection Start
F FIN Connection Finish
P PUSH Data Push
. ACK Acknowledgment
After pressing Ctrl+] and typing quit:
IP 101.34.130.183.58356 > 101.214.130.53.telnet: Flags [F.], seq 2191253793, ack 604146575, win 115, options [nop,nop,TS val 3126606880 ecr 3126802756], length 0
IP 101.214.130.53.telnet > 101.214.130.183.58356: Flags [F.], seq 604146575, ack 2191253794, win 114, options [nop,nop,TS val 3126805325 ecr 3126606880], length 0
IP 101.214.130.183.58356 > 101.214.130.53.telnet: Flags [.], ack 604146576, win 115, options [nop,nop,TS val 3126606881 ecr 3126805325], length 0
In theory, closing a connection should take a four-way handshake, yet only three segments appear here.
The first segment has seq = 2191253793.
From the ack value in the second FIN segment (2191253794 = seq + 1) we can see that 101.214.130.53, after receiving the FIN from the local host, did not first reply with a separate ACK but sent its own FIN directly. Since no more data was being transferred, the ACK and the FIN were merged into a single segment.
III. Connecting to a non-existent TCP port
From 101.214.130.183 (the local host), run telnet 101.214.130.53 54321. Nothing listens on port 54321, so the connection is refused:
[*************]$ telnet 101.214.130.53 54321
Trying 101.214.130.53...
telnet: connect to address 101.214.130.53: Connection refused
Capture:
[*************]$ sudo tcpdump -i eth3 -nt -S port 54321
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 101.214.130.183.55568 > 101.214.130.53.54321: Flags [S], seq 3219867085, win 14600, options [mss 1460,sackOK,TS val 3130153100 ecr 0,nop,wscale 7], length 0
IP 101.214.130.53.54321 > 101.214.130.183.55568: Flags [R.], seq 0, ack 3219867086, win 0, length 0
When the server receives a request for a port on which nothing is listening, it replies with a reset segment (R).
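As an added example, not from the original article, the following Python script parses tcpdump -nt -S lines like those in sections II and III and replays them: for every segment it checks that the ACK number equals the peer's next sequence number (a SYN or FIN consumes one number, data consumes its length) and labels the handshake, the merged FIN+ACK from the teardown, and the RST of the refused connection. The sample lines are constructed from the page's captures with the options field trimmed.

```python
import re
from collections import namedtuple

# Constructed sample: tcpdump -nt -S lines from this page, options field trimmed.
# The teardown lines are a later session (port 58356); the page prints that
# session's first source address as 101.34.130.183, normalised here.
CAPTURE = {
    "handshake": [
        "IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [S], seq 3824451662, win 14600, length 0",
        "IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [S.], seq 3919585988, ack 3824451663, win 14480, length 0",
        "IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [.], ack 3919585989, win 115, length 0",
        "IP 101.214.130.183.58306 > 101.214.130.53.telnet: Flags [P.], seq 3824451663:3824451690, ack 3919585989, win 115, length 27",
        "IP 101.214.130.53.telnet > 101.214.130.183.58306: Flags [.], ack 3824451690, win 114, length 0",
    ],
    "teardown": [
        "IP 101.214.130.183.58356 > 101.214.130.53.telnet: Flags [F.], seq 2191253793, ack 604146575, win 115, length 0",
        "IP 101.214.130.53.telnet > 101.214.130.183.58356: Flags [F.], seq 604146575, ack 2191253794, win 114, length 0",
        "IP 101.214.130.183.58356 > 101.214.130.53.telnet: Flags [.], ack 604146576, win 115, length 0",
    ],
    "refused": [
        "IP 101.214.130.183.55568 > 101.214.130.53.54321: Flags [S], seq 3219867085, win 14600, length 0",
        "IP 101.214.130.53.54321 > 101.214.130.183.55568: Flags [R.], seq 0, ack 3219867086, win 0, length 0",
    ],
}
Seg = namedtuple("Seg", "src dst flags seq ack length")
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\],(?: seq (\d+)(?::\d+)?,)?"
                  r"(?: ack (\d+),)?.*? length (\d+)")

def parse_line(line):
    src, dst, flags, seq, ack, length = LINE.search(line).groups()
    return Seg(src, dst, flags, None if seq is None else int(seq),
               None if ack is None else int(ack), int(length))

def analyse(lines):
    """Replay the segments; per segment: (flags, ACK matches peer's next seq or None, meaning)."""
    next_seq, fin_sent, report = {}, set(), []
    for seg in map(parse_line, lines):
        ack_ok = None if seg.ack is None or seg.dst not in next_seq else seg.ack == next_seq[seg.dst]
        if seg.seq is not None:  # SYN and FIN each take one sequence number, data takes `length`
            next_seq[seg.src] = seg.seq + seg.length + ("S" in seg.flags) + ("F" in seg.flags)
        if "R" in seg.flags:
            note = "RST: nothing listens on that port, connection refused"
        elif "F" in seg.flags:
            note = "FIN+ACK merged: also acks the peer's FIN" if seg.dst in fin_sent else "FIN: active close"
            fin_sent.add(seg.src)
        elif seg.flags in ("S", "S."):
            note = {"S": "SYN", "S.": "SYN-ACK"}[seg.flags]
        else:
            note = "ACK" if seg.length == 0 else "%d data bytes" % seg.length
        report.append((seg.flags, ack_ok, note))
    return report
```

For the teardown sample the second segment is reported with ack_ok True and the merged note, which is exactly the three-segment close explained in section II.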